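def _run(self):
    """Install the KRA (master or replica) and reload httpd.

    Runs the shared admintool ``run()`` first, then binds to the local
    LDAP server as Directory Manager with the password supplied on the
    command line, runs the KRA pre-flight checks and the installation,
    and finally restarts httpd so the new proxy configuration is picked
    up.

    Raises:
        admintool.ScriptError: when ``kra.install_check`` rejects the
            system (its RuntimeError is re-wrapped for the CLI).
    """
    super(KRAInstaller, self).run()
    print(dedent(self.INSTALLER_START_MESSAGE))

    replica_config = None
    if self.installing_replica:
        # the replica file is unlocked with the Directory Manager password
        replica_config = create_replica_config(
            self.options.password, self.replica_file, self.options)

    # the KRA code reads the DM password from ``dm_password``; a CA is
    # never set up from this tool
    self.options.dm_password = self.options.password
    self.options.setup_ca = False

    # Bind as Directory Manager for the KRA setup.  The connection is
    # closed in ``finally`` so a failed pre-flight check or install does
    # not leave a DM-bound connection open (the original only released it
    # implicitly at process exit).
    ldap = api.Backend.ldap2
    ldap.connect(bind_dn=DN('cn=Directory Manager'),
                 bind_pw=self.options.dm_password)
    try:
        try:
            kra.install_check(api, replica_config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))
        kra.install(api, replica_config, self.options)
    finally:
        if ldap.isconnected():
            ldap.disconnect()

    # Restart apache for new proxy config file
    services.knownservices.httpd.restart(capture_output=True)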
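def _run(self):
    """Install a KRA on this server and mark it enabled in the IPA config.

    The master path configures a brand-new Dogtag KRA instance; the
    replica path decrypts the replica file and clones the master's KRA.
    Both paths then restart the directory server, enable client-auth to
    the KRA database, restart httpd for the new proxy configuration and
    set ``enable_kra=True`` in the default IPA configuration file.

    Compared to the previous revision the subject base is looked up only
    on the master path, where it is actually used.

    Raises:
        admintool.ScriptError: on the replica path when the replica file
            does not record a KRA on the master.
    """
    super(KRAInstaller, self).run()
    print(dedent(self.INSTALLER_START_MESSAGE))

    if self.installing_replica:
        kra = self._install_replica_kra()
    else:
        kra = self._configure_master_kra()

    service.print_msg("Restarting the directory server")
    ds = dsinstance.DsInstance()
    ds.restart()

    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)

    # Restart apache for new proxy config file
    services.knownservices.httpd.restart(capture_output=True)

    self._enable_kra_in_default_conf()

def _configure_master_kra(self):
    """Create and configure a fresh KRA instance on a CA master.

    The Directory Manager password from the command line is passed for
    both password arguments of ``configure_instance``; which Dogtag
    accounts those map to is not visible here.
    """
    subject = dsinstance.DsInstance().find_subject_base()
    kra = krainstance.KRAInstance(
        api.env.realm, dogtag_constants=dogtag.install_constants)
    kra.configure_instance(
        api.env.host, api.env.domain,
        self.options.password, self.options.password,
        subject_base=subject)
    return kra

def _install_replica_kra(self):
    """Clone the master's KRA from the replica file.

    Refuses to continue when the replica file predates the master's KRA
    (or the master has none), since the clone would lack the KRA data.
    """
    replica_config = create_replica_config(
        self.options.password, self.replica_file, self.options)
    if not read_replica_info_kra_enabled(replica_config.dir):
        raise admintool.ScriptError(
            "Either KRA is not installed on the master system or "
            "your replica file is out of date")
    return krainstance.install_replica_kra(replica_config)

def _enable_kra_in_default_conf(self):
    """Set ``enable_kra = True`` in the ``[global]`` section of default.conf.

    Rewriting in place keeps the file's existing ownership and mode.
    """
    parser = RawConfigParser()
    parser.read(paths.IPA_DEFAULT_CONF)
    parser.set('global', 'enable_kra', 'True')
    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
        parser.write(f)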
def _run(self):
    """Set up a KRA (master or replica) and record it in default.conf.

    Sequence: look up the CA subject base, create or clone the KRA,
    restart the directory server, enable client-auth to the KRA
    database, restart httpd so the new proxy configuration is loaded,
    then flip ``enable_kra`` to ``True`` in the IPA default config.

    Raises:
        admintool.ScriptError: when installing a replica whose replica
            file does not show a KRA on the master.
    """
    super(KRAInstaller, self).run()
    print(dedent(self.INSTALLER_START_MESSAGE))

    subject_base = dsinstance.DsInstance().find_subject_base()

    if self.installing_replica:
        # the replica file is unlocked with the Directory Manager password
        replica_config = create_replica_config(
            self.options.password, self.replica_file, self.options)
        # a replica file written before the master got its KRA is unusable
        if not read_replica_info_kra_enabled(replica_config.dir):
            raise admintool.ScriptError(
                "Either KRA is not installed on the master system or "
                "your replica file is out of date")
        kra_instance = krainstance.install_replica_kra(replica_config)
    else:
        kra_instance = krainstance.KRAInstance(
            api.env.realm, dogtag_constants=dogtag.install_constants)
        # the same DM password is supplied for both password arguments
        kra_instance.configure_instance(
            api.env.host, api.env.domain,
            self.options.password, self.options.password,
            subject_base=subject_base)

    service.print_msg("Restarting the directory server")
    dsinstance.DsInstance().restart()

    kra_instance.enable_client_auth_to_db(
        kra_instance.dogtag_constants.KRA_CS_CFG_PATH)

    # Restart apache for new proxy config file
    services.knownservices.httpd.restart(capture_output=True)

    # Update config file
    conf = RawConfigParser()
    conf.read(paths.IPA_DEFAULT_CONF)
    conf.set('global', 'enable_kra', 'True')
    with open(paths.IPA_DEFAULT_CONF, 'w') as conf_file:
        conf.write(conf_file)
def _run(self):
    """Run the KRA pre-flight checks and installation, then reload httpd.

    For a replica the replica file is decrypted with the Directory
    Manager password first; for a master no replica config is passed.
    The CA is never set up from this tool.

    Raises:
        admintool.ScriptError: when ``kra.install_check`` rejects the
            system (its RuntimeError is re-wrapped for the CLI).
    """
    super(KRAInstaller, self).run()
    print(dedent(self.INSTALLER_START_MESSAGE))

    replica_config = None
    if self.installing_replica:
        replica_config = create_replica_config(
            self.options.password, self.replica_file, self.options)
    self.options.setup_ca = False

    try:
        kra.install_check(replica_config, self.options,
                          api.env.enable_kra, int(api.env.dogtag_version))
    except RuntimeError as err:
        raise admintool.ScriptError(str(err))

    # the DM password doubles as the KRA install password here
    kra.install(replica_config, self.options, self.options.password)

    # Restart apache for new proxy config file
    services.knownservices.httpd.restart(capture_output=True)
print "be disabled in favor of ntpd" print "" except ipaclient.ntpconf.NTPConfigurationError: pass # get the directory manager password dirman_password = options.password if not dirman_password: try: dirman_password = get_dirman_password() except KeyboardInterrupt: sys.exit(0) if dirman_password is None: sys.exit("Directory Manager password required") config = create_replica_config(dirman_password, filename, options) global REPLICA_INFO_TOP_DIR REPLICA_INFO_TOP_DIR = config.top_dir config.setup_ca = options.setup_ca config.setup_kra = options.setup_kra if options.setup_ca: options.realm_name = config.realm_name options.host_name = config.host_name options.subject = config.subject_base ca.install_check(False, config, options) if config.setup_kra: try: kra.install_check(config, options, False, dogtag.install_constants.DOGTAG_VERSION)
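def run(self):
    """Validate the environment, then install a KRA master or replica.

    Order of checks: the Directory Manager password is verified against
    LDAP, a local CA must exist, no KRA may already be installed, and the
    replica-file requirement is derived from the domain level (replica
    promotion needs no file, domain level 0 does).  The LDAP connection
    opened for the install is closed on every exit path, not only on
    success as before.

    Raises:
        admintool.ScriptError: invalid DM password, KRA already present,
            or a failed ``kra.install_check``.
        RuntimeError: no local CA, or a wrong number of arguments.
    """
    super(KRAInstaller, self).run()

    # Verify DM password. This has to be called after ask_for_options(),
    # so it can't be placed in validate_options().
    try:
        installutils.validate_dm_password_ldap(self.options.password)
    except ValueError:
        raise admintool.ScriptError(
            "Directory Manager password is invalid")

    if not cainstance.is_ca_installed_locally():
        raise RuntimeError("Dogtag CA is not installed. "
                           "Please install the CA first")

    # check if KRA is not already installed
    _kra = krainstance.KRAInstance(api)
    if _kra.is_installed():
        raise admintool.ScriptError("KRA already installed")

    # this check can be done only when CA is installed
    self.installing_replica = dogtaginstance.is_installing_replica("KRA")
    self.options.promote = False
    if self.installing_replica:
        domain_level = dsinstance.get_domain_level(api)
        if domain_level > DOMAIN_LEVEL_0:
            # above level 0 the replica is promoted in place, no file needed
            self.options.promote = True
        elif not self.args:
            raise RuntimeError("A replica file is required.")
    if self.args and (not self.installing_replica or self.options.promote):
        raise RuntimeError("Too many parameters provided. "
                           "No replica file is required.")

    self.options.dm_password = self.options.password
    self.options.setup_ca = False
    self.options.setup_kra = True

    # NOTE(review): connect() is called without bind credentials here;
    # presumably an LDAPI autobind as root — the DM password is only used
    # for the replica file / config below.  Confirm against ldap2.connect.
    api.Backend.ldap2.connect()
    try:
        config = None
        if self.installing_replica:
            if self.options.promote:
                config = ReplicaConfig()
                config.kra_host_name = None
                config.realm_name = api.env.realm
                config.host_name = api.env.host
                config.domain_name = api.env.domain
                config.dirman_password = self.options.password
                # NOTE(review): plain LDAP port of the master's DS is
                # hard-coded; how that connection is protected is not
                # visible from here.
                config.ca_ds_port = 389
                # mkdtemp creates the directory with mode 0700; nothing in
                # this method removes it again (TODO confirm kra.install
                # or the tool's cleanup does)
                config.top_dir = tempfile.mkdtemp("ipa")
                config.dir = config.top_dir
            else:
                # the replica file is unlocked with the DM password
                config = create_replica_config(
                    self.options.password, self.replica_file, self.options)
                config.kra_host_name = config.master_host_name
            config.setup_kra = True
            if config.subject_base is None:
                attrs = api.Backend.ldap2.get_ipa_config()
                subject_base = attrs.get('ipacertificatesubjectbase')
                # fail with a readable error instead of a TypeError when
                # the attribute is absent from the IPA config entry
                if not subject_base:
                    raise admintool.ScriptError(
                        "ipacertificatesubjectbase is missing from the "
                        "IPA configuration entry")
                config.subject_base = subject_base[0]
            if config.kra_host_name is None:
                config.kra_host_name = service.find_providing_server(
                    'KRA', api.Backend.ldap2, api.env.ca_host)

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options)
        except BaseException:
            # log the failure banner for every abort (incl. Ctrl-C) and
            # propagate, matching the previous bare ``except:``
            self.log.error(dedent(self.FAIL_MESSAGE))
            raise
    finally:
        if api.Backend.ldap2.isconnected():
            api.Backend.ldap2.disconnect()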
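def run(self):
    """Check prerequisites and install a KRA master or replica.

    The Directory Manager password is validated against LDAP, a local CA
    must be present, no KRA may already exist, and whether a replica
    file is required follows from the domain level (promotion above
    level 0 needs none).  Building the replica configuration is split
    into ``_replica_config``; the LDAP connection used for the install
    is now released on failure paths as well.

    Raises:
        admintool.ScriptError: invalid DM password, KRA already present,
            or a failed ``kra.install_check``.
        RuntimeError: no local CA, or a wrong number of arguments.
    """
    super(KRAInstaller, self).run()

    # Verify DM password. This has to be called after ask_for_options(),
    # so it can't be placed in validate_options().
    try:
        installutils.validate_dm_password_ldap(self.options.password)
    except ValueError:
        raise admintool.ScriptError(
            "Directory Manager password is invalid")

    if not cainstance.is_ca_installed_locally():
        raise RuntimeError("Dogtag CA is not installed. "
                           "Please install a CA first with the "
                           "`ipa-ca-install` command.")

    # check if KRA is not already installed
    if krainstance.KRAInstance(api).is_installed():
        raise admintool.ScriptError("KRA already installed")

    # this check can be done only when CA is installed
    self.installing_replica = dogtaginstance.is_installing_replica("KRA")
    self.options.promote = False
    if self.installing_replica:
        if dsinstance.get_domain_level(api) > DOMAIN_LEVEL_0:
            # above level 0 the replica is promoted in place, no file needed
            self.options.promote = True
        elif not self.args:
            raise RuntimeError("A replica file is required.")
    if self.args and (not self.installing_replica or self.options.promote):
        raise RuntimeError("Too many parameters provided. "
                           "No replica file is required.")

    self.options.dm_password = self.options.password
    self.options.setup_ca = False
    self.options.setup_kra = True

    # NOTE(review): connect() without bind credentials — presumably an
    # LDAPI autobind as root; confirm against ldap2.connect.
    api.Backend.ldap2.connect()
    try:
        config = self._replica_config() if self.installing_replica else None

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options)
        except BaseException:
            # same coverage as the previous bare ``except:``: log the
            # failure banner for any abort and re-raise
            logger.error('%s', dedent(self.FAIL_MESSAGE))
            raise
    finally:
        if api.Backend.ldap2.isconnected():
            api.Backend.ldap2.disconnect()

def _replica_config(self):
    """Build the ReplicaConfig for a KRA replica install.

    Promotion (domain level > 0) synthesises the config from the local
    ``api.env``; otherwise the replica file is decrypted with the DM
    password.  Fills in the subject base from the IPA config entry and
    picks a KRA-providing server when none is known.

    Raises:
        admintool.ScriptError: when the IPA config entry carries no
            ``ipacertificatesubjectbase``.
    """
    if self.options.promote:
        config = ReplicaConfig()
        config.kra_host_name = None
        config.realm_name = api.env.realm
        config.host_name = api.env.host
        config.domain_name = api.env.domain
        config.dirman_password = self.options.password
        # NOTE(review): plain LDAP port of the master's DS, hard-coded;
        # how that connection is protected is not visible here.
        config.ca_ds_port = 389
        # mkdtemp yields a 0700 directory; its removal is not done here
        # (TODO confirm kra.install or the tool's cleanup handles it)
        config.top_dir = tempfile.mkdtemp("ipa")
        config.dir = config.top_dir
    else:
        config = create_replica_config(
            self.options.password, self.replica_file, self.options)
        config.kra_host_name = config.master_host_name
    config.setup_kra = True

    if config.subject_base is None:
        attrs = api.Backend.ldap2.get_ipa_config()
        subject_base = attrs.get('ipacertificatesubjectbase')
        # readable error instead of a TypeError on a missing attribute
        if not subject_base:
            raise admintool.ScriptError(
                "ipacertificatesubjectbase is missing from the "
                "IPA configuration entry")
        config.subject_base = subject_base[0]

    if config.kra_host_name is None:
        config.kra_host_name = service.find_providing_server(
            'KRA', api.Backend.ldap2, api.env.ca_host)
    return config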
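def run(self):
    """Check prerequisites and install a KRA master or replica.

    A local CA must exist and no KRA may already be installed; whether a
    replica file is needed follows from the domain level (promotion
    above level 0 needs none).  The installer binds to the local LDAP
    server as Directory Manager with the supplied password; that
    connection is now closed on every exit path (the previous revision
    never disconnected it, leaving it to process exit).

    Raises:
        admintool.ScriptError: KRA already present, missing subject base
            in the IPA config entry, or a failed ``kra.install_check``.
        RuntimeError: no local CA, or a wrong number of arguments.
    """
    super(KRAInstaller, self).run()

    if not cainstance.is_ca_installed_locally():
        raise RuntimeError("Dogtag CA is not installed. "
                           "Please install the CA first")

    # check if KRA is not already installed
    _kra = krainstance.KRAInstance(api)
    if _kra.is_installed():
        raise admintool.ScriptError("KRA already installed")

    # this check can be done only when CA is installed
    self.installing_replica = dogtaginstance.is_installing_replica("KRA")
    self.options.promote = False
    if self.installing_replica:
        domain_level = dsinstance.get_domain_level(api)
        if domain_level > DOMAIN_LEVEL_0:
            # above level 0 the replica is promoted in place, no file needed
            self.options.promote = True
        elif not self.args:
            raise RuntimeError("A replica file is required.")
    if self.args and (not self.installing_replica or self.options.promote):
        raise RuntimeError("Too many parameters provided. "
                           "No replica file is required.")

    self.options.dm_password = self.options.password
    self.options.setup_ca = False

    # explicit Directory Manager simple bind with the CLI password
    conn = api.Backend.ldap2
    conn.connect(bind_dn=DN(("cn", "Directory Manager")),
                 bind_pw=self.options.password)
    try:
        config = None
        if self.installing_replica:
            if self.options.promote:
                config = ReplicaConfig()
                config.master_host_name = None
                config.realm_name = api.env.realm
                config.host_name = api.env.host
                config.domain_name = api.env.domain
                config.dirman_password = self.options.password
                # NOTE(review): plain LDAP port of the master's DS is
                # hard-coded; how that connection is protected is not
                # visible from here.
                config.ca_ds_port = 389
                # mkdtemp creates a 0700 directory; nothing here removes
                # it (TODO confirm kra.install or the tool's cleanup does)
                config.top_dir = tempfile.mkdtemp("ipa")
                config.dir = config.top_dir
            else:
                # the replica file is unlocked with the DM password
                config = create_replica_config(self.options.password,
                                               self.replica_file,
                                               self.options)

            if config.subject_base is None:
                attrs = conn.get_ipa_config()
                subject_base = attrs.get("ipacertificatesubjectbase")
                # readable error instead of a TypeError when the
                # attribute is absent
                if not subject_base:
                    raise admintool.ScriptError(
                        "ipacertificatesubjectbase is missing from the "
                        "IPA configuration entry")
                config.subject_base = subject_base[0]

            if config.master_host_name is None:
                config.kra_host_name = service.find_providing_server(
                    "KRA", conn, api.env.ca_host)
                config.master_host_name = config.kra_host_name
            else:
                config.kra_host_name = config.master_host_name

        try:
            kra.install_check(api, config, self.options)
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))

        print(dedent(self.INSTALLER_START_MESSAGE))

        try:
            kra.install(api, config, self.options)
        except BaseException:
            # same coverage as the previous bare ``except:``: log the
            # failure banner for any abort and re-raise
            self.log.error(dedent(self.FAIL_MESSAGE))
            raise
    finally:
        if conn.isconnected():
            conn.disconnect()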
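def install_check(installer):
    """Pre-flight checks for a replica-file based ipa-replica-install.

    Verifies the local system (no IPA client, httpd not on 443, dirsrv,
    SELinux, NTP), obtains the Directory Manager password, decrypts the
    replica file, writes the management framework config, then contacts
    the master over LDAPS to validate the password and topology (no
    existing agreement or host entry, supported domain level, DNS
    resolution) and runs the CA/KRA/DNS sub-checks.  Results are stored
    on ``installer`` for the install step.

    The only code change against the previous revision is that the
    default.conf writer uses a ``with`` block, so the descriptor is
    closed even when a write fails (the old ``fd.close()`` was skipped
    on exceptions).

    Args:
        installer: the replica installer; also read as ``options``.

    Raises:
        RuntimeError: when the replica file carries no ``ca.crt``.
        SystemExit: via ``sys.exit`` for every user-facing failure.
    """
    options = installer
    filename = installer.replica_file

    tasks.check_selinux_status()

    client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    if client_fstore.has_files():
        sys.exit("IPA client is already configured on this system.\n"
                 "Please uninstall it first before configuring the replica, "
                 "using 'ipa-client-install --uninstall'.")

    sstore = sysrestore.StateFile(paths.SYSRESTORE)
    fstore = sysrestore.FileStore(paths.SYSRESTORE)

    # Check to see if httpd is already configured to listen on 443
    if httpinstance.httpd_443_configured():
        sys.exit("Aborting installation")

    check_dirsrv()

    if not options.no_ntp:
        try:
            ipaclient.ntpconf.check_timedate_services()
        except ipaclient.ntpconf.NTPConflictingService as e:
            print(("WARNING: conflicting time&date synchronization service '%s'"
                   " will" % e.conflicting_service))
            print("be disabled in favor of ntpd")
            print("")
        except ipaclient.ntpconf.NTPConfigurationError:
            # deliberate best effort: an unreadable NTP setup is not fatal
            pass

    # get the directory manager password
    dirman_password = options.password
    if not dirman_password:
        try:
            dirman_password = get_dirman_password()
        except KeyboardInterrupt:
            sys.exit(0)
        if dirman_password is None:
            sys.exit("Directory Manager password required")

    # the replica file is decrypted with the DM password
    config = create_replica_config(dirman_password, filename, options)
    installer._top_dir = config.top_dir
    config.setup_ca = options.setup_ca
    config.setup_kra = options.setup_kra

    # Create the management framework config file
    # Note: We must do this before bootstraping and finalizing ipalib.api
    # The file is written 0644 on purpose (httpd reads it); it carries
    # only topology data (host, basedn, realm, URIs, RA flags), no secrets.
    old_umask = os.umask(0o22)  # must be readable for httpd
    try:
        with open(paths.IPA_DEFAULT_CONF, "w") as fd:
            fd.write("[global]\n")
            fd.write("host=%s\n" % config.host_name)
            fd.write("basedn=%s\n" % str(ipautil.realm_to_suffix(config.realm_name)))
            fd.write("realm=%s\n" % config.realm_name)
            fd.write("domain=%s\n" % config.domain_name)
            fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(config.host_name))
            fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
                     installutils.realm_to_serverid(config.realm_name))
            # a cacert.p12 in the replica file means the master ships a CA
            if ipautil.file_exists(config.dir + "/cacert.p12"):
                fd.write("enable_ra=True\n")
                fd.write("ra_plugin=dogtag\n")
                fd.write("dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
            else:
                fd.write("enable_ra=False\n")
                fd.write("ra_plugin=none\n")
            fd.write("mode=production\n")
    finally:
        os.umask(old_umask)

    api.bootstrap(in_server=True, context='installer')
    api.finalize()

    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)

    cafile = config.dir + "/ca.crt"
    if not ipautil.file_exists(cafile):
        raise RuntimeError("CA cert file is not available. Please run "
                           "ipa-replica-prepare to create a new replica file.")

    # talk to the master over LDAPS; its certificate is checked against
    # the CA certificate shipped in the replica file (tls_cacertfile)
    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
    remote_api = create_api(mode=None)
    remote_api.bootstrap(in_server=True, context='installer', ldap_uri=ldapuri)
    remote_api.finalize()
    conn = remote_api.Backend.ldap2
    replman = None
    try:
        # Try out the password
        conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
                     tls_cacertfile=cafile)
        replman = ReplicationManager(config.realm_name, config.master_host_name,
                                     config.dirman_password)

        # Check that we don't already have a replication agreement
        if replman.get_replication_agreement(config.host_name):
            root_logger.info('Error: A replication agreement for this '
                             'host already exists.')
            print('A replication agreement for this host already exists. '
                  'It needs to be removed.')
            print("Run this on the master that generated the info file:")
            print((" %% ipa-replica-manage del %s --force" % config.host_name))
            sys.exit(3)

        # Detect the current domain level
        try:
            current = remote_api.Command['domainlevel_get']()['result']
        except errors.NotFound:
            # If we're joining an older master, domain entry is not
            # available
            current = 0

        # Detect if current level is out of supported range
        # for this IPA version
        under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
        above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
        if under_lower_bound or above_upper_bound:
            message = ("This version of FreeIPA does not support "
                       "the Domain Level which is currently set for "
                       "this domain. The Domain Level needs to be "
                       "raised before installing a replica with "
                       "this version is allowed to be installed "
                       "within this domain.")
            root_logger.error(message)
            print(message)
            sys.exit(3)

        # Check pre-existing host entry
        # NOTE(review): host_name is interpolated unescaped into the LDAP
        # filter; it comes from the DM-password-protected replica file, so
        # it is trusted here — keep it that way or escape it.
        try:
            conn.find_entries(u'fqdn=%s' % config.host_name, ['fqdn'],
                              DN(api.env.container_host, api.env.basedn))
        except errors.NotFound:
            # no such host yet: this is the expected outcome
            pass
        else:
            root_logger.info('Error: Host %s already exists on the master '
                             'server.' % config.host_name)
            print(('The host %s already exists on the master server.'
                   % config.host_name))
            print("You should remove it before proceeding:")
            print(" %% ipa host-del %s" % config.host_name)
            sys.exit(3)

        dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
        if dns_masters:
            if not options.no_host_dns:
                master = config.master_host_name
                root_logger.debug('Check forward/reverse DNS resolution')
                resolution_ok = (
                    check_dns_resolution(master, dns_masters) and
                    check_dns_resolution(config.host_name, dns_masters))
                # only an interactive run may be aborted on bad resolution
                if not resolution_ok and installer.interactive:
                    if not ipautil.user_input("Continue?", False):
                        sys.exit(0)
        else:
            root_logger.debug('No IPA DNS servers, '
                              'skipping forward/reverse resolution check')

        if options.setup_ca:
            options.realm_name = config.realm_name
            options.host_name = config.host_name
            options.subject = config.subject_base
            ca.install_check(False, config, options)

        if config.setup_kra:
            try:
                kra.install_check(remote_api, config, options)
            except RuntimeError as e:
                print(str(e))
                sys.exit(1)
    except errors.ACIError:
        # the DM bind above was rejected: wrong password for the master
        sys.exit("\nThe password provided is incorrect for LDAP server "
                 "%s" % config.master_host_name)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    finally:
        if replman and replman.conn:
            replman.conn.unbind()
        if conn.isconnected():
            conn.disconnect()

    if options.setup_dns:
        dns.install_check(False, True, options, config.host_name)
        config.ips = dns.ip_addresses
    else:
        config.ips = installutils.get_server_ip_address(
            config.host_name, not installer.interactive, False,
            options.ip_addresses)

    # installer needs to update hosts file when DNS subsystem will be
    # installed or custom addresses are used
    if options.setup_dns or options.ip_addresses:
        installer._update_hosts_file = True

    # check connection
    if not options.skip_conncheck:
        replica_conn_check(
            config.master_host_name, config.host_name, config.realm_name,
            options.setup_ca, config.ca_ds_port, options.admin_password)

    installer._remote_api = remote_api
    installer._fstore = fstore
    installer._sstore = sstore
    installer._config = config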