#! /usr/bin/python -E from ipaserver.install.krbinstance import update_key_val_in_file from ipapython import ipautil, config from ipapython import services as ipaservices import os, platform def convert_java_link(foo, topdir, filepaths): cwd = os.getcwd() os.chdir(topdir) for filepath in filepaths: # All this shouldn't happen because java system upgrade should properly # move files and symlinks but if this is a broken link if os.path.islink(filepath): print " Checking %s ... " % (filepath), if not os.path.exists(filepath): rpath = os.path.realpath(filepath) # .. and it points to jss in /usr/lib if rpath.find('/usr/lib/') != -1 and rpath.find('jss') != -1: base = os.path.basename(rpath) bitness = platform.architecture()[0][:2] # rewrite it to /usr/lib64 for x86_64 platform if bitness == '64': npath = "/usr/lib%s/jss/%s" % (bitness, base) os.unlink(filepath) os.symlink(npath, filepath) print "%s -> %s" % (filepath, npath) else: print "Ok" else: print "Ok" else: print "Ok" os.chdir(cwd) # 0. Init config try: config.init_config() except config.IPAConfigError, e: # No configured IPA install, no need to upgrade anything exit(0) # 1. Convert broken symlinks, if any, in /var/lib/pki-ca if os.path.exists('/var/lib/pki-ca/common/lib'): print "Analyzing symlinks in PKI-CA install" os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None) try: print "Found IPA server for domain %s" % (config.config.default_realm) # 1. Make sure Dogtag instance (if exists) has proper OIDs for IPA CA ipa_ca_cfg = "/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg" if os.path.exists(ipa_ca_cfg): print "Make sure PKI-CA has Extended Key Usage OIDs for the certificates (Server and Client Authentication)", key = 'policyset.serverCertSet.7.default.params.exKeyUsageOIDs' value = '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2' replacevars = {key:value} appendvars = {} old_values = ipautil.config_replace_variables(ipa_ca_cfg, replacevars=replacevars, appendvars=appendvars) ipaservices.restore_context(ipa_ca_cfg) if key in old_values and old_values[key] != value: print print " WARNING: Previously issued certificate didn't have both Server and Client Authentication usage" print " Old usage OID(s): %(oids)s" % (old_values[key]) print " Please make sure to revoke old certificates and re-issue them again to add both usages when needed" ipaservices.service('pki-cad').restart() else: print "... ok" print "Converting services setup to systemd" # 2. Upgrade /etc/sysconfig/dirsrv for systemd print " Upgrade /etc/sysconfig/dirsrv" update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab") update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab") # 3. Upgrade /etc/sysconfig/krb5kdc for systemd print " Upgrade /etc/sysconfig/krb5kdc" replacevars = {'KRB5REALM':config.config.default_realm} appendvars = {} ipautil.config_replace_variables("/etc/sysconfig/krb5kdc", replacevars=replacevars, appendvars=appendvars) ipaservices.restore_context("/etc/sysconfig/krb5kdc") # 4. Enable DS instances: # when enabling DS instances we'll also do configure /etc/sysconfig/dirsrv.systemd # which comes with 389-ds-base-1.2.10-0.8.a7 on F-16 and later. This is handled in # fedora16 platform code realm = config.config.default_realm.upper().replace('.','-') #pylint: disable=E1103 print " Re-enable Directory server instances PKI-IPA and %s " % (realm) if os.path.exists('/etc/systemd/system/dirsrv@.service'): os.unlink('/etc/systemd/system/dirsrv@.service') ipaservices.knownservices.dirsrv.enable(realm) ipaservices.knownservices.dirsrv.enable("PKI-IPA") # 4. Enable FreeIPA print " Re-enable IPA service" ipaservices.knownservices.ipa.enable() except: pass finally: print "Finished."