dns: check if container exists using ldapi

Previously an ad hoc connection was established for checking whether the
dns(sec) container exists, using a simple or external bind.
Instead, always connect with ldapi through api.Backend.ldap2.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Tomas Krizek
2016-11-11 12:45:11 +01:00
committed by Martin Babinsky
parent 28bc54f91d
commit f183f70e01
7 changed files with 15 additions and 58 deletions


@@ -281,8 +281,7 @@ def del_master(realm, hostname, options):
# 7. And clean up the removed replica DNS entries if any. # 7. And clean up the removed replica DNS entries if any.
try: try:
if bindinstance.dns_container_exists(options.host, api.env.basedn, if bindinstance.dns_container_exists(api.env.basedn):
dm_password=options.dirman_passwd):
bind = bindinstance.BindInstance() bind = bindinstance.BindInstance()
bind.update_system_records() bind.update_system_records()
except Exception as e: except Exception as e:


@@ -903,8 +903,7 @@ def ensure_last_services(conn, hostname, masters, options):
def cleanup_server_dns_entries(realm, hostname, suffix, options): def cleanup_server_dns_entries(realm, hostname, suffix, options):
try: try:
if bindinstance.dns_container_exists(options.host, suffix, if bindinstance.dns_container_exists(suffix):
dm_password=options.dirman_passwd):
bindinstance.remove_master_dns_records(hostname, realm) bindinstance.remove_master_dns_records(hostname, realm)
dnskeysyncinstance.remove_replica_public_keys(hostname) dnskeysyncinstance.remove_replica_public_keys(hostname)
except Exception as e: except Exception as e:


@@ -39,7 +39,7 @@ from ipaserver.dns_data_management import (
from ipaserver.install import installutils from ipaserver.install import installutils
from ipaserver.install import service from ipaserver.install import service
from ipaserver.install import sysupgrade from ipaserver.install import sysupgrade
from ipapython import ipautil, ipaldap from ipapython import ipautil
from ipapython import dnsutil from ipapython import dnsutil
from ipapython.dnsutil import DNSName from ipapython.dnsutil import DNSName
from ipapython.ipa_log_manager import root_logger from ipapython.ipa_log_manager import root_logger
@@ -58,7 +58,6 @@ from ipalib.util import (validate_zonemgr_str, normalize_zonemgr,
zone_is_reverse, validate_dnssec_global_forwarder, zone_is_reverse, validate_dnssec_global_forwarder,
DNSSECSignatureMissingError, EDNS0UnsupportedError, DNSSECSignatureMissingError, EDNS0UnsupportedError,
UnresolvableRecordError) UnresolvableRecordError)
from ipalib.constants import CACERT
if six.PY3: if six.PY3:
unicode = str unicode = str
@@ -229,26 +228,13 @@ def named_conf_add_include(path):
f.write(named_conf_include_template % {'path': path}) f.write(named_conf_include_template % {'path': path})
def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, def dns_container_exists(suffix):
realm=None):
""" """
Test whether the dns container exists. Test whether the dns container exists.
""" """
assert isinstance(suffix, DN) assert isinstance(suffix, DN)
try: return api.Backend.ldap2.entry_exists(DN(('cn', 'dns'), suffix))
# At install time we may need to use LDAPI to avoid chicken/egg
# issues with SSL certs and truting CAs
ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)
except ldap.SERVER_DOWN:
raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
ret = conn.entry_exists(DN(('cn', 'dns'), suffix))
conn.unbind()
return ret
def dns_zone_exists(name, api=api): def dns_zone_exists(name, api=api):
try: try:
@@ -656,8 +642,7 @@ class BindInstance(service.Service):
else: else:
self.zonemgr = normalize_zonemgr(zonemgr) self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists( self.first_instance = not dns_container_exists(self.suffix)
self.fqdn, self.suffix, realm=self.realm, ldapi=True)
self.__setup_sub_dict() self.__setup_sub_dict()
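Review bot: The new dns_container_exists silently assumes api.Backend.ldap2 is already connected, and it drops the old ldap.SERVER_DOWN handling that turned an unreachable directory into RuntimeError('LDAP server ... is not responding. Is IPA installed?'), so an unconnected backend now surfaces as whatever entry_exists raises — in del_master and cleanup_server_dns_entries that lands in a broad `except Exception` with a less specific message. An explicit precondition check keeps the failure readable: `if not api.Backend.ldap2.isconnected():` / `    raise RuntimeError('LDAP backend is not connected; is IPA installed?')` before the entry_exists call, and the docstring should say the function requires a connected ldap2 backend (LDAPI) rather than opening its own connection. The same precondition applies to dnssec_container_exists in dnskeysyncinstance and to the callers in ReplicaPrepare and install_dns_records. If ldap.SERVER_DOWN was the only use of the `ldap` module in bindinstance, that import is presumably now unused as well; the hunk does not show it.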


@@ -223,7 +223,6 @@ def install_step_1(standalone, replica_config, options):
return return
realm_name = options.realm_name realm_name = options.realm_name
dm_password = options.dm_password
host_name = options.host_name host_name = options.host_name
subject_base = options.subject subject_base = options.subject
@@ -285,7 +284,7 @@ def install_step_1(standalone, replica_config, options):
if standalone: if standalone:
# Install CA DNS records # Install CA DNS records
if bindinstance.dns_container_exists(host_name, basedn, dm_password): if bindinstance.dns_container_exists(basedn):
bind = bindinstance.BindInstance() bind = bindinstance.BindInstance()
bind.update_system_records() bind.update_system_records()


@@ -19,12 +19,10 @@ from ipaserver.install import service
from ipaserver.install import installutils from ipaserver.install import installutils
from ipapython.ipa_log_manager import root_logger from ipapython.ipa_log_manager import root_logger
from ipapython.dn import DN from ipapython.dn import DN
from ipapython import ipaldap
from ipapython import ipautil from ipapython import ipautil
from ipaplatform.constants import constants from ipaplatform.constants import constants
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipalib import errors, api from ipalib import errors, api
from ipalib.constants import CACERT
from ipaserver.install.bindinstance import dns_container_exists from ipaserver.install.bindinstance import dns_container_exists
softhsm_token_label = u'ipaDNSSEC' softhsm_token_label = u'ipaDNSSEC'
@@ -32,26 +30,13 @@ softhsm_slot = 0
replica_keylabel_template = u"dnssec-replica:%s" replica_keylabel_template = u"dnssec-replica:%s"
def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, def dnssec_container_exists(suffix):
realm=None):
""" """
Test whether the dns container exists. Test whether the dns container exists.
""" """
assert isinstance(suffix, DN) assert isinstance(suffix, DN)
try: return api.Backend.ldap2.entry_exists(
# At install time we may need to use LDAPI to avoid chicken/egg DN(('cn', 'sec'), ('cn', 'dns'), suffix))
# issues with SSL certs and truting CAs
ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)
except ldap.SERVER_DOWN:
raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
ret = conn.entry_exists(DN(('cn', 'sec'), ('cn', 'dns'), suffix))
conn.unbind()
return ret
def remove_replica_public_keys(hostname): def remove_replica_public_keys(hostname):
@@ -161,9 +146,7 @@ class DNSKeySyncInstance(service.Service):
except KeyError: except KeyError:
raise RuntimeError("OpenDNSSEC GID not found") raise RuntimeError("OpenDNSSEC GID not found")
if not dns_container_exists( if not dns_container_exists(self.suffix):
self.fqdn, self.suffix, realm=self.realm, ldapi=True
):
raise RuntimeError("DNS container does not exist") raise RuntimeError("DNS container does not exist")
# ready to be installed, storing a state is required to run uninstall # ready to be installed, storing a state is required to run uninstall
@@ -173,8 +156,7 @@ class DNSKeySyncInstance(service.Service):
""" """
Setup LDAP containers for DNSSEC Setup LDAP containers for DNSSEC
""" """
if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True, if dnssec_container_exists(self.suffix):
realm=self.realm):
self.logger.info("DNSSEC container exists (step skipped)") self.logger.info("DNSSEC container exists (step skipped)")
return return
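Review bot: The docstring of dnssec_container_exists still reads "Test whether the dns container exists." although the function checks the cn=sec,cn=dns subtree; it should read `Test whether the DNSSEC container (cn=sec,cn=dns,<suffix>) exists.` and note that api.Backend.ldap2 must already be connected. The body is now a one-line duplicate of dns_container_exists differing only in the DN, so a shared helper taking the container DN would keep the two from drifting apart again; the enclosing class method shown in the last hunk continues outside the hunk.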


@@ -253,10 +253,7 @@ class ReplicaPrepare(admintool.AdminTool):
except installutils.BadHostError as e: except installutils.BadHostError as e:
if isinstance(e, installutils.HostLookupError): if isinstance(e, installutils.HostLookupError):
if not options.ip_addresses: if not options.ip_addresses:
if dns_container_exists( if dns_container_exists(api.env.basedn):
api.env.host, api.env.basedn,
dm_password=self.dirman_password,
ldapi=True, realm=api.env.realm):
self.log.info('You might use the --ip-address option ' self.log.info('You might use the --ip-address option '
'to create a DNS entry if the DNS zone ' 'to create a DNS entry if the DNS zone '
'is managed by IPA.') 'is managed by IPA.')
@@ -268,9 +265,7 @@ class ReplicaPrepare(admintool.AdminTool):
raise raise
if options.ip_addresses: if options.ip_addresses:
if not dns_container_exists(api.env.host, api.env.basedn, if not dns_container_exists(api.env.basedn):
dm_password=self.dirman_password,
ldapi=True, realm=api.env.realm):
self.log.error( self.log.error(
"It is not possible to add a DNS record automatically " "It is not possible to add a DNS record automatically "
"because DNS is not managed by IPA. Please create DNS " "because DNS is not managed by IPA. Please create DNS "


@@ -171,9 +171,7 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
def install_dns_records(config, options, remote_api): def install_dns_records(config, options, remote_api):
if not bindinstance.dns_container_exists( if not bindinstance.dns_container_exists(
config.host_name, ipautil.realm_to_suffix(config.realm_name)):
ipautil.realm_to_suffix(config.realm_name),
realm=config.realm_name, ldapi=True):
return return
try: try:
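Review bot: install_dns_records receives remote_api but the container check now goes through the global api.Backend.ldap2, and the hunk gives no hint which directory that backend points at during replica installation; if the intent is to query the local server (as the old ldapi connection to config.host_name did), a comment such as `# checked against the local ldap2 backend, not remote_api` would make that explicit, and if it is meant to be the remote master the call should presumably use remote_api instead. The rest of install_dns_records continues outside the hunk, so whether remote_api is used later cannot be seen here.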