def ask_for_options(self): options = self.options super(ReplicaPrepare, self).ask_for_options() # get the directory manager password self.dirman_password = options.password if not options.password: self.dirman_password = installutils.read_password( "Directory Manager (existing master)", confirm=False, validate=False) if self.dirman_password is None: raise admintool.ScriptError( "Directory Manager password required") # Try out the password & get the subject base api.Backend.ldap2.disconnect() try: api.Backend.ldap2.connect(bind_pw=self.dirman_password) entry_attrs = api.Backend.ldap2.get_ipa_config() self.subject_base = entry_attrs.get('ipacertificatesubjectbase', [None])[0] ca_enabled = api.Command.ca_is_enabled()['result'] except errors.ACIError: raise admintool.ScriptError("The password provided is incorrect " "for LDAP server %s" % api.env.host) except errors.LDAPError: raise admintool.ScriptError("Unable to connect to LDAP server %s" % api.env.host) except errors.DatabaseError as e: raise admintool.ScriptError(e.desc) if ca_enabled and not ipautil.file_exists(paths.CA_CS_CFG_PATH): raise admintool.ScriptError( "CA is not installed on this server. " "ipa-replica-prepare must be run on an IPA server with CA.") if not ca_enabled and not options.http_cert_files: raise admintool.ScriptError( "Cannot issue certificates: a CA is not installed. Use the " "--http-cert-file, --dirsrv-cert-file options to provide " "custom certificates.") if self.subject_base is not None: self.subject_base = DN(self.subject_base) # Validate more options using the password try: installutils.verify_fqdn(self.replica_fqdn, local_hostname=False) except installutils.BadHostError as e: if isinstance(e, installutils.HostLookupError): if not options.ip_addresses: if dns_container_exists(api.env.basedn): logger.info('You might use the --ip-address option ' 'to create a DNS entry if the DNS zone ' 'is managed by IPA.') raise else: # The host doesn't exist in DNS but we're adding it. pass else: raise if options.ip_addresses: if not dns_container_exists(api.env.basedn): logger.error( "It is not possible to add a DNS record automatically " "because DNS is not managed by IPA. Please create DNS " "record manually and then omit --ip-address option.") raise admintool.ScriptError("Cannot add DNS record") options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) _host, zone = self.replica_fqdn.split('.', 1) if not bindinstance.dns_zone_exists(zone, api=api): logger.error( "DNS zone %s does not exist in IPA managed DNS " "server. Either create DNS zone or omit " "--ip-address option.", zone) raise admintool.ScriptError("Cannot add DNS record") self.http_pin = self.dirsrv_pin = None if options.http_cert_files: if options.http_pin is None: options.http_pin = installutils.read_password( "Enter Apache Server private key unlock", confirm=False, validate=False, retry=False) if options.http_pin is None: raise admintool.ScriptError( "Apache Server private key unlock password required") http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12( options.http_cert_files, options.http_pin, options.http_cert_name) self.http_pkcs12_file = http_pkcs12_file self.http_pin = http_pin if options.dirsrv_cert_files: if options.dirsrv_pin is None: options.dirsrv_pin = installutils.read_password( "Enter Directory Server private key unlock", confirm=False, validate=False, retry=False) if options.dirsrv_pin is None: raise admintool.ScriptError( "Directory Server private key unlock password required" ) dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12( options.dirsrv_cert_files, options.dirsrv_pin, options.dirsrv_cert_name) self.dirsrv_pkcs12_file = dirsrv_pkcs12_file self.dirsrv_pin = dirsrv_pin if (options.http_cert_files and options.dirsrv_cert_files and http_ca_cert != dirsrv_ca_cert): raise admintool.ScriptError( "Apache Server SSL certificate and Directory Server SSL " "certificate are not signed by the same CA certificate")
def install_check(standalone, api, replica, options, hostname): global ip_addresses global reverse_zones fstore = sysrestore.FileStore(paths.SYSRESTORE) if not os.path.isfile(paths.IPA_DNS_INSTALL): raise RuntimeError("Integrated DNS requires '%s' package" % constants.IPA_DNS_PACKAGE_NAME) # when installing first DNS instance we need to check zone overlap if replica or standalone: already_enabled = api.Command.dns_is_enabled()['result'] else: already_enabled = False if not already_enabled: domain = dnsutil.DNSName(util.normalize_zone(api.env.domain)) print("Checking DNS domain %s, please wait ..." % domain) try: dnsutil.check_zone_overlap(domain, raise_on_error=False) except ValueError as e: if options.force or options.allow_zone_overlap: logger.warning("%s Please make sure that the domain is " "properly delegated to this IPA server.", e) else: raise e for reverse_zone in options.reverse_zones: try: dnsutil.check_zone_overlap(reverse_zone) except ValueError as e: if options.force or options.allow_zone_overlap: logger.warning('%s', six.text_type(e)) else: raise e if standalone: print("==============================================================================") print("This program will setup DNS for the FreeIPA Server.") print("") print("This includes:") print(" * Configure DNS (bind)") print(" * Configure SoftHSM (required by DNSSEC)") print(" * Configure ipa-dnskeysyncd (required by DNSSEC)") if options.dnssec_master: print(" * Configure ipa-ods-exporter (required by DNSSEC key master)") print(" * Configure OpenDNSSEC (required by DNSSEC key master)") print(" * Generate DNSSEC master key (required by DNSSEC key master)") elif options.disable_dnssec_master: print(" * Unconfigure ipa-ods-exporter") print(" * Unconfigure OpenDNSSEC") print("") print("No new zones will be signed without DNSSEC key master IPA server.") print("") print(("Please copy file from %s after uninstallation. This file is needed " "on new DNSSEC key " % paths.IPA_KASP_DB_BACKUP)) print("master server") print("") print("NOTE: DNSSEC zone signing is not enabled by default") print("") if options.dnssec_master: print("Plan carefully, replacing DNSSEC key master is not recommended") print("") print("") print("To accept the default shown in brackets, press the Enter key.") print("") if (options.dnssec_master and not options.unattended and not ipautil.user_input( "Do you want to setup this IPA server as DNSSEC key master?", False)): sys.exit("Aborted") elif (options.disable_dnssec_master and not options.unattended and not ipautil.user_input( "Do you want to disable current DNSSEC key master?", False)): sys.exit("Aborted") if options.disable_dnssec_master: _is_master() if options.disable_dnssec_master or options.dnssec_master: dnssec_zones = _find_dnssec_enabled_zones(api.Backend.ldap2) if options.disable_dnssec_master: if dnssec_zones and not options.force: raise RuntimeError( "Cannot disable DNSSEC key master, DNSSEC signing is still " "enabled for following zone(s):\n" "%s\n" "It is possible to move DNSSEC key master role to a different " "server by using --force option to skip this check.\n\n" "WARNING: You have to immediately copy kasp.db file to a new " "server and run command 'ipa-dns-install --dnssec-master " "--kasp-db'.\n" "Your DNS zones will become unavailable if you " "do not reinstall the DNSSEC key master role immediately." % ", ".join([str(zone) for zone in dnssec_zones])) elif options.dnssec_master: ods = opendnssecinstance.OpenDNSSECInstance(fstore) ods.realm = api.env.realm dnssec_masters = ods.get_masters() # we can reinstall current server if it is dnssec master if dnssec_masters and api.env.host not in dnssec_masters: print("DNSSEC key master(s):", u','.join(dnssec_masters)) raise ScriptError( "Only one DNSSEC key master is supported in current version.") if options.kasp_db_file: dnskeysyncd = services.service('ipa-dnskeysyncd', api) if not dnskeysyncd.is_installed(): raise RuntimeError("ipa-dnskeysyncd is not configured on this " "server, you cannot reuse OpenDNSSEC " "database (kasp.db file)") # check if replica can be the DNSSEC master cmd = [paths.IPA_DNSKEYSYNCD_REPLICA] environment = { "SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF, } # stop dnskeysyncd before test dnskeysyncd_running = dnskeysyncd.is_running() dnskeysyncd.stop() try: ipautil.run(cmd, env=environment, runas=constants.ODS_USER, suplementary_groups=[constants.NAMED_GROUP]) except CalledProcessError as e: logger.debug("%s", e) raise RuntimeError("This IPA server cannot be promoted to " "DNSSEC master role because some keys were " "not replicated from the original " "DNSSEC master server") finally: if dnskeysyncd_running: dnskeysyncd.start() elif dnssec_zones and not options.force: # some zones have --dnssec=true, make sure a user really want to # install new database raise RuntimeError( "DNSSEC signing is already enabled for following zone(s): %s\n" "Installation cannot continue without the OpenDNSSEC database " "file from the original DNSSEC master server.\n" "Please use option --kasp-db to specify location " "of the kasp.db file copied from the original " "DNSSEC master server.\n" "WARNING: Zones will become unavailable if you do not provide " "the original kasp.db file." % ", ".join([str(zone) for zone in dnssec_zones])) ip_addresses = get_server_ip_address(hostname, options.unattended, True, options.ip_addresses) util.no_matching_interface_for_ip_address_warning(ip_addresses) if not options.forward_policy: # user did not specify policy, derive it: default is 'first' but # if any of local IP addresses belongs to private ranges use 'only' options.forward_policy = 'first' for ip in ip_addresses: if dnsutil.inside_auto_empty_zone(dnsutil.DNSName(ip.reverse_dns)): options.forward_policy = 'only' logger.debug('IP address %s belongs to a private range, ' 'using forward policy only', ip) break if options.no_forwarders: options.forwarders = [] elif options.forwarders or options.auto_forwarders: if not options.forwarders: options.forwarders = [] if options.auto_forwarders: options.forwarders += resolver.get_default_resolver().nameservers elif standalone or not replica: options.forwarders = read_dns_forwarders() # test DNSSEC forwarders if options.forwarders: if (not bindinstance.check_forwarders(options.forwarders) and not options.no_dnssec_validation): options.no_dnssec_validation = True print("WARNING: DNSSEC validation will be disabled") logger.debug("will use DNS forwarders: %s\n", options.forwarders) if not standalone: search_reverse_zones = False else: search_reverse_zones = True if not standalone and replica: reverse_zones_unattended_check = True else: reverse_zones_unattended_check = options.unattended reverse_zones = bindinstance.check_reverse_zones( ip_addresses, options.reverse_zones, options, reverse_zones_unattended_check, search_reverse_zones ) if reverse_zones: print("Using reverse zone(s) %s" % ', '.join(reverse_zones))
def install_check(standalone, replica, options, hostname): global ip_addresses global dns_forwarders global reverse_zones fstore = sysrestore.FileStore(paths.SYSRESTORE) if not ipautil.file_exists(paths.IPA_DNS_INSTALL): raise RuntimeError("Integrated DNS requires '%s' package" % constants.IPA_DNS_PACKAGE_NAME) if standalone: print "==============================================================================" print "This program will setup DNS for the FreeIPA Server." print "" print "This includes:" print " * Configure DNS (bind)" print " * Configure SoftHSM (required by DNSSEC)" print " * Configure ipa-dnskeysyncd (required by DNSSEC)" if options.dnssec_master: print " * Configure ipa-ods-exporter (required by DNSSEC key master)" print " * Configure OpenDNSSEC (required by DNSSEC key master)" print " * Generate DNSSEC master key (required by DNSSEC key master)" elif options.disable_dnssec_master: print " * Unconfigure ipa-ods-exporter" print " * Unconfigure OpenDNSSEC" print "" print "No new zones will be signed without DNSSEC key master IPA server." print "" print ("Please copy file from %s after uninstallation. This file is needed " "on new DNSSEC key " % paths.IPA_KASP_DB_BACKUP) print "master server" print "" print "NOTE: DNSSEC zone signing is not enabled by default" print "" if options.dnssec_master: print "DNSSEC support is experimental!" print "" print "Plan carefully, replacing DNSSEC key master is not recommended" print "" print "" print "To accept the default shown in brackets, press the Enter key." print "" if (options.dnssec_master and not options.unattended and not ipautil.user_input( "Do you want to setup this IPA server as DNSSEC key master?", False)): sys.exit("Aborted") elif (options.disable_dnssec_master and not options.unattended and not ipautil.user_input( "Do you want to disable current DNSSEC key master?", False)): sys.exit("Aborted") # Check bind packages are installed if not bindinstance.check_inst(options.unattended): sys.exit("Aborting installation.") if options.disable_dnssec_master: _is_master() if options.disable_dnssec_master or options.dnssec_master: dnssec_zones = _find_dnssec_enabled_zones(api.Backend.ldap2) if options.disable_dnssec_master: if dnssec_zones and not options.force: raise RuntimeError( "Cannot disable DNSSEC key master, DNSSEC signing is still " "enabled for following zone(s):\n" "%s\n" "It is possible to move DNSSEC key master role to a different " "server by using --force option to skip this check.\n\n" "WARNING: You have to immediatelly copy kasp.db file to a new " "server and run command 'ipa-dns-install --dnssec-master " "--kasp-db'.\n" "Your DNS zones will become unavailable if you " "do not reinstall the DNSSEC key master role immediatelly." % ", ".join([str(zone) for zone in dnssec_zones])) elif options.dnssec_master: ods = opendnssecinstance.OpenDNSSECInstance( fstore, ldapi=True) ods.realm = api.env.realm dnssec_masters = ods.get_masters() # we can reinstall current server if it is dnssec master if dnssec_masters and api.env.host not in dnssec_masters: print "DNSSEC key master(s):", u','.join(dnssec_masters) sys.exit("Only one DNSSEC key master is supported in current " "version.") if options.kasp_db_file: dnskeysyncd = services.service('ipa-dnskeysyncd') if not dnskeysyncd.is_installed(): raise RuntimeError("ipa-dnskeysyncd is not configured on this " "server, you cannot reuse OpenDNSSEC " "database (kasp.db file)") # check if replica can be the DNSSEC master named = services.knownservices.named ods_enforcerd = services.knownservices.ods_enforcerd cmd = [paths.IPA_DNSKEYSYNCD_REPLICA] environment = { "SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF, } # stop dnskeysyncd before test dnskeysyncd_running = dnskeysyncd.is_running() dnskeysyncd.stop() try: ipautil.run(cmd, env=environment, runas=ods_enforcerd.get_user_name(), suplementary_groups=[named.get_group_name()]) except CalledProcessError as e: root_logger.debug("%s", e) raise RuntimeError("This IPA server cannot be promoted to " "DNSSEC master role because some keys were " "not replicated from the original " "DNSSEC master server") finally: if dnskeysyncd_running: dnskeysyncd.start() elif dnssec_zones and not options.force: # some zones have --dnssec=true, make sure a user really want to # install new database raise RuntimeError( "DNSSEC signing is already enabled for following zone(s): %s\n" "Installation cannot continue without the OpenDNSSEC database " "file from the original DNSSEC master server.\n" "Please use option --kasp-db to specify location " "of the kasp.db file copied from the original " "DNSSEC master server.\n" "WARNING: Zones will become unavailable if you do not provide " "the original kasp.db file." % ", ".join([str(zone) for zone in dnssec_zones])) ip_addresses = get_server_ip_address( hostname, fstore, options.unattended, True, options.ip_addresses) if options.no_forwarders: dns_forwarders = () elif options.forwarders: dns_forwarders = options.forwarders elif standalone or not replica: dns_forwarders = read_dns_forwarders() # test DNSSEC forwarders if dns_forwarders: if (not bindinstance.check_forwarders(dns_forwarders, root_logger) and not options.no_dnssec_validation): options.no_dnssec_validation = True print "WARNING: DNSSEC validation will be disabled" root_logger.debug("will use dns_forwarders: %s\n", dns_forwarders) if not standalone: search_reverse_zones = False else: search_reverse_zones = True if not standalone and replica: reverse_zones_unattended_check = True else: reverse_zones_unattended_check = options.unattended reverse_zones = bindinstance.check_reverse_zones( ip_addresses, options.reverse_zones, options, reverse_zones_unattended_check, search_reverse_zones ) if reverse_zones: print "Using reverse zone(s) %s" % ', '.join(reverse_zones)
def ask_for_options(self): options = self.options super(ReplicaPrepare, self).ask_for_options() # get the directory manager password self.dirman_password = options.password if not options.password: self.dirman_password = installutils.read_password( "Directory Manager (existing master)", confirm=False, validate=False) if self.dirman_password is None: raise admintool.ScriptError( "Directory Manager password required") # Try out the password & get the subject base suffix = ipautil.realm_to_suffix(api.env.realm) try: conn = api.Backend.ldap2 conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=self.dirman_password) entry_attrs = conn.get_ipa_config() self.subject_base = entry_attrs.get( 'ipacertificatesubjectbase', [None])[0] ca_enabled = api.Command.ca_is_enabled()['result'] conn.disconnect() except errors.ACIError: raise admintool.ScriptError("The password provided is incorrect " "for LDAP server %s" % api.env.host) except errors.LDAPError: raise admintool.ScriptError( "Unable to connect to LDAP server %s" % api.env.host) except errors.DatabaseError as e: raise admintool.ScriptError(e.desc) if not ca_enabled and not options.http_cert_files: raise admintool.ScriptError( "Cannot issue certificates: a CA is not installed. Use the " "--http-cert-file, --dirsrv-cert-file options to provide " "custom certificates.") if self.subject_base is not None: self.subject_base = DN(self.subject_base) # Validate more options using the password try: installutils.verify_fqdn(self.replica_fqdn, local_hostname=False) except installutils.BadHostError as e: msg = str(e) if isinstance(e, installutils.HostLookupError): if not options.ip_addresses: if dns_container_exists( api.env.host, api.env.basedn, dm_password=self.dirman_password, ldapi=True, realm=api.env.realm): self.log.info('You might use the --ip-address option ' 'to create a DNS entry if the DNS zone ' 'is managed by IPA.') raise else: # The host doesn't exist in DNS but we're adding it. pass else: raise if options.ip_addresses: if not dns_container_exists(api.env.host, api.env.basedn, dm_password=self.dirman_password, ldapi=True, realm=api.env.realm): self.log.error( "It is not possible to add a DNS record automatically " "because DNS is not managed by IPA. Please create DNS " "record manually and then omit --ip-address option.") raise admintool.ScriptError("Cannot add DNS record") disconnect = False if not api.Backend.ldap2.isconnected(): api.Backend.ldap2.connect( bind_dn=DN(('cn', 'Directory Manager')), bind_pw=self.dirman_password) disconnect = True options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) host, zone = self.replica_fqdn.split('.', 1) if not bindinstance.dns_zone_exists(zone, api=api): self.log.error("DNS zone %s does not exist in IPA managed DNS " "server. Either create DNS zone or omit " "--ip-address option." % zone) raise admintool.ScriptError("Cannot add DNS record") if disconnect: api.Backend.ldap2.disconnect() self.http_pin = self.dirsrv_pin = self.pkinit_pin = None if options.http_cert_files: if options.http_pin is None: options.http_pin = installutils.read_password( "Enter Apache Server private key unlock", confirm=False, validate=False) if options.http_pin is None: raise admintool.ScriptError( "Apache Server private key unlock password required") http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12( options.http_cert_files, options.http_pin, options.http_cert_name) self.http_pkcs12_file = http_pkcs12_file self.http_pin = http_pin if options.dirsrv_cert_files: if options.dirsrv_pin is None: options.dirsrv_pin = installutils.read_password( "Enter Directory Server private key unlock", confirm=False, validate=False) if options.dirsrv_pin is None: raise admintool.ScriptError( "Directory Server private key unlock password required") dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12( options.dirsrv_cert_files, options.dirsrv_pin, options.dirsrv_cert_name) self.dirsrv_pkcs12_file = dirsrv_pkcs12_file self.dirsrv_pin = dirsrv_pin if options.pkinit_cert_files: if options.pkinit_pin is None: options.pkinit_pin = installutils.read_password( "Enter Kerberos KDC private key unlock", confirm=False, validate=False) if options.pkinit_pin is None: raise admintool.ScriptError( "Kerberos KDC private key unlock password required") pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12( options.pkinit_cert_files, options.pkinit_pin, options.pkinit_cert_name) self.pkinit_pkcs12_file = pkinit_pkcs12_file self.pkinit_pin = pkinit_pin if (options.http_cert_files and options.dirsrv_cert_files and http_ca_cert != dirsrv_ca_cert): raise admintool.ScriptError( "Apache Server SSL certificate and Directory Server SSL " "certificate are not signed by the same CA certificate") if (not ipautil.file_exists( dogtag.configured_constants().CS_CFG_PATH) and options.dirsrv_pin is None): self.log.info("If you installed IPA with your own certificates " "using PKCS#12 files you must provide PKCS#12 files for any " "replicas you create as well.") raise admintool.ScriptError("The replica must be created on the " "primary IPA server.")
def install_check(standalone, api, replica, options, hostname): global ip_addresses global reverse_zones fstore = sysrestore.FileStore(paths.SYSRESTORE) if not ipautil.file_exists(paths.IPA_DNS_INSTALL): raise RuntimeError("Integrated DNS requires '%s' package" % constants.IPA_DNS_PACKAGE_NAME) # when installing first DNS instance we need to check zone overlap if replica or standalone: already_enabled = api.Command.dns_is_enabled()['result'] else: already_enabled = False if not already_enabled: domain = dnsutil.DNSName(util.normalize_zone(api.env.domain)) print("Checking DNS domain %s, please wait ..." % domain) try: dnsutil.check_zone_overlap(domain, raise_on_error=False) except ValueError as e: if options.force or options.allow_zone_overlap: root_logger.warning("%s Please make sure that the domain is " "properly delegated to this IPA server.", e.message) else: raise e for reverse_zone in options.reverse_zones: try: dnsutil.check_zone_overlap(reverse_zone) except ValueError as e: if options.force or options.allow_zone_overlap: root_logger.warning(e.message) else: raise e if standalone: print("==============================================================================") print("This program will setup DNS for the FreeIPA Server.") print("") print("This includes:") print(" * Configure DNS (bind)") print(" * Configure SoftHSM (required by DNSSEC)") print(" * Configure ipa-dnskeysyncd (required by DNSSEC)") if options.dnssec_master: print(" * Configure ipa-ods-exporter (required by DNSSEC key master)") print(" * Configure OpenDNSSEC (required by DNSSEC key master)") print(" * Generate DNSSEC master key (required by DNSSEC key master)") elif options.disable_dnssec_master: print(" * Unconfigure ipa-ods-exporter") print(" * Unconfigure OpenDNSSEC") print("") print("No new zones will be signed without DNSSEC key master IPA server.") print("") print(("Please copy file from %s after uninstallation. This file is needed " "on new DNSSEC key " % paths.IPA_KASP_DB_BACKUP)) print("master server") print("") print("NOTE: DNSSEC zone signing is not enabled by default") print("") if options.dnssec_master: print("Plan carefully, replacing DNSSEC key master is not recommended") print("") print("") print("To accept the default shown in brackets, press the Enter key.") print("") if (options.dnssec_master and not options.unattended and not ipautil.user_input( "Do you want to setup this IPA server as DNSSEC key master?", False)): sys.exit("Aborted") elif (options.disable_dnssec_master and not options.unattended and not ipautil.user_input( "Do you want to disable current DNSSEC key master?", False)): sys.exit("Aborted") if options.disable_dnssec_master: _is_master() if options.disable_dnssec_master or options.dnssec_master: dnssec_zones = _find_dnssec_enabled_zones(api.Backend.ldap2) if options.disable_dnssec_master: if dnssec_zones and not options.force: raise RuntimeError( "Cannot disable DNSSEC key master, DNSSEC signing is still " "enabled for following zone(s):\n" "%s\n" "It is possible to move DNSSEC key master role to a different " "server by using --force option to skip this check.\n\n" "WARNING: You have to immediatelly copy kasp.db file to a new " "server and run command 'ipa-dns-install --dnssec-master " "--kasp-db'.\n" "Your DNS zones will become unavailable if you " "do not reinstall the DNSSEC key master role immediatelly." % ", ".join([str(zone) for zone in dnssec_zones])) elif options.dnssec_master: ods = opendnssecinstance.OpenDNSSECInstance(fstore) ods.realm = api.env.realm dnssec_masters = ods.get_masters() # we can reinstall current server if it is dnssec master if dnssec_masters and api.env.host not in dnssec_masters: print("DNSSEC key master(s):", u','.join(dnssec_masters)) raise ScriptError( "Only one DNSSEC key master is supported in current version.") if options.kasp_db_file: dnskeysyncd = services.service('ipa-dnskeysyncd') if not dnskeysyncd.is_installed(): raise RuntimeError("ipa-dnskeysyncd is not configured on this " "server, you cannot reuse OpenDNSSEC " "database (kasp.db file)") # check if replica can be the DNSSEC master cmd = [paths.IPA_DNSKEYSYNCD_REPLICA] environment = { "SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF, } # stop dnskeysyncd before test dnskeysyncd_running = dnskeysyncd.is_running() dnskeysyncd.stop() try: ipautil.run(cmd, env=environment, runas=constants.ODS_USER, suplementary_groups=[constants.NAMED_GROUP]) except CalledProcessError as e: root_logger.debug("%s", e) raise RuntimeError("This IPA server cannot be promoted to " "DNSSEC master role because some keys were " "not replicated from the original " "DNSSEC master server") finally: if dnskeysyncd_running: dnskeysyncd.start() elif dnssec_zones and not options.force: # some zones have --dnssec=true, make sure a user really want to # install new database raise RuntimeError( "DNSSEC signing is already enabled for following zone(s): %s\n" "Installation cannot continue without the OpenDNSSEC database " "file from the original DNSSEC master server.\n" "Please use option --kasp-db to specify location " "of the kasp.db file copied from the original " "DNSSEC master server.\n" "WARNING: Zones will become unavailable if you do not provide " "the original kasp.db file." % ", ".join([str(zone) for zone in dnssec_zones])) ip_addresses = get_server_ip_address(hostname, options.unattended, True, options.ip_addresses) util.network_ip_address_warning(ip_addresses) util.broadcast_ip_address_warning(ip_addresses) if not options.forward_policy: # user did not specify policy, derive it: default is 'first' but # if any of local IP addresses belongs to private ranges use 'only' options.forward_policy = 'first' for ip in ip_addresses: if dnsutil.inside_auto_empty_zone(dnsutil.DNSName(ip.reverse_dns)): options.forward_policy = 'only' root_logger.debug('IP address %s belongs to a private range, ' 'using forward policy only', ip) break if options.no_forwarders: options.forwarders = [] elif options.forwarders or options.auto_forwarders: if not options.forwarders: options.forwarders = [] if options.auto_forwarders: options.forwarders += resolver.get_default_resolver().nameservers elif standalone or not replica: options.forwarders = read_dns_forwarders() # test DNSSEC forwarders if options.forwarders: if (not bindinstance.check_forwarders(options.forwarders, root_logger) and not options.no_dnssec_validation): options.no_dnssec_validation = True print("WARNING: DNSSEC validation will be disabled") root_logger.debug("will use DNS forwarders: %s\n", options.forwarders) if not standalone: search_reverse_zones = False else: search_reverse_zones = True if not standalone and replica: reverse_zones_unattended_check = True else: reverse_zones_unattended_check = options.unattended reverse_zones = bindinstance.check_reverse_zones( ip_addresses, options.reverse_zones, options, reverse_zones_unattended_check, search_reverse_zones ) if reverse_zones: print("Using reverse zone(s) %s" % ', '.join(reverse_zones))
ldapi=True, realm=api.env.realm): self.log.error( "It is not possible to add a DNS record automatically " "because DNS is not managed by IPA. Please create DNS " "record manually and then omit --ip-address option.") raise admintool.ScriptError("Cannot add DNS record") disconnect = False if not api.Backend.ldap2.isconnected(): api.Backend.ldap2.connect( bind_dn=DN(('cn', 'Directory Manager')), bind_pw=self.dirman_password) disconnect = True options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) if disconnect: api.Backend.ldap2.disconnect() self.http_pin = self.dirsrv_pin = self.pkinit_pin = None if options.http_cert_files: if options.http_pin is None: options.http_pin = installutils.read_password( "Enter Apache Server private key unlock", confirm=False, validate=False) if options.http_pin is None: raise admintool.ScriptError( "Apache Server private key unlock password required") http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
realm=api.env.realm): self.log.error( "It is not possible to add a DNS record automatically " "because DNS is not managed by IPA. Please create DNS " "record manually and then omit --ip-address option.") raise admintool.ScriptError("Cannot add DNS record") disconnect = False if not api.Backend.ldap2.isconnected(): api.Backend.ldap2.connect(bind_dn=DN( ('cn', 'Directory Manager')), bind_pw=self.dirman_password) disconnect = True options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) if disconnect: api.Backend.ldap2.disconnect() self.http_pin = self.dirsrv_pin = self.pkinit_pin = None if options.http_cert_files: if options.http_pin is None: options.http_pin = installutils.read_password( "Enter Apache Server private key unlock", confirm=False, validate=False) if options.http_pin is None: raise admintool.ScriptError( "Apache Server private key unlock password required")
def ask_for_options(self): options = self.options super(ReplicaPrepare, self).ask_for_options() # get the directory manager password self.dirman_password = options.password if not options.password: self.dirman_password = installutils.read_password( "Directory Manager (existing master)", confirm=False, validate=False) if self.dirman_password is None: raise admintool.ScriptError( "Directory Manager password required") # Try out the password & get the subject base api.Backend.ldap2.disconnect() try: api.Backend.ldap2.connect(bind_pw=self.dirman_password) entry_attrs = api.Backend.ldap2.get_ipa_config() self.subject_base = entry_attrs.get( 'ipacertificatesubjectbase', [None])[0] ca_enabled = api.Command.ca_is_enabled()['result'] except errors.ACIError: raise admintool.ScriptError("The password provided is incorrect " "for LDAP server %s" % api.env.host) except errors.LDAPError: raise admintool.ScriptError( "Unable to connect to LDAP server %s" % api.env.host) except errors.DatabaseError as e: raise admintool.ScriptError(e.desc) if ca_enabled and not ipautil.file_exists(paths.CA_CS_CFG_PATH): raise admintool.ScriptError( "CA is not installed on this server. " "ipa-replica-prepare must be run on an IPA server with CA.") if not ca_enabled and not options.http_cert_files: raise admintool.ScriptError( "Cannot issue certificates: a CA is not installed. Use the " "--http-cert-file, --dirsrv-cert-file options to provide " "custom certificates.") if self.subject_base is not None: self.subject_base = DN(self.subject_base) # Validate more options using the password try: installutils.verify_fqdn(self.replica_fqdn, local_hostname=False) except installutils.BadHostError as e: if isinstance(e, installutils.HostLookupError): if not options.ip_addresses: if dns_container_exists(api.env.basedn): logger.info('You might use the --ip-address option ' 'to create a DNS entry if the DNS zone ' 'is managed by IPA.') raise else: # The host doesn't exist in DNS but we're adding it. pass else: raise if options.ip_addresses: if not dns_container_exists(api.env.basedn): logger.error( "It is not possible to add a DNS record automatically " "because DNS is not managed by IPA. Please create DNS " "record manually and then omit --ip-address option.") raise admintool.ScriptError("Cannot add DNS record") options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) _host, zone = self.replica_fqdn.split('.', 1) if not bindinstance.dns_zone_exists(zone, api=api): logger.error("DNS zone %s does not exist in IPA managed DNS " "server. Either create DNS zone or omit " "--ip-address option.", zone) raise admintool.ScriptError("Cannot add DNS record") self.http_pin = self.dirsrv_pin = None if options.http_cert_files: if options.http_pin is None: options.http_pin = installutils.read_password( "Enter Apache Server private key unlock", confirm=False, validate=False, retry=False) if options.http_pin is None: raise admintool.ScriptError( "Apache Server private key unlock password required") http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12( options.http_cert_files, options.http_pin, options.http_cert_name) self.http_pkcs12_file = http_pkcs12_file self.http_pin = http_pin if options.dirsrv_cert_files: if options.dirsrv_pin is None: options.dirsrv_pin = installutils.read_password( "Enter Directory Server private key unlock", confirm=False, validate=False, retry=False) if options.dirsrv_pin is None: raise admintool.ScriptError( "Directory Server private key unlock password required") dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12( options.dirsrv_cert_files, options.dirsrv_pin, options.dirsrv_cert_name) self.dirsrv_pkcs12_file = dirsrv_pkcs12_file self.dirsrv_pin = dirsrv_pin if (options.http_cert_files and options.dirsrv_cert_files and http_ca_cert != dirsrv_ca_cert): raise admintool.ScriptError( "Apache Server SSL certificate and Directory Server SSL " "certificate are not signed by the same CA certificate")
def install_check(standalone, replica, options, hostname): global ip_addresses global dns_forwarders global reverse_zones if standalone: print "==============================================================================" print "This program will setup DNS for the FreeIPA Server." print "" print "This includes:" print " * Configure DNS (bind)" print " * Configure SoftHSM (required by DNSSEC)" print " * Configure ipa-dnskeysyncd (required by DNSSEC)" if options.dnssec_master: print " * Configure ipa-ods-exporter (required by DNSSEC key master)" print " * Configure OpenDNSSEC (required by DNSSEC key master)" print " * Generate DNSSEC master key (required by DNSSEC key master)" print "" print "NOTE: DNSSEC zone signing is not enabled by default" print "" if options.dnssec_master: print "DNSSEC support is experimental!" print "" print "Plan carefully, current version doesn't allow you to move DNSSEC" print "key master to different server and master cannot be uninstalled" print "" print "" print "To accept the default shown in brackets, press the Enter key." print "" if (options.dnssec_master and not options.unattended and not ipautil.user_input( "Do you want to setup this IPA server as DNSSEC key master?", False)): sys.exit("Aborted") # Check bind packages are installed if not (bindinstance.check_inst(options.unattended) and dnskeysyncinstance.check_inst()): sys.exit("Aborting installation.") if options.dnssec_master: # check opendnssec packages are installed if not opendnssecinstance.check_inst(): sys.exit("Aborting installation") fstore = sysrestore.FileStore(paths.SYSRESTORE) if options.dnssec_master: ods = opendnssecinstance.OpenDNSSECInstance( fstore, ldapi=True, autobind=AUTOBIND_ENABLED) ods.realm = api.env.realm dnssec_masters = ods.get_masters() # we can reinstall current server if it is dnssec master if api.env.host not in dnssec_masters and dnssec_masters: print "DNSSEC key master(s):", u','.join(dnssec_masters) sys.exit("Only one DNSSEC key master is supported in current " "version.") ip_addresses = get_server_ip_address( hostname, fstore, options.unattended, True, options.ip_addresses) if options.no_forwarders: dns_forwarders = () elif options.forwarders: dns_forwarders = options.forwarders elif standalone or not replica: dns_forwarders = read_dns_forwarders() # test DNSSEC forwarders if dns_forwarders: if (not bindinstance.check_forwarders(dns_forwarders, root_logger) and not options.no_dnssec_validation): options.no_dnssec_validation = True print "WARNING: DNSSEC validation will be disabled" root_logger.debug("will use dns_forwarders: %s\n", dns_forwarders) if not standalone: search_reverse_zones = False else: search_reverse_zones = True if not standalone and replica: reverse_zones_unattended_check = True else: reverse_zones_unattended_check = options.unattended reverse_zones = bindinstance.check_reverse_zones( ip_addresses, options.reverse_zones, options, reverse_zones_unattended_check, search_reverse_zones ) if reverse_zones: print "Using reverse zone(s) %s" % ', '.join(reverse_zones)