ipa-dns-install: use STARTTLS to connect to DS
BindInstance et al. now use STARTTLS to set up a secure connection to the DS during ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933 Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
parent
80aeb445e2
commit
41ca3fb499
@ -151,7 +151,7 @@ def main():
|
||||
confirm=False, validate=False)
|
||||
if dm_password is None:
|
||||
sys.exit("Directory Manager password required")
|
||||
bind = bindinstance.BindInstance(fstore, dm_password)
|
||||
bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True)
|
||||
|
||||
# try the connection
|
||||
try:
|
||||
@ -160,7 +160,8 @@ def main():
|
||||
except errors.ACIError:
|
||||
sys.exit("Password is not valid!")
|
||||
|
||||
ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
|
||||
ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
|
||||
start_tls=True)
|
||||
if options.dnssec_master:
|
||||
dnssec_masters = ods.get_masters()
|
||||
# we can reinstall current server if it is dnssec master
|
||||
@ -214,10 +215,13 @@ def main():
|
||||
bind.create_instance()
|
||||
|
||||
# on dnssec master this must be installed last
|
||||
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
|
||||
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
|
||||
start_tls=True)
|
||||
dnskeysyncd.create_instance(api.env.host, api.env.realm)
|
||||
if options.dnssec_master:
|
||||
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
|
||||
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
|
||||
dm_password,
|
||||
start_tls=True)
|
||||
|
||||
ods_exporter.create_instance(api.env.host, api.env.realm)
|
||||
ods.create_instance(api.env.host, api.env.realm)
|
||||
|
@ -533,13 +533,15 @@ class DnsBackup(object):
|
||||
|
||||
|
||||
class BindInstance(service.Service):
|
||||
def __init__(self, fstore=None, dm_password=None):
|
||||
service.Service.__init__(self, "named",
|
||||
def __init__(self, fstore=None, dm_password=None, start_tls=False):
|
||||
service.Service.__init__(
|
||||
self, "named",
|
||||
service_desc="DNS",
|
||||
dm_password=dm_password,
|
||||
ldapi=False,
|
||||
autobind=ipaldap.AUTOBIND_DISABLED
|
||||
)
|
||||
autobind=ipaldap.AUTOBIND_DISABLED,
|
||||
start_tls=start_tls
|
||||
)
|
||||
self.dns_backup = DnsBackup(self)
|
||||
self.named_user = None
|
||||
self.domain = None
|
||||
|
@ -62,13 +62,14 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
|
||||
|
||||
class DNSKeySyncInstance(service.Service):
|
||||
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
|
||||
ldapi=False):
|
||||
ldapi=False, start_tls=False):
|
||||
service.Service.__init__(
|
||||
self, "ipa-dnskeysyncd",
|
||||
service_desc="DNS key synchronization service",
|
||||
dm_password=dm_password,
|
||||
ldapi=ldapi
|
||||
)
|
||||
ldapi=ldapi,
|
||||
start_tls=start_tls
|
||||
)
|
||||
self.dm_password = dm_password
|
||||
self.logger = logger
|
||||
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
|
||||
|
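Review bot: The hunk header shows `dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, ...)` also taking the DM password and an ldapi switch, yet the commit leaves that helper untouched; if it opens its own connection and simple-binds with `dm_password` over port 389, the password still crosses the wire in clear even when the caller passes `start_tls=True` to `DNSKeySyncInstance`. Worth confirming and, if so, giving it a matching `start_tls` argument forwarded the same way. `DNSKeySyncInstance.__init__` now also accepts both `ldapi` and `start_tls`; from the service.py hunk the ldapi branch is tested first, so `start_tls` is silently ignored when `ldapi=True`, and a one-line comment on the new parameter, `# start_tls only affects the TCP/389 path; ignored when ldapi=True`, would save the reader a cross-file lookup. The body of `__init__` continues outside the hunk.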
@ -19,13 +19,14 @@ from ipalib import errors
|
||||
|
||||
|
||||
class ODSExporterInstance(service.Service):
|
||||
def __init__(self, fstore=None, dm_password=None):
|
||||
def __init__(self, fstore=None, dm_password=None, start_tls=False):
|
||||
service.Service.__init__(
|
||||
self, "ipa-ods-exporter",
|
||||
service_desc="IPA OpenDNSSEC exporter daemon",
|
||||
dm_password=dm_password,
|
||||
ldapi=False,
|
||||
autobind=ipaldap.AUTOBIND_DISABLED
|
||||
autobind=ipaldap.AUTOBIND_DISABLED,
|
||||
start_tls=start_tls
|
||||
)
|
||||
self.dm_password = dm_password
|
||||
self.ods_uid = None
|
||||
|
@ -61,13 +61,14 @@ def check_inst():
|
||||
|
||||
|
||||
class OpenDNSSECInstance(service.Service):
|
||||
def __init__(self, fstore=None, dm_password=None):
|
||||
def __init__(self, fstore=None, dm_password=None, start_tls=False):
|
||||
service.Service.__init__(
|
||||
self, "ods-enforcerd",
|
||||
service_desc="OpenDNSSEC enforcer daemon",
|
||||
dm_password=dm_password,
|
||||
ldapi=False,
|
||||
autobind=ipaldap.AUTOBIND_DISABLED
|
||||
autobind=ipaldap.AUTOBIND_DISABLED,
|
||||
start_tls=start_tls
|
||||
)
|
||||
self.dm_password = dm_password
|
||||
self.ods_uid = None
|
||||
|
@ -72,8 +72,9 @@ def format_seconds(seconds):
|
||||
|
||||
|
||||
class Service(object):
|
||||
def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True,
|
||||
autobind=ipaldap.AUTOBIND_AUTO):
|
||||
def __init__(self, service_name, service_desc=None, sstore=None,
|
||||
dm_password=None, ldapi=True, autobind=ipaldap.AUTOBIND_AUTO,
|
||||
start_tls=False):
|
||||
self.service_name = service_name
|
||||
self.service_desc = service_desc
|
||||
self.service = services.service(service_name)
|
||||
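Review bot: The new `start_tls` parameter is undocumented and its `False` default keeps every existing `Service` subclass on the plaintext LDAP path; because this flag decides whether the Directory Manager credential travels encrypted, the signature deserves a docstring line such as `start_tls: negotiate STARTTLS on the port-389 connection (ignored when ldapi=True); the False default preserves the previous unencrypted behaviour`. The four subclass hunks (bindinstance, dnskeysyncinstance, odsexporterinstance, opendnssecinstance) forward the flag equally without comment, so one note here covering all of them is enough. `Service.__init__` continues past the end of the hunk.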
@ -82,6 +83,7 @@ class Service(object):
|
||||
self.dm_password = dm_password
|
||||
self.ldapi = ldapi
|
||||
self.autobind = autobind
|
||||
self.start_tls = start_tls
|
||||
|
||||
self.fqdn = socket.gethostname()
|
||||
self.admin_conn = None
|
||||
@ -107,6 +109,10 @@ class Service(object):
|
||||
if not self.realm:
|
||||
raise errors.NotFound(reason="realm is missing for %s" % (self))
|
||||
conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
|
||||
elif self.start_tls:
|
||||
conn = ipaldap.IPAdmin(self.fqdn, port=389, protocol='ldap',
|
||||
cacert=paths.IPA_CA_CRT,
|
||||
start_tls=self.start_tls)
|
||||
else:
|
||||
conn = ipaldap.IPAdmin(self.fqdn, port=389)
|
||||
|
||||
|
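Review bot: The `else` branch still builds `ipaldap.IPAdmin(self.fqdn, port=389)` as the default connection, so any `Service` subclass that does not explicitly pass `start_tls=True` keeps opening plain LDAP to the DS and, presumably, simple-binding with `self.dm_password` later in this method (the method's start and the bind itself are outside the hunk). Only the DNS installers opt in with this commit; it would be worth auditing the remaining subclasses rather than leaving the cleartext path as the default, or at least logging in the `else` branch that the DM bind will be unencrypted, e.g. `root_logger.debug("connecting to %s:389 without STARTTLS", self.fqdn)` if that logger is in scope here. The new `elif` also depends on `IPAdmin(..., start_tls=True)` failing closed: if the STARTTLS extended operation is refused, the constructor must raise rather than continue on the cleartext socket — IPAdmin is not visible in this diff, so please confirm. `cacert=paths.IPA_CA_CRT` pins verification to the IPA CA, which is the right choice for this internal connection.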