summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-06-23 02:06:49 -0400
committerRob Crittenden <rcritten@redhat.com>2011-06-23 02:11:34 -0400
commit8810758c11df8afb5fb7ddf97a71c55a431edfd2 (patch)
tree15065108a07fcd2d22527691b268b61a66b33fee
parent975e2bfa2b48c60bba99e2f2e4f106e031230bd3 (diff)
downloadfreeipa-8810758c11df8afb5fb7ddf97a71c55a431edfd2.zip
freeipa-8810758c11df8afb5fb7ddf97a71c55a431edfd2.tar.gz
freeipa-8810758c11df8afb5fb7ddf97a71c55a431edfd2.tar.xz
Let the framework be able to override the hostname.
The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
-rwxr-xr-xinstall/tools/ipa-replica-install1
-rwxr-xr-xinstall/tools/ipa-server-install3
-rwxr-xr-xinstall/tools/ipactl2
-rw-r--r--ipalib/config.py4
-rw-r--r--ipalib/constants.py12
-rw-r--r--ipaserver/install/cainstance.py29
-rw-r--r--ipaserver/plugins/ldap2.py4
-rw-r--r--tests/test_ipalib/test_config.py1
8 files changed, 32 insertions, 24 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 16f8495..3feb2a9 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -447,6 +447,7 @@ def main():
try:
fd = open("/etc/ipa/default.conf", "w")
fd.write("[global]\n")
+ fd.write("host=" + config.host_name + "\n")
fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
fd.write("realm=" + config.realm_name + "\n")
fd.write("domain=" + config.domain_name + "\n")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 019dfb1..09cc8a0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -680,6 +680,7 @@ def main():
try:
fd = open("/etc/ipa/default.conf", "w")
fd.write("[global]\n")
+ fd.write("host=" + host_name + "\n")
fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
fd.write("realm=" + realm_name + "\n")
fd.write("domain=" + domain_name + "\n")
@@ -920,7 +921,7 @@ def main():
# Call client install script
try:
- run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name])
+ run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name])
except Exception, e:
sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 4ce2606..01b88a5 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -71,7 +71,7 @@ def emit_err(err):
sys.stderr.write(err + '\n')
def get_config():
- base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (socket.gethostname(),
+ base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (api.env.host,
api.env.basedn)
srcfilter = '(ipaConfigString=enabledService)'
attrs = ['cn', 'ipaConfigString']
diff --git a/ipalib/config.py b/ipalib/config.py
index 888785a..410e5f0 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -447,7 +447,6 @@ class Env(object):
self.__doing('_bootstrap')
# Set run-time variables (cannot be overridden):
- self.host = getfqdn()
self.ipalib = path.dirname(path.abspath(__file__))
self.site_packages = path.dirname(self.ipalib)
self.script = path.abspath(sys.argv[0])
@@ -550,9 +549,6 @@ class Env(object):
if 'log' not in self:
self.log = self._join('logdir', '%s.log' % self.context)
- # FIXME: move into ca plugin
- if 'ca_host' not in self:
- self.ca_host = self.host
self._merge(**defaults)
def _finalize(self, **lastchance):
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 202f5fa..23e8025 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -21,6 +21,14 @@
"""
All constants centralised in one file.
"""
+import socket
+try:
+ FQDN = socket.getfqdn()
+except:
+ try:
+ FQDN = socket.gethostname()
+ except:
+ FQDN = None
# The parameter system treats all these values as None:
NULLS = (None, '', u'', tuple(), [])
@@ -127,7 +135,7 @@ DEFAULT_CONFIG = (
('mode', 'production'),
# CA plugin:
- ('ca_host', object), # Set in Env._finalize_core()
+ ('ca_host', FQDN), # Set in Env._finalize_core()
('ca_port', 9180),
('ca_agent_port', 9443),
('ca_ee_port', 9444),
@@ -160,7 +168,7 @@ DEFAULT_CONFIG = (
# raised.
# Non-overridable vars set in Env._bootstrap():
- ('host', object),
+ ('host', FQDN),
('ipalib', object), # The directory containing ipalib/__init__.py
('site_packages', object), # The directory contaning ipalib
('script', object), # sys.argv[0]
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 001e6eb..928d01e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -519,7 +519,6 @@ class CAInstance(service.Service):
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
- self.step("restarting certificate server", self.__restart_instance)
if not self.clone:
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
@@ -557,7 +556,7 @@ class CAInstance(service.Service):
'-redirect', 'conf=/etc/pki-ca',
'-redirect', 'logs=/var/log/pki-ca',
]
- ipautil.run(args)
+ ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
def __enable(self):
self.backup_state("enabled", self.is_enabled())
@@ -673,7 +672,7 @@ class CAInstance(service.Service):
# Define the things we don't want logged
nolog = (self.admin_password, self.dm_password,)
- ipautil.run(args, nolog=nolog)
+ ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
except ipautil.CalledProcessError, e:
logging.critical("failed to configure ca instance %s" % e)
raise RuntimeError('Configuration of CA failed')
@@ -683,11 +682,22 @@ class CAInstance(service.Service):
print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
sys.exit(0)
+ # Turn off Nonces (again)
+ if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+ raise RuntimeError("Disabling nonces failed")
+ pent = pwd.getpwnam(PKI_USER)
+ os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
+ # pkisilent makes a copy of the CA PKCS#12 file for us but gives
+ # it a lousy name.
+ if ipautil.file_exists("/root/tmp-ca.p12"):
+ shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
+
try:
# After configuration the service is running and configured
# but must be restarted for configuration to take effect.
# The service status in this case will be 4.
- self.restart()
+ self.__restart_instance()
except ipautil.CalledProcessError, e:
logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
raise RuntimeError('Restarting CA after pkisilent configuration failed')
@@ -702,17 +712,6 @@ class CAInstance(service.Service):
logging.debug("completed creating ca instance")
- # Turn off Nonces (again)
- if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
- raise RuntimeError("Disabling nonces failed")
- pent = pwd.getpwnam(PKI_USER)
- os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
- # pkisilent makes a copy of the CA PKCS#12 file for us but gives
- # it a lousy name.
- if ipautil.file_exists("/root/tmp-ca.p12"):
- shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
-
def __restart_instance(self):
try:
self.restart()
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index e4cc72d..c375252 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -160,6 +160,8 @@ def get_schema(url, conn=None):
if conn is None:
conn = _ldap.initialize(url)
+ if url.startswith('ldapi://'):
+ conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
conn.sasl_interactive_bind_s('', SASL_AUTH)
schema_entry = conn.search_s(
@@ -321,6 +323,8 @@ class ldap2(CrudBackend, Encoder):
try:
conn = _ldap.initialize(self.ldap_uri)
+ if self.ldap_uri.startswith('ldapi://'):
+ conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
if ccache is not None:
os.environ['KRB5CCNAME'] = ccache
conn.sasl_interactive_bind_s('', SASL_AUTH)
diff --git a/tests/test_ipalib/test_config.py b/tests/test_ipalib/test_config.py
index 97d7548..e729a62 100644
--- a/tests/test_ipalib/test_config.py
+++ b/tests/test_ipalib/test_config.py
@@ -441,7 +441,6 @@ class test_Env(ClassChecker):
(o, home) = self.new()
o._bootstrap()
ipalib = path.dirname(path.abspath(config.__file__))
- assert o.host == socket.gethostname()
assert o.ipalib == ipalib
assert o.site_packages == path.dirname(ipalib)
assert o.script == path.abspath(sys.argv[0])