IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Get rid of ipapython.config in ipa-replica-prepare

Browse Source 
Also get rid of functions get_host_name(), get_realm_name() and
get_domain_name(). They used the old ipapython.config. Instead, use the
variables from api.env. We also change them to bootstrap() and
finalize() correctly.

Additionally, we add the dns_container_exists() function that will be
used in ipa-replica-prepare (next patch).
This commit is contained in:
Martin Nagy
2010-02-08 14:21:46 +01:00
committed by Rob Crittenden
parent b05f94fb4c
commit 206d2d48fa
3 changed files with 63 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
install/tools/ipa-replica-install
View File

@@ -311,12 +311,21 @@ def main():
except ldap.INVALID_CREDENTIALS, e : except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name) sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
fd = open("/etc/ipa/default.conf", "w")
fd.write("[global]\n")
fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
fd.write("realm=" + config.realm_name + "\n")
fd.write("domain=" + config.domain_name + "\n")
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
if ipautil.file_exists(config.dir + "/ca.p12"): if ipautil.file_exists(config.dir + "/ca.p12"):
ca_type = 'dogtag' fd.write("enable_ra=True\n")
else: fd.write("ra_plugin=dogtag\n")
ca_type = 'selfsign' fd.close()
api.bootstrap(in_server=True, ra_plugin=ca_type) api.bootstrap(in_server=True)
api.finalize() api.finalize()
# Install CA cert so that we can do SSL connections with ldap # Install CA cert so that we can do SSL connections with ldap
@@ -355,19 +364,6 @@ def main():
# generated # generated
ds.add_cert_to_service() ds.add_cert_to_service()
# Create the management framework config file
fd = open("/etc/ipa/default.conf", "w")
fd.write("[global]\n")
fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
fd.write("realm=" + config.realm_name + "\n")
fd.write("domain=" + config.domain_name + "\n")
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
if ipautil.file_exists(config.dir + "/ca.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.close()
# Apply any LDAP updates. Needs to be done after the replica is synced-up # Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates") service.print_msg("Applying LDAP updates")
ds.apply_updates() ds.apply_updates()

86
install/tools/ipa-replica-prepare
View File

@@ -26,12 +26,10 @@ from ConfigParser import SafeConfigParser
import krbV import krbV
from optparse import OptionParser from optparse import OptionParser
import ipapython.config
from ipapython import ipautil from ipapython import ipautil
from ipaserver.install import dsinstance, installutils, certs, httpinstance from ipaserver.install import dsinstance, installutils, certs, httpinstance
from ipaserver import ipaldap from ipaserver import ipaldap
from ipapython import version from ipapython import version
from ipalib.constants import DEFAULT_CONFIG
from ipalib import api from ipalib import api
from ipalib import util from ipalib import util
import ldap import ldap
@@ -51,7 +49,6 @@ def parse_options():
parser.add_option("-p", "--password", dest="password", parser.add_option("-p", "--password", dest="password",
help="Directory Manager (existing master) password") help="Directory Manager (existing master) password")
ipapython.config.add_standard_options(parser)
options, args = parser.parse_args() options, args = parser.parse_args()
# If any of the PKCS#12 options are selected, all are required. Create a # If any of the PKCS#12 options are selected, all are required. Create a
@@ -62,39 +59,16 @@ def parse_options():
if cnt > 0 and cnt < 4: if cnt > 0 and cnt < 4:
parser.error("All PKCS#12 options are required if any are used.") parser.error("All PKCS#12 options are required if any are used.")
if options.ip_address:
if not installutils.verify_ip_address(options.ip_address):
parser.error("Bad IP address")
sys.exit(1)
if len(args) != 1: if len(args) != 1:
parser.error("must provide the fully-qualified name of the replica") parser.error("must provide the fully-qualified name of the replica")
ipapython.config.init_config(options)
return options, args return options, args
def get_host_name():
hostname = installutils.get_fqdn()
try:
installutils.verify_fqdn(hostname)
except RuntimeError, e:
logging.error(str(e))
sys.exit(1)
return hostname
def get_realm_name():
try:
c = krbV.default_context()
return c.default_realm
except Exception, e:
return None
def get_domain_name():
try:
ipapython.config.init_config()
domain_name = ipapython.config.config.get_domain()
except Exception, e:
return None
return domain_name
def get_subject_base(host_name, dm_password, suffix): def get_subject_base(host_name, dm_password, suffix):
try: try:
conn = ipaldap.IPAdmin(host_name) conn = ipaldap.IPAdmin(host_name)
@@ -130,8 +104,8 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
# ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) # ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
# db.create_from_cacert(ca_db.cacert_fname) # db.create_from_cacert(ca_db.cacert_fname)
# else: # else:
# ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) # ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name(), subject_base=subject_base) ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
db.create_from_cacert(ca_db.cacert_fname) db.create_from_cacert(ca_db.cacert_fname)
db.create_server_cert("Server-Cert", hostname, ca_db) db.create_server_cert("Server-Cert", hostname, ca_db)
except Exception, e: except Exception, e:
@@ -169,7 +143,7 @@ def export_ra_pkcs12(dir, dm_password):
try: try:
try: try:
db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
if db.has_nickname("ipaCert"): if db.has_nickname("ipaCert"):
pkcs12_fname = "%s/ra.p12" % dir pkcs12_fname = "%s/ra.p12" % dir
@@ -229,31 +203,18 @@ def main():
# Just initialize the environment. This is so the installer can have # Just initialize the environment. This is so the installer can have
# access to the plugin environment # access to the plugin environment
api.env._bootstrap() api.bootstrap(in_server=True)
api.env._finalize_core(**dict(DEFAULT_CONFIG)) api.finalize()
if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin: if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin:
sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
print "Determining current realm name" check_ipa_configuration(api.env.realm)
realm_name = get_realm_name()
if realm_name is None:
print "Unable to determine default realm"
sys.exit(1)
check_ipa_configuration(realm_name) if api.env.host == replica_fqdn:
print "Getting domain name from LDAP"
domain_name = get_domain_name()
if domain_name is None:
print "Unable to determine LDAP default domain"
sys.exit(1)
host_name = get_host_name()
if host_name == replica_fqdn:
print "You can't create a replica on itself" print "You can't create a replica on itself"
sys.exit(1) sys.exit(1)
ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
ds_user = get_ds_user(ds_dir) ds_user = get_ds_user(ds_dir)
# get the directory manager password # get the directory manager password
@@ -266,19 +227,19 @@ def main():
# Try out the password # Try out the password
try: try:
conn = ipaldap.IPAdmin(host_name) conn = ipaldap.IPAdmin(api.env.host)
conn.do_simple_bind(bindpw=dirman_password) conn.do_simple_bind(bindpw=dirman_password)
conn.unbind() conn.unbind()
except ldap.CONNECT_ERROR, e: except ldap.CONNECT_ERROR, e:
sys.exit("\nUnable to connect to LDAP server %s" % host_name) sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
except ldap.SERVER_DOWN, e: except ldap.SERVER_DOWN, e:
sys.exit("\nUnable to connect to LDAP server %s" % host_name) sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
except ldap.INVALID_CREDENTIALS, e : except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name) sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
print "Preparing replica for %s from %s" % (replica_fqdn, host_name) print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host)
subject_base = get_subject_base(host_name, dirman_password, util.realm_to_suffix(realm_name)) subject_base = get_subject_base(api.env.host, dirman_password, util.realm_to_suffix(api.env.realm))
top_dir = tempfile.mkdtemp("ipa") top_dir = tempfile.mkdtemp("ipa")
dir = top_dir + "/realm_info" dir = top_dir + "/realm_info"
@@ -313,7 +274,7 @@ def main():
print "Copy failed %s" % e print "Copy failed %s" % e
sys.exit(1) sys.exit(1)
print "Creating SSL certificate for the Directory Server" print "Creating SSL certificate for the Directory Server"
export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base) export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
if options.http_pin: if options.http_pin:
passwd = options.http_pin passwd = options.http_pin
@@ -334,15 +295,14 @@ def main():
sys.exit(1) sys.exit(1)
else: else:
print "Creating SSL certificate for the Web Server" print "Creating SSL certificate for the Web Server"
export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn, subject_base) export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn, subject_base)
print "Exporting RA certificate" print "Exporting RA certificate"
export_ra_pkcs12(dir, dirman_password) export_ra_pkcs12(dir, dirman_password)
print "Copying additional files" print "Copying additional files"
copy_files(realm_name, dir) copy_files(api.env.realm, dir)
print "Finalizing configuration" print "Finalizing configuration"
save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn, subject_base) save_config(dir, api.env.realm, api.env.host, ds_user, api.env.domain, replica_fqdn, subject_base)
replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
encfile = replicafile+".gpg" encfile = replicafile+".gpg"

52
ipaserver/install/bindinstance.py
View File

@@ -54,6 +54,31 @@ def check_inst(unattended):
return True return True
def dns_container_exists(fqdn, realm):
"""
Test whether the dns container exists.
"""
def object_exists(dn):
"""
Test whether the given object exists in LDAP.
"""
try:
server.search_ext_s(dn, ldap.SCOPE_BASE)
except ldap.NO_SUCH_OBJECT:
return False
else:
return True
server = ldap.initialize("ldap://" + fqdn)
server.simple_bind_s()
suffix = util.realm_to_suffix(realm)
ret = object_exists("cn=dns,%s" % suffix)
server.unbind_s()
return ret
def get_reverse_zone(ip_address): def get_reverse_zone(ip_address):
tmp = ip_address.split(".") tmp = ip_address.split(".")
tmp.reverse() tmp.reverse()
@@ -155,7 +180,8 @@ class BindInstance(service.Service):
except: except:
pass pass
self.__add_zone_steps() if not dns_container_exists(self.fqdn, self.suffix):
self.step("adding DNS container", self.__setup_dns_container)
self.step("setting up our zone", self.__setup_zone) self.step("setting up our zone", self.__setup_zone)
self.step("setting up reverse zone", self.__setup_reverse_zone) self.step("setting up reverse zone", self.__setup_reverse_zone)
@@ -168,30 +194,6 @@ class BindInstance(service.Service):
self.step("changing resolv.conf to point to ourselves", self.__setup_resolv_conf) self.step("changing resolv.conf to point to ourselves", self.__setup_resolv_conf)
self.start_creation("Configuring named:") self.start_creation("Configuring named:")
def __add_zone_steps(self):
"""
Add a DNS container if it doesn't exist.
"""
def object_exists(dn):
"""
Test whether the given object exists in LDAP.
"""
try:
server.search_ext_s(dn, ldap.SCOPE_BASE)
except ldap.NO_SUCH_OBJECT:
return False
else:
return True
server = ldap.initialize("ldap://" + self.fqdn)
server.simple_bind_s()
if not object_exists("cn=dns,%s" % self.suffix):
self.step("adding DNS container", self.__setup_dns_container)
server.unbind_s()
def __start(self): def __start(self):
try: try:
self.backup_state("running", self.is_running()) self.backup_state("running", self.is_running())