def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
    """Build the LDAP template substitution dict for installer and updater.

    :param realm: Kerberos realm, exported as REALM
    :param domain: DNS domain, exported as DOMAIN and hashed into DOMAIN_HASH
    :param suffix: LDAP base DN; SUFFIX is the object, ESCAPED_SUFFIX its str()
    :param fqdn: host name, exported as both FQDN and HOST
    :param idstart: first ID of the POSIX ID range, or None
    :param idmax: last ID of the POSIX ID range, or None
    :returns: dict mapping template variable names to their values

    IDSTART, IDMAX, IDRANGE_SIZE and SUBID_BASE_RID stay None when no
    ``idstart`` is given; when it is, ``idmax`` has to be given as well,
    since the range size is ``idmax - idstart + 1``.  NAMED_UID and
    NAMED_GID are None when looking up the named user/group raises
    ValueError.
    """
    idrange_size = subid_base_rid = None
    if idstart is not None:
        idrange_size = idmax - idstart + 1
        # the subid base RID sits idrange_size below the subid range start
        subid_base_rid = constants.SUBID_RANGE_START - idrange_size

    # uid / gid for autobind; the named user is only defined when
    # ipa-server-dns and bind are installed, so a failed lookup is not fatal
    try:
        named_uid, named_gid = (
            platformconstants.NAMED_USER.uid,
            platformconstants.NAMED_GROUP.gid,
        )
    except ValueError:
        named_uid = named_gid = None

    exclude_prefix = '(objectclass=*) $ EXCLUDE '
    # "#" comments out FIPS-incompatible template lines when FIPS is on
    fips_marker = "#" if tasks.is_fips_enabled() else ""

    return {
        'REALM': realm,
        'DOMAIN': domain,
        'SUFFIX': suffix,
        'ESCAPED_SUFFIX': str(suffix),
        'FQDN': fqdn,
        'HOST': fqdn,
        'LIBARCH': paths.LIBARCH,
        'TIME': int(time.time()),
        'FIPS': fips_marker,
        # idstart, idmax, and idrange_size may be None
        'IDSTART': idstart,
        'IDMAX': idmax,
        'IDRANGE_SIZE': idrange_size,
        'SUBID_COUNT': constants.SUBID_COUNT,
        'SUBID_RANGE_START': constants.SUBID_RANGE_START,
        'SUBID_RANGE_SIZE': constants.SUBID_RANGE_SIZE,
        'SUBID_RANGE_MAX': constants.SUBID_RANGE_MAX,
        'SUBID_DNA_THRESHOLD': constants.SUBID_DNA_THRESHOLD,
        'SUBID_BASE_RID': subid_base_rid,
        'DOMAIN_HASH': murmurhash3(domain, len(domain), 0xdeadbeef),
        'MAX_DOMAIN_LEVEL': constants.MAX_DOMAIN_LEVEL,
        'MIN_DOMAIN_LEVEL': constants.MIN_DOMAIN_LEVEL,
        'STRIP_ATTRS': " ".join(replication.STRIP_ATTRS),
        'EXCLUDES': exclude_prefix + ' '.join(replication.EXCLUDES),
        'TOTAL_EXCLUDES': exclude_prefix + ' '.join(replication.TOTAL_EXCLUDES),
        'DEFAULT_SHELL': platformconstants.DEFAULT_SHELL,
        'DEFAULT_ADMIN_SHELL': platformconstants.DEFAULT_ADMIN_SHELL,
        'SELINUX_USERMAP_DEFAULT': platformconstants.SELINUX_USERMAP_DEFAULT,
        'SELINUX_USERMAP_ORDER': platformconstants.SELINUX_USERMAP_ORDER,
        'NAMED_UID': named_uid,
        'NAMED_GID': named_gid,
    }
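def __setup_sub_dict(self):
    """Populate ``self.sub_dict`` for the Kerberos configuration templates.

    Reads ``self.fqdn``, ``self.ip``, ``self.kdc_password``, ``self.suffix``,
    ``self.domain``, ``self.host`` and ``self.realm``.  Besides filling the
    dict it has one side effect on disk: an empty kadm5.acl with mode 0600
    is created when ``paths.KRB5KDC_KADM5_ACL`` does not exist yet.
    """
    if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
        includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)
    else:
        includes = ''

    self.sub_dict = dict(FQDN=self.fqdn,
                         IP=self.ip,
                         PASSWORD=self.kdc_password,
                         SUFFIX=self.suffix,
                         DOMAIN=self.domain,
                         HOST=self.host,
                         SERVER_ID=ipaldap.realm_to_serverid(self.realm),
                         REALM=self.realm,
                         KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
                         DICT_WORDS=paths.DICT_WORDS,
                         KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
                         KDC_CERT=paths.KDC_CERT,
                         KDC_KEY=paths.KDC_KEY,
                         CACERT_PEM=paths.CACERT_PEM,
                         KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
                         CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
                         INCLUDES=includes,
                         FIPS='#' if tasks.is_fips_enabled() else '')

    # IPA server/KDC is not a subdomain of default domain
    # Proper domain-realm mapping needs to be specified
    domain = dns.name.from_text(self.domain)
    fqdn = dns.name.from_text(self.fqdn)
    if not fqdn.is_subdomain(domain):
        logger.debug("IPA FQDN '%s' is not located in default domain '%s'",
                     fqdn, domain)
        server_domain = fqdn.parent().to_unicode(omit_final_dot=True)
        logger.debug("Domain '%s' needs additional mapping in krb5.conf",
                     server_domain)
        # both the bare server domain and its subdomains map to this realm
        dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
            % dict(domain=server_domain, realm=self.realm)
    else:
        dr_map = ""
    self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map

    # Configure KEYRING CCACHE if supported
    if kernel_keyring.is_persistent_keyring_supported():
        logger.debug("Enabling persistent keyring CCACHE")
        self.sub_dict['OTHER_LIBDEFAULTS'] = \
            " default_ccache_name = KEYRING:persistent:%{uid}\n"
    else:
        logger.debug("Persistent keyring CCACHE is not enabled")
        self.sub_dict['OTHER_LIBDEFAULTS'] = ''

    # Create kadm5.acl if it doesn't exist.  The file is created with
    # mode 0600 from the start instead of with the process umask and a
    # chmod afterwards, so it is never world-readable in between.
    if not os.path.exists(paths.KRB5KDC_KADM5_ACL):
        fd = os.open(paths.KRB5KDC_KADM5_ACL,
                     os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.close(fd)
        # the umask can only clear bits of the creation mode; the explicit
        # chmod keeps the final mode at exactly 0600 as before
        os.chmod(paths.KRB5KDC_KADM5_ACL, 0o600)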
def _bootstrap(self, **overrides) -> None:
    """
    Initialize basic environment.

    This method will perform the following steps:

        1. Initialize certain run-time variables.  These run-time variables
           are strictly determined by the external environment the process
           is running in; they cannot be specified on the command-line nor
           in the configuration files.

        2. Merge-in the variables in ``overrides`` by calling
           `Env._merge()`.  The intended use of ``overrides`` is to merge-in
           variables specified on the command-line.

        3. Intelligently fill-in the *in_tree*, *context*, *conf*, and
           *conf_default* variables if they haven't been set already.

    Also see `Env._finalize_core()`, the next method in the bootstrap
    sequence.

    :param overrides: Variables specified via command-line options.
    :raises errors.EnvironmentError: when the ``IPA_CONFDIR`` environment
        variable is combined with an explicit *confdir*, when it is not an
        absolute path to an existing directory, or when *tls_ca_cert*
        is not an absolute path.
    """
    self.__doing('_bootstrap')

    # Set run-time variables (cannot be overridden):
    self.ipalib = path.dirname(path.abspath(__file__))
    self.site_packages = path.dirname(self.ipalib)
    self.script = path.abspath(sys.argv[0])
    self.bin = path.dirname(self.script)
    # None when HOME is unset; dot_ipa below is derived from it
    self.home = os.environ.get('HOME', None)

    # Set fips_mode only if ipaplatform module was loaded
    if tasks is not None:
        self.fips_mode = tasks.is_fips_enabled()

    # Merge in overrides:
    self._merge(**overrides)

    # Determine if running in source tree: the script lives next to the
    # package and a setup.py sits beside it
    if 'in_tree' not in self:
        self.in_tree = (
            self.bin == self.site_packages
            and path.isfile(path.join(self.bin, 'setup.py'))
        )
    if self.in_tree and 'mode' not in self:
        self.mode = 'developer'

    # Set dot_ipa:
    if 'dot_ipa' not in self:
        self.dot_ipa = self._join('home', '.ipa')

    # Set context
    if 'context' not in self:
        self.context = 'default'

    # Set confdir: an explicit confdir and the IPA_CONFDIR environment
    # variable are mutually exclusive, and the environment value is only
    # accepted as an absolute path to an existing directory
    self.env_confdir = os.environ.get('IPA_CONFDIR')
    if 'confdir' in self and self.env_confdir is not None:
        raise errors.EnvironmentError(
            "IPA_CONFDIR env cannot be set because explicit confdir "
            "is used")
    if 'confdir' not in self:
        if self.env_confdir is not None:
            if (not path.isabs(self.env_confdir)
                    or not path.isdir(self.env_confdir)):
                raise errors.EnvironmentError(
                    "IPA_CONFDIR env var must be an absolute path to an "
                    "existing directory, got '{}'.".format(
                        self.env_confdir))
            self.confdir = self.env_confdir
        elif self.in_tree:
            # in-tree runs use the per-user directory, not /etc/ipa
            self.confdir = self.dot_ipa
        else:
            self.confdir = path.join('/', 'etc', 'ipa')

    # Set conf (config file for this context):
    if 'conf' not in self:
        self.conf = self._join('confdir', '%s.conf' % self.context)

    # Set conf_default (default base config used in all contexts):
    if 'conf_default' not in self:
        self.conf_default = self._join('confdir', 'default.conf')

    if 'nss_dir' not in self:
        self.nss_dir = self._join('confdir', 'nssdb')

    if 'tls_ca_cert' not in self:
        self.tls_ca_cert = self._join('confdir', 'ca.crt')
    # having tls_ca_cert an absolute path could help us extending this
    # in the future for different certificate providers simply by adding
    # a prefix to the path
    # (this check also covers a tls_ca_cert supplied via overrides)
    if not path.isabs(self.tls_ca_cert):
        raise errors.EnvironmentError(
            "tls_ca_cert has to be an absolute path to a CA certificate, "
            "got '{}'".format(self.tls_ca_cert))

    # Set plugins_on_demand: only the 'cli' context loads plugins lazily
    if 'plugins_on_demand' not in self:
        self.plugins_on_demand = (self.context == 'cli')
def _bootstrap(self, **overrides) -> None:
    """
    Initialize basic environment.

    This method will perform the following steps:

        1. Initialize certain run-time variables.  These run-time variables
           are strictly determined by the external environment the process
           is running in; they cannot be specified on the command-line nor
           in the configuration files.

        2. Merge-in the variables in ``overrides`` by calling
           `Env._merge()`.  The intended use of ``overrides`` is to merge-in
           variables specified on the command-line.

        3. Intelligently fill-in the *in_tree*, *context*, *conf*, and
           *conf_default* variables if they haven't been set already.

    Also see `Env._finalize_core()`, the next method in the bootstrap
    sequence.

    :param overrides: Variables specified via command-line options.
    :raises errors.EnvironmentError: when the ``IPA_CONFDIR`` environment
        variable is combined with an explicit *confdir*, when it is not an
        absolute path to an existing directory, or when *tls_ca_cert*
        is not an absolute path.
    """
    self.__doing('_bootstrap')

    # Set run-time variables (cannot be overridden):
    self.ipalib = path.dirname(path.abspath(__file__))
    self.site_packages = path.dirname(self.ipalib)
    self.script = path.abspath(sys.argv[0])
    self.bin = path.dirname(self.script)
    # None when HOME is unset; dot_ipa below is derived from it
    self.home = os.environ.get('HOME', None)
    # fips_mode is read from the platform unconditionally here, so the
    # ipaplatform tasks module has to be importable in this environment
    self.fips_mode = tasks.is_fips_enabled()

    # Merge in overrides:
    self._merge(**overrides)

    # Determine if running in source tree: the script lives next to the
    # package and a setup.py sits beside it
    if 'in_tree' not in self:
        self.in_tree = (self.bin == self.site_packages and
                        path.isfile(path.join(self.bin, 'setup.py')))
    if self.in_tree and 'mode' not in self:
        self.mode = 'developer'

    # Set dot_ipa:
    if 'dot_ipa' not in self:
        self.dot_ipa = self._join('home', '.ipa')

    # Set context
    if 'context' not in self:
        self.context = 'default'

    # Set confdir: an explicit confdir and the IPA_CONFDIR environment
    # variable are mutually exclusive, and the environment value is only
    # accepted as an absolute path to an existing directory
    self.env_confdir = os.environ.get('IPA_CONFDIR')
    if 'confdir' in self and self.env_confdir is not None:
        raise errors.EnvironmentError(
            "IPA_CONFDIR env cannot be set because explicit confdir "
            "is used")
    if 'confdir' not in self:
        if self.env_confdir is not None:
            if (not path.isabs(self.env_confdir)
                    or not path.isdir(self.env_confdir)):
                raise errors.EnvironmentError(
                    "IPA_CONFDIR env var must be an absolute path to an "
                    "existing directory, got '{}'.".format(
                        self.env_confdir))
            self.confdir = self.env_confdir
        elif self.in_tree:
            # in-tree runs use the per-user directory, not /etc/ipa
            self.confdir = self.dot_ipa
        else:
            self.confdir = path.join('/', 'etc', 'ipa')

    # Set conf (config file for this context):
    if 'conf' not in self:
        self.conf = self._join('confdir', '%s.conf' % self.context)

    # Set conf_default (default base config used in all contexts):
    if 'conf_default' not in self:
        self.conf_default = self._join('confdir', 'default.conf')

    if 'nss_dir' not in self:
        self.nss_dir = self._join('confdir', 'nssdb')

    if 'tls_ca_cert' not in self:
        self.tls_ca_cert = self._join('confdir', 'ca.crt')
    # having tls_ca_cert an absolute path could help us extending this
    # in the future for different certificate providers simply by adding
    # a prefix to the path
    # (this check also covers a tls_ca_cert supplied via overrides)
    if not path.isabs(self.tls_ca_cert):
        raise errors.EnvironmentError(
            "tls_ca_cert has to be an absolute path to a CA certificate, "
            "got '{}'".format(self.tls_ca_cert))

    # Set plugins_on_demand: only the 'cli' context loads plugins lazily
    if 'plugins_on_demand' not in self:
        self.plugins_on_demand = (self.context == 'cli')
def install_check(installer):
    """Validate the host and collect every parameter of a server install.

    ``installer`` doubles as the options object (``options = installer``).
    Nothing is installed here, but the function is not free of side
    effects: it writes ``paths.IPA_DEFAULT_CONF`` (mode 0644), bootstraps
    and finalizes the global ``api``, and stores the resolved values back
    on ``options.*`` / ``installer._*`` for the later install step.

    :param installer: options object carrying the command-line settings
        and the ``_*`` slots filled in at the end of this function
    :raises RuntimeError: in FIPS mode
    :raises ScriptError: for an already configured server or client, an
        unreadable cache file, bad host/domain names, missing passwords,
        inconsistent PKCS#12 options, a port 443 conflict, or when the
        operator declines the summary
    """
    options = installer
    dirsrv_pkcs12_file = installer._dirsrv_pkcs12_file
    http_pkcs12_file = installer._http_pkcs12_file
    pkinit_pkcs12_file = installer._pkinit_pkcs12_file
    dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
    http_pkcs12_info = installer._http_pkcs12_info
    pkinit_pkcs12_info = installer._pkinit_pkcs12_info
    external_cert_file = installer._external_cert_file
    external_ca_file = installer._external_ca_file
    http_ca_cert = installer._ca_cert

    if tasks.is_fips_enabled():
        raise RuntimeError(
            "Installing IPA server in FIPS mode is not supported")

    tasks.check_selinux_status()

    if options.master_password:
        msg = ("WARNING:\noption '-P/--master-password' is deprecated. "
               "KDC master password of sufficient strength is autogenerated "
               "during IPA server installation and should not be set "
               "manually.")
        print(textwrap.fill(msg, width=79, replace_whitespace=False))

    installer._installation_cleanup = True
    print("\nThe log file for this installation can be found in "
          "/var/log/ipaserver-install.log")

    # An external-CA run is a two-step install, so an existing
    # configuration is only an error on a plain (one-step) install.
    # _installation_cleanup is cleared so the abort does not remove the
    # existing installation.
    if (not options.external_ca and not options.external_cert_files and
            is_ipa_configured()):
        installer._installation_cleanup = False
        raise ScriptError(
            "IPA server is already configured on this system.\n"
            "If you want to reinstall the IPA server, please uninstall "
            "it first using 'ipa-server-install --uninstall'.")

    client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    if client_fstore.has_files():
        installer._installation_cleanup = False
        raise ScriptError(
            "IPA client is already configured on this system.\n"
            "Please uninstall it before configuring the IPA server, "
            "using 'ipa-client-install --uninstall'")

    fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
    sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)

    # This will override any settings passed in on the cmdline
    # (the cache is read with the Directory Manager password and its
    # content replaces the option values wholesale; an external_ca flag in
    # the cache flips the run into the non-interactive second step)
    if ipautil.file_exists(paths.ROOT_IPA_CACHE):
        if options.dm_password is not None:
            dm_password = options.dm_password
        else:
            dm_password = read_password("Directory Manager",
                                        confirm=False)
        if dm_password is None:
            raise ScriptError("Directory Manager password required")
        try:
            cache_vars = read_cache(dm_password)
            options.__dict__.update(cache_vars)
            if cache_vars.get('external_ca', False):
                options.external_ca = False
                options.interactive = False
        except Exception as e:
            raise ScriptError("Cannot process the cache file: %s" % str(e))

    # We only set up the CA if the PKCS#12 options are not given.
    if options.dirsrv_cert_files:
        setup_ca = False
    else:
        setup_ca = True
    options.setup_ca = setup_ca

    # first instance of KRA must be installed by ipa-kra-install
    options.setup_kra = False

    print("======================================="
          "=======================================")
    print("This program will set up the FreeIPA Server.")
    print("")
    print("This includes:")
    if setup_ca:
        print(" * Configure a stand-alone CA (dogtag) for certificate "
              "management")
    if not options.no_ntp:
        print(" * Configure the Network Time Daemon (ntpd)")
    print(" * Create and configure an instance of Directory Server")
    print(" * Create and configure a Kerberos Key Distribution Center (KDC)")
    print(" * Configure Apache (httpd)")
    if options.setup_dns:
        print(" * Configure DNS (bind)")
    if not options.no_pkinit:
        print(" * Configure the KDC to enable PKINIT")
    if options.no_ntp:
        print("")
        print("Excluded by options:")
        print(" * Configure the Network Time Daemon (ntpd)")
    if installer.interactive:
        print("")
        print("To accept the default shown in brackets, press the Enter key.")
    print("")

    if not options.external_cert_files:
        # Make sure the 389-ds ports are available
        check_dirsrv(not installer.interactive)

    if not options.no_ntp:
        try:
            ipaclient.install.ntpconf.check_timedate_services()
        except ipaclient.install.ntpconf.NTPConflictingService as e:
            print(("WARNING: conflicting time&date synchronization service '%s'"
                   " will be disabled" % e.conflicting_service))
            print("in favor of ntpd")
            print("")
        except ipaclient.install.ntpconf.NTPConfigurationError:
            # a broken time service configuration is deliberately ignored
            # here; only a conflicting service is worth a warning
            pass

    # Check to see if httpd is already configured to listen on 443
    if httpinstance.httpd_443_configured():
        raise ScriptError("Aborting installation")

    if not options.setup_dns and installer.interactive:
        if ipautil.user_input("Do you want to configure integrated DNS "
                              "(BIND)?", False):
            options.setup_dns = True
        print("")

    # check bind packages are installed
    if options.setup_dns:
        # Don't require an external DNS to say who we are if we are
        # setting up a local DNS server.
        options.no_host_dns = True

    # check the hostname is correctly configured, it must be as the kldap
    # utilities just use the hostname as returned by getaddrinfo to set
    # up some of the standard entries

    if options.host_name:
        host_default = options.host_name
    else:
        host_default = get_fqdn()

    # a host name given on the command line is verified, not prompted for
    try:
        if not installer.interactive or options.host_name:
            verify_fqdn(host_default, options.no_host_dns)
            host_name = host_default
        else:
            host_name = read_host_name(host_default, options.no_host_dns)
    except BadHostError as e:
        raise ScriptError(e)

    host_name = host_name.lower()
    root_logger.debug("will use host_name: %s\n" % host_name)

    # the default domain is everything after the first label of the host
    # name; only a domain read interactively is validated here, one given
    # via options is taken as-is
    if not options.domain_name:
        domain_name = read_domain_name(host_name[host_name.find(".")+1:],
                                       not installer.interactive)
        root_logger.debug("read domain_name: %s\n" % domain_name)
        try:
            validate_domain_name(domain_name)
        except ValueError as e:
            # NOTE(review): `unicode` is the Python 2 builtin
            raise ScriptError("Invalid domain name: %s" % unicode(e))
    else:
        domain_name = options.domain_name

    domain_name = domain_name.lower()

    if not options.realm_name:
        realm_name = read_realm_name(domain_name, not installer.interactive)
        root_logger.debug("read realm_name: %s\n" % realm_name)
    else:
        realm_name = options.realm_name.upper()

    if not options.subject:
        options.subject = DN(('O', realm_name))

    # PKCS#12 unlock passwords are prompted for once, without confirmation
    # or retry; an empty answer aborts the install
    if options.http_cert_files:
        if options.http_pin is None:
            options.http_pin = installutils.read_password(
                "Enter Apache Server private key unlock",
                confirm=False, validate=False, retry=False)
            if options.http_pin is None:
                raise ScriptError(
                    "Apache Server private key unlock password required")
        http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
            cert_files=options.http_cert_files,
            key_password=options.http_pin,
            key_nickname=options.http_cert_name,
            ca_cert_files=options.ca_cert_files,
            host_name=host_name)
        http_pkcs12_info = (http_pkcs12_file.name, http_pin)

    if options.dirsrv_cert_files:
        if options.dirsrv_pin is None:
            options.dirsrv_pin = read_password(
                "Enter Directory Server private key unlock",
                confirm=False, validate=False, retry=False)
            if options.dirsrv_pin is None:
                raise ScriptError(
                    "Directory Server private key unlock password required")
        dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
            cert_files=options.dirsrv_cert_files,
            key_password=options.dirsrv_pin,
            key_nickname=options.dirsrv_cert_name,
            ca_cert_files=options.ca_cert_files,
            host_name=host_name)
        dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)

    if options.pkinit_cert_files:
        # an external PKINIT certificate only makes sense with --no-pkinit,
        # otherwise the KDC would get both a generated and a provided one
        if not options.no_pkinit:
            raise ScriptError("Cannot create KDC PKINIT certificate and use "
                              "provided external PKINIT certificate at the "
                              "same time. Please choose one of them.")
        if options.pkinit_pin is None:
            options.pkinit_pin = read_password(
                "Enter Kerberos KDC private key unlock",
                confirm=False, validate=False, retry=False)
            if options.pkinit_pin is None:
                raise ScriptError(
                    "Kerberos KDC private key unlock password required")
        pkinit_pkcs12_file, pkinit_pin, _pkinit_ca_cert = load_pkcs12(
            cert_files=options.pkinit_cert_files,
            key_password=options.pkinit_pin,
            key_nickname=options.pkinit_cert_name,
            ca_cert_files=options.ca_cert_files,
            host_name=host_name)
        pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)

    # both server certificates must chain to the same CA; the PKINIT
    # certificate's CA is not part of this comparison
    if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
        raise ScriptError(
            "Apache Server SSL certificate and Directory Server SSL "
            "certificate are not signed by the same CA certificate")

    # passwords passed in via options are used as given; only the prompted
    # ones go through the read_*_password helpers
    if not options.dm_password:
        dm_password = read_dm_password()

        if dm_password is None:
            raise ScriptError("Directory Manager password required")
    else:
        dm_password = options.dm_password

    if not options.master_password:
        master_password = ipa_generate_password()
    else:
        master_password = options.master_password

    if not options.admin_password:
        admin_password = read_admin_password()
        if admin_password is None:
            raise ScriptError("IPA admin password required")
    else:
        admin_password = options.admin_password

    # Configuration for ipalib, we will bootstrap and finalize later, after
    # we are sure we have the configuration file ready.
    cfg = dict(
        context='installer',
        confdir=paths.ETC_IPA,
        in_server=True,
        # make sure host name specified by user is used instead of default
        host=host_name,
    )

    if setup_ca:
        # we have an IPA-integrated CA
        cfg['ca_host'] = host_name

    # Create the management framework config file and finalize api
    # (no secrets are written here, only names, URIs and the RA settings)
    target_fname = paths.IPA_DEFAULT_CONF
    fd = open(target_fname, "w")
    fd.write("[global]\n")
    fd.write("host=%s\n" % host_name)
    fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
    fd.write("realm=%s\n" % realm_name)
    fd.write("domain=%s\n" % domain_name)
    fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
             installutils.realm_to_serverid(realm_name))
    if setup_ca:
        fd.write("enable_ra=True\n")
        fd.write("ra_plugin=dogtag\n")
        fd.write("dogtag_version=10\n")
    else:
        fd.write("enable_ra=False\n")
        fd.write("ra_plugin=none\n")
    fd.write("mode=production\n")
    fd.close()

    # Must be readable for everyone
    os.chmod(target_fname, 0o644)

    api.bootstrap(**cfg)
    api.finalize()

    if setup_ca:
        ca.install_check(False, None, options)
        kra.install_check(api, None, options)

    if options.setup_dns:
        dns.install_check(False, api, False, options, host_name)
        ip_addresses = dns.ip_addresses
    else:
        ip_addresses = get_server_ip_address(host_name,
                                             not installer.interactive, False,
                                             options.ip_addresses)

        # check addresses here, dns module is doing own check
        network_ip_address_warning(ip_addresses)
        broadcast_ip_address_warning(ip_addresses)

    # installer needs to update hosts file when DNS subsystem will be
    # installed or custom addresses are used
    if options.ip_addresses or options.setup_dns:
        installer._update_hosts_file = True

    print()
    print("The IPA Master Server will be configured with:")
    print("Hostname: %s" % host_name)
    print("IP address(es): %s" % ", ".join(str(ip) for ip in ip_addresses))
    print("Domain name: %s" % domain_name)
    print("Realm name: %s" % realm_name)
    print()

    if options.setup_dns:
        print("BIND DNS server will be configured to serve IPA domain with:")
        print("Forwarders: %s" % (
            "No forwarders" if not options.forwarders
            else ", ".join([str(ip) for ip in options.forwarders])
        ))
        print('Forward policy: %s' % options.forward_policy)
        print("Reverse zone(s): %s" % (
            "No reverse zone" if options.no_reverse or not dns.reverse_zones
            else ", ".join(str(rz) for rz in dns.reverse_zones)
        ))
        print()

    # If domain name and realm does not match, IPA server will not be able
    # to estabilish trust with Active Directory. Print big fat warning.

    realm_not_matching_domain = (domain_name.upper() != realm_name)

    if realm_not_matching_domain:
        print("WARNING: Realm name does not match the domain name.\n"
              "You will not be able to estabilish trusts with Active "
              "Directory unless\nthe realm name of the IPA server matches "
              "its domain name.\n\n")

    if installer.interactive and not user_input(
            "Continue to configure the system with these values?", False):
        raise ScriptError("Installation aborted")

    # hand the resolved values back to the caller via the options object
    options.realm_name = realm_name
    options.domain_name = domain_name
    options.dm_password = dm_password
    options.master_password = master_password
    options.admin_password = admin_password
    options._host_name_overridden = bool(options.host_name)
    options.host_name = host_name
    options.ip_addresses = ip_addresses

    installer._fstore = fstore
    installer._sstore = sstore
    installer._dirsrv_pkcs12_file = dirsrv_pkcs12_file
    installer._http_pkcs12_file = http_pkcs12_file
    installer._pkinit_pkcs12_file = pkinit_pkcs12_file
    installer._dirsrv_pkcs12_info = dirsrv_pkcs12_info
    installer._http_pkcs12_info = http_pkcs12_info
    installer._pkinit_pkcs12_info = pkinit_pkcs12_info
    installer._external_cert_file = external_cert_file
    installer._external_ca_file = external_ca_file
    installer._ca_cert = http_ca_cert
def __init__(self, dm_password=_sentinel, sub_dict=None, online=_sentinel,
             ldapi=_sentinel, api=api):
    '''
    :parameters:
        dm_password
            deprecated and no longer used
        sub_dict
            substitution dictionary; the dict passed in is completed in
            place, a missing argument gets a fresh one
        online
            deprecated and no longer used
        ldapi
            deprecated and no longer used
        api
            bootstrapped API object (for configuration)

    Passing any of the deprecated arguments only emits a DeprecationWarning.

    Data Structure Example:
    -----------------------

    dn_by_rdn_count = {
        3: 'cn=config,dc=example,dc=com':
        4: 'cn=bob,ou=people,dc=example,dc=com',
    }

    all_updates = [
        {
            'dn': 'cn=config,dc=example,dc=com',
            'default': [
                dict(attr='attr1', value='default1'),
            ],
            'updates': [
                dict(action='action', attr='attr1', value='value1'),
                dict(action='replace', attr='attr2', value=['old', 'new']),
            ]
        },
        {
            'dn': 'cn=bob,ou=people,dc=example,dc=com',
            'default': [
                dict(attr='attr3', value='default3'),
            ],
            'updates': [
                dict(action='action', attr='attr3', value='value3'),
                dict(action='action', attr='attr4', value='value4'),
            ]
        }
    ]

    Please notice the replace action requires two values in list

    The default and update lists are "dispositions"

    Plugins:

    Plugins has to be specified in update file to be executed, using
    'plugin' directive

    Example:
    plugin: update_uniqueness_plugins_to_new_syntax

    Each plugin returns two values:

    1. restart: dirsrv will be restarted AFTER this update is
                 applied.
    2. updates: A list of updates to be applied.

    The value of an update is a dictionary with the following possible
    values:
      - dn: DN, equal to the dn attribute
      - updates: list of updates against the dn
      - default: list of the default entry to be added if it doesn't
                 exist
      - deleteentry: list of dn's to be deleted (typically single dn)

    For example, this update file:

      dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
      replace:krbPwdLockoutDuration:10::600
      replace: krbPwdMaxFailure:3::6

    Generates this list which contain the update dictionary:

    [
      {
        'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
        'updates': [
          dict(action='replace', attr='krbPwdLockoutDuration',
               value=['10','600']),
          dict(action='replace', attr='krbPwdMaxFailure', value=['3','6']),
        ]
      }
    ]

    Here is another example showing how a default entry is configured:

      dn: cn=Managed Entries,cn=etc,$SUFFIX
      default: objectClass: nsContainer
      default: objectClass: top
      default: cn: Managed Entries

    This generates:

    [
      {
        'dn': 'cn=Managed Entries,cn=etc,dc=example,dc=com',
        'default': [
          dict(attr='objectClass', value='nsContainer'),
          dict(attr='objectClass', value='top'),
          dict(attr='cn', value='Managed Entries'),
        ]
      }
    ]

    Note that the variable substitution in both examples has been completed.

    Either may make changes directly in LDAP or can return updates in
    update format.
    '''
    deprecated_args = (dm_password, online, ldapi)
    if not all(arg is _sentinel for arg in deprecated_args):
        warnings.warn(
            "dm_password, online, and ldapi arguments are deprecated",
            DeprecationWarning, stacklevel=2
        )

    # the caller's dict is kept and completed in place, not copied
    self.sub_dict = {} if sub_dict is None else sub_dict
    self.conn = None
    self.modified = False
    self.ldapuri = ipaldap.realm_to_ldapi_uri(api.env.realm)

    exclude_template = "(objectclass=*) $ EXCLUDE %s"
    # values supplied by the caller win; these only fill the gaps
    defaults = {
        'REALM': api.env.realm,
        'DOMAIN': api.env.domain,
        'SUFFIX': api.env.basedn,
        'ESCAPED_SUFFIX': str(api.env.basedn),
        'FQDN': api.env.host,
        'LIBARCH': paths.LIBARCH,
        'TIME': int(time.time()),
        'MIN_DOMAIN_LEVEL': str(constants.MIN_DOMAIN_LEVEL),
        'MAX_DOMAIN_LEVEL': str(constants.MAX_DOMAIN_LEVEL),
        'STRIP_ATTRS': " ".join(constants.REPL_AGMT_STRIP_ATTRS),
        'EXCLUDES': exclude_template % " ".join(constants.REPL_AGMT_EXCLUDES),
        'TOTAL_EXCLUDES': exclude_template % " ".join(
            constants.REPL_AGMT_TOTAL_EXCLUDES
        ),
        'SELINUX_USERMAP_DEFAULT': platformconstants.SELINUX_USERMAP_DEFAULT,
        'SELINUX_USERMAP_ORDER': platformconstants.SELINUX_USERMAP_ORDER,
        # "#" comments out FIPS-incompatible template lines when FIPS is on
        'FIPS': "#" if tasks.is_fips_enabled() else "",
    }
    for key, value in defaults.items():
        self.sub_dict.setdefault(key, value)

    # a private API instance in the 'updates' context, bound to the
    # ldapi URI of this realm
    self.api = create_api(mode=None)
    self.api.bootstrap(
        in_server=True,
        context='updates',
        confdir=paths.ETC_IPA,
        ldap_uri=self.ldapuri
    )
    self.api.finalize()
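def __init__(self, dm_password=None, sub_dict=None, online=True, ldapi=False):
    '''
    :parameters:
        dm_password
            Directory Manager password
        sub_dict
            substitution dictionary; the dict passed in is completed in
            place, a missing argument gets a fresh dict per instance
        online
            Do an online LDAP update or use an experimental LDIF updater
        ldapi
            Bind using ldapi. This assumes autobind is enabled.

    :raises RuntimeError: when the host name cannot be determined, or
        when ``online`` is False (offline updates are not supported)

    Data Structure Example:
    -----------------------

    dn_by_rdn_count = {
        3: 'cn=config,dc=example,dc=com':
        4: 'cn=bob,ou=people,dc=example,dc=com',
    }

    all_updates = [
        {
            'dn': 'cn=config,dc=example,dc=com',
            'default': [
                dict(attr='attr1', value='default1'),
            ],
            'updates': [
                dict(action='action', attr='attr1', value='value1'),
                dict(action='replace', attr='attr2', value=['old', 'new']),
            ]
        },
        {
            'dn': 'cn=bob,ou=people,dc=example,dc=com',
            'default': [
                dict(attr='attr3', value='default3'),
            ],
            'updates': [
                dict(action='action', attr='attr3', value='value3'),
                dict(action='action', attr='attr4', value='value4'),
            ]
        }
    ]

    Please notice the replace action requires two values in list

    The default and update lists are "dispositions"

    Plugins:

    Plugins has to be specified in update file to be executed, using
    'plugin' directive

    Example:
    plugin: update_uniqueness_plugins_to_new_syntax

    Each plugin returns two values:

    1. restart: dirsrv will be restarted AFTER this update is
                 applied.
    2. updates: A list of updates to be applied.

    The value of an update is a dictionary with the following possible
    values:
      - dn: DN, equal to the dn attribute
      - updates: list of updates against the dn
      - default: list of the default entry to be added if it doesn't
                 exist
      - deleteentry: list of dn's to be deleted (typically single dn)

    For example, this update file:

      dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
      replace:krbPwdLockoutDuration:10::600
      replace: krbPwdMaxFailure:3::6

    Generates this list which contain the update dictionary:

    [
      {
        'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
        'updates': [
          dict(action='replace', attr='krbPwdLockoutDuration',
               value=['10','600']),
          dict(action='replace', attr='krbPwdMaxFailure', value=['3','6']),
        ]
      }
    ]

    Here is another example showing how a default entry is configured:

      dn: cn=Managed Entries,cn=etc,$SUFFIX
      default: objectClass: nsContainer
      default: objectClass: top
      default: cn: Managed Entries

    This generates:

    [
      {
        'dn': 'cn=Managed Entries,cn=etc,dc=example,dc=com',
        'default': [
          dict(attr='objectClass', value='nsContainer'),
          dict(attr='objectClass', value='top'),
          dict(attr='cn', value='Managed Entries'),
        ]
      }
    ]

    Note that the variable substitution in both examples has been completed.

    Either may make changes directly in LDAP or can return updates in
    update format.
    '''
    # A fresh dict per instance: the former ``sub_dict={}`` default was a
    # single object shared by every caller that omitted the argument, and
    # the assignments below filled it in, so REALM, FQDN, TIME and friends
    # leaked from one updater instance into the next.
    if sub_dict is None:
        sub_dict = {}
    self.sub_dict = sub_dict
    self.dm_password = dm_password
    self.conn = None
    self.modified = False
    self.online = online
    self.ldapi = ldapi
    self.pw_name = pwd.getpwuid(os.geteuid()).pw_name
    self.realm = None
    self.socket_name = (
        paths.SLAPD_INSTANCE_SOCKET_TEMPLATE %
        api.env.realm.replace('.', '-')
    )
    suffix = None

    # A REALM supplied by the caller is used as-is and no suffix is derived
    # from it; only the realm taken from api.env gets a suffix here.
    if sub_dict.get("REALM"):
        self.realm = sub_dict["REALM"]
    else:
        self.realm = api.env.realm
        suffix = ipautil.realm_to_suffix(self.realm) if self.realm else None

    self.ldapuri = ipaldap.realm_to_ldapi_uri(self.realm)

    if suffix is not None:
        # internal invariant on realm_to_suffix(), not input validation
        assert isinstance(suffix, DN)
    fqdn = installutils.get_fqdn()
    if fqdn is None:
        raise RuntimeError("Unable to determine hostname")

    # Fill in whatever the caller did not supply.  SUFFIX is only set when
    # a suffix was derived above; ESCAPED_SUFFIX is always set and is the
    # string "None" when no suffix was derived.
    if not self.sub_dict.get("REALM") and self.realm is not None:
        self.sub_dict["REALM"] = self.realm
    if not self.sub_dict.get("FQDN"):
        self.sub_dict["FQDN"] = fqdn
    if not self.sub_dict.get("DOMAIN"):
        self.sub_dict["DOMAIN"] = api.env.domain
    if not self.sub_dict.get("SUFFIX") and suffix is not None:
        self.sub_dict["SUFFIX"] = suffix
    if not self.sub_dict.get("ESCAPED_SUFFIX"):
        self.sub_dict["ESCAPED_SUFFIX"] = str(suffix)
    if not self.sub_dict.get("LIBARCH"):
        self.sub_dict["LIBARCH"] = paths.LIBARCH
    if not self.sub_dict.get("TIME"):
        self.sub_dict["TIME"] = int(time.time())
    if not self.sub_dict.get("MIN_DOMAIN_LEVEL"):
        self.sub_dict["MIN_DOMAIN_LEVEL"] = str(constants.MIN_DOMAIN_LEVEL)
    if not self.sub_dict.get("MAX_DOMAIN_LEVEL"):
        self.sub_dict["MAX_DOMAIN_LEVEL"] = str(constants.MAX_DOMAIN_LEVEL)
    if not self.sub_dict.get("STRIP_ATTRS"):
        self.sub_dict["STRIP_ATTRS"] = "%s" % (
            " ".join(constants.REPL_AGMT_STRIP_ATTRS),)
    if not self.sub_dict.get("EXCLUDES"):
        self.sub_dict["EXCLUDES"] = "(objectclass=*) $ EXCLUDE %s" % (
            " ".join(constants.REPL_AGMT_EXCLUDES),)
    if not self.sub_dict.get("TOTAL_EXCLUDES"):
        self.sub_dict["TOTAL_EXCLUDES"] = "(objectclass=*) $ EXCLUDE " + \
            " ".join(constants.REPL_AGMT_TOTAL_EXCLUDES)
    if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
        self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
            platformconstants.SELINUX_USERMAP_DEFAULT
    if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):
        self.sub_dict["SELINUX_USERMAP_ORDER"] = \
            platformconstants.SELINUX_USERMAP_ORDER
    # FIPS is tested by key presence, not truthiness: an empty string is a
    # legitimate caller-supplied value meaning "FIPS is off"
    if "FIPS" not in self.sub_dict:
        self.sub_dict["FIPS"] = '#' if tasks.is_fips_enabled() else ''

    # a private API instance in the 'updates' context, bound to the
    # ldapi URI of this realm
    self.api = create_api(mode=None)
    self.api.bootstrap(in_server=True,
                       context='updates',
                       confdir=paths.ETC_IPA,
                       ldap_uri=self.ldapuri)
    self.api.finalize()

    if online:
        # Try out the connection/password
        # (This will raise if the server is not available)
        self.create_connection()
        self.close_connection()
    else:
        raise RuntimeError("Offline updates are not supported.")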
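def install_check(installer):
    """Validate the host and gather every value needed before installation.

    Runs the pre-flight checks for ``ipa-server-install`` (FIPS/SELinux
    state, no existing server or client configuration, free 389-ds and
    httpd ports), resolves the hostname, domain and realm (prompting when
    ``installer.interactive``), loads any PKCS#12 material given on the
    command line, writes the initial ``paths.IPA_DEFAULT_CONF`` and
    bootstraps ``api`` from it, and finally stores every resolved value back
    on ``installer`` for the later install phase.

    Args:
        installer: the installer/options object. It is both read (command
            line options) and mutated (``_fstore``, ``_sstore``, the
            ``*_pkcs12_*`` attributes, resolved names and passwords).

    Raises:
        RuntimeError: when FIPS mode is enabled.
        ScriptError: on any failed check, missing password, invalid
            domain/host name, or when the user declines to continue.
    """
    options = installer
    dirsrv_pkcs12_file = installer._dirsrv_pkcs12_file
    http_pkcs12_file = installer._http_pkcs12_file
    pkinit_pkcs12_file = installer._pkinit_pkcs12_file
    dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
    http_pkcs12_info = installer._http_pkcs12_info
    pkinit_pkcs12_info = installer._pkinit_pkcs12_info
    external_cert_file = installer._external_cert_file
    external_ca_file = installer._external_ca_file
    http_ca_cert = installer._ca_cert

    if tasks.is_fips_enabled():
        raise RuntimeError(
            "Installing IPA server in FIPS mode is not supported")

    tasks.check_selinux_status()

    if options.master_password:
        msg = ("WARNING:\noption '-P/--master-password' is deprecated. "
               "KDC master password of sufficient strength is autogenerated "
               "during IPA server installation and should not be set "
               "manually.")
        print(textwrap.fill(msg, width=79, replace_whitespace=False))

    installer._installation_cleanup = True

    print("\nThe log file for this installation can be found in "
          "/var/log/ipaserver-install.log")
    # An already configured server is fatal, except on the second pass of an
    # external-CA install, which legitimately re-enters with external_ca or
    # external_cert_files set.
    if (not options.external_ca and not options.external_cert_files and
            is_ipa_configured()):
        installer._installation_cleanup = False
        raise ScriptError(
            "IPA server is already configured on this system.\n"
            "If you want to reinstall the IPA server, please uninstall "
            "it first using 'ipa-server-install --uninstall'.")

    client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    if client_fstore.has_files():
        installer._installation_cleanup = False
        raise ScriptError(
            "IPA client is already configured on this system.\n"
            "Please uninstall it before configuring the IPA server, "
            "using 'ipa-client-install --uninstall'")

    fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
    sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)

    # This will override any settings passed in on the cmdline.
    # read_cache() is opaque here; presumably it decrypts the cache with the
    # Directory Manager password -- confirm. Its content is applied wholesale
    # to `options`, so the cache file is trusted exactly as much as the
    # command line itself.
    if ipautil.file_exists(paths.ROOT_IPA_CACHE):
        if options.dm_password is not None:
            dm_password = options.dm_password
        else:
            dm_password = read_password("Directory Manager", confirm=False)
        if dm_password is None:
            raise ScriptError("Directory Manager password required")
        try:
            cache_vars = read_cache(dm_password)
            options.__dict__.update(cache_vars)
            # A cached external_ca flag appears to mark the second pass of an
            # external-CA install: the option is cleared and prompting is
            # switched off (inferred from the flow, not visible here).
            if cache_vars.get('external_ca', False):
                options.external_ca = False
                options.interactive = False
        except Exception as e:
            raise ScriptError("Cannot process the cache file: %s" % str(e))

    # We only set up the CA if the PKCS#12 options are not given.
    setup_ca = not options.dirsrv_cert_files
    options.setup_ca = setup_ca

    # first instance of KRA must be installed by ipa-kra-install
    options.setup_kra = False

    print("======================================="
          "=======================================")
    print("This program will set up the FreeIPA Server.")
    print("")
    print("This includes:")
    if setup_ca:
        print(" * Configure a stand-alone CA (dogtag) for certificate "
              "management")
    if not options.no_ntp:
        print(" * Configure the Network Time Daemon (ntpd)")
    print(" * Create and configure an instance of Directory Server")
    print(" * Create and configure a Kerberos Key Distribution Center (KDC)")
    print(" * Configure Apache (httpd)")
    if options.setup_dns:
        print(" * Configure DNS (bind)")
    if not options.no_pkinit:
        print(" * Configure the KDC to enable PKINIT")
    if options.no_ntp:
        print("")
        print("Excluded by options:")
        print(" * Configure the Network Time Daemon (ntpd)")
    if installer.interactive:
        print("")
        print("To accept the default shown in brackets, press the Enter key.")
    print("")

    if not options.external_cert_files:
        # Make sure the 389-ds ports are available
        check_dirsrv(not installer.interactive)

    if not options.no_ntp:
        try:
            ipaclient.install.ntpconf.check_timedate_services()
        except ipaclient.install.ntpconf.NTPConflictingService as e:
            print(("WARNING: conflicting time&date synchronization service "
                   "'%s' will be disabled" % e.conflicting_service))
            print("in favor of ntpd")
            print("")
        except ipaclient.install.ntpconf.NTPConfigurationError:
            # Deliberate best-effort: a broken time service configuration
            # is not a reason to refuse the install.
            pass

    # Check to see if httpd is already configured to listen on 443
    if httpinstance.httpd_443_configured():
        raise ScriptError("Aborting installation")

    if not options.setup_dns and installer.interactive:
        if ipautil.user_input("Do you want to configure integrated DNS "
                              "(BIND)?", False):
            options.setup_dns = True
        print("")

    # check bind packages are installed
    if options.setup_dns:
        # Don't require an external DNS to say who we are if we are
        # setting up a local DNS server.
        options.no_host_dns = True

    # check the hostname is correctly configured, it must be as the kldap
    # utilities just use the hostname as returned by getaddrinfo to set
    # up some of the standard entries
    if options.host_name:
        host_default = options.host_name
    else:
        host_default = get_fqdn()

    try:
        if not installer.interactive or options.host_name:
            verify_fqdn(host_default, options.no_host_dns)
            host_name = host_default
        else:
            host_name = read_host_name(host_default, options.no_host_dns)
    except BadHostError as e:
        raise ScriptError(e)

    host_name = host_name.lower()
    root_logger.debug("will use host_name: %s\n", host_name)

    if not options.domain_name:
        # Default domain is the hostname minus its first label.
        domain_name = read_domain_name(host_name[host_name.find(".") + 1:],
                                       not installer.interactive)
        root_logger.debug("read domain_name: %s\n", domain_name)
        try:
            validate_domain_name(domain_name)
        except ValueError as e:
            raise ScriptError("Invalid domain name: %s" % unicode(e))
    else:
        domain_name = options.domain_name

    domain_name = domain_name.lower()

    if not options.realm_name:
        realm_name = read_realm_name(domain_name, not installer.interactive)
        root_logger.debug("read realm_name: %s\n", realm_name)
    else:
        realm_name = options.realm_name.upper()

    if not options.subject:
        options.subject = DN(('O', realm_name))

    # Each PKCS#12 bundle is unlocked with its pin (prompted for when not
    # given) and checked against host_name by load_pkcs12.
    if options.http_cert_files:
        if options.http_pin is None:
            options.http_pin = installutils.read_password(
                "Enter Apache Server private key unlock",
                confirm=False, validate=False, retry=False)
        if options.http_pin is None:
            raise ScriptError(
                "Apache Server private key unlock password required")
        http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
            cert_files=options.http_cert_files,
            key_password=options.http_pin,
            key_nickname=options.http_cert_name,
            ca_cert_files=options.ca_cert_files,
            host_name=host_name)
        http_pkcs12_info = (http_pkcs12_file.name, http_pin)

    if options.dirsrv_cert_files:
        if options.dirsrv_pin is None:
            options.dirsrv_pin = read_password(
                "Enter Directory Server private key unlock",
                confirm=False, validate=False, retry=False)
        if options.dirsrv_pin is None:
            raise ScriptError(
                "Directory Server private key unlock password required")
        dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
            cert_files=options.dirsrv_cert_files,
            key_password=options.dirsrv_pin,
            key_nickname=options.dirsrv_cert_name,
            ca_cert_files=options.ca_cert_files,
            host_name=host_name)
        dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)

    if options.pkinit_cert_files:
        if options.pkinit_pin is None:
            options.pkinit_pin = read_password(
                "Enter Kerberos KDC private key unlock",
                confirm=False, validate=False, retry=False)
        if options.pkinit_pin is None:
            raise ScriptError(
                "Kerberos KDC private key unlock password required")
        pkinit_pkcs12_file, pkinit_pin, _pkinit_ca_cert = load_pkcs12(
            cert_files=options.pkinit_cert_files,
            key_password=options.pkinit_pin,
            key_nickname=options.pkinit_cert_name,
            ca_cert_files=options.ca_cert_files,
            host_name=host_name)
        pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)

    # Both externally supplied server certs must chain to the same CA.
    if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
        raise ScriptError(
            "Apache Server SSL certificate and Directory Server SSL "
            "certificate are not signed by the same CA certificate")

    if not options.dm_password:
        dm_password = read_dm_password()
        if dm_password is None:
            raise ScriptError("Directory Manager password required")
    else:
        dm_password = options.dm_password

    # The KDC master password is generated unless the deprecated option
    # forced one.
    if not options.master_password:
        master_password = ipa_generate_password()
    else:
        master_password = options.master_password

    if not options.admin_password:
        admin_password = read_admin_password()
        if admin_password is None:
            raise ScriptError("IPA admin password required")
    else:
        admin_password = options.admin_password

    # Configuration for ipalib, we will bootstrap and finalize later, after
    # we are sure we have the configuration file ready.
    cfg = dict(
        context='installer',
        confdir=paths.ETC_IPA,
        in_server=True,
        # make sure host name specified by user is used instead of default
        host=host_name,
    )

    if setup_ca:
        # we have an IPA-integrated CA
        cfg['ca_host'] = host_name

    # Create the management framework config file and finalize api.
    # Written under a context manager so the descriptor is released even if
    # a write fails. Only public settings go in here (no passwords), which is
    # why the file can be world-readable below.
    target_fname = paths.IPA_DEFAULT_CONF
    with open(target_fname, "w") as fd:
        fd.write("[global]\n")
        fd.write("host=%s\n" % host_name)
        fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
        fd.write("realm=%s\n" % realm_name)
        fd.write("domain=%s\n" % domain_name)
        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
                 installutils.realm_to_serverid(realm_name))
        if setup_ca:
            fd.write("enable_ra=True\n")
            fd.write("ra_plugin=dogtag\n")
            fd.write("dogtag_version=10\n")
        else:
            fd.write("enable_ra=False\n")
            fd.write("ra_plugin=none\n")
        fd.write("mode=production\n")

    # Must be readable for everyone
    os.chmod(target_fname, 0o644)

    api.bootstrap(**cfg)
    api.finalize()

    if setup_ca:
        ca.install_check(False, None, options)

    if options.setup_dns:
        dns.install_check(False, api, False, options, host_name)
        ip_addresses = dns.ip_addresses
    else:
        ip_addresses = get_server_ip_address(host_name,
                                             not installer.interactive, False,
                                             options.ip_addresses)

        # check addresses here, dns module is doing own check
        network_ip_address_warning(ip_addresses)
        broadcast_ip_address_warning(ip_addresses)

    # installer needs to update hosts file when DNS subsystem will be
    # installed or custom addresses are used
    if options.ip_addresses or options.setup_dns:
        installer._update_hosts_file = True

    print()
    print("The IPA Master Server will be configured with:")
    print("Hostname: %s" % host_name)
    print("IP address(es): %s" % ", ".join(str(ip) for ip in ip_addresses))
    print("Domain name: %s" % domain_name)
    print("Realm name: %s" % realm_name)
    print()

    if options.setup_dns:
        print("BIND DNS server will be configured to serve IPA domain with:")
        print("Forwarders: %s" % (
            "No forwarders" if not options.forwarders
            else ", ".join([str(ip) for ip in options.forwarders])))
        print('Forward policy: %s' % options.forward_policy)
        print("Reverse zone(s): %s" % (
            "No reverse zone" if options.no_reverse or not dns.reverse_zones
            else ", ".join(str(rz) for rz in dns.reverse_zones)))
        print()

    # If domain name and realm does not match, IPA server will not be able
    # to estabilish trust with Active Directory. Print big fat warning.
    realm_not_matching_domain = (domain_name.upper() != realm_name)

    if realm_not_matching_domain:
        print("WARNING: Realm name does not match the domain name.\n"
              "You will not be able to estabilish trusts with Active "
              "Directory unless\nthe realm name of the IPA server matches "
              "its domain name.\n\n")

    if installer.interactive and not user_input(
            "Continue to configure the system with these values?", False):
        raise ScriptError("Installation aborted")

    # Hand every resolved value back to the installer for the install phase.
    options.realm_name = realm_name
    options.domain_name = domain_name
    options.dm_password = dm_password
    options.master_password = master_password
    options.admin_password = admin_password

    options._host_name_overridden = bool(options.host_name)
    options.host_name = host_name
    options.ip_addresses = ip_addresses

    installer._fstore = fstore
    installer._sstore = sstore
    installer._dirsrv_pkcs12_file = dirsrv_pkcs12_file
    installer._http_pkcs12_file = http_pkcs12_file
    installer._pkinit_pkcs12_file = pkinit_pkcs12_file
    installer._dirsrv_pkcs12_info = dirsrv_pkcs12_info
    installer._http_pkcs12_info = http_pkcs12_info
    installer._pkinit_pkcs12_info = pkinit_pkcs12_info
    installer._external_cert_file = external_cert_file
    installer._external_ca_file = external_ca_file
    installer._ca_cert = http_ca_cert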