Split dsinstance configuration

This is so that master and replica creation can perform different operations as
they need slightly diffeent settings to be applied.

install/tools/ipa-replica-install

@@ -26,14 +26,14 @@ from ConfigParser import SafeConfigParser
 
 from ipapython import ipautil
 
-from ipaserver.install import dsinstance, replication, installutils, krbinstance, service
+from ipaserver.install import dsinstance, installutils, krbinstance, service
 from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 
-CACERT="/usr/share/ipa/html/ca.crt"
+CACERT="/etc/ipa/ca.crt"
 
 class HostnameLocalhost(Exception):
     pass
@@ -163,7 +163,7 @@ def install_ca(config):
 
     return ca
 
-def install_ds(config):
+def install_replica_ds(config):
     dsinstance.check_existing_installation()
     dsinstance.check_ports()
 
@@ -176,13 +176,10 @@ def install_ds(config):
                        config.dir + "/dirsrv_pin.txt")
 
     ds = dsinstance.DsInstance()
-    # idstart and idmax are configured so that the range is seen as depleted
-    # by the DNA plugin and the replica will go and get a new range from the
-    # master.
-    # This way all servers use the initially defined range by default.
-    ds.create_instance(config.ds_user, config.realm_name, config.host_name,
-                       config.domain_name, config.dirman_password,
-                       pkcs12_info, idstart=1101, idmax=1100)
+    ds.create_replica(config.ds_user, config.realm_name,
+                      config.master_host_name, config.host_name,
+                      config.domain_name, config.dirman_password,
+                      pkcs12_info)
 
     return ds
 
@@ -203,13 +200,16 @@ def install_krb(config, setup_pkinit=False):
                        setup_pkinit, pkcs12_info)
 
 def install_ca_cert(config):
-    if ipautil.file_exists(config.dir + "/ca.crt"):
-        try:
-            shutil.copy(config.dir + "/ca.crt", CACERT)
-            os.chmod(CACERT, 0444)
-        except Exception, e:
-            print "error copying files: " + str(e)
-            sys.exit(1)
+    cafile = config.dir + "/ca.crt"
+    if not ipautil.file_exists(cafile):
+        raise RuntimeError("Ca cert file is not available")
+
+    try:
+        shutil.copy(cafile, CACERT)
+        os.chmod(CACERT, 0444)
+    except Exception, e:
+        print "error copying files: " + str(e)
+        sys.exit(1)
 
 def install_http(config):
     # if we have a pkcs12 file, create the cert db from
@@ -354,13 +354,16 @@ def main():
     if options.setup_pkinit:
         check_pkinit()
 
+    # Install CA cert so that we can do SSL connections with ldap
+    install_ca_cert(config)
+
     # Try out the password
-    ldapuri = 'ldap://%s' % config.master_host_name
+    ldapuri = 'ldaps://%s' % config.master_host_name
     try:
         conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
-        conn.connect(
-            bind_dn='cn=directory manager', bind_pw=config.dirman_password
-        )
+        conn.connect(bind_dn='cn=directory manager',
+                     bind_pw=config.dirman_password,
+                     tls_cacertfile=CACERT)
         try:
             entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], u'%s,%s' % (api.env.container_host, api.env.basedn))
             print "The host %s already exists.\n" % host
@@ -377,9 +380,6 @@ def main():
     except errors.LDAPError:
         sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
 
-    # Install CA cert so that we can do SSL connections with ldap
-    install_ca_cert(config)
-
     # Configure ntpd
     if options.conf_ntp:
         ntp = ntpinstance.NTPInstance()
@@ -389,16 +389,7 @@ def main():
     CA = install_ca(config)
 
     # Configure dirsrv
-    ds = install_ds(config)
-
-    try:
-        repl = replication.ReplicationManager(config.host_name, config.dirman_password)
-        ret = repl.setup_replication(config.master_host_name, config.realm_name)
-    except Exception, e:
-        logging.debug("Connection error: %s" % e)
-        raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name)
-    if ret != 0:
-        raise RuntimeError("Failed to start replication")
+    ds = install_replica_ds(config)
 
     install_krb(config, setup_pkinit=options.setup_pkinit)
     install_http(config)

ipaserver/install/dsinstance.py

@@ -40,12 +40,13 @@ from ldap.dn import escape_dn_chars
 from ipaserver import ipaldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import httpinstance
+from ipaserver.install import replication
 from ipalib import util, errors
 from ipaserver.plugins.ldap2 import ldap2
 
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
-CACERT="/usr/share/ipa/html/ca.crt"
+CACERT="/erc/ipa/ca.crt"
 
 def find_server_root():
     if ipautil.dir_exists(SERVER_ROOT_64):
@@ -188,24 +189,7 @@ class DsInstance(service.Service):
         self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
 
-    def create_instance(self, ds_user, realm_name, fqdn, domain_name,
-                        dm_password, pkcs12_info=None, self_signed_ca=False,
-                        idstart=1100, idmax=999999, subject_base=None,
-                        hbac_allow=True):
-        self.ds_user = ds_user
-        self.realm_name = realm_name.upper()
-        self.serverid = realm_to_serverid(self.realm_name)
-        self.suffix = util.realm_to_suffix(self.realm_name)
-        self.fqdn = fqdn
-        self.dm_password = dm_password
-        self.domain = domain_name
-        self.pkcs12_info = pkcs12_info
-        self.self_signed_ca = self_signed_ca
-        self.idstart = idstart
-        self.idmax = idmax
-        self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
-        self.subject_base = subject_base
-        self.__setup_sub_dict()
+    def __common_setup(self):
 
         self.step("creating directory server user", self.__create_ds_user)
         self.step("creating directory server instance", self.__create_instance)
@@ -225,24 +209,90 @@ class DsInstance(service.Service):
         self.step("configuring certmap.conf", self.__certmap_conf)
         self.step("restarting directory server", self.__restart_instance)
         self.step("configuring user private groups", self.__user_private_groups)
-        self.step("adding default layout", self.__add_default_layout)
-        self.step("adding delegation layout", self.__add_delegation_layout)
-        self.step("configuring Posix uid/gid generation as first master",
-                  self.__config_uidgid_gen_first_master)
-        self.step("adding master entry as first master",
-                  self.__add_master_entry_first_master)
-        self.step("initializing group membership",
-                  self.init_memberof)
-        if hbac_allow:
-            self.step("creating default HBAC rule allow_all", self.add_hbac)
+
+    def __common_post_setup(self):
+        self.step("initializing group membership", self.init_memberof)
+        self.step("adding master entry", self.__add_master_entry)
+        self.step("configuring Posix uid/gid generation",
+                  self.__config_uidgid_gen)
         self.step("enabling compatibility plugin",
                   self.__enable_compat_plugin)
         self.step("tuning directory server", self.__tuning)
 
         self.step("configuring directory to start on boot", self.__enable)
 
+    def create_instance(self, ds_user, realm_name, fqdn, domain_name,
+                        dm_password, pkcs12_info=None, self_signed_ca=False,
+                        idstart=1100, idmax=999999, subject_base=None,
+                        hbac_allow=True):
+        self.ds_user = ds_user
+        self.realm_name = realm_name.upper()
+        self.serverid = realm_to_serverid(self.realm_name)
+        self.suffix = util.realm_to_suffix(self.realm_name)
+        self.fqdn = fqdn
+        self.dm_password = dm_password
+        self.domain = domain_name
+        self.pkcs12_info = pkcs12_info
+        self.self_signed_ca = self_signed_ca
+        self.idstart = idstart
+        self.idmax = idmax
+        self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
+        self.subject_base = subject_base
+
+        self.__setup_sub_dict()
+        self.__common_setup()
+
+        self.step("adding default layout", self.__add_default_layout)
+        self.step("adding delegation layout", self.__add_delegation_layout)
+        if hbac_allow:
+            self.step("creating default HBAC rule allow_all", self.add_hbac)
+
+        self.__common_post_setup()
+
         self.start_creation("Configuring directory server", 60)
 
+    def create_replica(self, ds_user, realm_name, master_fqdn, fqdn,
+                       domain_name, dm_password, pkcs12_info=None):
+        self.ds_user = ds_user
+        self.realm_name = realm_name.upper()
+        self.serverid = realm_to_serverid(self.realm_name)
+        self.suffix = util.realm_to_suffix(self.realm_name)
+        self.master_fqdn = master_fqdn
+        self.fqdn = fqdn
+        self.dm_password = dm_password
+        self.domain = domain_name
+        self.pkcs12_info = pkcs12_info
+        self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
+
+        self.self_signed_ca = False
+        self.subject_base = None
+        # idstart and idmax are configured so that the range is seen as
+        # depleted by the DNA plugin and the replica will go and get a
+        # new range from the master.
+        # This way all servers use the initially defined range by default.
+        self.idstart = 1101
+        self.idmax = 1100
+
+        self.__setup_sub_dict()
+        self.__common_setup()
+
+        self.step("Setting up initial replication", self.__setup_replica)
+
+        self.__common_post_setup()
+
+        self.start_creation("Configuring directory server", 60)
+
+
+    def __setup_replica(self):
+        try:
+            repl = replication.ReplicationManager(self.fqdn, self.dm_password)
+            ret = repl.setup_replication(self.master_fqdn, self.realm_name)
+        except Exception, e:
+            logging.debug("Connection error: %s" % e)
+            raise RuntimeError("Unable to connect to LDAP server %s." % self.fqdn)
+        if ret != 0:
+            raise RuntimeError("Failed to start replication")
+
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
         self.chkconfig_on()
@@ -378,12 +428,12 @@ class DsInstance(service.Service):
     def __set_unique_attrs(self):
         self._ldap_mod("unique-attributes.ldif", self.sub_dict)
 
-    def __config_uidgid_gen_first_master(self):
+    def __config_uidgid_gen(self):
         if not has_managed_entries(self.fqdn, self.dm_password):
             raise errors.NotFound(reason='Missing Managed Entries Plugin')
         self._ldap_mod("dna.ldif", self.sub_dict)
 
-    def __add_master_entry_first_master(self):
+    def __add_master_entry(self):
         self._ldap_mod("master-entry.ldif", self.sub_dict)
 
     def __add_winsync_module(self):

ipaserver/install/replication.py

@@ -20,14 +20,13 @@
 import time, logging
 
 import ldap
-from ipaserver.install import dsinstance
 from ipaserver import ipaldap
 from ldap import modlist
 from ipalib import util
 from ipalib import errors
 
 DIRMAN_CN = "cn=directory manager"
-CACERT = "/usr/share/ipa/html/ca.crt"
+CACERT = "/etc/ipa/ca.crt"
 # the default container used by AD for user entries
 WIN_USER_CONTAINER = "cn=Users"
 # the default container used by IPA for user entries