author | Rob Crittenden <rcritten@redhat.com> | 2009-04-28 17:05:39 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2009-05-04 17:42:03 -0400 |
commit | 064240def3e5fe1d0e75020b4a63a130e5232733 (patch) | |
tree | e1f4ff78f6ed4ad15d202116778e127b0cebe6f1 | |
parent | c8ee910ff64f60975eeda9367e48201d21c60ca1 (diff) | |
Fix replica installation for self-signed CA (no dogtag)
-rwxr-xr-x | install/tools/ipa-replica-install | 15 | ||||
-rwxr-xr-x | install/tools/ipa-replica-manage | 9 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 28 | ||||
-rw-r--r-- | ipaserver/ipaldap.py | 58 |
4 files changed, 95 insertions, 15 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e3c0de085..a92db3029 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -30,6 +30,7 @@ from ipaserver.install import dsinstance, replication, installutils, krbinstance
 from ipaserver.install import httpinstance, ntpinstance, certs
 from ipaserver import ipaldap
 from ipapython import version
+from ipalib import util
 CACERT="/usr/share/ipa/html/ca.crt"
@@ -144,7 +145,7 @@ def install_http(config):
 config.dir + "/http_pin.txt")
 http = httpinstance.HTTPInstance()
- http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
+ http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info, self_signed_ca=True)
 # Now copy the autoconfiguration files
 if ipautil.file_exists(config.dir + "/preferences.html"):
@@ -267,6 +268,18 @@ def main():
 fd.write("domain=" + config.domain_name + "\n")
 fd.close()
+ # Create the management framework config file
+ fd = open("/etc/ipa/default.conf", "w")
+ fd.write("[global]\n")
+ fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+ fd.write("realm=" + config.realm_name + "\n")
+ fd.write("domain=" + config.domain_name + "\n")
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % config.host_name)
+ # FIXME: detect when we are installing a cloned CA
+ if False:
+ fd.write("enable_ra=True\n")
+ fd.close()
+
 # Apply any LDAP updates. Needs to be done after the replica is synced-up
 service.print_msg("Applying LDAP updates")
 ds.apply_updates()
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index d6dfb126b..f24b3f612 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
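Review bot: In the `@@ -267` hunk the new `/etc/ipa/default.conf` is written with a bare `open(..., "w")` / `fd.close()` pair, so an exception from any `fd.write` leaves the handle open and a half-written config on disk; wrapping the writes in `try: ... finally: fd.close()` is the minimal fix that fits the open/close style the surrounding lines already use. The `if False:` under the FIXME means `enable_ra` can never be emitted, and the `@@ -144` hunk passes `self_signed_ca=True` unconditionally, so both hunks hard-code the assumption that the replica has no cloned CA; a comment such as `# Replica is assumed to use the master's self-signed CA; revisit once cloned-CA replicas are detected` at the `if False:` would make that assumption visible to the next maintainer. `main()` starts and ends outside the hunk.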
@@ -23,8 +23,10 @@ import getpass, ldap, re, krbV
 import traceback, logging
 from ipapython import ipautil
-from ipaserver import replication, ipaldap, dsinstance, installutils
+from ipaserver.install import replication, dsinstance, installutils
+from ipaserver import ipaldap
 from ipapython import version
+from ipalib import util
 def parse_options():
 from optparse import OptionParser
@@ -68,7 +70,7 @@ def get_realm_name():
 return c.default_realm
 def get_suffix():
- suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(get_realm_name()))
+ suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(get_realm_name()))
 return suffix
 def get_host_name():
@@ -204,6 +206,9 @@ def main():
 print "must provide hostname of supplier to synchronize with"
 sys.exit(1)
 synch_master(r, args[1])
+ else:
+ print "unknown command: %s" % args[0]
+ sys.exit(1)
 try:
 main()
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index e0f98aa24..c2424652b 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -120,18 +120,15 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, subject):
 ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert")
 except ipautil.CalledProcessError, e:
 print "error exporting CA certificate: " + str(e)
- try:
- os.unlink(pkcs12_fname)
- os.unlink(passwd_fname)
- except:
- pass
-
- os.unlink(dir + "/cert8.db")
- os.unlink(dir + "/key3.db")
- os.unlink(dir + "/secmod.db")
- os.unlink(dir + "/noise.txt")
+ remove_file(pkcs12_fname)
+ remove_file(passwd_fname)
+
+ remove_file(dir + "/cert8.db")
+ remove_file(dir + "/key3.db")
+ remove_file(dir + "/secmod.db")
+ remove_file(dir + "/noise.txt")
 if ipautil.file_exists(passwd_fname + ".orig"):
- os.unlink(passwd_fname + ".orig")
+ remove_file(passwd_fname + ".orig")
 def get_ds_user(ds_dir):
 uid = os.stat(ds_dir).st_uid
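Review bot: In the `export_certdb` hunk of ipa-replica-prepare, every `remove_file` call relies on the default `ignore_errors=True` (see the `remove_file` definition in the next hunk), so a failed deletion of `pkcs12_fname`, `passwd_fname` or the `key3.db`/`cert8.db`/`secmod.db` files is swallowed and the exported key material plus its password file can remain in `dir` with no message at all. Those files are produced by the `export_pkcs12` call just above, so a removal failure there is unexpected and worth reporting; `remove_file(pkcs12_fname, ignore_errors=False)` and `remove_file(passwd_fname, ignore_errors=False)` (and the same for the three database files) would surface it. The old code kept the database-file unlinks outside its bare `except`, so those failures used to raise; the new code is quieter than what it replaces. `export_certdb` starts before this hunk.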
@@ -150,6 +147,13 @@ def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host):
 fd = open(dir + "/realm_info", "w")
 config.write(fd)
+def remove_file(fname, ignore_errors=True):
+ try:
+ os.remove(fname)
+ except OSError, e:
+ if not ignore_errors:
+ raise e
+
 def copy_files(realm_name, dir):
 config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
@@ -275,7 +279,7 @@ def main():
 ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
 ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir);
- os.remove(replicafile)
+ remove_file(replicafile)
 shutil.rmtree(dir)
 try:
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 7d194aa95..c80cda428 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -27,6 +27,7 @@ import re
 import string
 import ldap
 import cStringIO
+import time
 import struct
 import ldap.sasl
 from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
@@ -243,6 +244,20 @@ class IPAdmin(SimpleLDAPObject):
 self.suffixes = {}
 self.__localinit()
+ def __lateinit(self):
+ """
+ This is executed after the connection is bound to fill in some useful
+ values.
+ """
+ try:
+ ent = self.getEntry('cn=config,cn=ldbm database,cn=plugins,cn=config',
+ ldap.SCOPE_BASE, '(objectclass=*)',
+ [ 'nsslapd-directory' ])
+
+ self.dbdir = os.path.dirname(ent.getValue('nsslapd-directory'))
+ except ldap.LDAPError, e:
+ self.__handle_errors(e, **{})
+
 def __str__(self):
 return self.host + ":" + str(self.port)
@@ -328,6 +343,7 @@ class IPAdmin(SimpleLDAPObject):
 self.binddn = binddn
 self.bindpwd = bindpw
 self.simple_bind_s(binddn, bindpw)
+ self.__lateinit()
 def getEntry(self,*args):
 """This wraps the search function. It is common to just get one entry"""
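Review bot: `remove_file` catches every `OSError` and, with the default `ignore_errors=True`, drops all of them — permission errors and attempts to remove a directory included — when the only error a best-effort cleanup should tolerate is a missing file; testing `e.errno` against `errno.ENOENT` (importing `errno` if the file does not already) keeps the best-effort semantics without hiding real failures. In the re-raise branch `raise e` discards the original traceback under Python 2, so change `raise e` to a bare `raise`. A one-line docstring such as `"""Remove fname; with ignore_errors (the default) a failure to remove it is silently ignored."""` would document the default that every caller in this commit depends on.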
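Review bot: `__lateinit` only assigns `self.dbdir` when the search of `cn=config,cn=ldbm database,cn=plugins,cn=config` succeeds; if `__handle_errors` returns instead of raising, the attribute is never created and a later reader gets `AttributeError` rather than a clear failure, so set `self.dbdir = None` before the `try` (or in `__init__`, which is outside the hunk). Because the `@@ -328` hunk calls `__lateinit` from every `simple_bind_s`, a bind as an identity without read access to `cn=config` would now be turned into an error by `__handle_errors` — presumably fine for the installer's Directory Manager binds, but the docstring should say that the bound identity must be able to read the ldbm config entry. `os.path.dirname` is used while `os` is not among the imports visible in the `@@ -27` hunk; confirm it is imported earlier in ipaldap.py.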
@@ -569,6 +585,48 @@ class IPAdmin(SimpleLDAPObject):
 if callable(attr):
 setattr(self, name, wrapper(attr, name))
+ def waitForEntry(self, dn, timeout=7200, attr='', quiet=True):
+ scope = ldap.SCOPE_BASE
+ filter = "(objectclass=*)"
+ attrlist = []
+ if attr:
+ filter = "(%s=*)" % attr
+ attrlist.append(attr)
+ timeout += int(time.time())
+
+ if isinstance(dn,Entry):
+ dn = dn.dn
+
+ # wait for entry and/or attr to show up
+ if not quiet:
+ sys.stdout.write("Waiting for %s %s:%s " % (self,dn,attr))
+ sys.stdout.flush()
+ entry = None
+ while not entry and int(time.time()) < timeout:
+ try:
+ entry = self.getEntry(dn, scope, filter, attrlist)
+ except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
+ pass # found entry, but no attr
+ except ldap.NO_SUCH_OBJECT:
+ pass # no entry yet
+ except ldap.LDAPError, e: # badness
+ print "\nError reading entry", dn, e
+ break
+ if not entry:
+ if not quiet:
+ sys.stdout.write(".")
+ sys.stdout.flush()
+ time.sleep(1)
+
+ if not entry and int(time.time()) > timeout:
+ print "\nwaitForEntry timeout for %s for %s" % (self,dn)
+ elif entry and not quiet:
+ print "\nThe waited for entry is:", entry
+ elif not entry:
+ print "\nError: could not read entry %s from %s" % (dn,self)
+
+ return entry
+
 def normalizeDN(dn):
 # not great, but will do until we use a newer version of python-ldap
 # that has DN utilities |
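Review bot: `waitForEntry` reports the wrong outcome when the clock lands exactly on the deadline: the loop stops once `int(time.time()) < timeout` is false, but the post-loop check uses `> timeout`, so at equality the `elif not entry` branch prints "could not read entry" instead of the timeout message; using `>= timeout` in the post-loop test (or recording why the loop exited) makes the two consistent. The method is a new public entry point with four parameters and no docstring; a short one should state that `timeout` is in seconds and is converted to an absolute deadline, that a non-empty `attr` waits for that attribute rather than the entry, that `dn` may be an `Entry`, and that `None` is returned both on timeout and after any `LDAPError` other than not-found, which is printed rather than raised. `filter` shadows the builtin, and `sys`, `Entry` and `ipaerror` are used without appearing in the `@@ -27` import hunk, so confirm they are in scope. The enclosing class `IPAdmin` continues past this hunk.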