mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
ipa-replica-install never checks for 7389 port
When creating replica from a Dogtag 9 based IPA server, the port 7389 which is required for the installation is never checked by ipa-replica-conncheck even though it knows that it is being installed from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by firewall, installation would stuck with no hint to user. Make sure that the port configuration parsed from replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This commit is contained in:
parent
740298d120
commit
0be66e9a67
@ -30,7 +30,7 @@ from ipaserver.install import installutils, service
|
||||
from ipaserver.install import certs
|
||||
from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
|
||||
expand_replica_info, read_replica_info, get_host_name, BadHostError,
|
||||
private_ccache)
|
||||
private_ccache, read_replica_info_dogtag_port)
|
||||
from ipaserver.install import dsinstance, cainstance, bindinstance
|
||||
from ipaserver.install.replication import replica_conn_check
|
||||
from ipapython import version
|
||||
@ -159,31 +159,24 @@ def main():
|
||||
sys.exit(0)
|
||||
config.dir = dir
|
||||
config.setup_ca = True
|
||||
config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
|
||||
|
||||
if not ipautil.file_exists(config.dir + "/cacert.p12"):
|
||||
print 'CA cannot be installed in CA-less setup.'
|
||||
sys.exit(1)
|
||||
|
||||
portfile = config.dir + "/dogtag_directory_port.txt"
|
||||
if not ipautil.file_exists(portfile):
|
||||
dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
|
||||
else:
|
||||
with open(portfile) as fd:
|
||||
dogtag_master_ds_port = fd.read()
|
||||
|
||||
if not options.skip_conncheck:
|
||||
replica_conn_check(
|
||||
config.master_host_name, config.host_name, config.realm_name, True,
|
||||
dogtag_master_ds_port, options.admin_password)
|
||||
config.ca_ds_port, options.admin_password)
|
||||
|
||||
if options.skip_schema_check:
|
||||
root_logger.info("Skipping CA DS schema check")
|
||||
else:
|
||||
cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
|
||||
cainstance.replica_ca_install_check(config)
|
||||
|
||||
# Configure the CA if necessary
|
||||
CA = cainstance.install_replica_ca(
|
||||
config, dogtag_master_ds_port, postinstall=True)
|
||||
CA = cainstance.install_replica_ca(config, postinstall=True)
|
||||
|
||||
# We need to ldap_enable the CA now that DS is up and running
|
||||
CA.ldap_enable('CA', config.host_name, config.dirman_password,
|
||||
|
@ -37,8 +37,8 @@ from ipaserver.install import memcacheinstance
|
||||
from ipaserver.install import otpdinstance
|
||||
from ipaserver.install.replication import replica_conn_check, ReplicationManager
|
||||
from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
|
||||
read_replica_info ,get_host_name,
|
||||
BadHostError, private_ccache)
|
||||
read_replica_info, get_host_name, BadHostError, private_ccache,
|
||||
read_replica_info_dogtag_port)
|
||||
from ipaserver.plugins.ldap2 import ldap2
|
||||
from ipaserver.install import cainstance
|
||||
from ipalib import api, errors, util
|
||||
@ -534,6 +534,7 @@ def main():
|
||||
sys.exit(0)
|
||||
config.dir = dir
|
||||
config.setup_ca = options.setup_ca
|
||||
config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
|
||||
|
||||
if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
|
||||
print 'CA cannot be installed in CA-less setup.'
|
||||
@ -541,18 +542,11 @@ def main():
|
||||
|
||||
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
|
||||
|
||||
portfile = config.dir + "/dogtag_directory_port.txt"
|
||||
if not ipautil.file_exists(portfile):
|
||||
dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
|
||||
else:
|
||||
with open(portfile) as fd:
|
||||
dogtag_master_ds_port = fd.read()
|
||||
|
||||
# check connection
|
||||
if not options.skip_conncheck:
|
||||
replica_conn_check(
|
||||
config.master_host_name, config.host_name, config.realm_name,
|
||||
options.setup_ca, dogtag_master_ds_port, options.admin_password)
|
||||
options.setup_ca, config.ca_ds_port, options.admin_password)
|
||||
|
||||
|
||||
# check replica host IP resolution
|
||||
@ -666,7 +660,7 @@ def main():
|
||||
if options.skip_schema_check:
|
||||
root_logger.info("Skipping CA DS schema check")
|
||||
else:
|
||||
cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
|
||||
cainstance.replica_ca_install_check(config)
|
||||
|
||||
# Configure ntpd
|
||||
if options.conf_ntp:
|
||||
@ -678,7 +672,7 @@ def main():
|
||||
ds = install_replica_ds(config)
|
||||
|
||||
# Configure the CA if necessary
|
||||
CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
|
||||
CA = cainstance.install_replica_ca(config)
|
||||
|
||||
# Always try to install DNS records
|
||||
install_dns_records(config, options)
|
||||
|
@ -1575,7 +1575,7 @@ class CAInstance(service.Service):
|
||||
return master == 'New'
|
||||
|
||||
|
||||
def replica_ca_install_check(config, master_ds_port):
|
||||
def replica_ca_install_check(config):
|
||||
if not config.setup_ca:
|
||||
return
|
||||
|
||||
@ -1584,8 +1584,6 @@ def replica_ca_install_check(config, master_ds_port):
|
||||
# Replica of old "self-signed" master - CA won't be installed
|
||||
return
|
||||
|
||||
master_ds_port = int(master_ds_port)
|
||||
|
||||
# Exit if we have an old-style (Dogtag 9) CA already installed
|
||||
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
||||
dogtag_constants=dogtag.Dogtag9Constants)
|
||||
@ -1593,13 +1591,13 @@ def replica_ca_install_check(config, master_ds_port):
|
||||
root_logger.info('Dogtag 9 style CA instance found')
|
||||
sys.exit("A CA is already configured on this system.")
|
||||
|
||||
if master_ds_port != dogtag.Dogtag9Constants.DS_PORT:
|
||||
if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
|
||||
root_logger.debug(
|
||||
'Installing CA Replica from master with a merged database')
|
||||
return
|
||||
|
||||
# Check if the master has the necessary schema in its CA instance
|
||||
ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port)
|
||||
ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
|
||||
objectclass = 'ipaObject'
|
||||
root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
|
||||
try:
|
||||
@ -1628,7 +1626,7 @@ def replica_ca_install_check(config, master_ds_port):
|
||||
exit('IPA schema missing on master CA directory server')
|
||||
|
||||
|
||||
def install_replica_ca(config, master_ds_port, postinstall=False):
|
||||
def install_replica_ca(config, postinstall=False):
|
||||
"""
|
||||
Install a CA on a replica.
|
||||
|
||||
@ -1677,7 +1675,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
|
||||
config.dirman_password, config.dirman_password,
|
||||
pkcs12_info=(cafile,),
|
||||
master_host=config.master_host_name,
|
||||
master_replication_port=master_ds_port,
|
||||
master_replication_port=config.ca_ds_port,
|
||||
subject_base=config.subject_base)
|
||||
|
||||
# Restart httpd since we changed it's config and added ipa-pki-proxy.conf
|
||||
|
@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig):
|
||||
except NoOptionError:
|
||||
pass
|
||||
|
||||
def read_replica_info_dogtag_port(config_dir):
|
||||
portfile = config_dir + "/dogtag_directory_port.txt"
|
||||
default_port = dogtag.Dogtag9Constants.DS_PORT
|
||||
if not ipautil.file_exists(portfile):
|
||||
dogtag_master_ds_port = default_port
|
||||
else:
|
||||
with open(portfile) as fd:
|
||||
try:
|
||||
dogtag_master_ds_port = int(fd.read())
|
||||
except (ValueError, IOError), e:
|
||||
root_logger.debug('Cannot parse dogtag DS port: %s', e)
|
||||
root_logger.debug('Default to %d', default_port)
|
||||
dogtag_master_ds_port = default_port
|
||||
|
||||
return dogtag_master_ds_port
|
||||
|
||||
def check_server_configuration():
|
||||
"""
|
||||
Check if IPA server is configured on the system.
|
||||
|
Loading…
Reference in New Issue
Block a user