def execute(self, **options): update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated') if update_done: root_logger.debug("PassSync privilege update not needed") return False, [] root_logger.debug("Add PassSync user as a member of PassSync privilege") ldap = self.api.Backend.ldap2 passsync_dn = DN(('uid','passsync'), ('cn', 'sysaccounts'), ('cn', 'etc'), self.api.env.basedn) passsync_privilege_dn = DN(('cn','PassSync Service'), self.api.env.container_privilege, self.api.env.basedn) try: entry = ldap.get_entry(passsync_dn, ['']) except errors.NotFound: root_logger.debug("PassSync user not found, no update needed") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, [] else: root_logger.debug("PassSync user found, do update") update = {'dn': passsync_privilege_dn, 'updates': ["add:member:'%s'" % passsync_dn]} sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, [update]
def store_version(): """Store current data version and platform. This is required for check if upgrade is required. """ sysupgrade.set_upgrade_state('ipa', 'data_version', version.VENDOR_VERSION) sysupgrade.set_upgrade_state('ipa', 'platform', ipaplatform.NAME)
def __certmap_conf(self): write_certmap_conf(self.realm, self.ca_subject) sysupgrade.set_upgrade_state( 'certmap.conf', 'subject_base', str(self.subject_base) )
def __certmap_conf(self): shutil.copyfile( os.path.join(paths.USR_SHARE_IPA_DIR, "certmap.conf.template"), os.path.join(config_dirname(self.serverid), "certmap.conf"), ) installutils.update_file( config_dirname(self.serverid) + "certmap.conf", "$SUBJECT_BASE", str(self.subject_base) ) sysupgrade.set_upgrade_state("certmap.conf", "subject_base", str(self.subject_base))
def create_instance(self): suffix = ipautil.realm_to_suffix(self.realm) self.step("Generating ipa-custodia config file", self.__config_file) self.step("Making sure custodia container exists", self.__create_container) self.step("Generating ipa-custodia keys", self.__gen_keys) super(CustodiaInstance, self).create_instance( gensvc_name="KEYS", fqdn=self.fqdn, ldap_suffix=suffix, realm=self.realm ) sysupgrade.set_upgrade_state("custodia", "installed", True)
def __certmap_conf(self): shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template", config_dirname(self.serverid) + "certmap.conf") installutils.update_file(config_dirname(self.serverid) + "certmap.conf", '$SUBJECT_BASE', str(self.subject_base)) sysupgrade.set_upgrade_state( 'certmap.conf', 'subject_base', str(self.subject_base) )
def create_instance(self, dm_password=None): suffix = ipautil.realm_to_suffix(self.realm) self.step("Generating ipa-custodia config file", self.__config_file) self.step("Making sure custodia container exists", self.__create_container) self.step("Generating ipa-custodia keys", self.__gen_keys) super(CustodiaInstance, self).create_instance(gensvc_name='KEYS', fqdn=self.fqdn, dm_password=dm_password, ldap_suffix=suffix, realm=self.realm) sysupgrade.set_upgrade_state('custodia', 'installed', True)
def execute(self, **options): if sysupgrade.get_upgrade_state('sidgen', 'config_basedn_updated'): self.log.debug("Already done, skipping") return False, () restart = False if self._fix_config(): sysupgrade.set_upgrade_state('sidgen', 'update_sids', True) restart = True # DS has to be restarted to apply changes sysupgrade.set_upgrade_state('sidgen', 'config_basedn_updated', True) return restart, ()
def ntp_ldap_enable(fqdn, base_dn, realm): ntp = NTPInstance(realm=realm) is_exposed_in_ldap = sysupgrade.get_upgrade_state( 'ntp', NTP_EXPOSED_IN_LDAP) was_running = ntp.is_running() if ntp.is_configured() and not is_exposed_in_ldap: ntp.ldap_enable('NTP', fqdn, None, base_dn) sysupgrade.set_upgrade_state('ntp', NTP_EXPOSED_IN_LDAP, True) if was_running: ntp.start()
def change_mod_nss_port_from_http(self): # mod_ssl enforces SSLEngine on for vhost on 443 even though # the listener is mod_nss. This then crashes the httpd as mod_nss # listened port obviously does not match mod_ssl requirements. # # The workaround for this was to change port to http. It is no longer # necessary, as mod_nss now ships with default configuration which # sets SSLEngine off when mod_ssl is installed. # # Remove the workaround. if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443', quotes=False) sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
def uninstall(self): super(CustodiaInstance, self).uninstall() keystore = IPAKEMKeys({ 'server_keys': self.server_keys, 'ldap_uri': self.ldap_uri }) # Call remove_server_keys_file explicitly to ensure that the key # file is always removed. keystore.remove_server_keys_file() try: keystore.remove_server_keys() except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN): logger.debug( "Cannot remove custodia keys now, server_del takes care of " "them later." ) installutils.remove_file(self.config_file) sysupgrade.set_upgrade_state('custodia', 'installed', False)
def reindex_task(self, force=False): """Reindex ipaca entries pkispawn sometimes does not run its indextasks. This leads to slow unindexed filters on attributes such as description, which is used to log in with a certificate. Explicitly reindex attribute that should have been reindexed by CA's indextasks.ldif. See https://pagure.io/dogtagpki/issue/3083 """ state_name = 'reindex_task' if not force and sysupgrade.get_upgrade_state('dogtag', state_name): return cn = "indextask_ipaca_{}".format(int(time.time())) dn = DN( ('cn', cn), ('cn', 'index'), ('cn', 'tasks'), ('cn', 'config') ) entry = api.Backend.ldap2.make_entry( dn, objectClass=['top', 'extensibleObject'], cn=[cn], nsInstance=['ipaca'], # Dogtag PKI database nsIndexAttribute=[ # from pki/base/ca/shared/conf/indextasks.ldif 'archivedBy', 'certstatus', 'clientId', 'dataType', 'dateOfCreate', 'description', 'duration', 'extension', 'issuedby', 'issuername', 'metaInfo', 'notafter', 'notbefore', 'ownername', 'publicKeyData', 'requestid', 'requestowner', 'requestsourceid', 'requeststate', 'requesttype', 'revInfo', 'revokedOn', 'revokedby', 'serialno', 'status', 'subjectname', ], ttl=[10], ) logger.debug('Creating ipaca reindex task %s', dn) api.Backend.ldap2.add_entry(entry) logger.debug('Waiting for task...') exitcode = replication.wait_for_task(api.Backend.ldap2, dn) logger.debug( 'Task %s has finished with exit code %i', dn, exitcode ) sysupgrade.set_upgrade_state('dogtag', state_name, True)
def __recover_from_missing_maps(self, ldap): # https://fedorahosted.org/freeipa/ticket/5507 # if all following DNs are missing, but 'NIS Server' container exists # we are experiencig bug and maps should be fixed if sysupgrade.get_upgrade_state('nis', 'done_recover_from_missing_maps'): # this recover must be done only once, a user may deleted some # maps, we do not want to restore them again return logger.debug("Recovering from missing NIS maps bug") suffix = "cn=NIS Server,cn=plugins,cn=config" domain = self.api.env.domain missing_dn_list = [ DN(nis_map.format(domain=domain, suffix=suffix)) for nis_map in [ "nis-domain={domain}+nis-map=passwd.byname,{suffix}", "nis-domain={domain}+nis-map=passwd.byuid,{suffix}", "nis-domain={domain}+nis-map=group.byname,{suffix}", "nis-domain={domain}+nis-map=group.bygid,{suffix}", "nis-domain={domain}+nis-map=netid.byname,{suffix}", "nis-domain={domain}+nis-map=netgroup,{suffix}", ] ] for dn in missing_dn_list: try: ldap.get_entry(dn, attrs_list=['cn']) except errors.NotFound: pass else: # bug is not effective, at least one of 'possible missing' # maps was detected return sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps', True) # bug is effective run update to recreate missing maps ld = LDAPUpdate(sub_dict={}, ldapi=True) ld.update([paths.NIS_ULDIF])
def __setup_server_configuration(self): ensure_dnsserver_container_exists(api.Backend.ldap2, self.api) try: self.api.Command.dnsserver_add( self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(), ) except errors.DuplicateEntry: # probably reinstallation of DNS pass try: self.api.Command.dnsserver_mod( self.fqdn, idnsforwarders=[unicode(f) for f in self.forwarders], idnsforwardpolicy=unicode(self.forward_policy) ) except errors.EmptyModlist: pass sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True)
def execute(self, **options): ldap = self.api.Backend.ldap2 dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) try: ldap.get_entry(dn, attrs_list=['cn']) except errors.NotFound: # NIS is not configured on system, do not execute update logger.debug("Skipping NIS update, NIS Server is not configured") # container does not exist, bug #5507 is not effective sysupgrade.set_upgrade_state( 'nis', 'done_recover_from_missing_maps', True) else: self.__recover_from_missing_maps(ldap) logger.debug("Executing NIS Server update") ld = LDAPUpdate(sub_dict={}, ldapi=True) ld.update([paths.NIS_UPDATE_ULDIF]) return False, ()
def execute(self, **options): ldap = self.api.Backend.ldap2 dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) try: ldap.get_entry(dn, attrs_list=['cn']) except errors.NotFound: # NIS is not configured on system, do not execute update logger.debug("Skipping NIS update, NIS Server is not configured") # container does not exist, bug #5507 is not effective sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps', True) else: self.__recover_from_missing_maps(ldap) logger.debug("Executing NIS Server update") ld = LDAPUpdate(sub_dict={}, ldapi=True) ld.update([paths.NIS_UPDATE_ULDIF]) return False, ()
def execute(self, **options): ldap = self.api.Backend.ldap2 if sysupgrade.get_upgrade_state('dns', 'server_config_to_ldap'): self.log.debug('upgrade is not needed') return False, [] dns_container_dn = DN(self.api.env.container_dns, self.api.env.basedn) try: ldap.get_entry(dns_container_dn) except errors.NotFound: self.log.debug('DNS container not found, nothing to upgrade') sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True) return False, [] result = self.api.Command.server_show(self.api.env.host)['result'] if not 'DNS server' in result.get('enabled_role_servrole', []): self.log.debug('This server is not DNS server, nothing to upgrade') sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True) return False, [] # create container first, if doesn't exist ensure_dnsserver_container_exists(ldap, self.api, logger=self.log) try: self.api.Command.dnsserver_add(self.api.env.host) except errors.DuplicateEntry: self.log.debug("DNS server configuration already exists " "in LDAP database") else: self.log.debug("DNS server configuration has been sucessfully " "created in LDAP database") sysupgrade.set_upgrade_state('dns', 'server_config_to_ldap', True) return False, []
def __setup_named_conf(self): if not self.fstore.has_file(NAMED_CONF): self.fstore.backup_file(NAMED_CONF) named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict) named_fd = open(NAMED_CONF, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(named_txt) named_fd.close() if self.no_dnssec_validation: # disable validation named_conf_set_directive("dnssec-validation", "no", section=NAMED_SECTION_OPTIONS, str_val=False) # prevent repeated upgrade on new installs sysupgrade.set_upgrade_state( 'named.conf', 'forward_policy_conflict_with_empty_zones_handled', True )
def execute(self, **options): update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated') if update_done: root_logger.debug("PassSync privilege update pre-check not needed") return False, [] root_logger.debug("Check if there is existing PassSync privilege") passsync_privilege_dn = DN(('cn','PassSync Service'), self.api.env.container_privilege, self.api.env.basedn) ldap = self.api.Backend.ldap2 try: ldap.get_entry(passsync_privilege_dn, ['']) except errors.NotFound: root_logger.debug("PassSync privilege not found, this is a new update") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', False) else: root_logger.debug("PassSync privilege found, skip updating PassSync") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, []
def __setup_named_conf(self): if not self.fstore.has_file(NAMED_CONF): self.fstore.backup_file(NAMED_CONF) named_txt = ipautil.template_file( ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict) named_fd = open(NAMED_CONF, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(named_txt) named_fd.close() if self.no_dnssec_validation: # disable validation named_conf_set_directive("dnssec-validation", "no", section=NAMED_SECTION_OPTIONS, str_val=False) # prevent repeated upgrade on new installs sysupgrade.set_upgrade_state( 'named.conf', 'forward_policy_conflict_with_empty_zones_handled', True)
def execute(self, **options): update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated') if update_done: logger.debug("PassSync privilege update pre-check not needed") return False, [] logger.debug("Check if there is existing PassSync privilege") passsync_privilege_dn = DN(('cn','PassSync Service'), self.api.env.container_privilege, self.api.env.basedn) ldap = self.api.Backend.ldap2 try: ldap.get_entry(passsync_privilege_dn, ['']) except errors.NotFound: logger.debug("PassSync privilege not found, this is a new update") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', False) else: logger.debug("PassSync privilege found, skip updating PassSync") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, []
def execute(self, **options): update_done = sysupgrade.get_upgrade_state( 'winsync', 'passsync_privilege_updated') if update_done: root_logger.debug("PassSync privilege update not needed") return False, [] root_logger.debug( "Add PassSync user as a member of PassSync privilege") ldap = self.api.Backend.ldap2 passsync_dn = DN(('uid', 'passsync'), ('cn', 'sysaccounts'), ('cn', 'etc'), self.api.env.basedn) passsync_privilege_dn = DN(('cn', 'PassSync Service'), self.api.env.container_privilege, self.api.env.basedn) try: ldap.get_entry(passsync_dn, ['']) except errors.NotFound: root_logger.debug("PassSync user not found, no update needed") sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, [] else: root_logger.debug("PassSync user found, do update") update = { 'dn': passsync_privilege_dn, 'updates': [ dict(action='add', attr='member', value=passsync_dn), ] } sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True) return False, [update]
def disable_mod_ssl_ocsp(self): if sysupgrade.get_upgrade_state('http', OCSP_ENABLED) is None: self.__disable_mod_ssl_ocsp() sysupgrade.set_upgrade_state('http', OCSP_ENABLED, False)
def __setup_ssl(self): key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host) with open(key_passwd_file, 'wb') as f: os.fchmod(f.fileno(), 0o600) pkey_passwd = ipautil.ipa_generate_password().encode('utf-8') f.write(pkey_passwd) if self.pkcs12_info: p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys( *self.pkcs12_info) keys_dict = { k.public_key().public_numbers(): k for k in p12_priv_keys } certs_keys = [ (c, keys_dict.get(c.public_key().public_numbers())) for c in p12_certs ] server_certs_keys = [ (c, k) for c, k in certs_keys if k is not None ] if not server_certs_keys: raise RuntimeError( "Could not find a suitable server cert in import in %s" % self.pkcs12_info[0] ) # We only handle one server cert self.cert = server_certs_keys[0][0] x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE) x509.write_pem_private_key( server_certs_keys[0][1], paths.HTTPD_KEY_FILE, passwd=pkey_passwd ) if self.ca_is_configured: self.start_tracking_certificates() self.add_cert_to_service() else: if not self.promote: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: certmonger.request_and_wait_for_cert( certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE), principal=self.principal, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd', storage='FILE', passwd_fname=key_passwd_file ) finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) self.cert = x509.load_certificate_from_file( paths.HTTPD_CERT_FILE ) if prev_helper is not None: self.add_cert_to_service() with open(paths.HTTPD_KEY_FILE, 'rb') as f: priv_key = x509.load_pem_private_key( f.read(), pkey_passwd, backend=x509.default_backend()) # Verify we have a valid server cert if (priv_key.public_key().public_numbers() != self.cert.public_key().public_numbers()): raise RuntimeError( "The public key of the issued HTTPD service certificate " "does not match its private key.") sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def __certmap_conf(self): write_certmap_conf(self.realm, self.ca_subject) sysupgrade.set_upgrade_state('certmap.conf', 'subject_base', str(self.subject_base))
def store_version(): """Store current data version and platform. This is required for check if upgrade is required. """ sysupgrade.set_upgrade_state('ipa', 'data_version', version.VENDOR_VERSION) sysupgrade.set_upgrade_state('ipa', 'platform', get_current_platform())
def __setup_ssl(self): key_passwd_file = paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host) with open(key_passwd_file, 'wb') as f: os.fchmod(f.fileno(), 0o600) pkey_passwd = ipautil.ipa_generate_password().encode('utf-8') f.write(pkey_passwd) if self.pkcs12_info: p12_certs, p12_priv_keys = certs.pkcs12_to_certkeys( *self.pkcs12_info) keys_dict = { k.public_key().public_numbers(): k for k in p12_priv_keys } certs_keys = [(c, keys_dict.get(c.public_key().public_numbers())) for c in p12_certs] server_certs_keys = [(c, k) for c, k in certs_keys if k is not None] if not server_certs_keys: raise RuntimeError( "Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) # We only handle one server cert self.cert = server_certs_keys[0][0] x509.write_certificate(self.cert, paths.HTTPD_CERT_FILE) x509.write_pem_private_key(server_certs_keys[0][1], paths.HTTPD_KEY_FILE, passwd=pkey_passwd) if self.ca_is_configured: self.start_tracking_certificates() self.add_cert_to_service() else: if not self.promote: ca_args = [ paths.CERTMONGER_DOGTAG_SUBMIT, '--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn, '--certfile', paths.RA_AGENT_PEM, '--keyfile', paths.RA_AGENT_KEY, '--cafile', paths.IPA_CA_CRT, '--agent-submit' ] helper = " ".join(ca_args) prev_helper = certmonger.modify_ca_helper('IPA', helper) else: prev_helper = None try: certmonger.request_and_wait_for_cert( certpath=(paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE), principal=self.principal, subject=str(DN(('CN', self.fqdn), self.subject_base)), ca='IPA', profile=dogtag.DEFAULT_PROFILE, dns=[self.fqdn], post_command='restart_httpd', storage='FILE', passwd_fname=key_passwd_file) finally: if prev_helper is not None: certmonger.modify_ca_helper('IPA', prev_helper) self.cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE) if prev_helper is not None: self.add_cert_to_service() with open(paths.HTTPD_KEY_FILE, 'rb') as f: priv_key = x509.load_pem_private_key( f.read(), pkey_passwd, backend=x509.default_backend()) # Verify we have a valid server cert if (priv_key.public_key().public_numbers() != self.cert.public_key().public_numbers()): raise RuntimeError( "The public key of the issued HTTPD service certificate " "does not match its private key.") sysupgrade.set_upgrade_state('ssl.conf', 'migrated_to_mod_ssl', True)
def install_step_0(standalone, replica_config, options, custodia): realm_name = options.realm_name dm_password = options.dm_password host_name = options.host_name ca_subject = options._ca_subject subject_base = options._subject_base external_ca_profile = None if replica_config is None: ca_signing_algorithm = options.ca_signing_algorithm if options.external_ca: ca_type = options.external_ca_type external_ca_profile = options.external_ca_profile csr_file = paths.ROOT_IPA_CSR else: ca_type = None csr_file = None if options.external_cert_files: cert_file = external_cert_file.name cert_chain_file = external_ca_file.name else: cert_file = None cert_chain_file = None pkcs12_info = None master_host = None master_replication_port = None ra_p12 = None ra_only = False promote = False else: cafile = os.path.join(replica_config.dir, 'cacert.p12') custodia.get_ca_keys( cafile, replica_config.dirman_password) ca_signing_algorithm = None ca_type = None csr_file = None cert_file = None cert_chain_file = None pkcs12_info = (cafile,) master_host = replica_config.ca_host_name master_replication_port = replica_config.ca_ds_port ra_p12 = os.path.join(replica_config.dir, 'ra.p12') ra_only = not replica_config.setup_ca promote = True # if upgrading from CA-less to CA-ful, need to rewrite # certmap.conf and subject_base configuration # set_subject_base_in_config(subject_base) sysupgrade.set_upgrade_state( 'certmap.conf', 'subject_base', str(subject_base)) dsinstance.write_certmap_conf(realm_name, ca_subject) # use secure ldaps when installing a replica or upgrading to CA-ful # In both cases, 389-DS is already configured to have a trusted cert. use_ldaps = standalone or replica_config is not None ca = cainstance.CAInstance( realm=realm_name, host_name=host_name, custodia=custodia ) ca.configure_instance( host_name, dm_password, dm_password, subject_base=subject_base, ca_subject=ca_subject, ca_signing_algorithm=ca_signing_algorithm, ca_type=ca_type, external_ca_profile=external_ca_profile, csr_file=csr_file, cert_file=cert_file, cert_chain_file=cert_chain_file, pkcs12_info=pkcs12_info, master_host=master_host, master_replication_port=master_replication_port, ra_p12=ra_p12, ra_only=ra_only, promote=promote, use_ldaps=use_ldaps, pki_config_override=options.pki_config_override, )
def execute(self, **options): ldap = self.api.Backend.ldap2 if sysupgrade.get_upgrade_state('sidgen', 'update_sids') is not True: self.log.debug("SIDs do not need to be generated") return False, () # check if IPA domain for AD trust has been created, and if we need to # regenerate missing SIDs if attribute 'ipaNTSecurityIdentifier' domain_IPA_AD_dn = DN( ('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) attr_name = 'ipaNTSecurityIdentifier' try: entry = ldap.get_entry(domain_IPA_AD_dn, attrs_list=[attr_name]) except errors.NotFound: self.log.debug("IPA domain object %s is not configured", domain_IPA_AD_dn) sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) return False, () else: if not entry.single_value.get(attr_name): # we need to run sidgen task sidgen_task_dn = DN( "cn=generate domain sid,cn=ipa-sidgen-task,cn=tasks," "cn=config") sidgen_tasks_attr = { "objectclass": ["top", "extensibleObject"], "cn": ["sidgen"], "delay": [0], "nsslapd-basedn": [self.api.env.basedn], } task_entry = ldap.make_entry(sidgen_task_dn, **sidgen_tasks_attr) try: ldap.add_entry(task_entry) except errors.DuplicateEntry: self.log.debug("sidgen task already created") else: self.log.debug("sidgen task has been created") # we have to check all trusts domains which may been affected by the # bug. Symptom is missing 'ipaNTSecurityIdentifier' attribute base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn) try: trust_domain_entries, truncated = ldap.find_entries( base_dn=base_dn, scope=ldap.SCOPE_ONELEVEL, attrs_list=["cn"], # more types of trusts can be stored under cn=trusts, we need # the type with ipaNTTrustPartner attribute filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name ) except errors.NotFound: pass else: if truncated: self.log.warning("update_sids: Search results were truncated") for entry in trust_domain_entries: domain = entry.single_value["cn"] self.log.error( "Your trust to %s is broken. Please re-create it by " "running 'ipa trust-add' again.", domain) sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) return False, ()
def install_step_0(standalone, replica_config, options, custodia): realm_name = options.realm_name dm_password = options.dm_password host_name = options.host_name ca_subject = options._ca_subject subject_base = options._subject_base external_ca_profile = None if replica_config is None: ca_signing_algorithm = options.ca_signing_algorithm if options.external_ca: ca_type = options.external_ca_type external_ca_profile = options.external_ca_profile csr_file = paths.ROOT_IPA_CSR else: ca_type = None csr_file = None if options.external_cert_files: cert_file = external_cert_file.name cert_chain_file = external_ca_file.name else: cert_file = None cert_chain_file = None pkcs12_info = None master_host = None master_replication_port = None ra_p12 = None ra_only = False promote = False else: cafile = os.path.join(replica_config.dir, 'cacert.p12') custodia.get_ca_keys(cafile, replica_config.dirman_password) ca_signing_algorithm = None ca_type = None csr_file = None cert_file = None cert_chain_file = None pkcs12_info = (cafile, ) master_host = replica_config.ca_host_name master_replication_port = replica_config.ca_ds_port ra_p12 = os.path.join(replica_config.dir, 'ra.p12') ra_only = not replica_config.setup_ca promote = True # if upgrading from CA-less to CA-ful, need to rewrite # certmap.conf and subject_base configuration # set_subject_base_in_config(subject_base) sysupgrade.set_upgrade_state('certmap.conf', 'subject_base', str(subject_base)) dsinstance.write_certmap_conf(realm_name, ca_subject) # use secure ldaps when installing a replica or upgrading to CA-ful # In both cases, 389-DS is already configured to have a trusted cert. use_ldaps = standalone or replica_config is not None ca = cainstance.CAInstance(realm=realm_name, host_name=host_name, custodia=custodia) ca.configure_instance( host_name, dm_password, dm_password, subject_base=subject_base, ca_subject=ca_subject, ca_signing_algorithm=ca_signing_algorithm, ca_type=ca_type, external_ca_profile=external_ca_profile, csr_file=csr_file, cert_file=cert_file, cert_chain_file=cert_chain_file, pkcs12_info=pkcs12_info, master_host=master_host, master_replication_port=master_replication_port, ra_p12=ra_p12, ra_only=ra_only, promote=promote, use_ldaps=use_ldaps, pki_config_override=options.pki_config_override, )
def install_step_0(standalone, replica_config, options): realm_name = options.realm_name dm_password = options.dm_password host_name = options.host_name ca_subject = options._ca_subject subject_base = options._subject_base if replica_config is None: ca_signing_algorithm = options.ca_signing_algorithm if options.external_ca: ca_type = options.external_ca_type csr_file = paths.ROOT_IPA_CSR else: ca_type = None csr_file = None if options.external_cert_files: cert_file = external_cert_file.name cert_chain_file = external_ca_file.name else: cert_file = None cert_chain_file = None pkcs12_info = None master_host = None master_replication_port = None ra_p12 = None ra_only = False promote = False else: cafile = os.path.join(replica_config.dir, 'cacert.p12') if options.promote: custodia = custodiainstance.CustodiaInstance( replica_config.host_name, replica_config.realm_name) custodia.get_ca_keys(replica_config.ca_host_name, cafile, replica_config.dirman_password) ca_signing_algorithm = None ca_type = None csr_file = None cert_file = None cert_chain_file = None pkcs12_info = (cafile, ) master_host = replica_config.ca_host_name master_replication_port = replica_config.ca_ds_port ra_p12 = os.path.join(replica_config.dir, 'ra.p12') ra_only = not replica_config.setup_ca promote = options.promote # if upgrading from CA-less to CA-ful, need to rewrite # certmap.conf and subject_base configuration # set_subject_base_in_config(subject_base) sysupgrade.set_upgrade_state('certmap.conf', 'subject_base', str(subject_base)) dsinstance.write_certmap_conf(realm_name, ca_subject) ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR, host_name=host_name) ca.configure_instance(host_name, dm_password, dm_password, subject_base=subject_base, ca_subject=ca_subject, ca_signing_algorithm=ca_signing_algorithm, ca_type=ca_type, csr_file=csr_file, cert_file=cert_file, cert_chain_file=cert_chain_file, pkcs12_info=pkcs12_info, master_host=master_host, master_replication_port=master_replication_port, ra_p12=ra_p12, ra_only=ra_only, promote=promote, use_ldaps=standalone)
def execute(self, **options): ldap = self.api.Backend.ldap2 if sysupgrade.get_upgrade_state('sidgen', 'update_sids') is not True: logger.debug("SIDs do not need to be generated") return False, () # check if IPA domain for AD trust has been created, and if we need to # regenerate missing SIDs if attribute 'ipaNTSecurityIdentifier' domain_IPA_AD_dn = DN( ('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) attr_name = 'ipaNTSecurityIdentifier' try: entry = ldap.get_entry(domain_IPA_AD_dn, attrs_list=[attr_name]) except errors.NotFound: logger.debug("IPA domain object %s is not configured", domain_IPA_AD_dn) sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) return False, () else: if not entry.single_value.get(attr_name): # we need to run sidgen task sidgen_task_dn = DN( "cn=generate domain sid,cn=ipa-sidgen-task,cn=tasks," "cn=config") sidgen_tasks_attr = { "objectclass": ["top", "extensibleObject"], "cn": ["sidgen"], "delay": [0], "nsslapd-basedn": [self.api.env.basedn], } task_entry = ldap.make_entry(sidgen_task_dn, **sidgen_tasks_attr) try: ldap.add_entry(task_entry) except errors.DuplicateEntry: logger.debug("sidgen task already created") else: logger.debug("sidgen task has been created") # we have to check all trusts domains which may been affected by the # bug. Symptom is missing 'ipaNTSecurityIdentifier' attribute base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn) try: trust_domain_entries, truncated = ldap.find_entries( base_dn=base_dn, scope=ldap.SCOPE_ONELEVEL, attrs_list=["cn"], # more types of trusts can be stored under cn=trusts, we need # the type with ipaNTTrustPartner attribute filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name ) except errors.NotFound: pass else: if truncated: logger.warning("update_sids: Search results were truncated") for entry in trust_domain_entries: domain = entry.single_value["cn"] logger.error( "Your trust to %s is broken. Please re-create it by " "running 'ipa trust-add' again.", domain) sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) return False, ()