ipa-dns-install: use STARTTLS to connect to DS

BindInstance et al. now use STARTTLS to set up a secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933

Reviewed-By: Martin Basti <mbasti@redhat.com>
Martin Babinsky 2015-03-12 16:14:22 +01:00 committed by Tomas Babej
parent 80aeb445e2
commit 41ca3fb499
6 changed files with 32 additions and 17 deletions


@ -151,7 +151,7 @@ def main():
confirm=False, validate=False)
if dm_password is None:
sys.exit("Directory Manager password required")
bind = bindinstance.BindInstance(fstore, dm_password)
bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True)
# try the connection
try:
@ -160,7 +160,8 @@ def main():
except errors.ACIError:
sys.exit("Password is not valid!")
ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
start_tls=True)
if options.dnssec_master:
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
@ -214,10 +215,13 @@ def main():
bind.create_instance()
# on dnssec master this must be installed last
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
start_tls=True)
dnskeysyncd.create_instance(api.env.host, api.env.realm)
if options.dnssec_master:
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
dm_password,
start_tls=True)
ods_exporter.create_instance(api.env.host, api.env.realm)
ods.create_instance(api.env.host, api.env.realm)
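Review bot: With `start_tls=True` the `bind` connection exercised under `# try the connection` can now fail while setting up TLS (CA certificate missing or untrusted, STARTTLS refused by DS) and not only on a wrong password, yet the only handler visible in this section is `except errors.ACIError`, which exits with "Password is not valid!". The try body, like the rest of `main()`, lies outside the hunk, so if it does not also catch the LDAP/network error a TLS failure will surface as a traceback instead of a clear message; a sibling handler such as `except errors.NetworkError as e: sys.exit("Cannot connect to DS with STARTTLS: %s" % e)` next to the existing one would cover it. The other three instances (`ods`, `dnskeysyncd`, `ods_exporter`) are built with the same flag but are not probed until `create_instance`, so any such error there is reported late in the install. The literal `start_tls=True` is repeated in four constructor calls; binding it once or relying on a shared default would keep the four installers from drifting apart.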


@ -533,13 +533,15 @@ class DnsBackup(object):
class BindInstance(service.Service):
def __init__(self, fstore=None, dm_password=None):
service.Service.__init__(self, "named",
def __init__(self, fstore=None, dm_password=None, start_tls=False):
service.Service.__init__(
self, "named",
service_desc="DNS",
dm_password=dm_password,
ldapi=False,
autobind=ipaldap.AUTOBIND_DISABLED
)
autobind=ipaldap.AUTOBIND_DISABLED,
start_tls=start_tls
)
self.dns_backup = DnsBackup(self)
self.named_user = None
self.domain = None
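Review bot: The new `start_tls` keyword on `BindInstance.__init__` is undocumented: nothing tells a caller that it is only forwarded to `service.Service`, that it selects a STARTTLS-protected connection to DS in place of the presumably unencrypted default, or that it has no effect on the `ldapi` path, which this class fixes to `False`. A short docstring would do, e.g. `:param start_tls: protect the LDAP connection to DS with STARTTLS; forwarded to service.Service, default False keeps existing callers on the unencrypted connection`. The same gap exists in the identical constructors of `DNSKeySyncInstance`, `ODSExporterInstance` and `OpenDNSSECInstance` in this commit. `__init__` continues past the end of the hunk.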


@ -62,13 +62,14 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
class DNSKeySyncInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
ldapi=False):
ldapi=False, start_tls=False):
service.Service.__init__(
self, "ipa-dnskeysyncd",
service_desc="DNS key synchronization service",
dm_password=dm_password,
ldapi=ldapi
)
ldapi=ldapi,
start_tls=start_tls
)
self.dm_password = dm_password
self.logger = logger
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
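Review bot: `DNSKeySyncInstance.__init__` now accepts both `ldapi` and `start_tls` but does not reconcile them; judging from the `Service` hunk in this commit, the LDAPI branch is tested first and `elif self.start_tls` is only reached when `ldapi` is false, so `ldapi=True, start_tls=True` yields the local-socket connection with `start_tls` silently ignored. That combination is harmless today, but a caller that expects STARTTLS and gets it dropped has no way to notice. Either state the precedence in the docstring or reject the combination, e.g. `if ldapi and start_tls: raise ValueError("ldapi and start_tls are mutually exclusive")`. `__init__` continues past the end of the hunk.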


@ -19,13 +19,14 @@ from ipalib import errors
class ODSExporterInstance(service.Service):
def __init__(self, fstore=None, dm_password=None):
def __init__(self, fstore=None, dm_password=None, start_tls=False):
service.Service.__init__(
self, "ipa-ods-exporter",
service_desc="IPA OpenDNSSEC exporter daemon",
dm_password=dm_password,
ldapi=False,
autobind=ipaldap.AUTOBIND_DISABLED
autobind=ipaldap.AUTOBIND_DISABLED,
start_tls=start_tls
)
self.dm_password = dm_password
self.ods_uid = None


@ -61,13 +61,14 @@ def check_inst():
class OpenDNSSECInstance(service.Service):
def __init__(self, fstore=None, dm_password=None):
def __init__(self, fstore=None, dm_password=None, start_tls=False):
service.Service.__init__(
self, "ods-enforcerd",
service_desc="OpenDNSSEC enforcer daemon",
dm_password=dm_password,
ldapi=False,
autobind=ipaldap.AUTOBIND_DISABLED
autobind=ipaldap.AUTOBIND_DISABLED,
start_tls=start_tls
)
self.dm_password = dm_password
self.ods_uid = None


@ -72,8 +72,9 @@ def format_seconds(seconds):
class Service(object):
def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True,
autobind=ipaldap.AUTOBIND_AUTO):
def __init__(self, service_name, service_desc=None, sstore=None,
dm_password=None, ldapi=True, autobind=ipaldap.AUTOBIND_AUTO,
start_tls=False):
self.service_name = service_name
self.service_desc = service_desc
self.service = services.service(service_name)
@ -82,6 +83,7 @@ class Service(object):
self.dm_password = dm_password
self.ldapi = ldapi
self.autobind = autobind
self.start_tls = start_tls
self.fqdn = socket.gethostname()
self.admin_conn = None
@ -107,6 +109,10 @@ class Service(object):
if not self.realm:
raise errors.NotFound(reason="realm is missing for %s" % (self))
conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
elif self.start_tls:
conn = ipaldap.IPAdmin(self.fqdn, port=389, protocol='ldap',
cacert=paths.IPA_CA_CRT,
start_tls=self.start_tls)
else:
conn = ipaldap.IPAdmin(self.fqdn, port=389)