author | Tomas Babej <tbabej@redhat.com> | 2015-05-14 10:49:55 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-05-26 11:59:47 +0000 |
commit | f3010498af2a4b98512d219b8e09101176c172fe (patch) | |
tree | d62ef1b1e718abb0c8565ca84371c2d488686761 /install | |
parent | 9eedffdfa62b4fa64244f048969b45b27a995c7a (diff) | |
download | freeipa-f3010498af2a4b98512d219b8e09101176c172fe.tar.gz freeipa-f3010498af2a4b98512d219b8e09101176c172fe.tar.xz freeipa-f3010498af2a4b98512d219b8e09101176c172fe.zip |
Add Domain Level feature
https://fedorahosted.org/freeipa/ticket/5018
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/share/72domainlevels.ldif | 6 | ||||
-rw-r--r-- | install/share/Makefile.am | 2 | ||||
-rw-r--r-- | install/share/domainlevel.ldif | 7 | ||||
-rw-r--r-- | install/share/master-entry.ldif | 6 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 32 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 22 | ||||
-rw-r--r-- | install/updates/72-domainlevels.update | 14 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 |
8 files changed, 81 insertions, 9 deletions
diff --git a/install/share/72domainlevels.ldif b/install/share/72domainlevels.ldif
new file mode 100644
index 000000000..184e1cb22
--- /dev/null
+++ b/install/share/72domainlevels.ldif
@@ -0,0 +1,6 @@
+dn: cn=schema
+attributeTypes: (2.16.840.1.113730.3.8.19.2.1 NAME 'ipaDomainLevel' DESC 'Domain Level value' EQUALITY numericStringMatch ORDERING numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN 'IPA v4')
+attributeTypes: (2.16.840.1.113730.3.8.19.2.2 NAME 'ipaMinDomainLevel' DESC 'Minimal supported Domain Level value' EQUALITY numericStringMatch ORDERING numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN 'IPA v4')
+attributeTypes: (2.16.840.1.113730.3.8.19.2.3 NAME 'ipaMaxDomainLevel' DESC 'Maximal supported Domain Level value' EQUALITY numericStringMatch ORDERING numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN 'IPA v4')
+objectClasses: (2.16.840.1.113730.3.8.19.1.1 NAME 'ipaDomainLevelConfig' SUP ipaConfigObject AUXILIARY DESC 'Domain Level Configuration' MUST (ipaDomainLevel) X-ORIGIN 'IPA v4')
+objectClasses: (2.16.840.1.113730.3.8.19.1.2 NAME 'ipaSupportedDomainLevelConfig' SUP ipaConfigObject AUXILIARY DESC 'Supported Domain Level Configuration' MUST (ipaMinDomainLevel $ ipaMaxDomainLevel) X-ORIGIN 'IPA v4')
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index c39352caa..8d336690f 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -22,6 +22,7 @@ app_DATA = \
 70ipaotp.ldif \
 70topology.ldif \
 71idviews.ldif \
+ 72domainlevels.ldif \
 anonymous-vlv.ldif \
 bootstrap-template.ldif \
 caJarSigningCert.cfg.template \
@@ -34,6 +35,7 @@ app_DATA = \
 ds-nfiles.ldif \
 dns.ldif \
 dnssec.ldif \
+ domainlevel.ldif \
 kerberos.ldif \
 indices.ldif \
 bind.named.conf.template \
diff --git a/install/share/domainlevel.ldif b/install/share/domainlevel.ldif
new file mode 100644
index 000000000..21ed6a473
--- /dev/null
+++ b/install/share/domainlevel.ldif
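Review bot: All three attributeTypes in 72domainlevels.ldif declare `ORDERING numericStringMatch`, but numericStringMatch is the equality rule; RFC 4517 defines `numericStringOrderingMatch` (2.5.13.9) for ordering, so an ordering filter on ipaDomainLevel may be rejected or silently ignored depending on how strictly the directory server validates the schema. The rest of this commit treats the level as an int (the `type=int` option and the `<`/`>` comparisons in the installers), so integer syntax would also match how the value is actually used: `EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`. Whichever syntax is kept, the ordering rule named should be one defined for it.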
@@ -0,0 +1,7 @@
+# Create default Domain Level for new masters
+dn: cn=Domain Level,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: ipaDomainLevelConfig
+ipaDomainLevel: $DOMAIN_LEVEL
diff --git a/install/share/master-entry.ldif b/install/share/master-entry.ldif
index 34e5b3443..321b8c368 100644
--- a/install/share/master-entry.ldif
+++ b/install/share/master-entry.ldif
@@ -3,5 +3,9 @@ changetype: add
 objectclass: top
 objectclass: nsContainer
 objectclass: ipaReplTopoManagedServer
-ipaReplTopoManagedSuffix: $SUFFIX
+objectClass: ipaConfigObject
+objectClass: ipaSupportedDomainLevelConfig
 cn: $FQDN
+ipaReplTopoManagedSuffix: $SUFFIX
+ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
+ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c75848b1a..1df782b73 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -43,7 +43,7 @@ from ipaserver.install import cainstance
 from ipaserver.install import kra
 from ipaserver.install import dns as dns_installer
 from ipalib import api, create_api, errors, util, certstore, x509
-from ipalib.constants import CACERT
+from ipalib import constants
 from ipapython import version
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
@@ -224,12 +224,12 @@ def install_ca_cert(ldap, base_dn, realm, cafile):
 try:
 certs = certstore.get_ca_certs(ldap, base_dn, realm, False)
 except errors.NotFound:
- shutil.copy(cafile, CACERT)
+ shutil.copy(cafile, constants.CACERT)
 else:
 certs = [c[0] for c in certs if c[2] is not False]
- x509.write_certificate_list(certs, CACERT)
+ x509.write_certificate_list(certs, constants.CACERT)
- os.chmod(CACERT, 0444)
+ os.chmod(constants.CACERT, 0444)
 except Exception, e:
 print "error copying files: " + str(e)
 sys.exit(1)
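Review bot: The two objectClass lines added to master-entry.ldif are spelled `objectClass` while the three lines already in the same entry use `objectclass`; attribute type names are case-insensitive in LDAP, so this is a point of style only, but mixing both spellings inside one five-line entry makes the template harder to grep and review. I would use one spelling for all of them, e.g. `objectclass: ipaConfigObject` and `objectclass: ipaSupportedDomainLevelConfig`, matching the existing lines. The removal and re-addition of `ipaReplTopoManagedSuffix: $SUFFIX` is a pure move and changes nothing.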
@@ -569,6 +569,30 @@ def main():
 print " %% ipa-replica-manage del %s --force" % config.host_name
 exit(3)
+ # Detect the current domain level
+ try:
+ current = remote_api.Command['domainlevel_get']()['result']
+ except errors.NotFound:
+ # If we're joining an older master, domain entry is not
+ # available
+ current = 0
+
+ # Detect if current level is out of supported range
+ # for this IPA version
+ under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
+ above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
+
+ if under_lower_bound or above_upper_bound:
+ message = ("This version of FreeIPA does not support "
+ "the Domain Level which is currently set for "
+ "this domain. The Domain Level needs to be "
+ "raised before installing a replica with "
+ "this version is allowed to be installed "
+ "within this domain.")
+ root_logger.error(message)
+ print(message)
+ exit(3)
+
 # Check pre-existing host entry
 try:
 entry = conn.find_entries(u'fqdn=%s' % config.host_name, ['fqdn'], DN(api.env.container_host, api.env.basedn))
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 9bb8955dc..c7d7c7bff 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -70,7 +70,7 @@ from ipapython import sysrestore
 from ipapython.ipautil import *
 from ipapython import ipautil
 from ipapython import dogtag
-from ipalib import api, errors, util, x509
+from ipalib import api, errors, util, x509, constants
 from ipapython.config import IPAOptionParser
 from ipalib.util import validate_domain_name
 from ipalib.constants import CACERT
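Review bot: The message built under `if under_lower_bound or above_upper_bound:` tells the administrator to raise the Domain Level in both cases, but when `above_upper_bound` is true the domain is already above this replica's `constants.MAX_DOMAIN_LEVEL`, raising it further cannot help, and the only remedy is a newer IPA on the host being installed; the sentence is also garbled ("needs to be raised before installing a replica with this version is allowed to be installed"). I would build one message per case and include `current` and the violated bound so the printed number is actionable, as below. Separately, the `except errors.NotFound` branch is commented as covering an older master, but I cannot tell from this hunk whether forwarding `domainlevel_get` to a master that does not know the command surfaces as NotFound rather than some other error type; that is worth confirming against the RPC error mapping, because any other exception here aborts the install with a traceback instead of the intended level-0 fallback. main() starts and ends outside this hunk.

```python
    if under_lower_bound or above_upper_bound:
        if under_lower_bound:
            message = ("The Domain Level of this domain is %s, but this "
                       "version of FreeIPA requires at least %s. Raise the "
                       "Domain Level before installing this replica."
                       % (current, constants.MIN_DOMAIN_LEVEL))
        else:
            message = ("The Domain Level of this domain is %s, but this "
                       "version of FreeIPA supports at most %s. Install a "
                       "newer version of FreeIPA on this host before adding "
                       "it as a replica."
                       % (current, constants.MAX_DOMAIN_LEVEL))
        # … unchanged: root_logger.error(message), print(message), exit(3) …
```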
@@ -176,6 +176,8 @@ def parse_options():
 help="create home directories for users " "on their first login")
 basic_group.add_option("--hostname", dest="host_name", help="fully qualified name of server")
+ basic_group.add_option("--domain-level", dest="domainlevel", help="IPA domain level",
+ default=constants.MAX_DOMAIN_LEVEL, type=int)
 basic_group.add_option("--ip-address", dest="ip_addresses", type="ip", ip_local=True, action="append", default=[], help="Master Server IP Address. This option can be used multiple times",
@@ -327,6 +329,15 @@ def parse_options():
 except ValueError, e:
 parser.error("invalid domain: " + unicode(e))
+ # Check that Domain Level is within the allowed range
+ if not options.uninstall:
+ if options.domainlevel < constants.MIN_DOMAIN_LEVEL:
+ parser.error("Domain Level cannot be lower than {0}"
+ .format(constants.MIN_DOMAIN_LEVEL))
+ elif options.domainlevel > constants.MAX_DOMAIN_LEVEL:
+ parser.error("Domain Level cannot be higher than {0}"
+ .format(constants.MAX_DOMAIN_LEVEL))
+
 if not options.setup_dns:
 if options.forwarders:
 parser.error("You cannot specify a --forwarder option without the --setup-dns option")
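Review bot: The help text of the new `--domain-level` option, `help="IPA domain level"`, tells the user neither which values are accepted nor what the default is, although both are fixed by the same constants that the parser.error check later in this file enforces. I would derive the help from those constants so the documentation cannot drift from the check: `help="IPA domain level (%d-%d, default: %d)" % (constants.MIN_DOMAIN_LEVEL, constants.MAX_DOMAIN_LEVEL, constants.MAX_DOMAIN_LEVEL)`. The diffstat, limited to install/, lists no change under install/tools/man, so the ipa-server-install man page presumably still needs the option documented too. parse_options() starts and ends outside this hunk.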
@@ -1143,21 +1154,24 @@ def main():
 ntp.create_instance()
 if options.dirsrv_cert_files:
- ds = dsinstance.DsInstance(fstore=fstore)
+ ds = dsinstance.DsInstance(fstore=fstore,
+ domainlevel=options.domainlevel)
 ds.create_instance(realm_name, host_name, domain_name, dm_password, dirsrv_pkcs12_info, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject, hbac_allow=not options.hbac_allow)
 else:
- ds = dsinstance.DsInstance(fstore=fstore)
+ ds = dsinstance.DsInstance(fstore=fstore,
+ domainlevel=options.domainlevel)
 ds.create_instance(realm_name, host_name, domain_name, dm_password, idstart=options.idstart, idmax=options.idmax, subject_base=options.subject, hbac_allow=not options.hbac_allow)
 else:
- ds = dsinstance.DsInstance(fstore=fstore)
+ ds = dsinstance.DsInstance(fstore=fstore,
+ domainlevel=options.domainlevel)
 ds.init_info( realm_name, host_name, domain_name, dm_password, options.subject, 1101, 1100, None)
diff --git a/install/updates/72-domainlevels.update b/install/updates/72-domainlevels.update
new file mode 100644
index 000000000..2e83c7be9
--- /dev/null
+++ b/install/updates/72-domainlevels.update
@@ -0,0 +1,14 @@
+# Create default Domain Level entry if it does not exist
+dn: cn=Domain Level,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: objectClass: ipaDomainLevelConfig
+default: ipaDomainLevel: 0
+
+# Create entry proclaiming Domain Level support of this master
+# This will update the supported Domain Levels during upgrade
+dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+add: objectClass: ipaConfigObject
+add: objectClass: ipaSupportedDomainLevelConfig
+only: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
+only: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 66f6b9d37..4e2da05d6 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
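Review bot: The three `dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel)` constructions in this hunk are now identical, and the only thing that differs between the branches is which method is then called on `ds`; a style point, but the keyword list has just grown once and three copies invite drift the next time. I would construct `ds` once, above the conditional whose header sits before this hunk (its exact condition is not visible here, so the precise spot depends on it), and leave only the `create_instance`/`init_info` calls in the branches: `ds = dsinstance.DsInstance(fstore=fstore, domainlevel=options.domainlevel)`. main() starts and ends outside this hunk.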
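Review bot: `default: ipaDomainLevel: 0` in 72-domainlevels.update pins an upgraded domain to level 0 until it is raised explicitly, while a fresh install through domainlevel.ldif starts at `$DOMAIN_LEVEL`; the asymmetry looks deliberate, but the comment only says "if it does not exist", so a later reader may "fix" the 0 to the maximum. I would state the intent in the file, e.g. `# Existing domains start at level 0 on upgrade; this update never raises the level, that is an explicit administrative step.` The second stanza's `add: objectClass:` lines presumably need to be no-ops when a freshly installed master already carries those classes from master-entry.ldif; worth confirming the updater's `add:` semantics, as this hunk does not show them.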
@@ -49,6 +49,7 @@ app_DATA = \
 61-trusts-s4u2proxy.update \
 62-ranges.update \
 71-idviews.update \
+ 72-domainlevels.update \
 90-post_upgrade_plugins.update \
 $(NULL) |