install: remove dirman_pw from services

Remove directory manager's password from service's constructors https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-10-06 17:35:04 +02:00 · 2016-10-06 17:35:04 +02:00 · 9340a1417a
commit 9340a1417a
parent 5b81dbfda1
22 changed files with 78 additions and 149 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@ -428,7 +428,7 @@ def renew_ca_cert():
        state = 'retrieve'
        if is_renewable():
-            ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+            ca = cainstance.CAInstance(host_name=api.env.host)
            if ca.is_renewal_master():
                state = 'request'
    elif operation == 'POLL':
@ -493,7 +493,7 @@ def main():
        if profile:
            handler = handlers.get(profile, request_and_store_cert)
        else:
-            ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+            ca = cainstance.CAInstance(host_name=api.env.host)
            if ca.is_renewal_master():
                handler = request_and_store_cert
            else:
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@ -74,7 +74,7 @@ def _main():
        ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
        os.environ['KRB5CCNAME'] = ccache_filename
-        ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+        ca = cainstance.CAInstance(host_name=api.env.host)
        ca.update_cert_config(nickname, cert)
        if ca.is_renewal_master():
            cainstance.update_people_entry(cert)
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@ -48,7 +48,7 @@ def _main():
                             ccache_filename)
        os.environ['KRB5CCNAME'] = ccache_filename
-        ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+        ca = cainstance.CAInstance(host_name=api.env.host)
        if ca.is_renewal_master():
            # Fetch the new certificate
            db = certs.CertDB(api.env.realm)
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@ -190,15 +190,14 @@ def install_replica(safe_options, options, filename):
        custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
        CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
-                                   host_name=config.host_name,
+                                   host_name=config.host_name)
                                   dm_password=config.dirman_password)
        CA.configure_replica(config.ca_host_name,
                             subject_base=config.subject_base,
                             ca_cert_bundle=ca_data)
        # Install CA DNS records
        if bindinstance.dns_container_exists(api.env.host, api.env.basedn,
                                             ldapi=True, realm=api.env.realm):
-            bind = bindinstance.BindInstance(ldapi=True)
+            bind = bindinstance.BindInstance()
            bind.update_system_records()
    else:
        ca.install(True, config, options)
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@ -1123,8 +1123,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
    if options.cacert:
        # have to install the given CA cert before doing anything else
-        ds = dsinstance.DsInstance(realm_name = realm,
+        ds = dsinstance.DsInstance(realm_name=realm)
                                   dm_password = dirman_passwd)
        if not ds.add_ca_cert(options.cacert):
            print("Could not load the required CA certificate file [%s]" % options.cacert)
            return
@ -1214,7 +1213,7 @@ def re_initialize(realm, thishost, fromhost, dirman_passwd, nolookup=False):
        # If the agreement doesn't have nsDS5ReplicatedAttributeListTotal it means
        # we did not replicate memberOf, do so now.
        if not agreement.single_value.get('nsDS5ReplicatedAttributeListTotal'):
-            ds = dsinstance.DsInstance(realm_name = realm, dm_password = dirman_passwd)
+            ds = dsinstance.DsInstance(realm_name=realm)
            ds.ldapi = os.getegid() == 0
            ds.init_memberof()
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@ -137,8 +137,7 @@ class ADTRUSTInstance(service.Service):
        self.host_netbios_name = None
        self.realm = None
-        service.Service.__init__(self, "smb", service_desc="CIFS",
+        service.Service.__init__(self, "smb", service_desc="CIFS")
                                 dm_password=None, ldapi=True)
        if fstore:
            self.fstore = fstore
@ -740,14 +739,12 @@ class ADTRUSTInstance(service.Service):
        # Note that self.dm_password is None for ADTrustInstance because
        # we ensure to be called as root and using ldapi to use autobind
        try:
-            self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
+            self.ldap_enable('ADTRUST', self.fqdn, None, self.suffix)
                             self.suffix)
        except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):
            root_logger.info("ADTRUST Service startup entry already exists.")
        try:
-            self.ldap_enable('EXTID', self.fqdn, self.dm_password, \
+            self.ldap_enable('EXTID', self.fqdn, None, self.suffix)
                             self.suffix)
        except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):
            root_logger.info("EXTID Service startup entry already exists.")
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@ -228,8 +228,9 @@ def named_conf_add_include(path):
    with open(NAMED_CONF, 'a') as f:
        f.write(named_conf_include_template % {'path': path})
-def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
+
-                         autobind=ipaldap.AUTOBIND_DISABLED):
+def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
                         realm=None):
    """
    Test whether the dns container exists.
    """
@ -240,7 +241,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None
        ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
                                        cacert=CACERT)
        conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
-        conn.do_bind(dm_password, autobind=autobind)
+        conn.do_bind(dm_password)
    except ldap.SERVER_DOWN:
        raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
@ -613,15 +614,10 @@ class DnsBackup(object):
 class BindInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False,
+    def __init__(self, fstore=None, api=api):
                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
        service.Service.__init__(
            self, "named",
-            service_desc="DNS",
+            service_desc="DNS"
            dm_password=dm_password,
            ldapi=ldapi,
            autobind=autobind,
            start_tls=start_tls
        )
        self.dns_backup = DnsBackup(self)
        self.named_user = None
@ -632,7 +628,6 @@ class BindInstance(service.Service):
        self.forwarders = None
        self.sub_dict = None
        self.reverse_zones = []
        self.dm_password = dm_password
        self.api = api
        self.named_regular = services.service('named-regular')
@ -665,8 +660,7 @@ class BindInstance(service.Service):
            self.zonemgr = normalize_zonemgr(zonemgr)
        self.first_instance = not dns_container_exists(
-            self.fqdn, self.suffix, realm=self.realm, ldapi=True,
+            self.fqdn, self.suffix, realm=self.realm, ldapi=True)
            dm_password=self.dm_password, autobind=self.autobind)
        self.__setup_sub_dict()
@ -763,7 +757,7 @@ class BindInstance(service.Service):
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
        try:
-            self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+            self.ldap_enable('DNS', self.fqdn, None, self.suffix)
        except errors.DuplicateEntry:
            # service already exists (forced DNS reinstall)
            # don't crash, just report error
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@ -241,7 +241,7 @@ def install_step_1(standalone, replica_config, options):
        # Install CA DNS records
        if bindinstance.dns_container_exists(host_name, basedn, dm_password):
-            bind = bindinstance.BindInstance(dm_password=dm_password)
+            bind = bindinstance.BindInstance()
            bind.update_system_records()
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -311,15 +311,12 @@ class CAInstance(DogtagInstance):
                     ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
    server_cert_name = 'Server-Cert cert-pki-ca'
-    def __init__(self, realm=None, ra_db=None, host_name=None,
+    def __init__(self, realm=None, ra_db=None, host_name=None):
                 dm_password=None, ldapi=True):
        super(CAInstance, self).__init__(
            realm=realm,
            subsystem="CA",
            service_desc="certificate server",
            host_name=host_name,
            dm_password=dm_password,
            ldapi=ldapi
        )
        # for external CAs
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@ -54,14 +54,13 @@ class CustodiaInstance(SimpleServiceInstance):
        fd.flush()
        fd.close()
-    def create_instance(self, dm_password=None):
+    def create_instance(self):
        suffix = ipautil.realm_to_suffix(self.realm)
        self.step("Generating ipa-custodia config file", self.__config_file)
        self.step("Making sure custodia container exists", self.__create_container)
        self.step("Generating ipa-custodia keys", self.__gen_keys)
        super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
                                                      fqdn=self.fqdn,
                                                      dm_password=dm_password,
                                                      ldap_suffix=suffix,
                                                      realm=self.realm)
        sysupgrade.set_upgrade_state('custodia', 'installed', True)
@ -103,8 +102,7 @@ class CustodiaInstance(SimpleServiceInstance):
            'SUFFIX': self.suffix,
        }
-        updater = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
+        updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict)
                                        sub_dict=sub_dict)
        updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')])
    def __import_ra_key(self):
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@ -23,7 +23,6 @@ from ipapython import dnsutil
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
 from ipapython.ipaldap import AUTOBIND_ENABLED
 from ipapython.ipautil import user_input
 from ipaserver.install.installutils import get_server_ip_address
 from ipaserver.install.installutils import read_dns_forwarders
@ -61,11 +60,10 @@ def _is_master():
 def _disable_dnssec():
    fstore = sysrestore.FileStore(paths.SYSRESTORE)
-    ods = opendnssecinstance.OpenDNSSECInstance(
+    ods = opendnssecinstance.OpenDNSSECInstance(fstore)
            fstore, ldapi=True, autobind=AUTOBIND_ENABLED)
    ods.realm = api.env.realm
-    ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, ldapi=True)
+    ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
    ods_exporter.realm = api.env.realm
    # unconfigure services first
@ -200,8 +198,7 @@ def install_check(standalone, api, replica, options, hostname):
                ", ".join([str(zone) for zone in dnssec_zones]))
    elif options.dnssec_master:
-        ods = opendnssecinstance.OpenDNSSECInstance(
+        ods = opendnssecinstance.OpenDNSSECInstance(fstore)
            fstore, ldapi=True)
        ods.realm = api.env.realm
        dnssec_masters = ods.get_masters()
        # we can reinstall current server if it is dnssec master
@ -317,8 +314,7 @@ def install(standalone, replica, options, api=api):
        # otherwise this is done by server/replica installer
        update_hosts_file(ip_addresses, api.env.host, fstore)
-    bind = bindinstance.BindInstance(fstore, ldapi=True, api=api,
+    bind = bindinstance.BindInstance(fstore, api=api)
                                     autobind=AUTOBIND_ENABLED)
    bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
               options.forwarders, options.forward_policy,
               reverse_zones, zonemgr=options.zonemgr,
@ -333,12 +329,11 @@ def install(standalone, replica, options, api=api):
    bind.create_instance()
    # on dnssec master this must be installed last
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
    dnskeysyncd.create_instance(api.env.host, api.env.realm)
    if options.dnssec_master:
-        ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True)
+        ods = opendnssecinstance.OpenDNSSECInstance(fstore)
-        ods_exporter = odsexporterinstance.ODSExporterInstance(
+        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
            fstore, ldapi=True)
        ods_exporter.create_instance(api.env.host, api.env.realm)
        ods.create_instance(api.env.host, api.env.realm,
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@ -33,7 +33,7 @@ replica_keylabel_template = u"dnssec-replica:%s"
 def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
-                            realm=None, autobind=ipaldap.AUTOBIND_DISABLED):
+                            realm=None):
    """
    Test whether the dns container exists.
    """
@ -45,7 +45,7 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
                                        cacert=CACERT)
        conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
-        conn.do_bind(dm_password, autobind=autobind)
+        conn.do_bind(dm_password)
    except ldap.SERVER_DOWN:
        raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
@ -61,16 +61,11 @@ def remove_replica_public_keys(hostname):
 class DNSKeySyncInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, logger=root_logger,
+    def __init__(self, fstore=None, logger=root_logger):
                 ldapi=False, start_tls=False):
        service.Service.__init__(
            self, "ipa-dnskeysyncd",
            service_desc="DNS key synchronization service",
            dm_password=dm_password,
            ldapi=ldapi,
            start_tls=start_tls
        )
        self.dm_password = dm_password
        self.logger = logger
        self.extra_config = [u'dnssecVersion 1', ]  # DNSSEC enabled
        self.named_uid = None
@ -171,8 +166,7 @@ class DNSKeySyncInstance(service.Service):
            raise RuntimeError("OpenDNSSEC GID not found")
        if not dns_container_exists(
-            self.fqdn, self.suffix, realm=self.realm, ldapi=True,
+            self.fqdn, self.suffix, realm=self.realm, ldapi=True
            dm_password=self.dm_password, autobind=ipaldap.AUTOBIND_AUTO
        ):
            raise RuntimeError("DNS container does not exist")
@ -184,9 +178,7 @@ class DNSKeySyncInstance(service.Service):
        Setup LDAP containers for DNSSEC
        """
        if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True,
-                                   dm_password=self.dm_password,
+                                   realm=self.realm):
                                   realm=self.realm,
                                   autobind=ipaldap.AUTOBIND_AUTO):
            self.logger.info("DNSSEC container exists (step skipped)")
            return
@ -413,7 +405,7 @@ class DNSKeySyncInstance(service.Service):
    def __enable(self):
        try:
-            self.ldap_enable('DNSKeySync', self.fqdn, self.dm_password,
+            self.ldap_enable('DNSKeySync', self.fqdn, None,
                             self.suffix, self.extra_config)
        except errors.DuplicateEntry:
            self.logger.error("DNSKeySync service already exists")
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -108,15 +108,12 @@ class DogtagInstance(service.Service):
    server_cert_name = None
    def __init__(self, realm, subsystem, service_desc, host_name=None,
                 dm_password=None, ldapi=True,
                 nss_db=paths.PKI_TOMCAT_ALIAS_DIR):
        """Initializer"""
        super(DogtagInstance, self).__init__(
            'pki-tomcatd',
-            service_desc=service_desc,
+            service_desc=service_desc
            dm_password=dm_password,
            ldapi=ldapi
        )
        self.realm = realm
@ -164,7 +161,7 @@ class DogtagInstance(service.Service):
        # Define the things we don't want logged
        if nolog_list is None:
            nolog_list = []
-        nolog = tuple(nolog_list) + (self.admin_password, self.dm_password)
+        nolog = tuple(nolog_list) + (self.admin_password,)
        args = [paths.PKISPAWN,
                "-s", subsystem,
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -217,17 +217,13 @@ dc: $BASEDC
 info: IPA V2.0
 """
 class DsInstance(service.Service):
-    def __init__(self, realm_name=None, domain_name=None, dm_password=None,
+    def __init__(self, realm_name=None, domain_name=None, fstore=None,
-                 fstore=None, domainlevel=None, config_ldif=None):
+                 domainlevel=None, config_ldif=None):
        service.Service.__init__(self, "dirsrv",
-            service_desc="directory server",
+                                 service_desc="directory server")
            dm_password=dm_password,
            ldapi=False,
            autobind=ipaldap.AUTOBIND_DISABLED
            )
        self.nickname = 'Server-Cert'
        self.dm_password = dm_password
        self.realm = realm_name
        self.sub_dict = None
        self.domain = domain_name
@ -435,7 +431,6 @@ class DsInstance(service.Service):
        # the local server (as repica pomotion does not have the DM password.
        if self.admin_conn:
            self.ldap_disconnect()
        self.ldapi = True
    def __configure_sasl_mappings(self):
        # we need to remove any existing SASL mappings in the directory as otherwise they
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -127,14 +127,12 @@ class HTTPInstance(service.Service):
    subject_base = ipautil.dn_attribute_property('_subject_base')
-    def create_instance(self, realm, fqdn, domain_name, dm_password=None,
+    def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
                        pkcs12_info=None,
                        subject_base=None, auto_redirect=True, ca_file=None,
                        ca_is_configured=None, promote=False):
        self.fqdn = fqdn
        self.realm = realm
        self.domain = domain_name
        self.dm_password = dm_password
        self.suffix = ipautil.realm_to_suffix(self.realm)
        self.pkcs12_info = pkcs12_info
        self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
@ -193,7 +191,7 @@ class HTTPInstance(service.Service):
        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
-        self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
+        self.ldap_enable('HTTP', self.fqdn, None, self.suffix)
    def configure_selinux_for_httpd(self):
        try:
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -167,7 +167,8 @@ class KrbInstance(service.Service):
        self.start_creation(runtime=30)
        self.kpasswd = KpasswdInstance()
-        self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix, realm=self.realm)
+        self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix,
                                     realm=self.realm)
    def create_replica(self, realm_name,
                       master_fqdn, host_name,
@ -198,7 +199,7 @@ class KrbInstance(service.Service):
        self.start_creation(runtime=30)
        self.kpasswd = KpasswdInstance()
-        self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
+        self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix)
    def __enable(self):
@ -206,7 +207,7 @@ class KrbInstance(service.Service):
        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
-        self.ldap_enable('KDC', self.fqdn, self.admin_password, self.suffix)
+        self.ldap_enable('KDC', self.fqdn, None, self.suffix)
    def __start_instance(self):
        try:
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@ -12,7 +12,7 @@ from ipaserver.install import service
 from ipaserver.install import installutils
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
-from ipapython import sysrestore, ipautil, ipaldap
+from ipapython import sysrestore, ipautil
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform import services
@ -20,17 +20,11 @@ from ipalib import errors, api
 class ODSExporterInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, ldapi=False,
+    def __init__(self, fstore=None):
                 start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
        service.Service.__init__(
            self, "ipa-ods-exporter",
-            service_desc="IPA OpenDNSSEC exporter daemon",
+            service_desc="IPA OpenDNSSEC exporter daemon"
            dm_password=dm_password,
            ldapi=ldapi,
            autobind=autobind,
            start_tls=start_tls
        )
        self.dm_password = dm_password
        self.ods_uid = None
        self.ods_gid = None
        self.enable_if_exists = False
@ -79,7 +73,7 @@ class ODSExporterInstance(service.Service):
    def __enable(self):
        try:
-            self.ldap_enable('DNSKeyExporter', self.fqdn, self.dm_password,
+            self.ldap_enable('DNSKeyExporter', self.fqdn, None,
                             self.suffix)
        except errors.DuplicateEntry:
            root_logger.error("DNSKeyExporter service already exists")
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@ -13,7 +13,7 @@ from ipaserver.install import service
 from ipaserver.install import installutils
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
-from ipapython import sysrestore, ipautil, ipaldap, p11helper
+from ipapython import sysrestore, ipautil, p11helper
 from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
@ -57,17 +57,11 @@ def get_dnssec_key_masters(conn):
 class OpenDNSSECInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, ldapi=False,
+    def __init__(self, fstore=None):
                 start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
        service.Service.__init__(
            self, "ods-enforcerd",
            service_desc="OpenDNSSEC enforcer daemon",
            dm_password=dm_password,
            ldapi=ldapi,
            autobind=autobind,
            start_tls=start_tls
        )
        self.dm_password = dm_password
        self.ods_uid = None
        self.ods_gid = None
        self.conf_file_dict = {
@ -146,7 +140,7 @@ class OpenDNSSECInstance(service.Service):
    def __enable(self):
        try:
-            self.ldap_enable('DNSSEC', self.fqdn, self.dm_password,
+            self.ldap_enable('DNSSEC', self.fqdn, None,
                             self.suffix, self.extra_config)
        except errors.DuplicateEntry:
            root_logger.error("DNSSEC service already exists")
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -807,27 +807,27 @@ def install(installer):
    ds.add_cert_to_service()
    memcache = memcacheinstance.MemcacheInstance()
-    memcache.create_instance('MEMCACHE', host_name, dm_password,
+    memcache.create_instance('MEMCACHE', host_name,
                             ipautil.realm_to_suffix(realm_name))
    otpd = otpdinstance.OtpdInstance()
-    otpd.create_instance('OTPD', host_name, dm_password,
+    otpd.create_instance('OTPD', host_name,
                         ipautil.realm_to_suffix(realm_name))
    custodia = custodiainstance.CustodiaInstance(host_name, realm_name)
-    custodia.create_instance(dm_password)
+    custodia.create_instance()
    # Create a HTTP instance
    http = httpinstance.HTTPInstance(fstore)
    if options.http_cert_files:
        http.create_instance(
-            realm_name, host_name, domain_name, dm_password,
+            realm_name, host_name, domain_name,
            pkcs12_info=http_pkcs12_info, subject_base=options.subject,
            auto_redirect=not options.no_ui_redirect,
            ca_is_configured=setup_ca)
    else:
        http.create_instance(
-            realm_name, host_name, domain_name, dm_password,
+            realm_name, host_name, domain_name,
            subject_base=options.subject,
            auto_redirect=not options.no_ui_redirect,
            ca_is_configured=setup_ca)
@ -861,7 +861,7 @@ def install(installer):
        dns.install(False, False, options)
    else:
        # Create a BIND instance
-        bind = bindinstance.BindInstance(fstore, dm_password)
+        bind = bindinstance.BindInstance(fstore)
        bind.setup(host_name, ip_addresses, realm_name,
                   domain_name, (), 'first', (),
                   zonemgr=options.zonemgr,
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -178,14 +178,12 @@ def install_http(config, auto_redirect, ca_is_configured, promote=False,
    memcache = memcacheinstance.MemcacheInstance()
    memcache.create_instance('MEMCACHE', config.host_name,
                             config.dirman_password,
                             ipautil.realm_to_suffix(config.realm_name))
    http = httpinstance.HTTPInstance()
    http.create_instance(
        config.realm_name, config.host_name, config.domain_name,
-        config.dirman_password, pkcs12_info,
+        pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file,
        auto_redirect=auto_redirect, ca_file=ca_file,
        ca_is_configured=ca_is_configured, promote=promote)
    return http
@ -196,13 +194,11 @@ def install_dns_records(config, options, remote_api):
    if not bindinstance.dns_container_exists(
            config.host_name,
            ipautil.realm_to_suffix(config.realm_name),
-            realm=config.realm_name, ldapi=True,
+            realm=config.realm_name, ldapi=True):
            autobind=ipaldap.AUTOBIND_ENABLED):
        return
    try:
-        bind = bindinstance.BindInstance(dm_password=config.dirman_password,
+        bind = bindinstance.BindInstance(api=remote_api)
                                         api=remote_api)
        for ip in config.ips:
            reverse_zone = bindinstance.find_reverse_zone(ip, remote_api)
@ -834,7 +830,7 @@ def install(installer):
        ca.install_step_1(False, config, options)
    otpd = otpdinstance.OtpdInstance()
-    otpd.create_instance('OTPD', config.host_name, config.dirman_password,
+    otpd.create_instance('OTPD', config.host_name,
                         ipautil.realm_to_suffix(config.realm_name))
    if ca_enabled:
@ -847,7 +843,7 @@ def install(installer):
    custodia = custodiainstance.CustodiaInstance(config.host_name,
                                                 config.realm_name)
-    custodia.create_instance(config.dirman_password)
+    custodia.create_instance()
    # The DS instance is created before the keytab, add the SSL cert we
    # generated
@ -1497,7 +1493,7 @@ def promote(installer):
    ds.apply_updates()
    otpd = otpdinstance.OtpdInstance()
-    otpd.create_instance('OTPD', config.host_name, config.dirman_password,
+    otpd.create_instance('OTPD', config.host_name,
                         ipautil.realm_to_suffix(config.realm_name))
    if config.setup_ca:
@ -1510,8 +1506,7 @@ def promote(installer):
        custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
        ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
-                                   host_name=config.host_name,
+                                   host_name=config.host_name)
                                   dm_password=config.dirman_password)
        ca.configure_replica(config.ca_host_name,
                             subject_base=config.subject_base,
                             ca_cert_bundle=ca_data)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -1688,7 +1688,7 @@ def upgrade_configuration():
                # 389-ds needs to be running to create the instances
                # because we record the new service in cn=masters.
                ds.start()
-                service.create_instance(ldap_name, fqdn, None,
+                service.create_instance(ldap_name, fqdn,
                                        ipautil.realm_to_suffix(api.env.realm),
                                        realm=api.env.realm)
        except ipalib.errors.DuplicateEntry:
@ -1696,8 +1696,7 @@ def upgrade_configuration():
    # install DNSKeySync service only if DNS is configured on server
    if bindinstance.named_conf_exists():
-            dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore,
+            dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
                                                                ldapi=True)
            if not dnskeysyncd.is_configured():
                ds.start()
                dnskeysyncd.create_instance(fqdn, api.env.realm)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -20,11 +20,10 @@
 import sys
 import os
 import socket
 import tempfile
 import datetime
 import traceback
-from ipapython import sysrestore, ipautil, ipaldap
+from ipapython import ipautil, sysrestore
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipalib import api, errors, certstore
@ -131,18 +130,12 @@ def find_providing_server(svcname, conn, host_name=None, api=api):
 class Service(object):
-    def __init__(self, service_name, service_desc=None, sstore=None,
+    def __init__(self, service_name, service_desc=None, sstore=None):
                 dm_password=None, ldapi=True, autobind=ipaldap.AUTOBIND_AUTO,
                 start_tls=False):
        self.service_name = service_name
        self.service_desc = service_desc
        self.service = services.service(service_name)
        self.steps = []
        self.output_fd = sys.stdout
        self.dm_password = dm_password
        self.ldapi = ldapi
        self.autobind = autobind
        self.start_tls = start_tls
        self.fqdn = socket.gethostname()
@ -202,14 +195,8 @@ class Service(object):
            self.ldap_connect()
        args += ["-H", self.admin_conn.ldap_uri]
        # If DM password is available, use it
        if self.dm_password:
            [pw_fd, pw_name] = tempfile.mkstemp()
            os.write(pw_fd, self.dm_password)
            os.close(pw_fd)
            auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
        # Use GSSAPI auth when not using DM password or not being root
-        elif os.getegid() != 0:
+        if os.getegid() != 0:
            auth_parms = ["-Y", "GSSAPI"]
        # Default to EXTERNAL auth mechanism
        else:
@ -457,7 +444,8 @@ class Service(object):
        self.steps = []
-    def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=[]):
+    def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',
                    config=[]):
        assert isinstance(ldap_suffix, DN)
        self.disable()
        if not self.admin_conn:
@ -558,14 +546,12 @@ class Service(object):
 class SimpleServiceInstance(Service):
-    def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None):
+    def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None,
                        realm=None):
        self.gensvc_name = gensvc_name
        self.fqdn = fqdn
        self.dm_password = dm_password
        self.suffix = ldap_suffix
        self.realm = realm
        if not realm:
            self.ldapi = False
        self.step("starting %s " % self.service_name, self.__start)
        self.step("configuring %s to start on boot" % self.service_name, self.__enable)
@ -582,8 +568,7 @@ class SimpleServiceInstance(Service):
        if self.gensvc_name == None:
            self.enable()
        else:
-            self.ldap_enable(self.gensvc_name, self.fqdn,
+            self.ldap_enable(self.gensvc_name, self.fqdn, None, self.suffix)
                             self.dm_password, self.suffix)
    def uninstall(self):
        if self.is_configured():