-rwxr-xr-xinstall/tools/ipa-csreplica-manage10
-rwxr-xr-xinstall/tools/ipa-replica-manage13
-rw-r--r--ipaclient/install/client.py56
-rw-r--r--ipalib/constants.py4
-rw-r--r--ipaserver/install/dsinstance.py5
-rw-r--r--ipaserver/install/ipa_backup.py3
-rw-r--r--ipaserver/install/ipa_replica_prepare.py4
-rw-r--r--ipaserver/install/ipa_server_certinstall.py3
-rw-r--r--ipaserver/install/krbinstance.py3
-rw-r--r--ipaserver/install/replication.py26
-rw-r--r--ipaserver/install/server/install.py11
-rw-r--r--ipaserver/plugins/ldap2.py5
12 files changed, 70 insertions, 73 deletions
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index a4d0a88a6..6a3b8693c 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -25,11 +25,11 @@ from __future__ import print_function
import sys
import os
+from ipaplatform.paths import paths
from ipapython.ipa_log_manager import root_logger
from ipaserver.install import (replication, installutils, bindinstance,
cainstance, certs)
from ipalib import api, errors
-from ipalib.constants import CACERT
from ipalib.util import has_managed_topology
from ipapython import ipautil, ipaldap, version
from ipapython.dn import DN
@@ -93,8 +93,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
try:
# connect to main IPA LDAP server
- ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
- conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+ ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
+ conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
@@ -295,8 +295,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
except Exception as e:
sys.exit(str(e))
try:
- ldap_uri = ipaldap.get_ldap_uri(replica2, 636, cacert=CACERT)
- conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+ ldap_uri = ipaldap.get_ldap_uri(replica2, 636, cacert=paths.IPA_CA_CRT)
+ conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 68d9a92dd..83725bc8f 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -39,7 +39,6 @@ from ipaserver.install import bindinstance, cainstance, certs
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipapython import version, ipaldap
from ipalib import api, errors
-from ipalib.constants import CACERT
from ipalib.util import has_managed_topology, verify_host_resolvable
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipapython.dn import DN
@@ -167,8 +166,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
peers = {}
try:
- ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
- conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+ ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
+ conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
if dirman_passwd:
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
@@ -628,8 +627,8 @@ def clean_dangling_ruvs(realm, host, options):
Cleans all RUVs and CS-RUVs that are left in the system from
uninstalled replicas
"""
- ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
- conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+ ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
+ conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
try:
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_passwd)
@@ -676,8 +675,8 @@ def clean_dangling_ruvs(realm, host, options):
offlines = set()
for master_cn, master_info in info.items():
try:
- ldap_uri = ipaldap.get_ldap_uri(master_cn, 636, cacert=CACERT)
- conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+ ldap_uri = ipaldap.get_ldap_uri(master_cn, 636, cacert=paths.IPA_CA_CRT)
+ conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_passwd)
master_info['online'] = True
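Review bot: The hunk removes `from ipalib.constants import CACERT` but, unlike ipa-csreplica-manage, adds no `from ipaplatform.paths import paths`, and no `paths` import is visible in the hunk context; if `paths` is not already imported above line 39, the new `paths.IPA_CA_CRT` references in list_replicas and clean_dangling_ruvs raise NameError only when those functions run, which a syntax check will not catch. The same applies to dsinstance.py, ipa_server_certinstall.py and replication.py, where the import is likewise outside the visible hunks; in replication.py the new defaults `cacert=paths.IPA_CA_CRT` on setup_winsync_replication and setup_promote_replication are evaluated at class-definition time, so a missing import there fails at module import. Please confirm each of these modules already has `from ipaplatform.paths import paths` before merging. Both functions in this file continue outside their hunks.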
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 0cf97a8a7..b98f35f1e 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -37,7 +37,6 @@ from ipaclient import (
)
from ipaclient.ipachangeconf import IPAChangeConf
from ipalib import api, errors, x509
-from ipalib.constants import CACERT
from ipalib.install import certmonger, certstore, service, sysrestore
from ipalib.install import hostname as hostname_
from ipalib.install.kinit import kinit_keytab, kinit_password
@@ -125,15 +124,15 @@ def get_cert_path(cert_path):
"""
If a CA certificate is passed in on the command line, use that.
- Else if a CA file exists in CACERT then use that.
+ Else if a CA file exists in paths.IPA_CA_CRT then use that.
Otherwise return None.
"""
if cert_path is not None:
return cert_path
- if os.path.exists(CACERT):
- return CACERT
+ if os.path.exists(paths.IPA_CA_CRT):
+ return paths.IPA_CA_CRT
return None
@@ -577,7 +576,7 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server):
'action': 'addifnotset',
'name': 'TLS_CACERT',
'type': 'option',
- 'value': CACERT
+ 'value': paths.IPA_CA_CRT
},
]
@@ -713,7 +712,8 @@ def configure_krb5_conf(
])
kropts.append(krbconf.setOption('default_domain', cli_domain))
- kropts.append(krbconf.setOption('pkinit_anchors', 'FILE: %s' % CACERT))
+ kropts.append(
+ krbconf.setOption('pkinit_anchors', 'FILE: %s' % paths.IPA_CA_CRT))
ropts = [{
'name': cli_realm,
'type': 'subsection',
@@ -935,7 +935,7 @@ def configure_sssd_conf(
# Note that SSSD will force StartTLS because the channel is later used for
# authentication as well if password migration is enabled. Thus set
# the option unconditionally.
- domain.set_option('ldap_tls_cacert', CACERT)
+ domain.set_option('ldap_tls_cacert', paths.IPA_CA_CRT)
if options.dns_updates:
domain.set_option('dyndns_update', True)
@@ -1552,7 +1552,7 @@ def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
def get_ca_certs_from_file(url):
"""
Get the CA cert from a user supplied file and write it into the
- CACERT file.
+ paths.IPA_CA_CRT file.
Raises errors.NoCertificateError if unable to read cert.
Raises errors.FileError if unable to write cert.
@@ -1585,8 +1585,8 @@ def get_ca_certs_from_file(url):
def get_ca_certs_from_http(url, warn=True):
"""
- Use HTTP to retrieve the CA cert and write it into the CACERT file.
- This is insecure and should be avoided.
+ Use HTTP to retrieve the CA cert and write it into the paths.IPA_CA_CRT
+ file. This is insecure and should be avoided.
Raises errors.NoCertificateError if unable to retrieve and write cert.
"""
@@ -1615,7 +1615,7 @@ def get_ca_certs_from_ldap(server, basedn, realm):
"""
Retrieve th CA cert from the LDAP server by binding to the
server with GSSAPI using the current Kerberos credentials.
- Write the retrieved cert into the CACERT file.
+ Write the retrieved cert into the paths.IPA_CA_CRT file.
Raises errors.NoCertificateError if cert is not found.
Raises errors.NetworkError if LDAP connection can't be established.
@@ -1650,7 +1650,7 @@ def validate_new_ca_certs(existing_ca_certs, new_ca_certs, ask,
if existing_ca_certs > new_ca_certs:
root_logger.warning(
"The CA cert available from the IPA server does not match the\n"
- "local certificate available at %s" % CACERT)
+ "local certificate available at %s" % paths.IPA_CA_CRT)
root_logger.warning(
cert_summary("Existing CA cert:", existing_ca_certs))
root_logger.warning(
@@ -1671,7 +1671,7 @@ def get_ca_certs(fstore, options, server, basedn, realm):
Examine the different options and determine a method for obtaining
the CA cert.
- If successful the CA cert will have been written into CACERT.
+ If successful the CA cert will have been written into paths.IPA_CA_CRT.
Raises errors.NoCertificateError if not successful.
@@ -1698,7 +1698,7 @@ def get_ca_certs(fstore, options, server, basedn, realm):
In all cases if HTTP is used emit warning message
"""
- ca_file = CACERT + ".new"
+ ca_file = paths.IPA_CA_CRT + ".new"
def ldap_url():
return urlunparse(('ldap', ipautil.format_netloc(server),
@@ -1729,17 +1729,18 @@ def get_ca_certs(fstore, options, server, basedn, realm):
raise errors.NoCertificateError(entry=url)
root_logger.debug("CA cert provided by user, use it!")
else:
- if os.path.exists(CACERT):
- if os.path.isfile(CACERT):
+ if os.path.exists(paths.IPA_CA_CRT):
+ if os.path.isfile(paths.IPA_CA_CRT):
try:
existing_ca_certs = x509.load_certificate_list_from_file(
- CACERT)
+ paths.IPA_CA_CRT)
except Exception as e:
- raise errors.FileError(reason=u"Unable to load existing" +
- " CA cert '%s': %s" % (CACERT, e))
+ raise errors.FileError(
+ reason=u"Unable to load existing CA cert '%s': %s" %
+ (paths.IPA_CA_CRT, e))
else:
raise errors.FileError(reason=u"Existing ca cert '%s' is " +
- "not a plain file" % (CACERT))
+ "not a plain file" % (paths.IPA_CA_CRT))
if otp_auth:
if existing_ca_certs:
@@ -1828,14 +1829,14 @@ def get_ca_certs(fstore, options, server, basedn, realm):
ca_file, e)
)
- os.rename(ca_file, CACERT)
+ os.rename(ca_file, paths.IPA_CA_CRT)
# Make sure the file permissions are correct
try:
- os.chmod(CACERT, 0o644)
+ os.chmod(paths.IPA_CA_CRT, 0o644)
except Exception as e:
raise errors.FileError(reason=u"Unable set permissions on ca "
- u"cert '%s': %s" % (CACERT, e))
+ u"cert '%s': %s" % (paths.IPA_CA_CRT, e))
# IMPORTANT: First line of FF config file is ignored
FIREFOX_CONFIG_TEMPLATE = """
@@ -2048,9 +2049,10 @@ def install_check(options):
# Check if old certificate exist and show warning
if (
not options.ca_cert_file and
- get_cert_path(options.ca_cert_file) == CACERT
+ get_cert_path(options.ca_cert_file) == paths.IPA_CA_CRT
):
- root_logger.warning("Using existing certificate '%s'.", CACERT)
+ root_logger.warning("Using existing certificate '%s'.",
+ paths.IPA_CA_CRT)
if not check_ip_addresses(options):
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
@@ -2673,7 +2675,7 @@ def _install(options):
pass
# Add CA certs to a temporary NSS database
- ca_certs = x509.load_certificate_list_from_file(CACERT)
+ ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
ca_certs = [
cert.public_bytes(serialization.Encoding.DER)
for cert in ca_certs
@@ -3319,7 +3321,7 @@ def uninstall(options):
tasks.remove_ca_certs_from_systemwide_ca_store()
# Remove the CA cert
- remove_file(CACERT)
+ remove_file(paths.IPA_CA_CRT)
root_logger.info("Client uninstall complete.")
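Review bot: The `else` branch of the existing-cert check in get_ca_certs still has the operator-precedence bug the commit fixed in the `except` branch directly above it: in `raise errors.FileError(reason=u"Existing ca cert '%s' is " + "not a plain file" % (paths.IPA_CA_CRT))` the `%` binds to `"not a plain file"` alone, so when the CA path exists but is not a regular file this raises TypeError (not all arguments converted) instead of the intended FileError. Fold it into a single formatted string: `raise errors.FileError(reason=u"Existing ca cert '%s' is not a plain file" % paths.IPA_CA_CRT)`. The other rewritten message, `u"Unable set permissions on ca " u"cert '%s': %s" % (...)`, is fine because adjacent literals are joined at compile time before `%` applies. get_ca_certs starts and ends outside this hunk.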
diff --git a/ipalib/constants.py b/ipalib/constants.py
index b7a0813cf..80bbdbce0 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -22,7 +22,6 @@
All constants centralised in one file.
"""
import socket
-from ipaplatform.paths import paths
from ipapython.dn import DN
from ipapython.version import VERSION, API_VERSION
@@ -34,9 +33,6 @@ except Exception:
except Exception:
FQDN = None
-# Path to CA certificate bundle
-CACERT = paths.IPA_CA_CRT
-
# regular expression NameSpace member names must match:
NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
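Review bot: Removing `CACERT` deletes a public module-level name from ipalib.constants with no deprecation alias, so any out-of-tree plugin or script that does `from ipalib.constants import CACERT` now fails at import time. If the goal is to drop the ipaplatform import from ipalib.constants (the hunk removes it together with the constant), that is a defensible trade-off, but it should be stated in the commit message or release notes; otherwise keeping `CACERT = paths.IPA_CA_CRT` for one release with a `# deprecated: use ipaplatform.paths.paths.IPA_CA_CRT` comment would give callers a migration window, at the cost of retaining that import.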
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index af018a067..1be5ac73c 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -47,7 +47,6 @@ from ipalib import errors
from ipalib import constants
from ipaplatform.constants import constants as platformconstants
from ipaplatform.tasks import tasks
-from ipalib.constants import CACERT
from ipapython.dn import DN
from ipapython.admintool import ScriptError
from ipaplatform import services
@@ -963,8 +962,8 @@ class DsInstance(service.Service):
"-y", dmpwdfile, "-T", admpwdfile,
str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
try:
- env = { 'LDAPTLS_CACERTDIR':os.path.dirname(CACERT),
- 'LDAPTLS_CACERT':CACERT }
+ env = {'LDAPTLS_CACERTDIR': os.path.dirname(paths.IPA_CA_CRT),
+ 'LDAPTLS_CACERT': paths.IPA_CA_CRT}
ipautil.run(args, env=env)
root_logger.debug("ldappasswd done")
except ipautil.CalledProcessError as e:
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 6fc18706b..a4261f5fb 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -38,7 +38,6 @@ from ipaserver.install.replication import wait_for_task
from ipaserver.install import installutils
from ipaserver.session import ISO8601_DATETIME_FMT
from ipapython import ipaldap
-from ipalib.constants import CACERT
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
@@ -149,7 +148,7 @@ class Backup(admintool.AdminTool):
paths.SSHD_CONFIG,
paths.SSH_CONFIG,
paths.KRB5_CONF,
- CACERT,
+ paths.IPA_CA_CRT,
paths.IPA_DEFAULT_CONF,
paths.DS_KEYTAB,
paths.NTP_CONF,
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 04328acbb..e7070b636 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -45,7 +45,7 @@ from ipapython import version
from ipalib import api
from ipalib import errors
from ipaplatform.paths import paths
-from ipalib.constants import CACERT, DOMAIN_LEVEL_0
+from ipalib.constants import DOMAIN_LEVEL_0
UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
Replica creation using '{command_name}' to generate replica file
@@ -201,7 +201,7 @@ class ReplicaPrepare(admintool.AdminTool):
cert_files=cert_files,
key_password=key_password,
key_nickname=key_nickname,
- ca_cert_files=[CACERT],
+ ca_cert_files=[paths.IPA_CA_CRT],
host_name=self.replica_fqdn)
def ask_for_options(self):
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 9cb7ed1d6..8ef25ee7b 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -29,7 +29,6 @@ from ipapython import admintool, ipautil
from ipapython.certdb import get_ca_nickname, NSSDatabase
from ipapython.dn import DN
from ipalib import api, errors
-from ipalib.constants import CACERT
from ipaserver.install import certs, dsinstance, installutils
@@ -191,7 +190,7 @@ class ServerCertInstall(admintool.AdminTool):
cert_files=self.args,
key_password=pkcs12_passwd,
key_nickname=self.options.cert_name,
- ca_cert_files=[CACERT],
+ ca_cert_files=[paths.IPA_CA_CRT],
host_name=api.env.host)
dirname = os.path.normpath(dirname)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index fc764b425..8de92f764 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -32,7 +32,6 @@ from ipaserver.install import installutils
from ipapython import ipautil
from ipapython import kernel_keyring
from ipalib import api
-from ipalib.constants import CACERT
from ipapython.ipa_log_manager import root_logger
from ipapython.dn import DN
@@ -352,7 +351,7 @@ class KrbInstance(service.Service):
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
- shutil.copyfile(CACERT, paths.CACERT_PEM)
+ shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
def __add_anonymous_pkinit_principal(self):
princ = "WELLKNOWN/ANONYMOUS"
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index ba35c49ad..430a0468a 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -30,7 +30,6 @@ import ldap
from ipalib import api, errors
from ipalib.cli import textui
-from ipalib.constants import CACERT
from ipapython.ipa_log_manager import root_logger
from ipapython import ipautil, ipaldap, kerberos
from ipapython.admintool import ScriptError
@@ -216,8 +215,8 @@ class ReplicationManager(object):
# otherwise we'll do a GSSAPI bind.
protocol = 'ldap' if starttls else None
ldap_uri = ipaldap.get_ldap_uri(
- hostname, port, protocol=protocol, cacert=CACERT)
- self.conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT,
+ hostname, port, protocol=protocol, cacert=paths.IPA_CA_CRT)
+ self.conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT,
start_tls=starttls)
if dirman_passwd:
self.conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
@@ -1001,9 +1000,12 @@ class ReplicationManager(object):
local_port = r_port
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
- ldap_uri = ipaldap.get_ldap_uri(r_hostname, r_port, cacert=CACERT,
+ ldap_uri = ipaldap.get_ldap_uri(r_hostname, r_port,
+ cacert=paths.IPA_CA_CRT,
protocol='ldap')
- r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT, start_tls=True)
+ r_conn = ipaldap.LDAPClient(ldap_uri,
+ cacert=paths.IPA_CA_CRT,
+ start_tls=True)
if r_bindpw:
r_conn.simple_bind(r_binddn, r_bindpw)
@@ -1045,7 +1047,7 @@ class ReplicationManager(object):
def setup_winsync_replication(self,
ad_dc_name, ad_binddn, ad_pwd,
passsync_pw, ad_subtree,
- cacert=CACERT):
+ cacert=paths.IPA_CA_CRT):
self.ad_suffix = ""
try:
# Validate AD connection
@@ -1110,8 +1112,9 @@ class ReplicationManager(object):
raise RuntimeError("Failed to start replication")
def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw):
- ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT)
- r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+ ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT,
+ cacert=paths.IPA_CA_CRT)
+ r_conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
if r_bindpw:
r_conn.simple_bind(r_binddn, r_bindpw)
else:
@@ -1141,8 +1144,9 @@ class ReplicationManager(object):
"""
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
- ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT)
- r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+ ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT,
+ cacert=paths.IPA_CA_CRT)
+ r_conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
if r_bindpw:
r_conn.simple_bind(r_binddn, r_bindpw)
else:
@@ -1614,7 +1618,7 @@ class ReplicationManager(object):
conn.update_entry(entry)
def setup_promote_replication(self, r_hostname, r_binddn=None,
- r_bindpw=None, cacert=CACERT):
+ r_bindpw=None, cacert=paths.IPA_CA_CRT):
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
ldap_uri = ipaldap.get_ldap_uri(r_hostname)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index decbeab19..d015c8e52 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -25,7 +25,6 @@ from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
from ipalib import api, constants, errors, x509
-from ipalib.constants import CACERT
from ipalib.util import (
validate_domain_name,
network_ip_address_warning,
@@ -782,11 +781,11 @@ def install(installer):
# Now put the CA cert where other instances exepct it
ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
- ca_instance.publish_ca_cert(CACERT)
+ ca_instance.publish_ca_cert(paths.IPA_CA_CRT)
else:
# Put the CA cert where other instances expect it
- x509.write_certificate(http_ca_cert, CACERT)
- os.chmod(CACERT, 0o444)
+ x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
+ os.chmod(paths.IPA_CA_CRT, 0o444)
# we now need to enable ssl on the ds
ds.enable_ssl()
@@ -844,8 +843,8 @@ def install(installer):
# Export full CA chain
ca_db = certs.CertDB(realm_name)
- os.chmod(CACERT, 0o644)
- ca_db.publish_ca_cert(CACERT)
+ os.chmod(paths.IPA_CA_CRT, 0o644)
+ ca_db.publish_ca_cert(paths.IPA_CA_CRT)
set_subject_in_config(realm_name, dm_password,
ipautil.realm_to_suffix(realm_name), options.subject)
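Review bot: The two hunks in install() apply different modes to the same file, `os.chmod(paths.IPA_CA_CRT, 0o444)` in the non-CA branch and `os.chmod(paths.IPA_CA_CRT, 0o644)` before `ca_db.publish_ca_cert`, and the mechanical constant swap carries that discrepancy over unexplained. If 0o444 is deliberate for the externally supplied certificate, a comment such as `# externally supplied CA cert: read-only; the CA-backed path below uses 0o644 — confirm` at that chmod would spare the next reader a diff of the two branches; if it is not, the two modes should agree. install() starts and ends outside these hunks.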
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 82b2dba0e..a04be38e3 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -31,7 +31,8 @@ import os
import ldap as _ldap
-from ipalib import krb_utils, constants
+from ipalib import krb_utils
+from ipaplatform.paths import paths
from ipapython.dn import DN
from ipapython.ipaldap import (LDAPClient, AUTOBIND_AUTO, AUTOBIND_ENABLED,
AUTOBIND_DISABLED)
@@ -154,7 +155,7 @@ class ldap2(CrudBackend, LDAPClient):
assert isinstance(bind_dn, DN)
if cacert is None:
- cacert = constants.CACERT
+ cacert = paths.IPA_CA_CRT
if time_limit is not _missing:
self.time_limit = time_limit