Martin Kosek wrote:
On Wed, 2011-06-22 at 08:51 -0400, Rob Crittenden wrote:
Rob Crittenden wrote:


Haven't had a chance to explore this one yet. It sure would be nice if
dogtag would tell us what the two differing base DNs are though...

This patch should resolve the remaining issues. It requires a patch to
bind-dyndb-ldap, I have a candidate patch in
https://bugzilla.redhat.com/show_bug.cgi?id=710261

rob

Hmm, good work there. BIND and SSSD on a custom-hostname IPA master are
working now, and so are the IPA client and the CA-powered replica.

I found only one issue - ipactl is not working because it uses
socket.gethostname() instead of api.env.host. So if you fix this
one-liner, it's an ACK from me.

Martin


Fixed

rob
>From 54155dc5862c13155722aa2ec791fd07f0459131 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 22 Jun 2011 08:46:25 -0400
Subject: [PATCH] Let the framework be able to override the hostname.

The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052
---
 install/tools/ipa-replica-install |    1 +
 install/tools/ipa-server-install  |    3 ++-
 install/tools/ipactl              |    2 +-
 ipalib/config.py                  |    4 ----
 ipalib/constants.py               |   12 ++++++++++--
 ipaserver/install/cainstance.py   |   29 ++++++++++++++---------------
 ipaserver/plugins/ldap2.py        |    4 ++++
 tests/test_ipalib/test_config.py  |    1 -
 8 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a0bb9d9..b70f36f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -429,6 +429,7 @@ def main():
     # Note: We must do this before bootstraping and finalizing ipalib.api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + config.host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
     fd.write("realm=" + config.realm_name + "\n")
     fd.write("domain=" + config.domain_name + "\n")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7c81dbe..9487387 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -678,6 +678,7 @@ def main():
     # Create the management framework config file and finalize api
     fd = open("/etc/ipa/default.conf", "w")
     fd.write("[global]\n")
+    fd.write("host=" + host_name + "\n")
     fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
     fd.write("realm=" + realm_name + "\n")
     fd.write("domain=" + domain_name + "\n")
@@ -916,7 +917,7 @@ def main():
 
     # Call client install script
     try:
-        run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name])
+        run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--domain", domain_name, "--server", host_name, "--realm", realm_name, "--hostname", host_name])
     except Exception, e:
         sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))
 
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 4ce2606..01b88a5 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -71,7 +71,7 @@ def emit_err(err):
     sys.stderr.write(err + '\n')
 
 def get_config():
-    base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (socket.gethostname(),
+    base = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (api.env.host,
                                                   api.env.basedn)
     srcfilter = '(ipaConfigString=enabledService)'
     attrs = ['cn', 'ipaConfigString']
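Review bot: With get_config now reading `api.env.host`, the `socket` import in ipactl is presumably left unused and should go in the same commit if nothing else in the file needs it; the import block is outside this hunk, so confirm before dropping it. Note also that `api.env.host` can now default to `None` (the constants.py hunk in this patch sets `FQDN = None` when both lookups fail), in which case this search base silently becomes `cn=None,cn=masters,...` and the subsequent search just finds nothing; a guard such as `if api.env.host is None: emit_err("Unable to determine the host name"); sys.exit(1)` at the top of get_config would make that failure explicit. The hostname is interpolated into a DN with plain `%` formatting; it comes from the installer-written config rather than user input, so escaping is a robustness nicety rather than a defect here.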
diff --git a/ipalib/config.py b/ipalib/config.py
index 888785a..410e5f0 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -447,7 +447,6 @@ class Env(object):
         self.__doing('_bootstrap')
 
         # Set run-time variables (cannot be overridden):
-        self.host = getfqdn()
         self.ipalib = path.dirname(path.abspath(__file__))
         self.site_packages = path.dirname(self.ipalib)
         self.script = path.abspath(sys.argv[0])
@@ -550,9 +549,6 @@ class Env(object):
         if 'log' not in self:
             self.log = self._join('logdir', '%s.log' % self.context)
 
-        # FIXME: move into ca plugin
-        if 'ca_host' not in self:
-            self.ca_host = self.host
         self._merge(**defaults)
 
     def _finalize(self, **lastchance):
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 202f5fa..23e8025 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -21,6 +21,14 @@
 """
 All constants centralised in one file.
 """
+import socket
+try:
+    FQDN = socket.getfqdn()
+except:
+    try:
+        FQDN = socket.gethostname()
+    except:
+        FQDN = None
 
 # The parameter system treats all these values as None:
 NULLS = (None, '', u'', tuple(), [])
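Review bot: The two bare `except:` clauses catch SystemExit and KeyboardInterrupt along with socket errors, and they run at import time of a module every ipalib consumer loads; `except socket.error:` is the narrow form for both. `socket.getfqdn()` itself already swallows resolver failures and falls back to the bare host name, so the outer try rarely fires in practice, while the final fallback leaves `FQDN = None`, which then becomes the default for both `host` and `ca_host` below — callers that format DNs or URLs from `api.env.host` would get the literal string `None` rather than a clear error. Because getfqdn() consults DNS, the value is also resolved once per process and depends on the resolver at import time; a comment such as `# Resolved once at import time via DNS; the 'host' config key overrides it` above the block would record both points for the next reader.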
@@ -127,7 +135,7 @@ DEFAULT_CONFIG = (
     ('mode', 'production'),
 
     # CA plugin:
-    ('ca_host', object),  # Set in Env._finalize_core()
+    ('ca_host', FQDN),  # Set in Env._finalize_core()
     ('ca_port', 9180),
     ('ca_agent_port', 9443),
     ('ca_ee_port', 9444),
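Review bot: The trailing comment `# Set in Env._finalize_core()` on the `ca_host` line is now stale: this same patch removes the `ca_host` assignment from `_finalize_core` in ipalib/config.py, so the FQDN default here is what callers actually receive unless the config overrides it. The heading in the next hunk, "Non-overridable vars set in Env._bootstrap():", is stale in the same way for `host`, which is no longer set in `_bootstrap` and is now overridable by design. Suggested: `('ca_host', FQDN),  # Defaults to this host's FQDN; overridable via config` here, and `('host', FQDN),  # No longer set in _bootstrap(); overridable via config` for the host entry, or move `host` out of the non-overridable list altogether.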
@@ -160,7 +168,7 @@ DEFAULT_CONFIG = (
     # raised.
 
     # Non-overridable vars set in Env._bootstrap():
-    ('host', object),
+    ('host', FQDN),
     ('ipalib', object),  # The directory containing ipalib/__init__.py
     ('site_packages', object),  # The directory contaning ipalib
     ('script', object),  # sys.argv[0]
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 62fce4b..54de10f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -520,7 +520,6 @@ class CAInstance(service.Service):
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
-            self.step("restarting certificate server", self.__restart_instance)
             if not self.clone:
                 self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
             if self.create_ra_agent_db:
@@ -559,7 +558,7 @@ class CAInstance(service.Service):
                 '-redirect', 'conf=/etc/pki-ca',
                 '-redirect', 'logs=/var/log/pki-ca',
         ]
-        ipautil.run(args)
+        ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
 
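Review bot: Passing `env={'PKI_HOSTNAME': self.fqdn}` hands the child only that one variable if `ipautil.run` forwards `env` unchanged to `subprocess.Popen`, in which case pkicreate would run without PATH or any other inherited setting; I cannot see `ipautil.run` from here, so this is fine if the helper merges its default PATH into a caller-supplied dict, and otherwise the dict needs PATH added (e.g. `env = {'PKI_HOSTNAME': self.fqdn, 'PATH': <the helper's default PATH>}`). The same call shape is used for the pkisilent invocation in the following hunk, so whichever way it is resolved applies to both. A one-line comment, `# PKI_HOSTNAME tells the dogtag installer which host name to configure instead of the system one`, would tie the env var to the commit's intent for future readers.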
     def __enable(self):
         self.backup_state("enabled", self.is_enabled())
@@ -675,7 +674,7 @@ class CAInstance(service.Service):
             # Define the things we don't want logged
             nolog = (self.admin_password, self.dm_password,)
 
-            ipautil.run(args, nolog=nolog)
+            ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
         except ipautil.CalledProcessError, e:
             logging.critical("failed to configure ca instance %s" % e)
             raise RuntimeError('Configuration of CA failed')
@@ -685,11 +684,22 @@ class CAInstance(service.Service):
             print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
             sys.exit(0)
 
+        # Turn off Nonces (again)
+        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
+            raise RuntimeError("Disabling nonces failed")
+        pent = pwd.getpwnam(PKI_USER)
+        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+
+        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
+        # it a lousy name.
+        if ipautil.file_exists("/root/tmp-ca.p12"):
+            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
+
         try:
             # After configuration the service is running and configured
             # but must be restarted for configuration to take effect.
             # The service status in this case will be 4.
-            self.restart()
+            self.__restart_instance()
         except ipautil.CalledProcessError, e:
             logging.critical("failed to restart ca instance after pkisilent configuration %s" % e)
             raise RuntimeError('Restarting CA after pkisilent configuration failed')
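Review bot: The new call `self.__restart_instance()` is wrapped in a try/except CalledProcessError, yet `__restart_instance` (which begins at the end of the next hunk, body outside view) opens its own try around `self.restart()`; if that helper already logs and re-raises, the failure is logged twice, and if it swallows the error the except here is dead code and the 'Restarting CA after pkisilent configuration failed' RuntimeError can never fire. Handle the error in one place — either call `self.restart()` directly here as before, or drop this try/except and let `__restart_instance` own it. The move of the nonce disabling and the PKCS#12 rename ahead of the restart matches the commit message's intent; a short comment such as `# Edit CS.cfg before the restart so the change takes effect without a second restart` above the update_file call would make the reordering's purpose visible in the code.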
@@ -704,17 +714,6 @@ class CAInstance(service.Service):
 
         logging.debug("completed creating ca instance")
 
-        # Turn off Nonces (again)
-        if installutils.update_file('/var/lib/pki-ca/conf/CS.cfg', 'ca.enableNonces=true', 'ca.enableNonces=false') != 0:
-            raise RuntimeError("Disabling nonces failed")
-        pent = pwd.getpwnam(PKI_USER)
-        os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
-
-        # pkisilent makes a copy of the CA PKCS#12 file for us but gives
-        # it a lousy name.
-        if ipautil.file_exists("/root/tmp-ca.p12"):
-            shutil.move("/root/tmp-ca.p12", "/root/cacert.p12")
-
     def __restart_instance(self):
         try:
             self.restart()
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index e4cc72d..c375252 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -160,6 +160,8 @@ def get_schema(url, conn=None):
 
         if conn is None:
             conn = _ldap.initialize(url)
+            if url.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             conn.sasl_interactive_bind_s('', SASL_AUTH)
 
         schema_entry = conn.search_s(
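Review bot: `url.startswith('ldapi://')` is case-sensitive while the LDAP URL scheme is not, so a URI written `LDAPI://` would silently skip the `OPT_HOST_NAME` setting and the bind would fall back to the system host name — the very mismatch this patch is fixing; `if url.lower().startswith('ldapi://'):` covers it, and the same test on `self.ldap_uri` in the following hunk needs the same treatment. That two-line block is now duplicated in get_schema and in the method of the next hunk (whose enclosing definition begins outside it), so a small module-level helper that takes the connection and the URI would keep the two in step. A comment along the lines of `# For ldapi:// the library cannot derive the host from the socket path; presumably needed so SASL/GSSAPI targets this host's principal — confirm` would record why only ldapi gets the option.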
@@ -321,6 +323,8 @@ class ldap2(CrudBackend, Encoder):
 
         try:
             conn = _ldap.initialize(self.ldap_uri)
+            if self.ldap_uri.startswith('ldapi://'):
+                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
             if ccache is not None:
                 os.environ['KRB5CCNAME'] = ccache
                 conn.sasl_interactive_bind_s('', SASL_AUTH)
diff --git a/tests/test_ipalib/test_config.py b/tests/test_ipalib/test_config.py
index 97d7548..e729a62 100644
--- a/tests/test_ipalib/test_config.py
+++ b/tests/test_ipalib/test_config.py
@@ -441,7 +441,6 @@ class test_Env(ClassChecker):
         (o, home) = self.new()
         o._bootstrap()
         ipalib = path.dirname(path.abspath(config.__file__))
-        assert o.host == socket.gethostname()
         assert o.ipalib == ipalib
         assert o.site_packages == path.dirname(ipalib)
         assert o.script == path.abspath(sys.argv[0])
-- 
1.7.4
