summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2012-12-18 07:42:18 -0500
committerRob Crittenden <rcritten@redhat.com>2013-02-01 13:44:59 -0500
commit26c498736ec8eabb8dafbc090811c92c79a8c318 (patch)
treef4c2187920025a5f98b26e699179e3fdcd9d7b62
parent55cfd06e3a9cb730220836b07207f4e650de3a03 (diff)
downloadfreeipa.git-26c498736ec8eabb8dafbc090811c92c79a8c318.tar.gz
freeipa.git-26c498736ec8eabb8dafbc090811c92c79a8c318.tar.xz
freeipa.git-26c498736ec8eabb8dafbc090811c92c79a8c318.zip
Port ipa-replica-prepare to the admintool framework
Break the script into several smaller methods. Use modern idioms: os.path.join instead of string addition; the with statement for closing files. Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output) Part of: https://fedorahosted.org/freeipa/ticket/2652 Fixes: https://fedorahosted.org/freeipa/ticket/3285
Diffstat
-rwxr-xr-xinstall/tools/ipa-replica-prepare492
-rw-r--r--ipapython/admintool.py5
-rw-r--r--ipaserver/install/ipa_replica_prepare.py504
3 files changed, 512 insertions, 489 deletions
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 274e8456..21df3410 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -1,7 +1,7 @@
#! /usr/bin/python -E
-# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+# Authors: Petr Viktorin <pviktori@redhat.com>
#
-# Copyright (C) 2007 Red Hat
+# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -18,490 +18,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import sys
+from ipaserver.install.ipa_replica_prepare import ReplicaPrepare
-import tempfile, shutil, os, pwd
-from ipapython.ipa_log_manager import *
-import traceback
-from ConfigParser import SafeConfigParser
-import krbV
-
-from ipapython import ipautil
-from ipaserver.install import bindinstance, dsinstance, installutils, certs
-from ipaserver.install.bindinstance import add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists
-from ipaserver.install.replication import enable_replication_version_checking
-from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError
-from ipaserver.plugins.ldap2 import ldap2
-from ipapython import version
-from ipapython import dogtag
-from ipapython.config import IPAOptionParser
-from ipalib import api, errors, util
-from ipapython.dn import DN
-
-def parse_options():
- usage = "%prog [options] FQDN (e.g. replica.example.com)"
- parser = IPAOptionParser(usage=usage, version=version.VERSION)
-
- parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
- help="install certificate for the directory server")
- parser.add_option("--http_pkcs12", dest="http_pkcs12",
- help="install certificate for the http server")
- parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
- help="install certificate for the KDC")
- parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
- help="PIN for the Directory Server PKCS#12 file")
- parser.add_option("--http_pin", dest="http_pin",
- help="PIN for the Apache Server PKCS#12 file")
- parser.add_option("--pkinit_pin", dest="pkinit_pin",
- help="PIN for the KDC pkinit PKCS#12 file")
- parser.add_option("-p", "--password", dest="password",
- help="Directory Manager (existing master) password")
- parser.add_option("--ip-address", dest="ip_address",
- type="ip", help="Add A and PTR records of the future replica")
- parser.add_option("--reverse-zone", dest="reverse_zone",
- help="The reverse DNS zone to use")
- parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
- default=False, help="Do not create reverse DNS zone")
- parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
- help="Location of CA PKCS#12 file, default /root/cacert.p12")
- parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
- default=True, help="disables pkinit setup steps")
- parser.add_option("--debug", dest="debug", action="store_true",
- default=False, help="enable debugging")
-
- options, args = parser.parse_args()
-
- if not options.ip_address:
- if options.reverse_zone:
- parser.error("You cannot specify a --reverse-zone option without the --ip-address option")
- if options.no_reverse:
- parser.error("You cannot specify a --no-reverse option without the --ip-address option")
- elif options.reverse_zone and options.no_reverse:
- parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
-
- # If any of the PKCS#12 options are selected, all are required. Create a
- # list of the options and count it to enforce that all are required without
- # having a huge set of it blocks.
- if options.setup_pkinit:
- pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin,
- options.http_pkcs12, options.http_pin,
- options.pkinit_pkcs12, options.pkinit_pin]
- num = 6
- else:
- pkcs12 = [options.dirsrv_pkcs12, options.dirsrv_pin,
- options.http_pkcs12, options.http_pin]
- num = 4
- cnt = pkcs12.count(None)
- if cnt > 0 and cnt < num:
- parser.error("All PKCS#12 options are required if any are used.")
-
- if len(args) != 1:
- parser.error("must provide the fully-qualified name of the replica")
-
- return options, args
-
-def get_subject_base(host_name, dm_password, suffix):
- try:
- conn = ldap2(shared_instance=False, base_dn=suffix)
- conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
- except errors.ExecutionError, e:
- root_logger.critical("Could not connect to the Directory Server on %s" % host_name)
- raise e
- (dn, entry_attrs) = conn.get_ipa_config()
- conn.disconnect()
- subject_base = entry_attrs.get('ipacertificatesubjectbase', [None])[0]
- if subject_base is not None:
- subject_base = DN(subject_base)
- return subject_base
-
-def check_ipa_configuration(realm_name):
- config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
- if not ipautil.dir_exists(config_dir):
- root_logger.error("could not find directory instance: %s" % config_dir)
- sys.exit(1)
-
-def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subject_base=None, is_kdc=False):
- """realm is the kerberos realm for the IPA server.
- ds_dir is the location of the master DS we are creating a replica for.
- dir is the location of the files for the replica we are creating.
- passwd_fname is the file containing the PKCS#12 password
- fname is the filename of the PKCS#12 file for this cert (minus the .p12).
- hostname is the FQDN of the server we're creating a cert for.
-
- The subject is handled by certs.CertDB:create_server_cert()
- """
-
- if is_kdc:
- nickname = "KDC-Cert"
- else:
- nickname = "Server-Cert"
-
- try:
- self_signed = certs.ipa_self_signed()
-
- db = certs.CertDB(realm_name, nssdir=dir, subject_base=subject_base)
- db.create_passwd_file()
- ca_db = certs.CertDB(realm_name, host_name=api.env.host, subject_base=subject_base)
- if is_kdc:
- ca_db.create_kdc_cert("KDC-Cert", hostname, dir)
- else:
- db.create_from_cacert(ca_db.cacert_fname)
- db.create_server_cert(nickname, hostname, ca_db)
- except Exception, e:
- raise e
-
- pkcs12_fname = dir + "/" + fname + ".p12"
-
- try:
- if is_kdc:
- ca_db.export_pem_p12(pkcs12_fname, passwd_fname,
- nickname, dir + "/kdc.pem")
- else:
- db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
- except ipautil.CalledProcessError, e:
- print "error exporting Server certificate: " + str(e)
- remove_file(pkcs12_fname)
- remove_file(passwd_fname)
-
- remove_file(dir + "/cert8.db")
- remove_file(dir + "/key3.db")
- remove_file(dir + "/secmod.db")
- remove_file(dir + "/noise.txt")
- if is_kdc:
- remove_file(dir + "/kdc.pem")
- if ipautil.file_exists(passwd_fname + ".orig"):
- remove_file(passwd_fname + ".orig")
-
-def export_ra_pkcs12(dir, dm_password):
- """
- dir is the location of the files for the replica we are creating.
- dm_password is the Directory Manager password
-
- If this install is using dogtag/RHCS then export the RA certificate.
- """
- if certs.ipa_self_signed():
- return
-
- (agent_fd, agent_name) = tempfile.mkstemp()
- os.write(agent_fd, dm_password)
- os.close(agent_fd)
-
- try:
- try:
- db = certs.CertDB(api.env.realm, host_name=api.env.host)
-
- if db.has_nickname("ipaCert"):
- pkcs12_fname = "%s/ra.p12" % dir
- db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
- except Exception, e:
- raise e
- finally:
- os.remove(agent_name)
-
-def save_config(dir, realm_name, host_name,
- domain_name, dest_host,
- subject_base):
- config = SafeConfigParser()
- config.add_section("realm")
- config.set("realm", "realm_name", realm_name)
- config.set("realm", "master_host_name", host_name)
- config.set("realm", "domain_name", domain_name)
- config.set("realm", "destination_host", dest_host)
- config.set("realm", "subject_base", str(subject_base))
- config.set("realm", "version", str(version.NUM_VERSION))
- with open(dir + "/realm_info", "w") as fd:
- config.write(fd)
-
-def remove_file(fname, ignore_errors=True):
- try:
- os.remove(fname)
- except OSError, e:
- if not ignore_errors:
- raise e
-
-def copy_files(realm_name, dir):
- config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
-
- try:
- shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
- if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
- shutil.copy("/usr/share/ipa/html/krb.js", dir + "/krb.js")
- shutil.copy("/usr/share/ipa/html/kerberosauth.xpi", dir + "/kerberosauth.xpi")
- shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
- shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
- if ipautil.file_exists("/var/kerberos/krb5kdc/cacert.pem"):
- shutil.copy("/var/kerberos/krb5kdc/cacert.pem", dir + "/cacert.pem")
- except Exception, e:
- print "error copying files: " + str(e)
- sys.exit(1)
-
-def get_dirman_password():
- return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
-
-def main():
- installutils.check_server_configuration()
- options, args = parse_options()
-
- replica_fqdn = args[0]
-
- standard_logging_setup(None, debug=options.debug)
-
- # Just initialize the environment. This is so the installer can have
- # access to the plugin environment
- api.bootstrap(in_server=True, debug=options.debug)
- api.finalize()
-
- #Automatically disable pkinit w/ dogtag until that is supported
- #[certs.ipa_self_signed() must be called only after api.finalize()]
- if not options.pkinit_pkcs12 and not certs.ipa_self_signed():
- options.setup_pkinit = False
-
- if certs.ipa_self_signed_master() == False:
- sys.exit('A selfsign CA backend can only prepare on the original master')
-
- # get the directory manager password
- dirman_password = options.password
- if not options.password:
- try:
- dirman_password = get_dirman_password()
- except KeyboardInterrupt:
- sys.exit(0)
- if dirman_password is None:
- sys.exit("\nDirectory Manager password required")
-
- # Try out the password
- try:
- conn = ldap2(shared_instance=False)
- conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password)
- conn.disconnect()
- except errors.ACIError:
- sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
- except errors.LDAPError:
- sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
- except errors.DatabaseError, e:
- sys.exit("\n"+e.desc)
-
- try:
- installutils.verify_fqdn(replica_fqdn, local_hostname=False)
- except BadHostError, e:
- msg = str(e)
- if isinstance(e, HostLookupError):
- if options.ip_address is None:
- if dns_container_exists(api.env.host, api.env.basedn,
- dm_password=dirman_password,
- ldapi=True, realm=api.env.realm):
- msg += '\nAdd the --ip-address argument to create a DNS entry.'
- sys.exit(msg)
- else:
- # The host doesn't exist in DNS but we're adding it.
- pass
- else:
- sys.exit(msg)
-
- if options.ip_address:
- if not dns_container_exists(api.env.host, api.env.basedn,
- dm_password=dirman_password,
- ldapi=True, realm=api.env.realm):
- print "You can't add a DNS record because DNS is not set up."
- sys.exit(1)
- if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
- sys.exit(1)
-
- if (not certs.ipa_self_signed() and
- not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and
- not options.dirsrv_pin):
- sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
-
- check_ipa_configuration(api.env.realm)
-
- if api.env.host == replica_fqdn:
- print "You can't create a replica on itself"
- sys.exit(1)
- ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(api.env.realm))
-
- print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host)
- enable_replication_version_checking(api.env.host, api.env.realm,
- dirman_password)
-
- subject_base = get_subject_base(api.env.host, dirman_password, ipautil.realm_to_suffix(api.env.realm))
-
- top_dir = tempfile.mkdtemp("ipa")
- dir = top_dir + "/realm_info"
- os.mkdir(dir, 0700)
-
- if options.dirsrv_pin:
- passwd = options.dirsrv_pin
- else:
- passwd = ""
-
- passwd_fname = dir + "/dirsrv_pin.txt"
- fd = open(passwd_fname, "w")
- fd.write("%s\n" % passwd)
- fd.close()
-
- if options.dirsrv_pkcs12:
- print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12
- try:
- shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12")
- except IOError, e:
- print "Copy failed %s" % e
- sys.exit(1)
- else:
- try:
- if not certs.ipa_self_signed():
- # FIXME, need option for location of CA backup
- if ipautil.file_exists(options.ca_file):
- shutil.copy(options.ca_file, dir + "/cacert.p12")
- else:
- raise RuntimeError("Root CA PKCS#12 not found in %s" % options.ca_file)
- except IOError, e:
- print "Copy failed %s" % e
- sys.exit(1)
- print "Creating SSL certificate for the Directory Server"
- try:
- export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
- except errors.CertificateOperationError, e:
- print "%s" % e
- sys.exit(1)
-
- if not certs.ipa_self_signed():
- print "Creating SSL certificate for the dogtag Directory Server"
- try:
- export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert", replica_fqdn, subject_base)
- except errors.CertificateOperationError, e:
- print "%s" % e
- sys.exit(1)
- print "Saving dogtag Directory Server port"
- port_fname = dir + "/dogtag_directory_port.txt"
- with open(port_fname, "w") as fd:
- fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT))
-
- if options.http_pin:
- passwd = options.http_pin
- else:
- passwd = ""
-
- passwd_fname = dir + "/http_pin.txt"
- fd = open(passwd_fname, "w")
- fd.write("%s\n" % passwd)
- fd.close()
-
- if options.http_pkcs12:
- print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12
- try:
- shutil.copy(options.http_pkcs12, dir + "/httpcert.p12")
- except IOError, e:
- print "Copy failed %s" % e
- sys.exit(1)
- else:
- print "Creating SSL certificate for the Web Server"
- try:
- export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn, subject_base)
- except errors.CertificateOperationError, e:
- print "%s" % e
- sys.exit(1)
- print "Exporting RA certificate"
- export_ra_pkcs12(dir, dirman_password)
-
- if options.setup_pkinit:
- if options.pkinit_pin:
- passwd = options.pkinit_pin
- else:
- passwd = ""
-
- passwd_fname = dir + "/pkinit_pin.txt"
- fd = open(passwd_fname, "w")
- fd.write("%s\n" % passwd)
- fd.close()
-
- if options.pkinit_pkcs12:
- print "Copying SSL certificate for the KDC from %s" % options.pkinit_pkcs12
- try:
- shutil.copy(options.pkinit_pkcs12, dir + "/pkinitcert.p12")
- except IOError, e:
- print "Copy failed %s" % e
- sys.exit(1)
- else:
- print "Creating SSL certificate for the KDC"
- try:
- export_certdb(api.env.realm, ds_dir, dir,
- passwd_fname, "pkinitcert",
- replica_fqdn, subject_base,
- is_kdc=True)
- except errors.CertificateOperationError, e:
- print "%s" % e
- sys.exit(1)
-
- print "Copying additional files"
- copy_files(api.env.realm, dir)
- print "Finalizing configuration"
- save_config(dir, api.env.realm, api.env.host, api.env.domain, replica_fqdn, subject_base)
-
- replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn
- encfile = replicafile+".gpg"
-
- print "Packaging replica information into %s" % encfile
- ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"])
- ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir)
-
- os.chmod(encfile, 0600)
-
- remove_file(replicafile)
- shutil.rmtree(dir)
-
- if options.ip_address:
- print "Adding DNS records for %s" % replica_fqdn
- api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dirman_password)
-
- domain = replica_fqdn.split(".")
- name = domain.pop(0)
- domain = ".".join(domain)
-
- ip = options.ip_address
- ip_address = str(ip)
-
- if options.reverse_zone:
- reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
- else:
- reverse_zone = bindinstance.find_reverse_zone(ip)
- if reverse_zone is None and not options.no_reverse:
- reverse_zone = bindinstance.get_reverse_zone_default(ip)
-
- try:
- add_zone(domain)
- except errors.PublicError, e:
- sys.exit("Could not create forward DNS zone for the replica: %s" % e)
-
- try:
- add_fwd_rr(domain, name, ip_address)
- except errors.PublicError, e:
- sys.exit("Could not add forward DNS record for the replica: %s" % e)
-
- if reverse_zone is not None:
- print "Using reverse zone %s" % reverse_zone
- try:
- add_zone(reverse_zone)
- except errors.PublicError, e:
- sys.exit("Could not create reverse DNS zone for the replica: %s" % e)
- try:
- add_ptr_rr(reverse_zone, ip_address, replica_fqdn)
- except errors.PublicError, e:
- sys.exit("Could not add reverse DNS record for the replica: %s" % e)
-
-try:
- if not os.geteuid()==0:
- sys.exit("\nYou must be root to run this script.\n")
-
- main()
-except SystemExit, e:
- sys.exit(e)
-except RuntimeError, e:
- sys.exit(e)
-except Exception, e:
- print "preparation of replica failed: %s" % str(e)
- message = str(e)
- for str in traceback.format_tb(sys.exc_info()[2]):
- message = message + "\n" + str
- root_logger.debug(message)
- print message
- sys.exit(1)
+ReplicaPrepare.run_cli()
diff --git a/ipapython/admintool.py b/ipapython/admintool.py
index 5bc21516..5beed4a8 100644
--- a/ipapython/admintool.py
+++ b/ipapython/admintool.py
@@ -77,12 +77,14 @@ class AdminTool(object):
command_name - shown in logs
log_file_name - if None, logging is to stderr only
usage - text shown in help
+ description - text shown in help
See the setup_logging method for more info on logging.
"""
command_name = None
log_file_name = None
usage = None
+ description = None
log = None
_option_parsers = dict()
@@ -91,7 +93,8 @@ class AdminTool(object):
def make_parser(cls):
"""Create an option parser shared across all instances of this class"""
parser = config.IPAOptionParser(version=version.VERSION,
- usage=cls.usage, formatter=config.IPAFormatter())
+ usage=cls.usage, formatter=config.IPAFormatter(),
+ description=cls.description)
cls.option_parser = parser
cls.add_options(parser)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
new file mode 100644
index 00000000..8afa4e8e
--- /dev/null
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -0,0 +1,504 @@
+#!/usr/bin/python
+# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+# Petr Viktorin <pviktori@redhat.com>
+#
+# Copyright (C) 2008-2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import shutil
+import tempfile
+from optparse import OptionGroup
+from ConfigParser import SafeConfigParser
+
+from ipaserver.install import certs, installutils, bindinstance, dsinstance
+from ipaserver.install.replication import enable_replication_version_checking
+from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install.bindinstance import (
+ add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
+from ipapython import ipautil, admintool, dogtag
+from ipapython.dn import DN
+from ipapython import version
+from ipalib import api
+from ipalib import errors
+
+
+class ReplicaPrepare(admintool.AdminTool):
+ command_name = 'ipa-replica-prepare'
+
+ usage = "%prog [options] <replica-fqdn>"
+
+ description = "Prepare a file for replica installation."
+
+ @classmethod
+ def add_options(cls, parser):
+ super(ReplicaPrepare, cls).add_options(parser, debug_option=True)
+
+ parser.add_option("-p", "--password", dest="password",
+ help="Directory Manager password (for the existing master)")
+ parser.add_option("--ip-address", dest="ip_address", type="ip",
+ help="add A and PTR records of the future replica")
+ parser.add_option("--reverse-zone", dest="reverse_zone",
+ help="the reverse DNS zone to use")
+ parser.add_option("--no-reverse", dest="no_reverse",
+ action="store_true", default=False,
+ help="do not create reverse DNS zone")
+ parser.add_option("--no-pkinit", dest="setup_pkinit",
+ action="store_false", default=True,
+ help="disables pkinit setup steps")
+ parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
+ metavar="FILE",
+ help="location of CA PKCS#12 file, default /root/cacert.p12")
+
+ group = OptionGroup(parser, "SSL certificate options",
+ "Only used if the server was installed using custom SSL certificates")
+ group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
+ metavar="FILE",
+ help="install certificate for the directory server")
+ group.add_option("--http_pkcs12", dest="http_pkcs12",
+ metavar="FILE",
+ help="install certificate for the http server")
+ group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
+ metavar="FILE",
+ help="install certificate for the KDC")
+ group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
+ help="PIN for the Directory Server PKCS#12 file")
+ group.add_option("--http_pin", dest="http_pin", metavar="PIN",
+ help="PIN for the Apache Server PKCS#12 file")
+ group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
+ help="PIN for the KDC pkinit PKCS#12 file")
+ parser.add_option_group(group)
+
+ def validate_options(self):
+ options = self.options
+ super(ReplicaPrepare, self).validate_options(needs_root=True)
+ installutils.check_server_configuration()
+
+ if not options.ip_address:
+ if options.reverse_zone:
+ self.option_parser.error("You cannot specify a --reverse-zone "
+ "option without the --ip-address option")
+ if options.no_reverse:
+ self.option_parser.error("You cannot specify a --no-reverse "
+ "option without the --ip-address option")
+ elif options.reverse_zone and options.no_reverse:
+ self.option_parser.error("You cannot specify a --reverse-zone "
+ "option together with --no-reverse")
+
+ # If any of the PKCS#12 options are selected, all are required.
+ pkcs12_opts = [options.dirsrv_pkcs12, options.dirsrv_pin,
+ options.http_pkcs12, options.http_pin]
+ if options.setup_pkinit:
+ pkcs12_opts.extend([options.pkinit_pkcs12, options.pkinit_pin])
+ if pkcs12_opts[0]:
+ pkcs12_okay = all(opt for opt in pkcs12_opts)
+ else:
+ pkcs12_okay = all(opt is None for opt in pkcs12_opts)
+ if not pkcs12_okay:
+ self.option_parser.error(
+ "All PKCS#12 options are required if any are used.")
+
+ if len(self.args) < 1:
+ self.option_parser.error(
+ "must provide the fully-qualified name of the replica")
+ elif len(self.args) > 1:
+ self.option_parser.error(
+ "must provide exactly one name for the replica")
+ else:
+ [self.replica_fqdn] = self.args
+
+ api.bootstrap(in_server=True)
+ api.finalize()
+
+ if api.env.host == self.replica_fqdn:
+ raise admintool.ScriptError("You can't create a replica on itself")
+
+ #Automatically disable pkinit w/ dogtag until that is supported
+ #[certs.ipa_self_signed() must be called only after api.finalize()]
+ if not options.pkinit_pkcs12 and not certs.ipa_self_signed():
+ options.setup_pkinit = False
+
+ # FIXME: certs.ipa_self_signed_master return value can be
+ # True, False, None, with different meanings.
+ # So, we need to explicitly compare to False
+ if certs.ipa_self_signed_master() == False:
+ raise admintool.ScriptError("A selfsign CA backend can only "
+ "prepare on the original master")
+
+ config_dir = dsinstance.config_dirname(
+ dsinstance.realm_to_serverid(api.env.realm))
+ if not ipautil.dir_exists(config_dir):
+ raise admintool.ScriptError(
+ "could not find directory instance: %s" % config_dir)
+
+ def ask_for_options(self):
+ options = self.options
+ super(ReplicaPrepare, self).ask_for_options()
+
+ # get the directory manager password
+ self.dirman_password = options.password
+ if not options.password:
+ self.dirman_password = installutils.read_password(
+ "Directory Manager (existing master)",
+ confirm=False, validate=False)
+ if self.dirman_password is None:
+ raise admintool.ScriptError(
+ "Directory Manager password required")
+
+ # Try out the password & get the subject base
+ suffix = ipautil.realm_to_suffix(api.env.realm)
+ try:
+ conn = ldap2(shared_instance=False, base_dn=suffix)
+ conn.connect(bind_dn=DN(('cn', 'directory manager')),
+ bind_pw=self.dirman_password)
+ dn, entry_attrs = conn.get_ipa_config()
+ conn.disconnect()
+ except errors.ACIError:
+ raise admintool.ScriptError("The password provided is incorrect "
+ "for LDAP server %s" % api.env.host)
+ except errors.LDAPError:
+ raise admintool.ScriptError(
+ "Unable to connect to LDAP server %s" % api.env.host)
+ except errors.DatabaseError, e:
+ raise admintool.ScriptError(e.desc)
+
+ self.subject_base = entry_attrs.get(
+ 'ipacertificatesubjectbase', [None])[0]
+ if self.subject_base is not None:
+ self.subject_base = DN(self.subject_base)
+
+ # Validate more options using the password
+ try:
+ installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
+ except installutils.BadHostError, e:
+ msg = str(e)
+ if isinstance(e, installutils.HostLookupError):
+ if options.ip_address is None:
+ if dns_container_exists(
+ api.env.host, api.env.basedn,
+ dm_password=self.dirman_password,
+ ldapi=True, realm=api.env.realm):
+ self.log.info('Add the --ip-address argument to '
+ 'create a DNS entry.')
+ raise
+ else:
+ # The host doesn't exist in DNS but we're adding it.
+ pass
+ else:
+ raise
+
+ if options.ip_address:
+ if not dns_container_exists(api.env.host, api.env.basedn,
+ dm_password=self.dirman_password,
+ ldapi=True, realm=api.env.realm):
+ raise admintool.ScriptError("You can't add a DNS record "
+ "because DNS is not set up.")
+ if options.reverse_zone and not bindinstance.verify_reverse_zone(
+ options.reverse_zone, options.ip_address):
+ raise admintool.ScriptError("Invalid reverse zone")
+
+ if (not certs.ipa_self_signed() and
+ not ipautil.file_exists(
+ dogtag.configured_constants().CS_CFG_PATH) and
+ not options.dirsrv_pin):
+ self.log.info("If you installed IPA with your own certificates "
+ "using PKCS#12 files you must provide PKCS#12 files for any "
+ "replicas you create as well.")
+ raise admintool.ScriptError("The replica must be created on the "
+ "primary IPA server.")
+
+ def run(self):
+ options = self.options
+ super(ReplicaPrepare, self).run()
+
+ self.log.info("Preparing replica for %s from %s",
+ self.replica_fqdn, api.env.host)
+ enable_replication_version_checking(api.env.host, api.env.realm,
+ self.dirman_password)
+
+ self.top_dir = tempfile.mkdtemp("ipa")
+ self.dir = os.path.join(self.top_dir, "realm_info")
+ os.mkdir(self.dir, 0700)
+ try:
+ self.copy_ds_certificate()
+
+ self.copy_httpd_certificate()
+
+ if options.setup_pkinit:
+ self.copy_pkinit_certificate()
+
+ self.copy_misc_files()
+
+ self.save_config()
+
+ self.package_replica_file()
+ finally:
+ shutil.rmtree(self.top_dir)
+
+ if options.ip_address:
+ self.add_dns_records()
+
+ def copy_ds_certificate(self):
+ options = self.options
+
+ passwd_fname = os.path.join(self.dir, "dirsrv_pin.txt")
+ with open(passwd_fname, "w") as fd:
+ fd.write("%s\n" % (options.dirsrv_pin or ''))
+
+ if options.dirsrv_pkcs12:
+ self.log.info(
+ "Copying SSL certificate for the Directory Server from %s",
+ options.dirsrv_pkcs12)
+ self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
+ else:
+ if not certs.ipa_self_signed():
+ if ipautil.file_exists(options.ca_file):
+ self.copy_info_file(options.ca_file, "cacert.p12")
+ else:
+ raise admintool.ScriptError("Root CA PKCS#12 not "
+ "found in %s" % options.ca_file)
+ self.log.info(
+ "Creating SSL certificate for the Directory Server")
+ self.export_certdb("dscert", passwd_fname)
+
+ if not certs.ipa_self_signed():
+ self.log.info(
+ "Creating SSL certificate for the dogtag Directory Server")
+ self.export_certdb("dogtagcert", passwd_fname)
+ self.log.info("Saving dogtag Directory Server port")
+ port_fname = os.path.join(
+ self.dir, "dogtag_directory_port.txt")
+ with open(port_fname, "w") as fd:
+ fd.write("%s\n" % str(dogtag.configured_constants().DS_PORT))
+
+ def copy_httpd_certificate(self):
+ options = self.options
+
+ passwd_fname = os.path.join(self.dir, "http_pin.txt")
+ with open(passwd_fname, "w") as fd:
+ fd.write("%s\n" % (options.http_pin or ''))
+
+ if options.http_pkcs12:
+ self.log.info(
+ "Copying SSL certificate for the Web Server from %s",
+ options.http_pkcs12)
+ self.copy_info_file(options.http_pkcs12, "httpcert.p12")
+ else:
+ self.log.info("Creating SSL certificate for the Web Server")
+ self.export_certdb("httpcert", passwd_fname)
+
+ self.log.info("Exporting RA certificate")
+ if not certs.ipa_self_signed():
+ self.export_ra_pkcs12()
+
+ def copy_pkinit_certificate(self):
+ options = self.options
+
+ passwd_fname = os.path.join(self.dir, "pkinit_pin.txt")
+ with open(passwd_fname, "w") as fd:
+ fd.write("%s\n" % (options.pkinit_pin or ''))
+
+ if options.pkinit_pkcs12:
+ self.log.info(
+ "Copying SSL certificate for the KDC from %s",
+ options.pkinit_pkcs12)
+ self.copy_info_file(options.pkinit_pkcs12, "pkinitcert.p12")
+ else:
+ self.log.info("Creating SSL certificate for the KDC")
+ self.export_certdb("pkinitcert", passwd_fname, is_kdc=True)
+
+ def copy_misc_files(self):
+ self.log.info("Copying additional files")
+
+ self.copy_info_file("/usr/share/ipa/html/ca.crt", "ca.crt")
+ preferences_filename = "/usr/share/ipa/html/preferences.html"
+ if ipautil.file_exists(preferences_filename):
+ self.copy_info_file(preferences_filename, "preferences.html")
+ self.copy_info_file("/usr/share/ipa/html/krb.js", "krb.js")
+ self.copy_info_file(
+ "/usr/share/ipa/html/kerberosauth.xpi", "kerberosauth.xpi")
+ self.copy_info_file(
+ "/usr/share/ipa/html/configure.jar", "configure.jar")
+ cacert_filename = "/var/kerberos/krb5kdc/cacert.pem"
+ if ipautil.file_exists(cacert_filename):
+ self.copy_info_file(cacert_filename, "cacert.pem")
+
+ def save_config(self):
+ self.log.info("Finalizing configuration")
+
+ config = SafeConfigParser()
+ config.add_section("realm")
+ config.set("realm", "realm_name", api.env.realm)
+ config.set("realm", "master_host_name", api.env.host)
+ config.set("realm", "domain_name", api.env.domain)
+ config.set("realm", "destination_host", self.replica_fqdn)
+ config.set("realm", "subject_base", str(self.subject_base))
+ config.set("realm", "version", str(version.NUM_VERSION))
+
+ with open(os.path.join(self.dir, "realm_info"), "w") as fd:
+ config.write(fd)
+
+ def package_replica_file(self):
+ replicafile = "/var/lib/ipa/replica-info-%s" % self.replica_fqdn
+ encfile = "%s.gpg" % replicafile
+
+ self.log.info("Packaging replica information into %s", encfile)
+ ipautil.run(
+ ["/bin/tar", "cf", replicafile, "-C", self.top_dir, "realm_info"])
+ ipautil.encrypt_file(
+ replicafile, encfile, self.dirman_password, self.top_dir)
+
+ os.chmod(encfile, 0600)
+
+ installutils.remove_file(replicafile)
+
+ def add_dns_records(self):
+ options = self.options
+
+ self.log.info("Adding DNS records for %s", self.replica_fqdn)
+ api.Backend.ldap2.connect(
+ bind_dn=DN(('cn', 'Directory Manager')),
+ bind_pw=self.dirman_password)
+
+ name, domain = self.replica_fqdn.split(".", 1)
+
+ ip = options.ip_address
+ ip_address = str(ip)
+
+ if options.reverse_zone:
+ reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
+ else:
+ reverse_zone = bindinstance.find_reverse_zone(ip)
+ if reverse_zone is None and not options.no_reverse:
+ reverse_zone = bindinstance.get_reverse_zone_default(ip)
+
+ try:
+ add_zone(domain)
+ except errors.PublicError, e:
+ raise admintool.ScriptError(
+ "Could not create forward DNS zone for the replica: %s" % e)
+
+ try:
+ add_fwd_rr(domain, name, ip_address)
+ except errors.PublicError, e:
+ raise admintool.ScriptError(
+ "Could not add forward DNS record for the replica: %s" % e)
+
+ if reverse_zone is not None:
+ self.log.info("Using reverse zone %s", reverse_zone)
+ try:
+ add_zone(reverse_zone)
+ except errors.PublicError, e:
+ raise admintool.ScriptError(
+ "Could not create reverse DNS zone for replica: %s" % e)
+ try:
+ add_ptr_rr(reverse_zone, ip_address, self.replica_fqdn)
+ except errors.PublicError, e:
+ raise admintool.ScriptError(
+ "Could not add reverse DNS record for the replica: %s" % e)
+
+ def copy_info_file(self, source, dest):
+ """Copy a file into the info directory
+
+ :param source: The source file (an absolute path)
+ :param dest: The destination file (relative to the info directory)
+ """
+ dest_path = os.path.join(self.dir, dest)
+ self.log.debug('Copying %s to %s', source, dest_path)
+ try:
+ shutil.copy(source, dest_path)
+ except IOError, e:
+ raise admintool.ScriptError("File copy failed: %s" % e)
+
+ def remove_info_file(self, filename):
+ """Remove a file from the info directory
+
+ :param filename: The unneeded file (relative to the info directory)
+ """
+ installutils.remove_file(os.path.join(self.dir, filename))
+
+ def export_certdb(self, fname, passwd_fname, is_kdc=False):
+ """Export a cert database
+
+ :param fname: The file to export to (relative to the info directory)
+ :param passwd_fname: File that holds the cert DB password
+ :param is_kdc: True if we're exporting KDC certs
+ """
+ options = self.options
+ hostname = self.replica_fqdn
+ subject_base = self.subject_base
+
+ if is_kdc:
+ nickname = "KDC-Cert"
+ else:
+ nickname = "Server-Cert"
+
+ try:
+ self_signed = certs.ipa_self_signed()
+
+ db = certs.CertDB(
+ api.env.realm, nssdir=self.dir, subject_base=subject_base)
+ db.create_passwd_file()
+ ca_db = certs.CertDB(
+ api.env.realm, host_name=api.env.host,
+ subject_base=subject_base)
+ if is_kdc:
+ ca_db.create_kdc_cert("KDC-Cert", hostname, self.dir)
+ else:
+ db.create_from_cacert(ca_db.cacert_fname)
+ db.create_server_cert(nickname, hostname, ca_db)
+
+ pkcs12_fname = os.path.join(self.dir, fname + ".p12")
+
+ try:
+ if is_kdc:
+ ca_db.export_pem_p12(pkcs12_fname, passwd_fname,
+ nickname, os.path.join(self.dir, "kdc.pem"))
+ else:
+ db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
+ except ipautil.CalledProcessError, e:
+ self.log.info("error exporting Server certificate: %s", e)
+ installutils.remove_file(pkcs12_fname)
+ installutils.remove_file(passwd_fname)
+
+ self.remove_info_file("cert8.db")
+ self.remove_info_file("key3.db")
+ self.remove_info_file("secmod.db")
+ self.remove_info_file("noise.txt")
+
+ if is_kdc:
+ self.remove_info_file("kdc.pem")
+
+ orig_filename = passwd_fname + ".orig"
+ if ipautil.file_exists(orig_filename):
+ installutils.remove_file(orig_filename)
+ except errors.CertificateOperationError, e:
+ raise admintool.ScriptError(str(e))
+
+ def export_ra_pkcs12(self):
+ agent_fd, agent_name = tempfile.mkstemp()
+ os.write(agent_fd, self.dirman_password)
+ os.close(agent_fd)
+
+ try:
+ db = certs.CertDB(api.env.realm, host_name=api.env.host)
+
+ if db.has_nickname("ipaCert"):
+ pkcs12_fname = os.path.join(self.dir, "ra.p12")
+ db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
+ finally:
+ os.remove(agent_name)
generated by cgit (git 2.34.1) at 2024-06-09 11:10:51 +0000