On Fri, 10 Dec 2010 14:03:08 +0100
Jakub Hrozek <jhro...@redhat.com> wrote:

> Two comments:
> If I understand it correctly, only HTTP instance should now use the
> cert in /usr/share/ipa/html/ca.crt, perhaps the CACERT variable in
> ipaserver/install/dsinstance.py should be changed to point to
> /etc/ipa/ca.crt, too.

Fixed

> The conn.connect() call in ipa-replica-install could pass
> tls_cacertfile=CACERT since we already called install_ca_cert().

As well

> My installation testing with this patch went OK.

New patch attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 6f1958b74b20c7a412527526925dd0a304c80d3e Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Tue, 7 Dec 2010 18:23:05 -0500
Subject: [PATCH 1/2] Split dsinstance configuration

This is so that master and replica creation can perform different operations as
they need slightly different settings to be applied.
---
 install/tools/ipa-replica-install |   59 ++++++++-----------
 ipaserver/install/dsinstance.py   |  112 ++++++++++++++++++++++++++----------
 ipaserver/install/replication.py  |    3 +-
 3 files changed, 107 insertions(+), 67 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 65107f027fddcf888a51d7270cc48ce7bcdd8a10..c539e751766bb68e35f8a6978217c227ec38fa27 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -26,14 +26,14 @@ from ConfigParser import SafeConfigParser
 
 from ipapython import ipautil
 
-from ipaserver.install import dsinstance, replication, installutils, krbinstance, service
+from ipaserver.install import dsinstance, installutils, krbinstance, service
 from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
 from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 
-CACERT="/usr/share/ipa/html/ca.crt"
+CACERT="/etc/ipa/ca.crt"
 
 class HostnameLocalhost(Exception):
     pass
@@ -163,7 +163,7 @@ def install_ca(config):
 
     return ca
 
-def install_ds(config):
+def install_replica_ds(config):
     dsinstance.check_existing_installation()
     dsinstance.check_ports()
 
@@ -176,13 +176,10 @@ def install_ds(config):
                        config.dir + "/dirsrv_pin.txt")
 
     ds = dsinstance.DsInstance()
-    # idstart and idmax are configured so that the range is seen as depleted
-    # by the DNA plugin and the replica will go and get a new range from the
-    # master.
-    # This way all servers use the initially defined range by default.
-    ds.create_instance(config.ds_user, config.realm_name, config.host_name,
-                       config.domain_name, config.dirman_password,
-                       pkcs12_info, idstart=1101, idmax=1100)
+    ds.create_replica(config.ds_user, config.realm_name,
+                      config.master_host_name, config.host_name,
+                      config.domain_name, config.dirman_password,
+                      pkcs12_info)
 
     return ds
 
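Review bot: `ds.create_replica` takes master_fqdn and fqdn as adjacent positional parameters of the same type, so swapping them in this call would not be caught until replication fails against the wrong host; passing them by keyword documents the order and guards against it: `ds.create_replica(config.ds_user, config.realm_name, master_fqdn=config.master_host_name, fqdn=config.host_name, domain_name=config.domain_name, dm_password=config.dirman_password, pkcs12_info=pkcs12_info)`. The enclosing install_replica_ds starts before this hunk.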
@@ -203,13 +200,16 @@ def install_krb(config, setup_pkinit=False):
                        setup_pkinit, pkcs12_info)
 
 def install_ca_cert(config):
-    if ipautil.file_exists(config.dir + "/ca.crt"):
-        try:
-            shutil.copy(config.dir + "/ca.crt", CACERT)
-            os.chmod(CACERT, 0444)
-        except Exception, e:
-            print "error copying files: " + str(e)
-            sys.exit(1)
+    cafile = config.dir + "/ca.crt"
+    if not ipautil.file_exists(cafile):
+        raise RuntimeError("Ca cert file is not available")
+
+    try:
+        shutil.copy(cafile, CACERT)
+        os.chmod(CACERT, 0444)
+    except Exception, e:
+        print "error copying files: " + str(e)
+        sys.exit(1)
 
 def install_http(config):
     # if we have a pkcs12 file, create the cert db from
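Review bot: The two failure paths in install_ca_cert are now inconsistent: a missing replica-info ca.crt raises RuntimeError, while a failed copy or chmod prints a message and calls sys.exit(1); unless main() catches RuntimeError (not visible here) the first surfaces as a traceback. Raising the missing-file case to a hard error is the right call for a replica, which cannot verify the master without it, but the message should name the path the operator has to provide: `raise RuntimeError("CA cert file %s is not available" % cafile)`. For symmetry the copy failure could raise the same way, `raise RuntimeError("error copying %s to %s: %s" % (cafile, CACERT, e))`, instead of printing and exiting.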
@@ -354,13 +354,16 @@ def main():
     if options.setup_pkinit:
         check_pkinit()
 
+    # Install CA cert so that we can do SSL connections with ldap
+    install_ca_cert(config)
+
     # Try out the password
-    ldapuri = 'ldap://%s' % config.master_host_name
+    ldapuri = 'ldaps://%s' % config.master_host_name
     try:
         conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
-        conn.connect(
-            bind_dn='cn=directory manager', bind_pw=config.dirman_password
-        )
+        conn.connect(bind_dn='cn=directory manager',
+                     bind_pw=config.dirman_password,
+                     tls_cacertfile=CACERT)
         try:
             entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], u'%s,%s' % (api.env.container_host, api.env.basedn))
             print "The host %s already exists.\n" % host
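Review bot: Switching the bootstrap connection to ldaps:// with tls_cacertfile=CACERT only protects the Directory Manager password if ldap2.connect actually requires certificate verification (the equivalent of TLS_REQCERT demand) and checks the presented certificate against config.master_host_name; neither is visible in this hunk, so it is worth confirming rather than assuming, since a replica that accepts any certificate sends the DM password to whoever answers on the master's ldaps port. The move also puts install_ca_cert, which writes /etc/ipa/ca.crt, ahead of the password check, so a mistyped password now appears to exit with the CA file already installed on an otherwise untouched host; a comment stating that this is accepted, or removing the file on that exit path, would make the intent explicit. The except handler that reports the connection failure is outside this hunk.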
@@ -377,9 +380,6 @@ def main():
     except errors.LDAPError:
         sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
 
-    # Install CA cert so that we can do SSL connections with ldap
-    install_ca_cert(config)
-
     # Configure ntpd
     if options.conf_ntp:
         ntp = ntpinstance.NTPInstance()
@@ -389,16 +389,7 @@ def main():
     CA = install_ca(config)
 
     # Configure dirsrv
-    ds = install_ds(config)
-
-    try:
-        repl = replication.ReplicationManager(config.host_name, config.dirman_password)
-        ret = repl.setup_replication(config.master_host_name, config.realm_name)
-    except Exception, e:
-        logging.debug("Connection error: %s" % e)
-        raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name)
-    if ret != 0:
-        raise RuntimeError("Failed to start replication")
+    ds = install_replica_ds(config)
 
     install_krb(config, setup_pkinit=options.setup_pkinit)
     install_http(config)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index d4f0683c07432a45ca480355173c2b37682f0a23..03066984e0a0277bca9378cabdfb2fc229a355f3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -40,12 +40,13 @@ from ldap.dn import escape_dn_chars
 from ipaserver import ipaldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import httpinstance
+from ipaserver.install import replication
 from ipalib import util, errors
 from ipaserver.plugins.ldap2 import ldap2
 
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
-CACERT="/usr/share/ipa/html/ca.crt"
+CACERT="/erc/ipa/ca.crt"
 
 def find_server_root():
     if ipautil.dir_exists(SERVER_ROOT_64):
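Review bot: `CACERT="/erc/ipa/ca.crt"` on the new side is a typo for /etc/ipa/ca.crt; the other two files in this patch use `/etc/ipa/ca.crt`, so any TLS connection that dsinstance makes with this constant will look for a CA file that does not exist. Change it to `CACERT="/etc/ipa/ca.crt"`. The same literal now appears in three modules, which is how a slip like this goes unnoticed; since this hunk already adds `from ipaserver.install import replication` (and the patch drops the reverse import from replication.py), dsinstance could take the constant from replication instead of redefining it.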
@@ -188,24 +189,7 @@ class DsInstance(service.Service):
         self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 
 
-    def create_instance(self, ds_user, realm_name, fqdn, domain_name,
-                        dm_password, pkcs12_info=None, self_signed_ca=False,
-                        idstart=1100, idmax=999999, subject_base=None,
-                        hbac_allow=True):
-        self.ds_user = ds_user
-        self.realm_name = realm_name.upper()
-        self.serverid = realm_to_serverid(self.realm_name)
-        self.suffix = util.realm_to_suffix(self.realm_name)
-        self.fqdn = fqdn
-        self.dm_password = dm_password
-        self.domain = domain_name
-        self.pkcs12_info = pkcs12_info
-        self.self_signed_ca = self_signed_ca
-        self.idstart = idstart
-        self.idmax = idmax
-        self.principal = "ldap/%...@%s" % (self.fqdn, self.realm_name)
-        self.subject_base = subject_base
-        self.__setup_sub_dict()
+    def __common_setup(self):
 
         self.step("creating directory server user", self.__create_ds_user)
         self.step("creating directory server instance", self.__create_instance)
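Review bot: The new private method `__common_setup` has no docstring and opens with a blank line, and because it only queues steps its role is not obvious from the signature; a one-line docstring such as `"""Queue the directory-server setup steps shared by master and replica creation."""` would tell the next reader that role-specific steps are added by the caller afterwards. The method body continues past the end of this hunk.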
@@ -225,24 +209,90 @@ class DsInstance(service.Service):
         self.step("configuring certmap.conf", self.__certmap_conf)
         self.step("restarting directory server", self.__restart_instance)
         self.step("configuring user private groups", self.__user_private_groups)
-        self.step("adding default layout", self.__add_default_layout)
-        self.step("adding delegation layout", self.__add_delegation_layout)
-        self.step("configuring Posix uid/gid generation as first master",
-                  self.__config_uidgid_gen_first_master)
-        self.step("adding master entry as first master",
-                  self.__add_master_entry_first_master)
-        self.step("initializing group membership",
-                  self.init_memberof)
-        if hbac_allow:
-            self.step("creating default HBAC rule allow_all", self.add_hbac)
+
+    def __common_post_setup(self):
+        self.step("initializing group membership", self.init_memberof)
+        self.step("adding master entry", self.__add_master_entry)
+        self.step("configuring Posix uid/gid generation",
+                  self.__config_uidgid_gen)
         self.step("enabling compatibility plugin",
                   self.__enable_compat_plugin)
         self.step("tuning directory server", self.__tuning)
 
         self.step("configuring directory to start on boot", self.__enable)
 
+    def create_instance(self, ds_user, realm_name, fqdn, domain_name,
+                        dm_password, pkcs12_info=None, self_signed_ca=False,
+                        idstart=1100, idmax=999999, subject_base=None,
+                        hbac_allow=True):
+        self.ds_user = ds_user
+        self.realm_name = realm_name.upper()
+        self.serverid = realm_to_serverid(self.realm_name)
+        self.suffix = util.realm_to_suffix(self.realm_name)
+        self.fqdn = fqdn
+        self.dm_password = dm_password
+        self.domain = domain_name
+        self.pkcs12_info = pkcs12_info
+        self.self_signed_ca = self_signed_ca
+        self.idstart = idstart
+        self.idmax = idmax
+        self.principal = "ldap/%...@%s" % (self.fqdn, self.realm_name)
+        self.subject_base = subject_base
+
+        self.__setup_sub_dict()
+        self.__common_setup()
+
+        self.step("adding default layout", self.__add_default_layout)
+        self.step("adding delegation layout", self.__add_delegation_layout)
+        if hbac_allow:
+            self.step("creating default HBAC rule allow_all", self.add_hbac)
+
+        self.__common_post_setup()
+
         self.start_creation("Configuring directory server", 60)
 
+    def create_replica(self, ds_user, realm_name, master_fqdn, fqdn,
+                       domain_name, dm_password, pkcs12_info=None):
+        self.ds_user = ds_user
+        self.realm_name = realm_name.upper()
+        self.serverid = realm_to_serverid(self.realm_name)
+        self.suffix = util.realm_to_suffix(self.realm_name)
+        self.master_fqdn = master_fqdn
+        self.fqdn = fqdn
+        self.dm_password = dm_password
+        self.domain = domain_name
+        self.pkcs12_info = pkcs12_info
+        self.principal = "ldap/%...@%s" % (self.fqdn, self.realm_name)
+
+        self.self_signed_ca = False
+        self.subject_base = None
+        # idstart and idmax are configured so that the range is seen as
+        # depleted by the DNA plugin and the replica will go and get a
+        # new range from the master.
+        # This way all servers use the initially defined range by default.
+        self.idstart = 1101
+        self.idmax = 1100
+
+        self.__setup_sub_dict()
+        self.__common_setup()
+
+        self.step("Setting up initial replication", self.__setup_replica)
+
+        self.__common_post_setup()
+
+        self.start_creation("Configuring directory server", 60)
+
+
+    def __setup_replica(self):
+        try:
+            repl = replication.ReplicationManager(self.fqdn, self.dm_password)
+            ret = repl.setup_replication(self.master_fqdn, self.realm_name)
+        except Exception, e:
+            logging.debug("Connection error: %s" % e)
+            raise RuntimeError("Unable to connect to LDAP server %s." % self.fqdn)
+        if ret != 0:
+            raise RuntimeError("Failed to start replication")
+
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
         self.chkconfig_on()
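Review bot: In `__setup_replica` every exception from ReplicationManager or setup_replication is reported as `Unable to connect to LDAP server %s.` naming the local self.fqdn, with the real cause only at debug level, so a TLS or credential failure against self.master_fqdn (the host the replica is actually bootstrapping from) is indistinguishable from a local service problem. Suggest logging the cause at error level and naming both ends: `logging.error("Replication setup between %s and %s failed: %s" % (self.fqdn, self.master_fqdn, e))` followed by `raise RuntimeError("Unable to set up replication with %s: %s" % (self.master_fqdn, e))`. Separately, create_instance and create_replica repeat the same block of attribute assignments (ds_user through principal); a small private helper would keep the two from drifting.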
@@ -378,12 +428,12 @@ class DsInstance(service.Service):
     def __set_unique_attrs(self):
         self._ldap_mod("unique-attributes.ldif", self.sub_dict)
 
-    def __config_uidgid_gen_first_master(self):
+    def __config_uidgid_gen(self):
         if not has_managed_entries(self.fqdn, self.dm_password):
             raise errors.NotFound(reason='Missing Managed Entries Plugin')
         self._ldap_mod("dna.ldif", self.sub_dict)
 
-    def __add_master_entry_first_master(self):
+    def __add_master_entry(self):
         self._ldap_mod("master-entry.ldif", self.sub_dict)
 
     def __add_winsync_module(self):
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 340a82ef33f471b92d780d258d09d6a634c9ad25..ed1badc1e17e331a20798d2e9980e71f55c5496a 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -20,14 +20,13 @@
 import time, logging
 
 import ldap
-from ipaserver.install import dsinstance
 from ipaserver import ipaldap
 from ldap import modlist
 from ipalib import util
 from ipalib import errors
 
 DIRMAN_CN = "cn=directory manager"
-CACERT = "/usr/share/ipa/html/ca.crt"
+CACERT = "/etc/ipa/ca.crt"
 # the default container used by AD for user entries
 WIN_USER_CONTAINER = "cn=Users"
 # the default container used by IPA for user entries
-- 
1.7.3.2
