Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py105
-rw-r--r--ipaserver/install/dsinstance.py14
-rw-r--r--ipaserver/install/installutils.py7
-rw-r--r--ipaserver/install/replication.py20
4 files changed, 115 insertions, 31 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 163f5c86..68e1485c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -60,10 +60,10 @@ from ipalib import util
from ipapython.ipa_log_manager import *
HTTPD_CONFD = "/etc/httpd/conf.d/"
-DEFAULT_DSPORT=7389
+DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
PKI_USER = "pkiuser"
-PKI_DS_USER = "pkisrv"
+PKI_DS_USER = dogtag.install_constants.DS_USER
# We need to reset the template because the CA uses the regular boot
@@ -232,6 +232,17 @@ def get_crl_files(path=None):
elif f.endswith(".der"):
yield os.path.join(path, f)
+
+def is_step_one_done():
+ '''Read CS.cfg and determine if step one of an external CA install is done
+ '''
+ test = installutils.get_directive(
+ dogtag.install_constants.CS_CFG_PATH, 'preop.ca.type', '=')
+ if test == "otherca":
+ return True
+ return False
+
+
class CADSInstance(service.Service):
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
service.Service.__init__(self, "pkids",
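Review bot: `is_step_one_done` spells out a boolean with an `if`/`return True`/`return False` triple; `return test == "otherca"` says the same thing in one line and avoids the duplicated return paths. The docstring should also state the contract rather than only the mechanism, e.g. `Return True when preop.ca.type in CS.cfg (dogtag.install_constants.CS_CFG_PATH) is "otherca", i.e. the first half of an external-CA install has completed.` What `installutils.get_directive` returns when the file or key is absent is not visible here, so the comparison's behaviour in that case should be confirmed before relying on the False branch.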
@@ -518,6 +529,7 @@ class CAInstance(service.Service):
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
+ master_replication_port=None,
subject_base=None):
"""Create a CA instance.
@@ -538,6 +550,7 @@ class CAInstance(service.Service):
if self.pkcs12_info is not None:
self.clone = True
self.master_host = master_host
+ self.master_replication_port = master_replication_port
if subject_base is None:
self.subject_base = DN(('O', self.realm))
else:
@@ -656,7 +669,11 @@ class CAInstance(service.Service):
"pki_security_domain_user": "admin",
"pki_security_domain_password": self.admin_password,
"pki_clone_replication_security": "TLS",
- "pki_clone_uri": \
+ "pki_clone_replication_master_port":
+ str(self.master_replication_port),
+ "pki_clone_replication_clone_port":
+ dogtag.install_constants.DS_PORT,
+ "pki_clone_uri":
"https://%s" % ipautil.format_netloc(self.master_host, 443)
}
replacevars.update(clone_vars)
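Review bot: `str(self.master_replication_port)` turns the parameter's default `None` into the literal string "None" inside `pki_clone_replication_master_port`, so a caller that forgets to pass the port produces a broken clone configuration instead of an early failure; the same conversion feeds `-clone_master_port` in the next hunk. A guard before `clone_vars` is built, `if self.master_replication_port is None: raise ValueError("master_replication_port is required for a clone install")`, catches it at the source. The neighbouring `pki_clone_replication_clone_port` is passed as `dogtag.install_constants.DS_PORT` without `str()`, unlike the master port; the two should be converted consistently unless the template substitution is known to accept both. The enclosing method starts and ends outside this hunk.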
@@ -839,6 +856,8 @@ class CAInstance(service.Service):
args.append("admin")
args.append("-sd_admin_password")
args.append(self.admin_password)
+ args.append("-clone_master_port")
+ args.append(str(self.master_replication_port))
args.append("-clone_start_tls")
args.append("true")
args.append("-clone_uri")
@@ -1275,6 +1294,43 @@ class CAInstance(service.Service):
'OU=pki-ipa, O=IPA', str(self.subject_base)):
print "Updating subject_base in CA template failed"
+ def enable_client_auth_to_db(self):
+ """
+ Enable client auth connection to the internal db.
+ """
+ caconfig = dogtag.install_constants.CS_CFG_PATH
+
+ # Enable file publishing, disable LDAP
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
+ 'SslClientAuth', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN',
+ 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
+ 'subsystemCert cert-pki-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapconn.port',
+ str(dogtag.install_constants.DS_SECURE_PORT),
+ quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn',
+ 'true', quotes=False, separator='=')
+
+ installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype',
+ 'SslClientAuth', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN',
+ 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'internaldb.ldapauth.clientCertNickname',
+ 'subsystemCert cert-pki-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'internaldb.ldapconn.port',
+ str(dogtag.install_constants.DS_SECURE_PORT),
+ quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'internaldb.ldapconn.secureConn',
+ 'true', quotes=False, separator='=')
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring CA")
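Review bot: The comment `# Enable file publishing, disable LDAP` above the first `set_directive` call does not describe the directives beneath it, which point the DirAclAuthz plugin and the internal DB connection at the secure port with `SslClientAuth`; it reads as a copy-paste and should go. The two five-directive groups differ only in their key prefix, so one loop over the prefixes keeps them from drifting apart, as below. The docstring would also benefit from naming the two settings that must stay in step, the bindDN `uid=pkidbuser,ou=people,o=ipa-ca` and the nickname `subsystemCert cert-pki-ca`, since a mismatch between them is the usual reason client-cert auth to the DB fails.
```python
    def enable_client_auth_to_db(self):
        """
        Point the CA's internal-database connections at the secure port
        with TLS client-certificate authentication (SslClientAuth).

        Both the internaldb connection and the DirAclAuthz plugin bind as
        uid=pkidbuser,ou=people,o=ipa-ca using the subsystem certificate.
        """
        caconfig = dogtag.install_constants.CS_CFG_PATH

        # Both prefixes take the same five settings; keep them in one place.
        directives = (
            ('ldapauth.authtype', 'SslClientAuth'),
            ('ldapauth.bindDN', 'uid=pkidbuser,ou=people,o=ipa-ca'),
            ('ldapauth.clientCertNickname', 'subsystemCert cert-pki-ca'),
            ('ldapconn.port', str(dogtag.install_constants.DS_SECURE_PORT)),
            ('ldapconn.secureConn', 'true'),
        )
        for prefix in ('authz.instance.DirAclAuthz.ldap', 'internaldb'):
            for key, value in directives:
                installutils.set_directive(caconfig, '%s.%s' % (prefix, key),
                                           value, quotes=False, separator='=')
```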
@@ -1501,7 +1557,7 @@ class CAInstance(service.Service):
return master == 'New'
-def install_replica_ca(config, postinstall=False):
+def install_replica_ca(config, master_ds_port, postinstall=False):
"""
Install a CA on a replica.
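Review bot: `master_ds_port` is a new required positional parameter inserted ahead of `postinstall=False`, and the docstring beginning on the last two lines of this hunk does not mention it. Add a line like `master_ds_port -- port of the master's CA directory server, passed on to CAInstance.configure_instance as master_replication_port`. Any caller that passed `postinstall` positionally would now bind it to `master_ds_port` silently, which is worth checking at the call sites (none are visible in this diff). The docstring continues outside the hunk.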
@@ -1539,13 +1595,18 @@ def install_replica_ca(config, postinstall=False):
if ipautil.file_exists(config.dir + "/dogtagcert.p12"):
pkcs12_info = (config.dir + "/dogtagcert.p12",
config.dir + "/dirsrv_pin.txt")
- cs = CADSInstance(dogtag_constants=dogtag.install_constants)
- cs.create_instance(config.realm_name, config.host_name,
- config.domain_name, config.dirman_password,
- pkcs12_info)
- cs.load_pkcs12()
- cs.enable_ssl()
- cs.restart_instance()
+
+ if not dogtag.install_constants.SHARED_DB:
+ cs = CADSInstance(dogtag_constants=dogtag.install_constants)
+ cs.create_instance(config.realm_name, config.host_name,
+ config.domain_name, config.dirman_password,
+ pkcs12_info)
+ cs.load_pkcs12()
+ cs.enable_ssl()
+ cs.restart_instance()
+ else:
+ cs = None
+
ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
if postinstall:
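Review bot: `cs` is set to `None` in the SHARED_DB branch and, in the last hunk of this function, is returned as the second element of `(ca, cs)`, so every caller that unpacks the result must now tolerate `None`; the function docstring should say `cs is None when the CA shares the IPA directory server (SHARED_DB)`. `pkcs12_info` built from dogtagcert.p12 just above appears to be consumed only by `cs.create_instance`, so in the shared-DB branch it is computed and discarded; moving that computation inside the `if not dogtag.install_constants.SHARED_DB:` branch makes the dependency explicit, assuming nothing after this hunk reads it.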
@@ -1555,6 +1616,7 @@ def install_replica_ca(config, postinstall=False):
ca.configure_instance(config.host_name, config.dirman_password,
config.dirman_password, pkcs12_info=(cafile,),
master_host=config.master_host_name,
+ master_replication_port=master_ds_port,
subject_base=config.subject_base)
if postinstall:
@@ -1573,8 +1635,14 @@ def install_replica_ca(config, postinstall=False):
service.print_msg("Restarting the directory and certificate servers")
ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
- ipaservices.knownservices.dirsrv.stop("PKI-IPA")
- ipaservices.knownservices.dirsrv.start("PKI-IPA")
+
+ if not dogtag.install_constants.SHARED_DB:
+ ds_name = dogtag.install_constants.DS_NAME
+ ipaservices.knownservices.dirsrv.stop(ds_name)
+ ipaservices.knownservices.dirsrv.start(ds_name)
+ else:
+ ipaservices.knownservices.dirsrv.restart()
+
ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
return (ca, cs)
@@ -1592,7 +1660,7 @@ def update_cert_config(nickname, cert):
'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
'caSigningCert cert-pki-ca': 'ca.signing.cert',
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
- 'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
+ 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
directives[nickname],
@@ -1601,7 +1669,12 @@ def update_cert_config(nickname, cert):
if __name__ == "__main__":
standard_logging_setup("install.log")
- cs = CADSInstance()
- cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password")
+ if not dogtag.install_constants.SHARED_DB:
+ cs = CADSInstance()
+ cs.create_instance(
+ "EXAMPLE.COM", "catest.example.com", "example.com", "password")
+ else:
+ ds = dsinstance.DsInstance()
+
ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
ca.configure_instance("catest.example.com", "password", "password")
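Review bot: In the SHARED_DB branch of the `__main__` harness `ds = dsinstance.DsInstance()` is assigned and never used, and `cs` is left unbound, so anything after this hunk that references `cs` will raise there. Either drop the `ds` assignment or give it a purpose, e.g. `# placeholder: the shared-DB path expects an existing DsInstance`, and set `cs = None` in the `else` branch to mirror `install_replica_ca`. No hunk of this diff adds an import of `dsinstance` to cainstance.py; confirm it is already imported higher in the file.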
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index fe42282d..c178a4da 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -31,6 +31,7 @@ import tempfile
from ipapython import ipautil
from ipapython import sysrestore
from ipapython import services as ipaservices
+from ipapython import dogtag
import service
import installutils
@@ -166,6 +167,8 @@ class DsInstance(service.Service):
ldapi=False,
autobind=service.DISABLED
)
+ self.nickname = 'Server-Cert'
+ self.dm_password = dm_password
self.realm_name = realm_name
self.sub_dict = None
self.domain = domain_name
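Review bot: `self.dm_password = dm_password` keeps the Directory Manager password on the instance for its whole lifetime, so anything that dumps the object (a repr, a debug log of `__dict__`, persisted state) would expose it. If only one later step needs it, passing it through to that step or clearing the attribute after use limits the exposure; otherwise a comment naming the consumer, `# kept for enable_ssl/replica setup, which bind as Directory Manager`, tells the next maintainer why it is retained (the consumer is not visible in this diff, so confirm). `self.nickname = 'Server-Cert'` is a hard-coded value that deserves a short comment stating it is the NSS nickname of the DS server certificate.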
@@ -192,7 +195,7 @@ class DsInstance(service.Service):
subject_base = ipautil.dn_attribute_property('_subject_base')
- def __common_setup(self):
+ def __common_setup(self, enable_ssl=False):
self.step("creating directory server user", self.__create_ds_user)
self.step("creating directory server instance", self.__create_instance)
@@ -209,7 +212,8 @@ class DsInstance(service.Service):
self.step("configuring lockout plugin", self.__config_lockout_module)
self.step("creating indices", self.__create_indices)
self.step("enabling referential integrity plugin", self.__add_referint_module)
- self.step("configuring ssl for ds instance", self.__enable_ssl)
+ if not dogtag.install_constants.SHARED_DB or enable_ssl:
+ self.step("configuring ssl for ds instance", self.enable_ssl)
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("configure autobind for root", self.__root_autobind)
self.step("configure new location for managed entries", self.__repoint_managed_entries)
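Review bot: The new condition `if not dogtag.install_constants.SHARED_DB or enable_ssl:` silently drops the "configuring ssl for ds instance" step in the shared-DB case unless the caller opts in, and nothing says why; a comment such as `# With a shared DB the CA installer enables SSL itself later via enable_ssl(); replicas pass enable_ssl=True because they need it during setup` would record the intent (the first half is inferred from `__enable_ssl` being made public in a later hunk, so confirm). The call site in the following hunk passes a bare positional `True`; `self.__common_setup(enable_ssl=True)` reads correctly at a glance, since Python 2 has no keyword-only parameters to enforce it. `__common_setup` starts in the previous hunk and ends outside this one.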
@@ -284,7 +288,7 @@ class DsInstance(service.Service):
self.idmax = 1100
self.__setup_sub_dict()
- self.__common_setup()
+ self.__common_setup(True)
self.step("setting up initial replication", self.__setup_replica)
self.step("adding replication acis", self.__add_replication_acis)
@@ -525,7 +529,7 @@ class DsInstance(service.Service):
def generate_random(self):
return ipautil.ipa_generate_password()
- def __enable_ssl(self):
+ def enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
if self.pkcs12_info:
@@ -601,6 +605,8 @@ class DsInstance(service.Service):
def __certmap_conf(self):
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.serverid) + "certmap.conf")
+ installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
+ 'domain_name', self.realm_name)
def __enable_ldapi(self):
self._ldap_mod("ldapi.ldif", self.sub_dict)
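Review bot: `installutils.update_file(..., 'domain_name', self.realm_name)` fills a placeholder named `domain_name` with the realm rather than with `self.domain`, which the same constructor stores in an earlier hunk; if the certmap template really wants the realm here, a comment saves the next reader the double-take: `# certmap.conf.template's domain_name token is the Kerberos realm, not the DNS domain`. I cannot see certmap.conf.template, so this is to be confirmed against it. `__certmap_conf` ends within this hunk.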
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 754d5fc9..3368533d 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -38,7 +38,7 @@ from dns import resolver, rdatatype
from dns.exception import DNSException
import ldap
-from ipapython import ipautil, sysrestore, admintool
+from ipapython import ipautil, sysrestore, admintool, dogtag
from ipapython.admintool import ScriptError
from ipapython.ipa_log_manager import *
from ipalib.util import validate_hostname
@@ -48,8 +48,11 @@ from ipapython.dn import DN
# Used to determine install status
IPA_MODULES = [
- 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'pkids', 'install',
+ 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install',
'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
+if not dogtag.install_constants.SHARED_DB:
+ IPA_MODULES.append('pkids')
+
class BadHostError(Exception):
pass
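Review bot: The conditional `IPA_MODULES.append('pkids')` has no comment explaining why the module disappears from the install-status list in shared-DB mode, and it mutates a module-level constant at import time based on `dogtag.install_constants`. A comment like `# pkids is the CA's separate directory server instance; it is presumably absent when the CA shares the IPA DS (SHARED_DB)` records the reason, and building the list in one expression, `IPA_MODULES = [...] + ([] if dogtag.install_constants.SHARED_DB else ['pkids'])`, avoids the post-hoc mutation.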
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 260e7bba..23de883a 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -27,7 +27,7 @@ from ipaserver import ipaldap
from ipapython import services as ipaservices
from ldap import modlist
from ipalib import api, util, errors
-from ipapython import ipautil
+from ipapython import ipautil, dogtag
from ipapython.dn import DN
CACERT = "/etc/ipa/ca.crt"
@@ -59,7 +59,7 @@ STRIP_ATTRS = ('modifiersName',
def replica_conn_check(master_host, host_name, realm, check_ca,
- admin_password=None):
+ dogtag_master_ds_port, admin_password=None):
"""
Check the ports used by the replica both locally and remotely to be sure
that replication will work.
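Review bot: `dogtag_master_ds_port` is a new required positional parameter placed before `admin_password=None`, and the docstring that begins here (and continues outside the hunk) does not describe it. Add `dogtag_master_ds_port -- port of the master's CA directory server; the CA port check is only run when it matches the Dogtag 9 port`, which also documents the behaviour introduced in the next hunk. Callers passing `admin_password` positionally would now bind it to the port argument, so the call sites deserve a check.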
@@ -77,10 +77,10 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
args.extend(["--password", admin_password])
nolog=(admin_password,)
- if check_ca:
+ if check_ca and dogtag_master_ds_port == dogtag.Dogtag9Constants.DS_PORT:
args.append('--check-ca')
- (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
- nolog=nolog)
+ (stdin, stderr, returncode) = ipautil.run(
+ args, raiseonerr=False, capture_output=False, nolog=nolog)
if returncode != 0:
sys.exit("Connection check failed!" +
@@ -958,10 +958,12 @@ class ReplicationManager(object):
newschedule = '2358-2359 0'
- filter = '(&(nsDS5ReplicaHost=%s)' \
- '(|(objectclass=nsDSWindowsReplicationAgreement)' \
- '(objectclass=nsds5ReplicationAgreement)))' % hostname
- entries = conn.getList(DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter)
+ filter = ('(&(nsDS5ReplicaHost=%s)'
+ '(&(!(nsDS5ReplicaRoot=o=ipaca))'
+ '(|(objectclass=nsDSWindowsReplicationAgreement)'
+ '(objectclass=nsds5ReplicationAgreement))))' % hostname)
+ entries = conn.getList(
+ DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter)
if len(entries) == 0:
root_logger.error("Unable to find replication agreement for %s" %
(hostname))
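Review bot: The rewritten filter now excludes agreements with `nsDS5ReplicaRoot=o=ipaca` but nothing says why; a comment such as `# skip the CA's own replication agreements under o=ipaca; only the IPA suffix is managed here` would carry the intent, which I am inferring from the suffix name. `hostname` is still interpolated into the LDAP filter with `%` and no escaping; `ldap.filter.escape_filter_chars(hostname)` is the safe form if the value can come from user input (the `ldap` module is used in this file, an `import ldap.filter` may be needed). The local name `filter` shadows the builtin and could be `agreement_filter`. The enclosing method starts outside this hunk.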