replica install: enforce --server arg

When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If that is not the case, refuse the installation.

Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Florence Blanc-Renaud
2019-09-09 12:58:48 +02:00
parent 2919237753
commit 802e54dd0e
2 changed files with 37 additions and 3 deletions


@@ -789,6 +789,8 @@ def promote_check(installer):
print("IPA client is already configured on this system, ignoring "
"the --domain, --server, --realm, --hostname, --password "
"and --keytab options.")
# Make sure options.server is not used
options.server = None
# The NTP configuration can not be touched on pre-installed client:
if options.no_ntp or options.ntp_servers or options.ntp_pool:
@@ -1043,8 +1045,15 @@ def promote_check(installer):
config.subject_base = DN(subject_base)
# Find any server with a CA
# The order of preference is
# 1. the first server specified in --server, if any
# 2. the server specified in the config file
# 3. any other
preferred_cas = [config.ca_host_name]
if options.server:
preferred_cas.insert(0, options.server)
ca_host = find_providing_server(
'CA', conn, [config.ca_host_name]
'CA', conn, preferred_cas
)
if ca_host is not None:
config.ca_host_name = ca_host
@@ -1053,6 +1062,14 @@ def promote_check(installer):
logger.error("Certificates could not be provided when "
"CA is present on some master.")
raise ScriptError(rval=3)
if options.setup_ca and options.server and \
ca_host != options.server:
# Installer was provided with a specific master
# but this one doesn't provide CA
logger.error("The specified --server %s does not provide CA, "
"please provide a server with the CA role",
options.server)
raise ScriptError(rval=4)
else:
if options.setup_ca:
logger.error("The remote master does not have a CA "
@@ -1067,12 +1084,27 @@ def promote_check(installer):
raise ScriptError(rval=3)
# Find any server with a KRA
# The order of preference is
# 1. the first server specified in --server, if any
# 2. the server specified in the config file
# 3. any other
preferred_kras = [config.kra_host_name]
if options.server:
preferred_kras.insert(0, options.server)
kra_host = find_providing_server(
'KRA', conn, [config.kra_host_name]
'KRA', conn, preferred_kras
)
if kra_host is not None:
config.kra_host_name = kra_host
kra_enabled = True
if options.setup_kra and options.server and \
kra_host != options.server:
# Installer was provided with a specific master
# but this one doesn't provide KRA
logger.error("The specified --server %s does not provide KRA, "
"please provide a server with the KRA role",
options.server)
raise ScriptError(rval=4)
else:
if options.setup_kra:
logger.error("There is no active KRA server in the domain, "