diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 967ce6e5e..f2b15cfa2 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -428,7 +428,7 @@ def renew_ca_cert(): state = 'retrieve' if is_renewable(): - ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False) + ca = cainstance.CAInstance(host_name=api.env.host) if ca.is_renewal_master(): state = 'request' elif operation == 'POLL':
@@ -493,7 +493,7 @@ def main(): if profile: handler = handlers.get(profile, request_and_store_cert) else: - ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False) + ca = cainstance.CAInstance(host_name=api.env.host) if ca.is_renewal_master(): handler = request_and_store_cert else:
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 186fb34f6..7b3c8bdc6 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -74,7 +74,7 @@ def _main(): ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename) os.environ['KRB5CCNAME'] = ccache_filename - ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False) + ca = cainstance.CAInstance(host_name=api.env.host) ca.update_cert_config(nickname, cert) if ca.is_renewal_master(): cainstance.update_people_entry(cert)
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 17a7af9b0..62c5aa62c 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -48,7 +48,7 @@ def _main(): ccache_filename) os.environ['KRB5CCNAME'] = ccache_filename - ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False) + ca = cainstance.CAInstance(host_name=api.env.host) if ca.is_renewal_master(): # Fetch the new certificate db = certs.CertDB(api.env.realm) 
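Review bot: Dropping `ldapi=False` from the `CAInstance` constructor in `renew_ca_cert` changes how `is_renewal_master()` reaches the directory, and nothing in the hunk records what replaces the explicit choice; the same applies to the `main` hunk below it and to the renew_ca_cert and renew_ra_cert restart-script hunks. Those two scripts kinit a keytab and set `KRB5CCNAME` on the line immediately before constructing the instance, which only matters if the connection still binds with that Kerberos credential rather than over LDAPI as root; with the flag gone that decision now lives entirely in `Service.ldap_connect`, which is not in the diff, so it is worth confirming for the certmonger helper case. Once confirmed, a one-line comment at the construction site, e.g. `# connection mode is chosen by Service.ldap_connect (no ldapi/dm_password knobs any more)`, would record the dependency. `renew_ca_cert`, `main` and both `_main` functions start before their hunks and continue after them.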
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 985e7413a..bab87fa26 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -190,15 +190,14 @@ def install_replica(safe_options, options, filename): custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1]) CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR, - host_name=config.host_name, - dm_password=config.dirman_password) + host_name=config.host_name) CA.configure_replica(config.ca_host_name, subject_base=config.subject_base, ca_cert_bundle=ca_data) # Install CA DNS records if bindinstance.dns_container_exists(api.env.host, api.env.basedn, ldapi=True, realm=api.env.realm): - bind = bindinstance.BindInstance(ldapi=True) + bind = bindinstance.BindInstance() bind.update_system_records() else: ca.install(True, config, options)
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 5abc1d582..945d4215f 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -1123,8 +1123,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options): if options.cacert: # have to install the given CA cert before doing anything else - ds = dsinstance.DsInstance(realm_name = realm, - dm_password = dirman_passwd) + ds = dsinstance.DsInstance(realm_name=realm) if not ds.add_ca_cert(options.cacert): print("Could not load the required CA certificate file [%s]" % options.cacert) return
@@ -1214,7 +1213,7 @@ def re_initialize(realm, thishost, fromhost, dirman_passwd, nolookup=False): # If the agreement doesn't have nsDS5ReplicatedAttributeListTotal it means # we did not replicate memberOf, do so now. if not agreement.single_value.get('nsDS5ReplicatedAttributeListTotal'): - ds = dsinstance.DsInstance(realm_name = realm, dm_password = dirman_passwd) + ds = dsinstance.DsInstance(realm_name=realm) ds.ldapi = os.getegid() == 0 ds.init_memberof() 
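Review bot: The context line right after the changed `DsInstance(realm_name=realm)` in `re_initialize` still sets `ds.ldapi = os.getegid() == 0`, yet this commit removes `self.ldapi` from `Service.__init__` (service.py hunk), so the assignment now creates an ad-hoc attribute whose effect depends on whether `ldap_connect` still reads it — that method is outside the diff. If it is still honoured, the line deserves a comment such as `# ldapi is no longer a Service constructor argument; set it directly so init_memberof binds over LDAPI as root`; if it is not, the line is dead and belongs in this cleanup. `add_link` and `re_initialize` both continue past their hunks.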
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 49389859d..1dfcf96f7 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -137,8 +137,7 @@ class ADTRUSTInstance(service.Service): self.host_netbios_name = None self.realm = None - service.Service.__init__(self, "smb", service_desc="CIFS", - dm_password=None, ldapi=True) + service.Service.__init__(self, "smb", service_desc="CIFS") if fstore: self.fstore = fstore
@@ -740,14 +739,12 @@ class ADTRUSTInstance(service.Service): # Note that self.dm_password is None for ADTrustInstance because # we ensure to be called as root and using ldapi to use autobind try: - self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \ - self.suffix) + self.ldap_enable('ADTRUST', self.fqdn, None, self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry): root_logger.info("ADTRUST Service startup entry already exists.") try: - self.ldap_enable('EXTID', self.fqdn, self.dm_password, \ - self.suffix) + self.ldap_enable('EXTID', self.fqdn, None, self.suffix) except (ldap.ALREADY_EXISTS, errors.DuplicateEntry): root_logger.info("EXTID Service startup entry already exists.")
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 65fc462c7..20ae1f20b 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -228,8 +228,9 @@ def named_conf_add_include(path): with open(NAMED_CONF, 'a') as f: f.write(named_conf_include_template % {'path': path}) -def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None, - autobind=ipaldap.AUTOBIND_DISABLED): + +def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, + realm=None): """ Test whether the dns container exists. """ 
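Review bot: The comment kept two lines above the first changed `ldap_enable` call, `# Note that self.dm_password is None for ADTrustInstance because we ensure to be called as root and using ldapi to use autobind`, now describes an attribute that the service.py hunk deletes; the call passes a literal `None` instead. Reword it to state only the surviving requirement, e.g. `# No password is passed: this must run as root and relies on LDAPI autobind`. Passing `None` positionally for a parameter this commit gives a default of `None` also reads better as `self.ldap_enable('ADTRUST', self.fqdn, ldap_suffix=self.suffix)`; the same pattern recurs in the bindinstance, dnskeysyncinstance, httpinstance, krbinstance, odsexporterinstance, opendnssecinstance and SimpleServiceInstance hunks. Both calls sit in a method whose start and end lie outside the hunk.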
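Review bot: `dns_container_exists` keeps `dm_password=None` and `ldapi=False` while losing `autobind`, but its docstring, `Test whether the dns container exists.`, says nothing about how the bind is made; every caller in this diff except ca.py now passes no password at all, so the result of `conn.do_bind(dm_password)` in the next hunk rests on `LDAPClient.do_bind`'s default, which is not shown. Extend the docstring with the credential contract — that `dm_password` is the only credential parameter left and that with it unset the bind is whatever `do_bind` does by default (presumably LDAPI autobind when `ldapi=True`; confirm against ipaldap before stating it as fact). The same gap exists in `dnssec_container_exists` in dnskeysyncinstance.py. The function body continues beyond this hunk.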
@@ -240,7 +241,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, cacert=CACERT) conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - conn.do_bind(dm_password, autobind=autobind) + conn.do_bind(dm_password) except ldap.SERVER_DOWN: raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
@@ -613,15 +614,10 @@ class DnsBackup(object): class BindInstance(service.Service): - def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False, - start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED): + def __init__(self, fstore=None, api=api): service.Service.__init__( self, "named", - service_desc="DNS", - dm_password=dm_password, - ldapi=ldapi, - autobind=autobind, - start_tls=start_tls + service_desc="DNS" ) self.dns_backup = DnsBackup(self) self.named_user = None
@@ -632,7 +628,6 @@ class BindInstance(service.Service): self.forwarders = None self.sub_dict = None self.reverse_zones = [] - self.dm_password = dm_password self.api = api self.named_regular = services.service('named-regular')
@@ -665,8 +660,7 @@ class BindInstance(service.Service): self.zonemgr = normalize_zonemgr(zonemgr) self.first_instance = not dns_container_exists( - self.fqdn, self.suffix, realm=self.realm, ldapi=True, - dm_password=self.dm_password, autobind=self.autobind) + self.fqdn, self.suffix, realm=self.realm, ldapi=True) self.__setup_sub_dict()
@@ -763,7 +757,7 @@ class BindInstance(service.Service): # Instead we reply on the IPA init script to start only enabled # components as found in our LDAP configuration tree try: - self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix) + self.ldap_enable('DNS', self.fqdn, None, self.suffix) except errors.DuplicateEntry: # service already exists (forced DNS reinstall) # don't crash, just report error
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index ac04b646d..def702a7b 100644 
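Review bot: Removing `dm_password` from the middle of `BindInstance.__init__` moves `api` into the second positional slot, so a caller still written as `BindInstance(fstore, dm_password)` would bind the password string to `api` without any error; the install.py hunk fixes the one such call in this diff, but callers outside it cannot be ruled out from here. The same positional shift applies to `DNSKeySyncInstance.__init__` (`logger` is now second), `DogtagInstance.__init__` (`nss_db` now follows `host_name`) and `DsInstance.__init__` (`fstore` is now third). If Python 2 compatibility still rules out keyword-only parameters, a docstring on each `__init__` stating the new positional order, or an explicit type check on the parameter that inherited the old password slot, would catch the mismatch at the call site rather than at the first LDAP operation.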
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -241,7 +241,7 @@ def install_step_1(standalone, replica_config, options): # Install CA DNS records if bindinstance.dns_container_exists(host_name, basedn, dm_password): - bind = bindinstance.BindInstance(dm_password=dm_password) + bind = bindinstance.BindInstance() bind.update_system_records()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a39d11dd9..511a52431 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -311,15 +311,12 @@ class CAInstance(DogtagInstance): ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) server_cert_name = 'Server-Cert cert-pki-ca' - def __init__(self, realm=None, ra_db=None, host_name=None, - dm_password=None, ldapi=True): + def __init__(self, realm=None, ra_db=None, host_name=None): super(CAInstance, self).__init__( realm=realm, subsystem="CA", service_desc="certificate server", host_name=host_name, - dm_password=dm_password, - ldapi=ldapi ) # for external CAs
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 32740274c..b373344d2 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -54,14 +54,13 @@ class CustodiaInstance(SimpleServiceInstance): fd.flush() fd.close() - def create_instance(self, dm_password=None): + def create_instance(self): suffix = ipautil.realm_to_suffix(self.realm) self.step("Generating ipa-custodia config file", self.__config_file) self.step("Making sure custodia container exists", self.__create_container) self.step("Generating ipa-custodia keys", self.__gen_keys) super(CustodiaInstance, self).create_instance(gensvc_name='KEYS', fqdn=self.fqdn, - dm_password=dm_password, ldap_suffix=suffix, realm=self.realm) sysupgrade.set_upgrade_state('custodia', 'installed', True) 
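Review bot: In `install_step_1` the existence check on the line above the change still binds with the directory-manager password (`dns_container_exists(host_name, basedn, dm_password)`), while the `BindInstance()` that follows and its `update_system_records()` now run without one; the replicainstall.py hunk performs the same check with `ldapi=True` and `realm=` instead. Either the password is still required here, in which case the passwordless `BindInstance()` on the next line is the inconsistent half, or it is not and the check should take replicainstall's form so both steps authenticate the same way. A short comment recording the intended credential for this step, e.g. `# both the container check and update_system_records bind as: <fill in once confirmed>`, would settle it for the next reader. `install_step_1` starts and ends outside the hunk.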
@@ -103,8 +102,7 @@ class CustodiaInstance(SimpleServiceInstance): 'SUFFIX': self.suffix, } - updater = ldapupdate.LDAPUpdate(dm_password=self.dm_password, - sub_dict=sub_dict) + updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict) updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')]) def __import_ra_key(self):
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index c16b96397..bfff0d856 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -23,7 +23,6 @@ from ipapython import dnsutil from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger from ipapython.admintool import ScriptError -from ipapython.ipaldap import AUTOBIND_ENABLED from ipapython.ipautil import user_input from ipaserver.install.installutils import get_server_ip_address from ipaserver.install.installutils import read_dns_forwarders
@@ -61,11 +60,10 @@ def _is_master(): def _disable_dnssec(): fstore = sysrestore.FileStore(paths.SYSRESTORE) - ods = opendnssecinstance.OpenDNSSECInstance( - fstore, ldapi=True, autobind=AUTOBIND_ENABLED) + ods = opendnssecinstance.OpenDNSSECInstance(fstore) ods.realm = api.env.realm - ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, ldapi=True) + ods_exporter = odsexporterinstance.ODSExporterInstance(fstore) ods_exporter.realm = api.env.realm # unconfigure services first
@@ -200,8 +198,7 @@ def install_check(standalone, api, replica, options, hostname): ", ".join([str(zone) for zone in dnssec_zones])) elif options.dnssec_master: - ods = opendnssecinstance.OpenDNSSECInstance( - fstore, ldapi=True) + ods = opendnssecinstance.OpenDNSSECInstance(fstore) ods.realm = api.env.realm dnssec_masters = ods.get_masters() # we can reinstall current server if it is dnssec master 
@@ -317,8 +314,7 @@ def install(standalone, replica, options, api=api): # otherwise this is done by server/replica installer update_hosts_file(ip_addresses, api.env.host, fstore) - bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, - autobind=AUTOBIND_ENABLED) + bind = bindinstance.BindInstance(fstore, api=api) bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, options.forwarders, options.forward_policy, reverse_zones, zonemgr=options.zonemgr,
@@ -333,12 +329,11 @@ def install(standalone, replica, options, api=api): bind.create_instance() # on dnssec master this must be installed last - dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True) + dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore) dnskeysyncd.create_instance(api.env.host, api.env.realm) if options.dnssec_master: - ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True) - ods_exporter = odsexporterinstance.ODSExporterInstance( - fstore, ldapi=True) + ods = opendnssecinstance.OpenDNSSECInstance(fstore) + ods_exporter = odsexporterinstance.ODSExporterInstance(fstore) ods_exporter.create_instance(api.env.host, api.env.realm) ods.create_instance(api.env.host, api.env.realm,
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1ca6c7df3..95c658567 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -33,7 +33,7 @@ replica_keylabel_template = u"dnssec-replica:%s" def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, - realm=None, autobind=ipaldap.AUTOBIND_DISABLED): + realm=None): """ Test whether the dns container exists. """ 
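Review bot: The docstring of `dnssec_container_exists`, kept as context beside the rewritten signature, reads `Test whether the dns container exists.` — a copy of the one in bindinstance.py — although the function name and the hunk at line 184 (`DNSSEC container exists (step skipped)`) show it concerns the DNSSEC container. Since the signature is being rewritten anyway, correct it to `Test whether the DNSSEC container exists.` and add that `dm_password` is the only credential parameter left after `autobind` is dropped. The function continues past the hunk, and `install` in dns.py starts before and ends after both of its hunks.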
@@ -45,7 +45,7 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, cacert=CACERT) conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - conn.do_bind(dm_password, autobind=autobind) + conn.do_bind(dm_password) except ldap.SERVER_DOWN: raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
@@ -61,16 +61,11 @@ def remove_replica_public_keys(hostname): class DNSKeySyncInstance(service.Service): - def __init__(self, fstore=None, dm_password=None, logger=root_logger, - ldapi=False, start_tls=False): + def __init__(self, fstore=None, logger=root_logger): service.Service.__init__( self, "ipa-dnskeysyncd", service_desc="DNS key synchronization service", - dm_password=dm_password, - ldapi=ldapi, - start_tls=start_tls ) - self.dm_password = dm_password self.logger = logger self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled self.named_uid = None
@@ -171,8 +166,7 @@ class DNSKeySyncInstance(service.Service): raise RuntimeError("OpenDNSSEC GID not found") if not dns_container_exists( - self.fqdn, self.suffix, realm=self.realm, ldapi=True, - dm_password=self.dm_password, autobind=ipaldap.AUTOBIND_AUTO + self.fqdn, self.suffix, realm=self.realm, ldapi=True ): raise RuntimeError("DNS container does not exist")
@@ -184,9 +178,7 @@ class DNSKeySyncInstance(service.Service): Setup LDAP containers for DNSSEC """ if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True, - dm_password=self.dm_password, - realm=self.realm, - autobind=ipaldap.AUTOBIND_AUTO): + realm=self.realm): self.logger.info("DNSSEC container exists (step skipped)") return
@@ -413,7 +405,7 @@ class DNSKeySyncInstance(service.Service): def __enable(self): try: - self.ldap_enable('DNSKeySync', self.fqdn, self.dm_password, + self.ldap_enable('DNSKeySync', self.fqdn, None, self.suffix, self.extra_config) except errors.DuplicateEntry: self.logger.error("DNSKeySync service already exists") 
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 174191223..970c0c979 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -108,15 +108,12 @@ class DogtagInstance(service.Service): server_cert_name = None def __init__(self, realm, subsystem, service_desc, host_name=None, - dm_password=None, ldapi=True, nss_db=paths.PKI_TOMCAT_ALIAS_DIR): """Initializer""" super(DogtagInstance, self).__init__( 'pki-tomcatd', - service_desc=service_desc, - dm_password=dm_password, - ldapi=ldapi + service_desc=service_desc ) self.realm = realm
@@ -164,7 +161,7 @@ class DogtagInstance(service.Service): # Define the things we don't want logged if nolog_list is None: nolog_list = [] - nolog = tuple(nolog_list) + (self.admin_password, self.dm_password) + nolog = tuple(nolog_list) + (self.admin_password,) args = [paths.PKISPAWN, "-s", subsystem,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 9c88b4936..0c42bda33 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -217,17 +217,13 @@ dc: $BASEDC info: IPA V2.0 """ + class DsInstance(service.Service): - def __init__(self, realm_name=None, domain_name=None, dm_password=None, - fstore=None, domainlevel=None, config_ldif=None): + def __init__(self, realm_name=None, domain_name=None, fstore=None, + domainlevel=None, config_ldif=None): service.Service.__init__(self, "dirsrv", - service_desc="directory server", - dm_password=dm_password, - ldapi=False, - autobind=ipaldap.AUTOBIND_DISABLED - ) + service_desc="directory server") self.nickname = 'Server-Cert' - self.dm_password = dm_password self.realm = realm_name self.sub_dict = None self.domain = domain_name 
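Review bot: `DogtagInstance.__init__` keeps the one-word docstring `"""Initializer"""` while its parameter list is rewritten so that `nss_db=paths.PKI_TOMCAT_ALIAS_DIR` now directly follows `host_name`; a docstring naming `realm`, `subsystem`, `service_desc`, `host_name` and `nss_db`, and saying that the directory-manager password is no longer accepted, would make the new order explicit to subclasses such as `CAInstance` (cainstance.py hunk), which still calls it by keyword. In the second hunk the shortened `nolog` tuple is correct as far as the hunk shows, but the comment `# Define the things we don't want logged` could note that only the admin password remains to be masked now that no DM password is held on the instance. `__init__` and the pkispawn helper both run past their hunks.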
@@ -435,7 +431,6 @@ class DsInstance(service.Service): # the local server (as repica pomotion does not have the DM password. if self.admin_conn: self.ldap_disconnect() - self.ldapi = True def __configure_sasl_mappings(self): # we need to remove any existing SASL mappings in the directory as otherwise they
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index decf99622..9a19389a2 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -127,14 +127,12 @@ class HTTPInstance(service.Service): subject_base = ipautil.dn_attribute_property('_subject_base') - def create_instance(self, realm, fqdn, domain_name, dm_password=None, - pkcs12_info=None, + def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, subject_base=None, auto_redirect=True, ca_file=None, ca_is_configured=None, promote=False): self.fqdn = fqdn self.realm = realm self.domain = domain_name - self.dm_password = dm_password self.suffix = ipautil.realm_to_suffix(self.realm) self.pkcs12_info = pkcs12_info self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
@@ -193,7 +191,7 @@ class HTTPInstance(service.Service): # We do not let the system start IPA components on its own, # Instead we reply on the IPA init script to start only enabled # components as found in our LDAP configuration tree - self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix) + self.ldap_enable('HTTP', self.fqdn, None, self.suffix) def configure_selinux_for_httpd(self): try:
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index cf6120462..cfcbfdec8 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py 
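Review bot: Deleting `self.ldapi = True` leaves the comment directly above it, `# the local server (as repica pomotion does not have the DM password.`, describing a switch that no longer happens (and with two typos, `repica pomotion`). With both the `ldapi` and `dm_password` knobs gone from `Service`, the sentence should instead say what `ldap_connect` will do after this disconnect — presumably bind over LDAPI as root — once that is confirmed, e.g. `# a later reconnect goes through Service.ldap_connect (LDAPI as root); replica promotion never has the DM password`. The method starts before the hunk; the enclosing comment's first line is also outside it.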
@@ -167,7 +167,8 @@ class KrbInstance(service.Service): self.start_creation(runtime=30) self.kpasswd = KpasswdInstance() - self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix, realm=self.realm) + self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix, + realm=self.realm) def create_replica(self, realm_name, master_fqdn, host_name,
@@ -198,7 +199,7 @@ class KrbInstance(service.Service): self.start_creation(runtime=30) self.kpasswd = KpasswdInstance() - self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix) + self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix) def __enable(self):
@@ -206,7 +207,7 @@ class KrbInstance(service.Service): # We do not let the system start IPA components on its own, # Instead we reply on the IPA init script to start only enabled # components as found in our LDAP configuration tree - self.ldap_enable('KDC', self.fqdn, self.admin_password, self.suffix) + self.ldap_enable('KDC', self.fqdn, None, self.suffix) def __start_instance(self): try:
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 258d14a48..7c3afc5a7 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -12,7 +12,7 @@ from ipaserver.install import service from ipaserver.install import installutils from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN -from ipapython import sysrestore, ipautil, ipaldap +from ipapython import sysrestore, ipautil from ipaplatform.constants import constants from ipaplatform.paths import paths from ipaplatform import services 
@@ -20,17 +20,11 @@ from ipalib import errors, api class ODSExporterInstance(service.Service): - def __init__(self, fstore=None, dm_password=None, ldapi=False, - start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED): + def __init__(self, fstore=None): service.Service.__init__( self, "ipa-ods-exporter", - service_desc="IPA OpenDNSSEC exporter daemon", - dm_password=dm_password, - ldapi=ldapi, - autobind=autobind, - start_tls=start_tls + service_desc="IPA OpenDNSSEC exporter daemon" ) - self.dm_password = dm_password self.ods_uid = None self.ods_gid = None self.enable_if_exists = False
@@ -79,7 +73,7 @@ class ODSExporterInstance(service.Service): def __enable(self): try: - self.ldap_enable('DNSKeyExporter', self.fqdn, self.dm_password, + self.ldap_enable('DNSKeyExporter', self.fqdn, None, self.suffix) except errors.DuplicateEntry: root_logger.error("DNSKeyExporter service already exists")
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 28638a1f8..bda2ac025 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -13,7 +13,7 @@ from ipaserver.install import service from ipaserver.install import installutils from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN -from ipapython import sysrestore, ipautil, ipaldap, p11helper +from ipapython import sysrestore, ipautil, p11helper from ipaplatform import services from ipaplatform.constants import constants from ipaplatform.paths import paths 
@@ -57,17 +57,11 @@ def get_dnssec_key_masters(conn): class OpenDNSSECInstance(service.Service): - def __init__(self, fstore=None, dm_password=None, ldapi=False, - start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED): + def __init__(self, fstore=None): service.Service.__init__( self, "ods-enforcerd", service_desc="OpenDNSSEC enforcer daemon", - dm_password=dm_password, - ldapi=ldapi, - autobind=autobind, - start_tls=start_tls ) - self.dm_password = dm_password self.ods_uid = None self.ods_gid = None self.conf_file_dict = {
@@ -146,7 +140,7 @@ class OpenDNSSECInstance(service.Service): def __enable(self): try: - self.ldap_enable('DNSSEC', self.fqdn, self.dm_password, + self.ldap_enable('DNSSEC', self.fqdn, None, self.suffix, self.extra_config) except errors.DuplicateEntry: root_logger.error("DNSSEC service already exists")
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index aecf0f638..743909946 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py 
@@ -807,27 +807,27 @@ def install(installer): ds.add_cert_to_service() memcache = memcacheinstance.MemcacheInstance() - memcache.create_instance('MEMCACHE', host_name, dm_password, + memcache.create_instance('MEMCACHE', host_name, ipautil.realm_to_suffix(realm_name)) otpd = otpdinstance.OtpdInstance() - otpd.create_instance('OTPD', host_name, dm_password, + otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) custodia = custodiainstance.CustodiaInstance(host_name, realm_name) - custodia.create_instance(dm_password) + custodia.create_instance() # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance( - realm_name, host_name, domain_name, dm_password, + realm_name, host_name, domain_name, pkcs12_info=http_pkcs12_info, subject_base=options.subject, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance( - realm_name, host_name, domain_name, dm_password, + realm_name, host_name, domain_name, subject_base=options.subject, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca)
@@ -861,7 +861,7 @@ def install(installer): dns.install(False, False, options) else: # Create a BIND instance - bind = bindinstance.BindInstance(fstore, dm_password) + bind = bindinstance.BindInstance(fstore) bind.setup(host_name, ip_addresses, realm_name, domain_name, (), 'first', (), zonemgr=options.zonemgr,
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index b016dbd19..3d4f4e4f2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py 
@@ -178,14 +178,12 @@ def install_http(config, auto_redirect, ca_is_configured, promote=False, memcache = memcacheinstance.MemcacheInstance() memcache.create_instance('MEMCACHE', config.host_name, - config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) http = httpinstance.HTTPInstance() http.create_instance( config.realm_name, config.host_name, config.domain_name, - config.dirman_password, pkcs12_info, - auto_redirect=auto_redirect, ca_file=ca_file, + pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file, ca_is_configured=ca_is_configured, promote=promote) return http
@@ -196,13 +194,11 @@ def install_dns_records(config, options, remote_api): if not bindinstance.dns_container_exists( config.host_name, ipautil.realm_to_suffix(config.realm_name), - realm=config.realm_name, ldapi=True, - autobind=ipaldap.AUTOBIND_ENABLED): + realm=config.realm_name, ldapi=True): return try: - bind = bindinstance.BindInstance(dm_password=config.dirman_password, - api=remote_api) + bind = bindinstance.BindInstance(api=remote_api) for ip in config.ips: reverse_zone = bindinstance.find_reverse_zone(ip, remote_api)
@@ -834,7 +830,7 @@ def install(installer): ca.install_step_1(False, config, options) otpd = otpdinstance.OtpdInstance() - otpd.create_instance('OTPD', config.host_name, config.dirman_password, + otpd.create_instance('OTPD', config.host_name, ipautil.realm_to_suffix(config.realm_name)) if ca_enabled:
@@ -847,7 +843,7 @@ def install(installer): custodia = custodiainstance.CustodiaInstance(config.host_name, config.realm_name) - custodia.create_instance(config.dirman_password) + custodia.create_instance() # The DS instance is created before the keytab, add the SSL cert we # generated
@@ -1497,7 +1493,7 @@ def promote(installer): ds.apply_updates() otpd = otpdinstance.OtpdInstance() - otpd.create_instance('OTPD', config.host_name, config.dirman_password, + otpd.create_instance('OTPD', config.host_name, ipautil.realm_to_suffix(config.realm_name)) if config.setup_ca: 
@@ -1510,8 +1506,7 @@ def promote(installer): custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1]) ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR, - host_name=config.host_name, - dm_password=config.dirman_password) + host_name=config.host_name) ca.configure_replica(config.ca_host_name, subject_base=config.subject_base, ca_cert_bundle=ca_data)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 18c2a6e87..e6e1e1011 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1688,7 +1688,7 @@ def upgrade_configuration(): # 389-ds needs to be running to create the instances # because we record the new service in cn=masters. ds.start() - service.create_instance(ldap_name, fqdn, None, + service.create_instance(ldap_name, fqdn, ipautil.realm_to_suffix(api.env.realm), realm=api.env.realm) except ipalib.errors.DuplicateEntry:
@@ -1696,8 +1696,7 @@ def upgrade_configuration(): # install DNSKeySync service only if DNS is configured on server if bindinstance.named_conf_exists(): - dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, - ldapi=True) + dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore) if not dnskeysyncd.is_configured(): ds.start() dnskeysyncd.create_instance(fqdn, api.env.realm)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 8458db6b7..ae985dc36 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -20,11 +20,10 @@ import sys import os import socket -import tempfile import datetime import traceback -from ipapython import sysrestore, ipautil, ipaldap +from ipapython import ipautil, sysrestore from ipapython.dn import DN from ipapython.ipa_log_manager import root_logger from ipalib import api, errors, certstore 
@@ -131,18 +130,12 @@ def find_providing_server(svcname, conn, host_name=None, api=api): class Service(object): - def __init__(self, service_name, service_desc=None, sstore=None, - dm_password=None, ldapi=True, autobind=ipaldap.AUTOBIND_AUTO, - start_tls=False): + def __init__(self, service_name, service_desc=None, sstore=None): self.service_name = service_name self.service_desc = service_desc self.service = services.service(service_name) self.steps = [] self.output_fd = sys.stdout - self.dm_password = dm_password - self.ldapi = ldapi - self.autobind = autobind - self.start_tls = start_tls self.fqdn = socket.gethostname()
@@ -202,14 +195,8 @@ class Service(object): self.ldap_connect() args += ["-H", self.admin_conn.ldap_uri] - # If DM password is available, use it - if self.dm_password: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, self.dm_password) - os.close(pw_fd) - auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] # Use GSSAPI auth when not using DM password or not being root - elif os.getegid() != 0: + if os.getegid() != 0: auth_parms = ["-Y", "GSSAPI"] # Default to EXTERNAL auth mechanism else:
@@ -457,7 +444,8 @@ class Service(object): self.steps = [] - def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=[]): + def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='', + config=[]): assert isinstance(ldap_suffix, DN) self.disable() if not self.admin_conn: 
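Review bot: The surviving comment in the middle hunk, `# Use GSSAPI auth when not using DM password or not being root`, still refers to the DM-password branch that the hunk deletes, so it no longer matches the two branches that remain. The deleted branch was also the only place that wrote the Directory Manager password to a `tempfile.mkstemp()` file for `-y` and, as far as the hunk shows, never unlinked it; removing it is a hardening as much as a cleanup and deserves a sentence in the commit message. Reword the comment to `# Non-root callers authenticate with GSSAPI; root uses EXTERNAL over LDAPI`. The helper that builds `args` starts before the hunk and continues after it.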
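Review bot: In the third hunk `ldap_enable`'s new default `ldap_suffix=''` can never satisfy the `assert isinstance(ldap_suffix, DN)` on the following line, so any caller that relies on the default gets an `AssertionError` — or, under `python -O`, an empty string used as the suffix. Make the default `ldap_suffix=None` and replace the assert with an explicit check, e.g. `if not isinstance(ldap_suffix, DN): raise TypeError("ldap_suffix must be a DN")`, since `assert` is stripped by the optimizer. The same line keeps `config=[]`, a mutable default; `config=None` with `config = config or []` in the body avoids shared state between calls. The method continues beyond the hunk.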
@@ -558,14 +546,12 @@ class Service(object): class SimpleServiceInstance(Service): - def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None): + def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None, + realm=None): self.gensvc_name = gensvc_name self.fqdn = fqdn - self.dm_password = dm_password self.suffix = ldap_suffix self.realm = realm - if not realm: - self.ldapi = False self.step("starting %s " % self.service_name, self.__start) self.step("configuring %s to start on boot" % self.service_name, self.__enable)
@@ -582,8 +568,7 @@ class SimpleServiceInstance(Service): if self.gensvc_name == None: self.enable() else: - self.ldap_enable(self.gensvc_name, self.fqdn, - self.dm_password, self.suffix) + self.ldap_enable(self.gensvc_name, self.fqdn, None, self.suffix) def uninstall(self): if self.is_configured():
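Review bot: Dropping `if not realm: self.ldapi = False` from `SimpleServiceInstance.create_instance` removes the one behaviour that distinguished a realm-less call, and the krbinstance.py `create_replica` hunk still makes such a call (`self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix)`); whether that path now connects the same way as the realm-aware one depends on `ldap_connect`, which is outside the diff, so it is worth exercising on a replica install. The method also has no docstring; one listing `gensvc_name`, `fqdn`, `ldap_suffix` and `realm` and stating that `ldap_suffix` is now the third positional parameter (where `dm_password` used to be) would protect the positional callers in upgrade.py and install.py. `create_instance` continues past the hunk.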