diff options
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r-- | ipa-server/ipaserver/certs.py | 29 | ||||
-rw-r--r-- | ipa-server/ipaserver/dsinstance.py | 25 | ||||
-rw-r--r-- | ipa-server/ipaserver/ipaldap.py | 15 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 2 | ||||
-rw-r--r-- | ipa-server/ipaserver/replication.py | 25 |
5 files changed, 60 insertions, 36 deletions
diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py index eecfdf21c..08f2cdd6c 100644 --- a/ipa-server/ipaserver/certs.py +++ b/ipa-server/ipaserver/certs.py @@ -119,6 +119,7 @@ class CertDB(object): "-z", self.noise_fname, "-f", self.passwd_fname]) + def export_ca_cert(self): # export the CA cert for use with other apps ipautil.backup_file(self.cacert_fname) self.run_certutil(["-L", "-n", "CA certificate", @@ -274,21 +275,33 @@ class CertDB(object): return server_certs - def import_pkcs12(self, pkcs12_fname): + def import_pkcs12(self, pkcs12_fname, passwd_fname=None): + args = ["/usr/bin/pk12util", "-d", self.secdir, + "-i", pkcs12_fname, + "-k", self.passwd_fname] + if passwd_fname: + args = args + ["-w", passwd_fname] try: - ipautil.run(["/usr/bin/pk12util", "-d", self.secdir, - "-i", pkcs12_fname]) + ipautil.run(args) except ipautil.CalledProcessError, e: if e.returncode == 17: raise RuntimeError("incorrect password") else: raise RuntimeError("unknown error import pkcs#12 file") + def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname="CA certificate"): + ipautil.run(["/usr/bin/pk12util", "-d", self.secdir, + "-o", pkcs12_fname, + "-n", nickname, + "-k", self.passwd_fname, + "-w", pkcs12_pwd_fname]) + def create_self_signed(self, passwd=True): self.create_noise_file() self.create_passwd_file(passwd) self.create_certdbs() self.create_ca_cert() + self.export_ca_cert() self.create_pin_file() def create_from_cacert(self, cacert_fname, passwd=False): @@ -296,3 +309,13 @@ class CertDB(object): self.create_passwd_file(passwd) self.create_certdbs() self.load_cacert(cacert_fname) + + def create_from_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname="CA certificate", passwd=True): + self.create_noise_file() + self.create_passwd_file(passwd) + self.create_certdbs() + self.import_pkcs12(pkcs12_fname, pkcs12_pwd_fname) + self.trust_root_cert(nickname) + self.create_pin_file() + self.export_ca_cert() + diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py index 6cbffcb84..e3c8cb8d4 100644 --- a/ipa-server/ipaserver/dsinstance.py +++ b/ipa-server/ipaserver/dsinstance.py @@ -125,7 +125,7 @@ class DsInstance(service.Service): self.sub_dict = None self.domain = None - def create_instance(self, ds_user, realm_name, host_name, dm_password, ro_replica=False): + def create_instance(self, ds_user, realm_name, host_name, dm_password, pkcs12_info=None): self.ds_user = ds_user self.realm_name = realm_name.upper() self.serverid = realm_to_serverid(self.realm_name) @@ -133,13 +133,13 @@ class DsInstance(service.Service): self.host_name = host_name self.dm_password = dm_password self.domain = host_name[host_name.find(".")+1:] + self.pkcs12_info = pkcs12_info self.__setup_sub_dict() self.step("creating directory server user", self.__create_ds_user) self.step("creating directory server instance", self.__create_instance) self.step("adding default schema", self.__add_default_schemas) - if not ro_replica: - self.step("enabling memberof plugin", self.__add_memberof_module) + self.step("enabling memberof plugin", self.__add_memberof_module) self.step("enabling referential integrity plugin", self.__add_referint_module) self.step("enabling distributed numeric assignment plugin", self.__add_dna_module) self.step("creating indeces", self.__create_indeces) @@ -147,13 +147,12 @@ class DsInstance(service.Service): self.step("configuring certmap.conf", self.__certmap_conf) self.step("restarting directory server", self.__restart_instance) self.step("adding default layout", self.__add_default_layout) - if not ro_replica: - self.step("configuring Posix uid/gid generation as first master", - self.__config_uidgid_gen_first_master) - self.step("adding master entry as first master", - self.__add_master_entry_first_master) - self.step("initializing group membership", - self.__init_memberof) + self.step("configuring Posix uid/gid generation as first master", + self.__config_uidgid_gen_first_master) + self.step("adding master entry as first master", + self.__add_master_entry_first_master) + self.step("initializing group membership", + self.__init_memberof) self.step("configuring directory to start on boot", self.chkconfig_on) @@ -261,7 +260,11 @@ class DsInstance(service.Service): def __enable_ssl(self): dirname = config_dirname(self.realm_name) ca = certs.CertDB(dirname) - ca.create_self_signed() + if self.pkcs12_info: + ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) + ca.cur_serial = 2000 + else: + ca.create_self_signed() ca.create_server_cert("Server-Cert", "cn=%s,ou=Fedora Directory Server" % self.host_name) conn = ipaldap.IPAdmin("127.0.0.1") diff --git a/ipa-server/ipaserver/ipaldap.py b/ipa-server/ipaserver/ipaldap.py index b1a9ea56c..7bb9719ea 100644 --- a/ipa-server/ipaserver/ipaldap.py +++ b/ipa-server/ipaserver/ipaldap.py @@ -724,9 +724,12 @@ def notfound(args): search returns no results. This just returns whatever is after the equals sign""" - filter = args[2] - try: - target = re.match(r'\(.*=(.*)\)', filter).group(1) - except: - target = filter - return "%s not found" % str(target) + if len(args) > 2: + filter = args[2] + try: + target = re.match(r'\(.*=(.*)\)', filter).group(1) + except: + target = filter + return "%s not found" % str(target) + else: + return args[0] diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index 5c4976b72..438bfb7d5 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -257,7 +257,7 @@ class KrbInstance(service.Service): self.__ldap_mod("default-aci.ldif") def __create_replica_instance(self): - self.__create_instance(replace=True) + self.__create_instance(replica=True) def __create_instance(self, replica=False): kdc_conf = ipautil.template_file(ipautil.SHARE_DIR+"kdc.conf.template", self.sub_dict) diff --git a/ipa-server/ipaserver/replication.py b/ipa-server/ipaserver/replication.py index 580ec27bf..df2b02889 100644 --- a/ipa-server/ipaserver/replication.py +++ b/ipa-server/ipaserver/replication.py @@ -77,7 +77,7 @@ class ReplicationManager: except ldap.NO_SUCH_OBJECT: pass - def get_replica_type(self, master): + def get_replica_type(self, master=True): if master: return "3" else: @@ -87,7 +87,7 @@ class ReplicationManager: return 'cn=replica, cn="%s", cn=mapping tree, cn=config' % self.suffix - def local_replica_config(self, conn, master, replica_id): + def local_replica_config(self, conn, replica_id): dn = self.replica_dn() try: @@ -97,7 +97,7 @@ class ReplicationManager: except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND): pass - replica_type = self.get_replica_type(master) + replica_type = self.get_replica_type() entry = ipaldap.Entry(dn) entry.setValues('objectclass', "top", "nsds5replica", "extensibleobject") @@ -284,13 +284,12 @@ class ReplicationManager: return self.wait_for_repl_init(other_conn, dn) - def basic_replication_setup(self, conn, master, replica_id): + def basic_replication_setup(self, conn, replica_id): self.add_replication_manager(conn) - self.local_replica_config(conn, master, replica_id) - if master: - self.setup_changelog(conn) + self.local_replica_config(conn, replica_id) + self.setup_changelog(conn) - def setup_replication(self, other_hostname, realm_name, master=True): + def setup_replication(self, other_hostname, realm_name): """ NOTES: - the directory manager password needs to be the same on @@ -300,15 +299,11 @@ class ReplicationManager: other_conn.do_simple_bind(bindpw=self.dirman_passwd) self.suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(realm_name)) - self.basic_replication_setup(self.conn, master, 1) - self.basic_replication_setup(other_conn, True, 2) + self.basic_replication_setup(self.conn, 1) + self.basic_replication_setup(other_conn, 2) self.setup_agreement(other_conn, self.conn) - if master: - self.setup_agreement(self.conn, other_conn) - else: - self.setup_chaining_farm(other_conn) - self.setup_chain_on_update(other_conn) + self.setup_agreement(self.conn, other_conn) return self.start_replication(other_conn) |