Make the CA a required component and configured by default.

To install IPA without dogtag use the --selfsign option.

The --ca option is now deprecated.

552995

install/tools/ipa-server-install

@@ -46,6 +46,7 @@ from ipaserver.install import bindinstance
 from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
+from ipaserver.install import cainstance
 
 from ipaserver.install import service
 from ipapython import version
@@ -81,8 +82,8 @@ def parse_options():
                       help="admin user kerberos password")
     parser.add_option("-d", "--debug", dest="debug", action="store_true",
                       default=False, help="print debugging information")
-    parser.add_option("", "--ca", dest="ca", action="store_true",
+    parser.add_option("", "--selfsign", dest="selfsign", action="store_true",
-                      default=False, help="Configure a CA instance")
+                      default=False, help="Configure a self-signed CA instance rather than a dogtag CA")
     parser.add_option("", "--external-ca", dest="external_ca", action="store_true",
                       default=False, help="Generate a CSR to be signed by an external CA")
     parser.add_option("", "--external_cert_file", dest="external_cert_file",
@@ -152,17 +153,13 @@ def parse_options():
     if cnt > 0 and cnt < 4:
         parser.error("All PKCS#12 options are required if any are used.")
 
-    if (options.external_cert_file or options.external_ca_file) and not options.ca:
+    if (options.external_cert_file or options.external_ca_file) and options.selfsign:
-        parser.error("--ca required to use the external CA options.")
+        parser.error("--selfsign cannot be used with the external CA options.")
 
     if ((options.external_cert_file and not options.external_ca_file) or
        (not options.external_cert_file and options.external_ca_file)):
         parser.error("if either external option is used, both are required.")
 
-    if options.external_ca and not options.ca:
-        # Go ahead and be nice and fix things up
-        options.ca = True
-
     return options
 
 def signal_handler(signum, frame):
@@ -469,7 +466,7 @@ def main():
 
         api.bootstrap(**cfg)
         api.finalize()
-        return uninstall(not certs.ipa_self_signed() or options.ca)
+        return uninstall(not certs.ipa_self_signed())
 
     # This will override any settings passed in on the cmdline
     options._update_loose(read_cache())
@@ -512,18 +509,6 @@ def main():
             print "Aborting installation"
             return 1
 
-    if options.ca:
-        try:
-            from ipaserver.install import cainstance
-        except ImportError:
-            print >> sys.stderr, "Import failed: %s" % sys.exc_value
-            sys.exit(1)
-        if not cainstance.check_inst():
-            print "--ca was specified but the dogtag certificate server"
-            print "is not installed on the system"
-            print "Please install dogtag and restart the setup program"
-            return 1
-
     # check the hostname is correctly configured, it must be as the kldap
     # utilities just use the hostname as returned by gethostbyname to set
     # up some of the standard entries
@@ -638,7 +623,7 @@ def main():
     fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % host_name)
     fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
     fd.write("enable_ra=True\n")
-    if options.ca:
+    if not options.selfsign:
         fd.write("ra_plugin=dogtag\n")
     fd.write('webui_assets_dir=' + ASSETS_DIR + '\n')
     fd.close()
@@ -657,7 +642,7 @@ def main():
         os.write(pw_fd, options.dirsrv_pin)
         os.close(pw_fd)
 
-    if options.ca:
+    if not options.selfsign:
         # Clean up any previous self-signed CA that may exist
         try:
             os.remove(certs.CA_SERIALNO)
@@ -707,7 +692,7 @@ def main():
         finally:
             os.remove(pw_name)
     else:
-        ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=not options.ca, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject)
+        ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject)
 
     # Create a kerberos instance
     krb = krbinstance.KrbInstance(fstore)
@@ -734,11 +719,11 @@ def main():
         http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject)
         os.remove(pw_name)
     else:
-        http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=not options.ca, subject_base=options.subject)
+        http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject)
     ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
 
     set_subject_in_config(host_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
-    if options.ca:
+    if not options.selfsign:
         service.print_msg("Setting the certificate subject base")
         ca.set_subject_in_config(util.realm_to_suffix(realm_name))
 

ipa.spec.in

@@ -98,6 +98,7 @@ Requires: selinux-policy
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.15
+Requires: pki-ca
 Conflicts: mod_ssl
 
 %description server