Install the ca.crt file early on so that we can always enforce SSL-protected connections to other LDAP servers. Fix error reporting on replica creation.
This commit is contained in:
parent
0d6b6fa084
commit
f5177e6b84
@ -30,6 +30,8 @@ from ipaserver import dsinstance, replication, installutils, krbinstance, servic
|
||||
from ipaserver import httpinstance, ntpinstance, certs, ipaldap
|
||||
from ipa import version
|
||||
|
||||
CACERT="/usr/share/ipa/html/ca.crt"
|
||||
|
||||
class ReplicaConfig:
|
||||
def __init__(self):
|
||||
self.realm_name = ""
|
||||
@ -122,6 +124,15 @@ def install_krb(config):
|
||||
config.domain_name, config.dirman_password,
|
||||
ldappwd_filename, kpasswd_filename)
|
||||
|
||||
def install_ca_cert(config):
|
||||
if ipautil.file_exists(config.dir + "/ca.crt"):
|
||||
try:
|
||||
shutil.copy(config.dir + "/ca.crt", CACERT)
|
||||
os.chmod(CACERT, 0444)
|
||||
except Exception, e:
|
||||
print "error copying files: " + str(e)
|
||||
sys.exit(1)
|
||||
|
||||
def install_http(config):
|
||||
# if we have a pkcs12 file, create the cert db from
|
||||
# that. Otherwise the ds setup will create the CA
|
||||
@ -139,8 +150,6 @@ def install_http(config):
|
||||
try:
|
||||
shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
|
||||
shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
|
||||
shutil.copy(config.dir + "/ca.crt", "/usr/share/ipa/html/ca.crt")
|
||||
os.chmod("/usr/share/ipa/html/ca.crt", 0444)
|
||||
except Exception, e:
|
||||
print "error copying files: " + str(e)
|
||||
sys.exit(1)
|
||||
@ -234,12 +243,14 @@ def main():
|
||||
# Configure dirsrv
|
||||
ds = install_ds(config)
|
||||
|
||||
repl = replication.ReplicationManager(config.host_name, config.dirman_password)
|
||||
if repl is None:
|
||||
# Install CA cert so that we can do SSL connections with ldap
|
||||
install_ca_cert(config)
|
||||
|
||||
try:
|
||||
repl = replication.ReplicationManager(config.host_name, config.dirman_password)
|
||||
ret = repl.setup_replication(config.master_host_name, config.realm_name)
|
||||
except:
|
||||
raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name)
|
||||
ret = repl.setup_replication(config.master_host_name, config.realm_name)
|
||||
if ret is None:
|
||||
raise RuntimeError("Unable to connect to LDAP server %s." % config.master_host_name)
|
||||
if ret != 0:
|
||||
raise RuntimeError("Failed to start replication")
|
||||
|
||||
|
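Review bot: The bare `except:` wrapping `ReplicationManager(...)` and `setup_replication(...)` in main() discards the original exception, so a TLS certificate-verification failure against the master — the very condition this commit is meant to enforce — is reported as a generic "Unable to connect to LDAP server" naming `config.host_name`, even though `setup_replication` is the call that reaches `config.master_host_name`. It also traps SystemExit and KeyboardInterrupt. Narrow it and keep the cause, e.g. `except ldap.LDAPError, e:` followed by `raise RuntimeError("Unable to connect to LDAP server %s: %s" % (config.host_name, e))` (the `ldap` module is not imported in the visible lines; import it, or catch `Exception` instead). Separately, `install_ca_cert` silently does nothing when `config.dir + "/ca.crt"` is absent, which leaves `CACERT` missing for the later TLS connections; reporting that and calling `sys.exit(1)` there gives a clearer failure than a later connect error. main() continues outside the hunk.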
@ -270,7 +270,9 @@ class IPAdmin(SimpleLDAPObject):
|
||||
ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
|
||||
if cacert is not None:
|
||||
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,cacert)
|
||||
if bindcert is not None:
|
||||
ldap.set_option(ldap.OPT_X_TLS_CERTFILE,bindcert)
|
||||
if bindkey is not None:
|
||||
ldap.set_option(ldap.OPT_X_TLS_KEYFILE,bindkey)
|
||||
|
||||
self.__wrapmethods()
|
||||
|
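Review bot: Setting `ldap.OPT_X_TLS_CACERTFILE` alone does not make the library reject a peer certificate that fails to chain to that CA; whether verification is enforced is governed by `OPT_X_TLS_REQUIRE_CERT`, which this hunk leaves to the libldap/ldap.conf default (`TLS_REQCERT`). To actually enforce what the commit message describes, add `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` under the `cacert` branch. Note too that these are process-global options (`ldap.set_option`, not `self.set_option`), so the last caller's `cacert`/`bindcert`/`bindkey` values apply to every subsequent connection in the process, which is worth a comment at the call site. `IPAdmin.__init__` starts and ends outside the hunk.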
@ -24,6 +24,7 @@ from ldap import modlist
|
||||
from ipa import ipaerror
|
||||
|
||||
DIRMAN_CN = "cn=directory manager"
|
||||
CACERT="/usr/share/ipa/html/ca.crt"
|
||||
PORT = 636
|
||||
TIMEOUT = 120
|
||||
|
||||
@ -32,13 +33,9 @@ class ReplicationManager:
|
||||
def __init__(self, hostname, dirman_passwd):
|
||||
self.hostname = hostname
|
||||
self.dirman_passwd = dirman_passwd
|
||||
try:
|
||||
self.conn = ipaldap.IPAdmin(hostname)
|
||||
self.conn.do_simple_bind(bindpw=dirman_passwd)
|
||||
except ldap.CONNECT_ERROR, e:
|
||||
return None
|
||||
except ldap.SERVER_DOWN, e:
|
||||
return None
|
||||
|
||||
self.conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
|
||||
self.conn.do_simple_bind(bindpw=dirman_passwd)
|
||||
|
||||
self.repl_man_passwd = dirman_passwd
|
||||
|
||||
@ -175,7 +172,7 @@ class ReplicationManager:
|
||||
logging.debug("failed to find mappting tree entry for %s" % self.suffix)
|
||||
raise e
|
||||
|
||||
return entry
|
||||
return entry
|
||||
|
||||
|
||||
def enable_chain_on_update(self, bename):
|
||||
@ -301,13 +298,8 @@ class ReplicationManager:
|
||||
- the directory manager password needs to be the same on
|
||||
both directories.
|
||||
"""
|
||||
try:
|
||||
other_conn = ipaldap.IPAdmin(other_hostname)
|
||||
other_conn.do_simple_bind(bindpw=self.dirman_passwd)
|
||||
except ldap.CONNECT_ERROR, e:
|
||||
return None
|
||||
except ldap.SERVER_DOWN, e:
|
||||
return None
|
||||
other_conn = ipaldap.IPAdmin(other_hostname, port=PORT, cacert=CACERT)
|
||||
other_conn.do_simple_bind(bindpw=self.dirman_passwd)
|
||||
|
||||
self.suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(realm_name))
|
||||
|
||||
|
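Review bot: `CACERT = "/usr/share/ipa/html/ca.crt"` duplicates the same literal in ipa-replica-install and points the replication trust anchor at a file inside the web document root that `install_ca_cert` copies with mode 0444; if the two definitions ever diverge, or the web-root copy is replaced, the replica silently trusts a different CA. Define the path once (for example `ipaldap.CACERT`) and import it in both places, and consider keeping the copy used for verification outside the served directory (the ownership and write permissions of `/usr/share/ipa/html` are not visible here). The new `IPAdmin(..., port=PORT, cacert=CACERT)` calls in `__init__` and `setup_replication` only give a TLS session if `IPAdmin` also selects an `ldaps://` URI for port 636; that cannot be confirmed from this hunk and deserves a one-line comment at each call, e.g. `# port 636 / CACERT: replication traffic must be TLS-protected`.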