def install(standalone, replica, options, api=api): fstore = sysrestore.FileStore(paths.SYSRESTORE) if standalone: # otherwise this is done by server/replica installer update_hosts_file(ip_addresses, api.env.host, fstore) bind = bindinstance.BindInstance(fstore, api=api) bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, options.forwarders, options.forward_policy, reverse_zones, zonemgr=options.zonemgr, no_dnssec_validation=options.no_dnssec_validation) if standalone and not options.unattended: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") bind.create_instance() print("Restarting the web server to pick up resolv.conf changes") services.knownservices.httpd.restart(capture_output=True) # on dnssec master this must be installed last dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore) dnskeysyncd.create_instance(api.env.host, api.env.realm) if options.dnssec_master: ods = opendnssecinstance.OpenDNSSECInstance(fstore) ods_exporter = odsexporterinstance.ODSExporterInstance(fstore) ods_exporter.create_instance(api.env.host, api.env.realm) ods.create_instance(api.env.host, api.env.realm, kasp_db_file=options.kasp_db_file) elif options.disable_dnssec_master: _disable_dnssec() dnskeysyncd.start_dnskeysyncd() bind.start_named() # this must be done when bind is started and operational bind.update_system_records() if standalone: print("==============================================================================") print("Setup complete") print("") bind.check_global_configuration() print("") print("") print("\tYou must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 53: bind") elif not standalone and replica: print("") bind.check_global_configuration() print("")
def named_test_template(host): # create bind instance to get a substitution dict bind = bindinstance.BindInstance() bind.setup_templating( fqdn=host.hostname, realm_name=host.domain.realm, domain_name=host.domain.name, ) sub_dict = bind.sub_dict.copy() sub_dict.update(BINDKEYS_FILE="/etc/named.iscdlv.key") return template_str(OLD_NAMED_TEMPLATE, sub_dict)
def uninstall(): fstore = sysrestore.FileStore(paths.SYSRESTORE) ods = opendnssecinstance.OpenDNSSECInstance(fstore) if ods.is_configured(): ods.uninstall() ods_exporter = odsexporterinstance.ODSExporterInstance(fstore) if ods_exporter.is_configured(): ods_exporter.uninstall() bind = bindinstance.BindInstance(fstore) if bind.is_configured(): bind.uninstall() dnskeysync = dnskeysyncinstance.DNSKeySyncInstance(fstore) if dnskeysync.is_configured(): dnskeysync.uninstall()
def install_dns_records(config, options, remote_api, fstore=None): if not bindinstance.dns_container_exists( ipautil.realm_to_suffix(config.realm_name)): return try: bind = bindinstance.BindInstance(api=remote_api, fstore=fstore) for ip in config.ips: reverse_zone = bindinstance.find_reverse_zone(ip, remote_api) bind.add_master_dns_records(config.host_name, str(ip), config.realm_name, config.domain_name, reverse_zone) except errors.NotFound as e: logger.debug('Replica DNS records could not be added ' 'on master: %s', str(e)) # we should not fail here no matter what except Exception as e: logger.info('Replica DNS records could not be added ' 'on master: %s', str(e))
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info http_ca_cert = installer._ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_addresses setup_ca = options.setup_ca # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False if installer.interactive: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") # set hostname (transient and static) if user instructed us to do so if options._host_name_overridden: tasks.backup_hostname(fstore, sstore) tasks.set_hostname(host_name) if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) # Make sure tmpfiles dir exist before installing components tasks.create_tmpfiles_dirs() # Create a directory server instance if not options.external_cert_files: # Configure ntpd if not options.no_ntp: ipaclient.install.ntpconf.force_ntpd(sstore) ntp = ntpinstance.NTPInstance(fstore) if not ntp.is_configured(): ntp.create_instance() if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow) ntpinstance.ntp_ldap_enable(host_name, ds.suffix, realm_name) else: api.Backend.ldap2.connect() ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) installer._ds = ds ds.init_info(realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None) krb = krbinstance.KrbInstance(fstore) krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject_base) if setup_ca: if not options.external_cert_files and options.external_ca: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.reverse_zones = dns.reverse_zones cache_vars = { n: options.__dict__[n] for o, n in installer.knobs() if n in options.__dict__ } write_cache(cache_vars) ca.install_step_0(False, None, options) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) # we now need to enable ssl on the ds ds.enable_ssl() if setup_ca: ca.install_step_1(False, None, options) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) custodia = custodiainstance.CustodiaInstance(host_name, realm_name) custodia.create_instance() # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance(realm_name, host_name, domain_name, pkcs12_info=http_pkcs12_info, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance(realm_name, host_name, domain_name, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) tasks.restore_context(paths.CACHE_IPA_SESSIONS) ca.set_subject_base_in_config(options.subject_base) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() if options.setup_kra: kra.install(api, None, options) if options.setup_dns: dns.install(False, False, options) else: # Create a BIND instance bind = bindinstance.BindInstance(fstore) bind.setup(host_name, ip_addresses, realm_name, domain_name, (), 'first', (), zonemgr=options.zonemgr, no_dnssec_validation=options.no_dnssec_validation) bind.create_file_with_system_records() if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script service.print_msg("Configuring client side components") try: args = [ paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name ] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") run(args, redirect_output=True) print() except Exception: raise ScriptError("Configuration of client side components failed!") # Make sure the files we crated in /var/run are recreated at startup tasks.configure_tmpfiles() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() print("=======================================" "=======================================") print("Setup complete") print("") print("Next steps:") print("\t1. You must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 80, 443: HTTP/HTTPS") print("\t\t * 389, 636: LDAP/LDAPS") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") if not options.no_ntp: print("\t\t * 123: ntp") print("") print("\t2. You can now obtain a kerberos ticket using the command: " "'kinit admin'") print("\t This ticket will allow you to use the IPA tools (e.g., ipa " "user-add)") print("\t and the web user interface.") if not services.knownservices.ntpd.is_running(): print("\t3. Kerberos requires time synchronization between clients") print("\t and servers for correct operation. You should consider " "enabling ntpd.") print("") if setup_ca: print(("Be sure to back up the CA certificates stored in " + paths.CACERT_P12)) print("These files are required to create replicas. The password for " "these") print("files is the Directory Manager password") else: print( "In order for Firefox autoconfiguration to work you will need to") print("use a SSL signing certificate. See the IPA documentation for " "more details.") if ipautil.file_exists(paths.ROOT_IPA_CACHE): os.remove(paths.ROOT_IPA_CACHE)
def install_step_1(standalone, replica_config, options, custodia): if replica_config is not None and not replica_config.setup_ca: return realm_name = options.realm_name host_name = options.host_name subject_base = options._subject_base basedn = ipautil.realm_to_suffix(realm_name) ca = cainstance.CAInstance(realm=realm_name, host_name=host_name, custodia=custodia) ca.stop('pki-tomcat') # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db() # Lightweight CA key retrieval is configured in step 1 instead # of CAInstance.configure_instance (which is invoked from step # 0) because kadmin_addprinc fails until krb5.conf is installed # by krb.create_instance. # ca.setup_lightweight_ca_key_retrieval() serverid = ipaldap.realm_to_serverid(realm_name) if standalone and replica_config is None: dirname = dsinstance.config_dirname(serverid) # Store the new IPA CA cert chain in DS NSS database and LDAP cadb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR, subject_base=subject_base) dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base) cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca') nickname = certdb.get_ca_nickname(realm_name) trust_flags = certdb.IPA_CA_TRUST_FLAGS dsdb.add_cert(cacert, nickname, trust_flags) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cacert, nickname, trust_flags, config_ipa=True, config_compat=True) # Store DS CA cert in Dogtag NSS database trust_flags = dict(reversed(dsdb.list_certs())) server_certs = dsdb.find_server_certs() trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1] nickname = trust_chain[-1] cert = dsdb.get_cert_from_db(nickname) cadb.add_cert(cert, nickname, trust_flags[nickname]) installutils.restart_dirsrv() ca.start('pki-tomcat') if standalone or replica_config is not None: # We need to restart apache as we drop a new config file in there services.knownservices.httpd.restart(capture_output=True) if standalone: # Install CA DNS records if bindinstance.dns_container_exists(basedn): bind = bindinstance.BindInstance() bind.update_system_records()
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info http_ca_cert = installer._ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_addresses setup_ca = options.setup_ca # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False if installer.interactive: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") # set hostname (transient and static) if user instructed us to do so if options._host_name_overridden: tasks.backup_hostname(fstore, sstore) tasks.set_hostname(host_name) if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) if tasks.configure_pkcs11_modules(fstore): print("Disabled p11-kit-proxy") # Create a directory server instance if not options.external_cert_files: # We have to sync time before certificate handling on master. # As chrony configuration is moved from client here, unconfiguration of # chrony will be handled here in uninstall() method as well by invoking # the ipa-server-install --uninstall if not options.no_ntp and not sync_time( options.ntp_servers, options.ntp_pool, fstore, sstore): print("Warning: IPA was unable to sync time with chrony!") print(" Time synchronization is required for IPA " "to work correctly") if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: api.Backend.ldap2.connect() ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) installer._ds = ds ds.init_info( realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None, setup_pkinit=not options.no_pkinit) krb = krbinstance.KrbInstance(fstore) if not options.external_cert_files: krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject_base) else: krb.init_info(realm_name, host_name, setup_pkinit=not options.no_pkinit, subject_base=options.subject_base) custodia = custodiainstance.get_custodia_instance( options, custodiainstance.CustodiaModes.FIRST_MASTER) custodia.create_instance() if setup_ca: if not options.external_cert_files and options.external_ca: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.reverse_zones = dns.reverse_zones cache_vars = {n: options.__dict__[n] for o, n in installer.knobs() if n in options.__dict__} write_cache(cache_vars) ca.install_step_0(False, None, options, custodia=custodia) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) if not options.no_pkinit: x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM) else: with open(paths.KDC_CA_BUNDLE_PEM, 'w'): pass os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444) x509.write_certificate(http_ca_cert, paths.CA_BUNDLE_PEM) os.chmod(paths.CA_BUNDLE_PEM, 0o444) # we now need to enable ssl on the ds ds.enable_ssl() if setup_ca: ca.install_step_1(False, None, options, custodia=custodia) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance( realm_name, host_name, domain_name, dm_password, pkcs12_info=http_pkcs12_info, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance( realm_name, host_name, domain_name, dm_password, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) ca.set_subject_base_in_config(options.subject_base) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() if options.setup_kra: kra.install(api, None, options, custodia=custodia) if options.setup_dns: dns.install(False, False, options) if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script service.print_msg("Configuring client side components") try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name, "--no-ntp"] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") start = time.time() run(args, redirect_output=True) dur = time.time() - start logger.debug("Client install duration: %0.3f", dur, extra={'timing': ('clientinstall', None, None, dur)}) print() except Exception: raise ScriptError("Configuration of client side components failed!") # Enable configured services and update DNS SRV records service.enable_services(host_name) api.Command.dns_update_system_records() if not options.setup_dns: # After DNS and AD trust are configured and services are # enabled, create a dummy instance to dump DNS configuration. bind = bindinstance.BindInstance(fstore) bind.create_file_with_system_records() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() print("=======================================" "=======================================") print("Setup complete") print("") print("Next steps:") print("\t1. You must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 80, 443: HTTP/HTTPS") print("\t\t * 389, 636: LDAP/LDAPS") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") if not options.no_ntp: print("\t\t * 123: ntp") print("") print("\t2. You can now obtain a kerberos ticket using the command: " "'kinit admin'") print("\t This ticket will allow you to use the IPA tools (e.g., ipa " "user-add)") print("\t and the web user interface.") if not services.knownservices.chronyd.is_running(): print("\t3. Kerberos requires time synchronization between clients") print("\t and servers for correct operation. You should consider " "enabling chronyd.") print("") if setup_ca: print(("Be sure to back up the CA certificates stored in " + paths.CACERT_P12)) print("These files are required to create replicas. The password for " "these") print("files is the Directory Manager password") if os.path.isfile(paths.ROOT_IPA_CACHE): os.remove(paths.ROOT_IPA_CACHE)
def install_step_1(standalone, replica_config, options): realm_name = options.realm_name dm_password = options.dm_password host_name = options.host_name subject_base = options.subject basedn = ipautil.realm_to_suffix(realm_name) ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name) if standalone: ca.stop('pki-tomcat') # We need to ldap_enable the CA now that DS is up and running if replica_config is None: config = ['caRenewalMaster'] else: config = [] ca.ldap_enable('CA', host_name, dm_password, basedn, config) # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) # Lightweight CA key retrieval is configured in step 1 instead # of CAInstance.configure_instance (which is invoked from step # 0) because kadmin_addprinc fails until krb5.conf is installed # by krb.create_instance. # ca.setup_lightweight_ca_key_retrieval() if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) dirname = dsinstance.config_dirname(serverid) # Store the new IPA CA cert chain in DS NSS database and LDAP cadb = certs.CertDB(realm_name, subject_base=subject_base) dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base) trust_flags = dict(reversed(cadb.list_certs())) trust_chain = cadb.find_root_cert('ipaCert')[:-1] for nickname in trust_chain[:-1]: cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname]) nickname = trust_chain[-1] cert = cadb.get_cert_from_db(nickname, pem=False) dsdb.add_cert(cert, nickname, trust_flags[nickname]) certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags[nickname], config_ipa=True, config_compat=True) api.Backend.ldap2.disconnect() # Restart DS services.knownservices.dirsrv.restart(serverid) api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) # Store DS CA cert in Dogtag NSS database dogtagdb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR) trust_flags = dict(reversed(dsdb.list_certs())) server_certs = dsdb.find_server_certs() trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1] nickname = trust_chain[-1] cert = dsdb.get_cert_from_db(nickname) dogtagdb.add_cert(cert, nickname, trust_flags[nickname]) if standalone: ca.start('pki-tomcat') # We need to restart apache as we drop a new config file in there services.knownservices.httpd.restart(capture_output=True) # Install CA DNS records if bindinstance.dns_container_exists(host_name, basedn, dm_password): bind = bindinstance.BindInstance(dm_password=dm_password) bind.update_system_records()