Remove code to install Dogtag 9

Since we depend on Dogtag 10 now, there is no need to keep code
that installs a Dogtag 9 CA.

Support for upgraded Dogtag-9-style instances is left in.

https://fedorahosted.org/freeipa/ticket/3529
Petr Viktorin 2012-11-15 09:38:24 -05:00
parent b21abc76ca
commit 34ba1b7060
8 changed files with 22 additions and 218 deletions


@ -178,19 +178,15 @@ def main():
cainstance.replica_ca_install_check(config, dogtag_master_ds_port) cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
# Configure the CA if necessary # Configure the CA if necessary
(CA, cs) = cainstance.install_replica_ca( CA = cainstance.install_replica_ca(
config, dogtag_master_ds_port, postinstall=True) config, dogtag_master_ds_port, postinstall=True)
# We need to ldap_enable the CA now that DS is up and running # We need to ldap_enable the CA now that DS is up and running
CA.ldap_enable('CA', config.host_name, config.dirman_password, CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name)) ipautil.realm_to_suffix(config.realm_name))
if not dogtag.install_constants.SHARED_DB:
cs.add_simple_service('dogtagldap/%s@%s' % CA.enable_client_auth_to_db()
(config.host_name, config.realm_name)) CA.restart()
cs.add_cert_to_service()
else:
CA.enable_client_auth_to_db()
CA.restart()
# Install CA DNS records # Install CA DNS records
install_dns_records(config, options) install_dns_records(config, options)
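Review bot: `CA` is used without a None check on the line right after the assignment, even though `install_replica_ca` in cainstance.py now returns a bare `None` for a replica of an old self-signed master, and the sibling caller in ipa-replica-install guards with `if CA and config.setup_ca:`. If `replica_ca_install_check` above already rejects that case, a one-line comment would make the invariant visible at the call: `# install_replica_ca() cannot return None here: replica_ca_install_check() ran first`; otherwise the same `if CA:` guard belongs here. main() starts and ends outside the hunk.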


@ -653,7 +653,7 @@ def main():
ds = install_replica_ds(config) ds = install_replica_ds(config)
# Configure the CA if necessary # Configure the CA if necessary
(CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port) CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
# Always try to install DNS records # Always try to install DNS records
install_dns_records(config, options) install_dns_records(config, options)
@ -662,13 +662,8 @@ def main():
if CA and config.setup_ca: if CA and config.setup_ca:
CA.ldap_enable('CA', config.host_name, config.dirman_password, CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name)) ipautil.realm_to_suffix(config.realm_name))
if not dogtag.install_constants.SHARED_DB: CA.enable_client_auth_to_db()
cs.add_simple_service('dogtagldap/%s@%s' % CA.restart()
(config.host_name, config.realm_name))
cs.add_cert_to_service()
else:
CA.enable_client_auth_to_db()
CA.restart()
krb = install_krb(config, setup_pkinit=options.setup_pkinit) krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect) http = install_http(config, auto_redirect=options.ui_redirect)


@ -1009,13 +1009,6 @@ def main():
if setup_ca: if setup_ca:
if not dogtag.install_constants.SHARED_DB:
cs = cainstance.CADSInstance(
host_name, realm_name, domain_name, dm_password)
if not cs.is_configured():
cs.create_instance(realm_name, host_name, domain_name,
dm_password, subject_base=options.subject)
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants) dogtag_constants=dogtag.install_constants)
if external == 0: if external == 0:
@ -1055,17 +1048,8 @@ def main():
# We need to ldap_enable the CA now that DS is up and running # We need to ldap_enable the CA now that DS is up and running
ca.ldap_enable('CA', host_name, dm_password, ca.ldap_enable('CA', host_name, dm_password,
ipautil.realm_to_suffix(realm_name)) ipautil.realm_to_suffix(realm_name))
if not dogtag.install_constants.SHARED_DB: ca.enable_client_auth_to_db()
# Turn on SSL in the dogtag LDAP instance. This will get restarted ca.restart()
# later, we don't need SSL now.
cs.create_certdb()
cs.enable_ssl()
# Add the IPA service for storing the PKI-IPA server certificate.
cs.add_simple_service(cs.principal)
cs.add_cert_to_service()
else:
ca.enable_client_auth_to_db()
ca.restart()
# Upload the CA cert to the directory # Upload the CA cert to the directory
ds.upload_ca_cert() ds.upload_ca_cert()


@ -45,16 +45,14 @@ def check_IPA_configuration():
def is_dirsrv_debugging_enabled(): def is_dirsrv_debugging_enabled():
""" """
Check the IPA and PKI-CA 389-ds instances to see if debugging is Check the 389-ds instance to see if debugging is enabled.
enabled. If so we suppress that in our output. If so we suppress that in our output.
returns True or False returns True or False
""" """
debugging = False debugging = False
serverid = realm_to_serverid(api.env.realm) serverid = realm_to_serverid(api.env.realm)
dselist = [config_dirname(serverid)] dselist = [config_dirname(serverid)]
if not dogtag.install_constants.SHARED_DB:
dselist.append('/etc/dirsrv/slapd-PKI-IPA/')
for dse in dselist: for dse in dselist:
try: try:
fd = open(dse + 'dse.ldif', 'r') fd = open(dse + 'dse.ldif', 'r')
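Review bot: The `/etc/dirsrv/slapd-PKI-IPA/` entry is dropped from `dselist` unconditionally, so on an upgraded Dogtag-9-style instance, which the commit message says stays supported and which still has its separate CA directory server, debug logging enabled in that instance's dse.ldif is no longer detected and suppressed. If that is intended, the new docstring should say so, e.g. `Only the IPA 389-ds instance is checked; the PKI-IPA instance of an upgraded Dogtag 9 install is not.`; otherwise keep the append, keyed on whether the PKI-IPA config directory exists rather than on `SHARED_DB`. is_dirsrv_debugging_enabled continues past the end of the hunk.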


@ -128,10 +128,6 @@ class Fedora16CAService(Fedora16Service):
root_logger.debug( root_logger.debug(
'The httpd proxy is not installed, skipping wait for CA') 'The httpd proxy is not installed, skipping wait for CA')
return return
if dogtag.install_constants.DOGTAG_VERSION < 10:
# The server status information isn't available on DT 9
root_logger.debug('Using Dogtag 9, skipping wait for CA')
return
root_logger.debug('Waiting until the CA is running') root_logger.debug('Waiting until the CA is running')
timeout = api.env.startup_timeout timeout = api.env.startup_timeout
op_timeout = time.time() + timeout op_timeout = time.time() + timeout


@ -247,6 +247,11 @@ def is_step_one_done():
class CADSInstance(service.Service): class CADSInstance(service.Service):
"""Certificate Authority DS instance
The CA DS was used with Dogtag 9. Only upgraded installations still use it.
Thus this class only does uninstallation.
"""
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None): def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
service.Service.__init__(self, "pkids", service.Service.__init__(self, "pkids",
service_desc="directory server for the CA", service_desc="directory server for the CA",
@ -265,153 +270,6 @@ class CADSInstance(service.Service):
self.master_host = None self.master_host = None
self.nickname = 'Server-Cert' self.nickname = 'Server-Cert'
self.subject_base = None self.subject_base = None
if host_name and realm_name:
self.principal = "dogtagldap/%s@%s" % (self.fqdn, self.realm_name)
if realm_name:
self.suffix = ipautil.realm_to_suffix(self.realm_name)
self.__setup_sub_dict()
else:
self.suffix = DN()
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
self.dogtag_constants = dogtag_constants
subject_base = ipautil.dn_attribute_property('_subject_base')
def create_instance(self, realm_name, host_name, domain_name,
dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT,
subject_base=None):
self.ds_port = ds_port
self.realm_name = realm_name.upper()
self.suffix = ipautil.realm_to_suffix(self.realm_name)
self.fqdn = host_name
self.dm_password = dm_password
self.domain = domain_name
self.pkcs12_info = pkcs12_info
self.subject_base = subject_base
self.principal = "dogtagldap/%s@%s" % (self.fqdn, self.realm_name)
self.__setup_sub_dict()
self.step("creating directory server user", self.__create_ds_user)
self.step("creating directory server instance", self.__create_instance)
self.step("restarting directory server", self.restart_instance)
self.start_creation(runtime=30)
def __setup_sub_dict(self):
server_root = dsinstance.find_server_root()
self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
PASSWORD=self.dm_password, SUFFIX=self.suffix,
REALM=self.realm_name, USER=PKI_DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
TIME=int(time.time()), DSPORT=self.ds_port,
GROUP=dsinstance.DS_GROUP)
def __create_ds_user(self):
try:
pwd.getpwnam(PKI_DS_USER)
root_logger.debug("ds user %s exists" % PKI_DS_USER)
except KeyError:
root_logger.debug("adding ds user %s" % PKI_DS_USER)
args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP,
"-c", "PKI DS System User",
"-d", "/var/lib/dirsrv",
"-s", "/sbin/nologin",
"-M", "-r", PKI_DS_USER]
try:
ipautil.run(args)
root_logger.debug("done adding user")
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add user %s" % e)
def __create_instance(self):
self.backup_state("serverid", self.serverid)
inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
root_logger.debug("writing inf template")
inf_fd = ipautil.write_tmp_file(inf_txt)
inf_txt = re.sub(r"RootDNPwd=.*\n", "", inf_txt)
root_logger.debug(inf_txt)
if ipautil.file_exists("/usr/sbin/setup-ds.pl"):
args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name]
root_logger.debug("calling setup-ds.pl")
else:
args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
root_logger.debug("calling ds_newinst.pl")
try:
ipautil.run(args)
root_logger.debug("completed creating ds instance")
except ipautil.CalledProcessError, e:
root_logger.critical("failed to create ds instance %s" % e)
inf_fd.close()
def load_pkcs12(self):
dirname = dsinstance.config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
if self.pkcs12_info:
dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
server_certs = dsdb.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
# We only handle one server cert
self.nickname = server_certs[0][0]
self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
def create_certdb(self):
"""
Create the dogtag 389-ds instance NSS certificate database. This needs
to be done after dogtag is installed and configured.
"""
dirname = dsinstance.config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
cadb.export_ca_cert('ipaCert', False)
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
dsdb.create_pin_file()
def enable_ssl(self):
conn = ipaldap.IPAdmin(self.fqdn, port=DEFAULT_DSPORT)
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers",
"-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
+tls_rsa_export1024_with_des_cbc_sha")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
mod = [(ldap.MOD_ADD, "nsslapd-security", "on"),
(ldap.MOD_ADD, "nsslapd-secureport", str(DEFAULT_DSPORT+1))]
conn.modify_s(DN(('cn', 'config')), mod)
entry = conn.make_entry(
DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
objectclass=["top", "nsEncryptionModule"],
cn=["RSA"],
nsSSLPersonalitySSL=[self.nickname],
nsSSLToken=["internal (software)"],
nsSSLActivation=["on"],
)
conn.add_entry(entry)
conn.unbind()
def restart_instance(self):
try:
ipaservices.knownservices.dirsrv.restart(self.serverid)
if not dsinstance.is_ds_running(self.serverid):
root_logger.critical("Failed to restart the directory server. See the installation log for details.")
sys.exit(1)
except Exception:
# TODO: roll back here?
root_logger.debug(traceback.format_exc())
root_logger.critical("Failed to restart the directory server. See the installation log for details.")
def uninstall(self): def uninstall(self):
if self.is_configured(): if self.is_configured():
@ -1757,7 +1615,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
if not ipautil.file_exists(cafile): if not ipautil.file_exists(cafile):
# Replica of old "self-signed" master - skip installing CA # Replica of old "self-signed" master - skip installing CA
return (None, None) return None
if not config.setup_ca: if not config.setup_ca:
# We aren't configuring the CA in this step but we still need # We aren't configuring the CA in this step but we still need
@ -1766,7 +1624,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
dogtag_constants=dogtag.install_constants) dogtag_constants=dogtag.install_constants)
ca.dm_password = config.dirman_password ca.dm_password = config.dirman_password
ca.subject_base = config.subject_base ca.subject_base = config.subject_base
return (ca, None) return ca
ca = CAInstance(config.realm_name, certs.NSS_DIR, ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants) dogtag_constants=dogtag.install_constants)
@ -1780,17 +1638,6 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
pkcs12_info = (config.dir + "/dogtagcert.p12", pkcs12_info = (config.dir + "/dogtagcert.p12",
config.dir + "/dirsrv_pin.txt") config.dir + "/dirsrv_pin.txt")
if not dogtag.install_constants.SHARED_DB:
cs = CADSInstance(dogtag_constants=dogtag.install_constants)
cs.create_instance(config.realm_name, config.host_name,
config.domain_name, config.dirman_password,
pkcs12_info)
cs.load_pkcs12()
cs.enable_ssl()
cs.restart_instance()
else:
cs = None
ca = CAInstance(config.realm_name, certs.NSS_DIR, ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants) dogtag_constants=dogtag.install_constants)
if postinstall: if postinstall:
@ -1821,16 +1668,11 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
service.print_msg("Restarting the directory and certificate servers") service.print_msg("Restarting the directory and certificate servers")
ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME) ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
if not dogtag.install_constants.SHARED_DB: ipaservices.knownservices.dirsrv.restart()
ds_name = dogtag.install_constants.DS_NAME
ipaservices.knownservices.dirsrv.stop(ds_name)
ipaservices.knownservices.dirsrv.start(ds_name)
else:
ipaservices.knownservices.dirsrv.restart()
ca.start(dogtag.install_constants.PKI_INSTANCE_NAME) ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
return (ca, cs) return ca
def update_cert_config(nickname, cert): def update_cert_config(nickname, cert):
""" """
@ -1914,12 +1756,7 @@ def update_people_entry(uid, dercert):
if __name__ == "__main__": if __name__ == "__main__":
standard_logging_setup("install.log") standard_logging_setup("install.log")
if not dogtag.install_constants.SHARED_DB: ds = dsinstance.DsInstance()
cs = CADSInstance()
cs.create_instance(
"EXAMPLE.COM", "catest.example.com", "example.com", "password")
else:
ds = dsinstance.DsInstance()
ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
ca.configure_instance("catest.example.com", "example.com", "password", "password") ca.configure_instance("catest.example.com", "example.com", "password", "password")
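Review bot: CADSInstance.__init__ still accepts host_name, realm_name, domain_name, dm_password and dogtag_constants, but the new docstring says the class only does uninstallation and, as far as the hunks show, the body no longer consumes them (the principal, suffix and dogtag_constants setup is removed in the second hunk, which starts inside __init__; the lines between the two hunks are not visible). Either drop the parameters that nothing reads any more, or state in the docstring which ones uninstall() still relies on, e.g. `Constructor arguments are kept for call-site compatibility; only those that uninstall() reads are meaningful.` The docstring would also read better in PEP 257 form: a one-line summary `Certificate Authority DS instance (Dogtag 9 layout only).`, a blank line, then the explanation. uninstall() and install_replica_ca both run past the ends of their hunks.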


@ -209,7 +209,7 @@ class DsInstance(service.Service):
self.step("configuring lockout plugin", self.__config_lockout_module) self.step("configuring lockout plugin", self.__config_lockout_module)
self.step("creating indices", self.__create_indices) self.step("creating indices", self.__create_indices)
self.step("enabling referential integrity plugin", self.__add_referint_module) self.step("enabling referential integrity plugin", self.__add_referint_module)
if not dogtag.install_constants.SHARED_DB or enable_ssl: if enable_ssl:
self.step("configuring ssl for ds instance", self.enable_ssl) self.step("configuring ssl for ds instance", self.enable_ssl)
self.step("configuring certmap.conf", self.__certmap_conf) self.step("configuring certmap.conf", self.__certmap_conf)
self.step("configure autobind for root", self.__root_autobind) self.step("configure autobind for root", self.__root_autobind)


@ -46,8 +46,6 @@ from ipaserver.install import certs
IPA_MODULES = [ IPA_MODULES = [
'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install', 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install',
'krb5kdc', 'ntpd', 'named', 'ipa_memcached'] 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
if not dogtag.install_constants.SHARED_DB:
IPA_MODULES.append('pkids')
class BadHostError(Exception): class BadHostError(Exception):
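Review bot: 'pkids' is removed from IPA_MODULES unconditionally, so on an upgraded Dogtag-9-style installation, which the commit message says remains supported and which still runs the PKI-IPA directory server, that service is no longer covered by whatever IPA_MODULES drives (not visible in this hunk). If that is deliberate, a comment on the list would record it: `# 'pkids' (the Dogtag 9 CA directory server) is intentionally absent; upgraded installs keep it outside this list`; if not, the append should stay, conditioned on the PKI-IPA instance being present rather than on `SHARED_DB`.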