示例#1
0
def install(standalone, options, fstore, api):
    if not options.unattended and standalone:
        print("")
        print("The following operations may take some minutes to complete.")
        print("Please wait until the prompt is returned.")
        print("")

    smb = adtrustinstance.ADTRUSTInstance(fstore, options.setup_adtrust)
    smb.realm = api.env.realm
    smb.autobind = ipaldap.AUTOBIND_ENABLED
    smb.setup(api.env.host, api.env.realm,
              netbios_name, reset_netbios_name,
              options.rid_base, options.secondary_rid_base,
              options.add_sids,
              enable_compat=options.enable_compat)
    smb.find_local_id_range()
    smb.create_instance()

    # Update Samba keytab with host keys
    ad_update = update_host_cifs_keytabs(api)
    if ad_update:
        result = ad_update()
        # this particular update does not require restarting DS but
        # the plugin might require that in future
        if result[0]:
            logger.debug('Restarting directory server to apply updates')
            installutils.restart_dirsrv()

    if options.add_agents:
        # Find out IPA masters which are not part of the cn=adtrust agents
        # and propose them to be added to the list
        add_new_adtrust_agents(api, options)
示例#2
0
def install_replica_kra(config, postinstall=False):
    """
    Install a KRA on a replica.

    There are two modes of doing this controlled:
      - While the replica is being installed
      - Post-replica installation

    config is a ReplicaConfig object

    Returns a KRA instance
    """
    # note that the cacert.p12 file is regenerated during the
    # ipa-replica-prepare process and should include all the certs
    # for the CA and KRA
    krafile = config.dir + "/cacert.p12"

    if not ipautil.file_exists(krafile):
        raise RuntimeError("Unable to clone KRA."
                           "  cacert.p12 file not found in replica file")

    _kra = KRAInstance(config.realm_name)
    _kra.dm_password = config.dirman_password
    _kra.subject_base = config.subject_base
    if _kra.is_installed():
        raise ScriptError("A KRA is already configured on this system.")

    _kra.configure_instance(config.realm_name,
                            config.host_name,
                            config.dirman_password,
                            config.dirman_password,
                            pkcs12_info=(krafile, ),
                            master_host=config.master_host_name,
                            subject_base=config.subject_base)

    # Restart httpd since we changed it's config and added ipa-pki-proxy.conf
    if postinstall:
        services.knownservices.httpd.restart()

    # The dogtag DS instance needs to be restarted after installation.
    # The procedure for this is: stop dogtag, stop DS, start DS, start
    # dogtag

    service.print_msg("Restarting the directory and KRA servers")
    _kra.stop('pki-tomcat')
    installutils.restart_dirsrv()
    _kra.start('pki-tomcat')

    return _kra
示例#3
0
def install_replica_kra(config, postinstall=False):
    """
    Install a KRA on a replica.

    There are two modes of doing this controlled:
      - While the replica is being installed
      - Post-replica installation

    config is a ReplicaConfig object

    Returns a KRA instance
    """
    # note that the cacert.p12 file is regenerated during the
    # ipa-replica-prepare process and should include all the certs
    # for the CA and KRA
    krafile = config.dir + "/cacert.p12"

    if not ipautil.file_exists(krafile):
        raise RuntimeError(
            "Unable to clone KRA."
            "  cacert.p12 file not found in replica file")

    _kra = KRAInstance(config.realm_name)
    _kra.dm_password = config.dirman_password
    _kra.subject_base = config.subject_base
    if _kra.is_installed():
        raise ScriptError("A KRA is already configured on this system.")

    _kra.configure_instance(config.realm_name, config.host_name,
                            config.dirman_password, config.dirman_password,
                            pkcs12_info=(krafile,),
                            master_host=config.master_host_name,
                            subject_base=config.subject_base)

    # Restart httpd since we changed it's config and added ipa-pki-proxy.conf
    if postinstall:
        services.knownservices.httpd.restart()

    # The dogtag DS instance needs to be restarted after installation.
    # The procedure for this is: stop dogtag, stop DS, start DS, start
    # dogtag

    service.print_msg("Restarting the directory and KRA servers")
    _kra.stop('pki-tomcat')
    installutils.restart_dirsrv()
    _kra.start('pki-tomcat')

    return _kra
示例#4
0
 def __restart_dirsrv(self):
     try:
         installutils.restart_dirsrv()
     except Exception:
         pass
示例#5
0
 def restart_ds(self):
     logger.debug('Restarting directory server to apply updates')
     installutils.restart_dirsrv()
示例#6
0
def install_step_1(standalone, replica_config, options, custodia):
    if replica_config is not None and not replica_config.setup_ca:
        return

    realm_name = options.realm_name
    host_name = options.host_name
    subject_base = options._subject_base
    basedn = ipautil.realm_to_suffix(realm_name)

    ca = cainstance.CAInstance(realm=realm_name,
                               host_name=host_name,
                               custodia=custodia)

    ca.stop('pki-tomcat')

    # This is done within stopped_service context, which restarts CA
    ca.enable_client_auth_to_db()

    # Lightweight CA key retrieval is configured in step 1 instead
    # of CAInstance.configure_instance (which is invoked from step
    # 0) because kadmin_addprinc fails until krb5.conf is installed
    # by krb.create_instance.
    #
    ca.setup_lightweight_ca_key_retrieval()

    serverid = ipaldap.realm_to_serverid(realm_name)

    if standalone and replica_config is None:
        dirname = dsinstance.config_dirname(serverid)

        # Store the new IPA CA cert chain in DS NSS database and LDAP
        cadb = certs.CertDB(realm_name,
                            nssdir=paths.PKI_TOMCAT_ALIAS_DIR,
                            subject_base=subject_base)
        dsdb = certs.CertDB(realm_name,
                            nssdir=dirname,
                            subject_base=subject_base)
        cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca')
        nickname = certdb.get_ca_nickname(realm_name)
        trust_flags = certdb.IPA_CA_TRUST_FLAGS
        dsdb.add_cert(cacert, nickname, trust_flags)
        certstore.put_ca_cert_nss(api.Backend.ldap2,
                                  api.env.basedn,
                                  cacert,
                                  nickname,
                                  trust_flags,
                                  config_ipa=True,
                                  config_compat=True)

        # Store DS CA cert in Dogtag NSS database
        trust_flags = dict(reversed(dsdb.list_certs()))
        server_certs = dsdb.find_server_certs()
        trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
        nickname = trust_chain[-1]
        cert = dsdb.get_cert_from_db(nickname)
        cadb.add_cert(cert, nickname, trust_flags[nickname])

    installutils.restart_dirsrv()

    ca.start('pki-tomcat')

    if standalone or replica_config is not None:
        # We need to restart apache as we drop a new config file in there
        services.knownservices.httpd.restart(capture_output=True)

    if standalone:
        # Install CA DNS records
        if bindinstance.dns_container_exists(basedn):
            bind = bindinstance.BindInstance()
            bind.update_system_records()
示例#7
0
 def restart_ds(self):
     self.log.debug('Restarting directory server to apply updates')
     installutils.restart_dirsrv()
示例#8
0
 def __restart_dirsrv(self):
     try:
         installutils.restart_dirsrv()
     except Exception:
         pass
示例#9
0
文件: ca.py 项目: encukou/freeipa
def install_step_1(standalone, replica_config, options, custodia):
    if replica_config is not None and not replica_config.setup_ca:
        return

    realm_name = options.realm_name
    host_name = options.host_name
    subject_base = options._subject_base
    basedn = ipautil.realm_to_suffix(realm_name)

    ca = cainstance.CAInstance(
        realm=realm_name, host_name=host_name, custodia=custodia
    )

    ca.stop('pki-tomcat')

    # This is done within stopped_service context, which restarts CA
    ca.enable_client_auth_to_db()

    # Lightweight CA key retrieval is configured in step 1 instead
    # of CAInstance.configure_instance (which is invoked from step
    # 0) because kadmin_addprinc fails until krb5.conf is installed
    # by krb.create_instance.
    #
    ca.setup_lightweight_ca_key_retrieval()

    serverid = ipaldap.realm_to_serverid(realm_name)

    if standalone and replica_config is None:
        dirname = dsinstance.config_dirname(serverid)

        # Store the new IPA CA cert chain in DS NSS database and LDAP
        cadb = certs.CertDB(
            realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR,
            subject_base=subject_base)
        dsdb = certs.CertDB(
            realm_name, nssdir=dirname, subject_base=subject_base)
        cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca')
        nickname = certdb.get_ca_nickname(realm_name)
        trust_flags = certdb.IPA_CA_TRUST_FLAGS
        dsdb.add_cert(cacert, nickname, trust_flags)
        certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
                                  cacert, nickname, trust_flags,
                                  config_ipa=True, config_compat=True)

        # Store DS CA cert in Dogtag NSS database
        trust_flags = dict(reversed(dsdb.list_certs()))
        server_certs = dsdb.find_server_certs()
        trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
        nickname = trust_chain[-1]
        cert = dsdb.get_cert_from_db(nickname)
        cadb.add_cert(cert, nickname, trust_flags[nickname])

    installutils.restart_dirsrv()

    ca.start('pki-tomcat')

    if standalone or replica_config is not None:
        # We need to restart apache as we drop a new config file in there
        services.knownservices.httpd.restart(capture_output=True)

    if standalone:
        # Install CA DNS records
        if bindinstance.dns_container_exists(basedn):
            bind = bindinstance.BindInstance()
            bind.update_system_records()
示例#10
0
文件: ca.py 项目: jumitche/freeipa
def install_step_1(standalone, replica_config, options):
    realm_name = options.realm_name
    dm_password = options.dm_password
    host_name = options.host_name
    subject_base = options.subject

    basedn = ipautil.realm_to_suffix(realm_name)

    ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name)

    if standalone:
        ca.stop('pki-tomcat')

    # We need to ldap_enable the CA now that DS is up and running
    if replica_config is None:
        config = ['caRenewalMaster']
    else:
        config = []
    ca.ldap_enable('CA', host_name, dm_password, basedn, config)

    # This is done within stopped_service context, which restarts CA
    ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH)

    # Lightweight CA key retrieval is configured in step 1 instead
    # of CAInstance.configure_instance (which is invoked from step
    # 0) because kadmin_addprinc fails until krb5.conf is installed
    # by krb.create_instance.
    #
    ca.setup_lightweight_ca_key_retrieval()

    if standalone and replica_config is None:
        serverid = installutils.realm_to_serverid(realm_name)
        dirname = dsinstance.config_dirname(serverid)

        # Store the new IPA CA cert chain in DS NSS database and LDAP
        cadb = certs.CertDB(realm_name, subject_base=subject_base)
        dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
        trust_flags = dict(reversed(cadb.list_certs()))
        trust_chain = cadb.find_root_cert('ipaCert')[:-1]
        for nickname in trust_chain[:-1]:
            cert = cadb.get_cert_from_db(nickname, pem=False)
            dsdb.add_cert(cert, nickname, trust_flags[nickname])
            certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
                                      cert, nickname, trust_flags[nickname])

        nickname = trust_chain[-1]
        cert = cadb.get_cert_from_db(nickname, pem=False)
        dsdb.add_cert(cert, nickname, trust_flags[nickname])
        certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
                                  cert, nickname, trust_flags[nickname],
                                  config_ipa=True, config_compat=True)

        installutils.restart_dirsrv()

        # Store DS CA cert in Dogtag NSS database
        dogtagdb = certs.CertDB(realm_name, nssdir=paths.PKI_TOMCAT_ALIAS_DIR)
        trust_flags = dict(reversed(dsdb.list_certs()))
        server_certs = dsdb.find_server_certs()
        trust_chain = dsdb.find_root_cert(server_certs[0][0])[:-1]
        nickname = trust_chain[-1]
        cert = dsdb.get_cert_from_db(nickname)
        dogtagdb.add_cert(cert, nickname, trust_flags[nickname])

    if standalone:
        ca.start('pki-tomcat')

        # We need to restart apache as we drop a new config file in there
        services.knownservices.httpd.restart(capture_output=True)

        # Install CA DNS records
        if bindinstance.dns_container_exists(host_name, basedn, dm_password):
            bind = bindinstance.BindInstance()
            bind.update_system_records()