Convert replication to use the new cert infrastructure and

correctly issue certs from the same authority. Also remove
support for read-only replicas since that work will not
be finished and tested for 1.0.
Karl MacMillan
-
parent 6d9974dd95
commit ac0fb8ea52
7 changed files with 114 additions and 71 deletions


@@ -21,13 +21,13 @@
import sys
sys.path.append("/usr/share/ipa")
import tempfile
import tempfile, os, pwd, traceback, logging
from ConfigParser import SafeConfigParser
from ipa import ipautil
from ipaserver import dsinstance, replication, installutils, krbinstance, service
from ipaserver import httpinstance, webguiinstance, radiusinstance, ntpinstance
from ipaserver import httpinstance, webguiinstance, radiusinstance, ntpinstance, certs
class ReplicaConfig:
def __init__(self):
@@ -42,8 +42,8 @@ class ReplicaConfig:
def parse_options():
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-r", "--read-only", dest="master", action="store_false",
default=True, help="create read-only replica - default is master")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
options, args = parser.parse_args()
@@ -82,12 +82,25 @@ def get_host_name():
return hostname
def set_owner(config, dir):
pw = pwd.getpwnam(config.ds_user)
os.chown(dir, pw.pw_uid, pw.pw_gid)
def install_ds(config):
dsinstance.check_existing_installation()
dsinstance.check_ports()
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
pkcs12_info = None
if ipautil.file_exists(config.dir + "/cacert.p12"):
pkcs12_info = (config.dir + "/cacert.p12",
config.dir + "/pwdfile.txt")
ds = dsinstance.DsInstance()
ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.dirman_password)
ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.dirman_password,
pkcs12_info)
def install_krb(config):
krb = krbinstance.KrbInstance()
@@ -101,6 +114,8 @@ def install_http(config):
def main():
options, filename = parse_options()
installutils.standard_logging_setup("ipareplica-install.log", options.debug)
top_dir, dir = expand_info(filename)
config = ReplicaConfig()
@@ -115,7 +130,9 @@ def main():
install_ds(config)
repl = replication.ReplicationManager(config.host_name, config.dirman_password)
repl.setup_replication(config.master_host_name, config.realm_name, options.master)
ret = repl.setup_replication(config.master_host_name, config.realm_name)
if ret != 0:
raise RuntimeError("failed to start replication")
install_krb(config)
install_http(config)
@@ -124,11 +141,6 @@ def main():
webgui = webguiinstance.WebGuiInstance()
webgui.create_instance()
# Create a radius instance
radius = radiusinstance.RadiusInstance()
# FIXME: ldap_server should be derived, not hardcoded to localhost, also should it be a URL?
radius.create_instance(config.realm_name, config.host_name, 'localhost')
# Configure ntpd
ntp = ntpinstance.NTPInstance()
ntp.create_instance()
@@ -137,6 +149,13 @@ def main():
service.restart("dirsrv")
service.restart("krb5kdc")
main()
try:
main()
except Exception, e:
print "creation of replica failed: %s" % str(e)
message = str(e)
for str in traceback.format_tb(sys.exc_info()[2]):
message = message + "\n" + str
logging.debug(message)
sys.exit(1)
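Review bot: In install_ds the new pkcs12_info tuple names both cacert.p12 and pwdfile.txt under config.dir, but the guard only tests for cacert.p12, so a replica-info bundle that lacks the password file is handed to create_instance instead of being rejected up front; the check should read `if ipautil.file_exists(config.dir + "/cacert.p12") and ipautil.file_exists(config.dir + "/pwdfile.txt"):`, and the comment above it should say that both files arrive in the unpacked replica-info bundle (which presumably holds the CA's key material, so the directory they sit in must not be world-readable — worth confirming against the prepare script). In the new top-level handler, `for str in traceback.format_tb(sys.exc_info()[2]):` rebinds the builtin `str` at module scope for the rest of the run; naming the loop variable `line`, or replacing the loop with `logging.debug("creation of replica failed", exc_info=True)`, avoids that. The body of main continues outside the hunk.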


@@ -26,10 +26,7 @@ from ConfigParser import SafeConfigParser
import krbV
from ipa import ipautil
from ipaserver import dsinstance
from ipaserver import installutils
certutil = "/usr/bin/certutil"
from ipaserver import dsinstance, installutils, certs
def get_host_name():
hostname = installutils.get_fqdn()
@@ -51,18 +48,25 @@ def check_ipa_configuration(realm_name):
logging.error("could not find directory instance: %s" % config_dir)
sys.exit(1)
def create_certdb(ds_dir, dir):
# copy the passwd, noise, and pin files
shutil.copyfile(ds_dir + "/pwdfile.txt", dir + "/pwdfile.txt")
shutil.copyfile(ds_dir + "/noise.txt", dir + "/noise.txt")
shutil.copyfile(ds_dir + "/pin.txt", dir + "/pin.txt")
def export_certdb(ds_dir, dir):
ds_cdb = certs.CertDB(ds_dir)
pkcs12_fname = dir + "/cacert.p12"
passwd_fname = dir + "/pwdfile.txt"
fd = open(passwd_fname, "w")
fd.write("\n")
fd.close()
# create a new cert db
ipautil.run([certutil, "-N", "-d", dir, "-f", dir + "/pwdfile.txt"])
try:
ds_cdb.export_pkcs12(pkcs12_fname, passwd_fname)
except ipautil.CalledProcessError, e:
print "error exporting CA certificate: " + str(e)
try:
os.unlink(pkcs12_fname)
os.unlink(passwd_fname)
except:
pass
# Add the CA cert
ipautil.run([certutil, "-A", "-d", dir, "-n", "CA certificate", "-t", "CT,CT", "-a", "-i",
ds_dir + "/cacert.asc"])
def get_ds_user(ds_dir):
uid = os.stat(ds_dir).st_uid
@@ -70,10 +74,6 @@ def get_ds_user(ds_dir):
return user
def copy_files(realm_name, dir):
shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
def save_config(dir, realm_name, host_name, ds_user):
config = SafeConfigParser()
config.add_section("realm")
@@ -82,7 +82,9 @@ def save_config(dir, realm_name, host_name, ds_user):
config.set("realm", "ds_user", ds_user)
fd = open(dir + "/realm_info", "w")
config.write(fd)
def copy_files(realm_name, dir):
shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd")
def main():
realm_name = get_realm_name()
@@ -96,10 +98,8 @@ def main():
dir = top_dir + "/realm_info"
os.mkdir(dir, 0700)
create_certdb(ds_dir, dir)
export_certdb(ds_dir, dir)
copy_files(realm_name, dir)
save_config(dir, realm_name, host_name, ds_user)
ipautil.run(["/bin/tar", "cfz", "replica-info-" + realm_name, "-C", top_dir, "realm_info"])