-rw-r--r-- | freeipa.spec.in | 9 | ||||
-rw-r--r-- | install/share/certmap.conf.template | 19 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 23 | ||||
-rwxr-xr-x | install/tools/ipa-csreplica-manage | 2 | ||||
-rwxr-xr-x | install/tools/ipa-replica-conncheck | 21 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 29 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 8 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 91 | ||||
-rwxr-xr-x | install/tools/ipactl | 6 | ||||
-rw-r--r-- | ipapython/dogtag.py | 12 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 105 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 14 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 7 | ||||
-rw-r--r-- | ipaserver/install/replication.py | 20 |
14 files changed, 251 insertions, 115 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 43f4a3af2..ab6c5c65e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -114,17 +114,8 @@ Requires(post): systemd-units Requires: selinux-policy >= 3.10.0-110 Requires(post): selinux-policy-base Requires: slapi-nis >= 0.44 -%if 0%{?fedora} >= 18 Requires: pki-ca >= 10.0.0-0.52.b3 Requires: dogtag-pki-server-theme -%else -Requires: pki-ca >= 9.0.18 -Requires: pki-silent >= 9.0.18 -Requires: pki-setup >= 9.0.18 -Requires: dogtag-pki-common-theme -Requires: dogtag-pki-ca-theme -Requires: tomcat6 >= 6.0.32-17 -%endif %if 0%{?rhel} Requires: subscription-manager %endif diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template index 676d3ef35..40b4e6cb1 100644 --- a/install/share/certmap.conf.template +++ b/install/share/certmap.conf.template @@ -71,12 +71,15 @@ # attr names - a comma separated list of attributes to form the filter # -certmap default default +certmap default default #default:DNComps -#default:FilterComps e, uid -#default:verifycert on -#default:CmapLdapAttr certSubjectDN -#default:library <path_to_shared_lib_or_dll> -#default:InitFn <Init function's name> -default:DNComps -default:FilterComps uid +#default:FilterComps e, uid +#default:verifycert on +#default:CmapLdapAttr certSubjectDN +#default:library <path_to_shared_lib_or_dll> +#default:InitFn <Init function's name> +default:DNComps +default:FilterComps uid +certmap ipaca CN=Certificate Authority,O=domain_name +ipaca:CmapLdapAttr seeAlso +ipaca:verifycert on diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 1c1b96a91..05dce8ae5 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install 
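Review bot: The new `ipaca` certmap entry has no comment saying what it maps, and the placeholder in `certmap ipaca CN=Certificate Authority,O=domain_name` is misleadingly named: what gets substituted is the O component of the CA issuer DN, not a DNS domain. From the rest of this series the entry appears to let the CA subsystem certificate bind as `uid=pkidbuser,ou=people,o=ipa-ca` by matching the cert subject against `seeAlso`, with `verifycert on` requiring the presented certificate to equal the entry's `userCertificate`; I would add a comment above the entry such as `# Map certificates issued by the IPA CA (the CA subsystem cert) to the entry whose seeAlso holds the cert subject; verifycert on also requires a matching userCertificate`. Note that the issuer DN only matches if the substituted value equals the CA's real subject base, which is configurable at install time with --subject, so the substituting code must use the subject base rather than the realm name.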
@@ -142,17 +142,32 @@ def main(): config.dir = dir config.setup_ca = True + portfile = config.dir + "/dogtag_directory_port.txt" + if not ipautil.file_exists(portfile): + dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT) + else: + with open(portfile) as fd: + dogtag_master_ds_port = fd.read() + if not options.skip_conncheck: - replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password) + replica_conn_check( + config.master_host_name, config.host_name, config.realm_name, True, + dogtag_master_ds_port, options.admin_password) # Configure the CA if necessary - (CA, cs) = cainstance.install_replica_ca(config, postinstall=True) + (CA, cs) = cainstance.install_replica_ca( + config, dogtag_master_ds_port, postinstall=True) # We need to ldap_enable the CA now that DS is up and running CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) - cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) - cs.add_cert_to_service() + if not dogtag.install_constants.SHARED_DB: + cs.add_simple_service('dogtagldap/%s@%s' % + (config.host_name, config.realm_name)) + cs.add_cert_to_service() + else: + CA.enable_client_auth_to_db() + CA.restart() # We need to restart apache as we drop a new config file in there ipaservices.knownservices.httpd.restart(capture_output=True) diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 5fce48a37..f2924993f 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -34,7 +34,7 @@ from ipalib import api, errors, util from ipapython.dn import DN CACERT = "/etc/ipa/ca.crt" -PORT = 7389 +PORT = dogtag.install_constants.DS_PORT # dict of command name and tuples of min/max num of args needed commands = { diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 169e9dc9f..29c43f60b 100755 
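Review bot: `dogtag_master_ds_port = fd.read()` keeps the trailing newline that ipa-replica-prepare writes with `fd.write("%s\n" % ...)`, so the value handed to replica_conn_check and, through install_replica_ca, to the pkispawn clone configuration is `"7389\n"` rather than `"7389"`. Strip and validate on read: `dogtag_master_ds_port = fd.read().strip()` (or `str(int(fd.read()))` to reject a corrupted replica file before pkispawn sees it). The fallback branch yields a str while `Dogtag9Constants.DS_PORT` is an int; pick one type and say so in a comment, since replica_conn_check compares the two. The same read-and-default block is duplicated verbatim in ipa-replica-install, so a small shared helper in ipapython.dogtag would keep them in sync.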
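Review bot: `PORT = dogtag.install_constants.DS_PORT` selects the port of the Dogtag version that would be installed on this host (pkispawn present), not the one serving the CA database that already exists; ipa-replica-prepare in this same series uses `dogtag.configured_constants().DS_PORT` for the running instance. On a host that has pki 10 packages but still runs a Dogtag 9 CA, ipa-csreplica-manage would connect to 389 instead of 7389. Suggest `PORT = dogtag.configured_constants().DS_PORT`, and confirm `dogtag` is actually imported in this tool, as its import block is outside the hunk.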
--- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -21,6 +21,7 @@ from ipapython.config import IPAOptionParser from ipapython import version from ipapython import ipautil +from ipapython import dogtag from ipapython.ipautil import CalledProcessError from ipaserver.install import installutils import ipaclient.ipachangeconf @@ -59,9 +60,6 @@ BASE_PORTS = [ CheckedPort(443, SOCK_STREAM, "HTTP Server: Secure port"), ] -CA_PORTS = [ - CheckedPort(7389, SOCK_STREAM, "PKI-CA: Directory Service port"), - ] def print_info(msg): if not QUIET: @@ -97,7 +95,8 @@ def parse_options(): common_group.add_option("-c", "--check-ca", dest="check_ca", action="store_true", default=False, - help="Check also ports for Certificate Authority") + help="Check also ports for Certificate Authority " + "(for servers installed before IPA 3.1)") common_group.add_option("", "--hostname", dest="hostname", help="The hostname of this server (FQDN). " @@ -281,7 +280,10 @@ def main(): required_ports = BASE_PORTS if options.check_ca: - required_ports.extend(CA_PORTS) + # Check old Dogtag CA replication port + # New installs with unified databases use main DS port (checked above) + required_ports.append(CheckedPort(dogtag.Dogtag9Constants.DS_PORT, + SOCK_STREAM, "PKI-CA: Directory Service port")) if options.replica: print_info("Check connection from master to remote replica '%s':" % options.replica) @@ -315,6 +317,8 @@ def main(): responder.start() RESPONDERS.append(responder) + remote_check_opts = ['--replica %s' % options.hostname] + if options.auto_master_check: (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) @@ -355,10 +359,6 @@ def main(): if returncode != 0: raise RuntimeError("Could not get ticket for master server: %s" % stderr) - remote_check_opts = ['--replica %s' % options.hostname] - if options.check_ca: - remote_check_opts.append('--check-ca') - print_info("Execute check on remote master") stderr = '' 
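Review bot: `required_ports.append(CheckedPort(dogtag.Dogtag9Constants.DS_PORT, ...))` mutates the module-level `BASE_PORTS` list, because `required_ports = BASE_PORTS` just above the hunk aliases it rather than copying; the old `extend` had the same flaw, but the new line keeps it. Use `required_ports = list(BASE_PORTS)` so a second pass in the same process does not check the CA port twice. Separately, the remote master check no longer receives `--check-ca` (the two places that appended it are deleted later in this file), so master-to-replica reachability of 7389 is no longer verified at all; if that is intended because a 3.1 replica never listens on 7389, a one-line comment next to `remote_check_opts = ['--replica %s' % options.hostname]` saying so would spare the next reader the archaeology.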
@@ -380,9 +380,6 @@ def main(): print_info("") print_info("Please run the following command on remote master:") - remote_check_opts = ['--replica %s' % options.hostname] - if options.check_ca: - remote_check_opts.append('--check-ca') print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts)) time.sleep(3600) print_info("Connection check timeout: terminating listening program") diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index e39698914..b7870fbe8 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -479,9 +479,19 @@ def main(): installutils.verify_fqdn(config.master_host_name, options.no_host_dns) + portfile = config.dir + "/dogtag_directory_port.txt" + if not ipautil.file_exists(portfile): + dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT) + else: + with open(portfile) as fd: + dogtag_master_ds_port = fd.read() + # check connection if not options.skip_conncheck: - replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.setup_ca, options.admin_password) + replica_conn_check( + config.master_host_name, config.host_name, config.realm_name, + options.setup_ca, dogtag_master_ds_port, options.admin_password) + # check replica host IP resolution config.ip = installutils.get_server_ip_address(config.host_name, fstore, True, options) 
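Review bot: `dogtag_master_ds_port = fd.read()` retains the newline written by ipa-replica-prepare, and this string is later passed through install_replica_ca into `pki_clone_replication_master_port`, so the replication configuration would receive `7389\n`; use `dogtag_master_ds_port = fd.read().strip()`. A non-numeric file should also fail here with a clear message rather than inside pkispawn, e.g. wrap `int(dogtag_master_ds_port)` in a try that calls `sys.exit("Invalid dogtag_directory_port.txt in replica file")`. The block also silently assumes a missing file means a pre-3.1 master with Dogtag 9 on 7389; state that assumption in a comment beside the `if not ipautil.file_exists(portfile)` test.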
@@ -597,21 +607,26 @@ def main(): ntp = ntpinstance.NTPInstance() ntp.create_instance() + # Configure dirsrv + ds = install_replica_ds(config) + # Configure the CA if necessary - (CA, cs) = cainstance.install_replica_ca(config) + (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port) # Always try to install DNS records install_dns_records(config, options) - # Configure dirsrv - ds = install_replica_ds(config) - # We need to ldap_enable the CA now that DS is up and running if CA and config.setup_ca: CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) - cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name)) - cs.add_cert_to_service() + if not dogtag.install_constants.SHARED_DB: + cs.add_simple_service('dogtagldap/%s@%s' % + (config.host_name, config.realm_name)) + cs.add_cert_to_service() + else: + CA.enable_client_auth_to_db() + CA.restart() krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index d67ed818e..f9d0eb646 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -209,8 +209,8 @@ def save_config(dir, realm_name, host_name, config.set("realm", "destination_host", dest_host) config.set("realm", "subject_base", str(subject_base)) config.set("realm", "version", str(version.NUM_VERSION)) - fd = open(dir + "/realm_info", "w") - config.write(fd) + with open(dir + "/realm_info", "w") as fd: + config.write(fd) def remove_file(fname, ignore_errors=True): try: 
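Review bot: Moving `ds = install_replica_ds(config)` ahead of `cainstance.install_replica_ca(...)` is load-bearing but uncommented: with `SHARED_DB` the CA clone is configured against the replica's main directory server, which therefore has to exist first. Add `# With a shared DB (Dogtag 10) the CA clone keeps o=ipaca in this DS instance, so it must be created before the CA` above the call. The `else` branch's `CA.enable_client_auth_to_db()` assumes the DS already listens with TLS on `DS_SECURE_PORT`; that holds because the replica path calls `__common_setup(True)`, but it deserves a comment since the master path relies on a separate `ds.enable_ssl()` call instead.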
@@ -371,6 +371,10 @@ def main(): except errors.CertificateOperationError, e: print "%s" % e sys.exit(1) + print "Saving dogtag Directory Server port" + port_fname = dir + "/dogtag_directory_port.txt" + with open(port_fname, "w") as fd: + fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT)) if options.http_pin: passwd = options.http_pin diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 70e5153d7..3e5d9a9d4 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -482,9 +482,11 @@ def uninstall(): print "ipa-client-install returned: " + str(e) ntpinstance.NTPInstance(fstore).uninstall() - cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants) - if cads_instance.is_configured(): - cads_instance.uninstall() + if not dogtag.install_constants.SHARED_DB: + cads_instance = cainstance.CADSInstance( + dogtag_constants=dogtag_constants) + if cads_instance.is_configured(): + cads_instance.uninstall() ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) if ca_instance.is_configured(): @@ -626,11 +628,11 @@ def main(): return uninstall() if options.external_ca: - if cainstance.CADSInstance().is_configured(): + if cainstance.is_step_one_done(): print "CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file." sys.exit(1) elif options.external_cert_file: - if not cainstance.CADSInstance().is_configured(): + if not cainstance.is_step_one_done(): # This can happen if someone passes external_ca_file without # already having done the first stage of the CA install. print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca." 
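Review bot: `if not dogtag.install_constants.SHARED_DB:` decides whether to uninstall the old PKI-IPA directory instance from the Dogtag version that would be installed on this host, while the very next line builds `CADSInstance(dogtag_constants=dogtag_constants)` from the local `dogtag_constants` that describe what is actually configured. On a box with pki 10 packages but a Dogtag 9 CA, uninstall would skip the PKI-IPA instance and leave a second directory server (and its data) running. Use `if not dogtag_constants.SHARED_DB:` here, consistent with the rest of `uninstall()`.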
@@ -913,6 +915,30 @@ def main(): if not ntp.is_configured(): ntp.create_instance() + # Create a directory server instance + ds = dsinstance.DsInstance(fstore=fstore) + + if options.dirsrv_pin: + [pw_fd, pw_name] = tempfile.mkstemp() + os.write(pw_fd, options.dirsrv_pin) + os.close(pw_fd) + + if options.dirsrv_pkcs12: + pkcs12_info = (options.dirsrv_pkcs12, pw_name) + try: + ds.create_instance(realm_name, host_name, domain_name, + dm_password, pkcs12_info, + subject_base=options.subject, + hbac_allow=not options.hbac_allow) + finally: + os.remove(pw_name) + else: + ds.create_instance(realm_name, host_name, domain_name, + dm_password, self_signed_ca=options.selfsign, + idstart=options.idstart, idmax=options.idmax, + subject_base=options.subject, + hbac_allow=not options.hbac_allow) + if options.selfsign: ca = certs.CertDB(realm_name, host_name=host_name, subject_base=options.subject) @@ -933,9 +959,13 @@ def main(): else: external = 0 - cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password) - if not cs.is_configured(): - cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject) + if not dogtag.install_constants.SHARED_DB: + cs = cainstance.CADSInstance( + host_name, realm_name, domain_name, dm_password) + if not cs.is_configured(): + cs.create_instance(realm_name, host_name, domain_name, + dm_password, subject_base=options.subject) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, dogtag_constants=dogtag.install_constants) if external == 0: 
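Review bot: The relocated block writes `options.dirsrv_pin` to a temp file via `os.write(pw_fd, options.dirsrv_pin)`, but only the `options.dirsrv_pkcs12` branch removes it in its `finally`; if the option parser permits `--dirsrv_pin` without `--dirsrv_pkcs12` (not visible here), a plaintext PIN file is left behind in the temp directory. The code is moved rather than new, but since this commit relocates it anyway, creating `pw_name` only inside the pkcs12 branch, or removing it in an outer `finally`, would close that gap. The new placement of `# Create a directory server instance` also deserves a sentence on why DS now precedes the CA, e.g. `# With SHARED_DB the CA stores its database in this instance, so it must exist before the CA is configured; TLS is enabled afterwards` (presumably because the DS server certificate comes from the CA).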
@@ -966,42 +996,25 @@ def main(): # Now put the CA cert where other instances exepct it ca.publish_ca_cert("/etc/ipa/ca.crt") - # Create a directory server instance - ds = dsinstance.DsInstance(fstore=fstore) - - if options.dirsrv_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.dirsrv_pin) - os.close(pw_fd) - - if options.dirsrv_pkcs12: - pkcs12_info = (options.dirsrv_pkcs12, pw_name) - try: - ds.create_instance(realm_name, host_name, domain_name, - dm_password, pkcs12_info, - subject_base=options.subject, - hbac_allow=not options.hbac_allow) - finally: - os.remove(pw_name) - else: - ds.create_instance(realm_name, host_name, domain_name, - dm_password, self_signed_ca=options.selfsign, - idstart=options.idstart, idmax=options.idmax, - subject_base=options.subject, - hbac_allow=not options.hbac_allow) + # we now need to enable ssl on the ds + ds.enable_ssl() + ds.restart() # We need to ldap_enable the CA now that DS is up and running if not options.selfsign: ca.ldap_enable('CA', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) - - # Turn on SSL in the dogtag LDAP instance. This will get restarted - # later, we don't need SSL now. - cs.create_certdb() - cs.enable_ssl() - # Add the IPA service for storing the PKI-IPA server certificate. - cs.add_simple_service(cs.principal) - cs.add_cert_to_service() + if not dogtag.install_constants.SHARED_DB: + # Turn on SSL in the dogtag LDAP instance. This will get restarted + # later, we don't need SSL now. + cs.create_certdb() + cs.enable_ssl() + # Add the IPA service for storing the PKI-IPA server certificate. + cs.add_simple_service(cs.principal) + cs.add_cert_to_service() + else: + ca.enable_client_auth_to_db() + ca.restart() # Create a kerberos instance if options.pkinit_pin: diff --git a/install/tools/ipactl b/install/tools/ipactl index f931a2725..e8f3f6384 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl 
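Review bot: `ds.enable_ssl()` is now called unconditionally after the CA is configured, but on the non-shared (Dogtag 9) path `DsInstance.__common_setup` still schedules the `configuring ssl for ds instance` step during `create_instance`, so a Dogtag 9 master enables SSL twice. Unless `enable_ssl` is idempotent (it creates a CertDB and handles the pkcs12 case; the rest is outside this diff), guard the call with `if dogtag.install_constants.SHARED_DB:` around `ds.enable_ssl()` and `ds.restart()`. The `# we now need to enable ssl on the ds` comment should also say why it had to wait, presumably because the DS server certificate is issued by the CA that was just set up.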
@@ -29,6 +29,7 @@ try: from ipalib import api, errors from ipapython import sysrestore from ipapython import config + from ipapython import dogtag from ipapython.dn import DN import ldap import ldap.sasl @@ -64,7 +65,10 @@ def is_dirsrv_debugging_enabled(): """ debugging = False serverid = realm_to_serverid(api.env.realm) - for dse in ['/etc/dirsrv/slapd-PKI-IPA/', config_dirname(serverid)]: + dselist = [config_dirname(serverid)] + if not dogtag.install_constants.SHARED_DB: + dselist.append('/etc/dirsrv/slapd-PKI-IPA/') + for dse in dselist: try: fd = open(dse + 'dse.ldif', 'r') except IOError: diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 5cf5a9df8..067a66afb 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -47,6 +47,8 @@ class Dogtag10Constants(object): AGENT_SECURE_PORT = 8443 EE_SECURE_PORT = 8443 AJP_PORT = 8009 + DS_PORT = 389 + DS_SECURE_PORT = 636 SPAWN_BINARY = '/usr/sbin/pkispawn' DESTROY_BINARY = '/usr/sbin/pkidestroy' @@ -64,6 +66,10 @@ class Dogtag10Constants(object): IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR + SHARED_DB = True + DS_USER = "dirsrv" + DS_NAME = "dirsrv" + class Dogtag9Constants(object): DOGTAG_VERSION = 9 @@ -71,6 +77,8 @@ class Dogtag9Constants(object): AGENT_SECURE_PORT = 9443 EE_SECURE_PORT = 9444 AJP_PORT = 9447 + DS_PORT = 7389 + DS_SECURE_PORT = 7636 SPAWN_BINARY = '/bin/pkicreate' DESTROY_BINARY = '/bin/pkisilent' @@ -92,7 +100,9 @@ class Dogtag9Constants(object): IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR - + SHARED_DB = False + DS_USER = "pkisrv" + DS_NAME = "PKI-IPA" if os.path.exists('/usr/sbin/pkispawn'): install_constants = Dogtag10Constants diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 163f5c86b..68e1485cd 100644 --- a/ipaserver/install/cainstance.py 
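Review bot: `is_dirsrv_debugging_enabled` now keys on `dogtag.install_constants.SHARED_DB`, which reflects the pki packages present, not the CA instance actually configured; ipactl runs against an existing server, where `dogtag.configured_constants().SHARED_DB` is the right question (ipa-replica-prepare in this series uses `configured_constants()` for exactly that reason). On a host with pkispawn installed but a Dogtag 9 CA the `slapd-PKI-IPA` dse.ldif would no longer be inspected. Suggest `if not dogtag.configured_constants().SHARED_DB:`.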
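Review bot: The new constants `DS_PORT`, `DS_SECURE_PORT`, `SHARED_DB`, `DS_USER` and `DS_NAME` carry no explanation, and `SHARED_DB` is the switch this whole series pivots on. Add a comment above `SHARED_DB = True` in Dogtag10Constants such as `# Dogtag 10 keeps its database in IPA's own dirsrv instance (389/636) instead of the separate PKI-IPA instance (7389/7636) used by Dogtag 9`, with a mirror note on the Dogtag 9 values. Since `DS_NAME` is later passed to `dirsrv.stop()`/`start()` as the instance name and `DS_USER` becomes `PKI_DS_USER`, one line beside each saying so would keep the two from being confused.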
+++ b/ipaserver/install/cainstance.py @@ -60,10 +60,10 @@ from ipalib import util from ipapython.ipa_log_manager import * HTTPD_CONFD = "/etc/httpd/conf.d/" -DEFAULT_DSPORT=7389 +DEFAULT_DSPORT = dogtag.install_constants.DS_PORT PKI_USER = "pkiuser" -PKI_DS_USER = "pkisrv" +PKI_DS_USER = dogtag.install_constants.DS_USER # We need to reset the template because the CA uses the regular boot @@ -232,6 +232,17 @@ def get_crl_files(path=None): elif f.endswith(".der"): yield os.path.join(path, f) + +def is_step_one_done(): + '''Read CS.cfg and determine if step one of an external CA install is done + ''' + test = installutils.get_directive( + dogtag.install_constants.CS_CFG_PATH, 'preop.ca.type', '=') + if test == "otherca": + return True + return False + + class CADSInstance(service.Service): def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None): service.Service.__init__(self, "pkids", @@ -518,6 +529,7 @@ class CAInstance(service.Service): admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, csr_file=None, cert_file=None, cert_chain_file=None, + master_replication_port=None, subject_base=None): """Create a CA instance. @@ -538,6 +550,7 @@ class CAInstance(service.Service): if self.pkcs12_info is not None: self.clone = True self.master_host = master_host + self.master_replication_port = master_replication_port if subject_base is None: self.subject_base = DN(('O', self.realm)) else: @@ -656,7 +669,11 @@ class CAInstance(service.Service): "pki_security_domain_user": "admin", "pki_security_domain_password": self.admin_password, "pki_clone_replication_security": "TLS", - "pki_clone_uri": \ + "pki_clone_replication_master_port": + str(self.master_replication_port), + "pki_clone_replication_clone_port": + dogtag.install_constants.DS_PORT, + "pki_clone_uri": "https://%s" % ipautil.format_netloc(self.master_host, 443) } replacevars.update(clone_vars) 
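Review bot: `is_step_one_done()` reads `preop.ca.type` from `CS_CFG_PATH` unconditionally, and it replaces the old `CADSInstance().is_configured()` check that ipa-server-install runs on a fresh host when `--external-ca` is given, i.e. before any CS.cfg exists. If `installutils.get_directive` opens the file without catching IOError (not visible here), every external-CA first stage would crash; guard it with `if not os.path.exists(dogtag.install_constants.CS_CFG_PATH): return False`, and the body can collapse to `return test == "otherca"`. In the clone-config hunk below, `"pki_clone_replication_clone_port": dogtag.install_constants.DS_PORT` is an int while the master port is wrapped in `str()`; wrap it too so the template substitution sees consistent types.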
@@ -839,6 +856,8 @@ class CAInstance(service.Service): args.append("admin") args.append("-sd_admin_password") args.append(self.admin_password) + args.append("-clone_master_port") + args.append(str(self.master_replication_port)) args.append("-clone_start_tls") args.append("true") args.append("-clone_uri") 
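Review bot: `args.append(str(self.master_replication_port))` puts the literal string `None` on the pkisilent command line whenever `configure_instance` is called for a clone without the new `master_replication_port` keyword, since its default is `None`. Either default it to `dogtag.Dogtag9Constants.DS_PORT` in `configure_instance`, or fail early here: `if self.master_replication_port is None: raise RuntimeError("master replication port is required for a CA clone")`. The enclosing method starts well before this hunk.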
@@ -1275,6 +1294,43 @@ class CAInstance(service.Service): 'OU=pki-ipa, O=IPA', str(self.subject_base)): print "Updating subject_base in CA template failed" + def enable_client_auth_to_db(self): + """ + Enable client auth connection to the internal db. + """ + caconfig = dogtag.install_constants.CS_CFG_PATH + + # Enable file publishing, disable LDAP + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', + 'SslClientAuth', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN', + 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', + 'subsystemCert cert-pki-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapconn.port', + str(dogtag.install_constants.DS_SECURE_PORT), + quotes=False, separator='=') + installutils.set_directive(caconfig, + 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', + 'true', quotes=False, separator='=') + + installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype', + 'SslClientAuth', quotes=False, separator='=') + installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN', + 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, + 'internaldb.ldapauth.clientCertNickname', + 'subsystemCert cert-pki-ca', quotes=False, separator='=') + installutils.set_directive(caconfig, 'internaldb.ldapconn.port', + str(dogtag.install_constants.DS_SECURE_PORT), + quotes=False, separator='=') + installutils.set_directive(caconfig, 'internaldb.ldapconn.secureConn', + 'true', quotes=False, separator='=') + def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring CA") 
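Review bot: The comment `# Enable file publishing, disable LDAP` does not describe the code beneath it, which switches the authz and internaldb connections to TLS client-certificate authentication on the secure DS port; replace it with `# Authenticate to the internal DB as pkidbuser with the subsystem cert over TLS (certmap.conf maps the cert to that entry)`. The docstring should also state that the method only edits CS.cfg and that the caller must restart the CA for it to take effect, which both installers do with `restart()` immediately afterwards. The bind DN `uid=pkidbuser,ou=people,o=ipa-ca` and nickname `subsystemCert cert-pki-ca` are repeated for both sections; hoisting them into module constants would keep the two in step.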
@@ -1501,7 +1557,7 @@ class CAInstance(service.Service): return master == 'New' -def install_replica_ca(config, postinstall=False): +def install_replica_ca(config, master_ds_port, postinstall=False): """ Install a CA on a replica. @@ -1539,13 +1595,18 @@ def install_replica_ca(config, postinstall=False): if ipautil.file_exists(config.dir + "/dogtagcert.p12"): pkcs12_info = (config.dir + "/dogtagcert.p12", config.dir + "/dirsrv_pin.txt") - cs = CADSInstance(dogtag_constants=dogtag.install_constants) - cs.create_instance(config.realm_name, config.host_name, - config.domain_name, config.dirman_password, - pkcs12_info) - cs.load_pkcs12() - cs.enable_ssl() - cs.restart_instance() + + if not dogtag.install_constants.SHARED_DB: + cs = CADSInstance(dogtag_constants=dogtag.install_constants) + cs.create_instance(config.realm_name, config.host_name, + config.domain_name, config.dirman_password, + pkcs12_info) + cs.load_pkcs12() + cs.enable_ssl() + cs.restart_instance() + else: + cs = None + ca = CAInstance(config.realm_name, certs.NSS_DIR, dogtag_constants=dogtag.install_constants) if postinstall: @@ -1555,6 +1616,7 @@ def install_replica_ca(config, postinstall=False): ca.configure_instance(config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), master_host=config.master_host_name, + master_replication_port=master_ds_port, subject_base=config.subject_base) if postinstall: 
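Review bot: The new positional parameter `master_ds_port` is inserted before `postinstall`, and neither the docstring (which begins outside this hunk) nor the code says what type it is; callers pass a str read from the replica file, and it reaches `pki_clone_replication_master_port` through `str()`. Document it as the port of the master's CA directory database and normalize once at the top of the function: `master_ds_port = str(int(str(master_ds_port).strip()))`, which also rejects a garbled replica file before pkispawn runs. Under `SHARED_DB` the `pkcs12_info` built from `dogtagcert.p12` is computed but never used; a short comment noting it only applies to the separate PKI-IPA instance would stop that reading like a bug.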
@@ -1573,8 +1635,14 @@ def install_replica_ca(config, postinstall=False): service.print_msg("Restarting the directory and certificate servers") ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME) - ipaservices.knownservices.dirsrv.stop("PKI-IPA") - ipaservices.knownservices.dirsrv.start("PKI-IPA") + + if not dogtag.install_constants.SHARED_DB: + ds_name = dogtag.install_constants.DS_NAME + ipaservices.knownservices.dirsrv.stop(ds_name) + ipaservices.knownservices.dirsrv.start(ds_name) + else: + ipaservices.knownservices.dirsrv.restart() + ca.start(dogtag.install_constants.PKI_INSTANCE_NAME) return (ca, cs) @@ -1592,7 +1660,7 @@ def update_cert_config(nickname, cert): 'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert', 'caSigningCert cert-pki-ca': 'ca.signing.cert', 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', - 'Server-Cert cert-pki-ca': 'ca.sslserver.cert' } + 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, directives[nickname], @@ -1601,7 +1669,12 @@ def update_cert_config(nickname, cert): if __name__ == "__main__": standard_logging_setup("install.log") - cs = CADSInstance() - cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password") + if not dogtag.install_constants.SHARED_DB: + cs = CADSInstance() + cs.create_instance( + "EXAMPLE.COM", "catest.example.com", "example.com", "password") + else: + ds = dsinstance.DsInstance() + ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") ca.configure_instance("catest.example.com", "password", "password") diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index fe42282dc..c178a4dab 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -31,6 +31,7 @@ import tempfile from ipapython import ipautil from ipapython import sysrestore from ipapython import services as ipaservices +from ipapython import dogtag import service import installutils 
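Review bot: In the `__main__` block, `ds = dsinstance.DsInstance()` is assigned and never used, and `dsinstance` is not among the imports visible in this diff; either drop the line or use it, and verify the module import. In the restart hunk above, `ipaservices.knownservices.dirsrv.restart()` is called without an instance name for the shared case while the Dogtag 9 branch stops and starts a named instance; a comment such as `# shared DB: the CA's database lives in the main IPA dirsrv instance` would explain the asymmetry.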
@@ -166,6 +167,8 @@ class DsInstance(service.Service): ldapi=False, autobind=service.DISABLED ) + self.nickname = 'Server-Cert' + self.dm_password = dm_password self.realm_name = realm_name self.sub_dict = None self.domain = domain_name @@ -192,7 +195,7 @@ class DsInstance(service.Service): subject_base = ipautil.dn_attribute_property('_subject_base') - def __common_setup(self): + def __common_setup(self, enable_ssl=False): self.step("creating directory server user", self.__create_ds_user) self.step("creating directory server instance", self.__create_instance) @@ -209,7 +212,8 @@ class DsInstance(service.Service): self.step("configuring lockout plugin", self.__config_lockout_module) self.step("creating indices", self.__create_indices) self.step("enabling referential integrity plugin", self.__add_referint_module) - self.step("configuring ssl for ds instance", self.__enable_ssl) + if not dogtag.install_constants.SHARED_DB or enable_ssl: + self.step("configuring ssl for ds instance", self.enable_ssl) self.step("configuring certmap.conf", self.__certmap_conf) self.step("configure autobind for root", self.__root_autobind) self.step("configure new location for managed entries", self.__repoint_managed_entries) @@ -284,7 +288,7 @@ class DsInstance(service.Service): self.idmax = 1100 self.__setup_sub_dict() - self.__common_setup() + self.__common_setup(True) self.step("setting up initial replication", self.__setup_replica) self.step("adding replication acis", self.__add_replication_acis) @@ -525,7 +529,7 @@ class DsInstance(service.Service): def generate_random(self): return ipautil.ipa_generate_password() - def __enable_ssl(self): + def enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base) if self.pkcs12_info: 
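Review bot: `__common_setup(self, enable_ssl=False)` names its parameter after the method `enable_ssl` that it schedules, and the one call site passes a bare `True`; rename it to something like `force_ssl` and call `self.__common_setup(force_ssl=True)` so the replica-only intent is visible. The condition `if not dogtag.install_constants.SHARED_DB or enable_ssl` also encodes a contract that a new Dogtag 10 master comes up without TLS and relies on the caller invoking the now-public `enable_ssl()` later; state that in a comment on the step and in the docstring of `enable_ssl`, since a caller that forgets it leaves the CA's `SslClientAuth` connection on 636 with nothing to talk to.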
@@ -601,6 +605,8 @@ class DsInstance(service.Service): def __certmap_conf(self): shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template", config_dirname(self.serverid) + "certmap.conf") + installutils.update_file(config_dirname(self.serverid) + "certmap.conf", + 'domain_name', self.realm_name) def __enable_ldapi(self): self._ldap_mod("ldapi.ldif", self.sub_dict) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 754d5fc98..3368533d1 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -38,7 +38,7 @@ from dns import resolver, rdatatype from dns.exception import DNSException import ldap -from ipapython import ipautil, sysrestore, admintool +from ipapython import ipautil, sysrestore, admintool, dogtag from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import * from ipalib.util import validate_hostname @@ -48,8 +48,11 @@ from ipapython.dn import DN # Used to determine install status IPA_MODULES = [ - 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'pkids', 'install', + 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached'] +if not dogtag.install_constants.SHARED_DB: + IPA_MODULES.append('pkids') + class BadHostError(Exception): pass diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 260e7bba1..23de883a5 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -27,7 +27,7 @@ from ipaserver import ipaldap from ipapython import services as ipaservices from ldap import modlist from ipalib import api, util, errors -from ipapython import ipautil +from ipapython import ipautil, dogtag from ipapython.dn import DN CACERT = "/etc/ipa/ca.crt" 
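Review bot: `installutils.update_file(..., 'domain_name', self.realm_name)` fills the issuer DN of the `ipaca` certmap entry with the realm, but the CA's subject is built from the configurable subject base (`DN(('O', self.realm))` only by default; `--subject` overrides it), and `DsInstance` already exposes `subject_base`. With a custom subject the issuer DN never matches, the entry falls through to `default`, and the subsystem certificate cannot bind as `pkidbuser`. Use the subject base, e.g. `str(self.subject_base)` substituted for the whole `O=domain_name` token, so the mapping follows the actual CA subject; and if `update_file` performs a global substitution, keep the placeholder unique within the template.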
@@ -59,7 +59,7 @@ STRIP_ATTRS = ('modifiersName', def replica_conn_check(master_host, host_name, realm, check_ca, - admin_password=None): + dogtag_master_ds_port, admin_password=None): """ Check the ports used by the replica both locally and remotely to be sure that replication will work. @@ -77,10 +77,10 @@ def replica_conn_check(master_host, host_name, realm, check_ca, args.extend(["--password", admin_password]) nolog=(admin_password,) - if check_ca: + if check_ca and dogtag_master_ds_port == dogtag.Dogtag9Constants.DS_PORT: args.append('--check-ca') - (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False, - nolog=nolog) + (stdin, stderr, returncode) = ipautil.run( + args, raiseonerr=False, capture_output=False, nolog=nolog) if returncode != 0: sys.exit("Connection check failed!" + @@ -958,10 +958,12 @@ class ReplicationManager(object): newschedule = '2358-2359 0' - filter = '(&(nsDS5ReplicaHost=%s)' \ - '(|(objectclass=nsDSWindowsReplicationAgreement)' \ - '(objectclass=nsds5ReplicationAgreement)))' % hostname - entries = conn.getList(DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter) + filter = ('(&(nsDS5ReplicaHost=%s)' + '(&(!(nsDS5ReplicaRoot=o=ipaca))' + '(|(objectclass=nsDSWindowsReplicationAgreement)' + '(objectclass=nsds5ReplicationAgreement))))' % hostname) + entries = conn.getList( + DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter) if len(entries) == 0: root_logger.error("Unable to find replication agreement for %s" % (hostname)) |
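Review bot: `dogtag_master_ds_port == dogtag.Dogtag9Constants.DS_PORT` compares a string with an int: both callers pass either `str(Dogtag9Constants.DS_PORT)` or the raw `fd.read()` of the replica file, while `DS_PORT` is `7389`, so the test is always false and `--check-ca` is never forwarded to ipa-replica-conncheck. Normalize before comparing: `if check_ca and int(str(dogtag_master_ds_port).strip()) == dogtag.Dogtag9Constants.DS_PORT:`. Inserting the new parameter before `admin_password` also turns any out-of-tree caller that passed the password positionally into a silent misuse; appending it after `admin_password` with a default of `None` would avoid that.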