diff options
| -rwxr-xr-x | install/tools/ipa-ca-install | 12 | ||||
| -rwxr-xr-x | install/tools/ipa-replica-install | 11 | ||||
| -rwxr-xr-x | install/tools/ipa-server-install | 20 | ||||
| -rwxr-xr-x | install/tools/ipactl | 6 | ||||
| -rw-r--r-- | ipapython/platform/fedora16/service.py | 4 | ||||
| -rw-r--r-- | ipaserver/install/cainstance.py | 183 | ||||
| -rw-r--r-- | ipaserver/install/dsinstance.py | 2 | ||||
| -rw-r--r-- | ipaserver/install/installutils.py | 2 |
8 files changed, 22 insertions, 218 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 2046b5fb8..81c118345 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -178,19 +178,15 @@ def main(): cainstance.replica_ca_install_check(config, dogtag_master_ds_port) # Configure the CA if necessary - (CA, cs) = cainstance.install_replica_ca( + CA = cainstance.install_replica_ca( config, dogtag_master_ds_port, postinstall=True) # We need to ldap_enable the CA now that DS is up and running CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) - if not dogtag.install_constants.SHARED_DB: - cs.add_simple_service('dogtagldap/%s@%s' % - (config.host_name, config.realm_name)) - cs.add_cert_to_service() - else: - CA.enable_client_auth_to_db() - CA.restart() + + CA.enable_client_auth_to_db() + CA.restart() # Install CA DNS records install_dns_records(config, options) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 2c28f37ce..b194b85a2 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -653,7 +653,7 @@ def main(): ds = install_replica_ds(config) # Configure the CA if necessary - (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port) + CA = cainstance.install_replica_ca(config, dogtag_master_ds_port) # Always try to install DNS records install_dns_records(config, options) @@ -662,13 +662,8 @@ def main(): if CA and config.setup_ca: CA.ldap_enable('CA', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) - if not dogtag.install_constants.SHARED_DB: - cs.add_simple_service('dogtagldap/%s@%s' % - (config.host_name, config.realm_name)) - cs.add_cert_to_service() - else: - CA.enable_client_auth_to_db() - CA.restart() + CA.enable_client_auth_to_db() + CA.restart() krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 992da90c1..62adbd5bc 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -1009,13 +1009,6 @@ def main(): if setup_ca: - if not dogtag.install_constants.SHARED_DB: - cs = cainstance.CADSInstance( - host_name, realm_name, domain_name, dm_password) - if not cs.is_configured(): - cs.create_instance(realm_name, host_name, domain_name, - dm_password, subject_base=options.subject) - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, dogtag_constants=dogtag.install_constants) if external == 0: @@ -1055,17 +1048,8 @@ def main(): # We need to ldap_enable the CA now that DS is up and running ca.ldap_enable('CA', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) - if not dogtag.install_constants.SHARED_DB: - # Turn on SSL in the dogtag LDAP instance. This will get restarted - # later, we don't need SSL now. - cs.create_certdb() - cs.enable_ssl() - # Add the IPA service for storing the PKI-IPA server certificate. - cs.add_simple_service(cs.principal) - cs.add_cert_to_service() - else: - ca.enable_client_auth_to_db() - ca.restart() + ca.enable_client_auth_to_db() + ca.restart() # Upload the CA cert to the directory ds.upload_ca_cert() diff --git a/install/tools/ipactl b/install/tools/ipactl index 2d699880c..df0d6f57e 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -45,16 +45,14 @@ def check_IPA_configuration(): def is_dirsrv_debugging_enabled(): """ - Check the IPA and PKI-CA 389-ds instances to see if debugging is - enabled. If so we suppress that in our output. + Check the 389-ds instance to see if debugging is enabled. + If so we suppress that in our output. returns True or False """ debugging = False serverid = realm_to_serverid(api.env.realm) dselist = [config_dirname(serverid)] - if not dogtag.install_constants.SHARED_DB: - dselist.append('/etc/dirsrv/slapd-PKI-IPA/') for dse in dselist: try: fd = open(dse + 'dse.ldif', 'r') diff --git a/ipapython/platform/fedora16/service.py b/ipapython/platform/fedora16/service.py index dac8c0049..f8026b9f2 100644 --- a/ipapython/platform/fedora16/service.py +++ b/ipapython/platform/fedora16/service.py @@ -128,10 +128,6 @@ class Fedora16CAService(Fedora16Service): root_logger.debug( 'The httpd proxy is not installed, skipping wait for CA') return - if dogtag.install_constants.DOGTAG_VERSION < 10: - # The server status information isn't available on DT 9 - root_logger.debug('Using Dogtag 9, skipping wait for CA') - return root_logger.debug('Waiting until the CA is running') timeout = api.env.startup_timeout op_timeout = time.time() + timeout diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5669ebecb..d83fd7a1d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -247,6 +247,11 @@ def is_step_one_done(): class CADSInstance(service.Service): + """Certificate Authority DS instance + + The CA DS was used with Dogtag 9. Only upgraded installations still use it. + Thus this class only does uninstallation. + """ def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None): service.Service.__init__(self, "pkids", service_desc="directory server for the CA", @@ -265,153 +270,6 @@ class CADSInstance(service.Service): self.master_host = None self.nickname = 'Server-Cert' self.subject_base = None - if host_name and realm_name: - self.principal = "dogtagldap/%s@%s" % (self.fqdn, self.realm_name) - if realm_name: - self.suffix = ipautil.realm_to_suffix(self.realm_name) - self.__setup_sub_dict() - else: - self.suffix = DN() - - if dogtag_constants is None: - dogtag_constants = dogtag.configured_constants() - self.dogtag_constants = dogtag_constants - - subject_base = ipautil.dn_attribute_property('_subject_base') - - def create_instance(self, realm_name, host_name, domain_name, - dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT, - subject_base=None): - self.ds_port = ds_port - self.realm_name = realm_name.upper() - self.suffix = ipautil.realm_to_suffix(self.realm_name) - self.fqdn = host_name - self.dm_password = dm_password - self.domain = domain_name - self.pkcs12_info = pkcs12_info - self.subject_base = subject_base - self.principal = "dogtagldap/%s@%s" % (self.fqdn, self.realm_name) - self.__setup_sub_dict() - - self.step("creating directory server user", self.__create_ds_user) - self.step("creating directory server instance", self.__create_instance) - self.step("restarting directory server", self.restart_instance) - - self.start_creation(runtime=30) - - def __setup_sub_dict(self): - server_root = dsinstance.find_server_root() - self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, - PASSWORD=self.dm_password, SUFFIX=self.suffix, - REALM=self.realm_name, USER=PKI_DS_USER, - SERVER_ROOT=server_root, DOMAIN=self.domain, - TIME=int(time.time()), DSPORT=self.ds_port, - GROUP=dsinstance.DS_GROUP) - - def __create_ds_user(self): - try: - pwd.getpwnam(PKI_DS_USER) - root_logger.debug("ds user %s exists" % PKI_DS_USER) - except KeyError: - root_logger.debug("adding ds user %s" % PKI_DS_USER) - args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP, - "-c", "PKI DS System User", - "-d", "/var/lib/dirsrv", - "-s", "/sbin/nologin", - "-M", "-r", PKI_DS_USER] - try: - ipautil.run(args) - root_logger.debug("done adding user") - except ipautil.CalledProcessError, e: - root_logger.critical("failed to add user %s" % e) - - def __create_instance(self): - self.backup_state("serverid", self.serverid) - - inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict) - root_logger.debug("writing inf template") - inf_fd = ipautil.write_tmp_file(inf_txt) - inf_txt = re.sub(r"RootDNPwd=.*\n", "", inf_txt) - root_logger.debug(inf_txt) - if ipautil.file_exists("/usr/sbin/setup-ds.pl"): - args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name] - root_logger.debug("calling setup-ds.pl") - else: - args = ["/usr/bin/ds_newinst.pl", inf_fd.name] - root_logger.debug("calling ds_newinst.pl") - try: - ipautil.run(args) - root_logger.debug("completed creating ds instance") - except ipautil.CalledProcessError, e: - root_logger.critical("failed to create ds instance %s" % e) - inf_fd.close() - - def load_pkcs12(self): - dirname = dsinstance.config_dirname(self.serverid) - dsdb = certs.CertDB(self.realm_name, nssdir=dirname) - if self.pkcs12_info: - dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) - server_certs = dsdb.find_server_certs() - if len(server_certs) == 0: - raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0]) - - # We only handle one server cert - self.nickname = server_certs[0][0] - self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) - dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) - - def create_certdb(self): - """ - Create the dogtag 389-ds instance NSS certificate database. This needs - to be done after dogtag is installed and configured. - """ - dirname = dsinstance.config_dirname(self.serverid) - dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base) - cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base) - cadb.export_ca_cert('ipaCert', False) - dsdb.create_from_cacert(cadb.cacert_fname, passwd=None) - self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb) - dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) - dsdb.create_pin_file() - - def enable_ssl(self): - conn = ipaldap.IPAdmin(self.fqdn, port=DEFAULT_DSPORT) - conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password) - - mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), - (ldap.MOD_REPLACE, "nsSSL3Ciphers", - "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\ -+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\ -+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\ -+tls_rsa_export1024_with_des_cbc_sha")] - conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod) - - mod = [(ldap.MOD_ADD, "nsslapd-security", "on"), - (ldap.MOD_ADD, "nsslapd-secureport", str(DEFAULT_DSPORT+1))] - conn.modify_s(DN(('cn', 'config')), mod) - - entry = conn.make_entry( - DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')), - objectclass=["top", "nsEncryptionModule"], - cn=["RSA"], - nsSSLPersonalitySSL=[self.nickname], - nsSSLToken=["internal (software)"], - nsSSLActivation=["on"], - ) - conn.add_entry(entry) - - conn.unbind() - - def restart_instance(self): - try: - ipaservices.knownservices.dirsrv.restart(self.serverid) - if not dsinstance.is_ds_running(self.serverid): - root_logger.critical("Failed to restart the directory server. See the installation log for details.") - sys.exit(1) - except Exception: - # TODO: roll back here? - root_logger.debug(traceback.format_exc()) - root_logger.critical("Failed to restart the directory server. See the installation log for details.") def uninstall(self): if self.is_configured(): @@ -1757,7 +1615,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False): if not ipautil.file_exists(cafile): # Replica of old "self-signed" master - skip installing CA - return (None, None) + return None if not config.setup_ca: # We aren't configuring the CA in this step but we still need @@ -1766,7 +1624,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False): dogtag_constants=dogtag.install_constants) ca.dm_password = config.dirman_password ca.subject_base = config.subject_base - return (ca, None) + return ca ca = CAInstance(config.realm_name, certs.NSS_DIR, dogtag_constants=dogtag.install_constants) @@ -1780,17 +1638,6 @@ def install_replica_ca(config, master_ds_port, postinstall=False): pkcs12_info = (config.dir + "/dogtagcert.p12", config.dir + "/dirsrv_pin.txt") - if not dogtag.install_constants.SHARED_DB: - cs = CADSInstance(dogtag_constants=dogtag.install_constants) - cs.create_instance(config.realm_name, config.host_name, - config.domain_name, config.dirman_password, - pkcs12_info) - cs.load_pkcs12() - cs.enable_ssl() - cs.restart_instance() - else: - cs = None - ca = CAInstance(config.realm_name, certs.NSS_DIR, dogtag_constants=dogtag.install_constants) if postinstall: @@ -1821,16 +1668,11 @@ def install_replica_ca(config, master_ds_port, postinstall=False): service.print_msg("Restarting the directory and certificate servers") ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME) - if not dogtag.install_constants.SHARED_DB: - ds_name = dogtag.install_constants.DS_NAME - ipaservices.knownservices.dirsrv.stop(ds_name) - ipaservices.knownservices.dirsrv.start(ds_name) - else: - ipaservices.knownservices.dirsrv.restart() + ipaservices.knownservices.dirsrv.restart() ca.start(dogtag.install_constants.PKI_INSTANCE_NAME) - return (ca, cs) + return ca def update_cert_config(nickname, cert): """ @@ -1914,12 +1756,7 @@ def update_people_entry(uid, dercert): if __name__ == "__main__": standard_logging_setup("install.log") - if not dogtag.install_constants.SHARED_DB: - cs = CADSInstance() - cs.create_instance( - "EXAMPLE.COM", "catest.example.com", "example.com", "password") - else: - ds = dsinstance.DsInstance() + ds = dsinstance.DsInstance() ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias") ca.configure_instance("catest.example.com", "example.com", "password", "password") diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 046480f0d..f69389968 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -209,7 +209,7 @@ class DsInstance(service.Service): self.step("configuring lockout plugin", self.__config_lockout_module) self.step("creating indices", self.__create_indices) self.step("enabling referential integrity plugin", self.__add_referint_module) - if not dogtag.install_constants.SHARED_DB or enable_ssl: + if enable_ssl: self.step("configuring ssl for ds instance", self.enable_ssl) self.step("configuring certmap.conf", self.__certmap_conf) self.step("configure autobind for root", self.__root_autobind) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index bc28dec43..5ed2689d7 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -46,8 +46,6 @@ from ipaserver.install import certs IPA_MODULES = [ 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached'] -if not dogtag.install_constants.SHARED_DB: - IPA_MODULES.append('pkids') class BadHostError(Exception): |