ipa-adtrust-install: run remote configuration for new agents

When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.

With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.

If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).

Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>

ipaserver/install/adtrust.py

@@ -14,6 +14,7 @@ import os
 import six
 
 from ipalib.constants import MIN_DOMAIN_LEVEL
+from ipalib import create_api, rpc
 from ipalib import errors
 from ipalib.install.service import ServiceAdminInstallInterface
 from ipalib.install.service import replica_install_only
@@ -344,13 +345,68 @@ def add_new_adtrust_agents(api, options):
     if new_agents:
         add_hosts_to_adtrust_agents(api, new_agents)
 
-        print("""
+        # The method trust_enable_agent was added on API version 2.236
+        # Specifically request this version in the remote call
+        kwargs = {u'version': u'2.236',
+                  u'enable_compat': options.enable_compat}
+        failed_agents = []
+        for agent in new_agents:
+            # Try to run the ipa-trust-enable-agent script on the agent
+            # If the agent is too old and does not support this,
+            # print a msg
+            logger.info("Execute trust_enable_agent on remote server %s",
+                        agent)
+            client = None
+            try:
+                xmlrpc_uri = 'https://{}/ipa/xml'.format(
+                    ipautil.format_netloc(agent))
+                remote_api = create_api(mode=None)
+                remote_api.bootstrap(context='installer',
+                                     confdir=paths.ETC_IPA,
+                                     xmlrpc_uri=xmlrpc_uri,
+                                     fallback=False)
+                client = rpc.jsonclient(remote_api)
+                client.finalize()
+                client.connect()
+                result = client.forward(
+                    u'trust_enable_agent',
+                    ipautil.fsdecode(agent),
+                    **kwargs)
+            except errors.CommandError as e:
+                logger.debug(
+                    "Remote server %s does not support agent enablement "
+                    "over RPC: %s", agent, e)
+                failed_agents.append(agent)
+            except (errors.PublicError, ConnectionRefusedError) as e:
+                logger.debug(
+                    "Remote call to trust_enable_agent failed on server %s: "
+                    "%s", agent, e)
+                failed_agents.append(agent)
+            else:
+                for message in result.get('messages'):
+                    logger.debug('%s', message['message'])
+                if not int(result['result']):
+                    logger.debug(
+                        "ipa-trust-enable-agent returned non-zero exit code "
+                        " on server %s", agent)
+                    failed_agents.append(agent)
+            finally:
+                if client and client.isconnected():
+                    client.disconnect()
+
+        # if enablement failed on some agents, print a WARNING:
+        if failed_agents:
+            if options.enable_compat:
+                print("""
+WARNING: you MUST manually enable the Schema compatibility Plugin and """)
+            print("""
 WARNING: you MUST restart (both "ipactl restart" and "systemctl restart sssd")
 the following IPA masters in order to activate them to serve information about
 users from trusted forests:
 """)
-        for x in new_agents:
-            print(x)
+
+            for x in failed_agents:
+                print(x)
 
 
 def install_check(standalone, options, api):

ipaserver/install/ipa_trust_enable_agent.py

@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2020  FreeIPA Contributors see COPYING for license
+#
+
+
+from __future__ import print_function, absolute_import
+
+import logging
+
+from ipalib import api
+from ipaplatform import services
+from ipaplatform.paths import paths
+from ipapython.admintool import AdminTool, ScriptError
+from ipapython.dn import DN
+from ipapython.ipautil import CalledProcessError
+from ipaserver.install import installutils
+
+logger = logging.getLogger(__name__)
+
+
+class IPATrustEnableAgent(AdminTool):
+    command_name = "ipa-trust-enable-agent"
+    log_file_name = paths.IPATRUSTENABLEAGENT_LOG
+    usage = "%prog"
+    description = "Enable this server as a trust agent"
+
+    @classmethod
+    def add_options(cls, parser):
+        super(IPATrustEnableAgent, cls).add_options(parser)
+
+        parser.add_option(
+            "--enable-compat",
+            dest="enable_compat", default=False, action="store_true",
+            help="Enable support for trusted domains for old clients")
+
+    def validate_options(self):
+        super(IPATrustEnableAgent, self).validate_options(needs_root=True)
+        installutils.check_server_configuration()
+
+    def _enable_compat_tree(self):
+        logger.info("Enabling Schema Compatibility plugin")
+        compat_plugin_dn = DN("cn=Schema Compatibility,cn=plugins,cn=config")
+        lookup_nsswitch_name = "schema-compat-lookup-nsswitch"
+        for config in (("cn=users", "user"), ("cn=groups", "group")):
+            entry_dn = DN(config[0], compat_plugin_dn)
+            current = api.Backend.ldap2.get_entry(entry_dn)
+            lookup_nsswitch = current.get(lookup_nsswitch_name, [])
+            if not(config[1] in lookup_nsswitch):
+                logger.debug("Enabling Schema Compatibility plugin "
+                             "for %s", config[0])
+                current[lookup_nsswitch_name] = [config[1]]
+                api.Backend.ldap2.update_entry(current)
+            else:
+                logger.debug("Schema Compatibility plugin already enabled "
+                             "for %s", config[0])
+
+    def run(self):
+        api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
+        api.finalize()
+
+        try:
+            api.Backend.ldap2.connect()  # ensure DS is up
+
+            # If required, enable Schema compat plugin on users/groups
+            if self.options.enable_compat:
+                try:
+                    self._enable_compat_tree()
+                except Exception as e:
+                    raise ScriptError(
+                        "Enabling Schema Compatibility plugin "
+                        "failed: {}".format(e))
+
+            # Restart 389-ds and sssd
+            logger.info("Restarting Directory Server")
+            try:
+                services.knownservices.dirsrv.restart()
+            except Exception as e:
+                raise ScriptError(
+                    "Directory Server restart was unsuccessful: {}".format(e))
+
+            logger.info("Restarting SSSD service")
+            try:
+                sssd = services.service('sssd', api)
+                sssd.restart()
+            except CalledProcessError as e:
+                raise ScriptError(
+                    "SSSD service restart was unsuccessful: {}".format(e))
+
+        finally:
+            if api.Backend.ldap2.isconnected():
+                api.Backend.ldap2.disconnect()
+
+        return 0