def ds_init_info(ansible_log, fstore, domainlevel, dirsrv_config_file, realm_name, host_name, domain_name, dm_password, idstart, idmax, subject_base, ca_subject, no_hbac_allow, dirsrv_pkcs12_info, no_pkinit): if not options.external_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=domainlevel, config_ldif=dirsrv_config_file) ds.set_output(ansible_log) if options.dirsrv_cert_files: _dirsrv_pkcs12_info = dirsrv_pkcs12_info else: _dirsrv_pkcs12_info = None with redirect_stdout(ansible_log): ds.init_info(realm_name, host_name, domain_name, dm_password, subject_base, ca_subject, idstart, idmax, # hbac_allow=not no_hbac_allow, _dirsrv_pkcs12_info, setup_pkinit=not no_pkinit) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=domainlevel) ds.set_output(ansible_log) with redirect_stdout(ansible_log): ds.init_info(realm_name, host_name, domain_name, dm_password, subject_base, ca_subject, 1101, 1100, None, setup_pkinit=not no_pkinit) return ds
def install(api, replica_config, options, custodia): if replica_config is None: if not options.setup_kra: return realm_name = api.env.realm dm_password = options.dm_password host_name = api.env.host subject_base = dsinstance.DsInstance().find_subject_base() pkcs12_info = None master_host = None promote = False else: if not replica_config.setup_kra: return krafile = os.path.join(replica_config.dir, 'kracert.p12') with ipautil.private_ccache(): ccache = os.environ['KRB5CCNAME'] kinit_keytab( 'host/{env.host}@{env.realm}'.format(env=api.env), paths.KRB5_KEYTAB, ccache) custodia.get_kra_keys( krafile, replica_config.dirman_password) realm_name = replica_config.realm_name dm_password = replica_config.dirman_password host_name = replica_config.host_name subject_base = replica_config.subject_base pkcs12_info = (krafile,) master_host = replica_config.kra_host_name promote = True ca_subject = ca.lookup_ca_subject(api, subject_base) kra = krainstance.KRAInstance(realm_name) kra.configure_instance( realm_name, host_name, dm_password, dm_password, subject_base=subject_base, ca_subject=ca_subject, pkcs12_info=pkcs12_info, master_host=master_host, promote=promote, pki_config_override=options.pki_config_override, ) _service.print_msg("Restarting the directory server") ds = dsinstance.DsInstance() ds.restart() kra.enable_client_auth_to_db() # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True) # Restarted named to restore bind-dyndb-ldap operation, see # https://pagure.io/freeipa/issue/5813 named = services.knownservices.named # alias for current named if named.is_running(): named.restart(capture_output=True)
def install(api, replica_config, options): if replica_config is None: if not options.setup_kra: return realm_name = api.env.realm dm_password = options.dm_password host_name = api.env.host subject_base = dsinstance.DsInstance().find_subject_base() pkcs12_info = None master_host = None promote = False else: if not replica_config.setup_kra: return krafile = os.path.join(replica_config.dir, 'kracert.p12') if options.promote: with ipautil.private_ccache(): ccache = os.environ['KRB5CCNAME'] kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env), paths.KRB5_KEYTAB, ccache) custodia = custodiainstance.CustodiaInstance( replica_config.host_name, replica_config.realm_name) custodia.get_kra_keys(replica_config.kra_host_name, krafile, replica_config.dirman_password) else: cafile = os.path.join(replica_config.dir, 'cacert.p12') if not os.path.isfile(cafile): raise RuntimeError( "Unable to clone KRA." " cacert.p12 file not found in replica file") shutil.copy(cafile, krafile) realm_name = replica_config.realm_name dm_password = replica_config.dirman_password host_name = replica_config.host_name subject_base = replica_config.subject_base pkcs12_info = (krafile, ) master_host = replica_config.kra_host_name promote = options.promote kra = krainstance.KRAInstance(realm_name) kra.configure_instance(realm_name, host_name, dm_password, dm_password, subject_base=subject_base, pkcs12_info=pkcs12_info, master_host=master_host, promote=promote) _service.print_msg("Restarting the directory server") ds = dsinstance.DsInstance() ds.restart() kra.enable_client_auth_to_db() # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True)
def install(api, replica_config, options): if replica_config is None: realm_name = api.env.realm dm_password = options.dm_password host_name = api.env.host subject_base = dsinstance.DsInstance().find_subject_base() pkcs12_info = None master_host = None ra_only = False promote = False else: krafile = os.path.join(replica_config.dir, 'kracert.p12') if options.promote: custodia = custodiainstance.CustodiaInstance( replica_config.host_name, replica_config.realm_name) custodia.get_kra_keys(replica_config.kra_host_name, krafile, replica_config.dirman_password) else: cafile = os.path.join(replica_config.dir, 'cacert.p12') if not ipautil.file_exists(cafile): raise RuntimeError( "Unable to clone KRA." " cacert.p12 file not found in replica file") shutil.copy(cafile, krafile) realm_name = replica_config.realm_name dm_password = replica_config.dirman_password host_name = replica_config.host_name subject_base = replica_config.subject_base pkcs12_info = (krafile, ) master_host = replica_config.kra_host_name ra_only = not replica_config.setup_kra promote = options.promote kra = krainstance.KRAInstance(realm_name) kra.configure_instance(realm_name, host_name, dm_password, dm_password, subject_base=subject_base, pkcs12_info=pkcs12_info, master_host=master_host, ra_only=ra_only, promote=promote) _service.print_msg("Restarting the directory server") ds = dsinstance.DsInstance() ds.restart() if not ra_only: kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH) # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True)
def __init__(self, reg): super().__init__(reg) self.ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host) self.http = httpinstance.HTTPInstance() self.ds = dsinstance.DsInstance() self.serverid = realm_to_serverid(api.env.realm) self.conn = api.Backend.ldap2
def install_replica_ds(config, options, ca_is_configured, remote_api, ca_file, pkcs12_info=None, fstore=None): dsinstance.check_ports() # if we have a pkcs12 file, create the cert db from # that. Otherwise the ds setup will create the CA # cert if pkcs12_info is None: pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt") if ca_is_configured: ca_subject = ca.lookup_ca_subject(remote_api, config.subject_base) else: ca_subject = installutils.default_ca_subject_dn(config.subject_base) ds = dsinstance.DsInstance( config_ldif=options.dirsrv_config_file, fstore=fstore) ds.create_replica( realm_name=config.realm_name, master_fqdn=config.master_host_name, fqdn=config.host_name, domain_name=config.domain_name, dm_password=config.dirman_password, subject_base=config.subject_base, ca_subject=ca_subject, pkcs12_info=pkcs12_info, ca_is_configured=ca_is_configured, ca_file=ca_file, api=remote_api, setup_pkinit=not options.no_pkinit, ) return ds
def _run(self): super(KRAInstaller, self).run() print dedent(self.INSTALLER_START_MESSAGE) subject = dsinstance.DsInstance().find_subject_base() if not self.installing_replica: kra = krainstance.KRAInstance( api.env.realm, dogtag_constants=dogtag.install_constants) kra.configure_instance(api.env.host, api.env.domain, self.options.password, self.options.password, subject_base=subject) else: replica_config = create_replica_config(self.options.password, self.replica_file, self.options) if not read_replica_info_kra_enabled(replica_config.dir): raise admintool.ScriptError( "Either KRA is not installed on the master system or " "your replica file is out of date") kra = krainstance.install_replica_kra(replica_config) service.print_msg("Restarting the directory server") ds = dsinstance.DsInstance() ds.restart() kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH) # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True) # Update config file parser = RawConfigParser() parser.read(paths.IPA_DEFAULT_CONF) parser.set('global', 'enable_kra', 'True') with open(paths.IPA_DEFAULT_CONF, 'w') as f: parser.write(f)
def test_failed_uninstall(self): self.master.run_command(['ipactl', 'stop']) serverid = realm_to_serverid(self.master.domain.realm) instance_name = ''.join([dsinstance.DS_INSTANCE_PREFIX, serverid]) try: # Moving the DS instance out of the way will cause the # uninstaller to raise an exception and return with a # non-zero return code. self.master.run_command([ '/usr/bin/mv', '%s/%s' % (paths.ETC_DIRSRV, instance_name), '%s/%s.test' % (paths.ETC_DIRSRV, instance_name) ]) cmd = self.master.run_command([ 'ipa-server-install', '--uninstall', '-U'], raiseonerr=False ) assert cmd.returncode == 1 finally: # Be paranoid. If something really went wrong then DS may # be marked as uninstalled so server cert will still be # tracked and the instances may remain. This can cause # subsequent installations to fail so be thorough. ds = dsinstance.DsInstance() ds_running = ds.is_running() if ds_running: ds.stop(serverid) # Moving it back should allow the uninstall to finish # successfully. self.master.run_command([ '/usr/bin/mv', '%s/%s.test' % (paths.ETC_DIRSRV, instance_name), '%s/%s' % (paths.ETC_DIRSRV, instance_name) ]) # DS has been marked as uninstalled so force the issue ds.stop_tracking_certificates(serverid) self.master.run_command([ paths.REMOVE_DS_PL, '-i', instance_name ]) cmd = self.master.run_command([ 'ipa-server-install', '--uninstall', '-U'], raiseonerr=False ) assert cmd.returncode == 0
def install(api, replica_config, options): subject = dsinstance.DsInstance().find_subject_base() if replica_config is None: kra = krainstance.KRAInstance(api.env.realm) kra.configure_instance(api.env.realm, api.env.host, options.dm_password, options.dm_password, subject_base=subject) else: if options.promote: ca_data = (os.path.join(replica_config.dir, 'kracert.p12'), replica_config.dirman_password) custodia = custodiainstance.CustodiaInstance( replica_config.host_name, replica_config.realm_name) custodia.get_kra_keys(replica_config.kra_host_name, ca_data[0], ca_data[1]) kra = krainstance.KRAInstance(replica_config.realm_name) kra.configure_replica(replica_config.host_name, replica_config.kra_host_name, replica_config.dirman_password, kra_cert_bundle=ca_data) return else: kra = krainstance.install_replica_kra(replica_config) service.print_msg("Restarting the directory server") ds = dsinstance.DsInstance() ds.restart() kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn) kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH) # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True)
def expired_ipa_certs(now): """ Determine which IPA certs are expired, or close to expiry. Return a list of (IPACertType, cert) pairs. """ certs = [] non_renewed = [] # IPA RA cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM) if cert.not_valid_after <= now: certs.append((IPACertType.IPARA, cert)) # Apache HTTPD cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE) if cert.not_valid_after <= now: if not is_ipa_issued_cert(api, cert): non_renewed.append((IPACertType.HTTPS, cert)) else: certs.append((IPACertType.HTTPS, cert)) # LDAPS serverid = realm_to_serverid(api.env.realm) ds = dsinstance.DsInstance(realm_name=api.env.realm) ds_dbdir = dsinstance.config_dirname(serverid) ds_nickname = ds.get_server_cert_nickname(serverid) db = NSSDatabase(nssdir=ds_dbdir) cert = db.get_cert(ds_nickname) if cert.not_valid_after <= now: if not is_ipa_issued_cert(api, cert): non_renewed.append((IPACertType.LDAPS, cert)) else: certs.append((IPACertType.LDAPS, cert)) # KDC cert = x509.load_certificate_from_file(paths.KDC_CERT) if cert.not_valid_after <= now: if not is_ipa_issued_cert(api, cert): non_renewed.append((IPACertType.HTTPS, cert)) else: certs.append((IPACertType.KDC, cert)) return certs, non_renewed
def cert_restore_prepare(self): cainstance.CAInstance().stop_tracking_certificates() httpinstance.HTTPInstance().stop_tracking_certificates() try: dsinstance.DsInstance().stop_tracking_certificates( installutils.realm_to_serverid(api.env.realm)) except OSError: # When IPA is not installed, DS NSS DB does not exist pass for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'): filename = os.path.join(paths.IPA_NSSDB_DIR, basename) try: ipautil.backup_file(filename) except OSError as e: self.log.error("Failed to backup %s: %s" % (filename, e)) tasks.remove_ca_certs_from_systemwide_ca_store()
def cert_restore_prepare(self): cainstance.CAInstance().stop_tracking_certificates() httpinstance.HTTPInstance().stop_tracking_certificates() try: dsinstance.DsInstance().stop_tracking_certificates( installutils.realm_to_serverid(api.env.realm)) except (OSError, IOError): # When IPA is not installed, DS NSS DB does not exist pass krbinstance.KrbInstance().stop_tracking_certs() for basename in certdb.NSS_FILES: filename = os.path.join(paths.IPA_NSSDB_DIR, basename) try: ipautil.backup_file(filename) except OSError as e: logger.error("Failed to backup %s: %s", filename, e) tasks.remove_ca_certs_from_systemwide_ca_store()
def install_ipa_certs(subject_base, ca_subject_dn, certs): """Print details and install renewed IPA certificates.""" for certtype, oldcert in certs: cert_path = RENEWED_CERT_PATH_TEMPLATE.format(oldcert.serial_number) cert = x509.load_certificate_from_file(cert_path) print_cert_info("Renewed IPA", certtype.value, cert) if certtype is IPACertType.IPARA: shutil.copyfile(cert_path, paths.RA_AGENT_PEM) cainstance.update_people_entry(cert) replicate_cert(subject_base, ca_subject_dn, cert) elif certtype is IPACertType.HTTPS: shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE) elif certtype is IPACertType.LDAPS: serverid = realm_to_serverid(api.env.realm) ds = dsinstance.DsInstance(realm_name=api.env.realm) ds_dbdir = dsinstance.config_dirname(serverid) db = NSSDatabase(nssdir=ds_dbdir) ds_nickname = ds.get_server_cert_nickname(serverid) db.delete_cert(ds_nickname) db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path) elif certtype is IPACertType.KDC: shutil.copyfile(cert_path, paths.KDC_CERT)
def replica_ds_init_info(ansible_log, config, options, ca_is_configured, remote_api, ds_ca_subject, ca_file, promote=False, pkcs12_info=None): dsinstance.check_ports() # if we have a pkcs12 file, create the cert db from # that. Otherwise the ds setup will create the CA # cert if pkcs12_info is None: pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt") # during replica install, this gets invoked before local DS is # available, so use the remote api. #if ca_is_configured: # ca_subject = ca.lookup_ca_subject(_api, config.subject_base) #else: # ca_subject = installutils.default_ca_subject_dn(config.subject_base) ca_subject = ds_ca_subject ds = dsinstance.DsInstance(config_ldif=options.dirsrv_config_file) ds.set_output(ansible_log) # Source: ipaserver/install/dsinstance.py # idstart and idmax are configured so that the range is seen as # depleted by the DNA plugin and the replica will go and get a # new range from the master. # This way all servers use the initially defined range by default. idstart = 1101 idmax = 1100 with redirect_stdout(ansible_log): ds.init_info( realm_name=config.realm_name, fqdn=config.host_name, domain_name=config.domain_name, dm_password=config.dirman_password, subject_base=config.subject_base, ca_subject=ca_subject, idstart=idstart, idmax=idmax, pkcs12_info=pkcs12_info, ca_file=ca_file, setup_pkinit=not options.no_pkinit, ) ds.master_fqdn = config.master_host_name if ca_is_configured is not None: ds.ca_is_configured = ca_is_configured ds.promote = promote ds.api = remote_api # from __setup_replica # Always connect to ds over ldapi ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=ds.realm) conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() return ds
def __init__(self, registry): super().__init__(registry) self.ds = self.ds = dsinstance.DsInstance() self.conn = api.Backend.ldap2 self.serverid = realm_to_serverid(api.env.realm)
def run(self): """Execute the tests""" api.Backend.ldap2.connect() self.serverid = installutils.realm_to_serverid(api.env.realm) self.ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host) self.http = httpinstance.HTTPInstance() self.ds = dsinstance.DsInstance() self.conn = api.Backend.ldap2 logger.info("Check CA status") self.check_ca_status() logger.info("Check tracking") self.check_tracking() logger.info("Check NSS trust") self.check_trust() logger.info("Check dates") self.check_dates() logger.info("Checking certificates in CS.cfg") self.check_cs_cfg() logger.info("Comparing certificates to requests in LDAP") self.compare_requests() logger.info("Checking RA certificate") self.check_ra_cert() logger.info("Checking authorities") self.check_ipa_to_cs_authorities() self.check_cs_to_ipa_authorities() logger.info("Checking host keytab") self.check_hostkeytab() logger.info("Validating certificates") self.validate_certs() logger.info("Checking renewal master") self.check_renewal_master() logger.info("End-to-end cert API test") self.cert_api_test() logger.info("Checking permissions and ownership") self.check_permissions() if self.conn is not None and self.conn.isconnected(): self.conn.disconnect() if self.failures: logger.info("Failures:") for f in self.failures: logger.info(f) else: logger.info("All checks passed") if self.warnings: logger.info("Warnings:") for f in self.warnings: logger.info(f) return self.failures != []
def run(self): if not is_ipa_configured(): print("IPA is not configured.") return 2 if not cainstance.is_ca_installed_locally(): print("CA is not installed on this server.") return 1 try: ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True) except ipautil.CalledProcessError: print("The 'pki-server cert-fix' command is not available; " "cannot proceed.") return 1 api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize() if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)): print("The LDAP server is not running; cannot proceed.") return 1 api.Backend.ldap2.connect() # ensure DS is up subject_base = dsinstance.DsInstance().find_subject_base() if not subject_base: raise RuntimeError("Cannot determine certificate subject base.") ca_subject_dn = ca.lookup_ca_subject(api, subject_base) now = datetime.datetime.now() + datetime.timedelta(weeks=2) certs, extra_certs, non_renewed = expired_certs(now) if not certs and not extra_certs: print("Nothing to do.") return 0 print(msg) print_intentions(certs, extra_certs, non_renewed) response = ipautil.user_input('Enter "yes" to proceed') if response.lower() != 'yes': print("Not proceeding.") return 0 print("Proceeding.") try: fix_certreq_directives(certs) run_cert_fix(certs, extra_certs) except ipautil.CalledProcessError: if any(x[0] is IPACertType.LDAPS for x in extra_certs + non_renewed): # The DS cert was expired. This will cause 'pki-server # cert-fix' to fail at the final restart, and return nonzero. # So this exception *might* be OK to ignore. # # If 'pki-server cert-fix' has written new certificates # corresponding to all the extra_certs, then ignore the # CalledProcessError and proceed to installing the IPA-specific # certs. Otherwise re-raise. if check_renewed_ipa_certs(extra_certs): pass else: raise else: raise # otherwise re-raise replicate_dogtag_certs(subject_base, ca_subject_dn, certs) install_ipa_certs(subject_base, ca_subject_dn, extra_certs) if any(x[0] != 'sslserver' for x in certs) \ or any(x[0] is IPACertType.IPARA for x in extra_certs): # we renewed a "shared" certificate, therefore we must # become the renewal master print("Becoming renewal master.") cainstance.CAInstance().set_renewal_master() print("Restarting IPA") ipautil.run(['ipactl', 'restart'], raiseonerr=True) print(renewal_note) return 0
def __init__(self, registry): super(DSPlugin, self).__init__(registry) self.ds = self.ds = dsinstance.DsInstance()
def run(self): if not is_ipa_configured(): print("IPA is not configured.") return 2 if not cainstance.is_ca_installed_locally(): print("CA is not installed on this server.") return 1 try: ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True) except ipautil.CalledProcessError: print( "The 'pki-server cert-fix' command is not available; " "cannot proceed." ) return 1 api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() # ensure DS is up subject_base = dsinstance.DsInstance().find_subject_base() if not subject_base: raise RuntimeError("Cannot determine certificate subject base.") ca_subject_dn = ca.lookup_ca_subject(api, subject_base) now = datetime.datetime.now() + datetime.timedelta(weeks=2) certs, extra_certs = expired_certs(now) if not certs and not extra_certs: print("Nothing to do.") return 0 print(msg) print_intentions(certs, extra_certs) response = ipautil.user_input('Enter "yes" to proceed') if response.lower() != 'yes': print("Not proceeding.") return 0 print("Proceeding.") try: run_cert_fix(certs, extra_certs) except ipautil.CalledProcessError: if any(x[0] is IPACertType.LDAPS for x in extra_certs): # The DS cert was expired. This will cause # 'pki-server cert-fix' to fail at the final # restart. Therefore ignore the CalledProcessError # and proceed to installing the IPA-specific certs. pass else: raise # otherwise re-raise replicate_dogtag_certs(subject_base, ca_subject_dn, certs) install_ipa_certs(subject_base, ca_subject_dn, extra_certs) if any(x[0] != 'sslserver' for x in certs) \ or any(x[0] is IPACertType.IPARA for x in extra_certs): # we renewed a "shared" certificate, therefore we must # become the renewal master print("Becoming renewal master.") cainstance.CAInstance().set_renewal_master() ipautil.run(['ipactl', 'restart'], raiseonerr=True) return 0
def uninstall(installer): fstore = installer._fstore sstore = installer._sstore rv = 0 # Uninstall the KRA prior to shutting the services down so it # can un-register with the CA. kra.uninstall() print("Shutting down all IPA services") try: services.knownservices.ipa.stop() except Exception: # Fallback to direct ipactl stop only if system command fails try: run([paths.IPACTL, "stop"], raiseonerr=False) except Exception: pass restore_time_sync(sstore, fstore) ca.uninstall() dns.uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() adtrustinstance.ADTRUSTInstance(fstore).uninstall() # realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf # otherwise, see https://pagure.io/freeipa/issue/7474 . custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall() otpdinstance.OtpdInstance().uninstall() tasks.restore_hostname(fstore, sstore) tasks.restore_pkcs11_modules(fstore) fstore.restore_all_files() try: os.remove(paths.ROOT_IPA_CACHE) except Exception: pass try: os.remove(paths.ROOT_IPA_CSR) except Exception: pass # ipa-client-install removes /etc/ipa/default.conf sstore._load() timeconf.restore_forced_timeservices(sstore) # Clean up group_exists (unused since IPA 2.2, not being set since 4.1) sstore.restore_state("install", "group_exists") services.knownservices.ipa.disable() # remove upgrade state file sysupgrade.remove_upgrade_file() if fstore.has_files(): logger.error('Some files have not been restored, see ' '%s/sysrestore.index', SYSRESTORE_DIR_PATH) sstore.delete_state('installation', 'complete') has_state = False for module in IPA_MODULES: # from installutils if sstore.has_state(module): logger.error('Some installation state for %s has not been ' 'restored, see %s/sysrestore.state', module, SYSRESTORE_DIR_PATH) has_state = True rv = 1 if has_state: logger.error('Some installation state has not been restored.\n' 'This may cause re-installation to fail.\n' 'It should be safe to remove %s/sysrestore.state ' 'but it may\n' 'mean your system hasn\'t be restored to its ' 'pre-installation state.', SYSRESTORE_DIR_PATH) else: # sysrestore.state has no state left, remove it sysrestore = os.path.join(SYSRESTORE_DIR_PATH, 'sysrestore.state') ipautil.remove_file(sysrestore) # Note that this name will be wrong after the first uninstall. dirname = dsinstance.config_dirname( ipaldap.realm_to_serverid(api.env.realm)) dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR] ids = certmonger.check_state(dirs) if ids: logger.error('Some certificates may still be tracked by ' 'certmonger.\n' 'This will cause re-installation to fail.\n' 'Start the certmonger service and list the ' 'certificates being tracked\n' ' # getcert list\n' 'These may be untracked by executing\n' ' # getcert stop-tracking -i <request_id>\n' 'for each id in: %s', ', '.join(ids)) # Remove the cert renewal lock file try: os.remove(paths.IPA_RENEWAL_LOCK) except OSError as e: if e.errno != errno.ENOENT: logger.warning("Failed to remove file %s: %s", paths.IPA_RENEWAL_LOCK, e) print("Removing IPA client configuration") try: result = run([paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--uninstall"], raiseonerr=False, redirect_output=True) if result.returncode not in [0, 2]: raise RuntimeError("Failed to configure the client") except Exception: rv = 1 print("Uninstall of client side components failed!") sys.exit(rv)
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info http_ca_cert = installer._ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_addresses setup_ca = options.setup_ca # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False if installer.interactive: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") # set hostname (transient and static) if user instructed us to do so if options._host_name_overridden: tasks.backup_hostname(fstore, sstore) tasks.set_hostname(host_name) if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) if tasks.configure_pkcs11_modules(fstore): print("Disabled p11-kit-proxy") # Create a directory server instance if not options.external_cert_files: # We have to sync time before certificate handling on master. # As chrony configuration is moved from client here, unconfiguration of # chrony will be handled here in uninstall() method as well by invoking # the ipa-server-install --uninstall if not options.no_ntp and not sync_time( options.ntp_servers, options.ntp_pool, fstore, sstore): print("Warning: IPA was unable to sync time with chrony!") print(" Time synchronization is required for IPA " "to work correctly") if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: api.Backend.ldap2.connect() ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) installer._ds = ds ds.init_info( realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None, setup_pkinit=not options.no_pkinit) krb = krbinstance.KrbInstance(fstore) if not options.external_cert_files: krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject_base) else: krb.init_info(realm_name, host_name, setup_pkinit=not options.no_pkinit, subject_base=options.subject_base) custodia = custodiainstance.get_custodia_instance( options, custodiainstance.CustodiaModes.FIRST_MASTER) custodia.create_instance() if setup_ca: if not options.external_cert_files and options.external_ca: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.reverse_zones = dns.reverse_zones cache_vars = {n: options.__dict__[n] for o, n in installer.knobs() if n in options.__dict__} write_cache(cache_vars) ca.install_step_0(False, None, options, custodia=custodia) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) if not options.no_pkinit: x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM) else: with open(paths.KDC_CA_BUNDLE_PEM, 'w'): pass os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444) x509.write_certificate(http_ca_cert, paths.CA_BUNDLE_PEM) os.chmod(paths.CA_BUNDLE_PEM, 0o444) # we now need to enable ssl on the ds ds.enable_ssl() if setup_ca: ca.install_step_1(False, None, options, custodia=custodia) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance( realm_name, host_name, domain_name, dm_password, pkcs12_info=http_pkcs12_info, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance( realm_name, host_name, domain_name, dm_password, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) ca.set_subject_base_in_config(options.subject_base) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() if options.setup_kra: kra.install(api, None, options, custodia=custodia) if options.setup_dns: dns.install(False, False, options) if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script service.print_msg("Configuring client side components") try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name, "--no-ntp"] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") start = time.time() run(args, redirect_output=True) dur = time.time() - start logger.debug("Client install duration: %0.3f", dur, extra={'timing': ('clientinstall', None, None, dur)}) print() except Exception: raise ScriptError("Configuration of client side components failed!") # Enable configured services and update DNS SRV records service.enable_services(host_name) api.Command.dns_update_system_records() if not options.setup_dns: # After DNS and AD trust are configured and services are # enabled, create a dummy instance to dump DNS configuration. bind = bindinstance.BindInstance(fstore) bind.create_file_with_system_records() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() print("=======================================" "=======================================") print("Setup complete") print("") print("Next steps:") print("\t1. You must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 80, 443: HTTP/HTTPS") print("\t\t * 389, 636: LDAP/LDAPS") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") if not options.no_ntp: print("\t\t * 123: ntp") print("") print("\t2. You can now obtain a kerberos ticket using the command: " "'kinit admin'") print("\t This ticket will allow you to use the IPA tools (e.g., ipa " "user-add)") print("\t and the web user interface.") if not services.knownservices.chronyd.is_running(): print("\t3. Kerberos requires time synchronization between clients") print("\t and servers for correct operation. You should consider " "enabling chronyd.") print("") if setup_ca: print(("Be sure to back up the CA certificates stored in " + paths.CACERT_P12)) print("These files are required to create replicas. The password for " "these") print("files is the Directory Manager password") if os.path.isfile(paths.ROOT_IPA_CACHE): os.remove(paths.ROOT_IPA_CACHE)
def __init__(self, registry): super(DSPlugin, self).__init__(registry) self.ds = self.ds = dsinstance.DsInstance() self.conn = api.Backend.ldap2