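def remove_ds_instance(self, instance_name):
    """Remove a Directory Server instance.

    Args:
        instance_name (str): Instance Name

    Returns:
        bool: True if successfully removed

    Exceptions:
        DirSrvException: if the instance is unknown or cannot be removed
    """
    # An unknown name used to surface as a bare KeyError; report it through
    # the documented exception instead, alongside the stale-record case.
    ret = self.dirsrv_info.get(instance_name)
    if ret is None or ret['instance_name'] != instance_name:
        raise DirSrvException('%s Instance not found' % instance_name)
    inst_name = ret['ds_inst_name']
    try:
        self.dirsrv_obj.remove_ds(inst_name)
    except subprocess.CalledProcessError:
        # The name is formatted into the message here; the original passed
        # it as a second positional argument, so '%s' was never substituted.
        raise DirSrvException('Failed to remove %s instance' % inst_name)
    # Release the port bookkeeping only once the instance is really gone.
    del self.ds_used_ports[instance_name]
    return True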
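def create_ds_instance(self, inst_name, inst_suffix=None, root_dn_pwd=None,
                       ldap_port=None, tls_port=None):
    """Create a Directory Server instance.

    Args:
        inst_name (str): Instance Name
        inst_suffix (str): Instance suffix
        root_dn_pwd (str): Directory Manager password
        ldap_port (str): LDAP port to be used
        tls_port (str): TLS port to be used

    Returns:
        result (str) and return code (str): Result containing message and
        return code containing 0 or 1 (1 indicating failure). With
        ``self.ssl`` set the pair comes from ``enablessl()``, otherwise
        from ``_set_options()``.

    Exceptions:
        DirSrvException: if DS instance could not be created.
    """
    result, return_code = self._set_options(inst_name, inst_suffix,
                                            root_dn_pwd, ldap_port, tls_port)
    if return_code != 0:
        raise DirSrvException('Failed to setup Directory Server instance')
    # The self.ds_* attributes used below are expected to have been set by
    # _set_options() (not visible in this file).
    self.dirsrv_obj = DirSrv(name=self.ds_instance_name,
                             host=self.ds_instance_host,
                             suffix=self.ds_instance_suffix,
                             multihost=self.multihost,
                             root_dn_password=self.ds_rootdn_pwd,
                             ldap_port=self.ds_ldap_port,
                             tls_port=self.ds_tls_port)
    cfg_file = self.dirsrv_obj.create_config()
    try:
        self.dirsrv_obj.setup_ds(cfg_file)
    except subprocess.CalledProcessError:
        raise DirSrvException('Failed to setup Directory server')
    # NOTE(review): this snapshots every attribute of the DirSrv object,
    # which presumably includes root_dn_password -- confirm before
    # dirsrv_info is ever logged or serialised.
    self.dirsrv_info[self.ds_instance_name] = self.dirsrv_obj.__dict__
    # %s rather than %r: %r would wrap a str port in quotes and yield an
    # invalid URI; for an int port both produce the same text.
    ldap_uri = 'ldap://%s:%s' % (self.ds_instance_host, self.ds_ldap_port)
    try:
        self.dirsrv_obj.enable_anonymous_search(ldap_uri)
    except LdapException:
        raise DirSrvException("Failed to enable anonymous search")
    if not self.ssl:
        return result, return_code
    try:
        self.dirsrv_obj.setup_certs(self.ssl_dir, self.client_host,
                                    self.canick)
    except DirSrvException as err:
        # Certificate failures are reported through the (msg, rval) tuple
        # rather than raised, matching the documented return contract.
        return err.msg, err.rval
    return self.enablessl()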
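def setup_certs(self, ssl_dir):
    """Copy CA and Server certs to all DS instances.

    Recreates the instance NSS database, imports ca.p12/server.p12, marks
    the CA as trusted, installs cacert.pem under /etc/openldap/cacerts and
    restricts pin.txt to the DS user. The instance is stopped for the
    duration and restarted afterwards.

    Args:
        ssl_dir (str): NSS Directory containing CA and Server-Certs

    Returns:
        None

    Exceptions:
        DirSrvException: if the instance cannot be stopped or started, a
            PKCS#12 import fails, or pin.txt permissions cannot be set
    """
    # We stop directory server before we copy files. This is required
    # because it's seen that at times, if ns-slapd process is reading
    # the db files, copying of files is successful but not all data
    # is written causing the files to go corrupt.
    stop_ds = ['systemctl', 'stop', 'dirsrv@%s' % self.instance_name]
    try:
        self.multihost.run_command(stop_ds)
    except subprocess.CalledProcessError:
        raise DirSrvException("Unable to stop Directory Server instance")
    self.multihost.log.info('DS instance stopped successfully')

    self._copy_pkcs12(ssl_dir)
    cacert_dir = '/etc/openldap/cacerts'
    cacert_file_path = '%s/cacert.pem' % cacert_dir
    target_pin_file = os.path.join(self.dsinst_path, 'pin.txt')
    pwfile = os.path.join(self.dsinst_path, 'pwfile')
    ca_p12 = os.path.join(self.dsinst_path, 'ca.p12')
    server_p12 = os.path.join(self.dsinst_path, 'server.p12')

    # Recreate the NSS database. NOTE(review): the certutil commands are
    # passed as one string while systemctl/chown use the list form; whether
    # run_command hands a str to a shell is not visible here, so
    # dsinst_path must not carry shell-special characters.
    certutil_cmd = 'certutil -N -d %s -f %s' % (self.dsinst_path, pwfile)
    self.multihost.run_command(certutil_cmd)
    # Make sure the OpenLDAP CA directory exists before cacert.pem is
    # copied there (the original issued this mkdir twice).
    self.multihost.run_command('mkdir -p %s' % cacert_dir)
    for pkcs_file in (ca_p12, server_p12):
        if not self._import_certs(pkcs_file, pwfile):
            raise DirSrvException("importing certificates failed")
    # -t "CTu,u,u": in the SSL field C/T make the nickname a trusted CA for
    # server and client certs; the email/object-signing fields stay "u".
    # The nickname "Example CA" is assumed to be what ca.p12 carries --
    # TODO confirm against _copy_pkcs12/_import_certs.
    set_trust_cmd = ('certutil -M -d %s -n "Example CA"'
                     ' -t "CTu,u,u" -f %s' % (self.dsinst_path, pwfile))
    self.multihost.run_command(set_trust_cmd)
    self.multihost.transport.put_file(os.path.join(ssl_dir, 'cacert.pem'),
                                      cacert_file_path)
    # pin.txt is presumably the NSS token PIN file; lock it to the DS user.
    # _set_dsperms already raises DirSrvException, no re-raise wrapper needed.
    self._set_dsperms(target_pin_file)

    start_ds = ['systemctl', 'start', 'dirsrv@%s' % self.instance_name]
    try:
        self.multihost.run_command(start_ds)
    except subprocess.CalledProcessError:
        raise DirSrvException('Could not Start DS Instance')
    self.multihost.log.info('DS instance started successfully')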
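def _set_dsperms(self, file_path):
    """Restrict *file_path* to the directory server user.

    Runs chown/chgrp to DS_USER/DS_GROUP and chmod 600 so only that user
    can read the file (callers use it for the instance pin file).

    Args:
        file_path (str): path of the file on the remote host

    Returns:
        None

    Exceptions:
        DirSrvException: if any of the three commands fails; the message
            names the failed step and the actual path
    """
    steps = (
        ('change ownership', ['chown', DS_USER, file_path]),
        ('change group ownership', ['chgrp', DS_GROUP, file_path]),
        ('change permissions', ['chmod', '600', file_path]),
    )
    for what, cmd in steps:
        try:
            self.multihost.run_command(cmd)
        except subprocess.CalledProcessError:
            # Report the real path; the messages used to hard-code 'pin.txt'
            # regardless of which file was passed in.
            raise DirSrvException('Failed to %s of %s' % (what, file_path))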
def _validate_options(self):
    """Verify that the instance directory does not already exist.

    Probes /etc/dirsrv/slapd-<instance> on the remote host with ``ls``
    (raiseonerr=False) and inspects the exit status.

    Args:
        None

    Returns:
        None

    Exceptions:
        DirSrvException: if instance directory already exists
    """
    inst_dir = '/etc/dirsrv/slapd-%s' % self.ds_instance_name
    probe = self.multihost.run_command(['/usr/bin/ls', inst_dir],
                                       raiseonerr=False)
    # ls exits 0 only when the path is present, i.e. the name is taken.
    if probe.returncode != 0:
        return
    raise DirSrvException('%s Instance already exists'
                          % self.ds_instance_name)
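def setup_certs(self, ssl_dir):
    """Copy CA and Server certs to all DS instances.

    Copies the NSS database files (cert9.db, key4.db, pin.txt) from
    *ssl_dir* into the instance directory, installs cacert.pem under
    /etc/openldap/cacerts and mirrors it into the instance, and restricts
    pin.txt to the DS user. The instance is stopped during the copy and
    restarted afterwards.

    Args:
        ssl_dir (str): NSS Directory containing CA and Server-Certs

    Returns:
        None

    Exceptions:
        DirSrvException: if the instance cannot be stopped or started, or
            pin.txt permissions cannot be set
    """
    # We stop directory server before we copy files. This is required
    # because it's seen that at times, if ns-slapd process is reading
    # the db files, copying of files is successful but not all data
    # is written causing the files to go corrupt.
    stop_ds = ['systemctl', 'stop', 'dirsrv@%s' % self.instance_name]
    try:
        self.multihost.run_command(stop_ds)
    except subprocess.CalledProcessError:
        # This used to `return True` without copying anything, so callers
        # believed the certificates were installed. Fail loudly instead.
        raise DirSrvException("Unable to stop Directory Server instance")
    self.multihost.log.info('DS instance stopped successfully')

    nss_db_files = ['cert9.db', 'key4.db', 'pin.txt']
    # NOTE(review): the service unit is named from self.instance_name while
    # the instance cert path uses self.ds_inst_name -- confirm they agree.
    dirsrv_cert_path = '/etc/dirsrv/' + self.ds_inst_name + '/cacert.pem'
    cacert_dir = '/etc/openldap/cacerts'
    cacert_file_path = '%s/cacert.pem' % cacert_dir
    for db_file in nss_db_files:
        self.multihost.transport.put_file(
            os.path.join(ssl_dir, db_file),
            os.path.join(self.dsinst_path, db_file))

    # copy the cacert file to the OpenLDAP CA directory
    self.multihost.run_command('mkdir -p %s' % cacert_dir)
    self.multihost.transport.put_file(os.path.join(ssl_dir, 'cacert.pem'),
                                      cacert_file_path)

    # pin.txt is presumably the NSS token PIN file; make it readable by the
    # DS user only. Messages follow the wording used by _set_dsperms.
    target_pin_file = os.path.join(self.dsinst_path, 'pin.txt')
    perm_steps = (
        ('change ownership', ['chown', DS_USER, target_pin_file]),
        ('change group ownership', ['chgrp', DS_GROUP, target_pin_file]),
        ('change permissions', ['chmod', '600', target_pin_file]),
    )
    for what, cmd in perm_steps:
        try:
            self.multihost.run_command(cmd)
        except subprocess.CalledProcessError:
            raise DirSrvException('Failed to %s of pin.txt' % what)

    start_ds = ['systemctl', 'start', 'dirsrv@%s' % self.instance_name]
    try:
        self.multihost.run_command(start_ds)
    except subprocess.CalledProcessError:
        raise DirSrvException('Could not Start DS Instance')
    self.multihost.log.info('DS instance started successfully')
    # Mirror the CA cert into the instance directory as well.
    ca = self.multihost.get_file_contents(cacert_file_path)
    self.multihost.transport.put_file_contents(dirsrv_cert_path, ca)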