freeipa/ipa-server/ipa-install/ipa-server-install

#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#


# requires the following packages:
# fedora-ds-base
# openldap-clients
# nss-tools

VERSION = "%prog .1"

import sys
sys.path.append("/usr/share/ipa")

import os
import socket
import logging
import pwd
import getpass
import subprocess
import signal
import shutil
import glob
from optparse import OptionParser
import ipaserver.dsinstance
import ipaserver.krbinstance
import ipaserver.bindinstance
from ipa.ipautil import run

def parse_options():
    parser = OptionParser(version=VERSION)
    parser.add_option("-u", "--user", dest="ds_user",
                      help="ds user")
    parser.add_option("-r", "--realm", dest="realm_name",
                      help="realm name")
    parser.add_option("-p", "--ds-password", dest="dm_password",
                      help="admin password")
    parser.add_option("-P", "--master-password", dest="master_password",
                      help="kerberos master password")
    parser.add_option("-a", "--admin-password", dest="admin_password",
                      help="admin user kerberos password")
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      default=False, help="print debugging information")
    parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
    parser.add_option("--ip-address", dest="ip_address", help="Master Server IP Address")
    parser.add_option("--setup-bind", dest="setup_bind", action="store_true",
                      default=False, help="configure bind with our zone file")
    parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                      default=False, help="unattended installation never prompts the user")

    options, args = parser.parse_args()

    if options.unattended and (not options.ds_user or
                               not options.realm_name or
                               not options.dm_password or
                               not options.admin_password or
                               not options.master_password):
        parser.error("error: In unattended mode you need to provide iat least -u, -r, -p and -P options")

    return options

def logging_setup(options):
    # Always log everything (i.e., DEBUG) to the log
    # file.
    logging.basicConfig(level=logging.DEBUG,
                        format='%(asctime)s %(levelname)s %(message)s',
                        filename='ipaserver-install.log',
                        filemode='w')

    console = logging.StreamHandler()
    # If the debug option is set, also log debug messages to the console
    if options.debug:
        console.setLevel(logging.DEBUG)
    else:
        # Otherwise, log critical and error messages
        console.setLevel(logging.ERROR)
    formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
    console.setFormatter(formatter)
    logging.getLogger('').addHandler(console)

def erase_ds_instance_data(serverid):
    try:
        shutil.rmtree("/etc/dirsrv/slapd-%s" % serverid)
    except:
        pass
    try:
        shutil.rmtree("/var/lib/dirsrv/slapd-%s" % serverid)
    except:
        pass
    try:
        shutil.rmtree("/var/lock/dirsrv/slapd-%s" % serverid)
    except:
        pass

def signal_handler(signum, frame):
    global ds
    print "\nCleaning up..."
    if ds:
        print "Removing configuration for %s instance" % ds.serverid
        ds.stop()
        if ds.serverid:
            erase_ds_instance_data (ds.serverid)
    sys.exit(1)

def check_existing_installation():
    dirs = glob.glob("/etc/dirsrv/slapd-*")
    if not dirs:
        return
    yesno = raw_input("An existing Directory Server has been detected.  Do you wish to remove it and create a new one? [y/N]: ")
    if yesno.lower() != "y":
        sys.exit(1)
    for d in dirs:
        serverid = os.path.basename(d).split("slapd-", 1)[1]
        if serverid:
            erase_ds_instance_data (serverid)

def main():
    global ds
    ds = None
    
    if os.getegid() != 0:
        print "Must be root to setup server"
        return
    
    signal.signal(signal.SIGTERM, signal_handler)
    signal.signal(signal.SIGINT, signal_handler)

    check_existing_installation()

    options = parse_options()
    logging_setup(options)

    ds_user = ""
    realm_name = ""
    host_name = ""
    domain_name = ""
    ip_address = ""
    master_password = ""
    dm_password = ""
    admin_password = ""

    # check bind packages are installed
    bind = ipaserver.bindinstance.BindInstance()
    if options.setup_bind:
        if not bind.check_inst():
            print "--setup-bind was specified but bind is not installed on the system"
            print "Please install bind (you also need the package 'caching-nameserver') and restart the setup program"
            return "-Fatal Error-"

    # check the hostname is correctly configured, it must be as the kldap
    # utilities just use the hostname as returned by gethostbyname to set
    # up some of the standard entries

    host_name = ""
    if options.host_name:
        host_name = options.host_name
    else:
        try:
            host_name = socket.gethostname()
        except:
            pass
        if options.unattended:
           if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
               print "Invalid hostname: "+host_name
               print "This host name can't be used as a hostname for an IPA Server"
               return "-Fatal Error-"
        else:
            host_ok = False
            while not host_ok:
               if host_name == "":
                   print ""
                   host_name = raw_input("Please provide a Fully Qualified name to use for your system [master.example.com]: ")
                   if host_name == "":
                       host_name = "master.example.com"
    
               if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
                   print "Invalid hostname: "+host_name
                   print "This host name can't be used as a hostname for an IPA Server"
                   host_name = ""
                   continue
               else:
                   host_ok = True
    
               yesno = raw_input("Please confirm this ["+host_name+"] is the server hostname you want to use [Y/n]: ")
               if yesno != "" and yesno.lower() != 'y':
                   host_name = ""
                   host_ok = False

    domain_name = host_name[host_name.find(".")+1:]

    # Check we have a public IP that is associated with the hostname
    ip = ""
    askip = False
    try:
        ip = socket.gethostbyname(host_name)

        if ip == "127.0.0.1" or ip == "::1":
            print "The hostname resolves to the localhost address (127.0.0.1/::1)"
            print "Please change your /etc/hosts file so that the hostname"
            print "resolves to the ip address of your network interface."
            print "The KDC service does not listen on localhost"
            print ""
            print "Please fix your /etc/hosts file and restart the setup program"
            return "-Fatal Error-"

    except:
        print "The provided hostname can't actually be use to resolve the IP address"
        if options.ip_address:
            ip = options.ip_address
        else:
            askip = True

    if ip != "":
        try:
            socket.inet_pton(socket.AF_INET, ip)
        except:
            try:
                socket.inet_pton(socket.AF_INET6, ip)
            except:
                print "Invalid IP format"
                if options.unattended:
                    return "-Fatal Error-"
                else:
                    ip = ""
                    askip = True

        if options.ip_address and options.ip_address != ip:
            if options.setup_bind:
                ip = options.ip_address
            else:
                print "Error: the hostname resolves to an IP that is different from the one provided on the command line"
                print "Please fix your DNS or /etc/hosts file to provide consistent information and restart the setup program"
                return "-Fatal Error-"
 
    if options.unattended:
        if askip or ip == "":
            print "Unable to resolve IP address"
            return "-Fatal Error-"

    while askip:
        ip = raw_input("Please provide the IP address to be used for this host name: ")

        if ip == "":
            print "An empty IP is not acceptable"
            continue
        if ip == "127.0.0.1" or ip == "::1":
            print "The IPA Server can't use localhost as a valid IP"
            continue

        try:
            socket.inet_pton(socket.AF_INET, ip)
        except:
            try:
                socket.inet_pton(socket.AF_INET6, ip)
            except:
                print "Invalid IP format"
                continue

        print "Adding ["+ip+" "+host_name+"] to your /etc/hosts file"
        hosts_fd = open('/etc/hosts', 'r+')
        hosts_fd.seek(0, 2)
        hosts_fd.write(ip+'\t'+host_name+' '+host_name[:host_name.find('.')]+'\n')
        hosts_fd.close()
        askip = False

    ip_address = ip

    print "The IPA Master Server Name will be: " + host_name + ". With IP address: " + ip_address
    print "The IPA Domain Name will be: " + domain_name
    print ""

    if not options.ds_user:

        try:
            pwd.getpwnam('dirsrv')

            print "To securely run Directory Server we need a user account to be set up."
            print "This will allow DS to run as a user and not as root."
            print "The user account will have access to some security material so it should not be shared with any other application."
            print "A user account named 'dirsrv' already exist. You should not share the account with any other service."
            print ""
            yesno = raw_input("Do you want to use the existing 'dirsrv' account ? (y/N)")
            print ""
            if yesno.lower() == "y":
                ds_user = "dirsrv"
            else:
                ds_user = raw_input("Which account name do you want to use for the DS instance ? ")
                print ""
        except KeyError:
            ds_user = "dirsrv"

        if ds_user == "":
             return "-Aborted-"
    else:
        ds_user = options.ds_user

    if not options.realm_name:
        print "The kerberos protocol requires a Realm name to be defined."
        print "Usually the domain name all in uppercase is used as realm name."
        print ""
        upper_dom = domain_name.upper()
        realm_name = raw_input("Please provide a realm name ["+upper_dom+"]: ")
        print ""
        if realm_name == "":
            realm_name = upper_dom
        else:
            upper_dom = realm_name.upper()
        if upper_dom != realm_name:
            print "It is strongly adviced to use a completely uppercased name for the realm."
            dom_realm = raw_input("Do you want to use "+upper_dom+" as realm name ? [Y/n] ")
            print ""
            if dom_realm.lower() != "y":
                print "WARNING: Using a non upper-cased realm name may cause unexpected problems."
            else:
                realm_name = upper_dom
    else:
        realm_name = options.realm_name

    if not options.dm_password:
        print "The Directory Manager user is the equivalent of 'root' for Diretcory Server."
        print "This account has full access to the Directory and is used for system management tasks."
        print ""
        #TODO: provide the option of generating a random password
        correct = False
        while not correct:
            dm_password = getpass.getpass("Please provide a password for the Directory Manager: ")
            pwd_confirm = getpass.getpass("Please confirm the password: ")
            if dm_password == "":
                print "Password is empty!"
                print ""
            elif dm_password != pwd_confirm:
                print "Password mismatch!"
                print ""
            else:
                correct = True
        print ""
    else:
        dm_password = options.dm_password

    if not options.master_password:
        print "The Kerberos database is usually encrypted using a master password."
        print "Please store this password offline in a secure place."
        print "It may be necessary in a recovery situation or to install a replica."
        print "Without the master password the encrypted material can't be used by the KDC."
        print "If the master password gets lost all kerberos related secrets will be lost."
        print ""
        #TODO: provide the option of generating a random password
        correct = False
        while not correct:
            master_password = getpass.getpass("Please provide a master password: ")
            pwd_confirm = getpass.getpass("Please confirm the password: ")
            if master_password == "":
                print "Password is empty!"
                print ""
            elif master_password != pwd_confirm:
                print "Password mismatch!"
                print ""
            else:
                correct = True
        print ""
    else:
        master_password = options.master_password

    if not options.admin_password:
        print "The 'admin' user is the administrative user used to administare an IPA server."
        print "This account is the one that will be used for normal administration and is also a regular unix user"
        print ""
        #TODO: provide the option of generating a random password
        correct = False
        while not correct:
            admin_password = getpass.getpass("Please provide a kerberos password for the 'admin' user: ")
            pwd_confirm = getpass.getpass("Please confirm the password: ")
            if admin_password == "":
                print "Password is empty!"
                print ""
            elif admin_password != pwd_confirm:
                print "Password mismatch!"
                print ""
            else:
                correct = True
        print ""
    else:
        admin_password = options.admin_password

    if not options.unattended:
        print ""
        print "The following operations may take some minutes to complete."
        print "Please wait until the prompt is returned."

    # Create a directory server instance
    ds = ipaserver.dsinstance.DsInstance()
    ds.create_instance(ds_user, realm_name, host_name, dm_password)

    # Create a kerberos instance
    krb = ipaserver.krbinstance.KrbInstance()
    krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password)

    bind.setup(host_name, ip_address, realm_name)
    if options.setup_bind:
        skipbind = False
        if not options.unattended:
            print "This program is about to replace the DNS Server configuration,"
            print "with an automatically generated one, based on the data gathered so far."
            print "This will REPLACE any existing configuration."
            yesno = raw_input("Are you sure you want to configure the DNS Server ? [y/N]: ")
            if yesno.lower() != 'y':
                skipbind = True
        if not skipbind:
            bind.create_instance()
    else:
        bind.create_sample_bind_zone()

    # Restart ds and krb after configurations have been changed
    ds.restart()
    krb.restart()

    try:
        selinux=0
        try:
            if (os.path.exists('/usr/sbin/selinuxenabled')):
                run(["/usr/sbin/selinuxenabled"])
                selinux=1
        except subprocess.CalledProcessError, e:
            # selinuxenabled returns 1 if not enabled
            pass

        if selinux:
            # Allow apache to connect to the turbogears web gui
            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])

        # Start the web gui
        run(["/sbin/service", "ipa-webgui", "start"])

        # Set the web gui to start on boot
        run(["/sbin/chkconfig", "ipa-webgui", "on"])

        # Restart apache
        run(["/sbin/service", "httpd", "restart"])

        # Set apache to start on boot
        run(["/sbin/chkconfig", "httpd", "on"])

        # Set fedora-ds to start on boot
        run(["/sbin/chkconfig", "dirsrv", "on"])

        # Set the KDC to start on boot
        run(["/sbin/chkconfig", "krb5kdc", "on"])

        # Set the Kpasswd to start on boot
        run(["/sbin/chkconfig", "ipa-kpasswd", "on"])

        # Start Kpasswd
        run(["/sbin/service", "ipa-kpasswd", "start"])
    except subprocess.CalledProcessError, e:
        print "Installation failed:", e
        return 1

    # Set the admin user kerberos password
    ds.change_admin_password(admin_password)

    # Create the config file
    fd = open("/etc/ipa/ipa.conf", "w")
    fd.write("[defaults]\n")
    fd.write("server=" + host_name + "\n")
    fd.write("realm=" + realm_name + "\n")
    fd.close()

    return 0

main()