IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-25 16:31:08 -06:00
Code Issues Packages Projects Releases Wiki Activity
22d3a93bbc
freeipa/install/tools/ipa-dns-install
Martin Babinsky 26d6c6fbbb ipa-dns-install: use LDAPI to connect to DS 
ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of
DNS/DNSSEC-related service and thus makes -p option obsolete.

Futhermore, now it makes more sense to use LDAPI also for API Backend
connections to DS and thus all forms of Kerberos auth were removed.

This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer
to fixing https://fedorahosted.org/freeipa/ticket/2957

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-18 12:31:23 +01:00

241 lines
10 KiB
Python
Executable File
Raw Blame History

#! /usr/bin/python2 -E
# Authors: Martin Nagy <mnagy@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 - 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from optparse import OptionGroup, SUPPRESS_HELP
from ipaserver.install import (service, bindinstance, ntpinstance,
httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
from ipaserver.install.installutils import *
from ipaserver.install import installutils
from ipapython import version
from ipapython import ipautil, sysrestore
from ipapython.ipaldap import AUTOBIND_ENABLED
from ipalib import api, errors, util
from ipaplatform.paths import paths
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup, root_logger
from ipapython.ipautil import DN
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-p", "--ds-password", dest="dm_password",
sensitive=True, help=SUPPRESS_HELP)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS",
default=[], action="append",
type="ip", ip_local=True, help="Master Server IP Address. This option can be used multiple times")
parser.add_option("--forwarder", dest="forwarders", action="append",
type="ip", help="Add a DNS forwarder. This option can be used multiple times")
parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
default=False, help="Do not add any DNS forwarders, use root servers instead")
parser.add_option("--reverse-zone", dest="reverse_zones",
default=[], action="append", metavar="REVERSE_ZONE",
help="The reverse DNS zone to use. This option can be used multiple times")
parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
default=False, help="Disable DNSSEC validation")
parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true",
default=False, help="Setup server to be DNSSEC key master")
parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif options.reverse_zones and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
if options.unattended:
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
if options.dm_password:
print ("WARNING: Option -p/--ds-password is deprecated "
"and should not be used anymore.")
return safe_options, options
def main():
safe_options, options = parse_options()
if os.getegid() != 0:
sys.exit("Must be root to setup server")
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
print "\nThe log file for this installation can be found in %s" % log_file_name
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
installutils.check_server_configuration()
global fstore
fstore = sysrestore.FileStore(paths.SYSRESTORE)
print "=============================================================================="
print "This program will setup DNS for the FreeIPA Server."
print ""
print "This includes:"
print " * Configure DNS (bind)"
print " * Configure SoftHSM (required by DNSSEC)"
print " * Configure ipa-dnskeysyncd (required by DNSSEC)"
if options.dnssec_master:
print " * Configure ipa-ods-exporter (required by DNSSEC key master)"
print " * Configure OpenDNSSEC (required by DNSSEC key master)"
print " * Generate DNSSEC master key (required by DNSSEC key master)"
print ""
print "NOTE: DNSSEC zone signing is not enabled by default"
print ""
if options.dnssec_master:
print "DNSSEC support is experimental!"
print ""
print "Plan carefully, current version doesn't allow you to move DNSSEC"
print "key master to different server and master cannot be uninstalled"
print ""
print ""
print "To accept the default shown in brackets, press the Enter key."
print ""
if options.dnssec_master and not options.unattended and not ipautil.user_input(
"Do you want to setup this IPA server as DNSSEC key master?",
False):
sys.exit("Aborted")
# Check bind packages are installed
if not (bindinstance.check_inst(options.unattended) and
dnskeysyncinstance.check_inst()):
sys.exit("Aborting installation.")
if options.dnssec_master:
# check opendnssec packages are installed
if not opendnssecinstance.check_inst():
sys.exit("Aborting installation")
# Initialize the ipalib api
cfg = dict(
in_server=True,
debug=options.debug,
)
api.bootstrap(**cfg)
api.finalize()
# create BIND and OpenDNSSec instances
bind = bindinstance.BindInstance(fstore, ldapi=True,
autobind=AUTOBIND_ENABLED)
ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True,
autobind=AUTOBIND_ENABLED)
if options.dnssec_master:
ods.realm = api.env.realm
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
if not api.env.host in dnssec_masters and dnssec_masters:
print "DNSSEC key master(s):", u','.join(dnssec_masters)
sys.exit("Only one DNSSEC key master is supported in current version.")
ip_addresses = get_server_ip_address(api.env.host, fstore,
options.unattended, True, options.ip_addresses)
if options.no_forwarders:
dns_forwarders = ()
elif options.forwarders:
dns_forwarders = options.forwarders
else:
dns_forwarders = read_dns_forwarders()
# test DNSSEC forwarders
if dns_forwarders:
if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print "WARNING: DNSSEC validation will be disabled"
root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))
api.Backend.ldap2.connect(autobind=True)
reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
options.reverse_zones, options, options.unattended, True)
if reverse_zones:
print "Using reverse zone(s) %s" % ', '.join(reverse_zones)
conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()
if not options.unattended:
print ""
print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned."
print ""
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
dns_forwarders, conf_ntp, reverse_zones, zonemgr=options.zonemgr,
no_dnssec_validation=options.no_dnssec_validation)
bind.create_instance()
# on dnssec master this must be installed last
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
dnskeysyncd.create_instance(api.env.host, api.env.realm)
if options.dnssec_master:
ods_exporter = odsexporterinstance.ODSExporterInstance(
fstore, ldapi=True, autobind=AUTOBIND_ENABLED)
ods_exporter.create_instance(api.env.host, api.env.realm)
ods.create_instance(api.env.host, api.env.realm)
dnskeysyncd.start_dnskeysyncd()
bind.start_named()
# Restart http instance to make sure that python-dns has the right resolver
# https://bugzilla.redhat.com/show_bug.cgi?id=800368
http = httpinstance.HTTPInstance(fstore)
service.print_msg("Restarting the web server")
http.restart()
print "=============================================================================="
print "Setup complete"
print ""
bind.check_global_configuration()
print ""
print ""
print "\tYou must make sure these network ports are open:"
print "\t\tTCP Ports:"
print "\t\t * 53: bind"
print "\t\tUDP Ports:"
print "\t\t * 53: bind"
return 0
if __name__ == '__main__':
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-dns-install')
Reference in New Issue View Git Blame Copy Permalink