def execute(self, **options):
update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated')
if update_done:
root_logger.debug("PassSync privilege update not needed")
return False, []
root_logger.debug("Add PassSync user as a member of PassSync privilege")
ldap = self.api.Backend.ldap2
passsync_dn = DN(('uid','passsync'), ('cn', 'sysaccounts'), ('cn', 'etc'),
self.api.env.basedn)
passsync_privilege_dn = DN(('cn','PassSync Service'),
self.api.env.container_privilege,
self.api.env.basedn)
try:
entry = ldap.get_entry(passsync_dn, [''])
except errors.NotFound:
root_logger.debug("PassSync user not found, no update needed")
sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
return False, []
else:
root_logger.debug("PassSync user found, do update")
update = {'dn': passsync_privilege_dn,
'updates': ["add:member:'%s'" % passsync_dn]}
sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
return False, [update]
def store_version():
"""Store current data version and platform. This is required for check if
upgrade is required.
"""
sysupgrade.set_upgrade_state('ipa', 'data_version',
version.VENDOR_VERSION)
sysupgrade.set_upgrade_state('ipa', 'platform', ipaplatform.NAME)
def __certmap_conf(self):
write_certmap_conf(self.realm, self.ca_subject)
sysupgrade.set_upgrade_state(
'certmap.conf',
'subject_base',
str(self.subject_base)
)
def __certmap_conf(self):
shutil.copyfile(
os.path.join(paths.USR_SHARE_IPA_DIR, "certmap.conf.template"),
os.path.join(config_dirname(self.serverid), "certmap.conf"),
)
installutils.update_file(
config_dirname(self.serverid) + "certmap.conf", "$SUBJECT_BASE", str(self.subject_base)
)
sysupgrade.set_upgrade_state("certmap.conf", "subject_base", str(self.subject_base))
def create_instance(self):
suffix = ipautil.realm_to_suffix(self.realm)
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Making sure custodia container exists", self.__create_container)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(
gensvc_name="KEYS", fqdn=self.fqdn, ldap_suffix=suffix, realm=self.realm
)
sysupgrade.set_upgrade_state("custodia", "installed", True)
def __certmap_conf(self):
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.serverid) + "certmap.conf")
installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
'$SUBJECT_BASE', str(self.subject_base))
sysupgrade.set_upgrade_state(
'certmap.conf',
'subject_base',
str(self.subject_base)
)
def create_instance(self, dm_password=None):
suffix = ipautil.realm_to_suffix(self.realm)
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Making sure custodia container exists", self.__create_container)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
fqdn=self.fqdn,
dm_password=dm_password,
ldap_suffix=suffix,
realm=self.realm)
sysupgrade.set_upgrade_state('custodia', 'installed', True)
def execute(self, **options):
if sysupgrade.get_upgrade_state('sidgen', 'config_basedn_updated'):
self.log.debug("Already done, skipping")
return False, ()
restart = False
if self._fix_config():
sysupgrade.set_upgrade_state('sidgen', 'update_sids', True)
restart = True # DS has to be restarted to apply changes
sysupgrade.set_upgrade_state('sidgen', 'config_basedn_updated', True)
return restart, ()
def ntp_ldap_enable(fqdn, base_dn, realm):
ntp = NTPInstance(realm=realm)
is_exposed_in_ldap = sysupgrade.get_upgrade_state(
'ntp', NTP_EXPOSED_IN_LDAP)
was_running = ntp.is_running()
if ntp.is_configured() and not is_exposed_in_ldap:
ntp.ldap_enable('NTP', fqdn, None, base_dn)
sysupgrade.set_upgrade_state('ntp', NTP_EXPOSED_IN_LDAP, True)
if was_running:
ntp.start()
def change_mod_nss_port_from_http(self):
# mod_ssl enforces SSLEngine on for vhost on 443 even though
# the listener is mod_nss. This then crashes the httpd as mod_nss
# listened port obviously does not match mod_ssl requirements.
#
# The workaround for this was to change port to http. It is no longer
# necessary, as mod_nss now ships with default configuration which
# sets SSLEngine off when mod_ssl is installed.
#
# Remove the workaround.
if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443', quotes=False)
sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
def uninstall(self):
super(CustodiaInstance, self).uninstall()
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
# Call remove_server_keys_file explicitly to ensure that the key
# file is always removed.
keystore.remove_server_keys_file()
try:
keystore.remove_server_keys()
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
logger.debug(
"Cannot remove custodia keys now, server_del takes care of "
"them later."
)
installutils.remove_file(self.config_file)
sysupgrade.set_upgrade_state('custodia', 'installed', False)
def reindex_task(self, force=False):
"""Reindex ipaca entries
pkispawn sometimes does not run its indextasks. This leads to slow
unindexed filters on attributes such as description, which is used
to log in with a certificate. Explicitly reindex attribute that
should have been reindexed by CA's indextasks.ldif.
See https://pagure.io/dogtagpki/issue/3083
"""
state_name = 'reindex_task'
if not force and sysupgrade.get_upgrade_state('dogtag', state_name):
return
cn = "indextask_ipaca_{}".format(int(time.time()))
dn = DN(
('cn', cn), ('cn', 'index'), ('cn', 'tasks'), ('cn', 'config')
)
entry = api.Backend.ldap2.make_entry(
dn,
objectClass=['top', 'extensibleObject'],
cn=[cn],
nsInstance=['ipaca'], # Dogtag PKI database
nsIndexAttribute=[
# from pki/base/ca/shared/conf/indextasks.ldif
'archivedBy', 'certstatus', 'clientId', 'dataType',
'dateOfCreate', 'description', 'duration', 'extension',
'issuedby', 'issuername', 'metaInfo', 'notafter',
'notbefore', 'ownername', 'publicKeyData', 'requestid',
'requestowner', 'requestsourceid', 'requeststate',
'requesttype', 'revInfo', 'revokedOn', 'revokedby',
'serialno', 'status', 'subjectname',
],
ttl=[10],
)
logger.debug('Creating ipaca reindex task %s', dn)
api.Backend.ldap2.add_entry(entry)
logger.debug('Waiting for task...')
exitcode = replication.wait_for_task(api.Backend.ldap2, dn)
logger.debug(
'Task %s has finished with exit code %i',
dn, exitcode
)
sysupgrade.set_upgrade_state('dogtag', state_name, True)
def __recover_from_missing_maps(self, ldap):
# https://fedorahosted.org/freeipa/ticket/5507
# if all following DNs are missing, but 'NIS Server' container exists
# we are experiencig bug and maps should be fixed
if sysupgrade.get_upgrade_state('nis',
'done_recover_from_missing_maps'):
# this recover must be done only once, a user may deleted some
# maps, we do not want to restore them again
return
logger.debug("Recovering from missing NIS maps bug")
suffix = "cn=NIS Server,cn=plugins,cn=config"
domain = self.api.env.domain
missing_dn_list = [
DN(nis_map.format(domain=domain, suffix=suffix)) for nis_map in [
"nis-domain={domain}+nis-map=passwd.byname,{suffix}",
"nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
"nis-domain={domain}+nis-map=group.byname,{suffix}",
"nis-domain={domain}+nis-map=group.bygid,{suffix}",
"nis-domain={domain}+nis-map=netid.byname,{suffix}",
"nis-domain={domain}+nis-map=netgroup,{suffix}",
]
]
for dn in missing_dn_list:
try:
ldap.get_entry(dn, attrs_list=['cn'])
except errors.NotFound:
pass
else:
# bug is not effective, at least one of 'possible missing'
# maps was detected
return
sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps',
True)
# bug is effective run update to recreate missing maps
ld = LDAPUpdate(sub_dict={}, ldapi=True)
ld.update([paths.NIS_ULDIF])
def __setup_server_configuration(self):
ensure_dnsserver_container_exists(api.Backend.ldap2, self.api)
try:
self.api.Command.dnsserver_add(
self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(),
)
except errors.DuplicateEntry:
# probably reinstallation of DNS
pass
try:
self.api.Command.dnsserver_mod(
self.fqdn,
idnsforwarders=[unicode(f) for f in self.forwarders],
idnsforwardpolicy=unicode(self.forward_policy)
)
except errors.EmptyModlist:
pass
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
def execute(self, **options):
ldap = self.api.Backend.ldap2
dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
try:
ldap.get_entry(dn, attrs_list=['cn'])
except errors.NotFound:
# NIS is not configured on system, do not execute update
logger.debug("Skipping NIS update, NIS Server is not configured")
# container does not exist, bug #5507 is not effective
sysupgrade.set_upgrade_state(
'nis', 'done_recover_from_missing_maps', True)
else:
self.__recover_from_missing_maps(ldap)
logger.debug("Executing NIS Server update")
ld = LDAPUpdate(sub_dict={}, ldapi=True)
ld.update([paths.NIS_UPDATE_ULDIF])
return False, ()
def __setup_server_configuration(self):
ensure_dnsserver_container_exists(api.Backend.ldap2, self.api)
try:
self.api.Command.dnsserver_add(
self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(),
)
except errors.DuplicateEntry:
# probably reinstallation of DNS
pass
try:
self.api.Command.dnsserver_mod(
self.fqdn,
idnsforwarders=[unicode(f) for f in self.forwarders],
idnsforwardpolicy=unicode(self.forward_policy)
)
except errors.EmptyModlist:
pass
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
def execute(self, **options):
ldap = self.api.Backend.ldap2
dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
try:
ldap.get_entry(dn, attrs_list=['cn'])
except errors.NotFound:
# NIS is not configured on system, do not execute update
logger.debug("Skipping NIS update, NIS Server is not configured")
# container does not exist, bug #5507 is not effective
sysupgrade.set_upgrade_state('nis',
'done_recover_from_missing_maps',
True)
else:
self.__recover_from_missing_maps(ldap)
logger.debug("Executing NIS Server update")
ld = LDAPUpdate(sub_dict={}, ldapi=True)
ld.update([paths.NIS_UPDATE_ULDIF])
return False, ()
def execute(self, **options):
ldap = self.api.Backend.ldap2
if sysupgrade.get_upgrade_state('dns', 'server_config_to_ldap'):
self.log.debug('upgrade is not needed')
return False, []
dns_container_dn = DN(self.api.env.container_dns, self.api.env.basedn)
try:
ldap.get_entry(dns_container_dn)
except errors.NotFound:
self.log.debug('DNS container not found, nothing to upgrade')
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
return False, []
result = self.api.Command.server_show(self.api.env.host)['result']
if not 'DNS server' in result.get('enabled_role_servrole', []):
self.log.debug('This server is not DNS server, nothing to upgrade')
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
return False, []
# create container first, if doesn't exist
ensure_dnsserver_container_exists(ldap, self.api, logger=self.log)
try:
self.api.Command.dnsserver_add(self.api.env.host)
except errors.DuplicateEntry:
self.log.debug("DNS server configuration already exists "
"in LDAP database")
else:
self.log.debug("DNS server configuration has been sucessfully "
"created in LDAP database")
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
return False, []
def execute(self, **options):
ldap = self.api.Backend.ldap2
if sysupgrade.get_upgrade_state('dns', 'server_config_to_ldap'):
self.log.debug('upgrade is not needed')
return False, []
dns_container_dn = DN(self.api.env.container_dns, self.api.env.basedn)
try:
ldap.get_entry(dns_container_dn)
except errors.NotFound:
self.log.debug('DNS container not found, nothing to upgrade')
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
return False, []
result = self.api.Command.server_show(self.api.env.host)['result']
if not 'DNS server' in result.get('enabled_role_servrole', []):
self.log.debug('This server is not DNS server, nothing to upgrade')
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
return False, []
# create container first, if doesn't exist
ensure_dnsserver_container_exists(ldap, self.api, logger=self.log)
try:
self.api.Command.dnsserver_add(self.api.env.host)
except errors.DuplicateEntry:
self.log.debug("DNS server configuration already exists "
"in LDAP database")
else:
self.log.debug("DNS server configuration has been sucessfully "
"created in LDAP database")
sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
return False, []
def __setup_named_conf(self):
if not self.fstore.has_file(NAMED_CONF):
self.fstore.backup_file(NAMED_CONF)
named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
named_fd = open(NAMED_CONF, 'w')
named_fd.seek(0)
named_fd.truncate(0)
named_fd.write(named_txt)
named_fd.close()
if self.no_dnssec_validation:
# disable validation
named_conf_set_directive("dnssec-validation", "no",
section=NAMED_SECTION_OPTIONS,
str_val=False)
# prevent repeated upgrade on new installs
sysupgrade.set_upgrade_state(
'named.conf',
'forward_policy_conflict_with_empty_zones_handled', True
)
def execute(self, **options):
update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated')
if update_done:
root_logger.debug("PassSync privilege update pre-check not needed")
return False, []
root_logger.debug("Check if there is existing PassSync privilege")
passsync_privilege_dn = DN(('cn','PassSync Service'),
self.api.env.container_privilege,
self.api.env.basedn)
ldap = self.api.Backend.ldap2
try:
ldap.get_entry(passsync_privilege_dn, [''])
except errors.NotFound:
root_logger.debug("PassSync privilege not found, this is a new update")
sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', False)
else:
root_logger.debug("PassSync privilege found, skip updating PassSync")
sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
return False, []
def __setup_named_conf(self):
if not self.fstore.has_file(NAMED_CONF):
self.fstore.backup_file(NAMED_CONF)
named_txt = ipautil.template_file(
ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
named_fd = open(NAMED_CONF, 'w')
named_fd.seek(0)
named_fd.truncate(0)
named_fd.write(named_txt)
named_fd.close()
if self.no_dnssec_validation:
# disable validation
named_conf_set_directive("dnssec-validation",
"no",
section=NAMED_SECTION_OPTIONS,
str_val=False)
# prevent repeated upgrade on new installs
sysupgrade.set_upgrade_state(
'named.conf', 'forward_policy_conflict_with_empty_zones_handled',
True)
def execute(self, **options):
update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated')
if update_done:
logger.debug("PassSync privilege update pre-check not needed")
return False, []
logger.debug("Check if there is existing PassSync privilege")
passsync_privilege_dn = DN(('cn','PassSync Service'),
self.api.env.container_privilege,
self.api.env.basedn)
ldap = self.api.Backend.ldap2
try:
ldap.get_entry(passsync_privilege_dn, [''])
except errors.NotFound:
logger.debug("PassSync privilege not found, this is a new update")
sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', False)
else:
logger.debug("PassSync privilege found, skip updating PassSync")
sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
return False, []
def execute(self, **options):
update_done = sysupgrade.get_upgrade_state(
'winsync', 'passsync_privilege_updated')
if update_done:
root_logger.debug("PassSync privilege update not needed")
return False, []
root_logger.debug(
"Add PassSync user as a member of PassSync privilege")
ldap = self.api.Backend.ldap2
passsync_dn = DN(('uid', 'passsync'), ('cn', 'sysaccounts'),
('cn', 'etc'), self.api.env.basedn)
passsync_privilege_dn = DN(('cn', 'PassSync Service'),
self.api.env.container_privilege,
self.api.env.basedn)
try:
ldap.get_entry(passsync_dn, [''])
except errors.NotFound:
root_logger.debug("PassSync user not found, no update needed")
sysupgrade.set_upgrade_state('winsync',
'passsync_privilege_updated', True)
return False, []
else:
root_logger.debug("PassSync user found, do update")
update = {
'dn': passsync_privilege_dn,
'updates': [
dict(action='add', attr='member', value=passsync_dn),
]
}
sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated',
True)
return False, [update]
def disable_mod_ssl_ocsp(self):
if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None:
self.__disable_mod_ssl_ocsp()
sysupgrade.set_upgrade_state('http', OCSP_ENABLED, False)
def __setup_ssl(self):
key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host)
with open(key_passwd_file, 'wb') as f:
os.fchmod(f.fileno(), 0o600)
pkey_passwd = ipautil.ipa_generate_password().encode('utf-8')
f.write(pkey_passwd)
if self.pkcs12_info:
p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys(
*self.pkcs12_info)
keys_dict = {
k.public_key().public_numbers(): k
for k in p12_priv_keys
}
certs_keys = [
(c, keys_dict.get(c.public_key().public_numbers()))
for c in p12_certs
]
server_certs_keys = [
(c, k) for c, k in certs_keys if k is not None
]
if not server_certs_keys:
raise RuntimeError(
"Could not find a suitable server cert in import in %s"
% self.pkcs12_info[0]
)
# We only handle one server cert
self.cert = server_certs_keys[0][0]
x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE)
x509.write_pem_private_key(
server_certs_keys[0][1],
paths.HTTPD_KEY_FILE,
passwd=pkey_passwd
)
if self.ca_is_configured:
self.start_tracking_certificates()
self.add_cert_to_service()
else:
if not self.promote:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT,
'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
'--certfile', paths.RA_AGENT_PEM,
'--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT,
'--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
principal=self.principal,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd',
storage='FILE',
passwd_fname=key_passwd_file
)
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
self.cert = x509.load_certificate_from_file(
paths.HTTPD_CERT_FILE
)
if prev_helper is not None:
self.add_cert_to_service()
with open(paths.HTTPD_KEY_FILE, 'rb') as f:
priv_key = x509.load_pem_private_key(
f.read(), pkey_passwd, backend=x509.default_backend())
# Verify we have a valid server cert
if (priv_key.public_key().public_numbers()
!= self.cert.public_key().public_numbers()):
raise RuntimeError(
"The public key of the issued HTTPD service certificate "
"does not match its private key.")
sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def __certmap_conf(self):
write_certmap_conf(self.realm, self.ca_subject)
sysupgrade.set_upgrade_state('certmap.conf', 'subject_base',
str(self.subject_base))
def store_version():
"""Store current data version and platform. This is required for check if
upgrade is required.
"""
sysupgrade.set_upgrade_state('ipa', 'data_version', version.VENDOR_VERSION)
sysupgrade.set_upgrade_state('ipa', 'platform', get_current_platform())
def __setup_ssl(self):
key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host)
with open(key_passwd_file, 'wb') as f:
os.fchmod(f.fileno(), 0o600)
pkey_passwd = ipautil.ipa_generate_password().encode('utf-8')
f.write(pkey_passwd)
if self.pkcs12_info:
p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys(
*self.pkcs12_info)
keys_dict = {
k.public_key().public_numbers(): k
for k in p12_priv_keys
}
certs_keys = [(c, keys_dict.get(c.public_key().public_numbers()))
for c in p12_certs]
server_certs_keys = [(c, k) for c, k in certs_keys
if k is not None]
if not server_certs_keys:
raise RuntimeError(
"Could not find a suitable server cert in import in %s" %
self.pkcs12_info[0])
# We only handle one server cert
self.cert = server_certs_keys[0][0]
x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE)
x509.write_pem_private_key(server_certs_keys[0][1],
paths.HTTPD_KEY_FILE,
passwd=pkey_passwd)
if self.ca_is_configured:
self.start_tracking_certificates()
self.add_cert_to_service()
else:
if not self.promote:
ca_args = [
paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url',
'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile',
paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY,
'--cafile', paths.IPA_CA_CRT, '--agent-submit'
]
helper = " ".join(ca_args)
prev_helper = certmonger.modify_ca_helper('IPA', helper)
else:
prev_helper = None
try:
certmonger.request_and_wait_for_cert(
certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE),
principal=self.principal,
subject=str(DN(('CN', self.fqdn), self.subject_base)),
ca='IPA',
profile=dogtag.DEFAULT_PROFILE,
dns=[self.fqdn],
post_command='restart_httpd',
storage='FILE',
passwd_fname=key_passwd_file)
finally:
if prev_helper is not None:
certmonger.modify_ca_helper('IPA', prev_helper)
self.cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if prev_helper is not None:
self.add_cert_to_service()
with open(paths.HTTPD_KEY_FILE, 'rb') as f:
priv_key = x509.load_pem_private_key(
f.read(), pkey_passwd, backend=x509.default_backend())
# Verify we have a valid server cert
if (priv_key.public_key().public_numbers() !=
self.cert.public_key().public_numbers()):
raise RuntimeError(
"The public key of the issued HTTPD service certificate "
"does not match its private key.")
sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def disable_mod_ssl_ocsp(self):
if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None:
self.__disable_mod_ssl_ocsp()
sysupgrade.set_upgrade_state('http', OCSP_ENABLED, False)
def install_step_0(standalone, replica_config, options, custodia):
realm_name = options.realm_name
dm_password = options.dm_password
host_name = options.host_name
ca_subject = options._ca_subject
subject_base = options._subject_base
external_ca_profile = None
if replica_config is None:
ca_signing_algorithm = options.ca_signing_algorithm
if options.external_ca:
ca_type = options.external_ca_type
external_ca_profile = options.external_ca_profile
csr_file = paths.ROOT_IPA_CSR
else:
ca_type = None
csr_file = None
if options.external_cert_files:
cert_file = external_cert_file.name
cert_chain_file = external_ca_file.name
else:
cert_file = None
cert_chain_file = None
pkcs12_info = None
master_host = None
master_replication_port = None
ra_p12 = None
ra_only = False
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
custodia.get_ca_keys(
cafile,
replica_config.dirman_password)
ca_signing_algorithm = None
ca_type = None
csr_file = None
cert_file = None
cert_chain_file = None
pkcs12_info = (cafile,)
master_host = replica_config.ca_host_name
master_replication_port = replica_config.ca_ds_port
ra_p12 = os.path.join(replica_config.dir, 'ra.p12')
ra_only = not replica_config.setup_ca
promote = True
# if upgrading from CA-less to CA-ful, need to rewrite
# certmap.conf and subject_base configuration
#
set_subject_base_in_config(subject_base)
sysupgrade.set_upgrade_state(
'certmap.conf', 'subject_base', str(subject_base))
dsinstance.write_certmap_conf(realm_name, ca_subject)
# use secure ldaps when installing a replica or upgrading to CA-ful
# In both cases, 389-DS is already configured to have a trusted cert.
use_ldaps = standalone or replica_config is not None
ca = cainstance.CAInstance(
realm=realm_name, host_name=host_name, custodia=custodia
)
ca.configure_instance(
host_name, dm_password, dm_password,
subject_base=subject_base,
ca_subject=ca_subject,
ca_signing_algorithm=ca_signing_algorithm,
ca_type=ca_type,
external_ca_profile=external_ca_profile,
csr_file=csr_file,
cert_file=cert_file,
cert_chain_file=cert_chain_file,
pkcs12_info=pkcs12_info,
master_host=master_host,
master_replication_port=master_replication_port,
ra_p12=ra_p12,
ra_only=ra_only,
promote=promote,
use_ldaps=use_ldaps,
pki_config_override=options.pki_config_override,
)
def execute(self, **options):
ldap = self.api.Backend.ldap2
if sysupgrade.get_upgrade_state('sidgen', 'update_sids') is not True:
self.log.debug("SIDs do not need to be generated")
return False, ()
# check if IPA domain for AD trust has been created, and if we need to
# regenerate missing SIDs if attribute 'ipaNTSecurityIdentifier'
domain_IPA_AD_dn = DN(
('cn', self.api.env.domain),
self.api.env.container_cifsdomains,
self.api.env.basedn)
attr_name = 'ipaNTSecurityIdentifier'
try:
entry = ldap.get_entry(domain_IPA_AD_dn, attrs_list=[attr_name])
except errors.NotFound:
self.log.debug("IPA domain object %s is not configured",
domain_IPA_AD_dn)
sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
return False, ()
else:
if not entry.single_value.get(attr_name):
# we need to run sidgen task
sidgen_task_dn = DN(
"cn=generate domain sid,cn=ipa-sidgen-task,cn=tasks,"
"cn=config")
sidgen_tasks_attr = {
"objectclass": ["top", "extensibleObject"],
"cn": ["sidgen"],
"delay": [0],
"nsslapd-basedn": [self.api.env.basedn],
}
task_entry = ldap.make_entry(sidgen_task_dn,
**sidgen_tasks_attr)
try:
ldap.add_entry(task_entry)
except errors.DuplicateEntry:
self.log.debug("sidgen task already created")
else:
self.log.debug("sidgen task has been created")
# we have to check all trusts domains which may been affected by the
# bug. Symptom is missing 'ipaNTSecurityIdentifier' attribute
base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn)
try:
trust_domain_entries, truncated = ldap.find_entries(
base_dn=base_dn,
scope=ldap.SCOPE_ONELEVEL,
attrs_list=["cn"],
# more types of trusts can be stored under cn=trusts, we need
# the type with ipaNTTrustPartner attribute
filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
)
except errors.NotFound:
pass
else:
if truncated:
self.log.warning("update_sids: Search results were truncated")
for entry in trust_domain_entries:
domain = entry.single_value["cn"]
self.log.error(
"Your trust to %s is broken. Please re-create it by "
"running 'ipa trust-add' again.", domain)
sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
return False, ()
def install_step_0(standalone, replica_config, options, custodia):
realm_name = options.realm_name
dm_password = options.dm_password
host_name = options.host_name
ca_subject = options._ca_subject
subject_base = options._subject_base
external_ca_profile = None
if replica_config is None:
ca_signing_algorithm = options.ca_signing_algorithm
if options.external_ca:
ca_type = options.external_ca_type
external_ca_profile = options.external_ca_profile
csr_file = paths.ROOT_IPA_CSR
else:
ca_type = None
csr_file = None
if options.external_cert_files:
cert_file = external_cert_file.name
cert_chain_file = external_ca_file.name
else:
cert_file = None
cert_chain_file = None
pkcs12_info = None
master_host = None
master_replication_port = None
ra_p12 = None
ra_only = False
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
custodia.get_ca_keys(cafile, replica_config.dirman_password)
ca_signing_algorithm = None
ca_type = None
csr_file = None
cert_file = None
cert_chain_file = None
pkcs12_info = (cafile, )
master_host = replica_config.ca_host_name
master_replication_port = replica_config.ca_ds_port
ra_p12 = os.path.join(replica_config.dir, 'ra.p12')
ra_only = not replica_config.setup_ca
promote = True
# if upgrading from CA-less to CA-ful, need to rewrite
# certmap.conf and subject_base configuration
#
set_subject_base_in_config(subject_base)
sysupgrade.set_upgrade_state('certmap.conf', 'subject_base',
str(subject_base))
dsinstance.write_certmap_conf(realm_name, ca_subject)
# use secure ldaps when installing a replica or upgrading to CA-ful
# In both cases, 389-DS is already configured to have a trusted cert.
use_ldaps = standalone or replica_config is not None
ca = cainstance.CAInstance(realm=realm_name,
host_name=host_name,
custodia=custodia)
ca.configure_instance(
host_name,
dm_password,
dm_password,
subject_base=subject_base,
ca_subject=ca_subject,
ca_signing_algorithm=ca_signing_algorithm,
ca_type=ca_type,
external_ca_profile=external_ca_profile,
csr_file=csr_file,
cert_file=cert_file,
cert_chain_file=cert_chain_file,
pkcs12_info=pkcs12_info,
master_host=master_host,
master_replication_port=master_replication_port,
ra_p12=ra_p12,
ra_only=ra_only,
promote=promote,
use_ldaps=use_ldaps,
pki_config_override=options.pki_config_override,
)
def install_step_0(standalone, replica_config, options):
realm_name = options.realm_name
dm_password = options.dm_password
host_name = options.host_name
ca_subject = options._ca_subject
subject_base = options._subject_base
if replica_config is None:
ca_signing_algorithm = options.ca_signing_algorithm
if options.external_ca:
ca_type = options.external_ca_type
csr_file = paths.ROOT_IPA_CSR
else:
ca_type = None
csr_file = None
if options.external_cert_files:
cert_file = external_cert_file.name
cert_chain_file = external_ca_file.name
else:
cert_file = None
cert_chain_file = None
pkcs12_info = None
master_host = None
master_replication_port = None
ra_p12 = None
ra_only = False
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
if options.promote:
custodia = custodiainstance.CustodiaInstance(
replica_config.host_name, replica_config.realm_name)
custodia.get_ca_keys(replica_config.ca_host_name, cafile,
replica_config.dirman_password)
ca_signing_algorithm = None
ca_type = None
csr_file = None
cert_file = None
cert_chain_file = None
pkcs12_info = (cafile, )
master_host = replica_config.ca_host_name
master_replication_port = replica_config.ca_ds_port
ra_p12 = os.path.join(replica_config.dir, 'ra.p12')
ra_only = not replica_config.setup_ca
promote = options.promote
# if upgrading from CA-less to CA-ful, need to rewrite
# certmap.conf and subject_base configuration
#
set_subject_base_in_config(subject_base)
sysupgrade.set_upgrade_state('certmap.conf', 'subject_base',
str(subject_base))
dsinstance.write_certmap_conf(realm_name, ca_subject)
ca = cainstance.CAInstance(realm_name,
paths.IPA_RADB_DIR,
host_name=host_name)
ca.configure_instance(host_name,
dm_password,
dm_password,
subject_base=subject_base,
ca_subject=ca_subject,
ca_signing_algorithm=ca_signing_algorithm,
ca_type=ca_type,
csr_file=csr_file,
cert_file=cert_file,
cert_chain_file=cert_chain_file,
pkcs12_info=pkcs12_info,
master_host=master_host,
master_replication_port=master_replication_port,
ra_p12=ra_p12,
ra_only=ra_only,
promote=promote,
use_ldaps=standalone)
def execute(self, **options):
ldap = self.api.Backend.ldap2
if sysupgrade.get_upgrade_state('sidgen', 'update_sids') is not True:
logger.debug("SIDs do not need to be generated")
return False, ()
# check if IPA domain for AD trust has been created, and if we need to
# regenerate missing SIDs if attribute 'ipaNTSecurityIdentifier'
domain_IPA_AD_dn = DN(
('cn', self.api.env.domain),
self.api.env.container_cifsdomains,
self.api.env.basedn)
attr_name = 'ipaNTSecurityIdentifier'
try:
entry = ldap.get_entry(domain_IPA_AD_dn, attrs_list=[attr_name])
except errors.NotFound:
logger.debug("IPA domain object %s is not configured",
domain_IPA_AD_dn)
sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
return False, ()
else:
if not entry.single_value.get(attr_name):
# we need to run sidgen task
sidgen_task_dn = DN(
"cn=generate domain sid,cn=ipa-sidgen-task,cn=tasks,"
"cn=config")
sidgen_tasks_attr = {
"objectclass": ["top", "extensibleObject"],
"cn": ["sidgen"],
"delay": [0],
"nsslapd-basedn": [self.api.env.basedn],
}
task_entry = ldap.make_entry(sidgen_task_dn,
**sidgen_tasks_attr)
try:
ldap.add_entry(task_entry)
except errors.DuplicateEntry:
logger.debug("sidgen task already created")
else:
logger.debug("sidgen task has been created")
# we have to check all trusts domains which may been affected by the
# bug. Symptom is missing 'ipaNTSecurityIdentifier' attribute
base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn)
try:
trust_domain_entries, truncated = ldap.find_entries(
base_dn=base_dn,
scope=ldap.SCOPE_ONELEVEL,
attrs_list=["cn"],
# more types of trusts can be stored under cn=trusts, we need
# the type with ipaNTTrustPartner attribute
filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
)
except errors.NotFound:
pass
else:
if truncated:
logger.warning("update_sids: Search results were truncated")
for entry in trust_domain_entries:
domain = entry.single_value["cn"]
logger.error(
"Your trust to %s is broken. Please re-create it by "
"running 'ipa trust-add' again.", domain)
sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
return False, ()