Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/custodiainstance.py | 51 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 8 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 8 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 9 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 6 | ||||
-rw-r--r-- | ipaserver/install/service.py | 1 |
6 files changed, 80 insertions, 3 deletions
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
new file mode 100644
index 000000000..c21b4537d
--- /dev/null
+++ b/ipaserver/install/custodiainstance.py
@@ -0,0 +1,51 @@
+# Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
+
+from ipapython.secrets.kem import IPAKEMKeys
+from ipaplatform.paths import paths
+from service import SimpleServiceInstance
+from ipapython import ipautil
+from ipaserver.install import installutils
+import os
+
+
+class CustodiaInstance(SimpleServiceInstance):
+ def __init__(self):
+ super(CustodiaInstance, self).__init__("ipa-custodia")
+ self.config_file = paths.IPA_CUSTODIA_CONF
+ self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
+ 'server.keys')
+
+ def __config_file(self):
+ template_file = os.path.basename(self.config_file) + '.template'
+ template = os.path.join(ipautil.SHARE_DIR, template_file)
+ sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
+ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+ IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
+ LDAP_URI=installutils.realm_to_ldapi_uri(self.realm))
+ conf = ipautil.template_file(template, sub_dict)
+ fd = open(self.config_file, "w+")
+ fd.write(conf)
+ fd.flush()
+ fd.close()
+
+ def create_instance(self, *args, **kwargs):
+ self.step("Generating ipa-custodia config file", self.__config_file)
+ self.step("Generating ipa-custodia keys", self.__gen_keys)
+ super(CustodiaInstance, self).create_instance(*args, **kwargs)
+
+ def __gen_keys(self):
+ KeyStore = IPAKEMKeys({'server_keys': self.server_keys})
+ KeyStore.generate_server_keys()
+
+ def upgrade_instance(self, realm):
+ self.realm = realm
+ if not os.path.exists(self.config_file):
+ self.__config_file()
+ if not os.path.exists(self.server_keys):
+ self.__gen_keys()
+
+ def __start(self):
+ super(CustodiaInstance, self).__start()
+
+ def __enable(self):
+ super(CustodiaInstance, self).__enable()
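Review bot: The `__start` and `__enable` overrides at the bottom of the class are broken by name mangling: inside `CustodiaInstance` they compile to `_CustodiaInstance__start` / `_CustodiaInstance__enable`, `super()` has no attribute of that name, so they would raise AttributeError if anything ever invoked them; since they only forward to the parent, drop both methods. In `__config_file` the configuration is written through a bare `open(self.config_file, "w+")` with a manual close, so a failing `write` leaks the handle and the file takes whatever mode the umask yields; prefer `with open(self.config_file, "w") as fd:` / `fd.write(conf)`. The Custodia private KEM key material is written to `server.keys` by `IPAKEMKeys.generate_server_keys()`, whose file mode and ownership are not visible in this diff — worth confirming it is created non-world-readable and owned by the account ipa-custodia runs as, and stating that in a comment on `__gen_keys`. `from service import SimpleServiceInstance` is an implicit relative import that Python 3 does not resolve and the other files in this series avoid; make it `from ipaserver.install.service import SimpleServiceInstance`.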
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ad79f8896..acf309e78 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -36,6 +36,7 @@ from contextlib import contextmanager
 from dns import resolver, rdatatype
 from dns.exception import DNSException
 import ldap
+import ldapurl
 from nss.error import NSPRError
 import six
@@ -1097,6 +1098,13 @@ def check_version():
 def realm_to_serverid(realm_name):
 return "-".join(realm_name.split("."))
 
+
+def realm_to_ldapi_uri(realm_name):
+ serverid = realm_to_serverid(realm_name)
+ socketname = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % (serverid,)
+ return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
+
+
 def enable_and_start_oddjobd(sstore):
 oddjobd = services.service('oddjobd')
 sstore.backup_state('oddjobd', 'running', oddjobd.is_running())
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 72f6e4d8d..e936b6798 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -33,7 +33,7 @@ import ipaclient.ntpconf
 from ipaserver.install import (
 bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
 installutils, kra, krbinstance, memcacheinstance, ntpinstance,
- otpdinstance, replication, service, sysupgrade)
+ otpdinstance, custodiainstance, replication, service, sysupgrade)
 from ipaserver.install.installutils import (
 IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
 is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
@@ -814,6 +814,11 @@ def install(installer):
 otpd.create_instance('OTPD', host_name, dm_password,
 ipautil.realm_to_suffix(realm_name))
 
+ custodia = custodiainstance.CustodiaInstance()
+ custodia.create_instance('KEYS', host_name, dm_password,
+ ipautil.realm_to_suffix(realm_name),
+ realm_name)
+
 # Create a HTTP instance
 http = httpinstance.HTTPInstance(fstore)
 if options.http_cert_files:
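Review bot: `realm_to_ldapi_uri` has no docstring, and since its output lands verbatim in the ipa-custodia configuration as `LDAP_URI` a reader should not have to reverse-engineer why the socket path is passed through `ldapurl.ldapUrlEscape` (an `ldapi://` authority carries a filesystem path, so its slashes must be percent-encoded to survive URI parsing). I would add `"""Return the ldapi:// URI of the 389-ds instance serving ``realm_name``; the socket path derived via ``realm_to_serverid`` is percent-escaped so it parses as a URI authority."""`. The function does no validation of `realm_name` itself, which is fine only because every caller in this series passes the already-validated realm — worth saying so in the docstring so the helper is not later fed user input.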
@@ -1078,6 +1083,7 @@ def uninstall(installer):
 dsinstance.DsInstance(fstore=fstore).uninstall()
 if _server_trust_ad_installed:
 adtrustinstance.ADTRUSTInstance(fstore).uninstall()
+ custodiainstance.CustodiaInstance().uninstall()
 memcacheinstance.MemcacheInstance().uninstall()
 otpdinstance.OtpdInstance().uninstall()
 tasks.restore_network_configuration(fstore, sstore)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 3087091e4..c0b0761eb 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -28,7 +28,7 @@ import ipaclient.ntpconf
 from ipaserver.install import (
 bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
 installutils, kra, krbinstance, memcacheinstance, ntpinstance,
- otpdinstance, service)
+ otpdinstance, custodiainstance, service)
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.replication import (
 ReplicationManager, replica_conn_check)
@@ -596,6 +596,13 @@ def install(installer):
 CA.import_ra_cert(config.dir + "/ra.p12")
 CA.fix_ra_perms()
 
+ # FIXME: must be done earlier in replica to fetch keys for CA/ldap server
+ # before they are configured
+ custodia = custodiainstance.CustodiaInstance()
+ custodia.create_instance('KEYS', config.host_name,
+ config.dirman_password,
+ ipautil.realm_to_suffix(config.realm_name))
+
 # The DS instance is created before the keytab, add the SSL cert we
 # generated
 ds.add_cert_to_service()
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 4df621947..42c9cf0f5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
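Review bot: `custodiainstance.CustodiaInstance().uninstall()` is the inherited generic uninstall, and nothing in this series shows it removing the two files `create_instance` lays down — `paths.IPA_CUSTODIA_CONF` and the `server.keys` KEM private key under `paths.IPA_CUSTODIA_CONF_DIR`. If `SimpleServiceInstance.uninstall` (outside this diff) only stops and disables the unit and drops the cn=masters entry, the Custodia private key survives `ipa-server-install --uninstall`, which is exactly the artifact a key-distribution service must not leave behind. I would give `CustodiaInstance` an `uninstall` override that calls `super(CustodiaInstance, self).uninstall()` and then removes both paths, e.g. `for path in (self.server_keys, self.config_file):` / `    if os.path.exists(path):` / `        os.remove(path)`. `uninstall` in install.py continues outside this hunk.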
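Review bot: This call passes four positional arguments, while the matching call in install.py passes `realm_name` as a fifth; `CustodiaInstance.create_instance` forwards `*args` unchanged to `SimpleServiceInstance.create_instance` (outside this diff), and `__config_file` reads `self.realm` to build `LDAP_URI`, so unless the parent derives the realm from somewhere else the replica renders its Custodia config with an unset or stale realm. Make the two call sites agree: `ipautil.realm_to_suffix(config.realm_name),` / `config.realm_name)`. The FIXME is a security ordering problem rather than a cosmetic one — until Custodia is set up before the CA and DS steps, the replica cannot obtain shared key material through it and whatever pre-existing transport is used instead stays in play — so it deserves a tracking ticket reference in the comment. `install` in replicainstall.py continues outside this hunk.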
@@ -36,6 +36,7 @@ from ipaserver.install import cainstance
 from ipaserver.install import certs
 from ipaserver.install import otpdinstance
 from ipaserver.install import schemaupdate
+from ipaserver.install import custodiainstance
 from ipaserver.install import sysupgrade
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
@@ -1465,7 +1466,7 @@ def upgrade_configuration():
 service.ldapi = True
 try:
 if not service.is_configured():
- # 389-ds needs to be running to create the memcache instance
+ # 389-ds needs to be running to create the instances
 # because we record the new service in cn=masters.
 ds.start()
 service.create_instance(ldap_name, fqdn, None,
@@ -1514,6 +1515,9 @@ def upgrade_configuration():
 except ipautil.CalledProcessError as e:
 root_logger.error("Failed to restart %s: %s", bind.service_name, e)
 
+ custodia = custodiainstance.CustodiaInstance()
+ custodia.upgrade_instance(api.env.realm)
+
 ca_restart = any([
 ca_restart,
 ca_upgrade_schema(ca),
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index ac65f7b09..b2d111cdf 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -40,6 +40,7 @@ SERVICE_LIST = {
 'DNS': ('named', 30),
 'MEMCACHE': ('ipa_memcached', 39),
 'HTTP': ('httpd', 40),
+ 'KEYS': ('ipa-custodia', 41),
 'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
 'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
 'ADTRUST': ('smb', 60), |
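Review bot: `custodia.upgrade_instance(api.env.realm)` only renders the config and generates `server.keys` when they are missing (see the new `upgrade_instance` in custodiainstance.py); it neither enables and starts `ipa-custodia` nor records a `KEYS` entry in cn=masters the way the `service.create_instance(...)` loop in the previous hunk does for other services. Unless that loop's service list (outside the hunk) already includes `KEYS`, a master upgraded from a pre-Custodia release ends up with private key material on disk but no running service and no master entry for replicas to locate. I would either add `KEYS` to that loop or make `upgrade_instance` go through the same configure/enable/start path, and add a comment on these lines saying which one is responsible for the service registration. `upgrade_configuration` begins and ends outside this hunk.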