authorRob Crittenden <rcritten@redhat.com>2009-04-28 17:05:39 -0400
committerRob Crittenden <rcritten@redhat.com>2009-05-04 17:42:03 -0400
commit064240def3e5fe1d0e75020b4a63a130e5232733 (patch)
treee1f4ff78f6ed4ad15d202116778e127b0cebe6f1
parentc8ee910ff64f60975eeda9367e48201d21c60ca1 (diff)
Fix replica installation for self-signed CA (no dogtag)
-rwxr-xr-xinstall/tools/ipa-replica-install15
-rwxr-xr-xinstall/tools/ipa-replica-manage9
-rwxr-xr-xinstall/tools/ipa-replica-prepare28
-rw-r--r--ipaserver/ipaldap.py58
4 files changed, 95 insertions, 15 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e3c0de085..a92db3029 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -30,6 +30,7 @@ from ipaserver.install import dsinstance, replication, installutils, krbinstance
from ipaserver.install import httpinstance, ntpinstance, certs
from ipaserver import ipaldap
from ipapython import version
+from ipalib import util
CACERT="/usr/share/ipa/html/ca.crt"
@@ -144,7 +145,7 @@ def install_http(config):
config.dir + "/http_pin.txt")
http = httpinstance.HTTPInstance()
- http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
+ http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info, self_signed_ca=True)
# Now copy the autoconfiguration files
if ipautil.file_exists(config.dir + "/preferences.html"):
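Review bot: `self_signed_ca=True` is passed unconditionally to `http.create_instance`, so a replica of a master that does run dogtag would also have its HTTP instance configured for the self-signed case; the later hunk in this file carries a FIXME admitting that cloned-CA detection does not exist yet. Until it does, a comment at the call site, `# FIXME: hard-coded; see the enable_ra FIXME in main() for the matching detection gap`, keeps the two places in sync so the next change fixes both. install_http's body starts and ends outside the hunk.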
@@ -267,6 +268,18 @@ def main():
fd.write("domain=" + config.domain_name + "\n")
fd.close()
+ # Create the management framework config file
+ fd = open("/etc/ipa/default.conf", "w")
+ fd.write("[global]\n")
+ fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+ fd.write("realm=" + config.realm_name + "\n")
+ fd.write("domain=" + config.domain_name + "\n")
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
+ # FIXME: detect when we are installing a cloned CA
+ if False:
+ fd.write("enable_ra=True\n")
+ fd.close()
+
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
ds.apply_updates()
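Review bot: The `if False:` branch that writes `enable_ra=True` is dead code, so the new `/etc/ipa/default.conf` never enables the RA on any replica and a reader cannot tell whether that is intended for the self-signed case or just unfinished. Either drop the branch and keep only the FIXME comment, or write the line from a real condition once one exists; leaving `if False:` in shipped code tends to survive the FIXME. The open `fd` is also never closed if one of the `fd.write` calls raises, and the same open/write/close sequence for the preceding file sits just above in this hunk; a `try: ... finally: fd.close()` around the writes would cover both. main()'s body starts and ends outside the hunk.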
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index d6dfb126b..f24b3f612 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -23,8 +23,10 @@ import getpass, ldap, re, krbV
import traceback, logging
from ipapython import ipautil
-from ipaserver import replication, ipaldap, dsinstance, installutils
+from ipaserver.install import replication, dsinstance, installutils
+from ipaserver import ipaldap
from ipapython import version
+from ipalib import util
def parse_options():
from optparse import OptionParser
@@ -68,7 +70,7 @@ def get_realm_name():
return c.default_realm
def get_suffix():
- suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(get_realm_name()))
+ suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(get_realm_name()))
return suffix
def get_host_name():
@@ -204,6 +206,9 @@ def main():
print "must provide hostname of supplier to synchronize with"
sys.exit(1)
synch_master(r, args[1])
+ else:
+ print "unknown command: %s" % args[0]
+ sys.exit(1)
try:
main()
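Review bot: The new `else` branch prints the unknown-command diagnostic to stdout before `sys.exit(1)`; as an error it belongs on stderr, `print >>sys.stderr, "unknown command: %s" % args[0]`, so anything capturing the tool's stdout does not mistake it for output. The existing branch above (`must provide hostname of supplier ...`) has the same pattern, so this is a consistency choice for the whole dispatch chain. main()'s body starts outside the hunk.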
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index e0f98aa24..c2424652b 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -120,18 +120,15 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
except ipautil.CalledProcessError, e:
print "error exporting CA certificate: " + str(e)
- try:
- os.unlink(pkcs12_fname)
- os.unlink(passwd_fname)
- except:
- pass
-
- os.unlink(dir + "/cert8.db")
- os.unlink(dir + "/key3.db")
- os.unlink(dir + "/secmod.db")
- os.unlink(dir + "/noise.txt")
+ remove_file(pkcs12_fname)
+ remove_file(passwd_fname)
+
+ remove_file(dir + "/cert8.db")
+ remove_file(dir + "/key3.db")
+ remove_file(dir + "/secmod.db")
+ remove_file(dir + "/noise.txt")
if ipautil.file_exists(passwd_fname + ".orig"):
- os.unlink(passwd_fname + ".orig")
+ remove_file(passwd_fname + ".orig")
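Review bot: The replaced `os.unlink` calls for `cert8.db`, `key3.db`, `secmod.db` and `noise.txt` failed loudly when a file could not be deleted; `remove_file` with its default `ignore_errors=True` now swallows those OSErrors, so a key database or noise file left behind in `dir` after export goes unnoticed. For the files that hold key material, pass the flag explicitly, e.g. `remove_file(dir + "/key3.db", ignore_errors=False)`, to keep the old failure behaviour; the PKCS#12 bundle and its password file were already best-effort in the original and can stay that way. export_certdb's body starts outside the hunk.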
def get_ds_user(ds_dir):
uid = os.stat(ds_dir).st_uid
@@ -150,6 +147,13 @@ def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host):
fd = open(dir + "/realm_info", "w")
config.write(fd)
+def remove_file(fname, ignore_errors=True):
+ try:
+ os.remove(fname)
+ except OSError, e:
+ if not ignore_errors:
+ raise e
+
def copy_files(realm_name, dir):
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
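Review bot: `raise e` inside `remove_file` re-raises the exception with a traceback rooted at that line, losing the original `os.remove` frame; a bare `raise` preserves it. Defaulting `ignore_errors=True` also makes every caller silent unless it opts in, which inverts the behaviour of the `os.unlink`/`os.remove` calls this helper replaces elsewhere in the file; `def remove_file(fname, ignore_errors=False):` with callers that genuinely want best-effort cleanup passing `True` would be the safer default. A one-line docstring, `"""Delete fname; OSError is swallowed unless ignore_errors is False."""`, would make the contract visible at the call sites.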
@@ -275,7 +279,7 @@ def main():
ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
- os.remove(replicafile)
+ remove_file(replicafile)
shutil.rmtree(dir)
try:
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 7d194aa95..c80cda428 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -27,6 +27,7 @@ import re
import string
import ldap
import cStringIO
+import time
import struct
import ldap.sasl
from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
@@ -243,6 +244,20 @@ class IPAdmin(SimpleLDAPObject):
self.suffixes = {}
self.__localinit()
+ def __lateinit(self):
+ """
+ This is executed after the connection is bound to fill in some useful
+ values.
+ """
+ try:
+ ent = self.getEntry('cn=config,cn=ldbm database,cn=plugins,cn=config',
+ ldap.SCOPE_BASE, '(objectclass=*)',
+ [ 'nsslapd-directory' ])
+
+ self.dbdir = os.path.dirname(ent.getValue('nsslapd-directory'))
+ except ldap.LDAPError, e:
+ self.__handle_errors(e, **{})
+
def __str__(self):
return self.host + ":" + str(self.port)
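Review bot: `__lateinit` leaves `self.dbdir` undefined when the config search fails, because the `except` path only calls `__handle_errors`, so a later reader gets an AttributeError instead of a clear signal; set `self.dbdir = None` before the `try` (or in `__init__`) so the missing value is explicit. If `ent.getValue('nsslapd-directory')` returns None, `os.path.dirname(None)` raises TypeError, which `except ldap.LDAPError` does not catch. The `**{}` argument to `__handle_errors` is a no-op and can be dropped.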
@@ -328,6 +343,7 @@ class IPAdmin(SimpleLDAPObject):
self.binddn = binddn
self.bindpwd = bindpw
self.simple_bind_s(binddn, bindpw)
+ self.__lateinit()
def getEntry(self,*args):
"""This wraps the search function. It is common to just get one entry"""
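Review bot: `self.__lateinit()` is invoked only after `simple_bind_s`, so `dbdir` is populated solely on this bind path; if the class also binds via SASL (the `import ldap.sasl` earlier in this file suggests it may), those connections would never get `dbdir`. Either call `__lateinit` from every bind method or document on `__lateinit` that `dbdir` is valid only after a simple bind. The enclosing method starts outside the hunk.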
@@ -569,6 +585,48 @@ class IPAdmin(SimpleLDAPObject):
if callable(attr):
setattr(self, name, wrapper(attr, name))
+ def waitForEntry(self, dn, timeout=7200, attr='', quiet=True):
+ scope = ldap.SCOPE_BASE
+ filter = "(objectclass=*)"
+ attrlist = []
+ if attr:
+ filter = "(%s=*)" % attr
+ attrlist.append(attr)
+ timeout += int(time.time())
+
+ if isinstance(dn,Entry):
+ dn = dn.dn
+
+ # wait for entry and/or attr to show up
+ if not quiet:
+ sys.stdout.write("Waiting for %s %s:%s " % (self,dn,attr))
+ sys.stdout.flush()
+ entry = None
+ while not entry and int(time.time()) < timeout:
+ try:
+ entry = self.getEntry(dn, scope, filter, attrlist)
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ pass # found entry, but no attr
+ except ldap.NO_SUCH_OBJECT:
+ pass # no entry yet
+ except ldap.LDAPError, e: # badness
+ print "\nError reading entry", dn, e
+ break
+ if not entry:
+ if not quiet:
+ sys.stdout.write(".")
+ sys.stdout.flush()
+ time.sleep(1)
+
+ if not entry and int(time.time()) > timeout:
+ print "\nwaitForEntry timeout for %s for %s" % (self,dn)
+ elif entry and not quiet:
+ print "\nThe waited for entry is:", entry
+ elif not entry:
+ print "\nError: could not read entry %s from %s" % (dn,self)
+
+ return entry
+
def normalizeDN(dn):
# not great, but will do until we use a newer version of python-ldap
# that has DN utilities
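Review bot: `waitForEntry` returns None for three distinct outcomes — the timeout, an `ldap.LDAPError` that breaks the loop, and the boundary where `int(time.time()) == timeout` falls through to the generic "could not read entry" message — so callers cannot tell them apart. Changing the post-loop check to `if not entry and int(time.time()) >= timeout:` closes the boundary gap, and recording the error before `break` (e.g. `last_error = e`) lets the caller distinguish "gave up" from "directory error". The local `filter` shadows the builtin; `filterstr` would avoid that. A docstring stating the parameters, the 7200-second default and the None-on-failure return would help, since this polls a directory for up to two hours by default.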