mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
b5e06b90c9
Fixes: dnskeysyncisntance - requires a stored state to be uninstalled bindinstance - uninstal service only if bind was configured by IPA Ticket:https://fedorahosted.org/freeipa/ticket/4869 Reviewed-By: David Kupka <dkupka@redhat.com>
1444 lines
60 KiB
Python
Executable File
1444 lines
60 KiB
Python
Executable File
#! /usr/bin/python2 -E
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
# Simo Sorce <ssorce@redhat.com>
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2007-2014 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
|
|
# requires the following packages:
|
|
# fedora-ds-base
|
|
# openldap-clients
|
|
# nss-tools
|
|
|
|
import sys
|
|
import os
|
|
import grp
|
|
import signal
|
|
import shutil
|
|
import pickle
|
|
import random
|
|
import tempfile
|
|
import nss.error
|
|
import base64
|
|
import pwd
|
|
import textwrap
|
|
from optparse import OptionGroup, OptionValueError, SUPPRESS_HELP
|
|
|
|
try:
|
|
from ipaserver.install import adtrustinstance
|
|
_server_trust_ad_installed = True
|
|
except ImportError:
|
|
_server_trust_ad_installed = False
|
|
|
|
from ipaserver.install import dsinstance
|
|
from ipaserver.install import krbinstance
|
|
from ipaserver.install import bindinstance
|
|
from ipaserver.install import dnskeysyncinstance
|
|
from ipaserver.install import opendnssecinstance
|
|
from ipaserver.install import odsexporterinstance
|
|
from ipaserver.install import httpinstance
|
|
from ipaserver.install import ntpinstance
|
|
from ipaserver.install import certs
|
|
from ipaserver.install import cainstance
|
|
from ipaserver.install import krainstance
|
|
from ipaserver.install import memcacheinstance
|
|
from ipaserver.install import otpdinstance
|
|
from ipaserver.install import sysupgrade
|
|
from ipaserver.install import replication
|
|
from ipaserver.install import service, installutils
|
|
from ipapython import version
|
|
from ipapython import certmonger
|
|
from ipapython import ipaldap
|
|
from ipaserver.install.installutils import *
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
|
|
from ipapython import sysrestore
|
|
from ipapython.ipautil import *
|
|
from ipapython import ipautil
|
|
from ipapython import dogtag
|
|
from ipalib import api, errors, util, x509
|
|
from ipapython.config import IPAOptionParser
|
|
from ipalib.util import validate_domain_name
|
|
from ipalib.constants import CACERT
|
|
from ipapython.ipa_log_manager import *
|
|
from ipapython.dn import DN
|
|
|
|
import ipaclient.ntpconf
|
|
from ipaplatform.tasks import tasks
|
|
from ipaplatform import services
|
|
from ipaplatform.paths import paths
|
|
|
|
uninstalling = False
|
|
installation_cleanup = True
|
|
|
|
VALID_SUBJECT_ATTRS = ['st', 'o', 'ou', 'dnqualifier', 'c',
|
|
'serialnumber', 'l', 'title', 'sn', 'givenname',
|
|
'initials', 'generationqualifier', 'dc', 'mail',
|
|
'uid', 'postaladdress', 'postalcode', 'postofficebox',
|
|
'houseidentifier', 'e', 'street', 'pseudonym',
|
|
'incorporationlocality', 'incorporationstate',
|
|
'incorporationcountry', 'businesscategory']
|
|
|
|
SYSRESTORE_DIR_PATH = paths.SYSRESTORE
|
|
|
|
def subject_callback(option, opt_str, value, parser):
|
|
"""
|
|
Make sure the certificate subject base is a valid DN
|
|
"""
|
|
v = unicode(value, 'utf-8')
|
|
if any(ord(c) < 0x20 for c in v):
|
|
raise OptionValueError("Subject base must not contain control characters")
|
|
if '&' in v:
|
|
raise OptionValueError("Subject base must not contain an ampersand (\"&\")")
|
|
try:
|
|
dn = DN(v)
|
|
for rdn in dn:
|
|
if rdn.attr.lower() not in VALID_SUBJECT_ATTRS:
|
|
raise OptionValueError('%s=%s has invalid attribute: "%s"' % (opt_str, value, rdn.attr))
|
|
except ValueError, e:
|
|
raise OptionValueError('%s=%s has invalid subject base format: %s' % (opt_str, value, e))
|
|
parser.values.subject = dn
|
|
|
|
def validate_dm_password(password):
|
|
if len(password) < 8:
|
|
raise ValueError("Password must be at least 8 characters long")
|
|
if any(ord(c) < 0x20 for c in password):
|
|
raise ValueError("Password must not contain control characters")
|
|
if any(ord(c) >= 0x7F for c in password):
|
|
raise ValueError("Password must only contain ASCII characters")
|
|
|
|
# Disallow characters that pkisilent doesn't process properly:
|
|
bad_characters = '\\'
|
|
if any(c in bad_characters for c in password):
|
|
raise ValueError('Password must not contain these characters: %s' %
|
|
', '.join('"%s"' % c for c in bad_characters))
|
|
|
|
# TODO: Check https://fedorahosted.org/389/ticket/47849
|
|
# Actual behavior of setup-ds.pl is that it does not accept white
|
|
# space characters in password when called interactively but does when
|
|
# provided such password in INF file. But it ignores leading and trailing
|
|
# white spaces in INF file.
|
|
|
|
# Disallow leading/trailing whaitespaces
|
|
if password.strip() != password:
|
|
raise ValueError('Password must not start or end with whitespace.')
|
|
|
|
def validate_admin_password(password):
|
|
if len(password) < 8:
|
|
raise ValueError("Password must be at least 8 characters long")
|
|
if any(ord(c) < 0x20 for c in password):
|
|
raise ValueError("Password must not contain control characters")
|
|
if any(ord(c) >= 0x7F for c in password):
|
|
raise ValueError("Password must only contain ASCII characters")
|
|
|
|
# Disallow characters that pkisilent doesn't process properly:
|
|
bad_characters = '\\'
|
|
if any(c in bad_characters for c in password):
|
|
raise ValueError('Password must not contain these characters: %s' %
|
|
', '.join('"%s"' % c for c in bad_characters))
|
|
|
|
def parse_options():
|
|
# Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
|
|
namespace = random.randint(1, 10000) * 200000
|
|
parser = IPAOptionParser(version=version.VERSION)
|
|
|
|
basic_group = OptionGroup(parser, "basic options")
|
|
basic_group.add_option("-r", "--realm", dest="realm_name",
|
|
help="realm name")
|
|
basic_group.add_option("-n", "--domain", dest="domain_name",
|
|
help="domain name")
|
|
basic_group.add_option("-p", "--ds-password", dest="dm_password",
|
|
sensitive=True, help="Directory Manager password")
|
|
basic_group.add_option("-P", "--master-password",
|
|
dest="master_password", sensitive=True,
|
|
help="kerberos master password (normally autogenerated)")
|
|
basic_group.add_option("-a", "--admin-password",
|
|
sensitive=True, dest="admin_password",
|
|
help="admin user kerberos password")
|
|
basic_group.add_option("--mkhomedir",
|
|
dest="mkhomedir",
|
|
action="store_true",
|
|
default=False,
|
|
help="create home directories for users "
|
|
"on their first login")
|
|
basic_group.add_option("--hostname", dest="host_name", help="fully qualified name of server")
|
|
basic_group.add_option("--ip-address", dest="ip_addresses",
|
|
type="ip", ip_local=True, action="append", default=[],
|
|
help="Master Server IP Address. This option can be used multiple times",
|
|
metavar="IP_ADDRESS")
|
|
basic_group.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
|
|
help="do not configure ntp", default=True)
|
|
basic_group.add_option("--idstart", dest="idstart", default=namespace, type=int,
|
|
help="The starting value for the IDs range (default random)")
|
|
basic_group.add_option("--idmax", dest="idmax", default=0, type=int,
|
|
help="The max value value for the IDs range (default: idstart+199999)")
|
|
basic_group.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
|
|
action="store_true",
|
|
help="Don't install allow_all HBAC rule")
|
|
basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
|
|
default=True, help="Do not automatically redirect to the Web UI")
|
|
basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
|
|
help="configure OpenSSH client to trust DNS SSHFP records")
|
|
basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
|
|
help="do not configure OpenSSH client")
|
|
basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
|
|
help="do not configure OpenSSH server")
|
|
basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
|
|
default=False, help="print debugging information")
|
|
basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
|
|
default=False, help="unattended (un)installation never prompts the user")
|
|
parser.add_option_group(basic_group)
|
|
|
|
cert_group = OptionGroup(parser, "certificate system options")
|
|
cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true",
|
|
default=False, help="Generate a CSR for the IPA CA certificate to be signed by an external CA")
|
|
cert_group.add_option("--external-ca-type", dest="external_ca_type",
|
|
type="choice", choices=("generic", "ms-cs"),
|
|
help="Type of the external CA")
|
|
cert_group.add_option("--external-cert-file", dest="external_cert_files",
|
|
action="append", metavar="FILE",
|
|
help="File containing the IPA CA certificate and the external CA certificate chain")
|
|
cert_group.add_option("--external_cert_file", dest="external_cert_files",
|
|
action="append",
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--external_ca_file", dest="external_cert_files",
|
|
action="append",
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
|
|
default=True, help="disables pkinit setup steps")
|
|
cert_group.add_option("--dirsrv-cert-file", dest="dirsrv_cert_files",
|
|
action="append", metavar="FILE",
|
|
help="File containing the Directory Server SSL certificate and private key")
|
|
cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_cert_files",
|
|
action="append",
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--http-cert-file", dest="http_cert_files",
|
|
action="append", metavar="FILE",
|
|
help="File containing the Apache Server SSL certificate and private key")
|
|
cert_group.add_option("--http_pkcs12", dest="http_cert_files",
|
|
action="append",
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
|
|
action="append", metavar="FILE",
|
|
help="File containing the Kerberos KDC SSL certificate and private key")
|
|
cert_group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
|
|
action="append",
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
|
|
metavar="PIN",
|
|
help="The password to unlock the Directory Server private key")
|
|
cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--http-pin", dest="http_pin", sensitive=True,
|
|
metavar="PIN",
|
|
help="The password to unlock the Apache Server private key")
|
|
cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
|
|
metavar="PIN",
|
|
help="The password to unlock the Kerberos KDC private key")
|
|
cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
|
|
metavar="NAME",
|
|
help="Name of the Directory Server SSL certificate to install")
|
|
cert_group.add_option("--http-cert-name", dest="http_cert_name",
|
|
metavar="NAME",
|
|
help="Name of the Apache Server SSL certificate to install")
|
|
cert_group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
|
|
metavar="NAME",
|
|
help="Name of the Kerberos KDC SSL certificate to install")
|
|
cert_group.add_option("--ca-cert-file", dest="ca_cert_files",
|
|
action="append", metavar="FILE",
|
|
help="File containing CA certificates for the service certificate files")
|
|
cert_group.add_option("--root-ca-file", dest="ca_cert_files",
|
|
action="append",
|
|
help=SUPPRESS_HELP)
|
|
cert_group.add_option("--subject", action="callback", callback=subject_callback,
|
|
type="string",
|
|
help="The certificate subject base (default O=<realm-name>)")
|
|
cert_group.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
|
|
type="choice",
|
|
choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
|
|
help="Signing algorithm of the IPA CA certificate")
|
|
parser.add_option_group(cert_group)
|
|
|
|
dns_group = OptionGroup(parser, "DNS options")
|
|
dns_group.add_option("--setup-dns", dest="setup_dns", action="store_true",
|
|
default=False, help="configure bind with our zone")
|
|
dns_group.add_option("--forwarder", dest="forwarders", action="append",
|
|
type="ip", help="Add a DNS forwarder. This option can be used multiple times")
|
|
dns_group.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
|
|
default=False, help="Do not add any DNS forwarders, use root servers instead")
|
|
dns_group.add_option("--reverse-zone", dest="reverse_zones",
|
|
help="The reverse DNS zone to use. This option can be used multiple times",
|
|
action="append", default=[], metavar="REVERSE_ZONE")
|
|
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
|
|
default=False, help="Do not create reverse DNS zone")
|
|
dns_group.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
|
|
default=False, help="Disable DNSSEC validation")
|
|
dns_group.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
|
|
type="string",
|
|
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
|
|
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
|
|
default=False,
|
|
help="Do not use DNS for hostname lookup during installation")
|
|
dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
|
|
help="Do not automatically create DNS SSHFP records")
|
|
parser.add_option_group(dns_group)
|
|
|
|
uninstall_group = OptionGroup(parser, "uninstall options")
|
|
uninstall_group.add_option("", "--uninstall", dest="uninstall", action="store_true",
|
|
default=False, help="uninstall an existing installation. The uninstall can " \
|
|
"be run with --unattended option")
|
|
parser.add_option_group(uninstall_group)
|
|
|
|
options, args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
if options.dm_password is not None:
|
|
try:
|
|
validate_dm_password(options.dm_password)
|
|
except ValueError, e:
|
|
parser.error("DS admin password: " + str(e))
|
|
if options.admin_password is not None:
|
|
try:
|
|
validate_admin_password(options.admin_password)
|
|
except ValueError, e:
|
|
parser.error("Admin user password: " + str(e))
|
|
|
|
if options.domain_name is not None:
|
|
try:
|
|
validate_domain_name(options.domain_name)
|
|
except ValueError, e:
|
|
parser.error("invalid domain: " + unicode(e))
|
|
|
|
if not options.setup_dns:
|
|
if options.forwarders:
|
|
parser.error("You cannot specify a --forwarder option without the --setup-dns option")
|
|
if options.no_forwarders:
|
|
parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
|
|
if options.reverse_zones:
|
|
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
|
|
if options.no_reverse:
|
|
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
|
|
if options.no_dnssec_validation:
|
|
parser.error("You cannot specify a --no-dnssec-validation option without the --setup-dns option")
|
|
elif options.forwarders and options.no_forwarders:
|
|
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
|
|
elif options.reverse_zones and options.no_reverse:
|
|
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
|
|
|
|
if options.uninstall:
|
|
if (options.realm_name or
|
|
options.admin_password or options.master_password):
|
|
parser.error("In uninstall mode, -a, -r and -P options are not allowed")
|
|
elif options.unattended:
|
|
if (not options.realm_name or
|
|
not options.dm_password or not options.admin_password):
|
|
parser.error("In unattended mode you need to provide at least -r, -p and -a options")
|
|
if options.setup_dns:
|
|
if not options.forwarders and not options.no_forwarders:
|
|
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
|
|
|
|
# If any of the key file options are selected, all are required.
|
|
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
|
|
cert_file_opt = (options.pkinit_cert_files,)
|
|
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
|
|
parser.error("--dirsrv-cert-file and --http-cert-file are required if "
|
|
"any key file options are used.")
|
|
|
|
if options.unattended:
|
|
if options.dirsrv_cert_files and options.dirsrv_pin is None:
|
|
parser.error(
|
|
"You must specify --dirsrv-pin with --dirsrv-cert-file")
|
|
if options.http_cert_files and options.http_pin is None:
|
|
parser.error(
|
|
"You must specify --http-pin with --http-cert-file")
|
|
if options.pkinit_cert_files and options.pkinit_pin is None:
|
|
parser.error(
|
|
"You must specify --pkinit-pin with --pkinit-cert-file")
|
|
|
|
if options.external_cert_files and options.dirsrv_cert_files:
|
|
parser.error("Service certificate file options cannot be used with "
|
|
"the external CA options.")
|
|
|
|
if options.external_ca:
|
|
if options.external_cert_files:
|
|
parser.error("You cannot specify --external-cert-file "
|
|
"together with --external-ca")
|
|
if options.dirsrv_cert_files:
|
|
parser.error("You cannot specify service certificate file options "
|
|
"together with --external-ca")
|
|
|
|
if options.external_ca_type and not options.external_ca:
|
|
parser.error(
|
|
"You cannot specify --external-ca-type without --external-ca")
|
|
|
|
if (options.external_cert_files and
|
|
any(not os.path.isabs(path) for path in options.external_cert_files)):
|
|
parser.error("--external-cert-file must use an absolute path")
|
|
|
|
if options.idmax == 0:
|
|
options.idmax = int(options.idstart) + 200000 - 1
|
|
|
|
if options.idmax < options.idstart:
|
|
parser.error("idmax (%u) cannot be smaller than idstart (%u)" %
|
|
(options.idmax, options.idstart))
|
|
|
|
#Automatically disable pkinit w/ dogtag until that is supported
|
|
options.setup_pkinit = False
|
|
|
|
return safe_options, options
|
|
|
|
def signal_handler(signum, frame):
|
|
global ds
|
|
print "\nCleaning up..."
|
|
if ds:
|
|
print "Removing configuration for %s instance" % ds.serverid
|
|
ds.stop()
|
|
if ds.serverid:
|
|
try:
|
|
dsinstance.remove_ds_instance(ds.serverid)
|
|
except ipautil.CalledProcessError:
|
|
root_logger.error("Failed to remove DS instance. You may "
|
|
"need to remove instance data manually")
|
|
sys.exit(1)
|
|
|
|
def read_cache(dm_password):
|
|
"""
|
|
Returns a dict of cached answers or empty dict if no cache file exists.
|
|
"""
|
|
if not ipautil.file_exists(paths.ROOT_IPA_CACHE):
|
|
return {}
|
|
|
|
top_dir = tempfile.mkdtemp("ipa")
|
|
fname = "%s/cache" % top_dir
|
|
try:
|
|
decrypt_file(paths.ROOT_IPA_CACHE, fname, dm_password, top_dir)
|
|
except Exception, e:
|
|
shutil.rmtree(top_dir)
|
|
raise Exception("Decryption of answer cache in %s failed, please check your password." % paths.ROOT_IPA_CACHE)
|
|
|
|
try:
|
|
with open(fname, 'rb') as f:
|
|
try:
|
|
optdict = pickle.load(f)
|
|
except Exception, e:
|
|
raise Exception("Parse error in %s: %s" % (paths.ROOT_IPA_CACHE, str(e)))
|
|
except IOError, e:
|
|
raise Exception("Read error in %s: %s" % (paths.ROOT_IPA_CACHE, str(e)))
|
|
finally:
|
|
shutil.rmtree(top_dir)
|
|
|
|
# These are the only ones that may be overridden
|
|
try:
|
|
del optdict['external_cert_files']
|
|
except KeyError:
|
|
pass
|
|
|
|
return optdict
|
|
|
|
def write_cache(options):
|
|
"""
|
|
Takes a dict as input and writes a cached file of answers
|
|
"""
|
|
top_dir = tempfile.mkdtemp("ipa")
|
|
fname = "%s/cache" % top_dir
|
|
try:
|
|
with open(fname, 'wb') as f:
|
|
pickle.dump(options, f)
|
|
ipautil.encrypt_file(fname, paths.ROOT_IPA_CACHE, options['dm_password'], top_dir)
|
|
except IOError, e:
|
|
raise Exception("Unable to cache command-line options %s" % str(e))
|
|
finally:
|
|
shutil.rmtree(top_dir)
|
|
|
|
def read_host_name(host_default,no_host_dns=False):
|
|
host_name = ""
|
|
|
|
print "Enter the fully qualified domain name of the computer"
|
|
print "on which you're setting up server software. Using the form"
|
|
print "<hostname>.<domainname>"
|
|
print "Example: master.example.com."
|
|
print ""
|
|
print ""
|
|
if host_default == "":
|
|
host_default = "master.example.com"
|
|
host_name = user_input("Server host name", host_default, allow_empty = False)
|
|
print ""
|
|
verify_fqdn(host_name,no_host_dns)
|
|
|
|
return host_name
|
|
|
|
def read_domain_name(domain_name, unattended):
|
|
print "The domain name has been determined based on the host name."
|
|
print ""
|
|
if not unattended:
|
|
domain_name = user_input("Please confirm the domain name", domain_name)
|
|
print ""
|
|
return domain_name
|
|
|
|
def read_realm_name(domain_name, unattended):
|
|
print "The kerberos protocol requires a Realm name to be defined."
|
|
print "This is typically the domain name converted to uppercase."
|
|
print ""
|
|
|
|
if unattended:
|
|
return domain_name.upper()
|
|
realm_name = user_input("Please provide a realm name", domain_name.upper())
|
|
upper_dom = realm_name.upper() #pylint: disable=E1103
|
|
if upper_dom != realm_name:
|
|
print "An upper-case realm name is required."
|
|
if not user_input("Do you want to use " + upper_dom + " as realm name?", True):
|
|
print ""
|
|
print "An upper-case realm name is required. Unable to continue."
|
|
sys.exit(1)
|
|
else:
|
|
realm_name = upper_dom
|
|
print ""
|
|
return realm_name
|
|
|
|
|
|
def read_dm_password():
|
|
print "Certain directory server operations require an administrative user."
|
|
print "This user is referred to as the Directory Manager and has full access"
|
|
print "to the Directory for system management tasks and will be added to the"
|
|
print "instance of directory server created for IPA."
|
|
print "The password must be at least 8 characters long."
|
|
print ""
|
|
#TODO: provide the option of generating a random password
|
|
dm_password = read_password("Directory Manager", validator=validate_dm_password)
|
|
return dm_password
|
|
|
|
def read_admin_password():
|
|
print "The IPA server requires an administrative user, named 'admin'."
|
|
print "This user is a regular system account used for IPA server administration."
|
|
print ""
|
|
#TODO: provide the option of generating a random password
|
|
admin_password = read_password("IPA admin", validator=validate_admin_password)
|
|
return admin_password
|
|
|
|
def check_dirsrv(unattended):
|
|
(ds_unsecure, ds_secure) = dsinstance.check_ports()
|
|
if not ds_unsecure or not ds_secure:
|
|
print "IPA requires ports 389 and 636 for the Directory Server."
|
|
print "These are currently in use:"
|
|
if not ds_unsecure:
|
|
print "\t389"
|
|
if not ds_secure:
|
|
print "\t636"
|
|
sys.exit(1)
|
|
|
|
def uninstall():
|
|
|
|
rv = 0
|
|
|
|
print "Shutting down all IPA services"
|
|
try:
|
|
(stdout, stderr, rc) = run([paths.IPACTL, "stop"], raiseonerr=False)
|
|
except Exception, e:
|
|
pass
|
|
|
|
# Need to get dogtag info before /etc/ipa/default.conf is removed
|
|
dogtag_constants = dogtag.configured_constants()
|
|
|
|
print "Removing IPA client configuration"
|
|
try:
|
|
(stdout, stderr, rc) = run([paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
|
|
if rc not in [0,2]:
|
|
root_logger.debug("ipa-client-install returned %d" % rc)
|
|
raise RuntimeError(stdout)
|
|
except Exception, e:
|
|
rv = 1
|
|
print "Uninstall of client side components failed!"
|
|
print "ipa-client-install returned: " + str(e)
|
|
|
|
ntpinstance.NTPInstance(fstore).uninstall()
|
|
if not dogtag_constants.SHARED_DB:
|
|
cads_instance = cainstance.CADSInstance(
|
|
dogtag_constants=dogtag_constants)
|
|
if cads_instance.is_configured():
|
|
cads_instance.uninstall()
|
|
|
|
kra_instance = krainstance.KRAInstance(
|
|
api.env.realm, dogtag_constants=dogtag_constants)
|
|
kra_instance.stop_tracking_certificates()
|
|
if kra_instance.is_installed():
|
|
kra_instance.uninstall()
|
|
|
|
ca_instance = cainstance.CAInstance(
|
|
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
|
|
ca_instance.stop_tracking_certificates()
|
|
if ca_instance.is_configured():
|
|
ca_instance.uninstall()
|
|
|
|
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
|
|
if ods.is_configured():
|
|
ods.uninstall()
|
|
|
|
ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
|
|
if ods_exporter.is_configured():
|
|
ods_exporter.uninstall()
|
|
|
|
bind = bindinstance.BindInstance(fstore)
|
|
if bind.is_configured():
|
|
bind.uninstall()
|
|
|
|
dnskeysync = dnskeysyncinstance.DNSKeySyncInstance(fstore)
|
|
if dnskeysync.is_configured():
|
|
dnskeysync.uninstall()
|
|
|
|
httpinstance.HTTPInstance(fstore).uninstall()
|
|
krbinstance.KrbInstance(fstore).uninstall()
|
|
dsinstance.DsInstance(fstore=fstore).uninstall()
|
|
if _server_trust_ad_installed:
|
|
adtrustinstance.ADTRUSTInstance(fstore).uninstall()
|
|
memcacheinstance.MemcacheInstance().uninstall()
|
|
otpdinstance.OtpdInstance().uninstall()
|
|
tasks.restore_network_configuration(fstore, sstore)
|
|
fstore.restore_all_files()
|
|
try:
|
|
os.remove(paths.ROOT_IPA_CACHE)
|
|
except Exception:
|
|
pass
|
|
try:
|
|
os.remove(paths.ROOT_IPA_CSR)
|
|
except Exception:
|
|
pass
|
|
|
|
# ipa-client-install removes /etc/ipa/default.conf
|
|
|
|
sstore._load()
|
|
|
|
ipaclient.ntpconf.restore_forced_ntpd(sstore)
|
|
|
|
# Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
|
|
sstore.restore_state("install", "group_exists")
|
|
|
|
services.knownservices.ipa.disable()
|
|
|
|
ipautil.restore_hostname(sstore)
|
|
|
|
# remove upgrade state file
|
|
sysupgrade.remove_upgrade_file()
|
|
|
|
if fstore.has_files():
|
|
root_logger.error('Some files have not been restored, see %s/sysrestore.index' % SYSRESTORE_DIR_PATH)
|
|
has_state = False
|
|
for module in IPA_MODULES: # from installutils
|
|
if sstore.has_state(module):
|
|
root_logger.error('Some installation state for %s has not been restored, see %s/sysrestore.state' % (module, SYSRESTORE_DIR_PATH))
|
|
has_state = True
|
|
rv = 1
|
|
|
|
if has_state:
|
|
root_logger.error('Some installation state has not been restored.\n'
|
|
'This may cause re-installation to fail.\n'
|
|
'It should be safe to remove %s/sysrestore.state but it may\n'
|
|
'mean your system hasn\'t be restored to its pre-installation state.' % SYSRESTORE_DIR_PATH)
|
|
|
|
# Note that this name will be wrong after the first uninstall.
|
|
dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
|
|
dirs = [dirname, dogtag_constants.ALIAS_DIR, certs.NSS_DIR]
|
|
ids = certmonger.check_state(dirs)
|
|
if ids:
|
|
root_logger.error('Some certificates may still be tracked by certmonger.\nThis will cause re-installation to fail.\nStart the certmonger service and list the certificates being tracked\n # getcert list\nThese may be untracked by executing\n # getcert stop-tracking -i <request_id>\nfor each id in: %s' % ', '.join(ids))
|
|
|
|
return rv
|
|
|
|
|
|
def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
|
|
ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
|
|
dsinstance.realm_to_serverid(realm_name)
|
|
)
|
|
try:
|
|
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
|
|
conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
|
|
except errors.ExecutionError, e:
|
|
root_logger.critical("Could not connect to the Directory Server on %s" % realm_name)
|
|
raise e
|
|
entry_attrs = conn.get_ipa_config()
|
|
if 'ipacertificatesubjectbase' not in entry_attrs:
|
|
entry_attrs['ipacertificatesubjectbase'] = [str(subject_base)]
|
|
conn.update_entry(entry_attrs)
|
|
conn.disconnect()
|
|
|
|
|
|
def main():
|
|
global ds
|
|
global uninstalling
|
|
global installation_cleanup
|
|
ds = None
|
|
|
|
safe_options, options = parse_options()
|
|
|
|
if os.getegid() != 0:
|
|
sys.exit("Must be root to set up server")
|
|
|
|
tasks.check_selinux_status()
|
|
|
|
signal.signal(signal.SIGTERM, signal_handler)
|
|
signal.signal(signal.SIGINT, signal_handler)
|
|
|
|
if options.uninstall:
|
|
uninstalling = True
|
|
standard_logging_setup(paths.IPASERVER_UNINSTALL_LOG, debug=options.debug)
|
|
installation_cleanup = False
|
|
else:
|
|
standard_logging_setup(paths.IPASERVER_INSTALL_LOG, debug=options.debug)
|
|
print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
|
|
if not options.external_ca and not options.external_cert_files and is_ipa_configured():
|
|
installation_cleanup = False
|
|
sys.exit("IPA server is already configured on this system.\n" +
|
|
"If you want to reinstall the IPA server, please uninstall " +
|
|
"it first using 'ipa-server-install --uninstall'.")
|
|
|
|
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
|
if client_fstore.has_files():
|
|
installation_cleanup = False
|
|
sys.exit("IPA client is already configured on this system.\n" +
|
|
"Please uninstall it before configuring the IPA server, " +
|
|
"using 'ipa-client-install --uninstall'")
|
|
|
|
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
|
|
root_logger.debug("missing options might be asked for interactively later\n")
|
|
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
|
|
|
|
global fstore
|
|
fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
|
|
global sstore
|
|
sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
|
|
|
|
# Configuration for ipalib, we will bootstrap and finalize later, after
|
|
# we are sure we have the configuration file ready.
|
|
cfg = dict(
|
|
context='installer',
|
|
in_server=True,
|
|
debug=options.debug
|
|
)
|
|
|
|
if options.uninstall:
|
|
|
|
# We will need at least api.env, finalize api now. This system is
|
|
# already installed, so the configuration file is there.
|
|
api.bootstrap(**cfg)
|
|
api.finalize()
|
|
|
|
if not options.unattended:
|
|
print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n"
|
|
if not user_input("Are you sure you want to continue with the uninstall procedure?", False):
|
|
print ""
|
|
print "Aborting uninstall operation."
|
|
sys.exit(1)
|
|
|
|
try:
|
|
conn = ipaldap.IPAdmin(
|
|
api.env.host,
|
|
ldapi=True,
|
|
realm=api.env.realm
|
|
)
|
|
conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
|
|
except Exception:
|
|
msg = ("\nWARNING: Failed to connect to Directory Server to find "
|
|
"information about replication agreements. Uninstallation "
|
|
"will continue despite the possible existing replication "
|
|
"agreements.\n\n")
|
|
print textwrap.fill(msg, width=80, replace_whitespace=False)
|
|
else:
|
|
|
|
# test if server is DNSSEC key master
|
|
masters = opendnssecinstance.get_dnssec_key_masters(conn)
|
|
if api.env.host in masters:
|
|
print "This server is active DNSSEC key master. Uninstall could break your DNS system."
|
|
if not (options.unattended or user_input("Are you sure you "
|
|
"want to continue "
|
|
"with the uninstall "
|
|
"procedure?",
|
|
False)):
|
|
print ""
|
|
print "Aborting uninstall operation."
|
|
sys.exit(1)
|
|
|
|
rm = replication.ReplicationManager(
|
|
realm=api.env.realm,
|
|
hostname=api.env.host,
|
|
dirman_passwd=None,
|
|
conn=conn
|
|
)
|
|
agreements = rm.find_ipa_replication_agreements()
|
|
|
|
if agreements:
|
|
other_masters = [a.get('cn')[0][4:] for a in agreements]
|
|
msg = (
|
|
"\nReplication agreements with the following IPA masters "
|
|
"found: %s. Removing any replication agreements before "
|
|
"uninstalling the server is strongly recommended. You can "
|
|
"remove replication agreements by running the following "
|
|
"command on any other IPA master:\n" % ", ".join(
|
|
other_masters)
|
|
)
|
|
cmd = "$ ipa-replica-manage del %s\n" % api.env.host
|
|
print textwrap.fill(msg, width=80, replace_whitespace=False)
|
|
print cmd
|
|
if not (options.unattended or user_input("Are you sure you "
|
|
"want to continue "
|
|
"with the uninstall "
|
|
"procedure?",
|
|
False)):
|
|
print ""
|
|
print "Aborting uninstall operation."
|
|
sys.exit(1)
|
|
|
|
return uninstall()
|
|
|
|
if options.external_ca:
|
|
if cainstance.is_step_one_done():
|
|
print ("CA is already installed.\nRun the installer with "
|
|
"--external-cert-file.")
|
|
sys.exit(1)
|
|
if ipautil.file_exists(paths.ROOT_IPA_CSR):
|
|
print ("CA CSR file %s already exists.\nIn order to continue "
|
|
"remove the file and run the installer again." %
|
|
paths.ROOT_IPA_CSR)
|
|
sys.exit(1)
|
|
elif options.external_cert_files:
|
|
if not cainstance.is_step_one_done():
|
|
# This can happen if someone passes external_ca_file without
|
|
# already having done the first stage of the CA install.
|
|
print ("CA is not installed yet. To install with an external CA "
|
|
"is a two-stage process.\nFirst run the installer with "
|
|
"--external-ca.")
|
|
sys.exit(1)
|
|
|
|
# This will override any settings passed in on the cmdline
|
|
if ipautil.file_exists(paths.ROOT_IPA_CACHE):
|
|
if options.dm_password is not None:
|
|
dm_password = options.dm_password
|
|
else:
|
|
dm_password = read_password("Directory Manager", confirm=False)
|
|
if dm_password is None:
|
|
sys.exit("Directory Manager password required")
|
|
try:
|
|
options._update_loose(read_cache(dm_password))
|
|
except Exception, e:
|
|
sys.exit("Cannot process the cache file: %s" % str(e))
|
|
|
|
if options.external_cert_files:
|
|
external_cert_file, external_ca_file = load_external_cert(
|
|
options.external_cert_files, options.subject)
|
|
|
|
# We only set up the CA if the PKCS#12 options are not given.
|
|
if options.dirsrv_cert_files:
|
|
setup_ca = False
|
|
setup_kra = False
|
|
else:
|
|
setup_ca = True
|
|
# setup_kra is set to False until Dogtag 10.2 is available for IPA to consume
|
|
# Until then users that want to install the KRA need to use ipa-install-kra
|
|
# TODO set setup_kra = True when Dogtag 10.2 is available
|
|
setup_kra = False
|
|
|
|
# Figure out what external CA step we're in. See cainstance.py for more
|
|
# info on the 3 states.
|
|
if options.external_cert_files:
|
|
external = 2
|
|
elif options.external_ca:
|
|
external = 1
|
|
else:
|
|
external = 0
|
|
|
|
print "=============================================================================="
|
|
print "This program will set up the FreeIPA Server."
|
|
print ""
|
|
print "This includes:"
|
|
if setup_ca:
|
|
print " * Configure a stand-alone CA (dogtag) for certificate management"
|
|
if setup_kra:
|
|
print " * Configure a stand-alone KRA (dogtag) for key storage"
|
|
if options.conf_ntp:
|
|
print " * Configure the Network Time Daemon (ntpd)"
|
|
print " * Create and configure an instance of Directory Server"
|
|
print " * Create and configure a Kerberos Key Distribution Center (KDC)"
|
|
print " * Configure Apache (httpd)"
|
|
if options.setup_dns:
|
|
print " * Configure DNS (bind)"
|
|
if options.setup_pkinit:
|
|
print " * Configure the KDC to enable PKINIT"
|
|
if not options.conf_ntp:
|
|
print ""
|
|
print "Excluded by options:"
|
|
print " * Configure the Network Time Daemon (ntpd)"
|
|
if not options.unattended:
|
|
print ""
|
|
print "To accept the default shown in brackets, press the Enter key."
|
|
print ""
|
|
|
|
if external != 2:
|
|
# Make sure the 389-ds ports are available
|
|
check_dirsrv(options.unattended)
|
|
|
|
if setup_ca:
|
|
if not cainstance.check_port():
|
|
print ("IPA requires port 8443 for PKI but it is currently in "
|
|
"use.")
|
|
sys.exit("Aborting installation")
|
|
|
|
if options.conf_ntp:
|
|
try:
|
|
ipaclient.ntpconf.check_timedate_services()
|
|
except ipaclient.ntpconf.NTPConflictingService, e:
|
|
print "WARNING: conflicting time&date synchronization service '%s'" \
|
|
" will be disabled" % e.conflicting_service
|
|
print "in favor of ntpd"
|
|
print ""
|
|
except ipaclient.ntpconf.NTPConfigurationError:
|
|
pass
|
|
|
|
# Check to see if httpd is already configured to listen on 443
|
|
if httpinstance.httpd_443_configured():
|
|
sys.exit("Aborting installation")
|
|
|
|
realm_name = ""
|
|
host_name = ""
|
|
domain_name = ""
|
|
ip_addresses = []
|
|
master_password = ""
|
|
dm_password = ""
|
|
admin_password = ""
|
|
reverse_zones = []
|
|
|
|
if not options.setup_dns and not options.unattended:
|
|
if ipautil.user_input("Do you want to configure integrated DNS (BIND)?", False):
|
|
options.setup_dns = True
|
|
print ""
|
|
|
|
# check bind packages are installed
|
|
if options.setup_dns:
|
|
if not (bindinstance.check_inst(options.unattended) and
|
|
dnskeysyncinstance.check_inst()):
|
|
sys.exit("Aborting installation")
|
|
|
|
# Don't require an external DNS to say who we are if we are
|
|
# setting up a local DNS server.
|
|
options.no_host_dns = True
|
|
|
|
# check the hostname is correctly configured, it must be as the kldap
|
|
# utilities just use the hostname as returned by getaddrinfo to set
|
|
# up some of the standard entries
|
|
|
|
host_default = ""
|
|
if options.host_name:
|
|
host_default = options.host_name
|
|
else:
|
|
host_default = get_fqdn()
|
|
|
|
try:
|
|
if options.unattended or options.host_name:
|
|
verify_fqdn(host_default,options.no_host_dns)
|
|
host_name = host_default
|
|
else:
|
|
host_name = read_host_name(host_default,options.no_host_dns)
|
|
except BadHostError, e:
|
|
sys.exit(str(e) + "\n")
|
|
|
|
host_name = host_name.lower()
|
|
root_logger.debug("will use host_name: %s\n" % host_name)
|
|
|
|
system_hostname = get_fqdn()
|
|
if host_name != system_hostname:
|
|
print >>sys.stderr
|
|
print >>sys.stderr, "Warning: hostname %s does not match system hostname %s." \
|
|
% (host_name, system_hostname)
|
|
print >>sys.stderr, "System hostname will be updated during the installation process"
|
|
print >>sys.stderr, "to prevent service failures."
|
|
print >>sys.stderr
|
|
|
|
if not options.domain_name:
|
|
domain_name = read_domain_name(host_name[host_name.find(".")+1:], options.unattended)
|
|
root_logger.debug("read domain_name: %s\n" % domain_name)
|
|
try:
|
|
validate_domain_name(domain_name)
|
|
except ValueError, e:
|
|
sys.exit("Invalid domain name: %s" % unicode(e))
|
|
else:
|
|
domain_name = options.domain_name
|
|
|
|
domain_name = domain_name.lower()
|
|
|
|
ip_addresses = get_server_ip_address(host_name, fstore,
|
|
options.unattended, options.setup_dns, options.ip_addresses)
|
|
|
|
if not options.realm_name:
|
|
realm_name = read_realm_name(domain_name, options.unattended)
|
|
root_logger.debug("read realm_name: %s\n" % realm_name)
|
|
else:
|
|
realm_name = options.realm_name.upper()
|
|
|
|
if not options.subject:
|
|
options.subject = DN(('O', realm_name))
|
|
|
|
if options.http_cert_files:
|
|
if options.http_pin is None:
|
|
options.http_pin = installutils.read_password(
|
|
"Enter Apache Server private key unlock",
|
|
confirm=False, validate=False)
|
|
if options.http_pin is None:
|
|
sys.exit(
|
|
"Apache Server private key unlock password required")
|
|
http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
|
|
cert_files=options.http_cert_files,
|
|
key_password=options.http_pin,
|
|
key_nickname=options.http_cert_name,
|
|
ca_cert_files=options.ca_cert_files,
|
|
host_name=host_name)
|
|
http_pkcs12_info = (http_pkcs12_file.name, http_pin)
|
|
|
|
if options.dirsrv_cert_files:
|
|
if options.dirsrv_pin is None:
|
|
options.dirsrv_pin = read_password(
|
|
"Enter Directory Server private key unlock",
|
|
confirm=False, validate=False)
|
|
if options.dirsrv_pin is None:
|
|
sys.exit(
|
|
"Directory Server private key unlock password required")
|
|
dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
|
|
cert_files=options.dirsrv_cert_files,
|
|
key_password=options.dirsrv_pin,
|
|
key_nickname=options.dirsrv_cert_name,
|
|
ca_cert_files=options.ca_cert_files,
|
|
host_name=host_name)
|
|
dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
|
|
|
|
if options.pkinit_cert_files:
|
|
if options.pkinit_pin is None:
|
|
options.pkinit_pin = read_password(
|
|
"Enter Kerberos KDC private key unlock",
|
|
confirm=False, validate=False)
|
|
if options.pkinit_pin is None:
|
|
sys.exit(
|
|
"Kerberos KDC private key unlock password required")
|
|
pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
|
|
cert_files=options.pkinit_cert_files,
|
|
key_password=options.pkinit_pin,
|
|
key_nickname=options.pkinit_cert_name,
|
|
ca_cert_files=options.ca_cert_files,
|
|
host_name=host_name)
|
|
pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
|
|
|
|
if (options.http_cert_files and options.dirsrv_cert_files and
|
|
http_ca_cert != dirsrv_ca_cert):
|
|
sys.exit("Apache Server SSL certificate and Directory Server SSL "
|
|
"certificate are not signed by the same CA certificate")
|
|
|
|
if not options.dm_password:
|
|
dm_password = read_dm_password()
|
|
|
|
if dm_password is None:
|
|
sys.exit("Directory Manager password required")
|
|
else:
|
|
dm_password = options.dm_password
|
|
|
|
if not options.master_password:
|
|
master_password = ipa_generate_password()
|
|
else:
|
|
master_password = options.master_password
|
|
|
|
if not options.admin_password:
|
|
admin_password = read_admin_password()
|
|
if admin_password is None:
|
|
sys.exit("IPA admin password required")
|
|
else:
|
|
admin_password = options.admin_password
|
|
|
|
if options.setup_dns:
|
|
if options.no_forwarders:
|
|
dns_forwarders = ()
|
|
elif options.forwarders:
|
|
dns_forwarders = options.forwarders
|
|
else:
|
|
dns_forwarders = read_dns_forwarders()
|
|
|
|
#test DNSSEC forwarders
|
|
if dns_forwarders:
|
|
if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
|
|
and not options.no_dnssec_validation):
|
|
options.no_dnssec_validation = True
|
|
print "WARNING: DNSSEC validation will be disabled"
|
|
|
|
reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
|
|
options.reverse_zones, options, options.unattended)
|
|
|
|
if reverse_zones:
|
|
print "Using reverse zone(s) %s" % ", ".join(str(rz) for rz in reverse_zones)
|
|
else:
|
|
dns_forwarders = ()
|
|
root_logger.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))
|
|
|
|
print
|
|
print "The IPA Master Server will be configured with:"
|
|
print "Hostname: %s" % host_name
|
|
print "IP address(es): %s" % ", ".join(str(ip) for ip in ip_addresses)
|
|
print "Domain name: %s" % domain_name
|
|
print "Realm name: %s" % realm_name
|
|
print
|
|
|
|
if options.setup_dns:
|
|
print "BIND DNS server will be configured to serve IPA domain with:"
|
|
print "Forwarders: %s" % ("No forwarders" if not dns_forwarders \
|
|
else ", ".join([str(ip) for ip in dns_forwarders]))
|
|
print "Reverse zone(s): %s" % ("No reverse zone" if options.no_reverse \
|
|
or reverse_zones is None else ", ".join(str(rz) for rz in reverse_zones))
|
|
print
|
|
|
|
# If domain name and realm does not match, IPA server will not be able
|
|
# to estabilish trust with Active Directory. Print big fat warning.
|
|
|
|
realm_not_matching_domain = (domain_name.upper() != realm_name)
|
|
|
|
if realm_not_matching_domain:
|
|
print("WARNING: Realm name does not match the domain name.\n"
|
|
"You will not be able to estabilish trusts with Active "
|
|
"Directory unless\nthe realm name of the IPA server matches "
|
|
"its domain name.\n\n")
|
|
|
|
if not options.unattended and not user_input("Continue to configure the system with these values?", False):
|
|
sys.exit("Installation aborted")
|
|
|
|
# Installation has started. No IPA sysrestore items are restored in case of
|
|
# failure to enable root cause investigation
|
|
installation_cleanup = False
|
|
|
|
# Create the management framework config file and finalize api
|
|
target_fname = paths.IPA_DEFAULT_CONF
|
|
fd = open(target_fname, "w")
|
|
fd.write("[global]\n")
|
|
fd.write("host=%s\n" % host_name)
|
|
fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
|
|
fd.write("realm=%s\n" % realm_name)
|
|
fd.write("domain=%s\n" % domain_name)
|
|
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
|
|
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
|
|
if setup_ca:
|
|
fd.write("enable_ra=True\n")
|
|
fd.write("ra_plugin=dogtag\n")
|
|
fd.write("dogtag_version=%s\n" %
|
|
dogtag.install_constants.DOGTAG_VERSION)
|
|
else:
|
|
fd.write("enable_ra=False\n")
|
|
fd.write("ra_plugin=none\n")
|
|
fd.write("enable_kra=%s\n" % setup_kra)
|
|
fd.write("mode=production\n")
|
|
fd.close()
|
|
|
|
# Must be readable for everyone
|
|
os.chmod(target_fname, 0644)
|
|
|
|
api.bootstrap(**cfg)
|
|
api.finalize()
|
|
|
|
if not options.unattended:
|
|
print ""
|
|
print "The following operations may take some minutes to complete."
|
|
print "Please wait until the prompt is returned."
|
|
print ""
|
|
|
|
if host_name != system_hostname:
|
|
root_logger.debug("Chosen hostname (%s) differs from system hostname (%s) - change it" \
|
|
% (host_name, system_hostname))
|
|
# configure /etc/sysconfig/network to contain the custom hostname
|
|
tasks.backup_and_replace_hostname(fstore, sstore, host_name)
|
|
|
|
# Create DS user/group if it doesn't exist yet
|
|
dsinstance.create_ds_user()
|
|
|
|
# Create a directory server instance
|
|
if external != 2:
|
|
# Configure ntpd
|
|
if options.conf_ntp:
|
|
ipaclient.ntpconf.force_ntpd(sstore)
|
|
ntp = ntpinstance.NTPInstance(fstore)
|
|
if not ntp.is_configured():
|
|
ntp.create_instance()
|
|
|
|
if options.dirsrv_cert_files:
|
|
ds = dsinstance.DsInstance(fstore=fstore)
|
|
ds.create_instance(realm_name, host_name, domain_name,
|
|
dm_password, dirsrv_pkcs12_info,
|
|
idstart=options.idstart, idmax=options.idmax,
|
|
subject_base=options.subject,
|
|
hbac_allow=not options.hbac_allow)
|
|
else:
|
|
ds = dsinstance.DsInstance(fstore=fstore)
|
|
ds.create_instance(realm_name, host_name, domain_name,
|
|
dm_password,
|
|
idstart=options.idstart, idmax=options.idmax,
|
|
subject_base=options.subject,
|
|
hbac_allow=not options.hbac_allow)
|
|
else:
|
|
ds = dsinstance.DsInstance(fstore=fstore)
|
|
ds.init_info(
|
|
realm_name, host_name, domain_name, dm_password,
|
|
options.subject, 1101, 1100, None)
|
|
|
|
|
|
if setup_ca:
|
|
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
|
|
dogtag_constants=dogtag.install_constants)
|
|
if external == 0:
|
|
ca.configure_instance(host_name, domain_name, dm_password,
|
|
dm_password, subject_base=options.subject,
|
|
ca_signing_algorithm=options.ca_signing_algorithm)
|
|
elif external == 1:
|
|
# stage 1 of external CA installation
|
|
options.realm_name = realm_name
|
|
options.domain_name = domain_name
|
|
options.master_password = master_password
|
|
options.dm_password = dm_password
|
|
options.admin_password = admin_password
|
|
options.host_name = host_name
|
|
options.unattended = True
|
|
options.forwarders = dns_forwarders
|
|
options.reverse_zones = reverse_zones
|
|
write_cache(vars(options))
|
|
ca.configure_instance(host_name, domain_name, dm_password,
|
|
dm_password, csr_file=paths.ROOT_IPA_CSR,
|
|
subject_base=options.subject,
|
|
ca_signing_algorithm=options.ca_signing_algorithm,
|
|
ca_type=options.external_ca_type)
|
|
else:
|
|
# stage 2 of external CA installation
|
|
ca.configure_instance(host_name, domain_name, dm_password,
|
|
dm_password,
|
|
cert_file=external_cert_file.name,
|
|
cert_chain_file=external_ca_file.name,
|
|
subject_base=options.subject,
|
|
ca_signing_algorithm=options.ca_signing_algorithm)
|
|
|
|
# Now put the CA cert where other instances exepct it
|
|
ca.publish_ca_cert(CACERT)
|
|
else:
|
|
# Put the CA cert where other instances expect it
|
|
x509.write_certificate(http_ca_cert, CACERT)
|
|
os.chmod(CACERT, 0444)
|
|
|
|
# we now need to enable ssl on the ds
|
|
ds.enable_ssl()
|
|
|
|
if setup_ca:
|
|
# We need to ldap_enable the CA now that DS is up and running
|
|
ca.ldap_enable('CA', host_name, dm_password,
|
|
ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])
|
|
|
|
# This is done within stopped_service context, which restarts CA
|
|
ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH)
|
|
|
|
krb = krbinstance.KrbInstance(fstore)
|
|
if options.pkinit_cert_files:
|
|
krb.create_instance(realm_name, host_name, domain_name,
|
|
dm_password, master_password,
|
|
setup_pkinit=options.setup_pkinit,
|
|
pkcs12_info=pkinit_pkcs12_info,
|
|
subject_base=options.subject)
|
|
else:
|
|
krb.create_instance(realm_name, host_name, domain_name,
|
|
dm_password, master_password,
|
|
setup_pkinit=options.setup_pkinit,
|
|
subject_base=options.subject)
|
|
|
|
# The DS instance is created before the keytab, add the SSL cert we
|
|
# generated
|
|
ds.add_cert_to_service()
|
|
|
|
memcache = memcacheinstance.MemcacheInstance()
|
|
memcache.create_instance('MEMCACHE', host_name, dm_password,
|
|
ipautil.realm_to_suffix(realm_name))
|
|
|
|
otpd = otpdinstance.OtpdInstance()
|
|
otpd.create_instance('OTPD', host_name, dm_password,
|
|
ipautil.realm_to_suffix(realm_name))
|
|
|
|
# Create a HTTP instance
|
|
http = httpinstance.HTTPInstance(fstore)
|
|
if options.http_cert_files:
|
|
http.create_instance(
|
|
realm_name, host_name, domain_name, dm_password,
|
|
pkcs12_info=http_pkcs12_info, subject_base=options.subject,
|
|
auto_redirect=options.ui_redirect,
|
|
ca_is_configured=setup_ca)
|
|
else:
|
|
http.create_instance(
|
|
realm_name, host_name, domain_name, dm_password,
|
|
subject_base=options.subject, auto_redirect=options.ui_redirect,
|
|
ca_is_configured=setup_ca)
|
|
tasks.restore_context(paths.CACHE_IPA_SESSIONS)
|
|
|
|
# Export full CA chain
|
|
ca_db = certs.CertDB(realm_name)
|
|
os.chmod(CACERT, 0644)
|
|
ca_db.publish_ca_cert(CACERT)
|
|
|
|
set_subject_in_config(realm_name, dm_password, ipautil.realm_to_suffix(realm_name), options.subject)
|
|
|
|
# Apply any LDAP updates. Needs to be done after the configuration file
|
|
# is created
|
|
service.print_msg("Applying LDAP updates")
|
|
ds.apply_updates()
|
|
|
|
# Restart ds and krb after configurations have been changed
|
|
service.print_msg("Restarting the directory server")
|
|
ds.restart()
|
|
|
|
service.print_msg("Restarting the KDC")
|
|
krb.restart()
|
|
|
|
if setup_ca:
|
|
service.print_msg("Restarting the certificate server")
|
|
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
|
|
|
|
# Create a BIND instance
|
|
bind = bindinstance.BindInstance(fstore, dm_password)
|
|
bind.setup(host_name, ip_addresses, realm_name, domain_name, dns_forwarders,
|
|
options.conf_ntp, reverse_zones, zonemgr=options.zonemgr,
|
|
ca_configured=setup_ca,
|
|
no_dnssec_validation=options.no_dnssec_validation)
|
|
if options.setup_dns:
|
|
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)
|
|
|
|
bind.create_instance()
|
|
dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
|
|
dnskeysyncd.create_instance(api.env.host, api.env.realm)
|
|
dnskeysyncd.start_dnskeysyncd()
|
|
bind.start_named()
|
|
print ""
|
|
bind.check_global_configuration()
|
|
print ""
|
|
else:
|
|
bind.create_sample_bind_zone()
|
|
|
|
# Restart httpd to pick up the new IPA configuration
|
|
service.print_msg("Restarting the web server")
|
|
http.restart()
|
|
|
|
if setup_kra:
|
|
kra = krainstance.KRAInstance(realm_name,
|
|
dogtag_constants=dogtag.install_constants)
|
|
kra.configure_instance(host_name, domain_name, dm_password,
|
|
dm_password, subject_base=options.subject)
|
|
|
|
# This is done within stopped_service context, which restarts KRA
|
|
service.print_msg("Restarting the directory server")
|
|
ds.restart()
|
|
|
|
service.print_msg("Enabling KRA to authenticate with the database "
|
|
"using client certificates")
|
|
kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
|
|
|
|
# Set the admin user kerberos password
|
|
ds.change_admin_password(admin_password)
|
|
|
|
# Call client install script
|
|
try:
|
|
args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name]
|
|
if not options.create_sshfp:
|
|
args.append("--no-dns-sshfp")
|
|
if options.trust_sshfp:
|
|
args.append("--ssh-trust-dns")
|
|
if not options.conf_ssh:
|
|
args.append("--no-ssh")
|
|
if not options.conf_sshd:
|
|
args.append("--no-sshd")
|
|
if options.mkhomedir:
|
|
args.append("--mkhomedir")
|
|
run(args)
|
|
except Exception, e:
|
|
sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
|
|
|
|
|
|
#Everything installed properly, activate ipa service.
|
|
services.knownservices.ipa.enable()
|
|
|
|
print "=============================================================================="
|
|
print "Setup complete"
|
|
print ""
|
|
print "Next steps:"
|
|
print "\t1. You must make sure these network ports are open:"
|
|
print "\t\tTCP Ports:"
|
|
print "\t\t * 80, 443: HTTP/HTTPS"
|
|
print "\t\t * 389, 636: LDAP/LDAPS"
|
|
print "\t\t * 88, 464: kerberos"
|
|
if options.setup_dns:
|
|
print "\t\t * 53: bind"
|
|
print "\t\tUDP Ports:"
|
|
print "\t\t * 88, 464: kerberos"
|
|
if options.setup_dns:
|
|
print "\t\t * 53: bind"
|
|
if options.conf_ntp:
|
|
print "\t\t * 123: ntp"
|
|
print ""
|
|
print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'"
|
|
print "\t This ticket will allow you to use the IPA tools (e.g., ipa user-add)"
|
|
print "\t and the web user interface."
|
|
|
|
if not services.knownservices.ntpd.is_running():
|
|
print "\t3. Kerberos requires time synchronization between clients"
|
|
print "\t and servers for correct operation. You should consider enabling ntpd."
|
|
|
|
print ""
|
|
if setup_ca:
|
|
print "Be sure to back up the CA certificates stored in " + paths.CACERT_P12
|
|
if setup_kra:
|
|
print "and the KRA certificates stored in " + paths.KRACERT_P12
|
|
print "These files are required to create replicas. The password for these"
|
|
print "files is the Directory Manager password"
|
|
else:
|
|
print "In order for Firefox autoconfiguration to work you will need to"
|
|
print "use a SSL signing certificate. See the IPA documentation for more details."
|
|
|
|
if ipautil.file_exists(paths.ROOT_IPA_CACHE):
|
|
os.remove(paths.ROOT_IPA_CACHE)
|
|
return 0
|
|
|
|
if __name__ == '__main__':
|
|
success = False
|
|
|
|
try:
|
|
# FIXME: Common option parsing, logging setup, etc should be factored
|
|
# out from all install scripts
|
|
safe_options, options = parse_options()
|
|
if options.uninstall:
|
|
log_file_name = paths.IPASERVER_UNINSTALL_LOG
|
|
else:
|
|
log_file_name = paths.IPASERVER_INSTALL_LOG
|
|
|
|
# Use private ccache
|
|
with private_ccache():
|
|
installutils.run_script(main, log_file_name=log_file_name,
|
|
operation_name='ipa-server-install')
|
|
success = True
|
|
|
|
finally:
|
|
if not success and installation_cleanup:
|
|
# Do a cautious clean up as we don't know what failed and what is
|
|
# the state of the environment
|
|
try:
|
|
fstore.restore_file(paths.HOSTS)
|
|
except:
|
|
pass
|