install: remove dirman_pw from services

Remove the Directory Manager password from the services' constructors

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Tomas Krizek 2016-10-06 17:35:04 +02:00 committed by Martin Basti
parent 5b81dbfda1
commit 9340a1417a
22 changed files with 78 additions and 149 deletions


@ -428,7 +428,7 @@ def renew_ca_cert():
state = 'retrieve'
if is_renewable():
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
ca = cainstance.CAInstance(host_name=api.env.host)
if ca.is_renewal_master():
state = 'request'
elif operation == 'POLL':
@ -493,7 +493,7 @@ def main():
if profile:
handler = handlers.get(profile, request_and_store_cert)
else:
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
ca = cainstance.CAInstance(host_name=api.env.host)
if ca.is_renewal_master():
handler = request_and_store_cert
else:


@ -74,7 +74,7 @@ def _main():
ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
os.environ['KRB5CCNAME'] = ccache_filename
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
ca = cainstance.CAInstance(host_name=api.env.host)
ca.update_cert_config(nickname, cert)
if ca.is_renewal_master():
cainstance.update_people_entry(cert)


@ -48,7 +48,7 @@ def _main():
ccache_filename)
os.environ['KRB5CCNAME'] = ccache_filename
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
ca = cainstance.CAInstance(host_name=api.env.host)
if ca.is_renewal_master():
# Fetch the new certificate
db = certs.CertDB(api.env.realm)


@ -190,15 +190,14 @@ def install_replica(safe_options, options, filename):
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
host_name=config.host_name,
dm_password=config.dirman_password)
host_name=config.host_name)
CA.configure_replica(config.ca_host_name,
subject_base=config.subject_base,
ca_cert_bundle=ca_data)
# Install CA DNS records
if bindinstance.dns_container_exists(api.env.host, api.env.basedn,
ldapi=True, realm=api.env.realm):
bind = bindinstance.BindInstance(ldapi=True)
bind = bindinstance.BindInstance()
bind.update_system_records()
else:
ca.install(True, config, options)


@ -1123,8 +1123,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
if options.cacert:
# have to install the given CA cert before doing anything else
ds = dsinstance.DsInstance(realm_name = realm,
dm_password = dirman_passwd)
ds = dsinstance.DsInstance(realm_name=realm)
if not ds.add_ca_cert(options.cacert):
print("Could not load the required CA certificate file [%s]" % options.cacert)
return
@ -1214,7 +1213,7 @@ def re_initialize(realm, thishost, fromhost, dirman_passwd, nolookup=False):
# If the agreement doesn't have nsDS5ReplicatedAttributeListTotal it means
# we did not replicate memberOf, do so now.
if not agreement.single_value.get('nsDS5ReplicatedAttributeListTotal'):
ds = dsinstance.DsInstance(realm_name = realm, dm_password = dirman_passwd)
ds = dsinstance.DsInstance(realm_name=realm)
ds.ldapi = os.getegid() == 0
ds.init_memberof()
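Review bot: `ds.ldapi = os.getegid() == 0`, the line after the new `DsInstance(realm_name=realm)`, keeps assigning an attribute that this commit stops initialising in `Service.__init__` and stops setting in `DsInstance` (the `self.ldapi` removals in the service.py and dsinstance.py sections of this commit). Whether `ldap_connect` still reads `self.ldapi` is outside the hunk, so either this assignment is now dead or it is the only place the attribute still exists. If the connection code no longer consults it, drop the line; if it does, `DsInstance` should set it itself rather than rely on this caller, so the replica-promotion path in dsinstance.py behaves the same way. `re_initialize` continues outside the hunk.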


@ -137,8 +137,7 @@ class ADTRUSTInstance(service.Service):
self.host_netbios_name = None
self.realm = None
service.Service.__init__(self, "smb", service_desc="CIFS",
dm_password=None, ldapi=True)
service.Service.__init__(self, "smb", service_desc="CIFS")
if fstore:
self.fstore = fstore
@ -740,14 +739,12 @@ class ADTRUSTInstance(service.Service):
# Note that self.dm_password is None for ADTrustInstance because
# we ensure to be called as root and using ldapi to use autobind
try:
self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
self.suffix)
self.ldap_enable('ADTRUST', self.fqdn, None, self.suffix)
except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):
root_logger.info("ADTRUST Service startup entry already exists.")
try:
self.ldap_enable('EXTID', self.fqdn, self.dm_password, \
self.suffix)
self.ldap_enable('EXTID', self.fqdn, None, self.suffix)
except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):
root_logger.info("EXTID Service startup entry already exists.")
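Review bot: The comment just above the first `ldap_enable` call, `# Note that self.dm_password is None for ADTrustInstance because`, is now stale: both calls pass a literal `None` and the instance no longer carries a `dm_password` attribute after the constructor change in the first hunk. Suggest replacing the two comment lines with `# No DM password here: the installer runs as root and binds over LDAPI with autobind.` so the reason for passing `None` stays documented. The enclosing method starts outside the hunk.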


@ -228,8 +228,9 @@ def named_conf_add_include(path):
with open(NAMED_CONF, 'a') as f:
f.write(named_conf_include_template % {'path': path})
def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
autobind=ipaldap.AUTOBIND_DISABLED):
def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
realm=None):
"""
Test whether the dns container exists.
"""
@ -240,7 +241,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None
ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
conn.do_bind(dm_password, autobind=autobind)
conn.do_bind(dm_password)
except ldap.SERVER_DOWN:
raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
@ -613,15 +614,10 @@ class DnsBackup(object):
class BindInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False,
start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
def __init__(self, fstore=None, api=api):
service.Service.__init__(
self, "named",
service_desc="DNS",
dm_password=dm_password,
ldapi=ldapi,
autobind=autobind,
start_tls=start_tls
service_desc="DNS"
)
self.dns_backup = DnsBackup(self)
self.named_user = None
@ -632,7 +628,6 @@ class BindInstance(service.Service):
self.forwarders = None
self.sub_dict = None
self.reverse_zones = []
self.dm_password = dm_password
self.api = api
self.named_regular = services.service('named-regular')
@ -665,8 +660,7 @@ class BindInstance(service.Service):
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True,
dm_password=self.dm_password, autobind=self.autobind)
self.fqdn, self.suffix, realm=self.realm, ldapi=True)
self.__setup_sub_dict()
@ -763,7 +757,7 @@ class BindInstance(service.Service):
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
try:
self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
self.ldap_enable('DNS', self.fqdn, None, self.suffix)
except errors.DuplicateEntry:
# service already exists (forced DNS reinstall)
# don't crash, just report error
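Review bot: `dns_container_exists` keeps its `dm_password=None` and `ldapi=False` parameters but drops `autobind`, so `conn.do_bind(dm_password)` in the second hunk now falls back to `do_bind`'s own default autobind mode, which is outside the hunk; the in-tree callers previously passed `AUTOBIND_AUTO` or `AUTOBIND_ENABLED` explicitly, so it is worth confirming the default matches what they relied on. The docstring (`Test whether the dns container exists.`) should say how the bind is chosen, e.g. `Bind as Directory Manager with dm_password when it is given; otherwise rely on do_bind's default autobind behaviour.` `BindInstance.__init__` in the third hunk is complete, but `dns_container_exists` and `setup` continue outside their hunks.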


@ -241,7 +241,7 @@ def install_step_1(standalone, replica_config, options):
# Install CA DNS records
if bindinstance.dns_container_exists(host_name, basedn, dm_password):
bind = bindinstance.BindInstance(dm_password=dm_password)
bind = bindinstance.BindInstance()
bind.update_system_records()
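Review bot: The existence check on the line before the new `BindInstance()` still passes `dm_password` positionally, so this path keeps binding as Directory Manager with the password while the `BindInstance` created right after it no longer holds it; the replica path in this commit calls `dns_container_exists(..., realm=..., ldapi=True)` instead. If `install_step_1` can rely on LDAPI here as well, `bindinstance.dns_container_exists(host_name, basedn, ldapi=True, realm=realm)` would make the two paths consistent and retire the last use of the password in this block (whether a `realm` name is in scope here is outside the hunk). `install_step_1` continues outside the hunk.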


@ -311,15 +311,12 @@ class CAInstance(DogtagInstance):
('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
server_cert_name = 'Server-Cert cert-pki-ca'
def __init__(self, realm=None, ra_db=None, host_name=None,
dm_password=None, ldapi=True):
def __init__(self, realm=None, ra_db=None, host_name=None):
super(CAInstance, self).__init__(
realm=realm,
subsystem="CA",
service_desc="certificate server",
host_name=host_name,
dm_password=dm_password,
ldapi=ldapi
)
# for external CAs


@ -54,14 +54,13 @@ class CustodiaInstance(SimpleServiceInstance):
fd.flush()
fd.close()
def create_instance(self, dm_password=None):
def create_instance(self):
suffix = ipautil.realm_to_suffix(self.realm)
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Making sure custodia container exists", self.__create_container)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
fqdn=self.fqdn,
dm_password=dm_password,
ldap_suffix=suffix,
realm=self.realm)
sysupgrade.set_upgrade_state('custodia', 'installed', True)
@ -103,8 +102,7 @@ class CustodiaInstance(SimpleServiceInstance):
'SUFFIX': self.suffix,
}
updater = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
sub_dict=sub_dict)
updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict)
updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')])
def __import_ra_key(self):


@ -23,7 +23,6 @@ from ipapython import dnsutil
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
from ipapython.admintool import ScriptError
from ipapython.ipaldap import AUTOBIND_ENABLED
from ipapython.ipautil import user_input
from ipaserver.install.installutils import get_server_ip_address
from ipaserver.install.installutils import read_dns_forwarders
@ -61,11 +60,10 @@ def _is_master():
def _disable_dnssec():
fstore = sysrestore.FileStore(paths.SYSRESTORE)
ods = opendnssecinstance.OpenDNSSECInstance(
fstore, ldapi=True, autobind=AUTOBIND_ENABLED)
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
ods.realm = api.env.realm
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, ldapi=True)
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
ods_exporter.realm = api.env.realm
# unconfigure services first
@ -200,8 +198,7 @@ def install_check(standalone, api, replica, options, hostname):
", ".join([str(zone) for zone in dnssec_zones]))
elif options.dnssec_master:
ods = opendnssecinstance.OpenDNSSECInstance(
fstore, ldapi=True)
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
ods.realm = api.env.realm
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
@ -317,8 +314,7 @@ def install(standalone, replica, options, api=api):
# otherwise this is done by server/replica installer
update_hosts_file(ip_addresses, api.env.host, fstore)
bind = bindinstance.BindInstance(fstore, ldapi=True, api=api,
autobind=AUTOBIND_ENABLED)
bind = bindinstance.BindInstance(fstore, api=api)
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
options.forwarders, options.forward_policy,
reverse_zones, zonemgr=options.zonemgr,
@ -333,12 +329,11 @@ def install(standalone, replica, options, api=api):
bind.create_instance()
# on dnssec master this must be installed last
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
dnskeysyncd.create_instance(api.env.host, api.env.realm)
if options.dnssec_master:
ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True)
ods_exporter = odsexporterinstance.ODSExporterInstance(
fstore, ldapi=True)
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
ods_exporter.create_instance(api.env.host, api.env.realm)
ods.create_instance(api.env.host, api.env.realm,


@ -33,7 +33,7 @@ replica_keylabel_template = u"dnssec-replica:%s"
def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
realm=None, autobind=ipaldap.AUTOBIND_DISABLED):
realm=None):
"""
Test whether the dns container exists.
"""
@ -45,7 +45,7 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
conn.do_bind(dm_password, autobind=autobind)
conn.do_bind(dm_password)
except ldap.SERVER_DOWN:
raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
@ -61,16 +61,11 @@ def remove_replica_public_keys(hostname):
class DNSKeySyncInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
ldapi=False, start_tls=False):
def __init__(self, fstore=None, logger=root_logger):
service.Service.__init__(
self, "ipa-dnskeysyncd",
service_desc="DNS key synchronization service",
dm_password=dm_password,
ldapi=ldapi,
start_tls=start_tls
)
self.dm_password = dm_password
self.logger = logger
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
self.named_uid = None
@ -171,8 +166,7 @@ class DNSKeySyncInstance(service.Service):
raise RuntimeError("OpenDNSSEC GID not found")
if not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True,
dm_password=self.dm_password, autobind=ipaldap.AUTOBIND_AUTO
self.fqdn, self.suffix, realm=self.realm, ldapi=True
):
raise RuntimeError("DNS container does not exist")
@ -184,9 +178,7 @@ class DNSKeySyncInstance(service.Service):
Setup LDAP containers for DNSSEC
"""
if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True,
dm_password=self.dm_password,
realm=self.realm,
autobind=ipaldap.AUTOBIND_AUTO):
realm=self.realm):
self.logger.info("DNSSEC container exists (step skipped)")
return
@ -413,7 +405,7 @@ class DNSKeySyncInstance(service.Service):
def __enable(self):
try:
self.ldap_enable('DNSKeySync', self.fqdn, self.dm_password,
self.ldap_enable('DNSKeySync', self.fqdn, None,
self.suffix, self.extra_config)
except errors.DuplicateEntry:
self.logger.error("DNSKeySync service already exists")
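Review bot: The docstring of `dnssec_container_exists` in the first hunk still reads `Test whether the dns container exists.`, copied from `dns_container_exists`; now that the signature is being reshaped it should read `Test whether the DNSSEC container exists.` and name the bind behaviour (bind with `dm_password` when given, otherwise `do_bind`'s default). The `dns_container_exists` call in the later hunk previously passed `autobind=ipaldap.AUTOBIND_AUTO` and now relies on `do_bind`'s default, which is outside the hunk — confirm they agree, since the hunk does not show it. The same docstring point applies to `dns_container_exists` in bindinstance.py.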


@ -108,15 +108,12 @@ class DogtagInstance(service.Service):
server_cert_name = None
def __init__(self, realm, subsystem, service_desc, host_name=None,
dm_password=None, ldapi=True,
nss_db=paths.PKI_TOMCAT_ALIAS_DIR):
"""Initializer"""
super(DogtagInstance, self).__init__(
'pki-tomcatd',
service_desc=service_desc,
dm_password=dm_password,
ldapi=ldapi
service_desc=service_desc
)
self.realm = realm
@ -164,7 +161,7 @@ class DogtagInstance(service.Service):
# Define the things we don't want logged
if nolog_list is None:
nolog_list = []
nolog = tuple(nolog_list) + (self.admin_password, self.dm_password)
nolog = tuple(nolog_list) + (self.admin_password,)
args = [paths.PKISPAWN,
"-s", subsystem,
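Review bot: `nolog = tuple(nolog_list) + (self.admin_password,)` now redacts only the admin password, which is right for the attribute this commit removes; but if the pkispawn configuration generated elsewhere in this class still carries a directory-server bind password (not visible in the hunk), it would no longer be masked in the logged command. Worth confirming, and if such a value remains it should stay in the `nolog` tuple. A short comment such as `# values redacted from logs; add any other secret handed to pkispawn here` would make the intent explicit. The enclosing method starts and ends outside the hunk.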


@ -217,17 +217,13 @@ dc: $BASEDC
info: IPA V2.0
"""
class DsInstance(service.Service):
def __init__(self, realm_name=None, domain_name=None, dm_password=None,
fstore=None, domainlevel=None, config_ldif=None):
def __init__(self, realm_name=None, domain_name=None, fstore=None,
domainlevel=None, config_ldif=None):
service.Service.__init__(self, "dirsrv",
service_desc="directory server",
dm_password=dm_password,
ldapi=False,
autobind=ipaldap.AUTOBIND_DISABLED
)
service_desc="directory server")
self.nickname = 'Server-Cert'
self.dm_password = dm_password
self.realm = realm_name
self.sub_dict = None
self.domain = domain_name
@ -435,7 +431,6 @@ class DsInstance(service.Service):
# the local server (as repica pomotion does not have the DM password.
if self.admin_conn:
self.ldap_disconnect()
self.ldapi = True
def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they
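Review bot: The comment on the line above the removed `self.ldapi = True`, `# the local server (as repica pomotion does not have the DM password.`, has two typos and an unbalanced parenthesis and is the only explanation left of why this method reconnects without the password; suggest `# the local server (as replica promotion does not have the DM password).` The enclosing method starts outside the hunk; the question of whether `ldapi` is still consumed after this removal is raised on the ipa-replica-manage section, which still assigns it.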


@ -127,14 +127,12 @@ class HTTPInstance(service.Service):
subject_base = ipautil.dn_attribute_property('_subject_base')
def create_instance(self, realm, fqdn, domain_name, dm_password=None,
pkcs12_info=None,
def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
subject_base=None, auto_redirect=True, ca_file=None,
ca_is_configured=None, promote=False):
self.fqdn = fqdn
self.realm = realm
self.domain = domain_name
self.dm_password = dm_password
self.suffix = ipautil.realm_to_suffix(self.realm)
self.pkcs12_info = pkcs12_info
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
@ -193,7 +191,7 @@ class HTTPInstance(service.Service):
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
self.ldap_enable('HTTP', self.fqdn, None, self.suffix)
def configure_selinux_for_httpd(self):
try:


@ -167,7 +167,8 @@ class KrbInstance(service.Service):
self.start_creation(runtime=30)
self.kpasswd = KpasswdInstance()
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix, realm=self.realm)
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix,
realm=self.realm)
def create_replica(self, realm_name,
master_fqdn, host_name,
@ -198,7 +199,7 @@ class KrbInstance(service.Service):
self.start_creation(runtime=30)
self.kpasswd = KpasswdInstance()
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.admin_password, self.suffix)
self.kpasswd.create_instance('KPASSWD', self.fqdn, self.suffix)
def __enable(self):
@ -206,7 +207,7 @@ class KrbInstance(service.Service):
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
self.ldap_enable('KDC', self.fqdn, self.admin_password, self.suffix)
self.ldap_enable('KDC', self.fqdn, None, self.suffix)
def __start_instance(self):
try:


@ -12,7 +12,7 @@ from ipaserver.install import service
from ipaserver.install import installutils
from ipapython.ipa_log_manager import root_logger
from ipapython.dn import DN
from ipapython import sysrestore, ipautil, ipaldap
from ipapython import sysrestore, ipautil
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipaplatform import services
@ -20,17 +20,11 @@ from ipalib import errors, api
class ODSExporterInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, ldapi=False,
start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
def __init__(self, fstore=None):
service.Service.__init__(
self, "ipa-ods-exporter",
service_desc="IPA OpenDNSSEC exporter daemon",
dm_password=dm_password,
ldapi=ldapi,
autobind=autobind,
start_tls=start_tls
service_desc="IPA OpenDNSSEC exporter daemon"
)
self.dm_password = dm_password
self.ods_uid = None
self.ods_gid = None
self.enable_if_exists = False
@ -79,7 +73,7 @@ class ODSExporterInstance(service.Service):
def __enable(self):
try:
self.ldap_enable('DNSKeyExporter', self.fqdn, self.dm_password,
self.ldap_enable('DNSKeyExporter', self.fqdn, None,
self.suffix)
except errors.DuplicateEntry:
root_logger.error("DNSKeyExporter service already exists")


@ -13,7 +13,7 @@ from ipaserver.install import service
from ipaserver.install import installutils
from ipapython.ipa_log_manager import root_logger
from ipapython.dn import DN
from ipapython import sysrestore, ipautil, ipaldap, p11helper
from ipapython import sysrestore, ipautil, p11helper
from ipaplatform import services
from ipaplatform.constants import constants
from ipaplatform.paths import paths
@ -57,17 +57,11 @@ def get_dnssec_key_masters(conn):
class OpenDNSSECInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, ldapi=False,
start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
def __init__(self, fstore=None):
service.Service.__init__(
self, "ods-enforcerd",
service_desc="OpenDNSSEC enforcer daemon",
dm_password=dm_password,
ldapi=ldapi,
autobind=autobind,
start_tls=start_tls
)
self.dm_password = dm_password
self.ods_uid = None
self.ods_gid = None
self.conf_file_dict = {
@ -146,7 +140,7 @@ class OpenDNSSECInstance(service.Service):
def __enable(self):
try:
self.ldap_enable('DNSSEC', self.fqdn, self.dm_password,
self.ldap_enable('DNSSEC', self.fqdn, None,
self.suffix, self.extra_config)
except errors.DuplicateEntry:
root_logger.error("DNSSEC service already exists")


@ -807,27 +807,27 @@ def install(installer):
ds.add_cert_to_service()
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', host_name, dm_password,
memcache.create_instance('MEMCACHE', host_name,
ipautil.realm_to_suffix(realm_name))
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', host_name, dm_password,
otpd.create_instance('OTPD', host_name,
ipautil.realm_to_suffix(realm_name))
custodia = custodiainstance.CustodiaInstance(host_name, realm_name)
custodia.create_instance(dm_password)
custodia.create_instance()
# Create a HTTP instance
http = httpinstance.HTTPInstance(fstore)
if options.http_cert_files:
http.create_instance(
realm_name, host_name, domain_name, dm_password,
realm_name, host_name, domain_name,
pkcs12_info=http_pkcs12_info, subject_base=options.subject,
auto_redirect=not options.no_ui_redirect,
ca_is_configured=setup_ca)
else:
http.create_instance(
realm_name, host_name, domain_name, dm_password,
realm_name, host_name, domain_name,
subject_base=options.subject,
auto_redirect=not options.no_ui_redirect,
ca_is_configured=setup_ca)
@ -861,7 +861,7 @@ def install(installer):
dns.install(False, False, options)
else:
# Create a BIND instance
bind = bindinstance.BindInstance(fstore, dm_password)
bind = bindinstance.BindInstance(fstore)
bind.setup(host_name, ip_addresses, realm_name,
domain_name, (), 'first', (),
zonemgr=options.zonemgr,


@ -178,14 +178,12 @@ def install_http(config, auto_redirect, ca_is_configured, promote=False,
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', config.host_name,
config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
http = httpinstance.HTTPInstance()
http.create_instance(
config.realm_name, config.host_name, config.domain_name,
config.dirman_password, pkcs12_info,
auto_redirect=auto_redirect, ca_file=ca_file,
pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file,
ca_is_configured=ca_is_configured, promote=promote)
return http
@ -196,13 +194,11 @@ def install_dns_records(config, options, remote_api):
if not bindinstance.dns_container_exists(
config.host_name,
ipautil.realm_to_suffix(config.realm_name),
realm=config.realm_name, ldapi=True,
autobind=ipaldap.AUTOBIND_ENABLED):
realm=config.realm_name, ldapi=True):
return
try:
bind = bindinstance.BindInstance(dm_password=config.dirman_password,
api=remote_api)
bind = bindinstance.BindInstance(api=remote_api)
for ip in config.ips:
reverse_zone = bindinstance.find_reverse_zone(ip, remote_api)
@ -834,7 +830,7 @@ def install(installer):
ca.install_step_1(False, config, options)
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', config.host_name, config.dirman_password,
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
if ca_enabled:
@ -847,7 +843,7 @@ def install(installer):
custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name)
custodia.create_instance(config.dirman_password)
custodia.create_instance()
# The DS instance is created before the keytab, add the SSL cert we
# generated
@ -1497,7 +1493,7 @@ def promote(installer):
ds.apply_updates()
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', config.host_name, config.dirman_password,
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
if config.setup_ca:
@ -1510,8 +1506,7 @@ def promote(installer):
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
host_name=config.host_name,
dm_password=config.dirman_password)
host_name=config.host_name)
ca.configure_replica(config.ca_host_name,
subject_base=config.subject_base,
ca_cert_bundle=ca_data)


@ -1688,7 +1688,7 @@ def upgrade_configuration():
# 389-ds needs to be running to create the instances
# because we record the new service in cn=masters.
ds.start()
service.create_instance(ldap_name, fqdn, None,
service.create_instance(ldap_name, fqdn,
ipautil.realm_to_suffix(api.env.realm),
realm=api.env.realm)
except ipalib.errors.DuplicateEntry:
@ -1696,8 +1696,7 @@ def upgrade_configuration():
# install DNSKeySync service only if DNS is configured on server
if bindinstance.named_conf_exists():
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore,
ldapi=True)
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
if not dnskeysyncd.is_configured():
ds.start()
dnskeysyncd.create_instance(fqdn, api.env.realm)


@ -20,11 +20,10 @@
import sys
import os
import socket
import tempfile
import datetime
import traceback
from ipapython import sysrestore, ipautil, ipaldap
from ipapython import ipautil, sysrestore
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
from ipalib import api, errors, certstore
@ -131,18 +130,12 @@ def find_providing_server(svcname, conn, host_name=None, api=api):
class Service(object):
def __init__(self, service_name, service_desc=None, sstore=None,
dm_password=None, ldapi=True, autobind=ipaldap.AUTOBIND_AUTO,
start_tls=False):
def __init__(self, service_name, service_desc=None, sstore=None):
self.service_name = service_name
self.service_desc = service_desc
self.service = services.service(service_name)
self.steps = []
self.output_fd = sys.stdout
self.dm_password = dm_password
self.ldapi = ldapi
self.autobind = autobind
self.start_tls = start_tls
self.fqdn = socket.gethostname()
@ -202,14 +195,8 @@ class Service(object):
self.ldap_connect()
args += ["-H", self.admin_conn.ldap_uri]
# If DM password is available, use it
if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, self.dm_password)
os.close(pw_fd)
auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
# Use GSSAPI auth when not using DM password or not being root
elif os.getegid() != 0:
if os.getegid() != 0:
auth_parms = ["-Y", "GSSAPI"]
# Default to EXTERNAL auth mechanism
else:
@ -457,7 +444,8 @@ class Service(object):
self.steps = []
def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=[]):
def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',
config=[]):
assert isinstance(ldap_suffix, DN)
self.disable()
if not self.admin_conn:
@ -558,14 +546,12 @@ class Service(object):
class SimpleServiceInstance(Service):
def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None):
def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None,
realm=None):
self.gensvc_name = gensvc_name
self.fqdn = fqdn
self.dm_password = dm_password
self.suffix = ldap_suffix
self.realm = realm
if not realm:
self.ldapi = False
self.step("starting %s " % self.service_name, self.__start)
self.step("configuring %s to start on boot" % self.service_name, self.__enable)
@ -582,8 +568,7 @@ class SimpleServiceInstance(Service):
if self.gensvc_name == None:
self.enable()
else:
self.ldap_enable(self.gensvc_name, self.fqdn,
self.dm_password, self.suffix)
self.ldap_enable(self.gensvc_name, self.fqdn, None, self.suffix)
def uninstall(self):
if self.is_configured():
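Review bot: The new `ldap_enable` signature gives `ldap_suffix` a default of `''`, but the line after it asserts `isinstance(ldap_suffix, DN)`, so the default can never be used and only hides a missing argument until runtime (and `assert` is stripped under `-O`); `config=[]` is also a shared mutable default. Suggest `def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix=None, config=None):`, `if not isinstance(ldap_suffix, DN): raise TypeError("ldap_suffix must be a DN")` and `config = [] if config is None else config`. Every caller touched by this commit passes `None` for `dm_password`, so the parameter now looks vestigial; a comment `# dm_password is unused by in-tree callers; kept for compatibility` or its removal would clarify. With the `mkstemp` block gone from the auth-parameter hunk, the `import tempfile` kept at the top of the file appears unused unless another use remains outside the hunks. `ldap_enable` and the auth-parameter method both continue outside their hunks.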