author | Simo Sorce <simo@redhat.com> | 2015-08-20 17:10:23 -0400 |
committer | Simo Sorce <simo@redhat.com> | 2015-10-01 16:20:49 -0400 |
commit | c369af1f93e2808662606031bc093e770b370cb2 (patch) | |
tree | a11269d094cc9c416a36f96a7d42a3c048e4c05e /install | |
parent | d0638bd593eb1c4cd5ed7775b6356796e3e91901 (diff) | |
Allow ipa-ca-install to use the new promotion code
This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-x | install/tools/ipa-ca-install | 94 |
1 files changed, 79 insertions, 15 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d03..46fb36aa2 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,12 +21,16 @@
 import sys
 import os
 import shutil
+import tempfile
 
 from ipapython import ipautil
 from ipaserver.install import installutils
 from ipaserver.install import certs
 from ipaserver.install.installutils import create_replica_config
+from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
+from ipaserver.install import cainstance, custodiainstance
+from ipapython import dogtag
 from ipapython import version
 from ipalib import api
 from ipapython.dn import DN
@@ -67,6 +71,10 @@ def parse_options():
                       type="choice",
                       choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
                       help="Signing algorithm of the IPA CA certificate")
+    parser.add_option("-P", "--principal", dest="principal", sensitive=True,
+                      default=None, help="User allowed to manage replicas")
+    parser.add_option("-r", "--replica", dest="replica", action="store_true",
+                      default=False, help="Create a CA clone on the replica")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
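Review bot: The help text of the new `--replica` option does not say when the flag actually works: in the install_replica() change further down, a CA clone is built without a replica file only when the server's domain level is above 0, and a replica file is still required otherwise. Suggest wording such as `help="Create a CA clone on this already-promoted replica (no replica file needed)"`, and for `-P/--principal` something like `help="Principal used to obtain admin credentials when no admin ticket is present"`, which matches the "acquire them" comment in install_replica(). parse_options() continues outside the hunk.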
@@ -107,15 +115,24 @@ def install_replica(safe_options, options, filename):
                       sys.argv[0], filename, safe_options)
     root_logger.debug('IPA version %s', version.VENDOR_VERSION)
 
-    if not ipautil.file_exists(filename):
-        sys.exit("Replica file %s does not exist" % filename)
-
     if not dsinstance.DsInstance().is_configured():
         sys.exit("IPA server is not configured on this system.\n")
 
     api.bootstrap(in_server=True)
     api.finalize()
+    domain_level = dsinstance.get_domain_level(api)
+    if domain_level > 0:
+        options.promote = True
+    else:
+        options.promote = False
+        if not ipautil.file_exists(filename):
+            sys.exit("Replica file %s does not exist" % filename)
+
+
+    # Check if we have admin creds already, otherwise acquire them
+    check_creds(options, api.env.realm)
+
 
     # get the directory manager password
     dirman_password = options.password
     if not dirman_password:
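Review bot: When the tool is started with `--replica` and no replica file, `filename` is `None` on entry to install_replica() (main() now dispatches on `options.replica or filename is not None`), so on a domain-level-0 server the `else` branch hands `None` to `ipautil.file_exists()`, which presumably fails with a traceback rather than a usable message. Guard that branch first: `if filename is None: sys.exit("A replica file is required when the domain level is 0")`. The two blank lines after that `sys.exit` and the extra one after `check_creds()` are a style nit. install_replica() continues outside the hunk.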
@@ -132,13 +149,36 @@ def install_replica(safe_options, options, filename):
             options.unattended:
         sys.exit('admin password required')
 
-    config = create_replica_config(dirman_password, filename, options)
+    if options.promote:
+        config = ReplicaConfig()
+        config.master_host_name = None
+        config.realm_name = api.env.realm
+        config.host_name = api.env.host
+        config.domain_name = api.env.domain
+        config.dirman_password = dirman_password
+        config.ca_ds_port = dogtag.install_constants.DS_PORT
+        config.top_dir = tempfile.mkdtemp("ipa")
+        config.dir = config.top_dir
+    else:
+        config = create_replica_config(dirman_password, filename, options)
+
     global REPLICA_INFO_TOP_DIR
     REPLICA_INFO_TOP_DIR = config.top_dir
     config.setup_ca = True
 
-    api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-                              bind_pw=dirman_password)
+    conn = api.Backend.ldap2
+    conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                 bind_pw=dirman_password)
+
+    if config.subject_base is None:
+        attrs = conn.get_ipa_config()
+        config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
+
+    if config.master_host_name is None:
+        config.ca_host_name = cainstance.find_ca_server(api.env.ca_host, conn)
+        config.master_host_name = config.ca_host_name
+    else:
+        config.ca_host_name = config.master_host_name
 
     options.realm_name = config.realm_name
     options.domain_name = config.domain_name
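Review bot: `attrs.get('ipacertificatesubjectbase')[0]` indexes whatever `get()` returns, so an IPA config entry without that attribute ends in a `TypeError` on `None` instead of an error the operator can act on; prefer `subject_base = attrs.get('ipacertificatesubjectbase')` / `if not subject_base: sys.exit("ipacertificatesubjectbase is not set in the IPA config")` / `config.subject_base = subject_base[0]`. In the promote branch `tempfile.mkdtemp("ipa")` passes "ipa" as the suffix, not the prefix, so the directory is named like `tmpXXXXipa`; if a recognisable prefix was intended use `tempfile.mkdtemp(prefix="ipa")`. That directory is later used to hold the CA key material fetched from Custodia, and its removal is not part of this hunk; a comment on `config.top_dir` saying who is responsible for deleting it (presumably the `REPLICA_INFO_TOP_DIR` cleanup elsewhere in the script) would help. install_replica() starts and ends outside the hunk.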
@@ -147,7 +187,22 @@ def install_replica(safe_options, options, filename):
     options.subject = config.subject_base
 
     ca.install_check(True, config, options)
-    ca.install(True, config, options)
+    if options.promote:
+        ca_data = (os.path.join(config.dir, 'cacert.p12'),
+                   config.dirman_password)
+        custodia = custodiainstance.CustodiaInstance(config.host_name,
+                                                     config.realm_name)
+        custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
+
+        CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
+                                   dogtag_constants=dogtag.install_constants,
+                                   host_name=config.host_name,
+                                   dm_password=config.dirman_password)
+        CA.configure_replica(config.ca_host_name,
+                             subject_base=config.subject_base,
+                             ca_cert_bundle=ca_data)
+    else:
+        ca.install(True, config, options)
 
 
 def install_master(safe_options, options):
@@ -198,10 +253,20 @@ def main():
     if os.geteuid() != 0:
         sys.exit("\nYou must be root to run this script.\n")
 
-    if filename is not None:
-        install_replica(safe_options, options, filename)
-    else:
-        install_master(safe_options, options)
+    try:
+        if options.replica or filename is not None:
+            install_replica(safe_options, options, filename)
+        else:
+            install_master(safe_options, options)
+
+    finally:
+        # Clean up if we created custom credentials
+        created_ccache_file = getattr(options, 'created_ccache_file', None)
+        if created_ccache_file is not None:
+            try:
+                os.unlink(created_ccache_file)
+            except OSError:
+                pass
 
 fail_message = '''
 Your system may be partly configured.
@@ -210,10 +275,9 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 if __name__ == '__main__':
     try:
-        with ipautil.private_ccache():
-            installutils.run_script(main, log_file_name=log_file_name,
-                                    operation_name='ipa-ca-install',
-                                    fail_message=fail_message)
+        installutils.run_script(main, log_file_name=log_file_name,
+                                operation_name='ipa-ca-install',
+                                fail_message=fail_message)
     finally:
         # always try to remove decrypted replica file
         try:
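Review bot: The `cacert.p12` that `custodia.get_ca_keys()` writes into `config.dir` carries the CA signing key, protected only by the Directory Manager password, and nothing in this hunk removes it once `CA.configure_replica()` has consumed it; its lifetime therefore rests on whatever later deletes `REPLICA_INFO_TOP_DIR`, which is not visible here. If no later step needs the bundle, delete it as soon as the clone is configured, e.g. wrap the call as `try: CA.configure_replica(...)` / `finally: os.unlink(ca_data[0])`, so the key file does not outlive a failed or interrupted install. Packing the password and the path into the `ca_data` tuple and then unpacking it by index for `get_ca_keys()` is also harder to read than two named locals. install_replica() starts outside the hunk.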
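Review bot: Dropping `ipautil.private_ccache()` around `run_script()` means the tool now runs against the invoking user's default credential cache, and the commit relies on `check_creds()` (not visible here) to record any cache it creates in `options.created_ccache_file` so that main()'s `finally` can unlink it. If `check_creds()` ever obtains a ticket without setting that attribute, or fails before `options` is populated, the admin ticket it acquired persists in the caller's cache after the tool exits, which the old private cache prevented by construction. A comment at the call site making this contract explicit, e.g. `# No private ccache: check_creds() may reuse an existing admin ticket; any cache it creates is removed in main()`, would keep the next maintainer from reintroducing the wrapper or dropping the cleanup. The `__main__` block's `finally` continues outside the hunk.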