Let the framework be able to override the hostname.

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052

8 files changed, 32 insertions, 24 deletions

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 16f849567..3feb2a93d 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -447,6 +447,7 @@ def main():
     try:
         fd = open("/etc/ipa/default.conf", "w")
         fd.write("[global]\n")
+        fd.write("host=" + config.host_name + "\n")
         fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
         fd.write("realm=" + config.realm_name + "\n")
         fd.write("domain=" + config.domain_name + "\n")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 019dfb1aa..09cc8a099 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -680,6 +680,7 @@ def main():
     try:
         fd = open("/etc/ipa/default.conf", "w")
         fd.write("[global]\n")
+        fd.write("host=" + host_name + "\n")
         fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
         fd.write("realm=" + realm_name + "\n")
         fd.write("domain=" + domain_name + "\n")
@@ -920,7 +921,7 @@ def main():
 
     # Call client install script
     try:
-        run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name])
+        run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name])
     except Exception, e:
         sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
 
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 4ce26069c..01b88a549 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -71,7 +71,7 @@ def emit_err(err):
     sys.stderr.write(err + '\n')
 
 def get_config():
-    base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (socket.gethostname(),
+    base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (api.env.host,
                                                   api.env.basedn)
     srcfilter = '(ipaConfigString=enabledService)'
     attrs = ['cn', 'ipaConfigString']
diff --git a/ipalib/config.py b/ipalib/config.py
index 888785a26..410e5f0b2 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -447,7 +447,6 @@ class Env(object):
         self.__doing('_bootstrap')
 
         # Set run-time variables (cannot be overridden):
-        self.host = getfqdn()
         self.ipalib = path.dirname(path.abspath(__file__))
         self.site_packages = path.dirname(self.ipalib)
         self.script = path.abspath(sys.argv[0])
@@ -550,9 +549,6 @@ class Env(object):
         if 'log' not in self:
             self.log = self._join('logdir', '%s.log' % self.context)
 
-        # FIXME: move into ca plugin
-        if 'ca_host' not in self:
-            self.ca_host = self.host
         self._merge(**defaults)
 
     def _finalize(self, **lastchance):
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 202f5fa93..23e80257d 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -21,6 +21,14 @@
 """
 All constants centralised in one file.
 """
+import socket
+try:
+    FQDN = socket.getfqdn()
+except:
+    try:
+        FQDN = socket.gethostname()
+    except:
+        FQDN = None
 
 # The parameter system treats all these values as None:
 NULLS = (None, '', u'', tuple(), [])
@@ -127,7 +135,7 @@ DEFAULT_CONFIG = (
     ('mode', 'production'),
 
     # CA plugin:
-    ('ca_host', object),  # Set in Env._finalize_core()
+    ('ca_host', FQDN),  # Set in Env._finalize_core()
     ('ca_port', 9180),
     ('ca_agent_port', 9443),
     ('ca_ee_port', 9444),
@@ -160,7 +168,7 @@ DEFAULT_CONFIG = (
     # raised.
 
     # Non-overridable vars set in Env._bootstrap():
-    ('host', object),
+    ('host', FQDN),
     ('ipalib', object),  # The directory containing ipalib/__init__.py
     ('site_packages', object),  # The directory contaning ipalib
     ('script', object),  # sys.argv[0]
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 001e6eb09..928d01e47 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -519,7 +519,6 @@ class CAInstance(service.Service):
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
-            self.step("restarting certificate server", self.__restart_instance)
             if not self.clone:
                 self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
             self.step("creating RA agent certificate database", self.__create_ra_agent_db)
@@ -557,7 +556,7 @@ class CAInstance(service.Service):
                 '-redirect', 'conf=/etc/pki-ca',
                 '-redirect', 'logs=/var/log/pki-ca',
         ]
-        ipautil.run(args)
+        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
 
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
@@ -673,7 +672,7 @@ class CAInstance(service.Service):
             # Define the things we don't want logged
             nolog = (self.admin_password, self.dm_password,)
 
-            ipautil.run(args, nolog=nolog)
+            ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
         except ipautil.CalledProcessError, e:
             logging.critical("failed to configure ca instance %s" % e)
             raise RuntimeError('Configuration of CA failed')
@@ -683,11 +682,22 @@ class CAInstance(service.Service):
             print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
             sys.exit(0)
 
+        # Turn off Nonces (again)
+        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+            raise RuntimeError("Disabling nonces failed")
+        pent = pwd.getpwnam(PKI_USER)
+        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
+        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
+        # it a lousy name.
+        if ipautil.file_exists("/root/tmp-ca.p12"):
+            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
+
         try:
             # After configuration the service is running and configured
             # but must be restarted for configuration to take effect.
             # The service status in this case will be 4.
-            self.restart()
+            self.__restart_instance()
         except ipautil.CalledProcessError, e:
             logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
             raise RuntimeError('Restarting CA after pkisilent configuration failed')
@@ -702,17 +712,6 @@ class CAInstance(service.Service):
 
         logging.debug("completed creating ca instance")
 
-        # Turn off Nonces (again)
-        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
-            raise RuntimeError("Disabling nonces failed")
-        pent = pwd.getpwnam(PKI_USER)
-        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
-        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
-        # it a lousy name.
-        if ipautil.file_exists("/root/tmp-ca.p12"):
-            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
-
     def __restart_instance(self):
         try:
             self.restart()
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index e4cc72de5..c37525203 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -160,6 +160,8 @@ def get_schema(url, conn=None):
 
         if conn is None:
             conn = _ldap.initialize(url)
+            if url.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             conn.sasl_interactive_bind_s('', SASL_AUTH)
 
         schema_entry = conn.search_s(
@@ -321,6 +323,8 @@ class ldap2(CrudBackend, Encoder):
 
         try:
             conn = _ldap.initialize(self.ldap_uri)
+            if self.ldap_uri.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             if ccache is not None:
                 os.environ['KRB5CCNAME'] = ccache
                 conn.sasl_interactive_bind_s('', SASL_AUTH)
diff --git a/tests/test_ipalib/test_config.py b/tests/test_ipalib/test_config.py
index 97d7548fe..e729a6284 100644
--- a/tests/test_ipalib/test_config.py
+++ b/tests/test_ipalib/test_config.py
@@ -441,7 +441,6 @@ class test_Env(ClassChecker):
         (o, home) = self.new()
         o._bootstrap()
         ipalib = path.dirname(path.abspath(config.__file__))
-        assert o.host == socket.gethostname()
         assert o.ipalib == ipalib
         assert o.site_packages == path.dirname(ipalib)
         assert o.script == path.abspath(sys.argv[0])