def execute(self, *keys, **options):
fqdn = keys[0]
if options['state'] == u'enabled':
to_status = ENABLED
from_status = HIDDEN
else:
to_status = HIDDEN
from_status = ENABLED
roles = self.api.Command.server_role_find(
server_server=fqdn,
status=from_status,
include_master=True,
)['result']
from_roles = [r[u'role_servrole'] for r in roles]
if not from_roles:
# no server role is in source status
raise errors.EmptyModlist
if to_status == ENABLED:
enable_services(fqdn)
else:
self._check_hide_server(fqdn)
hide_services(fqdn)
# update system roles
result = self.api.Command.dns_update_system_records()
if not result.get('value'):
self.add_message(messages.AutomaticDNSRecordsUpdateFailed())
return {
'value': fqdn,
'result': True,
}
def execute(self, *keys, **options):
fqdn = keys[0]
if options['state'] == u'enabled':
to_status = ENABLED
from_status = HIDDEN
else:
to_status = HIDDEN
from_status = ENABLED
roles = self.api.Command.server_role_find(
server_server=fqdn,
status=from_status,
include_master=True,
)['result']
from_roles = [r[u'role_servrole'] for r in roles]
if not from_roles:
# no server role is in source status
raise errors.EmptyModlist
if to_status == ENABLED:
enable_services(fqdn)
else:
self._check_hide_server(fqdn)
hide_services(fqdn)
# update system roles
result = self.api.Command.dns_update_system_records()
if not result.get('value'):
self.add_message(messages.AutomaticDNSRecordsUpdateFailed())
return {
'value': fqdn,
'result': True,
}
def install(installer):
options = installer
ca_enabled = installer._ca_enabled
kra_enabled = installer._kra_enabled
fstore = installer._fstore
config = installer._config
cafile = installer._ca_file
dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
http_pkcs12_info = installer._http_pkcs12_info
pkinit_pkcs12_info = installer._pkinit_pkcs12_info
remote_api = installer._remote_api
conn = remote_api.Backend.ldap2
ccache = os.environ['KRB5CCNAME']
if tasks.configure_pkcs11_modules(fstore):
print("Disabled p11-kit-proxy")
if installer._add_to_ipaservers:
try:
conn.connect(ccache=installer._ccache)
remote_api.Command['hostgroup_add_member'](
u'ipaservers',
host=[unicode(api.env.host)],
)
finally:
if conn.isconnected():
conn.disconnect()
os.environ['KRB5CCNAME'] = ccache
config.dirman_password = ipautil.ipa_generate_password()
# FIXME: allow to use passed in certs instead
if ca_enabled:
configure_certmonger()
try:
conn.connect(ccache=ccache)
# Update and istall updated CA file
cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
destfile=paths.KDC_CA_BUNDLE_PEM)
install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
destfile=paths.CA_BUNDLE_PEM)
# Configure dirsrv
ds = install_replica_ds(config, options, ca_enabled,
remote_api,
ca_file=cafile,
pkcs12_info=dirsrv_pkcs12_info,
fstore=fstore)
# Always try to install DNS records
install_dns_records(config, options, remote_api, fstore=fstore)
finally:
if conn.isconnected():
conn.disconnect()
# Create the management framework config file. Do this irregardless
# of the state of DS installation. Even if it fails,
# we need to have master-like configuration in order to perform a
# successful uninstallation
# The configuration creation has to be here otherwise previous call
# To config certmonger would try to connect to local server
create_ipa_conf(fstore, config, ca_enabled)
krb = install_krb(
config,
setup_pkinit=not options.no_pkinit,
pkcs12_info=pkinit_pkcs12_info,
fstore=fstore)
# We need to point to the master when certmonger asks for
# a DS or HTTP certificate.
# During http installation, the <service>/hostname principal is
# created locally then the installer waits for the entry to appear
# on the master selected for the installation.
# In a later step, the installer requests a SSL certificate through
# Certmonger (and the op adds the principal if it does not exist yet).
# If xmlrpc_uri points to the soon-to-be replica,
# the httpd service is not ready yet to handle certmonger requests
# and certmonger tries to find another master. The master can be
# different from the one selected for the installation, and it is
# possible that the principal has not been replicated yet. This
# may lead to a replication conflict.
# This is why we need to force the use of the same master by
# setting xmlrpc_uri
create_ipa_conf(fstore, config, ca_enabled,
master=config.master_host_name)
# we now need to enable ssl on the ds
ds.enable_ssl()
install_http(
config,
auto_redirect=not options.no_ui_redirect,
pkcs12_info=http_pkcs12_info,
ca_is_configured=ca_enabled,
ca_file=cafile,
fstore=fstore)
# Need to point back to ourself after the cert for HTTP is obtained
create_ipa_conf(fstore, config, ca_enabled)
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
if kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
elif ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
options.dm_password = config.dirman_password
ca.install(False, config, options, custodia=custodia)
# configure PKINIT now that all required services are in place
krb.enable_ssl()
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
ds.apply_updates()
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
if kra_enabled:
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
krb.restart()
custodia.import_dm_password()
promote_sssd(config.host_name)
promote_openldap_conf(config.host_name, config.master_host_name)
if options.setup_dns:
dns.install(False, True, options, api)
if options.setup_adtrust:
adtrust.install(False, options, fstore, api)
if options.hidden_replica:
# Set services to hidden
service.hide_services(config.host_name)
else:
# Enable configured services
service.enable_services(config.host_name)
# update DNS SRV records. Although it's only really necessary in
# enabled-service case, also perform update in hidden replica case.
api.Command.dns_update_system_records()
ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
api.Backend.ldap2.disconnect()
# Everything installed properly, activate ipa service.
services.knownservices.ipa.enable()
# Print a warning if CA role is only installed on one server
if len(ca_servers) == 1:
msg = textwrap.dedent(u'''
WARNING: The CA service is only installed on one server ({}).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
'''.format(ca_servers[0]))
print(msg, file=sys.stderr)
def install(installer):
options = installer
ca_enabled = installer._ca_enabled
kra_enabled = installer._kra_enabled
fstore = installer._fstore
config = installer._config
cafile = installer._ca_file
dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
http_pkcs12_info = installer._http_pkcs12_info
pkinit_pkcs12_info = installer._pkinit_pkcs12_info
remote_api = installer._remote_api
conn = remote_api.Backend.ldap2
ccache = os.environ['KRB5CCNAME']
if tasks.configure_pkcs11_modules(fstore):
print("Disabled p11-kit-proxy")
if installer._add_to_ipaservers:
try:
conn.connect(ccache=installer._ccache)
remote_api.Command['hostgroup_add_member'](
u'ipaservers',
host=[unicode(api.env.host)],
)
finally:
if conn.isconnected():
conn.disconnect()
os.environ['KRB5CCNAME'] = ccache
config.dirman_password = ipautil.ipa_generate_password()
# FIXME: allow to use passed in certs instead
if ca_enabled:
configure_certmonger()
try:
conn.connect(ccache=ccache)
# Update and istall updated CA file
cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
install_ca_cert(conn,
api.env.basedn,
api.env.realm,
cafile,
destfile=paths.KDC_CA_BUNDLE_PEM)
install_ca_cert(conn,
api.env.basedn,
api.env.realm,
cafile,
destfile=paths.CA_BUNDLE_PEM)
# Configure dirsrv
ds = install_replica_ds(config,
options,
ca_enabled,
remote_api,
ca_file=cafile,
pkcs12_info=dirsrv_pkcs12_info,
fstore=fstore)
# Always try to install DNS records
install_dns_records(config, options, remote_api, fstore=fstore)
finally:
if conn.isconnected():
conn.disconnect()
# Create the management framework config file. Do this irregardless
# of the state of DS installation. Even if it fails,
# we need to have master-like configuration in order to perform a
# successful uninstallation
# The configuration creation has to be here otherwise previous call
# To config certmonger would try to connect to local server
create_ipa_conf(fstore, config, ca_enabled)
krb = install_krb(config,
setup_pkinit=not options.no_pkinit,
pkcs12_info=pkinit_pkcs12_info,
fstore=fstore)
# We need to point to the master when certmonger asks for
# a DS or HTTP certificate.
# During http installation, the <service>/hostname principal is
# created locally then the installer waits for the entry to appear
# on the master selected for the installation.
# In a later step, the installer requests a SSL certificate through
# Certmonger (and the op adds the principal if it does not exist yet).
# If xmlrpc_uri points to the soon-to-be replica,
# the httpd service is not ready yet to handle certmonger requests
# and certmonger tries to find another master. The master can be
# different from the one selected for the installation, and it is
# possible that the principal has not been replicated yet. This
# may lead to a replication conflict.
# This is why we need to force the use of the same master by
# setting xmlrpc_uri
create_ipa_conf(fstore, config, ca_enabled, master=config.master_host_name)
# we now need to enable ssl on the ds
ds.enable_ssl()
install_http(config,
auto_redirect=not options.no_ui_redirect,
pkcs12_info=http_pkcs12_info,
ca_is_configured=ca_enabled,
ca_file=cafile,
fstore=fstore)
# Need to point back to ourself after the cert for HTTP is obtained
create_ipa_conf(fstore, config, ca_enabled)
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
if kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
elif ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
options.dm_password = config.dirman_password
ca.install(False, config, options, custodia=custodia)
# configure PKINIT now that all required services are in place
krb.enable_ssl()
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
ds.apply_updates()
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
if kra_enabled:
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
krb.restart()
custodia.import_dm_password()
promote_sssd(config.host_name)
promote_openldap_conf(config.host_name, config.master_host_name)
if options.setup_dns:
dns.install(False, True, options, api)
if options.setup_adtrust:
adtrust.install(False, options, fstore, api)
if options.hidden_replica:
# Set services to hidden
service.hide_services(config.host_name)
else:
# Enable configured services
service.enable_services(config.host_name)
# update DNS SRV records. Although it's only really necessary in
# enabled-service case, also perform update in hidden replica case.
api.Command.dns_update_system_records()
ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
api.Backend.ldap2.disconnect()
# Everything installed properly, activate ipa service.
services.knownservices.ipa.enable()
# Print a warning if CA role is only installed on one server
if len(ca_servers) == 1:
msg = textwrap.dedent(u'''
WARNING: The CA service is only installed on one server ({}).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
'''.format(ca_servers[0]))
print(msg, file=sys.stderr)