Fix installing server with external CA

Reorganize ipa-server-install so that DS (and NTP server) installation
only happens in step one.

Change CAInstance to behave correctly in two-step install.

Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.

https://fedorahosted.org/freeipa/ticket/3459
This commit is contained in:
Petr Viktorin
2013-02-25 17:15:23 +01:00
committed by Martin Kosek
parent 9955ba0714
commit 6ff20ca2d9
3 changed files with 74 additions and 65 deletions


@@ -691,6 +691,15 @@ def main():
sys.exit(1) sys.exit(1)
cert = certdict[certissuer] cert = certdict[certissuer]
# Figure out what external CA step we're in. See cainstance.py for more
# info on the 3 states.
if options.external_cert_file:
external = 2
elif options.external_ca:
external = 1
else:
external = 0
print "==============================================================================" print "=============================================================================="
print "This program will set up the FreeIPA Server." print "This program will set up the FreeIPA Server."
print "" print ""
@@ -717,8 +726,9 @@ def main():
print "To accept the default shown in brackets, press the Enter key." print "To accept the default shown in brackets, press the Enter key."
print "" print ""
# Make sure the 389-ds ports are available if external != 2:
check_dirsrv(options.unattended) # Make sure the 389-ds ports are available
check_dirsrv(options.unattended)
if options.conf_ntp: if options.conf_ntp:
try: try:
@@ -921,36 +931,43 @@ def main():
except ipautil.CalledProcessError, e: except ipautil.CalledProcessError, e:
root_logger.critical("failed to add DS group: %s" % e) root_logger.critical("failed to add DS group: %s" % e)
# Configure ntpd
if options.conf_ntp:
ipaclient.ntpconf.force_ntpd(sstore)
ntp = ntpinstance.NTPInstance(fstore)
if not ntp.is_configured():
ntp.create_instance()
# Create a directory server instance
ds = dsinstance.DsInstance(fstore=fstore)
if options.dirsrv_pin: if options.dirsrv_pin:
[pw_fd, pw_name] = tempfile.mkstemp() [pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, options.dirsrv_pin) os.write(pw_fd, options.dirsrv_pin)
os.close(pw_fd) os.close(pw_fd)
if options.dirsrv_pkcs12:
pkcs12_info = (options.dirsrv_pkcs12, pw_name) pkcs12_info = (options.dirsrv_pkcs12, pw_name)
try:
if external != 2:
# Configure ntpd
if options.conf_ntp:
ipaclient.ntpconf.force_ntpd(sstore)
ntp = ntpinstance.NTPInstance(fstore)
if not ntp.is_configured():
ntp.create_instance()
# Create a directory server instance
ds = dsinstance.DsInstance(fstore=fstore)
if options.dirsrv_pkcs12:
try:
ds.create_instance(realm_name, host_name, domain_name,
dm_password, pkcs12_info,
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
finally:
os.remove(pw_name)
else:
ds.create_instance(realm_name, host_name, domain_name, ds.create_instance(realm_name, host_name, domain_name,
dm_password, pkcs12_info, dm_password, self_signed_ca=options.selfsign,
subject_base=options.subject, idstart=options.idstart, idmax=options.idmax,
hbac_allow=not options.hbac_allow) subject_base=options.subject,
finally: hbac_allow=not options.hbac_allow)
os.remove(pw_name)
else: else:
ds.create_instance(realm_name, host_name, domain_name, ds = dsinstance.DsInstance(fstore=fstore)
dm_password, self_signed_ca=options.selfsign, ds.init_info(
idstart=options.idstart, idmax=options.idmax, realm_name, host_name, domain_name, dm_password,
subject_base=options.subject, options.selfsign, options.subject, 1101, 1100, None)
hbac_allow=not options.hbac_allow)
if options.selfsign: if options.selfsign:
ca = certs.CertDB(realm_name, host_name=host_name, ca = certs.CertDB(realm_name, host_name=host_name,
@@ -963,15 +980,6 @@ def main():
except: except:
pass pass
# Figure out what state we're in. See cainstance.py for more info on
# the 3 states.
if options.external_cert_file:
external = 2
elif options.external_ca:
external = 1
else:
external = 0
if not dogtag.install_constants.SHARED_DB: if not dogtag.install_constants.SHARED_DB:
cs = cainstance.CADSInstance( cs = cainstance.CADSInstance(
host_name, realm_name, domain_name, dm_password) host_name, realm_name, domain_name, dm_password)
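Review bot: The step-two branch calls `ds.init_info(realm_name, host_name, domain_name, dm_password, options.selfsign, options.subject, 1101, 1100, None)` with bare positional magic numbers for idstart/idmax and `None` for pkcs12_info, while the step-one path passes `options.idstart`/`options.idmax` and the real `pkcs12_info`, so any later task that reads the DS object's idstart/idmax or sub_dict would see a replica-style depleted range instead of the values the administrator supplied. If that pair is deliberate here, say so above the call, e.g. `# step two: DS already exists, only populate the instance for later tasks; 1101/1100 marks the DNA range as depleted, as for a replica`, otherwise pass `options.idstart, options.idmax`. It is also not visible in this hunk whether the temporary PIN file `pw_name` created under `if options.dirsrv_pin` is removed on the `external == 2` path, since the `os.remove(pw_name)` shown sits on the `create_instance` path; worth confirming so the PIN does not stay on disk. `main()` begins before and ends after these hunks.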


@@ -238,8 +238,10 @@ def get_crl_files(path=None):
def is_step_one_done(): def is_step_one_done():
'''Read CS.cfg and determine if step one of an external CA install is done '''Read CS.cfg and determine if step one of an external CA install is done
''' '''
test = installutils.get_directive( path = dogtag.install_constants.CS_CFG_PATH
dogtag.install_constants.CS_CFG_PATH, 'preop.ca.type', '=') if not os.path.exists(path):
return False
test = installutils.get_directive(path, 'preop.ca.type', '=')
if test == "otherca": if test == "otherca":
return True return True
return False return False
@@ -736,16 +738,16 @@ class CAInstance(service.Service):
finally: finally:
os.remove(cfg_file) os.remove(cfg_file)
if not self.clone:
shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
"/root/ca-agent.p12")
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
"/root/cacert.p12")
if self.external == 1: if self.external == 1:
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate" print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0) sys.exit(0)
else:
if not self.clone:
shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
"/root/ca-agent.p12")
shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
"/root/cacert.p12")
root_logger.debug("completed creating ca instance") root_logger.debug("completed creating ca instance")
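Review bot: `is_step_one_done` now returns False when CS.cfg is absent, but its docstring still only says `'''Read CS.cfg and determine if step one of an external CA install is done'''`; extend it to `'''Read CS.cfg and determine if step one of an external CA install is done. Returns False when CS.cfg does not exist yet, i.e. no CA instance has been created.'''`. In the second hunk the `else:` after the `self.external == 1` branch is redundant because that branch ends in `sys.exit(0)`; dedenting the two `shutil.move` calls to the surrounding level reads more plainly, and the backslash continuations on those lines are unnecessary inside the call parentheses. The method containing the second hunk starts before the hunk.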


@@ -228,24 +228,31 @@ class DsInstance(service.Service):
self.step("configuring directory to start on boot", self.__enable) self.step("configuring directory to start on boot", self.__enable)
def create_instance(self, realm_name, fqdn, domain_name, def init_info(self, realm_name, fqdn, domain_name, dm_password,
dm_password, pkcs12_info=None, self_signed_ca=False, self_signed_ca, subject_base, idstart, idmax, pkcs12_info):
idstart=1100, idmax=999999, subject_base=None,
hbac_allow=True):
self.realm_name = realm_name.upper() self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name) self.serverid = realm_to_serverid(self.realm_name)
self.suffix = ipautil.realm_to_suffix(self.realm_name) self.suffix = ipautil.realm_to_suffix(self.realm_name)
self.fqdn = fqdn self.fqdn = fqdn
self.dm_password = dm_password self.dm_password = dm_password
self.domain = domain_name self.domain = domain_name
self.pkcs12_info = pkcs12_info self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
self.self_signed_ca = self_signed_ca self.self_signed_ca = False
self.subject_base = subject_base
self.idstart = idstart self.idstart = idstart
self.idmax = idmax self.idmax = idmax
self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name) self.pkcs12_info = pkcs12_info
self.subject_base = subject_base
self.__setup_sub_dict() self.__setup_sub_dict()
def create_instance(self, realm_name, fqdn, domain_name,
dm_password, pkcs12_info=None, self_signed_ca=False,
idstart=1100, idmax=999999, subject_base=None,
hbac_allow=True):
self.init_info(
realm_name, fqdn, domain_name, dm_password, self_signed_ca,
subject_base, idstart, idmax, pkcs12_info)
self.__common_setup() self.__common_setup()
self.step("adding default layout", self.__add_default_layout) self.step("adding default layout", self.__add_default_layout)
@@ -266,26 +273,18 @@ class DsInstance(service.Service):
def create_replica(self, realm_name, master_fqdn, fqdn, def create_replica(self, realm_name, master_fqdn, fqdn,
domain_name, dm_password, pkcs12_info=None): domain_name, dm_password, pkcs12_info=None):
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
self.suffix = ipautil.realm_to_suffix(self.realm_name)
self.master_fqdn = master_fqdn
self.fqdn = fqdn
self.dm_password = dm_password
self.domain = domain_name
self.pkcs12_info = pkcs12_info
self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
self.self_signed_ca = False
self.subject_base = None
# idstart and idmax are configured so that the range is seen as # idstart and idmax are configured so that the range is seen as
# depleted by the DNA plugin and the replica will go and get a # depleted by the DNA plugin and the replica will go and get a
# new range from the master. # new range from the master.
# This way all servers use the initially defined range by default. # This way all servers use the initially defined range by default.
self.idstart = 1101 idstart = 1101
self.idmax = 1100 idmax = 1100
self.init_info(
realm_name, fqdn, domain_name, dm_password, None, None,
idstart, idmax, pkcs12_info)
self.master_fqdn = master_fqdn
self.__setup_sub_dict()
self.__common_setup(True) self.__common_setup(True)
self.step("setting up initial replication", self.__setup_replica) self.step("setting up initial replication", self.__setup_replica)
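Review bot: `init_info` takes a `self_signed_ca` parameter but, as rendered here, assigns `self.self_signed_ca = False`, so `create_instance(..., self_signed_ca=options.selfsign)` and the step-two `init_info(... options.selfsign ...)` call in ipa-server-install no longer propagate the flag; it should read `self.self_signed_ca = self_signed_ca`. The same body appears to assign `self.subject_base = subject_base` twice, and `create_replica` now runs `self.__setup_sub_dict()` once inside `init_info` and again after setting `self.master_fqdn`; if the sub_dict does not reference `master_fqdn` the second call is redundant, otherwise the first one runs with it unset, so either way the double call deserves a comment or removal. `init_info` also has no docstring; add one stating that it only populates the instance attributes and sub_dict (no installation steps are run), that it is shared by `create_instance`, `create_replica` and the step-two server install, and that `idstart`/`idmax` are the DNA range bounds. Both `create_instance` and `create_replica` continue past the hunk.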