예제 #1
0
파일: server.py 프로젝트: zpytela/freeipa
    def execute(self, *keys, **options):
        fqdn = keys[0]
        if options['state'] == u'enabled':
            to_status = ENABLED
            from_status = HIDDEN
        else:
            to_status = HIDDEN
            from_status = ENABLED

        roles = self.api.Command.server_role_find(
            server_server=fqdn,
            status=from_status,
            include_master=True,
        )['result']
        from_roles = [r[u'role_servrole'] for r in roles]
        if not from_roles:
            # no server role is in source status
            raise errors.EmptyModlist

        if to_status == ENABLED:
            enable_services(fqdn)
        else:
            self._check_hide_server(fqdn)
            hide_services(fqdn)

        # update system roles
        result = self.api.Command.dns_update_system_records()
        if not result.get('value'):
            self.add_message(messages.AutomaticDNSRecordsUpdateFailed())

        return {
            'value': fqdn,
            'result': True,
        }
예제 #2
0
파일: server.py 프로젝트: encukou/freeipa
    def execute(self, *keys, **options):
        fqdn = keys[0]
        if options['state'] == u'enabled':
            to_status = ENABLED
            from_status = HIDDEN
        else:
            to_status = HIDDEN
            from_status = ENABLED

        roles = self.api.Command.server_role_find(
            server_server=fqdn,
            status=from_status,
            include_master=True,
        )['result']
        from_roles = [r[u'role_servrole'] for r in roles]
        if not from_roles:
            # no server role is in source status
            raise errors.EmptyModlist

        if to_status == ENABLED:
            enable_services(fqdn)
        else:
            self._check_hide_server(fqdn)
            hide_services(fqdn)

        # update system roles
        result = self.api.Command.dns_update_system_records()
        if not result.get('value'):
            self.add_message(messages.AutomaticDNSRecordsUpdateFailed())

        return {
            'value': fqdn,
            'result': True,
        }
예제 #3
0
def install(installer):
    options = installer
    ca_enabled = installer._ca_enabled
    kra_enabled = installer._kra_enabled
    fstore = installer._fstore
    config = installer._config
    cafile = installer._ca_file
    dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
    http_pkcs12_info = installer._http_pkcs12_info
    pkinit_pkcs12_info = installer._pkinit_pkcs12_info

    remote_api = installer._remote_api
    conn = remote_api.Backend.ldap2
    ccache = os.environ['KRB5CCNAME']

    if tasks.configure_pkcs11_modules(fstore):
        print("Disabled p11-kit-proxy")

    if installer._add_to_ipaservers:
        try:
            conn.connect(ccache=installer._ccache)
            remote_api.Command['hostgroup_add_member'](
                u'ipaservers',
                host=[unicode(api.env.host)],
            )
        finally:
            if conn.isconnected():
                conn.disconnect()
            os.environ['KRB5CCNAME'] = ccache
    config.dirman_password = ipautil.ipa_generate_password()

    # FIXME: allow to use passed in certs instead
    if ca_enabled:
        configure_certmonger()

    try:
        conn.connect(ccache=ccache)

        # Update and istall updated CA file
        cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
        install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
                        destfile=paths.KDC_CA_BUNDLE_PEM)
        install_ca_cert(conn, api.env.basedn, api.env.realm, cafile,
                        destfile=paths.CA_BUNDLE_PEM)

        # Configure dirsrv
        ds = install_replica_ds(config, options, ca_enabled,
                                remote_api,
                                ca_file=cafile,
                                pkcs12_info=dirsrv_pkcs12_info,
                                fstore=fstore)

        # Always try to install DNS records
        install_dns_records(config, options, remote_api, fstore=fstore)

    finally:
        if conn.isconnected():
            conn.disconnect()

        # Create the management framework config file. Do this irregardless
        # of the state of DS installation. Even if it fails,
        # we need to have master-like configuration in order to perform a
        # successful uninstallation
        # The configuration creation has to be here otherwise previous call
        # To config certmonger would try to connect to local server
        create_ipa_conf(fstore, config, ca_enabled)

    krb = install_krb(
        config,
        setup_pkinit=not options.no_pkinit,
        pkcs12_info=pkinit_pkcs12_info,
        fstore=fstore)

    # We need to point to the master when certmonger asks for
    # a DS or HTTP certificate.
    # During http installation, the <service>/hostname principal is
    # created locally then the installer waits for the entry to appear
    # on the master selected for the installation.
    # In a later step, the installer requests a SSL certificate through
    # Certmonger (and the op adds the principal if it does not exist yet).
    # If xmlrpc_uri points to the soon-to-be replica,
    # the httpd service is not ready yet to handle certmonger requests
    # and certmonger tries to find another master. The master can be
    # different from the one selected for the installation, and it is
    # possible that the principal has not been replicated yet. This
    # may lead to a replication conflict.
    # This is why we need to force the use of the same master by
    # setting xmlrpc_uri
    create_ipa_conf(fstore, config, ca_enabled,
                    master=config.master_host_name)

    # we now need to enable ssl on the ds
    ds.enable_ssl()

    install_http(
        config,
        auto_redirect=not options.no_ui_redirect,
        pkcs12_info=http_pkcs12_info,
        ca_is_configured=ca_enabled,
        ca_file=cafile,
        fstore=fstore)

    # Need to point back to ourself after the cert for HTTP is obtained
    create_ipa_conf(fstore, config, ca_enabled)

    otpd = otpdinstance.OtpdInstance()
    otpd.create_instance('OTPD', config.host_name,
                         ipautil.realm_to_suffix(config.realm_name))

    if kra_enabled:
        # A KRA peer always provides a CA, too.
        mode = custodiainstance.CustodiaModes.KRA_PEER
    elif ca_enabled:
        mode = custodiainstance.CustodiaModes.CA_PEER
    else:
        mode = custodiainstance.CustodiaModes.MASTER_PEER
    custodia = custodiainstance.get_custodia_instance(config, mode)
    custodia.create_instance()

    if ca_enabled:
        options.realm_name = config.realm_name
        options.domain_name = config.domain_name
        options.host_name = config.host_name
        options.dm_password = config.dirman_password
        ca.install(False, config, options, custodia=custodia)

    # configure PKINIT now that all required services are in place
    krb.enable_ssl()

    # Apply any LDAP updates. Needs to be done after the replica is synced-up
    service.print_msg("Applying LDAP updates")
    ds.apply_updates()
    service.print_msg("Finalize replication settings")
    ds.finalize_replica_config()

    if kra_enabled:
        kra.install(api, config, options, custodia=custodia)

    service.print_msg("Restarting the KDC")
    krb.restart()

    custodia.import_dm_password()
    promote_sssd(config.host_name)
    promote_openldap_conf(config.host_name, config.master_host_name)

    if options.setup_dns:
        dns.install(False, True, options, api)

    if options.setup_adtrust:
        adtrust.install(False, options, fstore, api)

    if options.hidden_replica:
        # Set services to hidden
        service.hide_services(config.host_name)
    else:
        # Enable configured services
        service.enable_services(config.host_name)
    # update DNS SRV records. Although it's only really necessary in
    # enabled-service case, also perform update in hidden replica case.
    api.Command.dns_update_system_records()

    ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
    api.Backend.ldap2.disconnect()

    # Everything installed properly, activate ipa service.
    services.knownservices.ipa.enable()

    # Print a warning if CA role is only installed on one server
    if len(ca_servers) == 1:
        msg = textwrap.dedent(u'''
            WARNING: The CA service is only installed on one server ({}).
            It is strongly recommended to install it on another server.
            Run ipa-ca-install(1) on another master to accomplish this.
        '''.format(ca_servers[0]))
        print(msg, file=sys.stderr)
예제 #4
0
def install(installer):
    options = installer
    ca_enabled = installer._ca_enabled
    kra_enabled = installer._kra_enabled
    fstore = installer._fstore
    config = installer._config
    cafile = installer._ca_file
    dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
    http_pkcs12_info = installer._http_pkcs12_info
    pkinit_pkcs12_info = installer._pkinit_pkcs12_info

    remote_api = installer._remote_api
    conn = remote_api.Backend.ldap2
    ccache = os.environ['KRB5CCNAME']

    if tasks.configure_pkcs11_modules(fstore):
        print("Disabled p11-kit-proxy")

    if installer._add_to_ipaservers:
        try:
            conn.connect(ccache=installer._ccache)
            remote_api.Command['hostgroup_add_member'](
                u'ipaservers',
                host=[unicode(api.env.host)],
            )
        finally:
            if conn.isconnected():
                conn.disconnect()
            os.environ['KRB5CCNAME'] = ccache
    config.dirman_password = ipautil.ipa_generate_password()

    # FIXME: allow to use passed in certs instead
    if ca_enabled:
        configure_certmonger()

    try:
        conn.connect(ccache=ccache)

        # Update and istall updated CA file
        cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
        install_ca_cert(conn,
                        api.env.basedn,
                        api.env.realm,
                        cafile,
                        destfile=paths.KDC_CA_BUNDLE_PEM)
        install_ca_cert(conn,
                        api.env.basedn,
                        api.env.realm,
                        cafile,
                        destfile=paths.CA_BUNDLE_PEM)

        # Configure dirsrv
        ds = install_replica_ds(config,
                                options,
                                ca_enabled,
                                remote_api,
                                ca_file=cafile,
                                pkcs12_info=dirsrv_pkcs12_info,
                                fstore=fstore)

        # Always try to install DNS records
        install_dns_records(config, options, remote_api, fstore=fstore)

    finally:
        if conn.isconnected():
            conn.disconnect()

        # Create the management framework config file. Do this irregardless
        # of the state of DS installation. Even if it fails,
        # we need to have master-like configuration in order to perform a
        # successful uninstallation
        # The configuration creation has to be here otherwise previous call
        # To config certmonger would try to connect to local server
        create_ipa_conf(fstore, config, ca_enabled)

    krb = install_krb(config,
                      setup_pkinit=not options.no_pkinit,
                      pkcs12_info=pkinit_pkcs12_info,
                      fstore=fstore)

    # We need to point to the master when certmonger asks for
    # a DS or HTTP certificate.
    # During http installation, the <service>/hostname principal is
    # created locally then the installer waits for the entry to appear
    # on the master selected for the installation.
    # In a later step, the installer requests a SSL certificate through
    # Certmonger (and the op adds the principal if it does not exist yet).
    # If xmlrpc_uri points to the soon-to-be replica,
    # the httpd service is not ready yet to handle certmonger requests
    # and certmonger tries to find another master. The master can be
    # different from the one selected for the installation, and it is
    # possible that the principal has not been replicated yet. This
    # may lead to a replication conflict.
    # This is why we need to force the use of the same master by
    # setting xmlrpc_uri
    create_ipa_conf(fstore, config, ca_enabled, master=config.master_host_name)

    # we now need to enable ssl on the ds
    ds.enable_ssl()

    install_http(config,
                 auto_redirect=not options.no_ui_redirect,
                 pkcs12_info=http_pkcs12_info,
                 ca_is_configured=ca_enabled,
                 ca_file=cafile,
                 fstore=fstore)

    # Need to point back to ourself after the cert for HTTP is obtained
    create_ipa_conf(fstore, config, ca_enabled)

    otpd = otpdinstance.OtpdInstance()
    otpd.create_instance('OTPD', config.host_name,
                         ipautil.realm_to_suffix(config.realm_name))

    if kra_enabled:
        # A KRA peer always provides a CA, too.
        mode = custodiainstance.CustodiaModes.KRA_PEER
    elif ca_enabled:
        mode = custodiainstance.CustodiaModes.CA_PEER
    else:
        mode = custodiainstance.CustodiaModes.MASTER_PEER
    custodia = custodiainstance.get_custodia_instance(config, mode)
    custodia.create_instance()

    if ca_enabled:
        options.realm_name = config.realm_name
        options.domain_name = config.domain_name
        options.host_name = config.host_name
        options.dm_password = config.dirman_password
        ca.install(False, config, options, custodia=custodia)

    # configure PKINIT now that all required services are in place
    krb.enable_ssl()

    # Apply any LDAP updates. Needs to be done after the replica is synced-up
    service.print_msg("Applying LDAP updates")
    ds.apply_updates()
    service.print_msg("Finalize replication settings")
    ds.finalize_replica_config()

    if kra_enabled:
        kra.install(api, config, options, custodia=custodia)

    service.print_msg("Restarting the KDC")
    krb.restart()

    custodia.import_dm_password()
    promote_sssd(config.host_name)
    promote_openldap_conf(config.host_name, config.master_host_name)

    if options.setup_dns:
        dns.install(False, True, options, api)

    if options.setup_adtrust:
        adtrust.install(False, options, fstore, api)

    if options.hidden_replica:
        # Set services to hidden
        service.hide_services(config.host_name)
    else:
        # Enable configured services
        service.enable_services(config.host_name)
    # update DNS SRV records. Although it's only really necessary in
    # enabled-service case, also perform update in hidden replica case.
    api.Command.dns_update_system_records()

    ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
    api.Backend.ldap2.disconnect()

    # Everything installed properly, activate ipa service.
    services.knownservices.ipa.enable()

    # Print a warning if CA role is only installed on one server
    if len(ca_servers) == 1:
        msg = textwrap.dedent(u'''
            WARNING: The CA service is only installed on one server ({}).
            It is strongly recommended to install it on another server.
            Run ipa-ca-install(1) on another master to accomplish this.
        '''.format(ca_servers[0]))
        print(msg, file=sys.stderr)