def _run(self):
super(KRAInstaller, self).run()
print dedent(self.INSTALLER_START_MESSAGE)
if not self.installing_replica:
replica_config = None
else:
replica_config = create_replica_config(
self.options.password,
self.replica_file,
self.options)
self.options.dm_password = self.options.password
self.options.setup_ca = False
api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
bind_pw=self.options.dm_password)
try:
kra.install_check(api, replica_config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
kra.install(api, replica_config, self.options)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
def _run(self):
super(KRAInstaller, self).run()
print dedent(self.INSTALLER_START_MESSAGE)
subject = dsinstance.DsInstance().find_subject_base()
if not self.installing_replica:
kra = krainstance.KRAInstance(
api.env.realm,
dogtag_constants=dogtag.install_constants)
kra.configure_instance(
api.env.host, api.env.domain, self.options.password,
self.options.password, subject_base=subject)
else:
replica_config = create_replica_config(
self.options.password,
self.replica_file,
self.options)
if not read_replica_info_kra_enabled(replica_config.dir):
raise admintool.ScriptError(
"Either KRA is not installed on the master system or "
"your replica file is out of date"
)
kra = krainstance.install_replica_kra(replica_config)
service.print_msg("Restarting the directory server")
ds = dsinstance.DsInstance()
ds.restart()
kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
# Update config file
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_kra', 'True')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
def _run(self):
super(KRAInstaller, self).run()
print dedent(self.INSTALLER_START_MESSAGE)
subject = dsinstance.DsInstance().find_subject_base()
if not self.installing_replica:
kra = krainstance.KRAInstance(
api.env.realm, dogtag_constants=dogtag.install_constants)
kra.configure_instance(api.env.host,
api.env.domain,
self.options.password,
self.options.password,
subject_base=subject)
else:
replica_config = create_replica_config(self.options.password,
self.replica_file,
self.options)
if not read_replica_info_kra_enabled(replica_config.dir):
raise admintool.ScriptError(
"Either KRA is not installed on the master system or "
"your replica file is out of date")
kra = krainstance.install_replica_kra(replica_config)
service.print_msg("Restarting the directory server")
ds = dsinstance.DsInstance()
ds.restart()
kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
# Update config file
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_kra', 'True')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
def _run(self):
super(KRAInstaller, self).run()
print dedent(self.INSTALLER_START_MESSAGE)
if not self.installing_replica:
replica_config = None
else:
replica_config = create_replica_config(
self.options.password,
self.replica_file,
self.options)
self.options.setup_ca = False
try:
kra.install_check(replica_config, self.options, api.env.enable_kra,
int(api.env.dogtag_version))
except RuntimeError as e:
raise admintool.ScriptError(str(e))
kra.install(replica_config, self.options, self.options.password)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
print "be disabled in favor of ntpd"
print ""
except ipaclient.ntpconf.NTPConfigurationError:
pass
# get the directory manager password
dirman_password = options.password
if not dirman_password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
sys.exit("Directory Manager password required")
config = create_replica_config(dirman_password, filename, options)
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = options.setup_ca
config.setup_kra = options.setup_kra
if options.setup_ca:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject = config.subject_base
ca.install_check(False, config, options)
if config.setup_kra:
try:
kra.install_check(config, options, False,
dogtag.install_constants.DOGTAG_VERSION)
def run(self):
super(KRAInstaller, self).run()
# Verify DM password. This has to be called after ask_for_options(),
# so it can't be placed in validate_options().
try:
installutils.validate_dm_password_ldap(self.options.password)
except ValueError:
raise admintool.ScriptError(
"Directory Manager password is invalid")
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. "
"Please install the CA first")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
self.options.promote = False
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
self.options.promote = True
elif not self.args:
raise RuntimeError("A replica file is required.")
if self.args and (not self.installing_replica or self.options.promote):
raise RuntimeError("Too many parameters provided. "
"No replica file is required.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
self.options.setup_kra = True
api.Backend.ldap2.connect()
config = None
if self.installing_replica:
if self.options.promote:
config = ReplicaConfig()
config.kra_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
config = create_replica_config(
self.options.password,
self.replica_file,
self.options)
config.kra_host_name = config.master_host_name
config.setup_kra = True
if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.kra_host_name is None:
config.kra_host_name = service.find_providing_server(
'KRA', api.Backend.ldap2, api.env.ca_host)
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options)
except:
self.log.error(dedent(self.FAIL_MESSAGE))
raise
api.Backend.ldap2.disconnect()
def run(self):
super(KRAInstaller, self).run()
# Verify DM password. This has to be called after ask_for_options(),
# so it can't be placed in validate_options().
try:
installutils.validate_dm_password_ldap(self.options.password)
except ValueError:
raise admintool.ScriptError(
"Directory Manager password is invalid")
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. "
"Please install a CA first with the "
"`ipa-ca-install` command.")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
self.options.promote = False
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
self.options.promote = True
elif not self.args:
raise RuntimeError("A replica file is required.")
if self.args and (not self.installing_replica or self.options.promote):
raise RuntimeError("Too many parameters provided. "
"No replica file is required.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
self.options.setup_kra = True
api.Backend.ldap2.connect()
config = None
if self.installing_replica:
if self.options.promote:
config = ReplicaConfig()
config.kra_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
config = create_replica_config(
self.options.password,
self.replica_file,
self.options)
config.kra_host_name = config.master_host_name
config.setup_kra = True
if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.kra_host_name is None:
config.kra_host_name = service.find_providing_server(
'KRA', api.Backend.ldap2, api.env.ca_host)
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options)
except:
logger.error('%s', dedent(self.FAIL_MESSAGE))
raise
api.Backend.ldap2.disconnect()
def run(self):
super(KRAInstaller, self).run()
if not cainstance.is_ca_installed_locally():
raise RuntimeError("Dogtag CA is not installed. " "Please install the CA first")
# check if KRA is not already installed
_kra = krainstance.KRAInstance(api)
if _kra.is_installed():
raise admintool.ScriptError("KRA already installed")
# this check can be done only when CA is installed
self.installing_replica = dogtaginstance.is_installing_replica("KRA")
self.options.promote = False
if self.installing_replica:
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
self.options.promote = True
elif not self.args:
raise RuntimeError("A replica file is required.")
if self.args and (not self.installing_replica or self.options.promote):
raise RuntimeError("Too many parameters provided. " "No replica file is required.")
self.options.dm_password = self.options.password
self.options.setup_ca = False
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(("cn", "Directory Manager")), bind_pw=self.options.password)
config = None
if self.installing_replica:
if self.options.promote:
config = ReplicaConfig()
config.master_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = self.options.password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
else:
config = create_replica_config(self.options.password, self.replica_file, self.options)
if config.subject_base is None:
attrs = conn.get_ipa_config()
config.subject_base = attrs.get("ipacertificatesubjectbase")[0]
if config.master_host_name is None:
config.kra_host_name = service.find_providing_server("KRA", conn, api.env.ca_host)
config.master_host_name = config.kra_host_name
else:
config.kra_host_name = config.master_host_name
try:
kra.install_check(api, config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
print(dedent(self.INSTALLER_START_MESSAGE))
try:
kra.install(api, config, self.options)
except:
self.log.error(dedent(self.FAIL_MESSAGE))
raise
def install_check(installer):
options = installer
filename = installer.replica_file
tasks.check_selinux_status()
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
if client_fstore.has_files():
sys.exit("IPA client is already configured on this system.\n"
"Please uninstall it first before configuring the replica, "
"using 'ipa-client-install --uninstall'.")
sstore = sysrestore.StateFile(paths.SYSRESTORE)
fstore = sysrestore.FileStore(paths.SYSRESTORE)
# Check to see if httpd is already configured to listen on 443
if httpinstance.httpd_443_configured():
sys.exit("Aborting installation")
check_dirsrv()
if not options.no_ntp:
try:
ipaclient.ntpconf.check_timedate_services()
except ipaclient.ntpconf.NTPConflictingService as e:
print(("WARNING: conflicting time&date synchronization service '%s'"
" will" % e.conflicting_service))
print("be disabled in favor of ntpd")
print("")
except ipaclient.ntpconf.NTPConfigurationError:
pass
# get the directory manager password
dirman_password = options.password
if not dirman_password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
sys.exit("Directory Manager password required")
config = create_replica_config(dirman_password, filename, options)
installer._top_dir = config.top_dir
config.setup_ca = options.setup_ca
config.setup_kra = options.setup_kra
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
old_umask = os.umask(0o22) # must be readable for httpd
try:
fd = open(paths.IPA_DEFAULT_CONF, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % config.host_name)
fd.write("basedn=%s\n" %
str(ipautil.realm_to_suffix(config.realm_name)))
fd.write("realm=%s\n" % config.realm_name)
fd.write("domain=%s\n" % config.domain_name)
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
ipautil.format_netloc(config.host_name))
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
installutils.realm_to_serverid(config.realm_name))
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=%s\n" %
dogtag.install_constants.DOGTAG_VERSION)
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
fd.write("mode=production\n")
fd.close()
finally:
os.umask(old_umask)
api.bootstrap(in_server=True, context='installer')
api.finalize()
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
cafile = config.dir + "/ca.crt"
if not ipautil.file_exists(cafile):
raise RuntimeError("CA cert file is not available. Please run "
"ipa-replica-prepare to create a new replica file.")
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
remote_api = create_api(mode=None)
remote_api.bootstrap(in_server=True, context='installer',
ldap_uri=ldapuri)
remote_api.finalize()
conn = remote_api.Backend.ldap2
replman = None
try:
# Try out the password
conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
tls_cacertfile=cafile)
replman = ReplicationManager(config.realm_name,
config.master_host_name,
config.dirman_password)
# Check that we don't already have a replication agreement
if replman.get_replication_agreement(config.host_name):
root_logger.info('Error: A replication agreement for this '
'host already exists.')
print('A replication agreement for this host already exists. '
'It needs to be removed.')
print("Run this on the master that generated the info file:")
print((" %% ipa-replica-manage del %s --force" %
config.host_name))
sys.exit(3)
# Detect the current domain level
try:
current = remote_api.Command['domainlevel_get']()['result']
except errors.NotFound:
# If we're joining an older master, domain entry is not
# available
current = 0
# Detect if current level is out of supported range
# for this IPA version
under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
if under_lower_bound or above_upper_bound:
message = ("This version of FreeIPA does not support "
"the Domain Level which is currently set for "
"this domain. The Domain Level needs to be "
"raised before installing a replica with "
"this version is allowed to be installed "
"within this domain.")
root_logger.error(message)
print(message)
sys.exit(3)
# Check pre-existing host entry
try:
entry = conn.find_entries(u'fqdn=%s' % config.host_name,
['fqdn'], DN(api.env.container_host,
api.env.basedn))
except errors.NotFound:
pass
else:
root_logger.info('Error: Host %s already exists on the master '
'server.' % config.host_name)
print(('The host %s already exists on the master server.' %
config.host_name))
print("You should remove it before proceeding:")
print(" %% ipa host-del %s" % config.host_name)
sys.exit(3)
dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
if dns_masters:
if not options.no_host_dns:
master = config.master_host_name
root_logger.debug('Check forward/reverse DNS resolution')
resolution_ok = (
check_dns_resolution(master, dns_masters) and
check_dns_resolution(config.host_name, dns_masters))
if not resolution_ok and installer.interactive:
if not ipautil.user_input("Continue?", False):
sys.exit(0)
else:
root_logger.debug('No IPA DNS servers, '
'skipping forward/reverse resolution check')
if options.setup_ca:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject = config.subject_base
ca.install_check(False, config, options)
if config.setup_kra:
try:
kra.install_check(remote_api, config, options)
except RuntimeError as e:
print(str(e))
sys.exit(1)
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server "
"%s" % config.master_host_name)
except errors.LDAPError:
sys.exit("\nUnable to connect to LDAP server %s" %
config.master_host_name)
finally:
if replman and replman.conn:
replman.conn.unbind()
if conn.isconnected():
conn.disconnect()
if options.setup_dns:
dns.install_check(False, True, options, config.host_name)
config.ips = dns.ip_addresses
else:
config.ips = installutils.get_server_ip_address(
config.host_name, not installer.interactive, False,
options.ip_addresses)
# installer needs to update hosts file when DNS subsystem will be
# installed or custom addresses are used
if options.setup_dns or options.ip_addresses:
installer._update_hosts_file = True
# check connection
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, config.ca_ds_port, options.admin_password)
installer._remote_api = remote_api
installer._fstore = fstore
installer._sstore = sstore
installer._config = config
