def _run(self): super(KRAInstaller, self).run() print dedent(self.INSTALLER_START_MESSAGE) if not self.installing_replica: replica_config = None else: replica_config = create_replica_config( self.options.password, self.replica_file, self.options) self.options.dm_password = self.options.password self.options.setup_ca = False api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'), bind_pw=self.options.dm_password) try: kra.install_check(api, replica_config, self.options) except RuntimeError as e: raise admintool.ScriptError(str(e)) kra.install(api, replica_config, self.options) # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True)
def _run(self): super(KRAInstaller, self).run() print dedent(self.INSTALLER_START_MESSAGE) if not self.installing_replica: replica_config = None else: replica_config = create_replica_config( self.options.password, self.replica_file, self.options) self.options.setup_ca = False try: kra.install_check(replica_config, self.options, api.env.enable_kra, int(api.env.dogtag_version)) except RuntimeError as e: raise admintool.ScriptError(str(e)) kra.install(replica_config, self.options, self.options.password) # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True)
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info http_ca_cert = installer._ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_addresses setup_ca = options.setup_ca # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False if installer.interactive: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") # set hostname (transient and static) if user instructed us to do so if options._host_name_overridden: tasks.backup_hostname(fstore, sstore) tasks.set_hostname(host_name) if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) # Create a directory server instance if not options.external_cert_files: # We have to sync time before certificate handling on master. # As chrony configuration is moved from client here, unconfiguration of # chrony will be handled here in uninstall() method as well by invoking # the ipa-server-install --uninstall if not options.no_ntp: if not ipaclient.install.client.sync_time(options, fstore, sstore): print("Warning: IPA was unable to sync time with chrony!") print(" Time synchronization is required for IPA " "to work correctly") if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: api.Backend.ldap2.connect() ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) installer._ds = ds ds.init_info( realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None, setup_pkinit=not options.no_pkinit) krb = krbinstance.KrbInstance(fstore) if not options.external_cert_files: krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject_base) else: krb.init_info(realm_name, host_name, setup_pkinit=not options.no_pkinit, subject_base=options.subject_base) custodia = custodiainstance.get_custodia_instance( options, custodiainstance.CustodiaModes.FIRST_MASTER) custodia.create_instance() if setup_ca: if not options.external_cert_files and options.external_ca: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.reverse_zones = dns.reverse_zones cache_vars = {n: options.__dict__[n] for o, n in installer.knobs() if n in options.__dict__} write_cache(cache_vars) ca.install_step_0(False, None, options, custodia=custodia) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) if not options.no_pkinit: x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM) else: with open(paths.KDC_CA_BUNDLE_PEM, 'w'): pass os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444) x509.write_certificate(http_ca_cert, paths.CA_BUNDLE_PEM) os.chmod(paths.CA_BUNDLE_PEM, 0o444) # we now need to enable ssl on the ds ds.enable_ssl() if setup_ca: ca.install_step_1(False, None, options, custodia=custodia) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance( realm_name, host_name, domain_name, dm_password, pkcs12_info=http_pkcs12_info, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance( realm_name, host_name, domain_name, dm_password, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) ca.set_subject_base_in_config(options.subject_base) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() if options.setup_kra: kra.install(api, None, options, custodia=custodia) if options.setup_dns: dns.install(False, False, options) if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script service.print_msg("Configuring client side components") try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name, "--no-ntp"] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") start = time.time() run(args, redirect_output=True) dur = time.time() - start logger.debug("Client install duration: %0.3f", dur, extra={'timing': ('clientinstall', None, None, dur)}) print() except Exception: raise ScriptError("Configuration of client side components failed!") # Enable configured services and update DNS SRV records service.enable_services(host_name) api.Command.dns_update_system_records() if not options.setup_dns: # After DNS and AD trust are configured and services are # enabled, create a dummy instance to dump DNS configuration. bind = bindinstance.BindInstance(fstore) bind.create_file_with_system_records() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() print("=======================================" "=======================================") print("Setup complete") print("") print("Next steps:") print("\t1. You must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 80, 443: HTTP/HTTPS") print("\t\t * 389, 636: LDAP/LDAPS") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") if not options.no_ntp: print("\t\t * 123: ntp") print("") print("\t2. You can now obtain a kerberos ticket using the command: " "'kinit admin'") print("\t This ticket will allow you to use the IPA tools (e.g., ipa " "user-add)") print("\t and the web user interface.") if not services.knownservices.chronyd.is_running(): print("\t3. Kerberos requires time synchronization between clients") print("\t and servers for correct operation. You should consider " "enabling chronyd.") print("") if setup_ca: print(("Be sure to back up the CA certificates stored in " + paths.CACERT_P12)) print("These files are required to create replicas. The password for " "these") print("files is the Directory Manager password") if os.path.isfile(paths.ROOT_IPA_CACHE): os.remove(paths.ROOT_IPA_CACHE)
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info http_ca_cert = installer._ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_addresses setup_ca = options.setup_ca # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False if installer.interactive: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") # set hostname (transient and static) if user instructed us to do so if options._host_name_overridden: tasks.backup_hostname(fstore, sstore) tasks.set_hostname(host_name) if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) # Make sure tmpfiles dir exist before installing components tasks.create_tmpfiles_dirs() # Create a directory server instance if not options.external_cert_files: # Configure ntpd if not options.no_ntp: ipaclient.install.ntpconf.force_ntpd(sstore) ntp = ntpinstance.NTPInstance(fstore) if not ntp.is_configured(): ntp.create_instance() if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow) ntpinstance.ntp_ldap_enable(host_name, ds.suffix, realm_name) else: api.Backend.ldap2.connect() ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) installer._ds = ds ds.init_info(realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None) krb = krbinstance.KrbInstance(fstore) krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject_base) if setup_ca: if not options.external_cert_files and options.external_ca: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.reverse_zones = dns.reverse_zones cache_vars = { n: options.__dict__[n] for o, n in installer.knobs() if n in options.__dict__ } write_cache(cache_vars) ca.install_step_0(False, None, options) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) # we now need to enable ssl on the ds ds.enable_ssl() if setup_ca: ca.install_step_1(False, None, options) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) custodia = custodiainstance.CustodiaInstance(host_name, realm_name) custodia.create_instance() # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance(realm_name, host_name, domain_name, pkcs12_info=http_pkcs12_info, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance(realm_name, host_name, domain_name, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) tasks.restore_context(paths.CACHE_IPA_SESSIONS) ca.set_subject_base_in_config(options.subject_base) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() if options.setup_kra: kra.install(api, None, options) if options.setup_dns: dns.install(False, False, options) else: # Create a BIND instance bind = bindinstance.BindInstance(fstore) bind.setup(host_name, ip_addresses, realm_name, domain_name, (), 'first', (), zonemgr=options.zonemgr, no_dnssec_validation=options.no_dnssec_validation) bind.create_file_with_system_records() if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script service.print_msg("Configuring client side components") try: args = [ paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name ] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") run(args, redirect_output=True) print() except Exception: raise ScriptError("Configuration of client side components failed!") # Make sure the files we crated in /var/run are recreated at startup tasks.configure_tmpfiles() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() print("=======================================" "=======================================") print("Setup complete") print("") print("Next steps:") print("\t1. You must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 80, 443: HTTP/HTTPS") print("\t\t * 389, 636: LDAP/LDAPS") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") if not options.no_ntp: print("\t\t * 123: ntp") print("") print("\t2. You can now obtain a kerberos ticket using the command: " "'kinit admin'") print("\t This ticket will allow you to use the IPA tools (e.g., ipa " "user-add)") print("\t and the web user interface.") if not services.knownservices.ntpd.is_running(): print("\t3. Kerberos requires time synchronization between clients") print("\t and servers for correct operation. You should consider " "enabling ntpd.") print("") if setup_ca: print(("Be sure to back up the CA certificates stored in " + paths.CACERT_P12)) print("These files are required to create replicas. The password for " "these") print("files is the Directory Manager password") else: print( "In order for Firefox autoconfiguration to work you will need to") print("use a SSL signing certificate. See the IPA documentation for " "more details.") if ipautil.file_exists(paths.ROOT_IPA_CACHE): os.remove(paths.ROOT_IPA_CACHE)
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info http_ca_cert = installer._ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_addresses setup_ca = options.setup_ca # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False if installer.interactive: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") # set hostname (transient and static) if user instructed us to do so if options._host_name_overridden: tasks.backup_hostname(fstore, sstore) tasks.set_hostname(host_name) if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) if tasks.configure_pkcs11_modules(fstore): print("Disabled p11-kit-proxy") # Create a directory server instance if not options.external_cert_files: # We have to sync time before certificate handling on master. # As chrony configuration is moved from client here, unconfiguration of # chrony will be handled here in uninstall() method as well by invoking # the ipa-server-install --uninstall if not options.no_ntp and not sync_time( options.ntp_servers, options.ntp_pool, fstore, sstore): print("Warning: IPA was unable to sync time with chrony!") print(" Time synchronization is required for IPA " "to work correctly") if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject_base, ca_subject=options.ca_subject, hbac_allow=not options.no_hbac_allow, setup_pkinit=not options.no_pkinit) else: api.Backend.ldap2.connect() ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) installer._ds = ds ds.init_info( realm_name, host_name, domain_name, dm_password, options.subject_base, options.ca_subject, 1101, 1100, None, setup_pkinit=not options.no_pkinit) krb = krbinstance.KrbInstance(fstore) if not options.external_cert_files: krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject_base) else: krb.init_info(realm_name, host_name, setup_pkinit=not options.no_pkinit, subject_base=options.subject_base) custodia = custodiainstance.get_custodia_instance( options, custodiainstance.CustodiaModes.FIRST_MASTER) custodia.create_instance() if setup_ca: if not options.external_cert_files and options.external_ca: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.reverse_zones = dns.reverse_zones cache_vars = {n: options.__dict__[n] for o, n in installer.knobs() if n in options.__dict__} write_cache(cache_vars) ca.install_step_0(False, None, options, custodia=custodia) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) if not options.no_pkinit: x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM) else: with open(paths.KDC_CA_BUNDLE_PEM, 'w'): pass os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444) x509.write_certificate(http_ca_cert, paths.CA_BUNDLE_PEM) os.chmod(paths.CA_BUNDLE_PEM, 0o444) # we now need to enable ssl on the ds ds.enable_ssl() if setup_ca: ca.install_step_1(False, None, options, custodia=custodia) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance( realm_name, host_name, domain_name, dm_password, pkcs12_info=http_pkcs12_info, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance( realm_name, host_name, domain_name, dm_password, subject_base=options.subject_base, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) ca.set_subject_base_in_config(options.subject_base) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() if options.setup_kra: kra.install(api, None, options, custodia=custodia) if options.setup_dns: dns.install(False, False, options) if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script service.print_msg("Configuring client side components") try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name, "--no-ntp"] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") start = time.time() run(args, redirect_output=True) dur = time.time() - start logger.debug("Client install duration: %0.3f", dur, extra={'timing': ('clientinstall', None, None, dur)}) print() except Exception: raise ScriptError("Configuration of client side components failed!") # Enable configured services and update DNS SRV records service.enable_services(host_name) api.Command.dns_update_system_records() if not options.setup_dns: # After DNS and AD trust are configured and services are # enabled, create a dummy instance to dump DNS configuration. bind = bindinstance.BindInstance(fstore) bind.create_file_with_system_records() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() print("=======================================" "=======================================") print("Setup complete") print("") print("Next steps:") print("\t1. You must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 80, 443: HTTP/HTTPS") print("\t\t * 389, 636: LDAP/LDAPS") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") if not options.no_ntp: print("\t\t * 123: ntp") print("") print("\t2. You can now obtain a kerberos ticket using the command: " "'kinit admin'") print("\t This ticket will allow you to use the IPA tools (e.g., ipa " "user-add)") print("\t and the web user interface.") if not services.knownservices.chronyd.is_running(): print("\t3. Kerberos requires time synchronization between clients") print("\t and servers for correct operation. You should consider " "enabling chronyd.") print("") if setup_ca: print(("Be sure to back up the CA certificates stored in " + paths.CACERT_P12)) print("These files are required to create replicas. The password for " "these") print("files is the Directory Manager password") if os.path.isfile(paths.ROOT_IPA_CACHE): os.remove(paths.ROOT_IPA_CACHE)
def install(options): global dirsrv_pkcs12_info global http_pkcs12_info global pkinit_pkcs12_info global external_cert_file global external_ca_file global http_ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_address setup_ca = options.setup_ca setup_kra = options.setup_kra global ds global installation_cleanup # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installation_cleanup = False # Configuration for ipalib, we will bootstrap and finalize later, after # we are sure we have the configuration file ready. cfg = dict( context='installer', in_server=True, debug=options.debug ) # Figure out what external CA step we're in. See cainstance.py for more # info on the 3 states. if options.external_cert_files: external = 2 elif options.external_ca: external = 1 else: external = 0 # Create the management framework config file and finalize api target_fname = paths.IPA_DEFAULT_CONF fd = open(target_fname, "w") fd.write("[global]\n") fd.write("host=%s\n" % host_name) fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name)) fd.write("realm=%s\n" % realm_name) fd.write("domain=%s\n" % domain_name) fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name)) fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % installutils.realm_to_serverid(realm_name)) if setup_ca: fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") fd.write("dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION) else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") fd.write("enable_kra=%s\n" % setup_kra) fd.write("mode=production\n") fd.close() # Must be readable for everyone os.chmod(target_fname, 0644) if not options.unattended: print "" print "The following operations may take some minutes to complete." print "Please wait until the prompt is returned." print "" system_hostname = get_fqdn() if host_name != system_hostname: root_logger.debug("Chosen hostname (%s) differs from system hostname " "(%s) - change it" % (host_name, system_hostname)) # configure /etc/sysconfig/network to contain the custom hostname tasks.backup_and_replace_hostname(fstore, sstore, host_name) # update `api.env.ca_host` to correct hostname # https://fedorahosted.org/freeipa/ticket/4936 api.env.ca_host = host_name api.bootstrap(**cfg) if setup_ca: # ensure profile backend is available import ipaserver.plugins.dogtag api.finalize() # Create DS user/group if it doesn't exist yet dsinstance.create_ds_user() # Create a directory server instance if external != 2: # Configure ntpd if options.conf_ntp: ipaclient.ntpconf.force_ntpd(sstore) ntp = ntpinstance.NTPInstance(fstore) if not ntp.is_configured(): ntp.create_instance() if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject, hbac_allow=not options.hbac_allow) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject, hbac_allow=not options.hbac_allow) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) ds.init_info( realm_name, host_name, domain_name, dm_password, options.subject, 1101, 1100, None) if setup_ca: ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, dogtag_constants=dogtag.install_constants) if external == 0: ca.configure_instance( host_name, domain_name, dm_password, dm_password, subject_base=options.subject, ca_signing_algorithm=options.ca_signing_algorithm) elif external == 1: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.unattended = True options.forwarders = dns.dns_forwarders options.reverse_zones = dns.reverse_zones write_cache(vars(options)) ca.configure_instance( host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, subject_base=options.subject, ca_signing_algorithm=options.ca_signing_algorithm, ca_type=options.external_ca_type) else: # stage 2 of external CA installation ca.configure_instance( host_name, domain_name, dm_password, dm_password, cert_file=external_cert_file.name, cert_chain_file=external_ca_file.name, subject_base=options.subject, ca_signing_algorithm=options.ca_signing_algorithm) # Now put the CA cert where other instances exepct it ca.publish_ca_cert(CACERT) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, CACERT) os.chmod(CACERT, 0444) # we now need to enable ssl on the ds ds.enable_ssl() if setup_ca: # We need to ldap_enable the CA now that DS is up and running ca.ldap_enable('CA', host_name, dm_password, ipautil.realm_to_suffix(realm_name), ['caRenewalMaster']) # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(ca.dogtag_constants.CS_CFG_PATH) krb = krbinstance.KrbInstance(fstore) if options.pkinit_cert_files: krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=options.setup_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject) else: krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=options.setup_pkinit, subject_base=options.subject) # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() memcache = memcacheinstance.MemcacheInstance() memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance( realm_name, host_name, domain_name, dm_password, pkcs12_info=http_pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect, ca_is_configured=setup_ca) else: http.create_instance( realm_name, host_name, domain_name, dm_password, subject_base=options.subject, auto_redirect=options.ui_redirect, ca_is_configured=setup_ca) tasks.restore_context(paths.CACHE_IPA_SESSIONS) # Export full CA chain ca_db = certs.CertDB(realm_name) os.chmod(CACERT, 0644) ca_db.publish_ca_cert(CACERT) set_subject_in_config(realm_name, dm_password, ipautil.realm_to_suffix(realm_name), options.subject) # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart ds and krb after configurations have been changed service.print_msg("Restarting the directory server") ds.restart() service.print_msg("Restarting the KDC") krb.restart() if setup_ca: service.print_msg("Restarting the certificate server") ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) service.print_msg("Importing certificate profiles") cainstance.import_included_profiles() if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, False, options) else: # Create a BIND instance bind = bindinstance.BindInstance(fstore, dm_password) bind.setup(host_name, ip_addresses, realm_name, domain_name, (), options.conf_ntp, (), zonemgr=options.zonemgr, ca_configured=setup_ca, no_dnssec_validation=options.no_dnssec_validation) bind.create_sample_bind_zone() # Restart httpd to pick up the new IPA configuration service.print_msg("Restarting the web server") http.restart() if setup_kra: kra.install(None, options, dm_password) # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name] if not options.create_sshfp: args.append("--no-dns-sshfp") if options.trust_sshfp: args.append("--ssh-trust-dns") if not options.conf_ssh: args.append("--no-ssh") if not options.conf_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") run(args) except Exception, e: sys.exit("Configuration of client side components failed!\n" "ipa-client-install returned: " + str(e))
def install(filename, options): global config dogtag_constants = dogtag.install_constants # Create the management framework config file # Note: We must do this before bootstraping and finalizing ipalib.api old_umask = os.umask(022) # must be readable for httpd try: fd = open(paths.IPA_DEFAULT_CONF, "w") fd.write("[global]\n") fd.write("host=%s\n" % config.host_name) fd.write("basedn=%s\n" % str(ipautil.realm_to_suffix(config.realm_name))) fd.write("realm=%s\n" % config.realm_name) fd.write("domain=%s\n" % config.domain_name) fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(config.host_name)) fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % installutils.realm_to_serverid(config.realm_name)) if ipautil.file_exists(config.dir + "/cacert.p12"): fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION) else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") fd.write("enable_kra=%s\n" % config.setup_kra) fd.write("mode=production\n") fd.close() finally: os.umask(old_umask) api.bootstrap(in_server=True, context='installer') api.finalize() # Create DS user/group if it doesn't exist yet dsinstance.create_ds_user() cafile = config.dir + "/ca.crt" ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name) remote_api = create_api(mode=None) remote_api.bootstrap(in_server=True, context='installer', ldap_uri=ldapuri, basedn=DN()) remote_api.finalize() conn = remote_api.Backend.ldap2 replman = None try: try: # Try out the password conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, tls_cacertfile=cafile) replman = ReplicationManager(config.realm_name, config.master_host_name, config.dirman_password) # Check that we don't already have a replication agreement try: (agreement_cn, agreement_dn) = replman.agreement_dn( config.host_name) entry = conn.get_entry(agreement_dn, ['*']) except errors.NotFound: pass else: root_logger.info('Error: A replication agreement for this ' 'host already exists.') print('A replication agreement for this host already exists. ' 'It needs to be removed.') print "Run this on the master that generated the info file:" print(" %% ipa-replica-manage del %s --force" % config.host_name) sys.exit(3) # Detect the current domain level try: current = remote_api.Command['domainlevel_get']()['result'] except errors.NotFound: # If we're joining an older master, domain entry is not # available current = 0 # Detect if current level is out of supported range # for this IPA version under_lower_bound = current < constants.MIN_DOMAIN_LEVEL above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: message = ("This version of FreeIPA does not support " "the Domain Level which is currently set for " "this domain. The Domain Level needs to be " "raised before installing a replica with " "this version is allowed to be installed " "within this domain.") root_logger.error(message) print(message) sys.exit(3) # Check pre-existing host entry try: entry = conn.find_entries(u'fqdn=%s' % config.host_name, ['fqdn'], DN(api.env.container_host, api.env.basedn)) except errors.NotFound: pass else: root_logger.info('Error: Host %s already exists on the master ' 'server.' % config.host_name) print('The host %s already exists on the master server.' % config.host_name) print "You should remove it before proceeding:" print " %% ipa host-del %s" % config.host_name sys.exit(3) # Install CA cert so that we can do SSL connections with ldap install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) dns_masters = remote_api.Object['dnsrecord'].get_dns_masters() if dns_masters: if not options.no_host_dns: master = config.master_host_name root_logger.debug('Check forward/reverse DNS resolution') resolution_ok = ( check_dns_resolution(master, dns_masters) and check_dns_resolution(config.host_name, dns_masters)) if not resolution_ok and not options.unattended: if not ipautil.user_input("Continue?", False): sys.exit(0) else: root_logger.debug('No IPA DNS servers, ' 'skipping forward/reverse resolution check') except errors.ACIError: sys.exit("\nThe password provided is incorrect for LDAP server " "%s" % config.master_host_name) except errors.LDAPError: sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name) finally: if replman and replman.conn: replman.conn.unbind() # Configure ntpd if options.conf_ntp: ipaclient.ntpconf.force_ntpd(sstore) ntp = ntpinstance.NTPInstance() ntp.create_instance() # Configure dirsrv ds = install_replica_ds(config) # Always try to install DNS records install_dns_records(config, options, remote_api) finally: if conn.isconnected(): conn.disconnect() if config.setup_ca: options.realm_name = config.realm_name options.domain_name = config.domain_name options.dm_password = config.dirman_password options.host_name = config.host_name ca.install(False, config, options) krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg("Applying LDAP updates") ds.apply_updates() if options.setup_kra: kra.install(config, options, config.dirman_password) else: service.print_msg("Restarting the directory server") ds.restart() service.print_msg("Restarting the KDC") krb.restart() if config.setup_ca: dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME] dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME) if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, True, options) # Restart httpd to pick up the new IPA configuration service.print_msg("Restarting the web server") http.restart() # Call client install script try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name] if not options.create_sshfp: args.append("--no-dns-sshfp") if options.trust_sshfp: args.append("--ssh-trust-dns") if not options.conf_ssh: args.append("--no-ssh") if not options.conf_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") ipautil.run(args) except Exception, e: print "Configuration of client side components failed!" print "ipa-client-install returned: " + str(e) raise RuntimeError("Failed to configure the client")
def install(installer): options = installer ca_enabled = installer._ca_enabled kra_enabled = installer._kra_enabled fstore = installer._fstore config = installer._config cafile = installer._ca_file dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info remote_api = installer._remote_api conn = remote_api.Backend.ldap2 ccache = os.environ['KRB5CCNAME'] if installer._add_to_ipaservers: try: conn.connect(ccache=installer._ccache) remote_api.Command['hostgroup_add_member']( u'ipaservers', host=[unicode(api.env.host)], ) finally: if conn.isconnected(): conn.disconnect() os.environ['KRB5CCNAME'] = ccache config.dirman_password = ipautil.ipa_generate_password() # FIXME: allow to use passed in certs instead if ca_enabled: configure_certmonger() try: conn.connect(ccache=ccache) # Update and istall updated CA file cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.KDC_CA_BUNDLE_PEM) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.CA_BUNDLE_PEM) # Configure dirsrv ds = install_replica_ds(config, options, ca_enabled, remote_api, ca_file=cafile, pkcs12_info=dirsrv_pkcs12_info, fstore=fstore) # Always try to install DNS records install_dns_records(config, options, remote_api, fstore=fstore) finally: if conn.isconnected(): conn.disconnect() # Create the management framework config file. Do this irregardless # of the state of DS installation. Even if it fails, # we need to have master-like configuration in order to perform a # successful uninstallation # The configuration creation has to be here otherwise previous call # To config certmonger would try to connect to local server create_ipa_conf(fstore, config, ca_enabled) krb = install_krb(config, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, fstore=fstore) # We need to point to the master when certmonger asks for # a DS or HTTP certificate. # During http installation, the <service>/hostname principal is # created locally then the installer waits for the entry to appear # on the master selected for the installation. # In a later step, the installer requests a SSL certificate through # Certmonger (and the op adds the principal if it does not exist yet). # If xmlrpc_uri points to the soon-to-be replica, # the httpd service is not ready yet to handle certmonger requests # and certmonger tries to find another master. The master can be # different from the one selected for the installation, and it is # possible that the principal has not been replicated yet. This # may lead to a replication conflict. # This is why we need to force the use of the same master by # setting xmlrpc_uri create_ipa_conf(fstore, config, ca_enabled, master=config.master_host_name) # we now need to enable ssl on the ds ds.enable_ssl() install_http(config, auto_redirect=not options.no_ui_redirect, pkcs12_info=http_pkcs12_info, ca_is_configured=ca_enabled, ca_file=cafile, fstore=fstore) # Need to point back to ourself after the cert for HTTP is obtained create_ipa_conf(fstore, config, ca_enabled) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, ipautil.realm_to_suffix(config.realm_name)) if kra_enabled: # A KRA peer always provides a CA, too. mode = custodiainstance.CustodiaModes.KRA_PEER elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER custodia = custodiainstance.get_custodia_instance(config, mode) custodia.create_instance() if ca_enabled: options.realm_name = config.realm_name options.domain_name = config.domain_name options.host_name = config.host_name options.dm_password = config.dirman_password ca.install(False, config, options, custodia=custodia) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg("Applying LDAP updates") ds.apply_updates() service.print_msg("Finalize replication settings") ds.finalize_replica_config() if kra_enabled: kra.install(api, config, options, custodia=custodia) service.print_msg("Restarting the KDC") krb.restart() custodia.import_dm_password() promote_sssd(config.host_name) promote_openldap_conf(config.host_name, config.master_host_name) if options.setup_dns: dns.install(False, True, options, api) if options.setup_adtrust: adtrust.install(False, options, fstore, api) # Enable configured services and update DNS SRV records service.enable_services(config.host_name) api.Command.dns_update_system_records() ca_servers = service.find_providing_servers('CA', api.Backend.ldap2, api) api.Backend.ldap2.disconnect() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() # Print a warning if CA role is only installed on one server if len(ca_servers) == 1: msg = textwrap.dedent(u''' WARNING: The CA service is only installed on one server ({}). It is strongly recommended to install it on another server. Run ipa-ca-install(1) on another master to accomplish this. '''.format(ca_servers[0])) print(msg, file=sys.stderr)
def run(self): super(KRAInstaller, self).run() # Verify DM password. This has to be called after ask_for_options(), # so it can't be placed in validate_options(). try: installutils.validate_dm_password_ldap(self.options.password) except ValueError: raise admintool.ScriptError( "Directory Manager password is invalid") if not cainstance.is_ca_installed_locally(): raise RuntimeError("Dogtag CA is not installed. " "Please install the CA first") # check if KRA is not already installed _kra = krainstance.KRAInstance(api) if _kra.is_installed(): raise admintool.ScriptError("KRA already installed") # this check can be done only when CA is installed self.installing_replica = dogtaginstance.is_installing_replica("KRA") self.options.promote = False if self.installing_replica: domain_level = dsinstance.get_domain_level(api) if domain_level > DOMAIN_LEVEL_0: self.options.promote = True elif not self.args: raise RuntimeError("A replica file is required.") if self.args and (not self.installing_replica or self.options.promote): raise RuntimeError("Too many parameters provided. " "No replica file is required.") self.options.dm_password = self.options.password self.options.setup_ca = False self.options.setup_kra = True api.Backend.ldap2.connect() config = None if self.installing_replica: if self.options.promote: config = ReplicaConfig() config.kra_host_name = None config.realm_name = api.env.realm config.host_name = api.env.host config.domain_name = api.env.domain config.dirman_password = self.options.password config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir else: config = create_replica_config( self.options.password, self.replica_file, self.options) config.kra_host_name = config.master_host_name config.setup_kra = True if config.subject_base is None: attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] if config.kra_host_name is None: config.kra_host_name = service.find_providing_server( 'KRA', api.Backend.ldap2, api.env.ca_host) try: kra.install_check(api, config, self.options) except RuntimeError as e: raise admintool.ScriptError(str(e)) print(dedent(self.INSTALLER_START_MESSAGE)) try: kra.install(api, config, self.options) except: self.log.error(dedent(self.FAIL_MESSAGE)) raise api.Backend.ldap2.disconnect()
def run(self): super(KRAInstaller, self).run() # Verify DM password. This has to be called after ask_for_options(), # so it can't be placed in validate_options(). try: installutils.validate_dm_password_ldap(self.options.password) except ValueError: raise admintool.ScriptError( "Directory Manager password is invalid") if not cainstance.is_ca_installed_locally(): raise RuntimeError("Dogtag CA is not installed. " "Please install a CA first with the " "`ipa-ca-install` command.") # check if KRA is not already installed _kra = krainstance.KRAInstance(api) if _kra.is_installed(): raise admintool.ScriptError("KRA already installed") # this check can be done only when CA is installed self.installing_replica = dogtaginstance.is_installing_replica("KRA") if self.installing_replica: domain_level = dsinstance.get_domain_level(api) if domain_level < DOMAIN_LEVEL_1: raise RuntimeError( "Unsupported domain level %d." % domain_level) if self.args: raise RuntimeError("Too many parameters provided.") self.options.dm_password = self.options.password self.options.setup_ca = False self.options.setup_kra = True api.Backend.ldap2.connect() if self.installing_replica: config = ReplicaConfig() config.kra_host_name = None config.realm_name = api.env.realm config.host_name = api.env.host config.domain_name = api.env.domain config.dirman_password = self.options.password config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir config.setup_kra = True if config.subject_base is None: attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] if config.kra_host_name is None: config.kra_host_name = find_providing_server( 'KRA', api.Backend.ldap2, [api.env.ca_host] ) if config.kra_host_name is None: # all CA/KRA servers are down or unreachable. raise admintool.ScriptError( "Failed to find an active KRA server!" ) custodia = custodiainstance.get_custodia_instance( config, custodiainstance.CustodiaModes.KRA_PEER) else: config = None custodia = None try: kra.install_check(api, config, self.options) except RuntimeError as e: raise admintool.ScriptError(str(e)) print(dedent(self.INSTALLER_START_MESSAGE)) try: kra.install(api, config, self.options, custodia=custodia) except: logger.error('%s', dedent(self.FAIL_MESSAGE)) raise # pki-spawn restarts 389-DS, reconnect api.Backend.ldap2.close() api.Backend.ldap2.connect() # Enable configured services and update DNS SRV records service.sync_services_state(api.env.host) api.Command.dns_update_system_records() api.Backend.ldap2.disconnect()
def run(self): super(KRAInstaller, self).run() # Verify DM password. This has to be called after ask_for_options(), # so it can't be placed in validate_options(). try: installutils.validate_dm_password_ldap(self.options.password) except ValueError: raise admintool.ScriptError( "Directory Manager password is invalid") if not cainstance.is_ca_installed_locally(): raise RuntimeError("Dogtag CA is not installed. " "Please install a CA first with the " "`ipa-ca-install` command.") # check if KRA is not already installed _kra = krainstance.KRAInstance(api) if _kra.is_installed(): raise admintool.ScriptError("KRA already installed") # this check can be done only when CA is installed self.installing_replica = dogtaginstance.is_installing_replica("KRA") self.options.promote = False if self.installing_replica: domain_level = dsinstance.get_domain_level(api) if domain_level > DOMAIN_LEVEL_0: self.options.promote = True elif not self.args: raise RuntimeError("A replica file is required.") if self.args and (not self.installing_replica or self.options.promote): raise RuntimeError("Too many parameters provided. " "No replica file is required.") self.options.dm_password = self.options.password self.options.setup_ca = False self.options.setup_kra = True api.Backend.ldap2.connect() config = None if self.installing_replica: if self.options.promote: config = ReplicaConfig() config.kra_host_name = None config.realm_name = api.env.realm config.host_name = api.env.host config.domain_name = api.env.domain config.dirman_password = self.options.password config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir else: config = create_replica_config( self.options.password, self.replica_file, self.options) config.kra_host_name = config.master_host_name config.setup_kra = True if config.subject_base is None: attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] if config.kra_host_name is None: config.kra_host_name = service.find_providing_server( 'KRA', api.Backend.ldap2, api.env.ca_host) try: kra.install_check(api, config, self.options) except RuntimeError as e: raise admintool.ScriptError(str(e)) print(dedent(self.INSTALLER_START_MESSAGE)) try: kra.install(api, config, self.options) except: logger.error('%s', dedent(self.FAIL_MESSAGE)) raise api.Backend.ldap2.disconnect()
def run(self): super(KRAInstaller, self).run() if not cainstance.is_ca_installed_locally(): raise RuntimeError("Dogtag CA is not installed. " "Please install the CA first") # check if KRA is not already installed _kra = krainstance.KRAInstance(api) if _kra.is_installed(): raise admintool.ScriptError("KRA already installed") # this check can be done only when CA is installed self.installing_replica = dogtaginstance.is_installing_replica("KRA") self.options.promote = False if self.installing_replica: domain_level = dsinstance.get_domain_level(api) if domain_level > DOMAIN_LEVEL_0: self.options.promote = True elif not self.args: raise RuntimeError("A replica file is required.") if self.args and (not self.installing_replica or self.options.promote): raise RuntimeError("Too many parameters provided. " "No replica file is required.") self.options.dm_password = self.options.password self.options.setup_ca = False conn = api.Backend.ldap2 conn.connect(bind_dn=DN(("cn", "Directory Manager")), bind_pw=self.options.password) config = None if self.installing_replica: if self.options.promote: config = ReplicaConfig() config.master_host_name = None config.realm_name = api.env.realm config.host_name = api.env.host config.domain_name = api.env.domain config.dirman_password = self.options.password config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir else: config = create_replica_config(self.options.password, self.replica_file, self.options) if config.subject_base is None: attrs = conn.get_ipa_config() config.subject_base = attrs.get("ipacertificatesubjectbase")[0] if config.master_host_name is None: config.kra_host_name = service.find_providing_server("KRA", conn, api.env.ca_host) config.master_host_name = config.kra_host_name else: config.kra_host_name = config.master_host_name try: kra.install_check(api, config, self.options) except RuntimeError as e: raise admintool.ScriptError(str(e)) print(dedent(self.INSTALLER_START_MESSAGE)) try: kra.install(api, config, self.options) except: self.log.error(dedent(self.FAIL_MESSAGE)) raise
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info http_ca_cert = installer._ca_cert realm_name = options.realm_name domain_name = options.domain_name dm_password = options.dm_password master_password = options.master_password admin_password = options.admin_password host_name = options.host_name ip_addresses = options.ip_addresses setup_ca = options.setup_ca # Installation has started. No IPA sysrestore items are restored in case of # failure to enable root cause investigation installer._installation_cleanup = False if installer.interactive: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") # set hostname (transient and static) if user instructed us to do so if options._host_name_overridden: tasks.backup_hostname(fstore, sstore) tasks.set_hostname(host_name) if installer._update_hosts_file: update_hosts_file(ip_addresses, host_name, fstore) http_instance = httpinstance.HTTPInstance() http_instance.create_cert_db() # Create DS user/group if it doesn't exist yet dsinstance.create_ds_user() # Create a directory server instance if not options.external_cert_files: # Configure ntpd if not options.no_ntp: ipaclient.install.ntpconf.force_ntpd(sstore) ntp = ntpinstance.NTPInstance(fstore) if not ntp.is_configured(): ntp.create_instance() if options.dirsrv_cert_files: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject, hbac_allow=not options.no_hbac_allow) else: ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel, config_ldif=options.dirsrv_config_file) installer._ds = ds ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject, hbac_allow=not options.no_hbac_allow) ntpinstance.ntp_ldap_enable(host_name, ds.suffix, realm_name) else: api.Backend.ldap2.connect() ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel) installer._ds = ds ds.init_info( realm_name, host_name, domain_name, dm_password, options.subject, 1101, 1100, None) if setup_ca: if not options.external_cert_files and options.external_ca: # stage 1 of external CA installation options.realm_name = realm_name options.domain_name = domain_name options.master_password = master_password options.dm_password = dm_password options.admin_password = admin_password options.host_name = host_name options.reverse_zones = dns.reverse_zones cache_vars = {n: options.__dict__[n] for o, n in installer.knobs() if n in options.__dict__} write_cache(cache_vars) ca.install_step_0(False, None, options) # Now put the CA cert where other instances exepct it ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR) ca_instance.publish_ca_cert(paths.IPA_CA_CRT) else: # Put the CA cert where other instances expect it x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) os.chmod(paths.IPA_CA_CRT, 0o444) # we now need to enable ssl on the ds ds.enable_ssl() krb = krbinstance.KrbInstance(fstore) krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject) # restart DS to enable ipa-pwd-extop plugin print("Restarting directory server to enable password extension plugin") ds.restart() if setup_ca: ca.install_step_1(False, None, options) kra.install(api, None, options) # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() memcache = memcacheinstance.MemcacheInstance() memcache.create_instance('MEMCACHE', host_name, ipautil.realm_to_suffix(realm_name)) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', host_name, ipautil.realm_to_suffix(realm_name)) custodia = custodiainstance.CustodiaInstance(host_name, realm_name) custodia.create_instance() # Create a HTTP instance http = httpinstance.HTTPInstance(fstore) if options.http_cert_files: http.create_instance( realm_name, host_name, domain_name, pkcs12_info=http_pkcs12_info, subject_base=options.subject, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) else: http.create_instance( realm_name, host_name, domain_name, subject_base=options.subject, auto_redirect=not options.no_ui_redirect, ca_is_configured=setup_ca) tasks.restore_context(paths.CACHE_IPA_SESSIONS) # Export full CA chain ca_db = certs.CertDB(realm_name) os.chmod(paths.IPA_CA_CRT, 0o644) ca_db.publish_ca_cert(paths.IPA_CA_CRT) set_subject_in_config(realm_name, dm_password, ipautil.realm_to_suffix(realm_name), options.subject) # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") ds.apply_updates() # Restart krb after configurations have been changed service.print_msg("Restarting the KDC") krb.restart() if options.setup_dns: dns.install(False, False, options) else: # Create a BIND instance bind = bindinstance.BindInstance(fstore) bind.setup(host_name, ip_addresses, realm_name, domain_name, (), 'first', (), zonemgr=options.zonemgr, no_dnssec_validation=options.no_dnssec_validation) bind.create_file_with_system_records() # Set the admin user kerberos password ds.change_admin_password(admin_password) # Call client install script service.print_msg("Configuring client side components") try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") run(args, redirect_output=True) print() except Exception: raise ScriptError("Configuration of client side components failed!") # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() print("=======================================" "=======================================") print("Setup complete") print("") print("Next steps:") print("\t1. You must make sure these network ports are open:") print("\t\tTCP Ports:") print("\t\t * 80, 443: HTTP/HTTPS") print("\t\t * 389, 636: LDAP/LDAPS") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") print("\t\tUDP Ports:") print("\t\t * 88, 464: kerberos") if options.setup_dns: print("\t\t * 53: bind") if not options.no_ntp: print("\t\t * 123: ntp") print("") print("\t2. You can now obtain a kerberos ticket using the command: " "'kinit admin'") print("\t This ticket will allow you to use the IPA tools (e.g., ipa " "user-add)") print("\t and the web user interface.") if not services.knownservices.ntpd.is_running(): print("\t3. Kerberos requires time synchronization between clients") print("\t and servers for correct operation. You should consider " "enabling ntpd.") print("") if setup_ca: print(("Be sure to back up the CA certificates stored in " + paths.CACERT_P12)) print("These files are required to create replicas. The password for " "these") print("files is the Directory Manager password") else: print("In order for Firefox autoconfiguration to work you will need to") print("use a SSL signing certificate. See the IPA documentation for " "more details.") if ipautil.file_exists(paths.ROOT_IPA_CACHE): os.remove(paths.ROOT_IPA_CACHE)
def install(installer): options = installer fstore = installer._fstore sstore = installer._sstore config = installer._config dogtag_constants = dogtag.install_constants # Create DS user/group if it doesn't exist yet dsinstance.create_ds_user() cafile = config.dir + "/ca.crt" remote_api = installer._remote_api conn = remote_api.Backend.ldap2 try: conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, tls_cacertfile=cafile) # Install CA cert so that we can do SSL connections with ldap install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) # Configure ntpd if not options.no_ntp: ipaclient.ntpconf.force_ntpd(sstore) ntp = ntpinstance.NTPInstance() ntp.create_instance() # Configure dirsrv ds = install_replica_ds(config) # Always try to install DNS records install_dns_records(config, options, remote_api) finally: if conn.isconnected(): conn.disconnect() options.dm_password = config.dirman_password if config.setup_ca: options.realm_name = config.realm_name options.domain_name = config.domain_name options.host_name = config.host_name ca.install(False, config, options) krb = install_krb(config, setup_pkinit=not options.no_pkinit) http = install_http(config, auto_redirect=not options.no_ui_redirect) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) CA = cainstance.CAInstance( config.realm_name, certs.NSS_DIR, dogtag_constants=dogtag_constants) CA.dm_password = config.dirman_password CA.configure_certmonger_renewal() CA.import_ra_cert(config.dir + "/ra.p12") CA.fix_ra_perms() # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg("Applying LDAP updates") ds.apply_updates() if options.setup_kra: kra.install(api, config, options) else: service.print_msg("Restarting the directory server") ds.restart() service.print_msg("Restarting the KDC") krb.restart() if config.setup_ca: dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME] dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME) if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, True, options) # Restart httpd to pick up the new IPA configuration service.print_msg("Restarting the web server") http.restart() # Call client install script try: args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name] if options.no_dns_sshfp: args.append("--no-dns-sshfp") if options.ssh_trust_dns: args.append("--ssh-trust-dns") if options.no_ssh: args.append("--no-ssh") if options.no_sshd: args.append("--no-sshd") if options.mkhomedir: args.append("--mkhomedir") ipautil.run(args) except Exception, e: print "Configuration of client side components failed!" print "ipa-client-install returned: " + str(e) raise RuntimeError("Failed to configure the client")
def install(installer): options = installer ca_enabled = installer._ca_enabled kra_enabled = installer._kra_enabled fstore = installer._fstore config = installer._config cafile = installer._ca_file dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info remote_api = installer._remote_api conn = remote_api.Backend.ldap2 ccache = os.environ['KRB5CCNAME'] if tasks.configure_pkcs11_modules(fstore): print("Disabled p11-kit-proxy") if installer._add_to_ipaservers: try: conn.connect(ccache=installer._ccache) remote_api.Command['hostgroup_add_member']( u'ipaservers', host=[unicode(api.env.host)], ) finally: if conn.isconnected(): conn.disconnect() os.environ['KRB5CCNAME'] = ccache config.dirman_password = ipautil.ipa_generate_password() # FIXME: allow to use passed in certs instead if ca_enabled: configure_certmonger() try: conn.connect(ccache=ccache) # Update and istall updated CA file cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.KDC_CA_BUNDLE_PEM) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile, destfile=paths.CA_BUNDLE_PEM) # Configure dirsrv ds = install_replica_ds(config, options, ca_enabled, remote_api, ca_file=cafile, pkcs12_info=dirsrv_pkcs12_info, fstore=fstore) # Always try to install DNS records install_dns_records(config, options, remote_api, fstore=fstore) finally: if conn.isconnected(): conn.disconnect() # Create the management framework config file. Do this irregardless # of the state of DS installation. Even if it fails, # we need to have master-like configuration in order to perform a # successful uninstallation # The configuration creation has to be here otherwise previous call # To config certmonger would try to connect to local server create_ipa_conf(fstore, config, ca_enabled) krb = install_krb( config, setup_pkinit=not options.no_pkinit, pkcs12_info=pkinit_pkcs12_info, fstore=fstore) # We need to point to the master when certmonger asks for # a DS or HTTP certificate. # During http installation, the <service>/hostname principal is # created locally then the installer waits for the entry to appear # on the master selected for the installation. # In a later step, the installer requests a SSL certificate through # Certmonger (and the op adds the principal if it does not exist yet). # If xmlrpc_uri points to the soon-to-be replica, # the httpd service is not ready yet to handle certmonger requests # and certmonger tries to find another master. The master can be # different from the one selected for the installation, and it is # possible that the principal has not been replicated yet. This # may lead to a replication conflict. # This is why we need to force the use of the same master by # setting xmlrpc_uri create_ipa_conf(fstore, config, ca_enabled, master=config.master_host_name) # we now need to enable ssl on the ds ds.enable_ssl() install_http( config, auto_redirect=not options.no_ui_redirect, pkcs12_info=http_pkcs12_info, ca_is_configured=ca_enabled, ca_file=cafile, fstore=fstore) # Need to point back to ourself after the cert for HTTP is obtained create_ipa_conf(fstore, config, ca_enabled) otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, ipautil.realm_to_suffix(config.realm_name)) if kra_enabled: # A KRA peer always provides a CA, too. mode = custodiainstance.CustodiaModes.KRA_PEER elif ca_enabled: mode = custodiainstance.CustodiaModes.CA_PEER else: mode = custodiainstance.CustodiaModes.MASTER_PEER custodia = custodiainstance.get_custodia_instance(config, mode) custodia.create_instance() if ca_enabled: options.realm_name = config.realm_name options.domain_name = config.domain_name options.host_name = config.host_name options.dm_password = config.dirman_password ca.install(False, config, options, custodia=custodia) # configure PKINIT now that all required services are in place krb.enable_ssl() # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg("Applying LDAP updates") ds.apply_updates() service.print_msg("Finalize replication settings") ds.finalize_replica_config() if kra_enabled: kra.install(api, config, options, custodia=custodia) service.print_msg("Restarting the KDC") krb.restart() custodia.import_dm_password() promote_sssd(config.host_name) promote_openldap_conf(config.host_name, config.master_host_name) if options.setup_dns: dns.install(False, True, options, api) if options.setup_adtrust: adtrust.install(False, options, fstore, api) if options.hidden_replica: # Set services to hidden service.hide_services(config.host_name) else: # Enable configured services service.enable_services(config.host_name) # update DNS SRV records. Although it's only really necessary in # enabled-service case, also perform update in hidden replica case. api.Command.dns_update_system_records() ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api) api.Backend.ldap2.disconnect() # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() # Print a warning if CA role is only installed on one server if len(ca_servers) == 1: msg = textwrap.dedent(u''' WARNING: The CA service is only installed on one server ({}). It is strongly recommended to install it on another server. Run ipa-ca-install(1) on another master to accomplish this. '''.format(ca_servers[0])) print(msg, file=sys.stderr)
def run(self): super(KRAInstaller, self).run() # Verify DM password. This has to be called after ask_for_options(), # so it can't be placed in validate_options(). try: installutils.validate_dm_password_ldap(self.options.password) except ValueError: raise admintool.ScriptError( "Directory Manager password is invalid") if not cainstance.is_ca_installed_locally(): raise RuntimeError("Dogtag CA is not installed. " "Please install a CA first with the " "`ipa-ca-install` command.") # check if KRA is not already installed _kra = krainstance.KRAInstance(api) if _kra.is_installed(): raise admintool.ScriptError("KRA already installed") # this check can be done only when CA is installed self.installing_replica = dogtaginstance.is_installing_replica("KRA") if self.installing_replica: domain_level = dsinstance.get_domain_level(api) if domain_level < DOMAIN_LEVEL_1: raise RuntimeError("Unsupported domain level %d." % domain_level) if self.args: raise RuntimeError("Too many parameters provided.") self.options.dm_password = self.options.password self.options.setup_ca = False self.options.setup_kra = True api.Backend.ldap2.connect() if self.installing_replica: config = ReplicaConfig() config.kra_host_name = None config.realm_name = api.env.realm config.host_name = api.env.host config.domain_name = api.env.domain config.dirman_password = self.options.password config.ca_ds_port = 389 config.top_dir = tempfile.mkdtemp("ipa") config.dir = config.top_dir config.setup_kra = True if config.subject_base is None: attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] if config.kra_host_name is None: config.kra_host_name = find_providing_server( 'KRA', api.Backend.ldap2, [api.env.ca_host]) if config.kra_host_name is None: # all CA/KRA servers are down or unreachable. raise admintool.ScriptError( "Failed to find an active KRA server!") custodia = custodiainstance.get_custodia_instance( config, custodiainstance.CustodiaModes.KRA_PEER) else: config = None custodia = None try: kra.install_check(api, config, self.options) except RuntimeError as e: raise admintool.ScriptError(str(e)) print(dedent(self.INSTALLER_START_MESSAGE)) try: kra.install(api, config, self.options, custodia=custodia) except: logger.error('%s', dedent(self.FAIL_MESSAGE)) raise # pki-spawn restarts 389-DS, reconnect api.Backend.ldap2.close() api.Backend.ldap2.connect() # Enable configured services and update DNS SRV records service.sync_services_state(api.env.host) api.Command.dns_update_system_records() api.Backend.ldap2.disconnect()