mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 17:01:14 -06:00
fea7163e87
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
769 lines
30 KiB
Python
Executable File
769 lines
30 KiB
Python
Executable File
#! /usr/bin/python2 -E
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import sys
|
|
import socket
|
|
|
|
import os, pwd, shutil
|
|
from optparse import OptionGroup
|
|
from contextlib import contextmanager
|
|
|
|
import dns.resolver
|
|
import dns.reversename
|
|
import dns.exception
|
|
|
|
from ipapython import ipautil
|
|
|
|
from ipaserver.install import dsinstance, installutils, krbinstance, service
|
|
from ipaserver.install import bindinstance, httpinstance, ntpinstance
|
|
from ipaserver.install import memcacheinstance
|
|
from ipaserver.install import otpdinstance
|
|
from ipaserver.install.replication import replica_conn_check, ReplicationManager
|
|
from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
|
|
read_replica_info, get_host_name, BadHostError, private_ccache,
|
|
read_replica_info_dogtag_port)
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
from ipaserver.install import cainstance
|
|
from ipalib import api, errors, util
|
|
from ipalib.constants import CACERT
|
|
from ipapython import version
|
|
from ipapython.config import IPAOptionParser
|
|
from ipapython import sysrestore
|
|
from ipapython import services as ipaservices
|
|
from ipapython.ipa_log_manager import *
|
|
from ipapython import dogtag
|
|
from ipapython.dn import DN
|
|
import ipaclient.ntpconf
|
|
|
|
log_file_name = "/var/log/ipareplica-install.log"
|
|
REPLICA_INFO_TOP_DIR = None
|
|
DIRMAN_DN = DN(('cn', 'directory manager'))
|
|
|
|
def parse_options():
|
|
usage = "%prog [options] REPLICA_FILE"
|
|
parser = IPAOptionParser(usage=usage, version=version.VERSION)
|
|
|
|
basic_group = OptionGroup(parser, "basic options")
|
|
basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
|
|
default=False, help="configure a dogtag CA")
|
|
basic_group.add_option("--ip-address", dest="ip_address",
|
|
type="ip", ip_local=True,
|
|
help="Replica server IP Address")
|
|
basic_group.add_option("-p", "--password", dest="password", sensitive=True,
|
|
help="Directory Manager (existing master) password")
|
|
basic_group.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
|
|
help="Admin user Kerberos password used for connection check")
|
|
basic_group.add_option("--mkhomedir",
|
|
dest="mkhomedir",
|
|
action="store_true",
|
|
default=False,
|
|
help="create home directories for users "
|
|
"on their first login")
|
|
basic_group.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
|
|
help="do not configure ntp", default=True)
|
|
basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
|
|
default=True, help="Do not automatically redirect to the Web UI")
|
|
basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
|
|
help="configure OpenSSH client to trust DNS SSHFP records")
|
|
basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
|
|
help="do not configure OpenSSH client")
|
|
basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
|
|
help="do not configure OpenSSH server")
|
|
basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
|
|
default=False, help="skip connection check to remote master")
|
|
basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
|
|
default=False, help="gather extra debugging information")
|
|
basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
|
|
default=False, help="unattended installation never prompts the user")
|
|
parser.add_option_group(basic_group)
|
|
|
|
cert_group = OptionGroup(parser, "certificate system options")
|
|
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
|
|
default=True, help="disables pkinit setup steps")
|
|
cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
|
|
default=False, help="skip check for updated CA DS schema on the remote master")
|
|
parser.add_option_group(cert_group)
|
|
|
|
dns_group = OptionGroup(parser, "DNS options")
|
|
dns_group.add_option("--setup-dns", dest="setup_dns", action="store_true",
|
|
default=False, help="configure bind with our zone")
|
|
dns_group.add_option("--forwarder", dest="forwarders", action="append",
|
|
type="ip", help="Add a DNS forwarder")
|
|
dns_group.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
|
|
default=False, help="Do not add any DNS forwarders, use root servers instead")
|
|
dns_group.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
|
|
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
|
|
default=False, help="Do not create new reverse DNS zone")
|
|
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
|
|
default=False,
|
|
help="Do not use DNS for hostname lookup during installation")
|
|
dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
|
|
help="do not automatically create DNS SSHFP records")
|
|
parser.add_option_group(dns_group)
|
|
|
|
options, args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
if len(args) != 1:
|
|
parser.error("you must provide a file generated by ipa-replica-prepare")
|
|
|
|
if not options.setup_dns:
|
|
if options.forwarders:
|
|
parser.error("You cannot specify a --forwarder option without the --setup-dns option")
|
|
if options.no_forwarders:
|
|
parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
|
|
if options.reverse_zone:
|
|
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
|
|
if options.no_reverse:
|
|
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
|
|
elif options.forwarders and options.no_forwarders:
|
|
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
|
|
elif not options.forwarders and not options.no_forwarders:
|
|
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
|
|
elif options.reverse_zone and options.no_reverse:
|
|
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
|
|
|
|
return safe_options, options, args[0]
|
|
|
|
def get_dirman_password():
|
|
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
|
|
|
|
def set_owner(config, dir):
|
|
pw = pwd.getpwnam(dsinstance.DS_USER)
|
|
os.chown(dir, pw.pw_uid, pw.pw_gid)
|
|
|
|
|
|
def make_pkcs12_info(directory, cert_name, password_name):
|
|
"""Make pkcs12_info
|
|
|
|
:param directory: Base directory (config.dir)
|
|
:param cert_name: Cert filename (e.g. "dscert.p12")
|
|
:param password_name: Cert filename (e.g. "dirsrv_pin.txt")
|
|
:return: a (full cert path, password) tuple, or None if cert is not found
|
|
"""
|
|
cert_path = os.path.join(directory, cert_name)
|
|
if ipautil.file_exists(cert_path):
|
|
password_file = os.path.join(directory, password_name)
|
|
password = open(password_file).read().strip()
|
|
return cert_path, password
|
|
else:
|
|
return None
|
|
|
|
|
|
def install_replica_ds(config):
|
|
dsinstance.check_ports()
|
|
|
|
# if we have a pkcs12 file, create the cert db from
|
|
# that. Otherwise the ds setup will create the CA
|
|
# cert
|
|
pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt")
|
|
|
|
ds = dsinstance.DsInstance()
|
|
ds.create_replica(
|
|
realm_name=config.realm_name,
|
|
master_fqdn=config.master_host_name,
|
|
fqdn=config.host_name,
|
|
domain_name=config.domain_name,
|
|
dm_password=config.dirman_password,
|
|
subject_base=config.subject_base,
|
|
pkcs12_info=pkcs12_info,
|
|
ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"),
|
|
ca_file=config.dir + "/ca.crt",
|
|
)
|
|
|
|
return ds
|
|
|
|
def install_krb(config, setup_pkinit=False):
|
|
krb = krbinstance.KrbInstance()
|
|
|
|
#pkinit files
|
|
pkcs12_info = make_pkcs12_info(config.dir, "pkinitcert.p12",
|
|
"pkinit_pin.txt")
|
|
|
|
krb.create_replica(config.realm_name,
|
|
config.master_host_name, config.host_name,
|
|
config.domain_name, config.dirman_password,
|
|
setup_pkinit, pkcs12_info)
|
|
|
|
return krb
|
|
|
|
def install_ca_cert(config):
|
|
cafile = config.dir + "/ca.crt"
|
|
if not ipautil.file_exists(cafile):
|
|
raise RuntimeError("Ca cert file is not available")
|
|
|
|
try:
|
|
shutil.copy(cafile, CACERT)
|
|
os.chmod(CACERT, 0444)
|
|
except Exception, e:
|
|
print "error copying files: " + str(e)
|
|
sys.exit(1)
|
|
|
|
def install_http(config, auto_redirect):
|
|
# if we have a pkcs12 file, create the cert db from
|
|
# that. Otherwise the ds setup will create the CA
|
|
# cert
|
|
pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12", "http_pin.txt")
|
|
|
|
memcache = memcacheinstance.MemcacheInstance()
|
|
memcache.create_instance('MEMCACHE', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name))
|
|
|
|
http = httpinstance.HTTPInstance()
|
|
http.create_instance(
|
|
config.realm_name, config.host_name, config.domain_name,
|
|
config.dirman_password, False, pkcs12_info,
|
|
auto_redirect=auto_redirect, ca_file = config.dir + "/ca.crt")
|
|
|
|
# Now copy the autoconfiguration files
|
|
try:
|
|
if ipautil.file_exists(config.dir + "/preferences.html"):
|
|
shutil.copy(config.dir + "/preferences.html",
|
|
"/usr/share/ipa/html/preferences.html")
|
|
if ipautil.file_exists(config.dir + "/configure.jar"):
|
|
shutil.copy(config.dir + "/configure.jar",
|
|
"/usr/share/ipa/html/configure.jar")
|
|
if ipautil.file_exists(config.dir + "/krb.js"):
|
|
shutil.copy(config.dir + "/krb.js",
|
|
"/usr/share/ipa/html/krb.js")
|
|
shutil.copy(config.dir + "/kerberosauth.xpi",
|
|
"/usr/share/ipa/html/kerberosauth.xpi")
|
|
except Exception, e:
|
|
print "error copying files: " + str(e)
|
|
sys.exit(1)
|
|
|
|
http.setup_firefox_extension(config.realm_name, config.domain_name)
|
|
|
|
return http
|
|
|
|
def install_bind(config, options):
|
|
api.Backend.ldap2.connect(bind_dn=DIRMAN_DN,
|
|
bind_pw=config.dirman_password)
|
|
if options.forwarders:
|
|
forwarders = options.forwarders
|
|
else:
|
|
forwarders = ()
|
|
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
|
|
|
|
if options.reverse_zone:
|
|
if not bindinstance.verify_reverse_zone(options.reverse_zone, config.ip):
|
|
sys.exit(1)
|
|
reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
|
|
else:
|
|
reverse_zone = bindinstance.find_reverse_zone(config.ip)
|
|
if reverse_zone is None and not options.no_reverse:
|
|
reverse_zone = util.get_reverse_zone_default(config.ip)
|
|
if not options.unattended and bindinstance.create_reverse():
|
|
reverse_zone = bindinstance.read_reverse_zone(reverse_zone, config.ip)
|
|
|
|
if reverse_zone is not None:
|
|
print "Using reverse zone %s" % reverse_zone
|
|
|
|
bind.setup(config.host_name, config.ip_address, config.realm_name,
|
|
config.domain_name, forwarders, options.conf_ntp, reverse_zone,
|
|
ca_configured=options.setup_ca)
|
|
bind.create_instance()
|
|
|
|
print ""
|
|
bind.check_global_configuration()
|
|
print ""
|
|
|
|
|
|
@contextmanager
|
|
def temporary_ldap2_connection(host_name, bind_pw, bind_dn=DIRMAN_DN):
|
|
"""Context in which the ldap2 backend is connected to the given host
|
|
|
|
When the context is entered, forcefully change the ldap2's URI and connect
|
|
with the given password.
|
|
When it's exited, disconnect and restore ldap2 to previous configuration.
|
|
|
|
Needed to use the standard IPA tools on the remote master, before the
|
|
DS on localhost is installed.
|
|
"""
|
|
# TODO: We shouldn't have to resort to such hacks
|
|
cur_uri = api.Backend.ldap2.ldap_uri
|
|
# ldap2 is finalized at this point, so use __setattr__ directly
|
|
object.__setattr__(api.Backend.ldap2, 'ldap_uri',
|
|
'ldaps://%s' % ipautil.format_netloc(host_name))
|
|
api.Backend.ldap2.connect(bind_dn=DIRMAN_DN, bind_pw=bind_pw,
|
|
tls_cacertfile=CACERT)
|
|
yield
|
|
|
|
api.Backend.ldap2.disconnect()
|
|
#set it back to the default
|
|
object.__setattr__(api.Backend.ldap2, 'ldap_uri', cur_uri)
|
|
|
|
|
|
def install_dns_records(config, options):
|
|
|
|
if not bindinstance.dns_container_exists(config.master_host_name,
|
|
ipautil.realm_to_suffix(config.realm_name),
|
|
dm_password=config.dirman_password):
|
|
return
|
|
|
|
# We have to force to connect to the remote master because we do this step
|
|
# before our DS server is installed.
|
|
with temporary_ldap2_connection(
|
|
config.master_host_name, config.dirman_password):
|
|
try:
|
|
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
|
|
reverse_zone = bindinstance.find_reverse_zone(config.ip)
|
|
|
|
bind.add_master_dns_records(config.host_name, config.ip_address,
|
|
config.realm_name, config.domain_name,
|
|
reverse_zone, options.conf_ntp,
|
|
options.setup_ca)
|
|
except errors.NotFound, e:
|
|
root_logger.debug('Replica DNS records could not be added '
|
|
'on master: %s', str(e))
|
|
|
|
# we should not fail here no matter what
|
|
except Exception, e:
|
|
root_logger.info('Replica DNS records could not be added '
|
|
'on master: %s', str(e))
|
|
|
|
|
|
def check_dirsrv():
|
|
(ds_unsecure, ds_secure) = dsinstance.check_ports()
|
|
if not ds_unsecure or not ds_secure:
|
|
print "IPA requires ports 389 and 636 for the Directory Server."
|
|
print "These are currently in use:"
|
|
if not ds_unsecure:
|
|
print "\t389"
|
|
if not ds_secure:
|
|
print "\t636"
|
|
sys.exit(1)
|
|
|
|
def check_bind():
|
|
if not bindinstance.check_inst(unattended=True):
|
|
print "Aborting installation"
|
|
sys.exit(1)
|
|
|
|
|
|
def check_dns_resolution(host_name, dns_servers):
|
|
"""Check forward and reverse resolution of host_name using dns_servers
|
|
"""
|
|
# Point the resolver at specified DNS server
|
|
server_ips = []
|
|
for dns_server in dns_servers:
|
|
try:
|
|
server_ips = list(
|
|
a[4][0] for a in socket.getaddrinfo(dns_server, None))
|
|
except socket.error:
|
|
pass
|
|
else:
|
|
break
|
|
if not server_ips:
|
|
root_logger.error(
|
|
'Could not resolve any DNS server hostname: %s', dns_servers)
|
|
return False
|
|
resolver = dns.resolver.Resolver()
|
|
resolver.nameservers = server_ips
|
|
|
|
root_logger.debug('Search DNS server %s (%s) for %s',
|
|
dns_server, server_ips, host_name)
|
|
|
|
# Get IP addresses of host_name
|
|
addresses = set()
|
|
for rtype in 'A', 'AAAA':
|
|
try:
|
|
result = resolver.query(host_name, rtype)
|
|
except dns.exception.DNSException:
|
|
rrset = []
|
|
else:
|
|
rrset = result.rrset
|
|
if rrset:
|
|
addresses.update(r.address for r in result.rrset)
|
|
|
|
if not addresses:
|
|
root_logger.error(
|
|
'Could not resolve hostname %s using DNS. '
|
|
'Clients may not function properly. '
|
|
'Please check your DNS setup. '
|
|
'(Note that this check queries IPA DNS directly and '
|
|
'ignores /etc/hosts.)',
|
|
host_name)
|
|
return False
|
|
|
|
no_errors = True
|
|
|
|
# Check each of the IP addresses
|
|
checked = set()
|
|
for address in addresses:
|
|
if address in checked:
|
|
continue
|
|
checked.add(address)
|
|
try:
|
|
root_logger.debug('Check reverse address %s (%s)',
|
|
address, host_name)
|
|
revname = dns.reversename.from_address(address)
|
|
rrset = resolver.query(revname, 'PTR').rrset
|
|
except Exception, e:
|
|
root_logger.debug('Check failed: %s %s', type(e).__name__, e)
|
|
root_logger.error(
|
|
'Reverse DNS resolution of address %s (%s) failed. '
|
|
'Clients may not function properly. '
|
|
'Please check your DNS setup. '
|
|
'(Note that this check queries IPA DNS directly and '
|
|
'ignores /etc/hosts.)',
|
|
address, host_name)
|
|
no_errors = False
|
|
else:
|
|
host_name_obj = dns.name.from_text(host_name)
|
|
if rrset:
|
|
names = [r.target.to_text() for r in rrset]
|
|
else:
|
|
names = []
|
|
root_logger.debug(
|
|
'Address %s resolves to: %s. ', address, ', '.join(names))
|
|
if not rrset or not any(
|
|
r.target == host_name_obj for r in rrset):
|
|
root_logger.error(
|
|
'The IP address %s of host %s resolves to: %s. '
|
|
'Clients may not function properly. '
|
|
'Please check your DNS setup. '
|
|
'(Note that this check queries IPA DNS directly and '
|
|
'ignores /etc/hosts.)',
|
|
address, host_name, ', '.join(names))
|
|
no_errors = False
|
|
|
|
return no_errors
|
|
|
|
|
|
def main():
|
|
ipaservices.check_selinux_status()
|
|
safe_options, options, filename = parse_options()
|
|
|
|
if os.geteuid() != 0:
|
|
sys.exit("\nYou must be root to run this script.\n")
|
|
|
|
standard_logging_setup(log_file_name, debug=options.debug)
|
|
root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
|
|
|
|
if not ipautil.file_exists(filename):
|
|
sys.exit("Replica file %s does not exist" % filename)
|
|
|
|
client_fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
|
|
if client_fstore.has_files():
|
|
sys.exit("IPA client is already configured on this system.\n" +
|
|
"Please uninstall it first before configuring the replica, " +
|
|
"using 'ipa-client-install --uninstall'.")
|
|
|
|
global sstore
|
|
sstore = sysrestore.StateFile('/var/lib/ipa/sysrestore')
|
|
|
|
global fstore
|
|
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
|
|
|
|
# check the bind is installed
|
|
if options.setup_dns:
|
|
check_bind()
|
|
|
|
# Check to see if httpd is already configured to listen on 443
|
|
if httpinstance.httpd_443_configured():
|
|
sys.exit("Aborting installation")
|
|
|
|
check_dirsrv()
|
|
|
|
if options.conf_ntp:
|
|
try:
|
|
ipaclient.ntpconf.check_timedate_services()
|
|
except ipaclient.ntpconf.NTPConflictingService, e:
|
|
print "WARNING: conflicting time&date synchronization service '%s'" \
|
|
" will" % e.conflicting_service
|
|
print "be disabled in favor of ntpd"
|
|
print ""
|
|
except ipaclient.ntpconf.NTPConfigurationError:
|
|
pass
|
|
|
|
# get the directory manager password
|
|
dirman_password = options.password
|
|
if not dirman_password:
|
|
try:
|
|
dirman_password = get_dirman_password()
|
|
except KeyboardInterrupt:
|
|
sys.exit(0)
|
|
if dirman_password is None:
|
|
sys.exit("Directory Manager password required")
|
|
|
|
try:
|
|
top_dir, dir = expand_replica_info(filename, dirman_password)
|
|
global REPLICA_INFO_TOP_DIR
|
|
REPLICA_INFO_TOP_DIR = top_dir
|
|
except Exception, e:
|
|
print "ERROR: Failed to decrypt or open the replica file."
|
|
print "Verify you entered the correct Directory Manager password."
|
|
sys.exit(1)
|
|
|
|
config = ReplicaConfig()
|
|
read_replica_info(dir, config)
|
|
root_logger.debug('Installing replica file with version %d (0 means no version in prepared file).' % config.version)
|
|
if config.version and config.version > version.NUM_VERSION:
|
|
root_logger.error('A replica file from a newer release (%d) cannot be installed on an older version (%d)' % (config.version, version.NUM_VERSION))
|
|
sys.exit(1)
|
|
config.dirman_password = dirman_password
|
|
try:
|
|
host = get_host_name(options.no_host_dns)
|
|
except BadHostError, e:
|
|
root_logger.error(str(e))
|
|
sys.exit(1)
|
|
if config.host_name != host:
|
|
try:
|
|
print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
|
|
if not ipautil.user_input("This may cause problems. Continue?", False):
|
|
sys.exit(0)
|
|
config.host_name = host
|
|
print ""
|
|
except KeyboardInterrupt:
|
|
sys.exit(0)
|
|
config.dir = dir
|
|
config.setup_ca = options.setup_ca
|
|
config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
|
|
|
|
if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
|
|
print 'CA cannot be installed in CA-less setup.'
|
|
sys.exit(1)
|
|
|
|
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
|
|
|
|
# check connection
|
|
if not options.skip_conncheck:
|
|
replica_conn_check(
|
|
config.master_host_name, config.host_name, config.realm_name,
|
|
options.setup_ca, config.ca_ds_port, options.admin_password)
|
|
|
|
|
|
# check replica host IP resolution
|
|
config.ip = installutils.get_server_ip_address(config.host_name, fstore, True, options)
|
|
config.ip_address = str(config.ip)
|
|
|
|
# Create the management framework config file
|
|
# Note: We must do this before bootstraping and finalizing ipalib.api
|
|
old_umask = os.umask(022) # must be readable for httpd
|
|
try:
|
|
fd = open("/etc/ipa/default.conf", "w")
|
|
fd.write("[global]\n")
|
|
fd.write("host=%s\n" % config.host_name)
|
|
fd.write("basedn=%s\n" % str(ipautil.realm_to_suffix(config.realm_name)))
|
|
fd.write("realm=%s\n" % config.realm_name)
|
|
fd.write("domain=%s\n" % config.domain_name)
|
|
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(config.host_name))
|
|
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
|
|
if ipautil.file_exists(config.dir + "/cacert.p12"):
|
|
fd.write("enable_ra=True\n")
|
|
fd.write("ra_plugin=dogtag\n")
|
|
fd.write("dogtag_version=%s\n" %
|
|
dogtag.install_constants.DOGTAG_VERSION)
|
|
else:
|
|
fd.write("enable_ra=False\n")
|
|
fd.write("ra_plugin=none\n")
|
|
fd.write("mode=production\n")
|
|
fd.close()
|
|
finally:
|
|
os.umask(old_umask)
|
|
|
|
api.bootstrap(in_server=True, context='installer')
|
|
api.finalize()
|
|
|
|
# Create DS group if it doesn't exist yet
|
|
group_exists = dsinstance.create_ds_group()
|
|
sstore.backup_state("install", "group_exists", group_exists)
|
|
|
|
#Automatically disable pkinit w/ dogtag until that is supported
|
|
options.setup_pkinit = False
|
|
|
|
# Install CA cert so that we can do SSL connections with ldap
|
|
install_ca_cert(config)
|
|
|
|
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
|
|
replman = conn = None
|
|
try:
|
|
# Try out the password
|
|
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
|
|
conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
|
|
tls_cacertfile=CACERT)
|
|
replman = ReplicationManager(config.realm_name, config.master_host_name,
|
|
config.dirman_password)
|
|
|
|
# Check that we don't already have a replication agreement
|
|
try:
|
|
(agreement_cn, agreement_dn) = replman.agreement_dn(host)
|
|
entry = conn.get_entry(agreement_dn, ['*'])
|
|
except errors.NotFound:
|
|
pass
|
|
else:
|
|
root_logger.info('Error: A replication agreement for this host '
|
|
'already exists.')
|
|
print ('A replication agreement for this host already exists. '
|
|
'It needs to be removed.')
|
|
print "Run this on the master that generated the info file:"
|
|
print " %% ipa-replica-manage del %s --force" % host
|
|
exit(3)
|
|
|
|
# Check pre-existing host entry
|
|
try:
|
|
entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn))
|
|
except errors.NotFound:
|
|
pass
|
|
else:
|
|
root_logger.info(
|
|
'Error: Host %s already exists on the master server.' % host)
|
|
print 'The host %s already exists on the master server.' % host
|
|
print "You should remove it before proceeding:"
|
|
print " %% ipa host-del %s" % host
|
|
exit(3)
|
|
|
|
# If remote host has DNS, check forward/reverse resolution
|
|
with temporary_ldap2_connection(
|
|
config.master_host_name, config.dirman_password):
|
|
dns_masters = api.Object['dnsrecord'].get_dns_masters()
|
|
if dns_masters:
|
|
if not options.no_host_dns:
|
|
master = config.master_host_name
|
|
root_logger.debug('Check forward/reverse DNS resolution')
|
|
resolution_ok = (
|
|
check_dns_resolution(master, dns_masters) and
|
|
check_dns_resolution(config.host_name, dns_masters))
|
|
if not resolution_ok and not options.unattended:
|
|
if not ipautil.user_input("Continue?", False):
|
|
sys.exit(0)
|
|
else:
|
|
root_logger.debug('No IPA DNS servers, '
|
|
'skipping forward/reverse resolution check')
|
|
|
|
except errors.ACIError:
|
|
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
|
|
except errors.LDAPError:
|
|
sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
|
|
finally:
|
|
if conn and conn.isconnected():
|
|
conn.disconnect()
|
|
if replman and replman.conn:
|
|
replman.conn.unbind()
|
|
|
|
if options.skip_schema_check:
|
|
root_logger.info("Skipping CA DS schema check")
|
|
else:
|
|
cainstance.replica_ca_install_check(config)
|
|
|
|
# Configure ntpd
|
|
if options.conf_ntp:
|
|
ipaclient.ntpconf.force_ntpd(sstore)
|
|
ntp = ntpinstance.NTPInstance()
|
|
ntp.create_instance()
|
|
|
|
# Configure dirsrv
|
|
ds = install_replica_ds(config)
|
|
|
|
# Configure the CA if necessary
|
|
CA = cainstance.install_replica_ca(config)
|
|
|
|
# Always try to install DNS records
|
|
install_dns_records(config, options)
|
|
|
|
# We need to ldap_enable the CA now that DS is up and running
|
|
if CA and config.setup_ca:
|
|
CA.ldap_enable('CA', config.host_name, config.dirman_password,
|
|
ipautil.realm_to_suffix(config.realm_name))
|
|
|
|
# This is done within stopped_service context, which restarts CA
|
|
CA.enable_client_auth_to_db()
|
|
|
|
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
|
|
http = install_http(config, auto_redirect=options.ui_redirect)
|
|
|
|
otpd = otpdinstance.OtpdInstance()
|
|
otpd.create_instance('OTPD', config.host_name, config.dirman_password,
|
|
ipautil.realm_to_suffix(config.realm_name))
|
|
|
|
if CA:
|
|
CA.configure_certmonger_renewal()
|
|
CA.import_ra_cert(dir + "/ra.p12")
|
|
CA.fix_ra_perms()
|
|
ipaservices.knownservices.httpd.restart()
|
|
|
|
# The DS instance is created before the keytab, add the SSL cert we
|
|
# generated
|
|
ds.add_cert_to_service()
|
|
|
|
# Apply any LDAP updates. Needs to be done after the replica is synced-up
|
|
service.print_msg("Applying LDAP updates")
|
|
ds.apply_updates()
|
|
|
|
# Restart ds and krb after configurations have been changed
|
|
service.print_msg("Restarting the directory server")
|
|
ds.restart()
|
|
|
|
service.print_msg("Restarting the KDC")
|
|
krb.restart()
|
|
|
|
if CA and config.setup_ca:
|
|
service.print_msg("Restarting the certificate server")
|
|
CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
|
|
|
|
if options.setup_dns:
|
|
install_bind(config, options)
|
|
|
|
# Restart httpd to pick up the new IPA configuration
|
|
service.print_msg("Restarting the web server")
|
|
http.restart()
|
|
|
|
# Call client install script
|
|
try:
|
|
args = ["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]
|
|
if not options.create_sshfp:
|
|
args.append("--no-dns-sshfp")
|
|
if options.trust_sshfp:
|
|
args.append("--ssh-trust-dns")
|
|
if not options.conf_ssh:
|
|
args.append("--no-ssh")
|
|
if not options.conf_sshd:
|
|
args.append("--no-sshd")
|
|
if options.mkhomedir:
|
|
args.append("--mkhomedir")
|
|
ipautil.run(args)
|
|
except Exception, e:
|
|
print "Configuration of client side components failed!"
|
|
print "ipa-client-install returned: " + str(e)
|
|
raise RuntimeError("Failed to configure the client")
|
|
|
|
ds.replica_populate()
|
|
|
|
#Everything installed properly, activate ipa service.
|
|
ipaservices.knownservices.ipa.enable()
|
|
|
|
fail_message = '''
|
|
Your system may be partly configured.
|
|
Run /usr/sbin/ipa-server-install --uninstall to clean up.
|
|
'''
|
|
|
|
if __name__ == '__main__':
|
|
try:
|
|
with private_ccache():
|
|
installutils.run_script(main, log_file_name=log_file_name,
|
|
operation_name='ipa-replica-install',
|
|
fail_message=fail_message)
|
|
finally:
|
|
# always try to remove decrypted replica file
|
|
try:
|
|
if REPLICA_INFO_TOP_DIR:
|
|
shutil.rmtree(REPLICA_INFO_TOP_DIR)
|
|
except OSError:
|
|
pass
|