Diffstat (limited to 'install')
-rw-r--r--install/oddjob/Makefile.am3
-rw-r--r--install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf21
-rw-r--r--install/oddjob/etc/oddjobd.conf.d/ipa-server.conf20
-rwxr-xr-xinstall/oddjob/org.freeipa.server.conncheck2
-rwxr-xr-xinstall/tools/ipa-ca-install6
-rwxr-xr-xinstall/tools/ipa-replica-conncheck131
-rw-r--r--install/updates/90-post_upgrade_plugins.update1
7 files changed, 166 insertions, 18 deletions
diff --git a/install/oddjob/Makefile.am b/install/oddjob/Makefile.am
index 5cdaf2b29..fb64f6cf4 100644
--- a/install/oddjob/Makefile.am
+++ b/install/oddjob/Makefile.am
@@ -6,14 +6,17 @@ dbusconfdir = $(sysconfdir)/dbus-1/system.d
oddjob_SCRIPTS = \
com.redhat.idm.trust-fetch-domains \
+ org.freeipa.server.conncheck \
$(NULL)
dbusconf_DATA = \
etc/dbus-1/system.d/oddjob-ipa-trust.conf \
+ etc/dbus-1/system.d/org.freeipa.server.conf \
$(NULL)
oddjobconf_DATA = \
etc/oddjobd.conf.d/oddjobd-ipa-trust.conf \
+ etc/oddjobd.conf.d/ipa-server.conf \
$(NULL)
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
new file mode 100644
index 000000000..b2cbf746f
--- /dev/null
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -0,0 +1,21 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+ <policy user="root">
+ <allow own="org.freeipa.server"/>
+
+ <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
+ </policy>
+
+ <policy user="apache">
+ <allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
+ </policy>
+
+ <policy context="default">
+ <allow send_destination="org.freeipa.server" send_interface="org.freedesktop.DBus.Introspectable"/>
+ </policy>
+
+</busconfig>
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
new file mode 100644
index 000000000..3f806966b
--- /dev/null
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<oddjobconfig>
+ <service name="org.freeipa.server">
+ <allow user="root"/>
+ <allow user="apache"/>
+ <object name="/">
+ <interface name="org.freeipa.server">
+ <method name="conncheck">
+ <helper exec="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck"
+ arguments="1"
+ prepend_user_name="no"
+ argument_passing_method="cmdline"/>
+ </method>
+ </interface>
+ <interface name="org.freedesktop.DBus.Introspectable">
+ <allow min_uid="0" max_uid="0"/>
+ </interface>
+ </object>
+ </service>
+</oddjobconfig>
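Review bot: The Introspectable interface is limited to uid 0 here (`<allow min_uid="0" max_uid="0"/>`) while the companion D-Bus policy in org.freeipa.server.conf grants `context="default"` permission to send on that same interface, so the two layers disagree about who may introspect and a reader cannot tell which one is meant to be authoritative. A short comment on this `<interface>` stating that oddjobd is the enforcing layer (if that is the intent) would settle it. The `conncheck` method is callable by the `apache` user with `arguments="1"` and `prepend_user_name="no"`, so the single command-line argument reaches the root helper without the caller's identity; a comment naming what that argument is expected to be (the replica hostname, judging by the helper script) would make the boundary explicit for the next reviewer.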
diff --git a/install/oddjob/org.freeipa.server.conncheck b/install/oddjob/org.freeipa.server.conncheck
new file mode 100755
index 000000000..ab7a46a86
--- /dev/null
+++ b/install/oddjob/org.freeipa.server.conncheck
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/sbin/ipa-replica-conncheck --replica "$1" 2>&1
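Review bot: `"$1"` is handed to `--replica` unchanged, and under the accompanying oddjobd policy the `apache` user can supply it, so any validation of that hostname happens inside ipa-replica-conncheck rather than in this root-executed wrapper; that is acceptable but not visible here, and a comment such as `# $1: replica hostname from the (apache-owned) server_conncheck caller; validated downstream` would record where the trust boundary is. The double quotes and `argument_passing_method="cmdline"` mean the value is passed as one argv element with no shell interpretation, which is the right shape. `2>&1` folds the tool's diagnostics into the stream oddjob returns to the caller, which is presumably intended so the replica sees the failure text; a comment saying so avoids someone "fixing" it later.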
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index b1d58f750..0b8f28cb7 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -149,8 +149,10 @@ def install_replica(safe_options, options, filename):
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
+ cafile = paths.IPA_CA_CRT
else:
config = create_replica_config(dirman_password, filename, options)
+ cafile = config.dir + '/ca.crt'
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
@@ -176,6 +178,10 @@ def install_replica(safe_options, options, filename):
options.dm_password = config.dirman_password
options.host_name = config.host_name
options.subject = config.subject_base
+ if os.path.exists(cafile):
+ options.ca_cert_file = cafile
+ else:
+ options.ca_cert_file = None
ca.install_check(True, config, options)
if options.promote:
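Review bot: `os.path.exists(cafile)` is also true for a directory, and when the file is absent `options.ca_cert_file` quietly becomes `None`; if `None` means the remote CA is not verified during `ca.install_check`, a missing `ca.crt` in the replica file deserves an explicit message rather than a silent downgrade, and at minimum the test should be `if os.path.isfile(cafile):`. In the preceding hunk the non-promote path builds the name with `config.dir + '/ca.crt'`; `os.path.join(config.dir, 'ca.crt')` matches the `os.path` use on the line being checked here. install_replica() starts before the hunk.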
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index a67837c54..10e3437bd 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -22,11 +22,12 @@ from __future__ import print_function
from ipapython.config import IPAOptionParser
from ipapython import version
-from ipapython import ipautil
+from ipapython import ipautil, certdb
from ipapython.ipautil import CalledProcessError
+from ipalib import api, errors, x509
from ipaserver.install import installutils
import ipaclient.ipachangeconf
-from optparse import OptionGroup
+from optparse import OptionGroup, OptionValueError
from ipapython.ipa_log_manager import *
import sys
import os
@@ -40,6 +41,7 @@ from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
from ipaplatform.paths import paths
import gssapi
+from nss import nss
CONNECT_TIMEOUT = 5
RESPONDERS = [ ]
@@ -106,6 +108,30 @@ def print_info(msg):
print(msg)
def parse_options():
+ def ca_cert_file_callback(option, opt, value, parser):
+ if not os.path.exists(value):
+ raise OptionValueError(
+ "%s option '%s' does not exist" % (opt, value))
+ if not os.path.isfile(value):
+ raise OptionValueError(
+ "%s option '%s' is not a file" % (opt, value))
+ if not os.path.isabs(value):
+ raise OptionValueError(
+ "%s option '%s' is not an absolute file path" % (opt, value))
+
+ initialized = nss.nss_is_initialized()
+ try:
+ x509.load_certificate_list_from_file(value)
+ except Exception:
+ raise OptionValueError(
+ "%s option '%s' is not a valid certificate file" %
+ (opt, value))
+ finally:
+ if not initialized:
+ nss.nss_shutdown()
+
+ parser.values.ca_cert_file = value
+
parser = IPAOptionParser(version=version.VERSION)
replica_group = OptionGroup(parser, "on-replica options")
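Review bot: The `except Exception:` around `x509.load_certificate_list_from_file(value)` discards the underlying parse error, so a user whose PEM fails to load only learns that it is "not a valid certificate file"; binding it and appending it, `except Exception as e:` with `"%s option '%s' is not a valid certificate file: %s" % (opt, value, e)`, keeps the diagnostic without changing the exception type raised. The `isabs` check is evaluated after `exists` and `isfile`, so a relative path to a real file is stat'ed twice before being rejected for not being absolute; putting it first reads as the precondition it is. The `finally` branch assumes `load_certificate_list_from_file` initializes NSS when it was not already initialized, which is why `initialized` is captured beforehand — a one-line comment on `initialized = nss.nss_is_initialized()` saying so would spare the next reader that inference. parse_options() continues outside the hunk.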
@@ -123,6 +149,10 @@ def parse_options():
default=None, help="Principal to use to log in to remote master")
replica_group.add_option("-w", "--password", dest="password", sensitive=True,
help="Password for the principal"),
+ replica_group.add_option("--ca-cert-file", dest="ca_cert_file",
+ type="string", action="callback",
+ callback=ca_cert_file_callback,
+ help="load the CA certificate from this file")
parser.add_option_group(replica_group)
@@ -418,22 +448,89 @@ def main():
if returncode != 0:
raise RuntimeError("Could not get ticket for master server: %s" % stderr)
- user = principal.partition('@')[0]
- ssh = SshExec(user, options.master)
+ try:
+ print_info("Check RPC connection to remote master")
+
+ xmlrpc_uri = ('https://%s/ipa/xml' %
+ ipautil.format_netloc(options.master))
+ api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri)
+ api.finalize()
- print_info("Check SSH connection to remote master")
- stdout, stderr, returncode = ssh('echo OK', verbose=True)
- if returncode != 0:
- print('Could not SSH into remote host. Error output:')
- for line in stderr.splitlines():
- print(' %s' % line)
- raise RuntimeError('Could not SSH to remote host.')
-
- print_info("Execute check on remote master")
- stdout, stderr, returncode = ssh(
- "/usr/sbin/ipa-replica-conncheck " +
- " ".join(remote_check_opts))
- print_info(stdout)
+ if options.ca_cert_file:
+ nss_dir = None
+ else:
+ nss_dir = paths.IPA_NSSDB_DIR
+
+ with certdb.NSSDatabase(nss_dir) as nss_db:
+ if options.ca_cert_file:
+ nss_dir = nss_db.secdir
+
+ password = ipautil.ipa_generate_password()
+ password_file = ipautil.write_tmp_file(password)
+ nss_db.create_db(password_file.name)
+
+ ca_certs = x509.load_certificate_list_from_file(
+ options.ca_cert_file, dbdir=nss_db.secdir)
+ for ca_cert in ca_certs:
+ nss_db.add_cert(
+ ca_cert.der_data, str(ca_cert.subject), 'C,,')
+ del ca_cert
+ del ca_certs
+ else:
+ nss_dir = None
+
+ try:
+ api.Backend.rpcclient.connect(nss_dir=nss_dir)
+ api.Command.ping()
+ except Exception as e:
+ print_info(
+ "Could not connect to the remote host: %s" % e)
+ raise
+
+ print_info("Execute check on remote master")
+ try:
+ result = api.Backend.rpcclient.forward(
+ 'server_conncheck',
+ ipautil.fsdecode(options.master),
+ ipautil.fsdecode(options.hostname),
+ version=u'2.162',
+ )
+ except (errors.CommandError, errors.NetworkError) as e:
+ print_info(
+ "Remote master does not support check over RPC: "
+ "%s" % e)
+ raise
+ except errors.PublicError as e:
+ returncode = 1
+ stderr = e
+ else:
+ for message in result['messages']:
+ print_info(message['message'])
+ returncode = int(not result['result'])
+ stderr = ("ipa-replica-conncheck returned non-zero "
+ "exit code")
+ finally:
+ if api.Backend.rpcclient.isconnected():
+ api.Backend.rpcclient.disconnect()
+ except Exception:
+ print_info("Retrying using SSH...")
+
+ user = principal.partition('@')[0]
+ ssh = SshExec(user, options.master)
+
+ print_info("Check SSH connection to remote master")
+ stdout, stderr, returncode = ssh('echo OK', verbose=True)
+ if returncode != 0:
+ print('Could not SSH into remote host. Error output:')
+ for line in stderr.splitlines():
+ print(' %s' % line)
+ raise RuntimeError('Could not SSH to remote host.')
+
+ print_info("Execute check on remote master")
+ stdout, stderr, returncode = ssh(
+ "/usr/sbin/ipa-replica-conncheck " +
+ " ".join(remote_check_opts))
+ print_info(stdout)
if returncode != 0:
raise RuntimeError("Remote master check failed with following error message(s):\n%s" % stderr)
else:
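Review bot: The bare `except Exception:` that triggers the SSH fallback discards why the RPC path failed, so when `api.bootstrap()`/`api.finalize()`, the temporary NSS database setup or the CA import raises, the operator sees only "Retrying using SSH..." with no hint that the `--ca-cert-file` or TLS verification was the problem; `except Exception as e:` and `print_info("Retrying using SSH... (RPC check failed: %s)" % e)` would preserve that. Separately, `del ca_cert` after the `for` loop raises UnboundLocalError if `load_certificate_list_from_file` returns an empty list, and the outer handler would then silently turn that into an SSH retry; `if ca_certs: del ca_cert` (or releasing the reference inside the loop) avoids it. In the `else` branch the system NSS database at `paths.IPA_NSSDB_DIR` is opened as a context manager but `connect()` is then called with `nss_dir=None`; if `None` already selects that database, a comment saying so is warranted, and if it does not, it is unclear which trust store verifies the master's certificate. Indentation is lost in this rendering, so I am assuming the connect/forward block sits inside the `with` so the temporary database still exists when it is used; main() continues outside the hunk.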
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 2089b3320..626255af7 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -19,4 +19,3 @@ plugin: update_managed_post
plugin: update_managed_permissions
plugin: update_idrange_baserid
plugin: update_passync_privilege_update
-plugin: update_oddjobd_for_adtrust