authorMartin Babinsky <mbabinsk@redhat.com>2015-03-12 16:14:22 +0100
committerTomas Babej <tbabej@redhat.com>2015-03-18 12:31:23 +0100
commit7b6bee030dac08807f254fdf58ba867c36cab23d (patch)
tree2dabcb943cbe957fbf7d950b76fc4ec70af4ba30
parenta58b77ca9cd3620201306258dd6bd05ea1c73c73 (diff)
ipa-dns-install: use STARTTLS to connect to DS
BindInstance et al. now use STARTTLS to set up a secure connection to DS during ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rwxr-xr-xinstall/tools/ipa-dns-install12
-rw-r--r--ipaserver/install/bindinstance.py11
-rw-r--r--ipaserver/install/dnskeysyncinstance.py7
-rw-r--r--ipaserver/install/odsexporterinstance.py5
-rw-r--r--ipaserver/install/opendnssecinstance.py5
-rw-r--r--ipaserver/install/service.py10
6 files changed, 33 insertions, 17 deletions
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 967057e1a..b17dafaee 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -152,7 +152,7 @@ def main():
confirm=False, validate=False)
if dm_password is None:
sys.exit("Directory Manager password required")
- bind = bindinstance.BindInstance(fstore, dm_password)
+ bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True)
# try the connection
try:
@@ -161,7 +161,8 @@ def main():
except errors.ACIError:
sys.exit("Password is not valid!")
- ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
+ ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
+ start_tls=True)
if options.dnssec_master:
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
@@ -215,10 +216,13 @@ def main():
bind.create_instance()
# on dnssec master this must be installed last
- dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
+ dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
+ start_tls=True)
dnskeysyncd.create_instance(api.env.host, api.env.realm)
if options.dnssec_master:
- ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
+ ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
+ dm_password,
+ start_tls=True)
ods_exporter.create_instance(api.env.host, api.env.realm)
ods.create_instance(api.env.host, api.env.realm)
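Review bot: The `try` closing the first hunk now also exercises the STARTTLS handshake of the `bind` connection, but the only handler visible in the next hunk is `except errors.ACIError`, which exits with "Password is not valid!"; a TLS or CA-certificate failure on the new path is not a bad password and, as far as these hunks show, would escape as a traceback. Consider a second handler for the connection-level error `IPAdmin` raises (ipalib's `errors.NetworkError`, if that is what the connect path raises) that exits with a message naming the DS connection, e.g. `except errors.NetworkError as e:` / `sys.exit("Cannot connect to Directory Server: %s" % e)`. The body of the `try` is not shown, and main() starts and ends outside these hunks.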
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 52aea74cd..679dc5b95 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -533,13 +533,16 @@ class DnsBackup(object):
class BindInstance(service.Service):
- def __init__(self, fstore=None, dm_password=None, api=api):
- service.Service.__init__(self, "named",
+ def __init__(self, fstore=None, dm_password=None, api=api,
+ start_tls=False):
+ service.Service.__init__(
+ self, "named",
service_desc="DNS",
dm_password=dm_password,
ldapi=False,
- autobind=ipaldap.AUTOBIND_DISABLED
- )
+ autobind=ipaldap.AUTOBIND_DISABLED,
+ start_tls=start_tls
+ )
self.dns_backup = DnsBackup(self)
self.named_user = None
self.domain = None
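Review bot: The new `start_tls` keyword on BindInstance.__init__ defaults to False, so any caller constructing BindInstance that this commit does not touch (none is visible here; replica or upgrade code, if it builds one, is outside the diff) keeps the previous connection path, which the service.py hunk shows is plain port 389 without TLS. Either make the secure path the default or record the opt-in with a short docstring on `__init__`, e.g. `"""start_tls: use STARTTLS for the admin connection to DS; False keeps the historical plain-LDAP path for existing callers."""`. The same default and missing documentation apply to DNSKeySyncInstance, ODSExporterInstance and OpenDNSSECInstance in the following sections. BindInstance.__init__ continues past the end of the hunk.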
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 090c87505..eb6d07f01 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -62,13 +62,14 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
class DNSKeySyncInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
- ldapi=False):
+ ldapi=False, start_tls=False):
service.Service.__init__(
self, "ipa-dnskeysyncd",
service_desc="DNS key synchronization service",
dm_password=dm_password,
- ldapi=ldapi
- )
+ ldapi=ldapi,
+ start_tls=start_tls
+ )
self.dm_password = dm_password
self.logger = logger
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index e01550446..463e9a675 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -19,13 +19,14 @@ from ipalib import errors
class ODSExporterInstance(service.Service):
- def __init__(self, fstore=None, dm_password=None):
+ def __init__(self, fstore=None, dm_password=None, start_tls=False):
service.Service.__init__(
self, "ipa-ods-exporter",
service_desc="IPA OpenDNSSEC exporter daemon",
dm_password=dm_password,
ldapi=False,
- autobind=ipaldap.AUTOBIND_DISABLED
+ autobind=ipaldap.AUTOBIND_DISABLED,
+ start_tls=start_tls
)
self.dm_password = dm_password
self.ods_uid = None
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 869cf8ffe..2a2c3126f 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -61,13 +61,14 @@ def check_inst():
class OpenDNSSECInstance(service.Service):
- def __init__(self, fstore=None, dm_password=None):
+ def __init__(self, fstore=None, dm_password=None, start_tls=False):
service.Service.__init__(
self, "ods-enforcerd",
service_desc="OpenDNSSEC enforcer daemon",
dm_password=dm_password,
ldapi=False,
- autobind=ipaldap.AUTOBIND_DISABLED
+ autobind=ipaldap.AUTOBIND_DISABLED,
+ start_tls=start_tls
)
self.dm_password = dm_password
self.ods_uid = None
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 75285cd90..5a04ef323 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -72,8 +72,9 @@ def format_seconds(seconds):
class Service(object):
- def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True,
- autobind=ipaldap.AUTOBIND_AUTO):
+ def __init__(self, service_name, service_desc=None, sstore=None,
+ dm_password=None, ldapi=True, autobind=ipaldap.AUTOBIND_AUTO,
+ start_tls=False):
self.service_name = service_name
self.service_desc = service_desc
self.service = services.service(service_name)
@@ -82,6 +83,7 @@ class Service(object):
self.dm_password = dm_password
self.ldapi = ldapi
self.autobind = autobind
+ self.start_tls = start_tls
self.fqdn = socket.gethostname()
self.admin_conn = None
@@ -107,6 +109,10 @@ class Service(object):
if not self.realm:
raise errors.NotFound(reason="realm is missing for %s" % (self))
conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
+ elif self.start_tls:
+ conn = ipaldap.IPAdmin(self.fqdn, port=389, protocol='ldap',
+ cacert=paths.IPA_CA_CRT,
+ start_tls=self.start_tls)
else:
conn = ipaldap.IPAdmin(self.fqdn, port=389)
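Review bot: The new `elif self.start_tls:` branch passes `cacert=paths.IPA_CA_CRT`, but the `else` branch below it still opens `IPAdmin(self.fqdn, port=389)` with no TLS and `start_tls` defaults to False in `__init__`, so every Service subclass that does not opt in keeps the unprotected connection; make that deliberate with `# start_tls=False keeps the historical plain-LDAP path; callers must opt in` on the `else`, and `# STARTTLS on port 389; the DS certificate is checked against the IPA CA file` on the new branch. The hunk does not show `paths` being imported in service.py; confirm it is, because the branch only runs when start_tls is True, so a missing import would surface as a NameError at connect time rather than at import. Note also that `self.ldapi` is tested first, so ldapi takes precedence over start_tls, which is worth stating in the `__init__` docstring for the new parameter. The enclosing method starts before the hunk.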