Diffstat (limited to 'install/tools/ipa-replica-install')
-rw-r--r-- | install/tools/ipa-replica-install | 312 |
1 files changed, 312 insertions, 0 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
new file mode 100644
index 00000000..c2704be0
--- /dev/null
+++ b/install/tools/ipa-replica-install
@@ -0,0 +1,312 @@
+#! /usr/bin/python -E
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+
+import tempfile, os, pwd, traceback, logging, shutil
+from ConfigParser import SafeConfigParser
+import ldap
+
+from ipa import ipautil
+
+from ipaserver import dsinstance, replication, installutils, krbinstance, service
+from ipaserver import httpinstance, ntpinstance, certs, ipaldap
+from ipa import version
+
+CACERT="/usr/share/ipa/html/ca.crt"
+
+class ReplicaConfig:
+ def __init__(self):
+ self.realm_name = ""
+ self.domain_name = ""
+ self.master_host_name = ""
+ self.dirman_password = ""
+ self.ds_user = ""
+ self.host_name = ""
+ self.repl_password = ""
+ self.dir = ""
+
+def parse_options():
+ from optparse import OptionParser
+ parser = OptionParser(version=version.VERSION)
+ parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
+ help="do not configure ntp", default=True)
+ parser.add_option("-d", "--debug", dest="debug", action="store_true",
+ default=False, help="gather extra debugging information")
+ parser.add_option("-p", "--password", dest="password",
+ help="Directory Manager (existing master) password")
+
+ options, args = parser.parse_args()
+
+ if len(args) != 1:
+ parser.error("you must provide a file generated by ipa-replica-prepare")
+
+ return options, args[0]
+
+def get_dirman_password():
+ return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
+
+def expand_info(filename, password):
+ top_dir = tempfile.mkdtemp("ipa")
+ tarfile = top_dir+"/files.tar"
+ dir = top_dir + "/realm_info"
+ ipautil.decrypt_file(filename, tarfile, password, top_dir)
+ ipautil.run(["tar", "xf", tarfile, "-C", top_dir])
+ os.remove(tarfile)
+
+ return top_dir, dir
+
+def read_info(dir, rconfig):
+ filename = dir + "/realm_info"
+ fd = open(filename)
+ config = SafeConfigParser()
+ config.readfp(fd)
+
+ rconfig.realm_name = config.get("realm", "realm_name")
+ rconfig.master_host_name = config.get("realm", "master_host_name")
+ rconfig.ds_user = config.get("realm", "ds_user")
+ rconfig.domain_name = config.get("realm", "domain_name")
+ rconfig.host_name = config.get("realm", "destination_host")
+
+def get_host_name():
+ hostname = installutils.get_fqdn()
+ try:
+ installutils.verify_fqdn(hostname)
+ except RuntimeError, e:
+ logging.error(str(e))
+ sys.exit(1)
+
+ return hostname
+
+def set_owner(config, dir):
+ pw = pwd.getpwnam(config.ds_user)
+ os.chown(dir, pw.pw_uid, pw.pw_gid)
+
+def install_ds(config):
+ dsinstance.check_existing_installation()
+ dsinstance.check_ports()
+
+ # if we have a pkcs12 file, create the cert db from
+ # that. Otherwise the ds setup will create the CA
+ # cert
+ pkcs12_info = None
+ if ipautil.file_exists(config.dir + "/dscert.p12"):
+ pkcs12_info = (config.dir + "/dscert.p12",
+ config.dir + "/dirsrv_pin.txt")
+
+ ds = dsinstance.DsInstance()
+ ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
+
+ return ds
+
+def install_krb(config):
+ krb = krbinstance.KrbInstance()
+ ldappwd_filename = config.dir + "/ldappwd"
+ kpasswd_filename = config.dir + "/kpasswd.keytab"
+ krb.create_replica(config.ds_user, config.realm_name, config.host_name,
+ config.domain_name, config.dirman_password,
+ ldappwd_filename, kpasswd_filename)
+
+def install_ca_cert(config):
+ if ipautil.file_exists(config.dir + "/ca.crt"):
+ try:
+ shutil.copy(config.dir + "/ca.crt", CACERT)
+ os.chmod(CACERT, 0444)
+ except Exception, e:
+ print "error copying files: " + str(e)
+ sys.exit(1)
+
+def install_http(config):
+ # if we have a pkcs12 file, create the cert db from
+ # that. Otherwise the ds setup will create the CA
+ # cert
+ pkcs12_info = None
+ if ipautil.file_exists(config.dir + "/httpcert.p12"):
+ pkcs12_info = (config.dir + "/httpcert.p12",
+ config.dir + "/http_pin.txt")
+
+ http = httpinstance.HTTPInstance()
+ http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
+
+ # Now copy the autoconfiguration files
+ if ipautil.file_exists(config.dir + "/preferences.html"):
+ try:
+ shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
+ shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
+ except Exception, e:
+ print "error copying files: " + str(e)
+ sys.exit(1)
+
+def check_dirsrv():
+ serverids = dsinstance.check_existing_installation()
+ if serverids:
+ print ""
+ print "An existing Directory Server has been detected."
+ if not ipautil.user_input("Do you wish to remove it and create a new one?", False):
+ print ""
+ print "Only a single Directory Server instance is allowed on an IPA"
+ print "server, the one used by IPA itself."
+ sys.exit(1)
+
+ try:
+ service.stop("dirsrv")
+ except:
+ pass
+
+ for serverid in serverids:
+ dsinstance.erase_ds_instance_data(serverid)
+
+ (ds_unsecure, ds_secure) = dsinstance.check_ports()
+ if not ds_unsecure or not ds_secure:
+ print "IPA requires ports 389 and 636 for the Directory Server."
+ print "These are currently in use:"
+ if not ds_unsecure:
+ print "\t389"
+ if not ds_secure:
+ print "\t636"
+ sys.exit(1)
+
+def main():
+ options, filename = parse_options()
+ installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
+
+ if not ipautil.file_exists(filename):
+ sys.exit("Replica file %s does not exist" % filename)
+
+ check_dirsrv()
+
+ # get the directory manager password
+ dirman_password = options.password
+ if not dirman_password:
+ try:
+ dirman_password = get_dirman_password()
+ except KeyboardInterrupt:
+ sys.exit(0)
+
+ try:
+ top_dir, dir = expand_info(filename, dirman_password)
+ except Exception, e:
+ print "ERROR: Failed to decrypt or open the replica file."
+ print "Verify you entered the correct Directory Manager password."
+ sys.exit(1)
+
+ config = ReplicaConfig()
+ read_info(dir, config)
+ config.dirman_password = dirman_password
+ host = get_host_name()
+ if config.host_name != host:
+ try:
+ print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
+ if not ipautil.user_input("This may cause problems. Continue?", True):
+ sys.exit(0)
+ config.host_name = host
+ print ""
+ except KeyboardInterrupt:
+ sys.exit(0)
+ config.repl_password = ipautil.ipa_generate_password()
+ config.dir = dir
+
+ # Try out the password
+ try:
+ conn = ipaldap.IPAdmin(config.master_host_name)
+ conn.do_simple_bind(bindpw=config.dirman_password)
+ conn.unbind()
+ except ldap.CONNECT_ERROR, e:
+ sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
+ except ldap.SERVER_DOWN, e:
+ sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
+ except ldap.INVALID_CREDENTIALS, e :
+ sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
+
+ # Configure ntpd
+ if options.conf_ntp:
+ ntp = ntpinstance.NTPInstance()
+ ntp.create_instance()
+
+ # Configure dirsrv
+ ds = install_ds(config)
+
+ # Install CA cert so that we can do SSL connections with ldap
+ install_ca_cert(config)
+
+ try:
+ repl = replication.ReplicationManager(config.host_name, config.dirman_password)
+ ret = repl.setup_replication(config.master_host_name, config.realm_name)
+ except Exception, e:
+ logging.debug("Connection error: %s" % e)
+ raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name)
+ if ret != 0:
+ raise RuntimeError("Failed to start replication")
+
+ install_krb(config)
+ install_http(config)
+
+ # Create the config file
+ fd = open("/etc/ipa/ipa.conf", "w")
+ fd.write("[defaults]\n")
+ fd.write("server=" + config.host_name + "\n")
+ fd.write("realm=" + config.realm_name + "\n")
+ fd.write("domain=" + config.domain_name + "\n")
+ fd.close()
+
+ # Create a Web Gui instance
+ webgui = httpinstance.WebGuiInstance()
+ webgui.create_instance()
+
+ # Apply any LDAP updates. Needs to be done after the replica is synced-up
+ service.print_msg("Applying LDAP updates")
+ ds.apply_updates()
+
+ service.restart("dirsrv")
+ service.restart("krb5kdc")
+
+ # Call client install script
+ try:
+ ipautil.run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name])
+ except Exception, e:
+ print "Configuration of client side components failed!"
+ print "ipa-client-install returned: " + str(e)
+ raise RuntimeError("Failed to configure the client")
+
+ ds.init_memberof()
+
+try:
+ if not os.geteuid()==0:
+ sys.exit("\nYou must be root to run this script.\n")
+
+ main()
+ sys.exit(0)
+except SystemExit, e:
+ sys.exit(e)
+except Exception, e:
+ print "creation of replica failed: %s" % str(e)
+ message = str(e)
+ for str in traceback.format_tb(sys.exc_info()[2]):
+ message = message + "\n" + str
+ logging.debug(message)
+except KeyboardInterrupt:
+ print "Installation cancelled."
+
+print ""
+print "Your system may be partly configured."
+print "Run /usr/sbin/ipa-server-install --uninstall to clean up."
+
+# the only way to get here is on error or ^C
+sys.exit(1) |