IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-29 10:21:18 -06:00
Code Issues Packages Projects Releases Wiki Activity
cf35dfa2bc
freeipa/install/tools/ipa-replica-prepare

473 lines
18 KiB
Plaintext
Raw Normal View History

Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
#
import sys
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
import tempfile, shutil, os, pwd
from ipapython.ipa_log_manager import *
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
import traceback
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
from ConfigParser import SafeConfigParser
import krbV
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import ipautil
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
from ipaserver.install import bindinstance, dsinstance, installutils, certs
replica-prepare: anonymous binds may be disallowed Fixes: https://fedorahosted.org/freeipa/ticket/1900
2011-10-06 01:37:17 -05:00
from ipaserver.install.bindinstance import add_zone, add_reverse_zone, add_fwd_rr, add_ptr_rr, dns_container_exists
Remove checks for ds-replication plugin The replication plugin is no longer shipped as a separate package. Remove the code checking its existence. https://fedorahosted.org/freeipa/ticket/1815
2011-09-20 03:40:16 -05:00
from ipaserver.install.replication import enable_replication_version_checking
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
from ipaserver.plugins.ldap2 import ldap2
Rename ipa-python directory to ipapython so it is a real python library We used to install it as ipa, now installing it as ipapython. The rpm is still ipa-python.
2009-02-05 14:03:08 -06:00
from ipapython import version
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
from ipapython.config import IPAOptionParser
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
from ipalib import api, errors, util
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
def parse_options():
Add standard override options to ipa-replica-prepare Fixes: 462489
2008-09-17 04:06:48 -05:00
usage = "%prog [options] FQDN (e.g. replica.example.com)"
Parse netmasks in IP addresses passed to server install. ticket 1212
2011-05-27 13:17:22 -05:00
parser = IPAOptionParser(usage=usage, version=version.VERSION)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
help="install certificate for the directory server")
parser.add_option("--http_pkcs12", dest="http_pkcs12",
help="install certificate for the http server")
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
help="install certificate for the KDC")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
help="PIN for the Directory Server PKCS#12 file")
parser.add_option("--http_pin", dest="http_pin",
help="PIN for the Apache Server PKCS#12 file")
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
parser.add_option("--pkinit_pin", dest="pkinit_pin",
help="PIN for the KDC pkinit PKCS#12 file")
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
parser.add_option("-p", "--password", dest="password",
Used the encrypt_file and decrypt_file utility functions to encrypt replica information. This way we do not risk to leave around sensitive data. Set the destination host in the replica file too and do checks against in ipa-replica-install
2008-08-08 07:53:55 -05:00
help="Directory Manager (existing master) password")
Add A and PTR records during ipa-replica-prepare Fixes #528996
2009-11-23 09:16:58 -06:00
parser.add_option("--ip-address", dest="ip_address",
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
type="ip", help="Add A and PTR records of the future replica")
parser.add_option("--reverse-zone", dest="reverse_zone",
help="The reverse DNS zone to use")
parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create reverse DNS zone")
Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12 pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12.
2010-03-10 10:53:24 -06:00
parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
help="Location of CA PKCS#12 file, default /root/cacert.p12")
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Rework config.py and change cli tools. Maintain order of IPA servers from command line, config and DNS. Parse options before detecting IPA configuration. Don't ignore rest of the options if one is missing in ipa.conf. Drop the --usage options, we will rely on --help. Fixes: 458869, 459070, 458980, 459234
2008-08-15 11:08:01 -05:00
options, args = parser.parse_args()
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
if not options.ip_address:
if options.reverse_zone:
parser.error("You cannot specify a --reverse-zone option without the --ip-address option")
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --ip-address option")
elif options.reverse_zone and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
# If any of the PKCS#12 options are selected, all are required. Create a
# list of the options and count it to enforce that all are required without
# having a huge set of it blocks.
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if options.setup_pkinit:
pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin,
options.http_pkcs12, options.http_pin,
options.pkinit_pkcs12, options.pkinit_pin]
num = 6
else:
pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin,
options.http_pkcs12, options.http_pin]
num = 4
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
cnt = pkcs12.count(None)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if cnt > 0 and cnt < num:
Remove unnecessary "error: " prefixes The parser.error() method prepends the "error: " prefix itself. Adding it to the error string is not necessary and doesn't look good.
2009-11-23 01:42:30 -06:00
parser.error("All PKCS#12 options are required if any are used.")
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Rework config.py and change cli tools. Maintain order of IPA servers from command line, config and DNS. Parse options before detecting IPA configuration. Don't ignore rest of the options if one is missing in ipa.conf. Drop the --usage options, we will rely on --help. Fixes: 458869, 459070, 458980, 459234
2008-08-15 11:08:01 -05:00
if len(args) != 1:
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
parser.error("must provide the fully-qualified name of the replica")
return options, args
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
def get_subject_base(host_name, dm_password, suffix):
try:
Use ldapi: instead of unsecured ldap: in ipa core tools. The patch also corrects exception handling in some of the tools. Fix #874
2011-02-15 13:11:27 -06:00
conn = ldap2(shared_instance=False, base_dn=suffix)
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e:
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.critical("Could not connect to the Directory Server on %s" % host_name)
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
raise e
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
2010-03-24 09:51:31 -05:00
(dn, entry_attrs) = conn.get_ipa_config()
conn.disconnect()
return entry_attrs.get('ipacertificatesubjectbase', [None])[0]
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def check_ipa_configuration(realm_name):
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
if not ipautil.dir_exists(config_dir):
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.error("could not find directory instance: %s" % config_dir)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
sys.exit(1)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subject_base=None, is_kdc=False):
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
"""realm is the kerberos realm for the IPA server.
ds_dir is the location of the master DS we are creating a replica for.
dir is the location of the files for the replica we are creating.
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
passwd_fname is the file containing the PKCS#12 password
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
fname is the filename of the PKCS#12 file for this cert (minus the .p12).
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
hostname is the FQDN of the server we're creating a cert for.
The subject is handled by certs.CertDB:create_server_cert()
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
"""
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if is_kdc:
nickname = "KDC-Cert"
else:
nickname = "Server-Cert"
Add some additional error handling 433347
2008-02-20 15:31:32 -06:00
try:
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
self_signed = certs.ipa_self_signed()
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
db = certs.CertDB(realm_name, nssdir=dir, subject_base=subject_base)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
db.create_passwd_file()
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
ca_db = certs.CertDB(realm_name, host_name=api.env.host, subject_base=subject_base)
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if is_kdc:
ca_db.create_kdc_cert("KDC-Cert", hostname, dir)
else:
db.create_from_cacert(ca_db.cacert_fname)
db.create_server_cert(nickname, hostname, ca_db)
Add some additional error handling 433347
2008-02-20 15:31:32 -06:00
except Exception, e:
raise e
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
pkcs12_fname = dir + "/" + fname + ".p12"
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
try:
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if is_kdc:
ca_db.export_pem_p12(pkcs12_fname, passwd_fname,
nickname, dir + "/kdc.pem")
else:
db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
except ipautil.CalledProcessError, e:
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
print "error exporting Server certificate: " + str(e)
Fix replica installation for self-signed CA (no dogtag)
2009-04-28 16:05:39 -05:00
remove_file(pkcs12_fname)
remove_file(passwd_fname)
remove_file(dir + "/cert8.db")
remove_file(dir + "/key3.db")
remove_file(dir + "/secmod.db")
remove_file(dir + "/noise.txt")
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if is_kdc:
remove_file(dir + "/kdc.pem")
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
if ipautil.file_exists(passwd_fname + ".orig"):
Fix replica installation for self-signed CA (no dogtag)
2009-04-28 16:05:39 -05:00
remove_file(passwd_fname + ".orig")
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
def export_ra_pkcs12(dir, dm_password):
"""
dir is the location of the files for the replica we are creating.
dm_password is the Directory Manager password
If this install is using dogtag/RHCS then export the RA certificate.
"""
if certs.ipa_self_signed():
return
(agent_fd, agent_name) = tempfile.mkstemp()
os.write(agent_fd, dm_password)
os.close(agent_fd)
try:
try:
Move Selfsigned CA creation out of dsinstance This allows us to have the CA ready to serve out certs for any operation even before the dsinstance is created. The CA is independent of the dsinstance anyway. Also fixes: https://fedorahosted.org/freeipa/ticket/544
2010-12-08 15:35:12 -06:00
db = certs.CertDB(api.env.realm, host_name=api.env.host)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
if db.has_nickname("ipaCert"):
pkcs12_fname = "%s/ra.p12" % dir
db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
except Exception, e:
raise e
finally:
os.remove(agent_name)
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
def save_config(dir, realm_name, host_name,
domain_name, dest_host,
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
subject_base):
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
config = SafeConfigParser()
config.add_section("realm")
config.set("realm", "realm_name", realm_name)
config.set("realm", "master_host_name", host_name)
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
config.set("realm", "domain_name", domain_name)
Used the encrypt_file and decrypt_file utility functions to encrypt replica information. This way we do not risk to leave around sensitive data. Set the destination host in the replica file too and do checks against in ipa-replica-install
2008-08-08 07:53:55 -05:00
config.set("realm", "destination_host", dest_host)
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
config.set("realm", "subject_base", subject_base)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
fd = open(dir + "/realm_info", "w")
config.write(fd)
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
Fix replica installation for self-signed CA (no dogtag)
2009-04-28 16:05:39 -05:00
def remove_file(fname, ignore_errors=True):
try:
os.remove(fname)
except OSError, e:
if not ignore_errors:
raise e
Convert replication to use the new cert infrastructure and correctly issue certs from the same authority. Also remove support for read-only replicas since that work will not be finished and tested for 1.0.
0000-12-31 18:09:24 -05:50
def copy_files(realm_name, dir):
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
Don't assume that the Firefox autoconfig files exist. These are created by an object-signing cert and needs to be done after the fact if a server is created with user-supplied PKCS#12 files. 452402
2008-07-25 15:56:42 -05:00
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
try:
Make sure the CA cert is copied to the replica, fail if no ca.crt is available. Cope with some versions of ipa that forgot to copy the ca.crt cert in the right place.
2008-12-01 14:06:20 -06:00
shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
Don't assume that the Firefox autoconfig files exist. These are created by an object-signing cert and needs to be done after the fact if a server is created with user-supplied PKCS#12 files. 452402
2008-07-25 15:56:42 -05:00
if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if ipautil.file_exists("/var/kerberos/krb5kdc/cacert.pem"):
shutil.copy("/var/kerberos/krb5kdc/cacert.pem", dir + "/cacert.pem")
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Used the encrypt_file and decrypt_file utility functions to encrypt replica information. This way we do not risk to leave around sensitive data. Set the destination host in the replica file too and do checks against in ipa-replica-install
2008-08-08 07:53:55 -05:00
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
def main():
Check IPA configuration in install tools Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools. https://fedorahosted.org/freeipa/ticket/1327 https://fedorahosted.org/freeipa/ticket/1347
2011-07-18 02:33:57 -05:00
installutils.check_server_configuration()
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
options, args = parse_options()
Rework config.py and change cli tools. Maintain order of IPA servers from command line, config and DNS. Parse options before detecting IPA configuration. Don't ignore rest of the options if one is missing in ipa.conf. Drop the --usage options, we will rely on --help. Fixes: 458869, 459070, 458980, 459234
2008-08-15 11:08:01 -05:00
replica_fqdn = args[0]
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
# Just initialize the environment. This is so the installer can have
# access to the plugin environment
Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
2010-02-08 07:21:46 -06:00
api.bootstrap(in_server=True)
api.finalize()
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
Make pkinit setup optional in ipa-replica-prepare too. Also add fixes for ipa-replica-install as that had issues too. Fixes: https://fedorahosted.org/freeipa/ticket/527
2010-11-22 12:29:56 -06:00
#Automatically disable pkinit w/ dogtag until that is supported
#[certs.ipa_self_signed() must be called only after api.finalize()]
if not options.pkinit_pkcs12 and not certs.ipa_self_signed():
options.setup_pkinit = False
Detect CA installation type in ipa-replica-prepare and ipa-ca-install. ipa-ca-install can only add a dogtag CA to an IPA install. ipa-replica-prepare can only be run on the initial master with a selfsign backend. https://fedorahosted.org/freeipa/ticket/1756 https://fedorahosted.org/freeipa/ticket/1757
2011-09-27 10:44:20 -05:00
if certs.ipa_self_signed_master() == False:
sys.exit('A selfsign CA backend can only prepare on the original master')
replica-prepare: anonymous binds may be disallowed Fixes: https://fedorahosted.org/freeipa/ticket/1900
2011-10-06 01:37:17 -05:00
# get the directory manager password
dirman_password = options.password
if not options.password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
sys.exit("\nDirectory Manager password required")
# Try out the password
try:
conn = ldap2(shared_instance=False)
conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
conn.disconnect()
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
except errors.LDAPError:
sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing. Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name. ticket 680
2011-01-10 16:16:25 -06:00
try:
Check hostname resolution sanity Always check (even with --setup-dns or --no-host-dns) that if the host name or ip address resolves, it resolves to sane value. Otherwise report an error. Misconfigured /etc/hosts causing these errors could harm the installation later. https://fedorahosted.org/freeipa/ticket/1923
2011-10-07 07:23:20 -05:00
installutils.verify_fqdn(replica_fqdn, local_hostname=False)
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
except BadHostError, e:
Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing. Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name. ticket 680
2011-01-10 16:16:25 -06:00
msg = str(e)
Improve ipa-replica-prepare DNS check Currently, verify_fqdn() function raises RuntimeError for every problem with the hostname. This makes it difficult for tools like ipa-replica-prepare to behave differently for a subset of raised errors (for example to be able to create a DNS record for new replica when verify_fqdn() reports a lookup error). Implement own exceptions for verify_fqdn() that they can be safely used to distinguish the error type. https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 04:26:03 -05:00
if isinstance(e, HostLookupError):
Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing. Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name. ticket 680
2011-01-10 16:16:25 -06:00
if options.ip_address is None:
replica-prepare: anonymous binds may be disallowed Fixes: https://fedorahosted.org/freeipa/ticket/1900
2011-10-06 01:37:17 -05:00
if dns_container_exists(api.env.host, api.env.basedn,
dm_password=dirman_password,
ldapi=True, realm=api.env.realm):
Exit if a DNS A or AAAA record doesn't exist for the replica we are preparing. Without this it is possible to prepare a replica for a host that doesn't exist in DNS. The result when this replica file is installed is that replication will fail because the master won't be able to communicate to the replica by name. ticket 680
2011-01-10 16:16:25 -06:00
msg += '\nAdd the --ip-address argument to create a DNS entry.'
sys.exit(msg)
else:
# The host doesn't exist in DNS but we're adding it.
pass
else:
sys.exit(msg)
Add A and PTR records during ipa-replica-prepare Fixes #528996
2009-11-23 09:16:58 -06:00
if options.ip_address:
replica-prepare: anonymous binds may be disallowed Fixes: https://fedorahosted.org/freeipa/ticket/1900
2011-10-06 01:37:17 -05:00
if not dns_container_exists(api.env.host, api.env.basedn,
dm_password=dirman_password,
ldapi=True, realm=api.env.realm):
Add A and PTR records during ipa-replica-prepare Fixes #528996
2009-11-23 09:16:58 -06:00
print "You can't add a DNS record because DNS is not set up."
sys.exit(1)
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
sys.exit(1)
Add A and PTR records during ipa-replica-prepare Fixes #528996
2009-11-23 09:16:58 -06:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
2010-02-08 07:21:46 -06:00
check_ipa_configuration(api.env.realm)
Verify current domain with user during installation Use that domain when creating replicas Resolves 432066
2008-02-15 19:47:29 -06:00
Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
2010-02-08 07:21:46 -06:00
if api.env.host == replica_fqdn:
Don't allow a replica to prepare a replica for itself. 442756
2008-04-22 08:50:04 -05:00
print "You can't create a replica on itself"
sys.exit(1)
Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
2010-02-08 07:21:46 -06:00
ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
2010-02-08 07:21:46 -06:00
print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host)
Disable replication version plugin by default. The 389-ds replication plugin may not be installed on all platforms and our replication version plugin will cause 389-ds to not start if it is loaded and the replication plugin is not. So disable by default. When a replica is prepared we check for the replication plugin. If it exists we will enable the replication version plugin. Likewise on installation of a replica we check for existence of the repliation plugin and if it is there then we enable the version plugin before replication begins. ticket 918
2011-02-08 21:24:54 -06:00
enable_replication_version_checking(api.env.host, api.env.realm,
dirman_password)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
2010-02-08 07:21:46 -06:00
subject_base = get_subject_base(api.env.host, dirman_password, util.realm_to_suffix(api.env.realm))
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
top_dir = tempfile.mkdtemp("ipa")
dir = top_dir + "/realm_info"
os.mkdir(dir, 0700)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if options.dirsrv_pin:
passwd = options.dirsrv_pin
else:
passwd = ""
passwd_fname = dir + "/dirsrv_pin.txt"
fd = open(passwd_fname, "w")
fd.write("%s\n" % passwd)
fd.close()
if options.dirsrv_pkcs12:
print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12
try:
shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12")
except IOError, e:
print "Copy failed %s" % e
sys.exit(1)
else:
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
try:
if not certs.ipa_self_signed():
# FIXME, need option for location of CA backup
Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12 pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12.
2010-03-10 10:53:24 -06:00
if ipautil.file_exists(options.ca_file):
shutil.copy(options.ca_file, dir + "/cacert.p12")
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
else:
Make CA PKCS#12 location arg for ipa-replica-prepare, default /root/cacert.p12 pki-silent puts a copy of the root CA into /root/tmp-ca.p12. Rename this to /root/cacert.p12.
2010-03-10 10:53:24 -06:00
raise RuntimeError("Root CA PKCS#12 not found in %s" % options.ca_file)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
except IOError, e:
print "Copy failed %s" % e
sys.exit(1)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
print "Creating SSL certificate for the Directory Server"
Properly handle CertificateOperationErrors in replication prepration. The problem here was two-fold: the certs manager was raising an error it didn't know about and ipa-replica-prepare wasn't catching it. ticket 249
2010-09-20 12:35:32 -05:00
try:
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
except errors.CertificateOperationError, e:
print "%s" % e
sys.exit(1)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. This fixes 2 AVCS: * One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389. * We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
2011-03-14 15:27:19 -05:00
if not certs.ipa_self_signed():
print "Creating SSL certificate for the dogtag Directory Server"
try:
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base)
except errors.CertificateOperationError, e:
print "%s" % e
sys.exit(1)
Rework the way SSL certificates are imported from PKCS#12 files. Add the ability to provide PKCS#12 files during initial installation Add the ability to provide PKCS#12 files when preparing a replica Correct some issues with ipa-server-certinstall 452402
2008-07-11 10:34:29 -05:00
if options.http_pin:
passwd = options.http_pin
else:
passwd = ""
passwd_fname = dir + "/http_pin.txt"
fd = open(passwd_fname, "w")
fd.write("%s\n" % passwd)
fd.close()
if options.http_pkcs12:
print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12
try:
shutil.copy(options.http_pkcs12, dir + "/httpcert.p12")
except IOError, e:
print "Copy failed %s" % e
sys.exit(1)
else:
print "Creating SSL certificate for the Web Server"
Properly handle CertificateOperationErrors in replication prepration. The problem here was two-fold: the certs manager was raising an error it didn't know about and ipa-replica-prepare wasn't catching it. ticket 249
2010-09-20 12:35:32 -05:00
try:
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn, subject_base)
except errors.CertificateOperationError, e:
print "%s" % e
sys.exit(1)
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently.
2009-07-10 15:18:16 -05:00
print "Exporting RA certificate"
export_ra_pkcs12(dir, dirman_password)
User-defined certificate subjects Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.
2010-01-20 10:26:20 -06:00
pkinit-replica: create certificates for replicas too altough the kdc certificate name is not tied to the fqdn we create separate certs for each KDC so that renewal of each of them is done separately.
2010-11-03 17:17:36 -05:00
if options.setup_pkinit:
if options.pkinit_pin:
passwd = options.pkinit_pin
else:
passwd = ""
passwd_fname = dir + "/pkinit_pin.txt"
fd = open(passwd_fname, "w")
fd.write("%s\n" % passwd)
fd.close()
if options.pkinit_pkcs12:
print "Copying SSL certificate for the KDC from %s" % options.pkinit_pkcs12
try:
shutil.copy(options.pkinit_pkcs12, dir + "/pkinitcert.p12")
except IOError, e:
print "Copy failed %s" % e
sys.exit(1)
else:
print "Creating SSL certificate for the KDC"
try:
export_certdb(api.env.realm, ds_dir, dir,
passwd_fname, "pkinitcert",
replica_fqdn, subject_base,
is_kdc=True)
except errors.CertificateOperationError, e:
print "%s" % e
sys.exit(1)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
print "Copying additional files"
Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. Additionally, we add the dns_container_exists() function that will be used in ipa-replica-prepare (next patch).
2010-02-08 07:21:46 -06:00
copy_files(api.env.realm, dir)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
print "Finalizing configuration"
Use a common group for all DS instances Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user. Fixes: https://fedorahosted.org/freeipa/ticket/851
2011-01-28 14:45:19 -06:00
save_config(dir, api.env.realm, api.env.host, api.env.domain, replica_fqdn, subject_base)
Used the encrypt_file and decrypt_file utility functions to encrypt replica information. This way we do not risk to leave around sensitive data. Set the destination host in the replica file too and do checks against in ipa-replica-install
2008-08-08 07:53:55 -05:00
replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
encfile = replicafile+".gpg"
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Used the encrypt_file and decrypt_file utility functions to encrypt replica information. This way we do not risk to leave around sensitive data. Set the destination host in the replica file too and do checks against in ipa-replica-install
2008-08-08 07:53:55 -05:00
print "Packaging replica information into %s" % encfile
ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
Fix replica installation for self-signed CA (no dogtag)
2009-04-28 16:05:39 -05:00
remove_file(replicafile)
Initial replication setup. This add replication setup through two new commands: ipa-replica-prepare and ipa-replica-install. The procedure is to run ipa-replica-prepare on an existing master. This will collect information about the realm and the current master and create a file storing all of the information. After copying that file to the new replica, ipa-replica-install is run (with -r to create a read-only replica). This version of the patch also includes fixes for the sasl mappings on the replicas. Remaining features: - ssl for replication. - automatic configuration of mesh topology for master (or a simpler way to replicate multiple masters. - tool for view / configuring current replication.
0000-12-31 18:09:24 -05:50
shutil.rmtree(dir)
Add A and PTR records during ipa-replica-prepare Fixes #528996
2009-11-23 09:16:58 -06:00
if options.ip_address:
print "Adding DNS records for %s" % replica_fqdn
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dirman_password)
domain = replica_fqdn.split(".")
name = domain.pop(0)
domain = ".".join(domain)
Honor netmask in DNS reverse zone setup. ticket 910
2011-05-27 13:29:33 -05:00
ip = options.ip_address
ip_address = str(ip)
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
if options.reverse_zone:
reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
else:
reverse_zone = bindinstance.find_reverse_zone(ip)
if reverse_zone is None and not options.no_reverse:
reverse_zone = bindinstance.get_reverse_zone_default(ip)
Honor netmask in DNS reverse zone setup. ticket 910
2011-05-27 13:29:33 -05:00
Improve DNS zone creation When a new DNS zone is being created a local hostname is set as a nameserver of the new zone. However, when the zone is created during ipa-replica-prepare, the the current master/replica doesn't have to be an IPA server with DNS support. This would lead to DNS zones with incorrect NS records as they wouldn't point to a valid name server. Now, a list of all master servers with DNS support is retrieved during DNS zone creation and added as NS records for a new DNS zone. https://fedorahosted.org/freeipa/ticket/1261
2011-06-01 07:51:06 -05:00
add_zone(domain)
add_fwd_rr(domain, name, ip_address)
Fix creation of reverse DNS zones. Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
2011-07-11 03:14:53 -05:00
if reverse_zone is not None:
print "Using reverse zone %s" % reverse_zone
add_reverse_zone(reverse_zone)
add_ptr_rr(reverse_zone, ip_address, replica_fqdn)
Add A and PTR records during ipa-replica-prepare Fixes #528996
2009-11-23 09:16:58 -06:00
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
try:
if not os.geteuid()==0:
sys.exit("\nYou must be root to run this script.\n")
main()
Missed a place to translate the realm name into an instance name Catch SystemExit exceptions otherwise a trace will be shown with python 2.4
2008-02-08 14:10:26 -06:00
except SystemExit, e:
sys.exit(e)
Check IPA configuration in install tools Install tools may fail with unexpected error when IPA server is not installed on a system. Improve user experience by implementing a check to affected tools. https://fedorahosted.org/freeipa/ticket/1327 https://fedorahosted.org/freeipa/ticket/1347
2011-07-18 02:33:57 -05:00
except RuntimeError, e:
sys.exit(e)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
except Exception, e:
print "preparation of replica failed: %s" % str(e)
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
2011-11-15 13:39:31 -06:00
root_logger.debug(message)
Use file to store the current CA serial number No longer create a PKCS#12 file that contains the CA No longer send the entire CA to each replica, generate the SSL certs on master Fix number of bugs in ipa-replica-install and prepare Produce status output during replica creation
2008-02-05 11:23:53 -06:00
print message
sys.exit(1)
Reference in New Issue Copy Permalink