Install the ca.crt file early on so that we can always enforce SSL

protected connections to other LDAP servers
Fix error reporting on replica creation.
This commit is contained in:
Simo Sorce 2008-08-11 16:15:30 -04:00
parent 0d6b6fa084
commit f5177e6b84
3 changed files with 27 additions and 22 deletions


@ -30,6 +30,8 @@ from ipaserver import dsinstance, replication, installutils, krbinstance, servic
from ipaserver import httpinstance, ntpinstance, certs, ipaldap
from ipa import version
CACERT="/usr/share/ipa/html/ca.crt"
class ReplicaConfig:
def __init__(self):
self.realm_name = ""
@ -122,6 +124,15 @@ def install_krb(config):
config.domain_name, config.dirman_password,
ldappwd_filename, kpasswd_filename)
def install_ca_cert(config):
if ipautil.file_exists(config.dir + "/ca.crt"):
try:
shutil.copy(config.dir + "/ca.crt", CACERT)
os.chmod(CACERT, 0444)
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
def install_http(config):
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
@ -139,8 +150,6 @@ def install_http(config):
try:
shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
shutil.copy(config.dir + "/ca.crt", "/usr/share/ipa/html/ca.crt")
os.chmod("/usr/share/ipa/html/ca.crt", 0444)
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
@ -234,12 +243,14 @@ def main():
# Configure dirsrv
ds = install_ds(config)
repl = replication.ReplicationManager(config.host_name, config.dirman_password)
if repl is None:
# Install CA cert so that we can do SSL connections with ldap
install_ca_cert(config)
try:
repl = replication.ReplicationManager(config.host_name, config.dirman_password)
ret = repl.setup_replication(config.master_host_name, config.realm_name)
except:
raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name)
ret = repl.setup_replication(config.master_host_name, config.realm_name)
if ret is None:
raise RuntimeError("Unable to connect to LDAP server %s." % config.master_host_name)
if ret != 0:
raise RuntimeError("Failed to start replication")
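Review bot: The bare `except:` in main() wraps both the ReplicationManager constructor and setup_replication, so any failure in either — a wrong Directory Manager password, a TLS verification failure against CACERT, even a KeyboardInterrupt — is reported as "Unable to connect to LDAP server", which hides the very cause the commit set out to surface. Narrow it to the python-ldap base class and carry the original message, `except ldap.LDAPError, e:` / `raise RuntimeError("Unable to connect to LDAP server %s: %s" % (config.host_name, e))`, importing ldap if this script does not already. Relatedly, install_ca_cert does nothing when `config.dir + "/ca.crt"` is absent, and the missing trust anchor then only shows up later as that same opaque connection error; an `else:` branch that prints a clear message and exits would fail early with the real cause. CACERT is also defined with the same literal in replication.py in this commit, so the path belongs in one shared module rather than two copies that can drift.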


@ -270,7 +270,9 @@ class IPAdmin(SimpleLDAPObject):
ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
if cacert is not None:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,cacert)
if bindcert is not None:
ldap.set_option(ldap.OPT_X_TLS_CERTFILE,bindcert)
if bindkey is not None:
ldap.set_option(ldap.OPT_X_TLS_KEYFILE,bindkey)
self.__wrapmethods()
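Review bot: Setting OPT_X_TLS_CACERTFILE only supplies the trust anchor; whether libldap actually rejects an unverifiable server certificate is governed by OPT_X_TLS_REQUIRE_CERT, which this hunk leaves at whatever the system ldap.conf (TLS_REQCERT) provides. Since the commit's intent is to enforce protected connections, set it explicitly in the same branch: `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`. These calls go through the module, so they are process-global: one IPAdmin instance silently changes TLS settings for every connection created afterwards, which deserves a comment such as `# module-level option: applies to every LDAP handle created from here on`. __init__ begins outside the hunk, so I cannot see whether the underlying LDAP handle was already created above this point; as I understand it libldap copies the global TLS defaults into a handle when it is created, so confirm the ordering if the options are meant to apply to this object.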


@ -24,6 +24,7 @@ from ldap import modlist
from ipa import ipaerror
DIRMAN_CN = "cn=directory manager"
CACERT="/usr/share/ipa/html/ca.crt"
PORT = 636
TIMEOUT = 120
@ -32,13 +33,9 @@ class ReplicationManager:
def __init__(self, hostname, dirman_passwd):
self.hostname = hostname
self.dirman_passwd = dirman_passwd
try:
self.conn = ipaldap.IPAdmin(hostname)
self.conn.do_simple_bind(bindpw=dirman_passwd)
except ldap.CONNECT_ERROR, e:
return None
except ldap.SERVER_DOWN, e:
return None
self.conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
self.conn.do_simple_bind(bindpw=dirman_passwd)
self.repl_man_passwd = dirman_passwd
@ -175,7 +172,7 @@ class ReplicationManager:
logging.debug("failed to find mappting tree entry for %s" % self.suffix)
raise e
return entry
return entry
def enable_chain_on_update(self, bename):
@ -301,13 +298,8 @@ class ReplicationManager:
- the directory manager password needs to be the same on
both directories.
"""
try:
other_conn = ipaldap.IPAdmin(other_hostname)
other_conn.do_simple_bind(bindpw=self.dirman_passwd)
except ldap.CONNECT_ERROR, e:
return None
except ldap.SERVER_DOWN, e:
return None
other_conn = ipaldap.IPAdmin(other_hostname, port=PORT, cacert=CACERT)
other_conn.do_simple_bind(bindpw=self.dirman_passwd)
self.suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(realm_name))