Fix replica installation for self-signed CA (no dogtag)

install/tools/ipa-replica-install

@@ -30,6 +30,7 @@ from ipaserver.install import dsinstance, replication, installutils, krbinstance
 from ipaserver.install import httpinstance, ntpinstance, certs
 from ipaserver import ipaldap
 from ipapython import version
+from ipalib import util
 
 CACERT="/usr/share/ipa/html/ca.crt"
 
@@ -144,7 +145,7 @@ def install_http(config):
                        config.dir + "/http_pin.txt")
 
     http = httpinstance.HTTPInstance()
-    http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
+    http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info, self_signed_ca=True)
 
     # Now copy the autoconfiguration files
     if ipautil.file_exists(config.dir + "/preferences.html"):
@@ -267,6 +268,18 @@ def main():
     fd.write("domain=" + config.domain_name + "\n")
     fd.close()
 
+    # Create the management framework config file
+    fd = open("/etc/ipa/default.conf", "w")
+    fd.write("[global]\n")
+    fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+    fd.write("realm=" + config.realm_name + "\n")
+    fd.write("domain=" + config.domain_name + "\n")
+    fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
+    # FIXME: detect when we are installing a cloned CA
+    if False:
+        fd.write("enable_ra=True\n")
+    fd.close()
+
     # Apply any LDAP updates. Needs to be done after the replica is synced-up
     service.print_msg("Applying LDAP updates")
     ds.apply_updates()

install/tools/ipa-replica-manage

@@ -23,8 +23,10 @@ import getpass, ldap, re, krbV
 import traceback, logging
 
 from ipapython import ipautil
-from ipaserver import replication, ipaldap, dsinstance, installutils
+from ipaserver.install import replication, dsinstance, installutils
+from ipaserver import ipaldap
 from ipapython import version
+from ipalib import util
 
 def parse_options():
     from optparse import OptionParser
@@ -68,7 +70,7 @@ def get_realm_name():
     return c.default_realm
 
 def get_suffix():
-    suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(get_realm_name()))
+    suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(get_realm_name()))
     return suffix
 
 def get_host_name():
@@ -204,6 +206,9 @@ def main():
             print "must provide hostname of supplier to synchronize with"
             sys.exit(1)
         synch_master(r, args[1])
+    else:
+        print "unknown command: %s" % args[0]
+        sys.exit(1)
 
 try:
     main()

install/tools/ipa-replica-prepare

@@ -120,18 +120,15 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
         ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
     except ipautil.CalledProcessError, e:
         print "error exporting CA certificate: " + str(e)
-        try:
+        remove_file(pkcs12_fname)
-            os.unlink(pkcs12_fname)
+        remove_file(passwd_fname)
-            os.unlink(passwd_fname)
-        except:
-            pass
 
-    os.unlink(dir + "/cert8.db")
+    remove_file(dir + "/cert8.db")
-    os.unlink(dir + "/key3.db")
+    remove_file(dir + "/key3.db")
-    os.unlink(dir + "/secmod.db")
+    remove_file(dir + "/secmod.db")
-    os.unlink(dir + "/noise.txt")
+    remove_file(dir + "/noise.txt")
     if ipautil.file_exists(passwd_fname + ".orig"):
-        os.unlink(passwd_fname + ".orig")
+        remove_file(passwd_fname + ".orig")
 
 def get_ds_user(ds_dir):
     uid = os.stat(ds_dir).st_uid
@@ -150,6 +147,13 @@ def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host):
     fd = open(dir + "/realm_info", "w")
     config.write(fd)
 
+def remove_file(fname, ignore_errors=True):
+    try:
+        os.remove(fname)
+    except OSError, e:
+        if not ignore_errors:
+            raise e
+
 def copy_files(realm_name, dir):
     config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
 
@@ -275,7 +279,7 @@ def main():
     ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
     ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
 
-    os.remove(replicafile)
+    remove_file(replicafile)
     shutil.rmtree(dir)
 
 try:

ipaserver/ipaldap.py

@@ -27,6 +27,7 @@ import re
 import string
 import ldap
 import cStringIO
+import time
 import struct
 import ldap.sasl
 from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
@@ -243,6 +244,20 @@ class IPAdmin(SimpleLDAPObject):
         self.suffixes = {}
         self.__localinit()
 
+    def __lateinit(self):
+        """
+        This is executed after the connection is bound to fill in some useful
+        values.
+        """
+        try:
+            ent = self.getEntry('cn=config,cn=ldbm database,cn=plugins,cn=config',
+                                ldap.SCOPE_BASE, '(objectclass=*)',
+                                [ 'nsslapd-directory' ])
+
+            self.dbdir = os.path.dirname(ent.getValue('nsslapd-directory'))
+        except ldap.LDAPError, e:
+            self.__handle_errors(e, **{})
+
     def __str__(self):
         return self.host + ":" + str(self.port)
 
@@ -328,6 +343,7 @@ class IPAdmin(SimpleLDAPObject):
         self.binddn = binddn
         self.bindpwd = bindpw
         self.simple_bind_s(binddn, bindpw)
+        self.__lateinit()
 
     def getEntry(self,*args):
         """This wraps the search function.  It is common to just get one entry"""
@@ -569,6 +585,48 @@ class IPAdmin(SimpleLDAPObject):
             if callable(attr):
                 setattr(self, name, wrapper(attr, name))
 
+    def waitForEntry(self, dn, timeout=7200, attr='', quiet=True):
+        scope = ldap.SCOPE_BASE
+        filter = "(objectclass=*)"
+        attrlist = []
+        if attr:
+            filter = "(%s=*)" % attr
+            attrlist.append(attr)
+        timeout += int(time.time())
+
+        if isinstance(dn,Entry):
+            dn = dn.dn
+
+        # wait for entry and/or attr to show up
+        if not quiet:
+            sys.stdout.write("Waiting for %s %s:%s " % (self,dn,attr))
+            sys.stdout.flush()
+        entry = None
+        while not entry and int(time.time()) < timeout:
+            try:
+                entry = self.getEntry(dn, scope, filter, attrlist)
+            except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+                pass # found entry, but no attr
+            except ldap.NO_SUCH_OBJECT:
+                pass # no entry yet
+            except ldap.LDAPError, e: # badness
+                print "\nError reading entry", dn, e
+                break
+            if not entry:
+                if not quiet:
+                    sys.stdout.write(".")
+                    sys.stdout.flush()
+                time.sleep(1)
+
+        if not entry and int(time.time()) > timeout:
+            print "\nwaitForEntry timeout for %s for %s" % (self,dn)
+        elif entry and not quiet:
+            print "\nThe waited for entry is:", entry
+        elif not entry:
+            print "\nError: could not read entry %s from %s" % (dn,self)
+
+        return entry
+
     def normalizeDN(dn):
         # not great, but will do until we use a newer version of python-ldap
         # that has DN utilities