def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
forward_policy, reverse_zones,
named_user=constants.NAMED_USER, zonemgr=None,
no_dnssec_validation=False):
self.named_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.forward_policy = forward_policy
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.reverse_zones = reverse_zones
self.no_dnssec_validation=no_dnssec_validation
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True)
self.__setup_sub_dict()
def __init__(self, realm_name=None, domain_name=None, fstore=None,
domainlevel=None, config_ldif=None):
super(DsInstance, self).__init__(
"dirsrv",
service_desc="directory server",
fstore=fstore,
service_prefix=u'ldap',
keytab=paths.DS_KEYTAB,
service_user=DS_USER,
realm_name=realm_name
)
self.nickname = 'Server-Cert'
self.sub_dict = None
self.domain = domain_name
self.serverid = None
self.master_fqdn = None
self.pkcs12_info = None
self.cacert_name = None
self.ca_is_configured = True
self.cert = None
self.idstart = None
self.idmax = None
self.ca_subject = None
self.subject_base = None
self.open_ports = []
self.run_init_memberof = True
self.config_ldif = config_ldif # updates for dse.ldif
self.domainlevel = domainlevel
if realm_name:
self.suffix = ipautil.realm_to_suffix(self.realm)
self.__setup_sub_dict()
else:
self.suffix = DN()
def create_replica(self, realm_name, master_fqdn, fqdn,
domain_name, dm_password, pkcs12_info=None):
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
self.suffix = ipautil.realm_to_suffix(self.realm_name)
self.master_fqdn = master_fqdn
self.fqdn = fqdn
self.dm_password = dm_password
self.domain = domain_name
self.pkcs12_info = pkcs12_info
self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
self.self_signed_ca = False
self.subject_base = None
# idstart and idmax are configured so that the range is seen as
# depleted by the DNA plugin and the replica will go and get a
# new range from the master.
# This way all servers use the initially defined range by default.
self.idstart = 1101
self.idmax = 1100
self.__setup_sub_dict()
self.__common_setup()
self.step("setting up initial replication", self.__setup_replica)
self.step("adding replication acis", self.__add_replication_acis)
# See LDIFs for automember configuration during replica install
self.step("setting Auto Member configuration", self.__add_replica_automember_config)
self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
self.__common_post_setup()
self.start_creation(runtime=60)
def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, ntp,
reverse_zones, named_user="******", zonemgr=None,
ca_configured=None, no_dnssec_validation=False):
self.named_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zones = reverse_zones
self.ca_configured = ca_configured
self.no_dnssec_validation=no_dnssec_validation
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True,
dm_password=self.dm_password, autobind=self.autobind)
self.__setup_sub_dict()
def __setup_default_attributes(self):
"""
This method setups default attributes that are either constants, or
based on api.env attributes, such as realm, hostname or domain name.
"""
# Constants
self.smb_conf = paths.SMB_CONF
self.cifs_hosts = []
# Values obtained from API.env
self.fqdn = self.fqdn or api.env.host
self.host_netbios_name = make_netbios_name(self.fqdn)
self.realm = self.realm or api.env.realm
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
ipaldap.realm_to_serverid(self.realm)
# DN definitions
self.trust_dn = DN(api.env.container_trusts, self.suffix)
self.smb_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
('cn', 'etc'), self.suffix)
self.smb_dom_dn = DN(('cn', api.env.domain),
api.env.container_cifsdomains, self.suffix)
self.cifs_agent = DN(('krbprincipalname', self.principal.lower()),
api.env.container_service, self.suffix)
self.host_princ = DN(('fqdn', self.fqdn), api.env.container_host,
self.suffix)
def create_instance(self,
fqdn,
realm_name,
generate_master_key=True,
kasp_db_file=None):
if self.get_state("enabled") is None:
self.backup_state("enabled", self.is_enabled())
if self.get_state("running") is None:
self.backup_state("running", self.is_running())
self.fqdn = fqdn
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(self.realm)
self.kasp_db_file = kasp_db_file
try:
self.stop()
except Exception:
pass
# checking status must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up configuration files", self.__setup_conf_files)
self.step("setting up ownership and file mode bits",
self.__setup_ownership_file_modes)
if generate_master_key:
self.step("generating master key", self.__generate_master_key)
self.step("setting up OpenDNSSEC", self.__setup_dnssec)
self.step("setting up ipa-dnskeysyncd", self.__setup_dnskeysyncd)
self.step("starting OpenDNSSEC enforcer", self.__start)
self.step("configuring OpenDNSSEC enforcer to start on boot",
self.__enable)
self.start_creation()
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host = fqdn.split(".")[0]
suffix = ipautil.realm_to_suffix(realm_name)
zone = domain_name
resource_records = (
("_ldap._tcp", "SRV", "0 100 389 %s" % host),
("_kerberos._tcp", "SRV", "0 100 88 %s" % host),
("_kerberos._udp", "SRV", "0 100 88 %s" % host),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % host),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % host),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % host),
("_kpasswd._udp", "SRV", "0 100 464 %s" % host),
("_ntp._udp", "SRV", "0 100 123 %s" % host),
("@", "NS", fqdn+"."),
)
for (record, type, rdata) in resource_records:
del_rr(zone, record, type, rdata)
areclist = [("A", x) for x in get_rr(zone, host, "A")] + [("AAAA", x) for x in get_rr(zone, host, "AAAA")]
for (type, rdata) in areclist:
del_rr(zone, host, type, rdata)
rzone = find_reverse_zone(rdata)
if rzone is not None:
record = get_reverse_record_name(rzone, rdata)
del_rr(rzone, record, "PTR", fqdn+".")
# remove also master NS record from the reverse zone
del_rr(rzone, "@", "NS", fqdn+".")
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host, zone = fqdn.split(".", 1)
self.host = host
self.fqdn = fqdn
self.domain = domain_name
suffix = ipautil.realm_to_suffix(realm_name)
resource_records = (
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
)
for (record, type, rdata) in resource_records:
del_rr(self.domain, record, type, rdata)
areclist = get_fwd_rr(zone, host)
for rdata in areclist:
del_fwd_rr(zone, host, rdata)
rzone = find_reverse_zone(rdata)
if rzone is not None:
record = get_reverse_record_name(rzone, rdata)
del_rr(rzone, record, "PTR", normalize_zone(fqdn))
def generate_update(self, deletes=False):
"""
We need to separate the deletes that need to happen from the
new entries that need to be added.
"""
ldap = self.obj.backend
suffix = ipautil.realm_to_suffix(api.env.realm)
searchfilter = '(objectclass=*)'
definitions_managed_entries = []
old_template_container = DN(('cn', 'etc'), suffix)
new_template_container = DN(('cn', 'Templates'), ('cn', 'Managed Entries'), ('cn', 'etc'), suffix)
old_definition_container = DN(('cn', 'managed entries'), ('cn', 'plugins'), ('cn', 'config'), suffix)
new_definition_container = DN(('cn', 'Definitions'), ('cn', 'Managed Entries'), ('cn', 'etc'), suffix)
definitions_dn = DN(('cn', 'Definitions'))
update_list = []
restart = False
# If the old entries don't exist the server has already been updated.
try:
(definitions_managed_entries, truncated) = ldap.find_entries(
searchfilter, ['*'], old_definition_container, _ldap.SCOPE_ONELEVEL, normalize=False
)
except errors.NotFound, e:
return (False, update_list)
def ask_for_options(self):
options = self.options
super(ReplicaPrepare, self).ask_for_options()
# get the directory manager password
self.dirman_password = options.password
if not options.password:
self.dirman_password = installutils.read_password(
"Directory Manager (existing master)",
confirm=False,
validate=False)
if self.dirman_password is None:
raise admintool.ScriptError(
"Directory Manager password required")
# Try out the password & get the subject base
suffix = ipautil.realm_to_suffix(api.env.realm)
try:
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dirman_password)
entry_attrs = conn.get_ipa_config()
ca_enabled = api.Command.ca_is_enabled()['result']
conn.disconnect()
except errors.ACIError:
raise admintool.ScriptError("The password provided is incorrect "
"for LDAP server %s" % api.env.host)
except errors.LDAPError:
raise admintool.ScriptError("Unable to connect to LDAP server %s" %
api.env.host)
except errors.DatabaseError, e:
raise admintool.ScriptError(e.desc)
def init_info(self,
realm_name,
fqdn,
domain_name,
dm_password,
subject_base,
ca_subject,
idstart,
idmax,
pkcs12_info,
ca_file=None):
self.realm = realm_name.upper()
self.serverid = installutils.realm_to_serverid(self.realm)
self.suffix = ipautil.realm_to_suffix(self.realm)
self.fqdn = fqdn
self.dm_password = dm_password
self.domain = domain_name
self.subject_base = subject_base
self.ca_subject = ca_subject
self.idstart = idstart
self.idmax = idmax
self.pkcs12_info = pkcs12_info
if pkcs12_info:
self.ca_is_configured = False
self.ca_file = ca_file
self.__setup_sub_dict()
def __init__(self, realm_name=None, domain_name=None, fstore=None,
domainlevel=None, config_ldif=None):
super(DsInstance, self).__init__(
"dirsrv",
service_desc="directory server",
fstore=fstore,
service_prefix=u'ldap',
keytab=paths.DS_KEYTAB,
service_user=DS_USER,
realm_name=realm_name
)
self.nickname = 'Server-Cert'
self.sub_dict = None
self.domain = domain_name
self.serverid = None
self.master_fqdn = None
self.pkcs12_info = None
self.cacert_name = None
self.ca_is_configured = True
self.dercert = None
self.idstart = None
self.idmax = None
self.subject_base = None
self.open_ports = []
self.run_init_memberof = True
self.config_ldif = config_ldif # updates for dse.ldif
self.domainlevel = domainlevel
if realm_name:
self.suffix = ipautil.realm_to_suffix(self.realm)
self.__setup_sub_dict()
else:
self.suffix = DN()
def generate_update(self, deletes=False):
"""
We need to separate the deletes that need to happen from the
new entries that need to be added.
"""
ldap = self.api.Backend.ldap2
suffix = ipautil.realm_to_suffix(self.api.env.realm)
searchfilter = '(objectclass=*)'
definitions_managed_entries = []
old_template_container = DN(('cn', 'etc'), suffix)
new_template_container = DN(('cn', 'Templates'), ('cn', 'Managed Entries'), ('cn', 'etc'), suffix)
old_definition_container = DN(('cn', 'managed entries'), ('cn', 'plugins'), ('cn', 'config'), suffix)
new_definition_container = DN(('cn', 'Definitions'), ('cn', 'Managed Entries'), ('cn', 'etc'), suffix)
definitions_dn = DN(('cn', 'Definitions'))
update_list = []
restart = False
# If the old entries don't exist the server has already been updated.
try:
definitions_managed_entries, truncated = ldap.find_entries(
searchfilter, ['*'], old_definition_container,
ldap.SCOPE_ONELEVEL)
except errors.NotFound, e:
return (False, update_list)
def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, ntp,
reverse_zones, named_user="******", zonemgr=None,
ca_configured=None, no_dnssec_validation=False):
self.named_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zones = reverse_zones
self.ca_configured = ca_configured
self.no_dnssec_validation=no_dnssec_validation
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True,
dm_password=self.dm_password, autobind=self.autobind)
self.__setup_sub_dict()
def __init__(self,
realm_name=None,
domain_name=None,
dm_password=None,
fstore=None):
service.Service.__init__(self,
"dirsrv",
service_desc="directory server",
dm_password=dm_password,
ldapi=False,
autobind=service.DISABLED)
self.realm_name = realm_name
self.sub_dict = None
self.domain = domain_name
self.serverid = None
self.fqdn = None
self.pkcs12_info = None
self.dercert = None
self.idstart = None
self.idmax = None
self.subject_base = None
self.open_ports = []
self.run_init_memberof = True
if realm_name:
self.suffix = ipautil.realm_to_suffix(self.realm_name)
self.__setup_sub_dict()
else:
self.suffix = DN()
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
def init_info(self, realm_name, host_name, setup_pkinit=False,
subject_base=None):
self.fqdn = host_name
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
self.subject_base = subject_base
self.config_pkinit = setup_pkinit
def __init__(self, realm_name=None, domain_name=None, dm_password=None,
fstore=None, domainlevel=None):
service.Service.__init__(self, "dirsrv",
service_desc="directory server",
dm_password=dm_password,
ldapi=False,
autobind=ipaldap.AUTOBIND_DISABLED
)
self.nickname = 'Server-Cert'
self.dm_password = dm_password
self.realm = realm_name
self.sub_dict = None
self.domain = domain_name
self.serverid = None
self.master_fqdn = None
self.pkcs12_info = None
self.cacert_name = None
self.ca_is_configured = True
self.dercert = None
self.idstart = None
self.idmax = None
self.subject_base = None
self.open_ports = []
self.run_init_memberof = True
self.domainlevel = domainlevel
if realm_name:
self.suffix = ipautil.realm_to_suffix(self.realm)
self.__setup_sub_dict()
else:
self.suffix = DN()
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
def delete_winsync_agreement(self):
"""
Deletes the winsync agreement between the current master and the
given AD server.
"""
try:
self.manager.delete_agreement(self.options.server)
self.manager.delete_referral(self.options.server)
dn = DN(('cn', self.options.server),
('cn', 'replicas'),
('cn', 'ipa'),
('cn', 'etc'),
realm_to_suffix(api.env.realm))
entries = self.manager.conn.get_entries(dn,
self.ldap.SCOPE_SUBTREE)
if entries:
entries.sort(key=len, reverse=True)
for entry in entries:
self.ldap.delete_entry(entry)
except Exception as e:
raise admintool.ScriptError(
"Deletion of the winsync agreement failed: %s" % str(e))
def create_instance(self, fqdn, realm_name, generate_master_key=True):
self.backup_state("enabled", self.is_enabled())
self.backup_state("running", self.is_running())
self.fqdn = fqdn
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(self.realm)
try:
self.stop()
except Exception:
pass
# get a connection to the DS
if not self.admin_conn:
self.ldap_connect()
# checking status must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up configuration files", self.__setup_conf_files)
self.step("setting up ownership and file mode bits", self.__setup_ownership_file_modes)
if generate_master_key:
self.step("generating master key", self.__generate_master_key)
self.step("setting up OpenDNSSEC", self.__setup_dnssec)
self.step("setting up ipa-dnskeysyncd", self.__setup_dnskeysyncd)
self.step("starting OpenDNSSEC enforcer", self.__start)
self.step("configuring OpenDNSSEC enforcer to start on boot", self.__enable)
self.start_creation()
def init_info(self, realm_name, host_name, setup_pkinit=False,
subject_base=None):
self.fqdn = host_name
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
self.subject_base = subject_base
self.config_pkinit = setup_pkinit
def generate_update(self, deletes=False):
"""
We need to separate the deletes that need to happen from the
new entries that need to be added.
"""
ldap = self.obj.backend
suffix = ipautil.realm_to_suffix(api.env.realm)
searchfilter = "(objectclass=*)"
definitions_managed_entries = []
old_template_container = DN(("cn", "etc"), suffix)
new_template_container = DN(("cn", "Templates"), ("cn", "Managed Entries"), ("cn", "etc"), suffix)
old_definition_container = DN(("cn", "managed entries"), ("cn", "plugins"), ("cn", "config"), suffix)
new_definition_container = DN(("cn", "Definitions"), ("cn", "Managed Entries"), ("cn", "etc"), suffix)
definitions_dn = DN(("cn", "Definitions"))
update_list = []
restart = False
# If the old entries don't exist the server has already been updated.
try:
(definitions_managed_entries, truncated) = ldap.find_entries(
searchfilter, ["*"], old_definition_container, _ldap.SCOPE_ONELEVEL, normalize=False
)
except errors.NotFound, e:
return (False, update_list)
def install_http(config, auto_redirect):
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12", "http_pin.txt")
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', config.host_name,
config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
http = httpinstance.HTTPInstance()
http.create_instance(
config.realm_name, config.host_name, config.domain_name,
config.dirman_password, False, pkcs12_info,
auto_redirect=auto_redirect, ca_file=config.dir + "/ca.crt",
ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"))
# Now copy the autoconfiguration files
try:
if ipautil.file_exists(config.dir + "/preferences.html"):
shutil.copy(config.dir + "/preferences.html",
paths.PREFERENCES_HTML)
if ipautil.file_exists(config.dir + "/configure.jar"):
shutil.copy(config.dir + "/configure.jar",
paths.CONFIGURE_JAR)
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
def setup(self,
fqdn,
ip_addresses,
realm_name,
domain_name,
forwarders,
forward_policy,
reverse_zones,
named_user=constants.NAMED_USER,
zonemgr=None,
no_dnssec_validation=False):
self.service_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.forward_policy = forward_policy
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.reverse_zones = reverse_zones
self.no_dnssec_validation = no_dnssec_validation
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(self.suffix)
self.__setup_sub_dict()
def install_dns_records(config, options, remote_api):
if not bindinstance.dns_container_exists(
config.master_host_name,
ipautil.realm_to_suffix(config.realm_name),
dm_password=config.dirman_password):
return
try:
bind = bindinstance.BindInstance(dm_password=config.dirman_password,
api=remote_api)
for ip in config.ips:
reverse_zone = bindinstance.find_reverse_zone(ip, remote_api)
bind.add_master_dns_records(config.host_name,
str(ip),
config.realm_name,
config.domain_name,
reverse_zone,
not options.no_ntp,
options.setup_ca)
except errors.NotFound as e:
root_logger.debug('Replica DNS records could not be added '
'on master: %s', str(e))
# we should not fail here no matter what
except Exception as e:
root_logger.info('Replica DNS records could not be added '
'on master: %s', str(e))
def ask_for_options(self):
options = self.options
super(ReplicaPrepare, self).ask_for_options()
# get the directory manager password
self.dirman_password = options.password
if not options.password:
self.dirman_password = installutils.read_password(
"Directory Manager (existing master)",
confirm=False, validate=False)
if self.dirman_password is None:
raise admintool.ScriptError(
"Directory Manager password required")
# Try out the password & get the subject base
suffix = ipautil.realm_to_suffix(api.env.realm)
try:
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dirman_password)
entry_attrs = conn.get_ipa_config()
ca_enabled = api.Command.ca_is_enabled()['result']
conn.disconnect()
except errors.ACIError:
raise admintool.ScriptError("The password provided is incorrect "
"for LDAP server %s" % api.env.host)
except errors.LDAPError:
raise admintool.ScriptError(
"Unable to connect to LDAP server %s" % api.env.host)
except errors.DatabaseError, e:
raise admintool.ScriptError(e.desc)
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host, zone = fqdn.split(".", 1)
self.host = host
self.fqdn = fqdn
self.domain = domain_name
suffix = ipautil.realm_to_suffix(realm_name)
resource_records = (
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
)
for (record, type, rdata) in resource_records:
del_rr(self.domain, record, type, rdata)
areclist = get_fwd_rr(zone, host)
for rdata in areclist:
del_fwd_rr(zone, host, rdata)
rzone = find_reverse_zone(rdata)
if rzone is not None:
record = get_reverse_record_name(rzone, rdata)
del_rr(rzone, record, "PTR", normalize_zone(fqdn))
def __init__(self, realm_name=None, domain_name=None, dm_password=None,
fstore=None, cert_nickname='Server-Cert'):
service.Service.__init__(self, "dirsrv",
service_desc="directory server",
dm_password=dm_password,
ldapi=False,
autobind=service.DISABLED
)
self.nickname = cert_nickname
self.dm_password = dm_password
self.realm = realm_name
self.sub_dict = None
self.domain = domain_name
self.serverid = None
self.pkcs12_info = None
self.ca_is_configured = True
self.dercert = None
self.idstart = None
self.idmax = None
self.subject_base = None
self.open_ports = []
self.run_init_memberof = True
if realm_name:
self.suffix = ipautil.realm_to_suffix(self.realm)
self.__setup_sub_dict()
else:
self.suffix = DN()
if fstore:
self.fstore = fstore
else:
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
def delete_winsync_agreement(self):
"""
Deletes the winsync agreement between the current master and the
given AD server.
"""
try:
self.manager.delete_agreement(self.options.server)
self.manager.delete_referral(self.options.server)
dn = DN(('cn', self.options.server),
('cn', 'replicas'),
('cn', 'ipa'),
('cn', 'etc'),
realm_to_suffix(api.env.realm))
entries = self.manager.conn.get_entries(dn,
self.ldap.SCOPE_SUBTREE)
if entries:
entries.sort(key=len, reverse=True)
for entry in entries:
self.ldap.delete_entry(entry)
except Exception as e:
raise admintool.ScriptError(
"Deletion of the winsync agreement failed: %s" % str(e))
def create_instance(self, realm, fqdn, domain_name, dm_password=None,
autoconfig=True, pkcs12_info=None,
subject_base=None, auto_redirect=True, ca_file=None,
ca_is_configured=None, promote=False):
self.fqdn = fqdn
self.realm = realm
self.domain = domain_name
self.dm_password = dm_password
self.suffix = ipautil.realm_to_suffix(self.realm)
self.pkcs12_info = pkcs12_info
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
self.dercert = None
self.subject_base = subject_base
self.sub_dict = dict(
REALM=realm,
FQDN=fqdn,
DOMAIN=self.domain,
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
)
self.ca_file = ca_file
if ca_is_configured is not None:
self.ca_is_configured = ca_is_configured
self.promote = promote
# get a connection to the DS
self.ldap_connect()
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss cipher suite",
self.set_mod_nss_cipher_suite)
self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
self.set_mod_nss_protocol)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
if self.ca_is_configured:
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal_guard)
self.step("setting up httpd keytab", self.__create_http_keytab)
self.step("setting up ssl", self.__setup_ssl)
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
if autoconfig:
self.step("setting up browser autoconfig", self.__setup_autoconfig)
if not self.promote:
self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
if not self.is_kdcproxy_configured():
self.step("create KDC proxy user", create_kdcproxy_user)
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
self.start_creation(runtime=60)
def configure_instance(self, realm_name, host_name, dm_password,
admin_password, pkcs12_info=None, master_host=None,
subject_base=None, ra_only=False, promote=False):
"""Create a KRA instance.
To create a clone, pass in pkcs12_info.
"""
self.fqdn = host_name
self.dm_password = dm_password
self.admin_groups = ADMIN_GROUPS
self.admin_password = admin_password
self.pkcs12_info = pkcs12_info
if self.pkcs12_info is not None or promote:
self.clone = True
self.master_host = master_host
if subject_base is None:
self.subject_base = DN(('O', self.realm))
else:
self.subject_base = subject_base
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
if not ra_only:
# Confirm that a KRA does not already exist
if self.is_installed():
raise RuntimeError(
"KRA already installed.")
# Confirm that a Dogtag 10 CA instance already exists
ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
if not ca.is_installed():
raise RuntimeError(
"KRA configuration failed. "
"A Dogtag CA must be installed first")
if promote:
self.step("creating installation admin user", self.setup_admin)
self.step("configuring KRA instance", self.__spawn_instance)
if not self.clone:
self.step("create KRA agent",
self.__create_kra_agent)
self.step("exporting KRA agent cert", export_kra_agent_pem)
if not ra_only:
if promote:
self.step("destroying installation admin user", self.teardown_admin)
self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
self.step("configure HTTP to proxy connections",
self.http_proxy)
if not self.clone:
self.step("add vault container", self.__add_vault_container)
self.step("apply LDAP updates", self.__apply_updates)
self.step("enabling KRA instance", self.__enable_instance)
self.start_creation(runtime=126)
def create_instance(self, realm, fqdn, domain_name, dm_password=None,
pkcs12_info=None,
subject_base=None, auto_redirect=True, ca_file=None,
ca_is_configured=None, promote=False):
self.fqdn = fqdn
self.realm = realm
self.domain = domain_name
self.dm_password = dm_password
self.suffix = ipautil.realm_to_suffix(self.realm)
self.pkcs12_info = pkcs12_info
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
self.dercert = None
self.subject_base = subject_base
self.sub_dict = dict(
REALM=realm,
FQDN=fqdn,
DOMAIN=self.domain,
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
)
self.ca_file = ca_file
if ca_is_configured is not None:
self.ca_is_configured = ca_is_configured
self.promote = promote
# get a connection to the DS
self.ldap_connect()
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss cipher suite",
self.set_mod_nss_cipher_suite)
self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
self.set_mod_nss_protocol)
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
if self.ca_is_configured:
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal_guard)
self.step("setting up httpd keytab", self.__create_http_keytab)
self.step("setting up ssl", self.__setup_ssl)
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
if not self.promote:
self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
if not self.is_kdcproxy_configured():
self.step("create KDC proxy user", create_kdcproxy_user)
self.step("create KDC proxy config", self.create_kdcproxy_conf)
self.step("enable KDC proxy", self.enable_kdcproxy)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
self.step("enabling oddjobd", self.enable_and_start_oddjobd)
self.start_creation(runtime=60)
def create_instance(self):
suffix = ipautil.realm_to_suffix(self.realm)
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Making sure custodia container exists", self.__create_container)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(
gensvc_name="KEYS", fqdn=self.fqdn, ldap_suffix=suffix, realm=self.realm
)
sysupgrade.set_upgrade_state("custodia", "installed", True)
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = backup(master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = tasks.get_backup_dir(self.master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
# Fecth all needed certs one by one, then combine them in a single
# p12 file
prefix = data['prefix']
certlist = data['list']
cli = self.__CustodiaClient(server=ca_host)
# Temporary nssdb
tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
try:
# Temporary nssdb password
nsspwfile = os.path.join(tmpnssdir, 'nsspwfile')
with open(nsspwfile, 'w+') as f:
f.write(b64encode(os.urandom(16)))
f.flush()
# Cert file password
crtpwfile = os.path.join(tmpnssdir, 'crtpwfile')
with open(crtpwfile, 'w+') as f:
f.write(cacerts_pwd)
f.flush()
for nickname in certlist:
value = cli.fetch_key(os.path.join(prefix, nickname), False)
v = json_decode(value)
pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile')
with open(pk12pwfile, 'w+') as f:
f.write(v['export password'])
pk12file = os.path.join(tmpnssdir, 'pk12file')
with open(pk12file, 'w+') as f:
f.write(b64decode(v['pkcs12 data']))
ipautil.run([paths.PK12UTIL,
'-d', tmpnssdir,
'-k', nsspwfile,
'-n', nickname,
'-i', pk12file,
'-w', pk12pwfile])
# Add CA certificates
tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
self.suffix = ipautil.realm_to_suffix(self.realm)
if self.admin_conn is not None:
self.ldap_disconnect()
self.import_ca_certs(tmpdb, True)
# Now that we gathered all certs, re-export
ipautil.run([paths.PKCS12EXPORT,
'-d', tmpnssdir,
'-p', nsspwfile,
'-w', crtpwfile,
'-o', cacerts_file])
finally:
shutil.rmtree(tmpnssdir)
def create_instance(self):
suffix = ipautil.realm_to_suffix(self.realm)
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Making sure custodia container exists", self.__create_container)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
fqdn=self.fqdn,
ldap_suffix=suffix,
realm=self.realm)
sysupgrade.set_upgrade_state('custodia', 'installed', True)
def create_instance(self, dm_password=None):
suffix = ipautil.realm_to_suffix(self.realm)
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Making sure custodia container exists", self.__create_container)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
fqdn=self.fqdn,
dm_password=dm_password,
ldap_suffix=suffix,
realm=self.realm)
sysupgrade.set_upgrade_state('custodia', 'installed', True)
def create_replica(self, master_host_name):
suffix = ipautil.realm_to_suffix(self.realm)
self.ldap_uri = 'ldap://%s' % master_host_name
self.master_host_name = master_host_name
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
fqdn=self.fqdn,
ldap_suffix=suffix,
realm=self.realm)
def create_replica(self, master_host_name):
suffix = ipautil.realm_to_suffix(self.realm)
self.ldap_uri = 'ldap://%s' % master_host_name
self.master_host_name = master_host_name
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
fqdn=self.fqdn,
ldap_suffix=suffix,
realm=self.realm)
def main():
module = AnsibleModule(argument_spec=dict(domain=dict(required=True, type="str")))
domain = module.params["domain"]
if "." not in domain or domain != domain.lower():
raise ValueError(domain)
version_info = []
for part in version.VERSION.split("."):
# DEV versions look like 4.4.90.201610191151GITd852c00
if "GIT" in part:
version_info.append(part)
else:
version_info.append(int(part))
ipa = dict(
domain=domain,
realm=None,
basedn=None,
packages=dict(ipaserver=ipaserver_package),
configured=dict(client=False, server=False, ca=False, kra=False),
version=dict(
api_version=version.API_VERSION,
num_version=version.NUM_VERSION,
vendor_version=version.VENDOR_VERSION,
version=version.VERSION,
version_info=version_info,
),
paths={name: getattr(paths, name) for name in dir(paths) if name[0].isupper()},
api_env={},
)
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
ipa["configured"]["client"] = os.path.isfile(paths.IPA_DEFAULT_CONF) and fstore.has_files()
if ipa["configured"]["client"]:
ipa["api_env"].update(get_api_env())
if ipa["domain"] != ipa["api_env"]["domain"]:
raise ValueError("domain {} != {}".format(domain, ipa["api_env"]["domain"]))
ipa["realm"] = ipa["api_env"]["realm"]
ipa["basedn"] = ipa["api_env"]["basedn"]
else:
ipa["realm"] = domain.upper()
ipa["basedn"] = str(ipautil.realm_to_suffix(domain.upper()))
if ipaserver_package:
if is_ipa_configured():
ca = CAInstance(ipa["realm"], certs.NSS_DIR)
kra = KRAInstance(ipa["realm"])
ipa["configured"].update(
server=True, ca=ca.is_installed() and ca.is_configured(), kra=kra.is_installed() and kra.is_configured()
)
module.exit_json(changed=False, ansible_facts=dict(ipa=ipa))
def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name,
reverse_zones):
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.reverse_zones = reverse_zones
self.zonemgr = 'hostmaster.%s' % self.domain
self.__add_self()
def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
# Fecth all needed certs one by one, then combine them in a single
# p12 file
prefix = data['prefix']
certlist = data['list']
cli = self.__CustodiaClient(server=ca_host)
# Temporary nssdb
tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
try:
# Temporary nssdb password
nsspwfile = os.path.join(tmpnssdir, 'nsspwfile')
with open(nsspwfile, 'w+') as f:
f.write(b64encode(os.urandom(16)))
f.flush()
# Cert file password
crtpwfile = os.path.join(tmpnssdir, 'crtpwfile')
with open(crtpwfile, 'w+') as f:
f.write(cacerts_pwd)
f.flush()
for nickname in certlist:
value = cli.fetch_key(os.path.join(prefix, nickname), False)
v = json_decode(value)
pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile')
with open(pk12pwfile, 'w+') as f:
f.write(v['export password'])
pk12file = os.path.join(tmpnssdir, 'pk12file')
with open(pk12file, 'w+') as f:
f.write(b64decode(v['pkcs12 data']))
ipautil.run([
paths.PK12UTIL, '-d', tmpnssdir, '-k', nsspwfile, '-n',
nickname, '-i', pk12file, '-w', pk12pwfile
])
# Add CA certificates
tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
self.suffix = ipautil.realm_to_suffix(self.realm)
if self.admin_conn is not None:
self.ldap_disconnect()
self.import_ca_certs(tmpdb, True)
# Now that we gathered all certs, re-export
ipautil.run([
paths.PKCS12EXPORT, '-d', tmpnssdir, '-p', nsspwfile, '-w',
crtpwfile, '-o', cacerts_file
])
finally:
shutil.rmtree(tmpnssdir)
def create_replica(self, master_host_name):
suffix = ipautil.realm_to_suffix(self.realm)
self.ldap_uri = "ldap://%s" % master_host_name
self.master_host_name = master_host_name
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Generating ipa-custodia keys", self.__gen_keys)
if self.ca_is_configured:
self.step("Importing RA Key", self.__import_ra_key)
super(CustodiaInstance, self).create_instance(
gensvc_name="KEYS", fqdn=self.fqdn, ldap_suffix=suffix, realm=self.realm
)
def retrieve_netbios_name(api):
flat_name_attr = 'ipantflatname'
try:
entry = api.Backend.ldap2.get_entry(
DN(('cn', api.env.domain), api.env.container_cifsdomains,
ipautil.realm_to_suffix(api.env.realm)), [flat_name_attr])
except errors.NotFound:
# trust not configured
logger.debug("No previous trust configuration found")
return None
else:
return entry.get(flat_name_attr)[0]
def setup_templating(
self, fqdn, realm_name, domain_name, no_dnssec_validation=None
):
"""Setup bindinstance for templating
"""
self.fqdn = fqdn
self.realm = realm_name
self.domain = domain_name
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.no_dnssec_validation = no_dnssec_validation
self._setup_sub_dict()
def create_instance(self,
realm,
fqdn,
domain_name,
dm_password=None,
autoconfig=True,
pkcs12_info=None,
self_signed_ca=False,
subject_base=None,
auto_redirect=True):
self.fqdn = fqdn
self.realm = realm
self.domain = domain_name
self.dm_password = dm_password
self.suffix = ipautil.realm_to_suffix(self.realm)
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
self.dercert = None
self.subject_base = subject_base
self.sub_dict = dict(
REALM=realm,
FQDN=fqdn,
DOMAIN=self.domain,
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
)
# get a connection to the DS
self.ldap_connect()
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
self.set_mod_nss_protocol)
self.step("setting mod_nss password file",
self.__set_mod_nss_passwordfile)
self.step("enabling mod_nss renegotiate",
self.enable_mod_nss_renegotiate)
self.step("adding URL rewriting rules", self.__add_include)
self.step("configuring httpd", self.__configure_http)
self.step("setting up ssl", self.__setup_ssl)
if autoconfig:
self.step("setting up browser autoconfig", self.__setup_autoconfig)
self.step("publish CA cert", self.__publish_ca_cert)
self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache",
self.remove_httpd_ccache)
self.step("configuring SELinux for httpd",
self.configure_selinux_for_httpd)
self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable)
self.start_creation(runtime=60)
def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
reverse_zone, ntp=False):
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
self.domain = domain_name
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zone = reverse_zone
self.__add_self()
def configure_instance(self, realm_name, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None,
master_replication_port=None,
subject_base=None):
"""Create a KRA instance.
To create a clone, pass in pkcs12_info.
"""
self.fqdn = host_name
self.domain = domain
self.dm_password = dm_password
self.admin_password = admin_password
self.ds_port = ds_port
self.pkcs12_info = pkcs12_info
if self.pkcs12_info is not None:
self.clone = True
self.master_host = master_host
self.master_replication_port = master_replication_port
if subject_base is None:
self.subject_base = DN(('O', self.realm))
else:
self.subject_base = subject_base
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
# Confirm that a KRA does not already exist
if self.is_installed():
raise RuntimeError(
"KRA already installed.")
# Confirm that a Dogtag 10 CA instance already exists
ca = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR,
dogtag_constants=dogtag.Dogtag10Constants)
if not ca.is_installed():
raise RuntimeError(
"KRA configuration failed. "
"A Dogtag CA must be installed first")
self.step("configuring KRA instance", self.__spawn_instance)
if not self.clone:
self.step("add RA user to KRA agent group",
self.__add_ra_user_to_agent_group)
self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
self.step("configure HTTP to proxy connections",
self.http_proxy)
self.step("add vault container", self.__add_vault_container)
self.start_creation(runtime=126)
def retrieve_netbios_name(api):
flat_name_attr = 'ipantflatname'
try:
entry = api.Backend.ldap2.get_entry(
DN(('cn', api.env.domain), api.env.container_cifsdomains,
ipautil.realm_to_suffix(api.env.realm)),
[flat_name_attr])
except errors.NotFound:
# trust not configured
logger.debug("No previous trust configuration found")
return None
else:
return entry.get(flat_name_attr)[0]
def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name,
reverse_zones):
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.reverse_zones = reverse_zones
self.first_instance = False
self.zonemgr = 'hostmaster.%s' % self.domain
self.__add_self()
def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
# Fecth all needed certs one by one, then combine them in a single
# p12 file
prefix = data['prefix']
certlist = data['list']
# Before we attempt to fetch keys from this host, make sure our public
# keys have been replicated there.
self.__wait_keys(ca_host)
cli = self.__CustodiaClient(server=ca_host)
# Temporary nssdb
tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
tmpdb = NSSDatabase(tmpnssdir)
tmpdb.create_db()
try:
# Cert file password
crtpwfile = os.path.join(tmpnssdir, 'crtpwfile')
with open(crtpwfile, 'w+') as f:
f.write(cacerts_pwd)
f.flush()
for nickname in certlist:
value = cli.fetch_key(os.path.join(prefix, nickname), False)
v = json_decode(value)
pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile')
with open(pk12pwfile, 'w+') as f:
f.write(v['export password'])
pk12file = os.path.join(tmpnssdir, 'pk12file')
with open(pk12file, 'w+') as f:
f.write(b64decode(v['pkcs12 data']))
ipautil.run([
paths.PK12UTIL, '-d', tmpdb.secdir, '-k', tmpdb.pwd_file,
'-n', nickname, '-i', pk12file, '-w', pk12pwfile
])
# Add CA certificates
self.suffix = ipautil.realm_to_suffix(self.realm)
self.import_ca_certs(tmpdb, True)
# Now that we gathered all certs, re-export
ipautil.run([
paths.PKCS12EXPORT, '-d', tmpdb.secdir, '-p', tmpdb.pwd_file,
'-w', crtpwfile, '-o', cacerts_file
])
finally:
shutil.rmtree(tmpnssdir)
def create_instance(self):
if self.ldap_uri is None or self.ldap_uri.startswith('ldapi://'):
# local case, ensure container exists
self.step("Making sure custodia container exists",
self.__create_container)
self.step("Generating ipa-custodia config file", self.__config_file)
self.step("Generating ipa-custodia keys", self.__gen_keys)
super(CustodiaInstance, self).create_instance(
gensvc_name='KEYS',
fqdn=self.fqdn,
ldap_suffix=ipautil.realm_to_suffix(self.realm),
realm=self.realm)
sysupgrade.set_upgrade_state('custodia', 'installed', True)
def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name,
reverse_zones, ntp=False, ca_configured=None):
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zones = reverse_zones
self.ca_configured = ca_configured
self.first_instance = False
self.zonemgr = 'hostmaster.%s' % self.domain
self.__add_self()
self.__add_ipa_ca_record()
def configure_instance(self,
realm_name,
host_name,
dm_password,
admin_password,
pkcs12_info=None,
master_host=None,
subject_base=None):
"""Create a KRA instance.
To create a clone, pass in pkcs12_info.
"""
self.fqdn = host_name
self.dm_password = dm_password
self.admin_password = admin_password
self.pkcs12_info = pkcs12_info
if self.pkcs12_info is not None:
self.clone = True
self.master_host = master_host
if subject_base is None:
self.subject_base = DN(('O', self.realm))
else:
self.subject_base = subject_base
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
# Confirm that a KRA does not already exist
if self.is_installed():
raise RuntimeError("KRA already installed.")
# Confirm that a Dogtag 10 CA instance already exists
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
if not ca.is_installed():
raise RuntimeError("KRA configuration failed. "
"A Dogtag CA must be installed first")
self.step("configuring KRA instance", self.__spawn_instance)
if not self.clone:
self.step("create KRA agent", self.__create_kra_agent)
self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
self.step("configure HTTP to proxy connections", self.http_proxy)
self.step("add vault container", self.__add_vault_container)
self.step("apply LDAP updates", self.__apply_updates)
self.start_creation(runtime=126)
def create_instance(self,
realm_name,
fqdn,
domain_name,
dm_password,
pkcs12_info=None,
self_signed_ca=False,
idstart=1100,
idmax=999999,
subject_base=None,
hbac_allow=True):
self.realm_name = realm_name.upper()
self.serverid = realm_to_serverid(self.realm_name)
self.suffix = ipautil.realm_to_suffix(self.realm_name)
self.fqdn = fqdn
self.dm_password = dm_password
self.domain = domain_name
self.pkcs12_info = pkcs12_info
self.self_signed_ca = self_signed_ca
self.idstart = idstart
self.idmax = idmax
self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
self.subject_base = subject_base
self.__setup_sub_dict()
self.__common_setup()
self.step("adding default layout", self.__add_default_layout)
self.step("adding delegation layout", self.__add_delegation_layout)
self.step("adding replication acis", self.__add_replication_acis)
self.step("creating container for managed entries",
self.__managed_entries)
self.step("configuring user private groups",
self.__user_private_groups)
self.step("configuring netgroups from hostgroups",
self.__host_nis_groups)
self.step("creating default Sudo bind user", self.__add_sudo_binduser)
self.step("creating default Auto Member layout",
self.__add_automember_config)
self.step("adding range check plugin", self.__add_range_check_plugin)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
self.step("Upload CA cert to the directory", self.__upload_ca_cert)
self.__common_post_setup()
self.start_creation(runtime=60)
def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
# Fecth all needed certs one by one, then combine them in a single
# p12 file
prefix = data["prefix"]
certlist = data["list"]
cli = self.__CustodiaClient(server=ca_host)
# Temporary nssdb
tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
try:
# Temporary nssdb password
nsspwfile = os.path.join(tmpnssdir, "nsspwfile")
with open(nsspwfile, "w+") as f:
f.write(b64encode(os.urandom(16)))
f.flush()
# Cert file password
crtpwfile = os.path.join(tmpnssdir, "crtpwfile")
with open(crtpwfile, "w+") as f:
f.write(cacerts_pwd)
f.flush()
for nickname in certlist:
value = cli.fetch_key(os.path.join(prefix, nickname), False)
v = json_decode(value)
pk12pwfile = os.path.join(tmpnssdir, "pk12pwfile")
with open(pk12pwfile, "w+") as f:
f.write(v["export password"])
pk12file = os.path.join(tmpnssdir, "pk12file")
with open(pk12file, "w+") as f:
f.write(b64decode(v["pkcs12 data"]))
ipautil.run(
[paths.PK12UTIL, "-d", tmpnssdir, "-k", nsspwfile, "-n", nickname, "-i", pk12file, "-w", pk12pwfile]
)
# Add CA certificates
tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
self.suffix = ipautil.realm_to_suffix(self.realm)
self.import_ca_certs(tmpdb, True)
# Now that we gathered all certs, re-export
ipautil.run([paths.PKCS12EXPORT, "-d", tmpnssdir, "-p", nsspwfile, "-w", crtpwfile, "-o", cacerts_file])
finally:
shutil.rmtree(tmpnssdir)
def _get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
# Fetch all needed certs one by one, then combine them in a single
# PKCS12 file
prefix = data['prefix']
certlist = data['list']
cli = self._get_custodia_client(server=ca_host)
with NSSDatabase(None) as tmpdb:
tmpdb.create_db()
# Cert file password
crtpwfile = os.path.join(tmpdb.secdir, 'crtpwfile')
with open(crtpwfile, 'w+') as f:
f.write(cacerts_pwd)
for nickname in certlist:
value = cli.fetch_key(os.path.join(prefix, nickname), False)
v = json_decode(value)
pk12pwfile = os.path.join(tmpdb.secdir, 'pk12pwfile')
with open(pk12pwfile, 'w+') as f:
f.write(v['export password'])
pk12file = os.path.join(tmpdb.secdir, 'pk12file')
with open(pk12file, 'wb') as f:
f.write(b64decode(v['pkcs12 data']))
tmpdb.run_pk12util([
'-k', tmpdb.pwd_file, '-n', nickname, '-i', pk12file, '-w',
pk12pwfile
])
# Add CA certificates, but don't import the main CA cert. It's
# already present as 'caSigningCert cert-pki-ca'. With SQL db
# format, a second import would rename the certificate. See
# https://pagure.io/freeipa/issue/7498 for more details.
conn = api.Backend.ldap2
suffix = ipautil.realm_to_suffix(self.realm)
ca_certs = get_ca_certs_nss(conn, suffix, self.realm, True)
for cert, nickname, trust_flags in ca_certs:
if nickname == get_ca_nickname(self.realm):
continue
tmpdb.add_cert(cert, nickname, trust_flags)
# Now that we gathered all certs, re-export
ipautil.run([
paths.PKCS12EXPORT, '-d', tmpdb.secdir, '-p', tmpdb.pwd_file,
'-w', crtpwfile, '-o', cacerts_file
])
def test_replicamanage_del(self):
"""Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
ldapmodify -D cn="Directory Manager"-w <passwd>
dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN>
add: ipaconfigstring
ipaconfigstring: configuredService
4. On master,
run ipa-replica-manage del <replicaFQDN> --cleanup --force
"""
# https://pagure.io/freeipa/issue/7929
# modify the replica entry on Master
cmd_output = None
dn_entry = 'dn: cn=KDC,cn=%s,cn=masters,cn=ipa,' \
'cn=etc,%s' % \
(self.replicas[0].hostname,
ipautil.realm_to_suffix(
self.replicas[0].domain.realm).ldap_text())
entry_ldif = textwrap.dedent("""
{dn}
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
{dn}
add: ipaconfigstring
ipaconfigstring: configuredService
""").format(dn=dn_entry)
cmd_output = tasks.ldapmodify_dm(self.master, entry_ldif)
assert 'modifying entry' in cmd_output.stdout_text
cmd_output = self.master.run_command([
'ipa-replica-manage', 'del',
self.replicas[0].hostname, '--cleanup', '--force'
])
assert_text = 'Deleted IPA server "%s"' % self.replicas[0].hostname
assert assert_text in cmd_output.stdout_text