author | Rob Crittenden <rcritten@redhat.com> | 2008-02-05 12:23:53 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-05 12:23:53 -0500 |
commit | 5a96618f5d31b21b983076ccc4c480561a7ccb2a (patch) | |
tree | ecc32810d350b0d871cb18c4eb07f989b4b5b879 /ipa-server/ipa-install/ipa-replica-prepare | |
parent | 25057816a560064298357d29228c5a4e01466b7c (diff) | |
Use file to store the current CA serial number
No longer create a PKCS#12 file that contains the CA
No longer send the entire CA to each replica, generate the SSL certs on master
Fix a number of bugs in ipa-replica-install and prepare
Produce status output during replica creation
Diffstat (limited to 'ipa-server/ipa-install/ipa-replica-prepare')
-rw-r--r-- | ipa-server/ipa-install/ipa-replica-prepare | 89 |
1 files changed, 74 insertions, 15 deletions
diff --git a/ipa-server/ipa-install/ipa-replica-prepare b/ipa-server/ipa-install/ipa-replica-prepare index ba8455588..54f507dcc 100644 --- a/ipa-server/ipa-install/ipa-replica-prepare +++ b/ipa-server/ipa-install/ipa-replica-prepare @@ -21,12 +21,30 @@ import sys import logging, tempfile, shutil, os, pwd +import traceback from ConfigParser import SafeConfigParser import krbV +from optparse import OptionParser +import ipa.config from ipa import ipautil from ipaserver import dsinstance, installutils, certs +def usage(): + print "ipa-replica-prepate FQDN (e.g. replica.example.com)" + sys.exit(1) + +def parse_options(): + parser = OptionParser() + + args = ipa.config.init_config(sys.argv) + options, args = parser.parse_args(args) + + if len(args) != 2: + parser.error("must provide the fully-qualified name of the replica") + + return options, args + def get_host_name(): hostname = installutils.get_fqdn() try: 
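Review bot: The new usage() prints a misspelled program name, `ipa-replica-prepate`, and as far as this hunk shows it is never called, because parse_options() reports the missing argument through parser.error() instead. Either delete usage() or fold its text into the parser so `--help` also describes the positional argument: `parser = OptionParser(usage="%prog FQDN (e.g. replica.example.com)")`. parse_options() also deserves a one-line docstring noting that args[0] is the program name returned by ipa.config.init_config(), which is why the check is `len(args) != 2` rather than 1.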
@@ -42,22 +60,31 @@ def get_realm_name(): return c.default_realm def check_ipa_configuration(realm_name): - config_dir = dsinstance.config_dirname(realm_name) + config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) if not ipautil.dir_exists(config_dir): logging.error("could not find directory instance: %s" % config_dir) sys.exit(1) -def export_certdb(ds_dir, dir): - ds_cdb = certs.CertDB(ds_dir) - - pkcs12_fname = dir + "/cacert.p12" +def export_certdb(realm_name, ds_dir, dir, fname, subject): + """realm is the kerberos realm for the IPA server. + ds_dir is the location of the master DS we are creating a replica for. + dir is the location of the files for the replica we are creating. + fname is the filename of the PKCS#12 file for this cert (minus the .p12). + subject is the subject of the certificate we are creating + """ + ds_ca = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) + ca = certs.CertDB(dir) + ca.create_from_cacert(ds_ca.cacert_fname) + ca.create_server_cert("Server-Cert", subject, ds_ca) + + pkcs12_fname = dir + "/" + fname + ".p12" passwd_fname = dir + "/pwdfile.txt" fd = open(passwd_fname, "w") fd.write("\n") fd.close() try: - ds_cdb.export_pkcs12(pkcs12_fname, passwd_fname) + ca.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert") except ipautil.CalledProcessError, e: print "error exporting CA certificate: " + str(e) try: @@ -66,6 +93,9 @@ def export_certdb(ds_dir, dir): except: pass + os.unlink(dir + "/cert8.db") + os.unlink(dir + "/key3.db") + os.unlink(dir + "/secmod.db") def get_ds_user(ds_dir): uid = os.stat(ds_dir).st_uid 
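Review bot: The new export_certdb() signature keeps `ds_dir` but the body never reads it, because the master's NSS database is now located from `realm_name` via realm_to_serverid(); drop the parameter or use it, and fix the docstring, which calls the first parameter `realm` rather than `realm_name`. The error message in the except branch is now stale: the call exports the freshly created "Server-Cert", not the CA, so it should read `print "error exporting server certificate: " + str(e)`. Note too that the PKCS#12 holding the replica's server private key is protected only by the empty password written to pwdfile.txt, so the confidentiality of that key rests entirely on the permissions of the directory and of the archive built later in main(); a comment stating that assumption here would help the next maintainer. The rest of export_certdb's body is in the following hunk.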
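Review bot: The three os.unlink() calls added at the end of export_certdb() run unconditionally, so after a failed export (the except branch just above them) they either remove the database that would help diagnose the failure or raise OSError themselves if the earlier cleanup already removed files. Guard them, or move them into the success path, and say why they exist; presumably the function is called twice on the same directory from main() and each call rebuilds the NSS database, so a comment such as `# remove the NSS db so the next export starts fresh and the key db is not shipped to the replica` would make that explicit. The unlinks also leave pwdfile.txt in place; whether the replica side needs it is not visible here and should be confirmed.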
@@ -83,31 +113,60 @@ def save_config(dir, realm_name, host_name, ds_user): config.write(fd) def copy_files(realm_name, dir): - shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") + config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) + try: + shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") + shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html") + shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar") + shutil.copy(config_dir + "/cacert.asc", dir + "/ca.crt") + except Exception, e: + print "error copying files: " + str(e) + sys.exit(1) def main(): + options, args = parse_options() + + replica_fqdn = args[1] + realm_name = get_realm_name() + check_ipa_configuration(realm_name) + host_name = get_host_name() ds_dir = dsinstance.config_dirname(realm_name) ds_user = get_ds_user(ds_dir) - check_ipa_configuration(realm_name) + print "Preparing replica for %s from %s" % (replica_fqdn, host_name) top_dir = tempfile.mkdtemp("ipa") dir = top_dir + "/realm_info" os.mkdir(dir, 0700) - export_certdb(ds_dir, dir) + print "Creating SSL certificate for the Directory Server" + export_certdb(realm_name, ds_dir, dir, "dscert", "cn=%s,ou=Fedora Directory Server" % replica_fqdn) + print "Creating SSL certificate for the Web Server" + export_certdb(realm_name, ds_dir, dir, "httpcert", "cn=%s,ou=Apache Web Server" % replica_fqdn) + print "Copying additional files" copy_files(realm_name, dir) + print "Finalizing configuration" save_config(dir, realm_name, host_name, ds_user) + print "Packaging the replica into %s" % "replica-info-" + realm_name ipautil.run(["/bin/tar", "cfz", "replica-info-" + realm_name, "-C", top_dir, "realm_info"]) shutil.rmtree(dir) -main() - - - - - +try: + if not os.geteuid()==0: + sys.exit("\nYou must be root to run this script.\n") + if not ipautil.file_exists("/usr/share/ipa/serial"): + sys.exist("The replica must be created on the primary IPA server.") + + main() 
+except Exception, e: + print "preparation of replica failed: %s" % str(e) + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + print message + sys.exit(1) |
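Review bot: The guard for the serial file calls `sys.exist(...)`, which does not exist; the resulting AttributeError is caught by the surrounding `except Exception` and the user sees "preparation of replica failed: ..." instead of the intended message. It should be `sys.exit("The replica must be created on the primary IPA server.")`. In main(), `ds_dir = dsinstance.config_dirname(realm_name)` still passes the raw realm while check_ipa_configuration() and copy_files() in this commit switched to `dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))`, so get_ds_user() may stat the wrong path; make it consistent. Finally, the archive `replica-info-<realm>` now contains server private keys in PKCS#12 files with an empty password, yet it is created by tar with the caller's default umask and only `dir` (not `top_dir`) is removed, and only on success; chmod the archive to 0600 after ipautil.run() and remove `top_dir` in a `finally` so key material is not left world-readable in the working directory or in /tmp. The variable name `str` in the traceback loop also shadows the builtin used two lines earlier.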