ipa-replica-install never checks for 7389 port

When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If port 7389 were blocked by a
firewall, the installation would get stuck with no hint to the user.

Make sure that the port configuration parsed from replica info file
is used consistently in the installers.

https://fedorahosted.org/freeipa/ticket/4240

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This commit is contained in:
Martin Kosek 2014-03-11 16:28:19 +01:00
parent 740298d120
commit 0be66e9a67
4 changed files with 32 additions and 31 deletions


@ -30,7 +30,7 @@ from ipaserver.install import installutils, service
from ipaserver.install import certs
from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
expand_replica_info, read_replica_info, get_host_name, BadHostError,
private_ccache)
private_ccache, read_replica_info_dogtag_port)
from ipaserver.install import dsinstance, cainstance, bindinstance
from ipaserver.install.replication import replica_conn_check
from ipapython import version
@ -159,31 +159,24 @@ def main():
sys.exit(0)
config.dir = dir
config.setup_ca = True
config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
if not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
portfile = config.dir + "/dogtag_directory_port.txt"
if not ipautil.file_exists(portfile):
dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
else:
with open(portfile) as fd:
dogtag_master_ds_port = fd.read()
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name, True,
dogtag_master_ds_port, options.admin_password)
config.ca_ds_port, options.admin_password)
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
cainstance.replica_ca_install_check(config)
# Configure the CA if necessary
CA = cainstance.install_replica_ca(
config, dogtag_master_ds_port, postinstall=True)
CA = cainstance.install_replica_ca(config, postinstall=True)
# We need to ldap_enable the CA now that DS is up and running
CA.ldap_enable('CA', config.host_name, config.dirman_password,
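Review bot: `config.ca_ds_port` is now an int (the helper returns `int(fd.read())` or the integer constant) while the removed code passed `replica_conn_check` a string (`str(...DS_PORT)` or the raw file contents), so the type seen by the conncheck changed at `config.ca_ds_port, options.admin_password`. `replica_conn_check` is outside this hunk; if it appends the port to an `ipa-replica-conncheck` argument list or joins it into a string, it will need `str(config.ca_ds_port)` there, or the conversion should be done once at this call site. Worth a quick check that the conncheck still forwards the CA port after this change, since that is the port the commit is meant to start checking. The enclosing `main()` continues outside the hunk.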


@ -37,8 +37,8 @@ from ipaserver.install import memcacheinstance
from ipaserver.install import otpdinstance
from ipaserver.install.replication import replica_conn_check, ReplicationManager
from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
read_replica_info ,get_host_name,
BadHostError, private_ccache)
read_replica_info, get_host_name, BadHostError, private_ccache,
read_replica_info_dogtag_port)
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import cainstance
from ipalib import api, errors, util
@ -534,6 +534,7 @@ def main():
sys.exit(0)
config.dir = dir
config.setup_ca = options.setup_ca
config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
@ -541,18 +542,11 @@ def main():
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
portfile = config.dir + "/dogtag_directory_port.txt"
if not ipautil.file_exists(portfile):
dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
else:
with open(portfile) as fd:
dogtag_master_ds_port = fd.read()
# check connection
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, dogtag_master_ds_port, options.admin_password)
options.setup_ca, config.ca_ds_port, options.admin_password)
# check replica host IP resolution
@ -666,7 +660,7 @@ def main():
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
cainstance.replica_ca_install_check(config)
# Configure ntpd
if options.conf_ntp:
@ -678,7 +672,7 @@ def main():
ds = install_replica_ds(config)
# Configure the CA if necessary
CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
CA = cainstance.install_replica_ca(config)
# Always try to install DNS records
install_dns_records(config, options)
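Review bot: The port read at `config.ca_ds_port = read_replica_info_dogtag_port(config.dir)` silently falls back to the Dogtag 9 port when the replica file carries no port file, and nothing in this hunk tells the user which port the conncheck is about to test; since the commit's stated goal is to give a hint when that port is blocked, a debug line next to the assignment would help triage, e.g. `root_logger.debug('Master CA directory server port: %d', config.ca_ds_port)`. It is also read unconditionally even when `options.setup_ca` is false, which is harmless but could be scoped under the CA branch for clarity. The enclosing `main()` starts and ends outside the hunk.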


@ -1575,7 +1575,7 @@ class CAInstance(service.Service):
return master == 'New'
def replica_ca_install_check(config, master_ds_port):
def replica_ca_install_check(config):
if not config.setup_ca:
return
@ -1584,8 +1584,6 @@ def replica_ca_install_check(config, master_ds_port):
# Replica of old "self-signed" master - CA won't be installed
return
master_ds_port = int(master_ds_port)
# Exit if we have an old-style (Dogtag 9) CA already installed
ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.Dogtag9Constants)
@ -1593,13 +1591,13 @@ def replica_ca_install_check(config, master_ds_port):
root_logger.info('Dogtag 9 style CA instance found')
sys.exit("A CA is already configured on this system.")
if master_ds_port != dogtag.Dogtag9Constants.DS_PORT:
if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
root_logger.debug(
'Installing CA Replica from master with a merged database')
return
# Check if the master has the necessary schema in its CA instance
ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port)
ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
objectclass = 'ipaObject'
root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
try:
@ -1628,7 +1626,7 @@ def replica_ca_install_check(config, master_ds_port):
exit('IPA schema missing on master CA directory server')
def install_replica_ca(config, master_ds_port, postinstall=False):
def install_replica_ca(config, postinstall=False):
"""
Install a CA on a replica.
@ -1677,7 +1675,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
config.dirman_password, config.dirman_password,
pkcs12_info=(cafile,),
master_host=config.master_host_name,
master_replication_port=master_ds_port,
master_replication_port=config.ca_ds_port,
subject_base=config.subject_base)
# Restart httpd since we changed it's config and added ipa-pki-proxy.conf
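Review bot: `replica_ca_install_check` and `install_replica_ca` now depend on `config.ca_ds_port` (at `if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:` and `master_replication_port=config.ca_ds_port`) instead of an explicit parameter, so any caller that builds a `ReplicaConfig` without setting the attribute gets an AttributeError at the comparison rather than a clear message; a default on `ReplicaConfig` (its definition is outside this hunk) or `getattr(config, 'ca_ds_port', dogtag.Dogtag9Constants.DS_PORT)` would make the contract explicit. The `install_replica_ca` docstring (starting at the hunk's `"""` and continuing outside it) should also state that `config.ca_ds_port` must be set to the master CA directory server port before calling. The comparison now works on ints on both sides, which fixes the former implicit `int()` cast, so no change is needed there.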


@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig):
except NoOptionError:
pass
def read_replica_info_dogtag_port(config_dir):
portfile = config_dir + "/dogtag_directory_port.txt"
default_port = dogtag.Dogtag9Constants.DS_PORT
if not ipautil.file_exists(portfile):
dogtag_master_ds_port = default_port
else:
with open(portfile) as fd:
try:
dogtag_master_ds_port = int(fd.read())
except (ValueError, IOError), e:
root_logger.debug('Cannot parse dogtag DS port: %s', e)
root_logger.debug('Default to %d', default_port)
dogtag_master_ds_port = default_port
return dogtag_master_ds_port
def check_server_configuration():
"""
Check if IPA server is configured on the system.
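Review bot: In `read_replica_info_dogtag_port` a malformed `dogtag_directory_port.txt` is downgraded to the Dogtag 9 port at debug level only, so on a merged-database master a corrupt file silently points the conncheck and the CA replication agreement at 7389 — exactly the kind of confusing failure the commit is trying to remove; the fallback should at least log at warning level with the file path, and the value should be range-checked since `int()` happily accepts `-1` or `70000`. Note also that `open(portfile)` sits outside the `try`, so the `IOError` listed in the except clause can only come from `fd.read()`; moving the `open` inside the `try` would make that clause meaningful. The function is complete within the hunk.
```python
    else:
        try:
            with open(portfile) as fd:
                dogtag_master_ds_port = int(fd.read())
        except (ValueError, IOError), e:
            root_logger.warning(
                'Cannot parse dogtag DS port from %s (%s), using default %d',
                portfile, e, default_port)
            dogtag_master_ds_port = default_port
    # reject values that cannot be a TCP port before they reach conncheck
    if not 0 < dogtag_master_ds_port <= 65535:
        root_logger.warning(
            'Invalid dogtag DS port %d in %s, using default %d',
            dogtag_master_ds_port, portfile, default_port)
        dogtag_master_ds_port = default_port
    return dogtag_master_ds_port
```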