0000-12-31 18:09:24 -05:50
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
2010-12-06 15:16:49 -06:00
# Simo Sorce <ssorce@redhat.com>
# Rob Crittenden <rcritten@redhat.com>
0000-12-31 18:09:24 -05:50
#
2010-12-06 15:16:49 -06:00
# Copyright (C) 2007-2010 Red Hat
0000-12-31 18:09:24 -05:50
# see file 'COPYING' for use and warranty information
#
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
0000-12-31 18:09:24 -05:50
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
0000-12-31 18:09:24 -05:50
#
# requires the following packages:
# fedora-ds-base
# openldap-clients
# nss-tools
0000-12-31 18:09:24 -05:50
import sys
2007-10-02 15:56:51 -05:00
import os
2007-10-15 12:27:05 -05:00
import errno
2011-01-28 14:45:19 -06:00
import grp
2007-10-03 16:37:13 -05:00
import subprocess
2007-10-02 15:56:51 -05:00
import signal
import shutil
import glob
0000-12-31 18:09:24 -05:50
import traceback
2011-11-03 05:08:26 -05:00
import pickle
2009-08-27 13:12:55 -05:00
import random
2011-01-26 09:53:02 -06:00
import tempfile
2011-08-17 03:19:37 -05:00
import nss.error
2011-09-26 01:27:01 -05:00
from optparse import OptionGroup, OptionValueError
0000-12-31 18:09:24 -05:50
2009-02-02 12:50:53 -06:00
from ipaserver.install import dsinstance
from ipaserver.install import krbinstance
from ipaserver.install import bindinstance
from ipaserver.install import httpinstance
from ipaserver.install import ntpinstance
2009-04-13 12:39:15 -05:00
from ipaserver.install import certs
2010-02-24 10:38:09 -06:00
from ipaserver.install import cainstance
2012-02-06 12:15:06 -06:00
from ipaserver.install import memcacheinstance
0000-12-31 18:09:24 -05:50
2009-02-02 12:50:53 -06:00
from ipaserver.install import service
2009-02-05 14:03:08 -06:00
from ipapython import version
2009-02-02 12:50:53 -06:00
from ipaserver.install.installutils import *
2010-03-24 09:51:31 -05:00
from ipaserver.plugins.ldap2 import ldap2
0000-12-31 18:09:24 -05:50
2009-02-05 14:03:08 -06:00
from ipapython import sysrestore
from ipapython.ipautil import *
2010-03-24 09:51:31 -05:00
from ipalib import api, errors, util
2010-10-29 13:24:31 -05:00
from ipapython.config import IPAOptionParser
2011-07-07 10:55:20 -05:00
from ipalib.dn import DN
2011-08-17 03:19:37 -05:00
from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
2011-08-31 07:42:57 -05:00
from ipalib.constants import DNS_ZONE_REFRESH
2011-09-12 16:11:54 -05:00
from ipapython import services as ipaservices
2011-11-15 13:39:31 -06:00
from ipapython.ipa_log_manager import *
0000-12-31 18:09:24 -05:50
2008-07-11 10:34:29 -05:00
pw_name = None
2010-04-27 16:51:13 -05:00
uninstalling = False
2011-11-29 02:10:31 -06:00
installation_cleanup = True
2008-07-11 10:34:29 -05:00
2011-07-07 10:55:20 -05:00
VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c',
'serialnumber', 'l', 'title', 'sn', 'givenname',
'initials', 'generationqualifier', 'dc', 'mail',
'uid', 'postaladdress', 'postalcode', 'postofficebox',
'houseidentifier', 'e', 'street', 'pseudonym',
'incorporationlocality', 'incorporationstate',
'incorporationcountry', 'businesscategory']
def subject_callback(option, opt_str, value, parser):
"""
Make sure the certificate subject base is a valid DN
"""
name = opt_str.replace('--','')
v = unicode(value, 'utf-8')
2011-09-26 01:27:01 -05:00
if any(ord(c) < 0x20 for c in v):
raise OptionValueError("Subject base must not contain control characters")
if '&' in v:
raise OptionValueError("Subject base must not contain an ampersand (\"&\")")
2011-07-07 10:55:20 -05:00
try:
dn = DN(v)
2011-07-28 13:32:26 -05:00
for rdn in dn:
if rdn.attr.lower() not in VALID_SUBJECT_ATTRS:
2011-09-26 01:27:01 -05:00
raise OptionValueError('invalid attribute: %s' % rdn.attr)
2011-07-07 10:55:20 -05:00
except ValueError, e:
2011-09-26 01:27:01 -05:00
raise OptionValueError('Invalid subject base format: %s' % str(e))
2011-07-11 16:39:30 -05:00
parser.values.subject = str(dn) # may as well normalize it
2011-07-07 10:55:20 -05:00
2011-09-26 01:27:01 -05:00
def validate_dm_password(password):
if len(password) < 8:
raise ValueError("Password must be at least 8 characters long")
if any(ord(c) < 0x20 for c in password):
raise ValueError("Password must not contain control characters")
if ' ' in password:
raise ValueError("Password must not contain a space (\" \")")
if '&' in password:
raise ValueError("Password must not contain an ampersand (\"&\")")
if '\\' in password:
raise ValueError("Password must not contain a backslash (\"\\\")")
0000-12-31 18:09:24 -05:50
def parse_options():
2010-12-06 15:16:49 -06:00
# Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
namespace = random.randint(1, 10000) * 200000
2010-10-29 13:24:31 -05:00
parser = IPAOptionParser(version=version.VERSION)
2011-09-05 04:04:17 -05:00
basic_group = OptionGroup(parser, "basic options")
basic_group.add_option("-r", "--realm", dest="realm_name",
0000-12-31 18:09:24 -05:50
help="realm name")
2011-09-05 04:04:17 -05:00
basic_group.add_option("-n", "--domain", dest="domain_name",
2008-02-15 19:47:29 -06:00
help="domain name")
2011-09-05 04:04:17 -05:00
basic_group.add_option("-p", "--ds-password", dest="dm_password",
2010-10-29 13:24:31 -05:00
sensitive=True, help="admin password")
2011-09-05 04:04:17 -05:00
basic_group.add_option("-P", "--master-password",
2010-10-29 13:24:31 -05:00
dest="master_password", sensitive=True,
2008-02-25 16:18:18 -06:00
help="kerberos master password (normally autogenerated)")
2011-09-05 04:04:17 -05:00
basic_group.add_option("-a", "--admin-password",
2010-10-29 13:24:31 -05:00
sensitive=True, dest="admin_password",
2007-08-31 17:40:01 -05:00
help="admin user kerberos password")
2011-09-05 04:04:17 -05:00
basic_group.add_option("--hostname", dest="host_name", help="fully qualified name of server")
basic_group.add_option("--ip-address", dest="ip_address",
type="ip", ip_local=True,
help="Master Server IP Address")
basic_group.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
help="do not configure ntp", default=True)
basic_group.add_option("--idstart", dest="idstart", default=namespace, type=int,
help="The starting value for the IDs range (default random)")
basic_group.add_option("--idmax", dest="idmax", default=0, type=int,
help="The max value value for the IDs range (default: idstart+199999)")
basic_group.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
action="store_true",
help="Don't install allow_all HBAC rule")
basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
default=True, help="Do not automatically redirect to the Web UI")
2011-12-07 02:49:09 -06:00
basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
help="configure OpenSSH client to trust DNS SSHFP records")
basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
help="do not configure OpenSSH server")
2011-09-05 04:04:17 -05:00
basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
2007-09-20 14:10:21 -05:00
default=False, help="print debugging information")
2011-09-05 04:04:17 -05:00
basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended (un)installation never prompts the user")
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, "certificate system options")
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
2009-09-10 15:15:14 -05:00
default=False, help="Generate a CSR to be signed by an external CA")
2011-09-05 04:04:17 -05:00
cert_group.add_option("", "--external_cert_file", dest="external_cert_file",
2009-09-10 15:15:14 -05:00
help="File containing PKCS#10 certificate")
2011-09-05 04:04:17 -05:00
cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
2009-09-10 15:15:14 -05:00
help="File containing PKCS#10 of the external CA chain")
2011-09-05 04:04:17 -05:00
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="PKCS#12 file containing the Directory Server SSL certificate")
cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
help="PKCS#12 file containing the Apache Server SSL certificate")
cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
help="PKCS#12 file containing the Kerberos KDC SSL certificate")
cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
help="The password of the Directory Server PKCS#12 file")
cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
help="The password of the Apache Server PKCS#12 file")
cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
help="The password of the Kerberos KDC PKCS#12 file")
cert_group.add_option("--subject", action="callback", callback=subject_callback,
type="string",
help="The certificate subject base (default O=<realm-name>)")
2011-10-03 05:30:34 -05:00
cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true",
default=False, help="Configure a self-signed CA instance rather than a dogtag CA. " \
"WARNING: Certificate management capabilities will be limited")
2011-09-05 04:04:17 -05:00
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, "DNS options")
dns_group.add_option("--setup-dns", dest="setup_dns", action="store_true",
2009-06-25 07:42:08 -05:00
default=False, help="configure bind with our zone")
2011-09-05 04:04:17 -05:00
dns_group.add_option("--forwarder", dest="forwarders", action="append",
2011-06-16 03:47:11 -05:00
type="ip", help="Add a DNS forwarder")
2011-09-05 04:04:17 -05:00
dns_group.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
2009-09-01 16:28:52 -05:00
default=False, help="Do not add any DNS forwarders, use root servers instead")
2011-09-05 04:04:17 -05:00
dns_group.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
2011-01-04 07:55:47 -06:00
default=False, help="Do not create reverse DNS zone")
2011-10-24 11:35:48 -05:00
dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
2011-04-22 16:18:57 -05:00
type="string",
2012-02-20 06:40:13 -06:00
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
2011-09-05 04:04:17 -05:00
dns_group.add_option("--zone-notif", dest="zone_notif",
2011-08-31 07:42:57 -05:00
action="store_true", default=False,
help="Let name server receive notification when a new zone is added." \
"Zone refresh is turned off when zone notification is enabled")
2011-09-05 04:04:17 -05:00
dns_group.add_option("--zone-refresh", dest="zone_refresh",
2011-08-31 07:42:57 -05:00
default=DNS_ZONE_REFRESH, type="int",
help="A delay between checks for new DNS zones. Defaults to %d" \
% DNS_ZONE_REFRESH)
2011-09-05 04:04:17 -05:00
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
2008-09-16 21:18:11 -05:00
default=False,
help="Do not use DNS for hostname lookup during installation")
2011-12-07 02:40:51 -06:00
dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
help="do not automatically create DNS SSHFP records")
2011-09-05 04:04:17 -05:00
parser.add_option_group(dns_group)
uninstall_group = OptionGroup(parser, "uninstall options")
uninstall_group.add_option("", "--uninstall", dest="uninstall", action="store_true",
default=False, help="uninstall an existing installation. The uninstall can " \
"be run with --unattended option")
parser.add_option_group(uninstall_group)
0000-12-31 18:09:24 -05:50
options, args = parser.parse_args()
2010-10-29 13:24:31 -05:00
safe_options = parser.get_safe_opts(options)
0000-12-31 18:09:24 -05:50
2011-09-26 01:27:01 -05:00
if options.dm_password is not None:
try:
validate_dm_password(options.dm_password)
except ValueError, e:
parser.error("DS admin password: " + str(e))
2011-08-15 02:02:39 -05:00
if options.admin_password is not None and len(options.admin_password) < 8:
parser.error("Admin user password must be at least 8 characters long")
2009-09-01 16:28:52 -05:00
if not options.setup_dns:
if options.forwarders:
parser.error("You cannot specify a --forwarder option without the --setup-dns option")
if options.no_forwarders:
parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
2011-07-11 03:14:53 -05:00
if options.reverse_zone:
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
2011-01-04 07:55:47 -06:00
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
2009-09-01 16:28:52 -05:00
elif options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
2011-07-11 03:14:53 -05:00
elif options.reverse_zone and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
2009-09-01 16:28:52 -05:00
2008-01-11 05:57:36 -06:00
if options.uninstall:
2011-01-28 14:45:19 -06:00
if (options.realm_name or
2010-04-15 04:08:48 -05:00
options.admin_password or options.master_password):
2011-01-28 14:45:19 -06:00
parser.error("In uninstall mode, -a, -r and -P options are not allowed")
2008-01-11 05:57:36 -06:00
elif options.unattended:
2011-01-24 13:58:11 -06:00
if (not options.realm_name or
2008-02-25 16:18:18 -06:00
not options.dm_password or not options.admin_password):
2011-01-24 13:58:11 -06:00
parser.error("In unattended mode you need to provide at least -r, -p and -a options")
2009-09-01 16:28:52 -05:00
if options.setup_dns:
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
0000-12-31 18:09:24 -05:50
2008-07-11 10:34:29 -05:00
# If any of the PKCS#12 options are selected, all are required. Create a
# list of the options and count it to enforce that all are required without
# having a huge set of it blocks.
pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
cnt = pkcs12.count(None)
if cnt > 0 and cnt < 4:
2009-11-23 01:42:30 -06:00
parser.error("All PKCS#12 options are required if any are used.")
2008-07-11 10:34:29 -05:00
2010-02-24 10:38:09 -06:00
if (options.external_cert_file or options.external_ca_file) and options.selfsign:
parser.error("--selfsign cannot be used with the external CA options.")
2009-09-10 15:15:14 -05:00
2011-07-26 06:21:36 -05:00
if options.external_ca:
if options.external_cert_file:
parser.error("You cannot specify --external_cert_file together with --external-ca")
if options.external_ca_file:
parser.error("You cannot specify --external_ca_file together with --external-ca")
2009-09-10 15:15:14 -05:00
if ((options.external_cert_file and not options.external_ca_file) or
(not options.external_cert_file and options.external_ca_file)):
2011-07-26 06:21:36 -05:00
parser.error("if either external CA option is used, both are required.")
2009-09-10 15:15:14 -05:00
2010-04-01 16:20:38 -05:00
if (options.external_ca_file and not os.path.isabs(options.external_ca_file)):
parser.error("--external-ca-file must use an absolute path")
if (options.external_cert_file and not os.path.isabs(options.external_cert_file)):
parser.error("--external-cert-file must use an absolute path")
2010-11-11 17:15:28 -06:00
if options.idmax == 0:
2010-12-06 15:16:49 -06:00
options.idmax = int(options.idstart) + 200000 - 1
2010-11-11 17:15:28 -06:00
if options.idmax < options.idstart:
2011-04-07 10:26:15 -05:00
parser.error("idmax (%u) cannot be smaller than idstart (%u)" %
2010-11-11 17:15:28 -06:00
(options.idmax, options.idstart))
2010-11-19 10:22:10 -06:00
#Automatically disable pkinit w/ dogtag until that is supported
if not options.pkinit_pkcs12 and not options.selfsign:
options.setup_pkinit = False
2011-08-31 07:42:57 -05:00
if options.zone_refresh < 0:
parser.error("negative numbers not allowed for --zone-refresh")
if options.zone_notif: # these 2 features are mutually exclusive
options.zone_refresh = 0
2010-10-29 13:24:31 -05:00
return safe_options, options
0000-12-31 18:09:24 -05:50
2007-10-02 15:56:51 -05:00
def signal_handler(signum, frame):
global ds
print "\nCleaning up..."
if ds:
print "Removing configuration for %s instance" % ds.serverid
ds.stop()
if ds.serverid:
2009-02-02 12:50:53 -06:00
dsinstance.erase_ds_instance_data (ds.serverid)
2007-10-02 15:56:51 -05:00
sys.exit(1)
2009-11-18 13:28:33 -06:00
ANSWER_CACHE = "/root/.ipa_cache"
2011-01-26 09:53:02 -06:00
def read_cache(dm_password):
2009-11-18 13:28:33 -06:00
"""
2011-11-03 05:08:26 -05:00
Returns a dict of cached answers or empty dict if no cache file exists.
2009-11-18 13:28:33 -06:00
"""
if not ipautil.file_exists(ANSWER_CACHE):
return {}
2011-01-26 09:53:02 -06:00
top_dir = tempfile.mkdtemp("ipa")
2011-11-03 05:08:26 -05:00
fname = "%s/cache" % top_dir
2011-01-26 09:53:02 -06:00
try:
2011-11-03 05:08:26 -05:00
decrypt_file(ANSWER_CACHE, fname, dm_password, top_dir)
2011-01-26 09:53:02 -06:00
except Exception, e:
shutil.rmtree(top_dir)
2011-11-03 05:08:26 -05:00
raise Exception("Decryption of answer cache in %s failed, please check your password." % ANSWER_CACHE)
2011-01-26 09:53:02 -06:00
2009-11-18 13:28:33 -06:00
try:
2011-11-03 05:08:26 -05:00
with open(fname, 'rb') as f:
try:
optdict = pickle.load(f)
except Exception, e:
raise Exception("Parse error in %s: %s" % (ANSWER_CACHE, str(e)))
2009-11-18 13:28:33 -06:00
except IOError, e:
2011-11-03 05:08:26 -05:00
raise Exception("Read error in %s: %s" % (ANSWER_CACHE, str(e)))
2011-01-26 09:53:02 -06:00
finally:
shutil.rmtree(top_dir)
2009-11-18 13:28:33 -06:00
# These are the only ones that may be overridden
2011-11-03 05:08:26 -05:00
for opt in ('external_ca_file', 'external_cert_file'):
try:
del optdict[opt]
except KeyError:
pass
2009-11-18 13:28:33 -06:00
return optdict
def write_cache(options):
"""
Takes a dict as input and writes a cached file of answers
"""
2011-01-26 09:53:02 -06:00
top_dir = tempfile.mkdtemp("ipa")
2011-11-03 05:08:26 -05:00
fname = "%s/cache" % top_dir
2009-11-18 13:28:33 -06:00
try:
2011-11-03 05:08:26 -05:00
with open(fname, 'wb') as f:
pickle.dump(options, f)
ipautil.encrypt_file(fname, ANSWER_CACHE, options['dm_password'], top_dir)
2009-11-18 13:28:33 -06:00
except IOError, e:
2011-11-03 05:08:26 -05:00
raise Exception("Unable to cache command-line options %s" % str(e))
2011-01-26 09:53:02 -06:00
finally:
shutil.rmtree(top_dir)
2009-11-18 13:28:33 -06:00
2008-09-16 21:18:11 -05:00
def read_host_name(host_default,no_host_dns=False):
0000-12-31 18:09:24 -05:50
host_name = ""
print "Enter the fully qualified domain name of the computer"
print "on which you're setting up server software. Using the form"
print "<hostname>.<domainname>"
print "Example: master.example.com."
print ""
print ""
if host_default == "":
host_default = "master.example.com"
2011-10-06 04:26:03 -05:00
host_name = user_input("Server host name", host_default, allow_empty = False)
print ""
verify_fqdn(host_name,no_host_dns)
0000-12-31 18:09:24 -05:50
return host_name
2008-02-25 16:16:18 -06:00
def read_domain_name(domain_name, unattended):
2008-02-15 19:47:29 -06:00
print "The domain name has been calculated based on the host name."
print ""
2008-02-25 16:16:18 -06:00
if not unattended:
2008-07-21 05:25:37 -05:00
domain_name = user_input("Please confirm the domain name", domain_name)
2008-02-25 16:16:18 -06:00
print ""
2008-02-15 19:47:29 -06:00
return domain_name
2008-02-25 16:16:18 -06:00
def read_realm_name(domain_name, unattended):
0000-12-31 18:09:24 -05:50
print "The kerberos protocol requires a Realm name to be defined."
print "This is typically the domain name converted to uppercase."
print ""
2009-05-12 08:20:24 -05:00
2008-02-25 16:16:18 -06:00
if unattended:
2008-07-21 05:25:37 -05:00
return domain_name.upper()
realm_name = user_input("Please provide a realm name", domain_name.upper())
2011-04-07 09:53:52 -05:00
upper_dom = realm_name.upper() #pylint: disable=E1103
2008-07-21 05:25:37 -05:00
if upper_dom != realm_name:
print "An upper-case realm name is required."
if not user_input("Do you want to use " + upper_dom + " as realm name?", True):
2008-02-25 16:16:18 -06:00
print ""
2008-07-21 05:25:37 -05:00
print "An upper-case realm name is required. Unable to continue."
sys.exit(1)
else:
realm_name = upper_dom
print ""
0000-12-31 18:09:24 -05:50
return realm_name
2008-07-21 05:25:37 -05:00
0000-12-31 18:09:24 -05:50
def read_dm_password():
print "Certain directory server operations require an administrative user."
print "This user is referred to as the Directory Manager and has full access"
2008-01-29 10:33:44 -06:00
print "to the Directory for system management tasks and will be added to the"
2008-01-25 16:08:36 -06:00
print "instance of directory server created for IPA."
0000-12-31 18:09:24 -05:50
print "The password must be at least 8 characters long."
0000-12-31 18:09:24 -05:50
print ""
#TODO: provide the option of generating a random password
2011-09-26 01:27:01 -05:00
dm_password = read_password("Directory Manager", validator=validate_dm_password)
0000-12-31 18:09:24 -05:50
return dm_password
def read_admin_password():
print "The IPA server requires an administrative user, named 'admin'."
print "This user is a regular system account used for IPA server administration."
print ""
#TODO: provide the option of generating a random password
admin_password = read_password("IPA admin")
return admin_password
2008-05-30 14:31:13 -05:00
def check_dirsrv(unattended):
2009-02-02 12:50:53 -06:00
(ds_unsecure, ds_secure) = dsinstance.check_ports()
2008-01-22 02:03:06 -06:00
if not ds_unsecure or not ds_secure:
print "IPA requires ports 389 and 636 for the Directory Server."
print "These are currently in use:"
if not ds_unsecure:
print "\t389"
if not ds_secure:
print "\t636"
sys.exit(1)
2010-10-06 09:16:54 -05:00
def uninstall():
2010-04-15 04:08:48 -05:00
2011-08-29 10:16:52 -05:00
rv = 0
2010-11-08 10:05:37 -06:00
print "Shutting down all IPA services"
try:
(stdout, stderr, rc) = run(["/usr/sbin/ipactl", "stop"], raiseonerr=False)
except Exception, e:
pass
print "Removing IPA client configuration"
2008-03-31 16:35:45 -05:00
try:
2010-08-31 16:21:25 -05:00
(stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
2010-09-23 11:07:29 -05:00
if rc not in [0,2]:
2011-11-15 13:39:31 -06:00
root_logger.debug("ipa-client-install returned %d" % rc)
2010-08-31 16:21:25 -05:00
raise RuntimeError(stdout)
2008-03-31 16:35:45 -05:00
except Exception, e:
2011-08-29 10:16:52 -05:00
rv = 1
2008-03-31 16:35:45 -05:00
print "Uninstall of client side components failed!"
print "ipa-client-install returned: " + str(e)
2009-02-02 12:50:53 -06:00
ntpinstance.NTPInstance(fstore).uninstall()
2010-05-03 14:21:51 -05:00
if cainstance.CADSInstance().is_configured():
2009-04-01 21:39:44 -05:00
cainstance.CADSInstance().uninstall()
2010-12-08 15:35:12 -06:00
if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
2009-02-02 12:50:53 -06:00
bindinstance.BindInstance(fstore).uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
2011-03-01 07:17:03 -06:00
dsinstance.DsInstance(fstore=fstore).uninstall()
2012-02-15 15:55:59 -06:00
memcacheinstance.MemcacheInstance().uninstall()
2008-03-27 18:01:38 -05:00
fstore.restore_all_files()
2009-11-18 13:28:33 -06:00
try:
os.remove(ANSWER_CACHE)
except Exception:
pass
2011-09-09 16:07:09 -05:00
2010-01-28 13:22:50 -06:00
# ipa-client-install removes /etc/ipa/default.conf
2011-01-28 14:45:19 -06:00
2011-02-07 12:31:51 -06:00
sstore._load()
2011-01-28 14:45:19 -06:00
group_exists = sstore.restore_state("install", "group_exists")
if group_exists == False:
try:
grp.getgrnam(dsinstance.DS_GROUP)
try:
ipautil.run(["/usr/sbin/groupdel", dsinstance.DS_GROUP])
except ipautil.CalledProcessError, e:
2011-11-15 13:39:31 -06:00
root_logger.critical("failed to delete group %s" % e)
2011-08-29 10:16:52 -05:00
rv = 1
2011-01-28 14:45:19 -06:00
except KeyError:
2011-11-15 13:39:31 -06:00
root_logger.info("Group %s already removed", dsinstance.DS_GROUP)
2011-01-28 14:45:19 -06:00
2011-09-12 16:11:54 -05:00
ipaservices.knownservices.ipa.disable()
2011-03-07 15:29:08 -06:00
2011-10-13 05:16:15 -05:00
old_hostname = sstore.restore_state('network','hostname')
system_hostname = get_fqdn()
if old_hostname is not None and old_hostname != system_hostname:
try:
ipautil.run(['/bin/hostname', old_hostname])
except CalledProcessError, e:
print >>sys.stderr, "Failed to set this machine hostname back to %s (%s)." % (old_hostname, str(e))
2011-08-29 10:16:52 -05:00
if fstore.has_files():
2011-11-15 13:39:31 -06:00
root_logger.error('Some files have not been restored, see /var/lib/ipa/sysrestore/sysrestore.index')
2011-08-29 10:16:52 -05:00
has_state = False
for module in IPA_MODULES: # from installutils
if sstore.has_state(module):
2011-11-15 13:39:31 -06:00
root_logger.error('Some installation state for %s has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state' % module)
2011-08-29 10:16:52 -05:00
has_state = True
rv = 1
if has_state:
2011-11-15 13:39:31 -06:00
root_logger.warning('Some installation state has not been restored.\nThis will cause re-installation to fail.\nIt should be safe to remove /var/lib/ipa/sysrestore.state but it may\nmean your system hasn\'t be restored to its pre-installation state.')
2011-08-29 10:16:52 -05:00
return rv
2008-01-11 05:57:36 -06:00
2009-11-02 15:16:27 -06:00
2011-02-15 13:11:27 -06:00
def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
dsinstance.realm_to_serverid(realm_name)
)
2010-01-20 10:26:20 -06:00
try:
2010-03-24 09:51:31 -05:00
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e:
2011-11-15 13:39:31 -06:00
root_logger.critical("Could not connect to the Directory Server on %s" % realm_name)
2010-01-20 10:26:20 -06:00
raise e
2010-03-24 09:51:31 -05:00
(dn, entry_attrs) = conn.get_ipa_config()
if 'ipacertificatesubjectbase' not in entry_attrs:
mod = {'ipacertificatesubjectbase': subject_base}
conn.update_entry(dn, mod)
conn.disconnect()
2009-11-02 15:16:27 -06:00
0000-12-31 18:09:24 -05:50
def main():
2007-10-02 15:56:51 -05:00
global ds
2008-07-11 10:34:29 -05:00
global pw_name
2010-04-27 16:51:13 -05:00
global uninstalling
2011-11-29 02:10:31 -06:00
global installation_cleanup
2007-10-02 15:56:51 -05:00
ds = None
0000-12-31 18:09:24 -05:50
2010-10-29 13:24:31 -05:00
safe_options, options = parse_options()
0000-12-31 18:09:24 -05:50
2007-10-02 15:56:51 -05:00
if os.getegid() != 0:
2010-11-08 16:13:48 -06:00
sys.exit("Must be root to set up server")
2008-02-20 09:16:19 -06:00
2007-10-02 15:56:51 -05:00
signal.signal(signal.SIGTERM, signal_handler)
signal.signal(signal.SIGINT, signal_handler)
2008-03-24 11:22:34 -05:00
if options.uninstall:
2010-04-27 16:51:13 -05:00
uninstalling = True
2011-11-15 13:39:31 -06:00
standard_logging_setup("/var/log/ipaserver-uninstall.log", debug=options.debug)
2011-11-29 02:10:31 -06:00
installation_cleanup = False
2008-03-24 11:22:34 -05:00
else:
2011-11-15 13:39:31 -06:00
standard_logging_setup("/var/log/ipaserver-install.log", debug=options.debug)
2008-03-24 11:22:34 -05:00
print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
2011-08-29 10:16:52 -05:00
if not options.external_ca and not options.external_cert_file and is_ipa_configured():
2011-11-29 02:10:31 -06:00
installation_cleanup = False
2011-04-27 09:09:43 -05:00
sys.exit("IPA server is already configured on this system.\n"
+ "If you want to reinstall the IPA server please uninstall it first.")
0000-12-31 18:09:24 -05:50
2011-02-24 06:02:27 -06:00
client_fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
if client_fstore.has_files():
2011-11-29 02:10:31 -06:00
installation_cleanup = False
2011-02-24 06:02:27 -06:00
sys.exit("IPA client is already configured on this system.\n"
+ "Please uninstall it first before configuring the IPA server.")
2011-11-15 13:39:31 -06:00
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
2010-10-29 13:24:31 -05:00
2008-03-27 18:01:38 -05:00
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
2011-01-28 14:45:19 -06:00
global sstore
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
2008-03-27 18:01:38 -05:00
2009-12-03 09:32:56 -06:00
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
2009-11-02 15:16:27 -06:00
cfg = dict(
2010-03-17 09:01:24 -05:00
context='installer',
2009-11-02 15:16:27 -06:00
in_server=True,
2009-11-19 09:33:50 -06:00
debug=options.debug
2009-11-02 15:16:27 -06:00
)
2009-09-28 22:34:15 -05:00
2008-01-11 05:57:36 -06:00
if options.uninstall:
2010-04-15 04:08:48 -05:00
# We will need at least api.env, finalize api now. This system is
# already installed, so the configuration file is there.
api.bootstrap(**cfg)
api.finalize()
2008-03-31 16:35:45 -05:00
if not options.unattended:
print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n"
2008-08-06 10:27:04 -05:00
if not user_input("Are you sure you want to continue with the uninstall procedure?", False):
2008-03-31 16:35:45 -05:00
print ""
print "Aborting uninstall operation."
sys.exit(1)
2010-10-06 09:16:54 -05:00
return uninstall()
2008-01-11 05:57:36 -06:00
2011-07-26 06:21:36 -05:00
if options.external_ca:
if cainstance.CADSInstance().is_configured():
print "CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file."
sys.exit(1)
elif options.external_cert_file:
if not cainstance.CADSInstance().is_configured():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
sys.exit(1)
2009-11-18 13:28:33 -06:00
# This will override any settings passed in on the cmdline
2011-01-26 09:53:02 -06:00
if ipautil.file_exists(ANSWER_CACHE):
2011-07-26 06:21:36 -05:00
dm_password = read_password("Directory Manager", confirm=False)
2011-10-06 01:22:08 -05:00
if dm_password is None:
sys.exit("\nDirectory Manager password required")
2011-11-03 05:08:26 -05:00
try:
options._update_loose(read_cache(dm_password))
except Exception, e:
sys.exit("Cannot process the cache file: %s" % str(e))
2009-11-18 13:28:33 -06:00
2011-08-17 03:19:37 -05:00
if options.external_cert_file:
try:
extcert = load_certificate_from_file(options.external_cert_file)
except IOError, e:
print "Can't load the PKCS#10 certificate: %s." % str(e)
sys.exit(1)
except nss.error.NSPRError:
print "'%s' is not a valid PEM-encoded certificate." % options.external_cert_file
sys.exit(1)
certsubject = unicode(extcert.subject)
wantsubject = unicode(DN(('CN','Certificate Authority'), options.subject))
if certsubject.lower() != wantsubject.lower():
print "Subject of the PKCS#10 certificate is not correct (got %s, expected %s)." % (certsubject, wantsubject)
sys.exit(1)
try:
extchain = load_certificate_chain_from_file(options.external_ca_file)
except IOError, e:
print "Can't load the external CA chain: %s." % str(e)
sys.exit(1)
except nss.error.NSPRError:
print "'%s' is not a valid PEM-encoded certificate chain." % options.external_ca_file
sys.exit(1)
certdict = dict((unicode(cert.subject).lower(), cert) for cert in extchain)
certissuer = unicode(extcert.issuer)
if certissuer.lower() not in certdict:
print "The PKCS#10 certificate is not signed by the external CA (unknown issuer %s)." % certissuer
sys.exit(1)
cert = extcert
while cert.issuer != cert.subject:
certissuer = unicode(cert.issuer)
if certissuer.lower() not in certdict:
print "The external CA chain is incomplete (%s is missing from the chain)." % certissuer
sys.exit(1)
cert = certdict[certissuer.lower()]
0000-12-31 18:09:24 -05:50
print "=============================================================================="
2010-02-03 13:56:17 -06:00
print "This program will set up the FreeIPA Server."
0000-12-31 18:09:24 -05:50
print ""
2008-01-25 16:08:36 -06:00
print "This includes:"
2011-10-03 05:30:34 -05:00
if options.selfsign:
print " * Configure NSS to handle a self-signed CA"
print " WARNING: certificate management capabilities will be limited"
else:
print " * Configure a stand-alone CA (dogtag) for certificate management"
2008-06-06 14:25:36 -05:00
if options.conf_ntp:
print " * Configure the Network Time Daemon (ntpd)"
2008-01-25 16:08:36 -06:00
print " * Create and configure an instance of Directory Server"
2008-03-04 13:47:47 -06:00
print " * Create and configure a Kerberos Key Distribution Center (KDC)"
2008-01-25 16:08:36 -06:00
print " * Configure Apache (httpd)"
2009-06-25 07:42:08 -05:00
if options.setup_dns:
2008-06-06 14:25:36 -05:00
print " * Configure DNS (bind)"
2010-10-29 15:23:21 -05:00
if options.setup_pkinit:
print " * Configure the KDC to enable PKINIT"
2008-06-06 14:25:36 -05:00
if not options.conf_ntp:
print ""
print "Excluded by options:"
print " * Configure the Network Time Daemon (ntpd)"
2008-01-25 16:08:36 -06:00
print ""
0000-12-31 18:09:24 -05:50
print "To accept the default shown in brackets, press the Enter key."
print ""
2011-10-21 14:25:21 -05:00
# Make sure the 389-ds ports are available
check_dirsrv(options.unattended)
0000-12-31 18:09:24 -05:50
2007-08-20 17:40:32 -05:00
realm_name = ""
host_name = ""
2007-09-20 14:10:21 -05:00
domain_name = ""
ip_address = ""
2007-08-20 17:40:32 -05:00
master_password = ""
2007-08-31 17:40:01 -05:00
dm_password = ""
admin_password = ""
2011-07-11 03:14:53 -05:00
reverse_zone = None
2007-08-20 17:40:32 -05:00
2007-09-20 14:10:21 -05:00
# check bind packages are installed
2009-06-25 07:42:08 -05:00
if options.setup_dns:
2009-11-13 09:57:51 -06:00
if not bindinstance.check_inst(options.unattended):
2010-11-08 16:13:48 -06:00
sys.exit("Aborting installation")
2007-09-20 14:10:21 -05:00
2011-03-03 15:03:44 -06:00
# Don't require an external DNS to say who we are if we are
# setting up a local DNS server.
options.no_host_dns = True
0000-12-31 18:09:24 -05:50
# check the hostname is correctly configured, it must be as the kldap
2010-12-01 10:22:56 -06:00
# utilities just use the hostname as returned by getaddrinfo to set
0000-12-31 18:09:24 -05:50
# up some of the standard entries
0000-12-31 18:09:24 -05:50
host_default = ""
0000-12-31 18:09:24 -05:50
if options.host_name:
0000-12-31 18:09:24 -05:50
host_default = options.host_name
0000-12-31 18:09:24 -05:50
else:
0000-12-31 18:09:24 -05:50
host_default = get_fqdn()
2008-02-20 09:16:19 -06:00
2011-06-24 09:56:25 -05:00
try:
if options.unattended:
2008-09-16 21:18:11 -05:00
verify_fqdn(host_default,options.no_host_dns)
2011-06-24 09:56:25 -05:00
host_name = host_default
else:
host_name = read_host_name(host_default,options.no_host_dns)
2011-10-06 04:26:03 -05:00
except BadHostError, e:
2011-06-24 09:56:25 -05:00
sys.exit(str(e) + "\n")
2008-02-15 19:47:29 -06:00
2008-05-20 09:17:20 -05:00
host_name = host_name.lower()
2011-11-15 13:39:31 -06:00
root_logger.debug("will use host_name: %s\n" % host_name)
2008-05-20 09:17:20 -05:00
2011-10-13 05:16:15 -05:00
system_hostname = get_fqdn()
if host_name != system_hostname:
print >>sys.stderr
print >>sys.stderr, "Warning: hostname %s does not match system hostname %s." \
% (host_name, system_hostname)
print >>sys.stderr, "System hostname will be updated during the installation process"
print >>sys.stderr, "to prevent service failures."
print >>sys.stderr
2008-02-15 19:47:29 -06:00
if not options.domain_name:
2008-02-25 16:16:18 -06:00
domain_name = read_domain_name(host_name[host_name.find(".")+1:], options.unattended)
2011-11-15 13:39:31 -06:00
root_logger.debug("read domain_name: %s\n" % domain_name)
2008-02-15 19:47:29 -06:00
else:
2008-02-25 16:16:18 -06:00
domain_name = options.domain_name
2007-09-20 14:10:21 -05:00
2008-05-20 09:17:20 -05:00
domain_name = domain_name.lower()
2012-01-04 13:04:21 -06:00
ip = get_server_ip_address(host_name, fstore, options.unattended, options)
2011-05-27 13:17:22 -05:00
ip_address = str(ip)
2011-07-11 03:14:53 -05:00
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
sys.exit(1)
2007-09-20 14:10:21 -05:00
2007-08-20 17:40:32 -05:00
if not options.realm_name:
2008-02-25 16:16:18 -06:00
realm_name = read_realm_name(domain_name, options.unattended)
2011-11-15 13:39:31 -06:00
root_logger.debug("read realm_name: %s\n" % realm_name)
2007-08-20 17:40:32 -05:00
else:
2008-06-03 10:28:27 -05:00
realm_name = options.realm_name.upper()
2007-08-20 17:40:32 -05:00
2010-11-01 12:51:14 -05:00
if not options.subject:
options.subject = "O=%s" % realm_name
2007-08-31 17:40:01 -05:00
if not options.dm_password:
0000-12-31 18:09:24 -05:50
dm_password = read_dm_password()
2011-10-06 01:22:08 -05:00
if dm_password is None:
sys.exit("\nDirectory Manager password required")
2007-08-20 17:40:32 -05:00
else:
2007-08-31 17:40:01 -05:00
dm_password = options.dm_password
2007-08-20 17:40:32 -05:00
if not options.master_password:
0000-12-31 18:09:24 -05:50
master_password = ipa_generate_password()
2007-08-20 17:40:32 -05:00
else:
master_password = options.master_password
0000-12-31 18:09:24 -05:50
2007-08-31 17:40:01 -05:00
if not options.admin_password:
0000-12-31 18:09:24 -05:50
admin_password = read_admin_password()
2011-10-06 01:22:08 -05:00
if admin_password is None:
sys.exit("\nIPA admin password required")
2007-08-31 17:40:01 -05:00
else:
admin_password = options.admin_password
2009-09-01 16:28:52 -05:00
if options.setup_dns:
if options.no_forwarders:
dns_forwarders = ()
elif options.forwarders:
dns_forwarders = options.forwarders
else:
dns_forwarders = read_dns_forwarders()
2011-07-26 07:53:19 -05:00
if options.reverse_zone:
reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
elif not options.no_reverse:
reverse_zone = bindinstance.get_reverse_zone_default(ip)
if not options.unattended and bindinstance.create_reverse():
reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
if reverse_zone is not None:
print "Using reverse zone %s" % reverse_zone
2009-09-08 02:03:55 -05:00
else:
dns_forwarders = ()
2011-11-15 13:39:31 -06:00
root_logger.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))
2009-09-01 16:28:52 -05:00
2011-12-07 06:58:35 -06:00
print
print "The IPA Master Server will be configured with:"
print "Hostname: %s" % host_name
print "IP address: %s" % ip_address
print "Domain name: %s" % domain_name
print "Realm name: %s" % realm_name
print
if options.setup_dns:
print "BIND DNS server will be configured to serve IPA domain with:"
print "Forwarders: %s" % ("No forwarders" if not dns_forwarders \
else ", ".join([str(ip) for ip in dns_forwarders]))
print "Reverse zone: %s" % ("No reverse zone" if options.no_reverse \
else reverse_zone)
print
if not options.unattended and not user_input("Continue to configure the system with these values?", False):
sys.exit("Installation aborted")
2011-11-29 02:10:31 -06:00
# Installation has started. No IPA sysrestore items are restored in case of
# failure to enable root cause investigation
installation_cleanup = False
2009-12-03 09:32:56 -06:00
# Create the management framework config file and finalize api
2011-08-30 09:32:40 -05:00
target_fname = '/etc/ipa/default.conf'
fd = open(target_fname, "w")
fd.write("[global]\n")
fd.write("host=" + host_name + "\n")
fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
fd.write("realm=" + realm_name + "\n")
fd.write("domain=" + domain_name + "\n")
2011-09-30 03:09:55 -05:00
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
2011-08-30 09:32:40 -05:00
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
fd.write("enable_ra=True\n")
if not options.selfsign:
fd.write("ra_plugin=dogtag\n")
fd.write("mode=production\n")
fd.close()
# Must be readable for everyone
os.chmod(target_fname, 0644)
2009-12-03 09:32:56 -06:00
api.bootstrap(**cfg)
api.finalize()
2007-09-20 14:10:21 -05:00
if not options.unattended:
print ""
print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned."
2009-09-10 15:15:14 -05:00
print ""
2008-02-20 10:03:46 -06:00
2011-10-13 05:16:15 -05:00
if host_name != system_hostname:
2011-11-15 13:39:31 -06:00
root_logger.debug("Chosen hostname (%s) differs from system hostname (%s) - change it" \
2011-10-13 05:16:15 -05:00
% (host_name, system_hostname))
# configure /etc/sysconfig/network to contain the custom hostname
ipaservices.backup_and_replace_hostname(fstore, sstore, host_name)
2011-01-28 14:45:19 -06:00
# Create DS group if it doesn't exist yet
try:
grp.getgrnam(dsinstance.DS_GROUP)
2011-11-15 13:39:31 -06:00
root_logger.debug("ds group %s exists" % dsinstance.DS_GROUP)
2011-01-28 14:45:19 -06:00
group_exists = True
except KeyError:
group_exists = False
args = ["/usr/sbin/groupadd", "-r", dsinstance.DS_GROUP]
try:
ipautil.run(args)
2011-11-15 13:39:31 -06:00
root_logger.debug("done adding DS group")
2011-01-28 14:45:19 -06:00
except ipautil.CalledProcessError, e:
2011-11-15 13:39:31 -06:00
root_logger.critical("failed to add DS group: %s" % e)
2011-01-28 14:45:19 -06:00
sstore.backup_state("install", "group_exists", group_exists)
2010-12-08 09:25:49 -06:00
# Configure ntpd
if options.conf_ntp:
ntp = ntpinstance.NTPInstance(fstore)
2011-01-26 09:53:02 -06:00
if not ntp.is_configured():
ntp.create_instance()
2008-07-11 10:34:29 -05:00
2010-12-08 15:35:12 -06:00
if options.selfsign:
ca = certs.CertDB(realm_name, host_name=host_name,
subject_base=options.subject)
ca.create_self_signed()
else:
2009-04-13 12:39:15 -05:00
# Clean up any previous self-signed CA that may exist
try:
os.remove(certs.CA_SERIALNO)
except:
pass
2009-09-10 15:15:14 -05:00
# Figure out what state we're in. See cainstance.py for more info on
# the 3 states.
2011-07-26 06:21:36 -05:00
if options.external_cert_file:
2009-09-10 15:15:14 -05:00
external = 2
2011-07-26 06:21:36 -05:00
elif options.external_ca:
external = 1
else:
external = 0
2009-09-10 15:15:14 -05:00
2011-06-10 14:28:46 -05:00
cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
if not cs.is_configured():
2011-03-14 15:27:19 -05:00
cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
2010-12-08 15:35:12 -06:00
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
2009-09-10 15:15:14 -05:00
if external == 0:
2011-01-28 14:45:19 -06:00
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=options.subject)
2009-09-10 15:15:14 -05:00
elif external == 1:
2011-06-10 14:28:46 -05:00
# stage 1 of external CA installation
2010-04-01 16:20:38 -05:00
options.realm_name = realm_name
options.domain_name = domain_name
options.master_password = master_password
2011-01-26 09:53:02 -06:00
options.dm_password = dm_password
options.admin_password = admin_password
2011-07-26 06:21:36 -05:00
options.host_name = host_name
2010-04-01 16:20:38 -05:00
options.unattended = True
2011-07-26 06:21:36 -05:00
options.forwarders = dns_forwarders
options.reverse_zone = reverse_zone
2011-11-03 05:08:26 -05:00
write_cache(vars(options))
2011-01-28 14:45:19 -06:00
ca.configure_instance(host_name, dm_password, dm_password,
csr_file="/root/ipa.csr",
subject_base=options.subject)
2009-09-10 15:15:14 -05:00
else:
2011-06-10 14:28:46 -05:00
# stage 2 of external CA installation
2011-01-28 14:45:19 -06:00
ca.configure_instance(host_name, dm_password, dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
subject_base=options.subject)
2009-09-10 15:15:14 -05:00
2010-12-10 13:53:06 -06:00
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert("/etc/ipa/ca.crt")
0000-12-31 18:09:24 -05:50
# Create a directory server instance
2011-03-01 07:17:03 -06:00
ds = dsinstance.DsInstance(fstore=fstore)
2010-12-08 09:25:49 -06:00
if options.dirsrv_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.dirsrv_pin)
os.close(pw_fd)
2008-07-11 10:34:29 -05:00
if options.dirsrv_pkcs12:
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
2009-04-01 21:39:44 -05:00
try:
2011-01-28 14:45:19 -06:00
ds.create_instance(realm_name, host_name, domain_name,
dm_password, pkcs12_info,
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
2009-04-01 21:39:44 -05:00
finally:
os.remove(pw_name)
2008-07-11 10:34:29 -05:00
else:
2011-01-28 14:45:19 -06:00
ds.create_instance(realm_name, host_name, domain_name,
2010-11-11 17:15:28 -06:00
dm_password, self_signed_ca=options.selfsign,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
0000-12-31 18:09:24 -05:50
2011-03-09 23:06:15 -06:00
# We need to ldap_enable the CA now that DS is up and running
2010-12-10 13:53:06 -06:00
if not options.selfsign:
ca.ldap_enable('CA', host_name, dm_password,
util.realm_to_suffix(realm_name))
2011-03-09 23:06:15 -06:00
# Turn on SSL in the dogtag LDAP instance. This will get restarted
# later, we don't need SSL now.
2011-03-14 15:27:19 -05:00
cs.create_certdb()
2011-03-09 23:06:15 -06:00
cs.enable_ssl()
2011-03-14 15:27:19 -05:00
# Add the IPA service for storing the PKI-IPA server certificate.
2011-06-08 14:56:29 -05:00
cs.add_simple_service(cs.principal)
2011-03-14 15:27:19 -05:00
cs.add_cert_to_service()
2011-03-09 23:06:15 -06:00
2010-12-10 13:53:06 -06:00
# Create a kerberos instance
2010-10-29 15:23:21 -05:00
if options.pkinit_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.dirsrv_pin)
os.close(pw_fd)
2009-02-02 12:50:53 -06:00
krb = krbinstance.KrbInstance(fstore)
2010-10-29 15:23:21 -05:00
if options.pkinit_pkcs12:
pkcs12_info = (options.pkinit_pkcs12, pw_name)
2011-01-28 14:45:19 -06:00
krb.create_instance(realm_name, host_name, domain_name,
2010-10-29 15:23:21 -05:00
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
pkcs12_info=pkcs12_info,
subject_base=options.subject)
else:
2011-01-28 14:45:19 -06:00
krb.create_instance(realm_name, host_name, domain_name,
2010-10-29 15:23:21 -05:00
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
self_signed_ca=options.selfsign,
subject_base=options.subject)
if options.pkinit_pin:
os.remove(pw_name)
0000-12-31 18:09:24 -05:50
2009-12-07 22:17:00 -06:00
# The DS instance is created before the keytab, add the SSL cert we
# generated
ds.add_cert_to_service()
2007-10-15 14:42:12 -05:00
# Create a HTTP instance
2008-07-11 10:34:29 -05:00
if options.http_pin:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.http_pin)
os.close(pw_fd)
2012-02-06 12:15:06 -06:00
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', host_name, dm_password, util.realm_to_suffix(realm_name))
2009-02-02 12:50:53 -06:00
http = httpinstance.HTTPInstance(fstore)
2008-07-11 10:34:29 -05:00
if options.http_pkcs12:
pkcs12_info = (options.http_pkcs12, pw_name)
2011-08-16 12:34:04 -05:00
http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect)
2008-07-11 10:34:29 -05:00
os.remove(pw_name)
else:
2011-08-16 12:34:04 -05:00
http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect)
2011-09-12 16:11:54 -05:00
ipaservices.restore_context("/var/cache/ipa/sessions")
0000-12-31 18:09:24 -05:50
2011-02-15 13:11:27 -06:00
set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
2010-01-20 10:26:20 -06:00
2008-09-15 17:15:12 -05:00
# Apply any LDAP updates. Needs to be done after the configuration file
# is created
service.print_msg("Applying LDAP updates")
ds.apply_updates()
2007-09-20 14:10:21 -05:00
# Restart ds and krb after configurations have been changed
2011-02-02 09:24:30 -06:00
service.print_msg("Restarting the directory server")
2007-06-28 18:09:54 -05:00
ds.restart()
2008-02-20 09:16:19 -06:00
2011-02-02 09:24:30 -06:00
service.print_msg("Restarting the KDC")
2007-09-20 14:10:21 -05:00
krb.restart()
2007-06-28 18:09:54 -05:00
2009-11-24 15:07:44 -06:00
# Restart httpd to pick up the new IPA configuration
2011-02-02 09:24:30 -06:00
service.print_msg("Restarting the web server")
2009-11-24 15:07:44 -06:00
http.restart()
2009-09-02 05:24:17 -05:00
# Create a BIND instance
bind = bindinstance.BindInstance(fstore, dm_password)
2011-08-31 07:42:57 -05:00
bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders,
options.conf_ntp, reverse_zone, zonemgr=options.zonemgr,
zone_refresh=options.zone_refresh,
zone_notif=options.zone_notif)
2009-09-02 05:24:17 -05:00
if options.setup_dns:
2009-09-02 09:22:50 -05:00
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
2009-09-02 05:24:17 -05:00
bind.create_instance()
else:
bind.create_sample_bind_zone()
2007-08-31 17:40:01 -05:00
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
2008-02-20 09:16:19 -06:00
# Call client install script
try:
2011-12-07 02:40:51 -06:00
args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name]
if not options.create_sshfp:
args.append("--no-dns-sshfp")
2011-12-07 02:49:09 -06:00
if options.trust_sshfp:
args.append("--ssh-trust-dns")
if not options.conf_sshd:
args.append("--no-sshd")
2011-12-07 02:40:51 -06:00
run(args)
2008-02-20 09:16:19 -06:00
except Exception, e:
2010-11-08 16:13:48 -06:00
sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
2008-02-20 09:16:19 -06:00
2010-12-04 14:42:14 -06:00
#Everything installed properly, activate ipa service.
2011-09-12 16:11:54 -05:00
ipaservices.knownservices.ipa.enable()
2010-12-04 14:42:14 -06:00
0000-12-31 18:09:24 -05:50
print "=============================================================================="
print "Setup complete"
print ""
print "Next steps:"
2008-06-06 14:25:36 -05:00
print "\t1. You must make sure these network ports are open:"
0000-12-31 18:09:24 -05:50
print "\t\tTCP Ports:"
2008-01-25 16:08:36 -06:00
print "\t\t * 80, 443: HTTP/HTTPS"
0000-12-31 18:09:24 -05:50
print "\t\t * 389, 636: LDAP/LDAPS"
0000-12-31 18:09:24 -05:50
print "\t\t * 88, 464: kerberos"
2009-06-25 07:42:08 -05:00
if options.setup_dns:
2008-06-06 14:25:36 -05:00
print "\t\t * 53: bind"
0000-12-31 18:09:24 -05:50
print "\t\tUDP Ports:"
0000-12-31 18:09:24 -05:50
print "\t\t * 88, 464: kerberos"
2009-06-25 07:42:08 -05:00
if options.setup_dns:
2008-06-06 14:25:36 -05:00
print "\t\t * 53: bind"
if options.conf_ntp:
print "\t\t * 123: ntp"
0000-12-31 18:09:24 -05:50
print ""
2008-02-05 11:23:53 -06:00
print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'"
2010-02-03 13:47:51 -06:00
print "\t This ticket will allow you to use the IPA tools (e.g., ipa user-add)"
0000-12-31 18:09:24 -05:50
print "\t and the web user interface."
2011-09-12 16:11:54 -05:00
if not ipaservices.knownservices.ntpd.is_running():
0000-12-31 18:09:24 -05:50
print "\t3. Kerberos requires time synchronization between clients"
print "\t and servers for correct operation. You should consider enabling ntpd."
2008-02-05 11:23:53 -06:00
print ""
2010-03-10 10:55:48 -06:00
if options.http_pkcs12:
2008-07-11 10:34:29 -05:00
print "In order for Firefox autoconfiguration to work you will need to"
print "use a SSL signing certificate. See the IPA documentation for more details."
2010-03-10 10:55:48 -06:00
print "You also need to install a PEM copy of the CA certificate into"
2008-07-11 10:34:29 -05:00
print "/usr/share/ipa/html/ca.crt"
2010-03-10 10:55:48 -06:00
else:
if options.selfsign:
print "Be sure to back up the CA certificate stored in /etc/httpd/alias/cacert.p12"
print "The password for this file is in /etc/httpd/alias/pwdfile.txt"
else:
print "Be sure to back up the CA certificate stored in /root/cacert.p12"
print "This file is required to create replicas. The password for this"
print "file is the Directory Manager password"
0000-12-31 18:09:24 -05:50
2011-01-26 09:53:02 -06:00
if ipautil.file_exists(ANSWER_CACHE):
os.remove(ANSWER_CACHE)
0000-12-31 18:09:24 -05:50
return 0
0000-12-31 18:09:24 -05:50
try:
2011-11-29 02:10:31 -06:00
success = True
2008-07-11 10:34:29 -05:00
try:
2011-11-29 02:10:31 -06:00
rval = main()
if rval != 0:
success = False
sys.exit(rval)
2008-07-11 10:34:29 -05:00
except SystemExit, e:
2011-11-29 02:10:31 -06:00
if e.code is not None or e.code != 0:
success = False
2008-07-11 10:34:29 -05:00
sys.exit(e)
except Exception, e:
2011-11-29 02:10:31 -06:00
success = False
2010-04-27 16:51:13 -05:00
if uninstalling:
2010-04-27 09:35:07 -05:00
message = "Unexpected error - see ipaserver-uninstall.log for details:\n %s" % str(e)
2010-04-27 16:51:13 -05:00
else:
2010-04-27 09:35:07 -05:00
message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e)
2008-07-11 10:34:29 -05:00
print message
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
2011-11-15 13:39:31 -06:00
root_logger.debug(message)
2008-07-11 10:34:29 -05:00
sys.exit(1)
finally:
if pw_name and ipautil.file_exists(pw_name):
os.remove(pw_name)
2011-11-29 02:10:31 -06:00
if not success and installation_cleanup:
# Do a cautious clean up as we don't know what failed and what is
# the state of the environment
try:
fstore.restore_file('/etc/hosts')
except:
pass