mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
a25fe00c62
This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
239 lines
9.5 KiB
Python
Executable File
239 lines
9.5 KiB
Python
Executable File
#! /usr/bin/python2 -E
|
|
# Authors: Martin Nagy <mnagy@redhat.com>
|
|
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2007 - 2009 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
from optparse import OptionGroup, SUPPRESS_HELP
|
|
|
|
import krbV
|
|
|
|
from ipaserver.install import service, bindinstance, ntpinstance, httpinstance
|
|
from ipaserver.install.installutils import *
|
|
from ipaserver.install import installutils
|
|
from ipapython import version
|
|
from ipapython import ipautil, sysrestore
|
|
from ipalib import api, errors, util
|
|
from ipaplatform.paths import paths
|
|
from ipapython.config import IPAOptionParser
|
|
from ipapython.ipa_log_manager import standard_logging_setup, root_logger
|
|
from ipapython.ipautil import DN
|
|
|
|
log_file_name = paths.IPASERVER_INSTALL_LOG
|
|
|
|
def parse_options():
|
|
parser = IPAOptionParser(version=version.VERSION)
|
|
parser.add_option("-p", "--ds-password", dest="dm_password",
|
|
sensitive=True, help="admin password")
|
|
parser.add_option("-d", "--debug", dest="debug", action="store_true",
|
|
default=False, help="print debugging information")
|
|
parser.add_option("--ip-address", dest="ip_address",
|
|
type="ip", ip_local=True, help="Master Server IP Address")
|
|
parser.add_option("--forwarder", dest="forwarders", action="append",
|
|
type="ip", help="Add a DNS forwarder")
|
|
parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
|
|
default=False, help="Do not add any DNS forwarders, use root servers instead")
|
|
parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
|
|
parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
|
|
default=False, help="Do not create new reverse DNS zone")
|
|
parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
|
|
type="string",
|
|
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
|
|
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
|
|
default=False, help="unattended installation never prompts the user")
|
|
|
|
options, args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
if options.forwarders and options.no_forwarders:
|
|
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
|
|
elif options.reverse_zone and options.no_reverse:
|
|
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
|
|
|
|
if options.unattended:
|
|
if not options.forwarders and not options.no_forwarders:
|
|
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
|
|
|
|
return safe_options, options
|
|
|
|
def main():
|
|
safe_options, options = parse_options()
|
|
|
|
if os.getegid() != 0:
|
|
sys.exit("Must be root to setup server")
|
|
|
|
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
|
|
print "\nThe log file for this installation can be found in %s" % log_file_name
|
|
|
|
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
|
|
root_logger.debug("missing options might be asked for interactively later\n")
|
|
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
|
|
|
|
installutils.check_server_configuration()
|
|
|
|
global fstore
|
|
fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
|
|
print "=============================================================================="
|
|
print "This program will setup DNS for the FreeIPA Server."
|
|
print ""
|
|
print "This includes:"
|
|
print " * Configure DNS (bind)"
|
|
print ""
|
|
print "To accept the default shown in brackets, press the Enter key."
|
|
print ""
|
|
|
|
# Check bind packages are installed
|
|
if not bindinstance.check_inst(options.unattended):
|
|
sys.exit("Aborting installation.")
|
|
|
|
# Initialize the ipalib api
|
|
cfg = dict(
|
|
in_server=True,
|
|
debug=options.debug,
|
|
)
|
|
api.bootstrap(**cfg)
|
|
api.finalize()
|
|
|
|
if bindinstance.named_conf_exists():
|
|
sys.exit("\nDNS is already configured in this IPA server.")
|
|
|
|
# Create a BIND instance
|
|
if options.unattended and not options.dm_password:
|
|
sys.exit("\nIn unattended mode you need to provide at least the -p option")
|
|
|
|
dm_password = options.dm_password or read_password("Directory Manager",
|
|
confirm=False, validate=False)
|
|
if dm_password is None:
|
|
sys.exit("Directory Manager password required")
|
|
bind = bindinstance.BindInstance(fstore, dm_password)
|
|
|
|
# try the connection
|
|
try:
|
|
bind.ldap_connect()
|
|
bind.ldap_disconnect()
|
|
except errors.ACIError:
|
|
sys.exit("Password is not valid!")
|
|
|
|
# Check we have a public IP that is associated with the hostname
|
|
if options.ip_address:
|
|
ip = options.ip_address
|
|
else:
|
|
hostaddr = resolve_host(api.env.host)
|
|
try:
|
|
if len(hostaddr) > 1:
|
|
print >> sys.stderr, "The server hostname resolves to more than one address:"
|
|
for addr in hostaddr:
|
|
print >> sys.stderr, " %s" % addr
|
|
|
|
if options.ip_address:
|
|
if str(options.ip_address) not in hostaddr:
|
|
print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
|
|
print >> sys.stderr, "address!"
|
|
sys.exit(1)
|
|
print "Selected IP address:", str(options.ip_address)
|
|
ip = options.ip_address
|
|
else:
|
|
if options.unattended:
|
|
print >> sys.stderr, "Please use --ip-address option to specify the address"
|
|
sys.exit(1)
|
|
else:
|
|
ip = read_ip_address(api.env.host, fstore)
|
|
else:
|
|
ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
|
|
except Exception, e:
|
|
print "Error: Invalid IP Address %s: %s" % (ip, e)
|
|
ip = None
|
|
|
|
if not ip:
|
|
if options.unattended:
|
|
sys.exit("Unable to resolve IP address for host name")
|
|
else:
|
|
ip = read_ip_address(api.env.host, fstore)
|
|
ip_address = str(ip)
|
|
root_logger.debug("will use ip_address: %s\n", ip_address)
|
|
|
|
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
|
|
sys.exit(1)
|
|
|
|
if options.no_forwarders:
|
|
dns_forwarders = ()
|
|
elif options.forwarders:
|
|
dns_forwarders = options.forwarders
|
|
else:
|
|
dns_forwarders = read_dns_forwarders()
|
|
root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))
|
|
|
|
if bind.dm_password:
|
|
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
|
|
else:
|
|
# See if our LDAP server is up and we can talk to it over GSSAPI
|
|
ccache = krbV.default_context().default_ccache()
|
|
api.Backend.ldap2.connect(ccache)
|
|
|
|
if options.reverse_zone:
|
|
reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
|
|
else:
|
|
reverse_zone = bindinstance.find_reverse_zone(ip)
|
|
if reverse_zone is None and not options.no_reverse:
|
|
if options.unattended:
|
|
reverse_zone = util.get_reverse_zone_default(ip)
|
|
elif bindinstance.create_reverse():
|
|
reverse_zone = util.get_reverse_zone_default(ip)
|
|
reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
|
|
|
|
if reverse_zone is not None:
|
|
print "Using reverse zone %s" % reverse_zone
|
|
|
|
conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()
|
|
|
|
if not options.unattended:
|
|
print ""
|
|
print "The following operations may take some minutes to complete."
|
|
print "Please wait until the prompt is returned."
|
|
print ""
|
|
|
|
bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
|
|
dns_forwarders, conf_ntp, reverse_zone, zonemgr=options.zonemgr)
|
|
bind.create_instance()
|
|
|
|
# Restart http instance to make sure that python-dns has the right resolver
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=800368
|
|
http = httpinstance.HTTPInstance(fstore)
|
|
service.print_msg("Restarting the web server")
|
|
http.restart()
|
|
|
|
print "=============================================================================="
|
|
print "Setup complete"
|
|
print ""
|
|
bind.check_global_configuration()
|
|
print ""
|
|
print ""
|
|
print "\tYou must make sure these network ports are open:"
|
|
print "\t\tTCP Ports:"
|
|
print "\t\t * 53: bind"
|
|
print "\t\tUDP Ports:"
|
|
print "\t\t * 53: bind"
|
|
|
|
return 0
|
|
|
|
if __name__ == '__main__':
|
|
with private_ccache():
|
|
installutils.run_script(main, log_file_name=log_file_name,
|
|
operation_name='ipa-dns-install')
|