On 09/20/2012 05:58 AM, Ade Lee wrote:
Changes to use a single database for dogtag and IPA
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes. Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.
This patch includes changes to allow the creation of masters and clones
with single ds instances.
I have tested being able to create a master and a clone using f17 and
dogtag 10. Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today. We'll kick
off another official f18 dogtag build in a day or so.
This is a pretty big change - so I expect many issues to come up as
things get tested. But as this will take awhile to get resolved, its
better to get this out for review as fast as possible.
Happy reviewing.
Ade
Attaching a rebased patch with a couple of style issues fixed.
- PEP8 compliance (remove trailing whitespace, use parentheses rather
than \ for line continuation, wrap touched lines at 80 characters)
- for files, use the with statement instead of the "open/close sandwich"
- don't mix tabs and spaces in install/share/certmap.conf.template
I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
now obsoletes pki-setup.
I still need selinux in permissive mode to install on f17, and I still
need to exclude *.i686 packages when updating.
--
PetrĀ³
From 70197be93ad2b9c27d48fe5e0aa1af5a93ff487e Mon Sep 17 00:00:00 2001
From: Ade Lee <a...@redhat.com>
Date: Wed, 19 Sep 2012 23:35:42 -0400
Subject: [PATCH] Changes to use a single database for dogtag and IPA
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes. Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.
This patch includes changes to allow the creation of masters and clones
with single ds instances.
---
freeipa.spec.in | 6 +-
install/share/certmap.conf.template | 19 ++++---
install/tools/ipa-ca-install | 23 ++++++--
install/tools/ipa-csreplica-manage | 2 +-
install/tools/ipa-replica-conncheck | 19 +++++--
install/tools/ipa-replica-install | 29 +++++++---
install/tools/ipa-replica-prepare | 8 ++-
install/tools/ipa-server-install | 91 +++++++++++++++++-------------
install/tools/ipactl | 6 +-
ipapython/dogtag.py | 12 +++-
ipaserver/install/cainstance.py | 107 ++++++++++++++++++++++++++++++------
ipaserver/install/dsinstance.py | 14 +++--
ipaserver/install/installutils.py | 7 ++-
ipaserver/install/replication.py | 13 +++--
14 files changed, 257 insertions(+), 99 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ef9678ec25d5ab8ed064657904c17a4f52e85eac..dde19d45ff75364c01c287de6ac1ae6e6f5e4963 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -142,9 +142,9 @@ Requires: selinux-policy >= 3.9.7-27
%endif
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.40
-Requires: pki-ca >= 9.0.18
-Requires: pki-silent >= 9.0.18
-Requires: pki-setup >= 9.0.18
+Requires: pki-ca >= 10.0.0-0.34
+Requires: pki-silent >= 10.0.0-0.34
+Requires: pki-server >= 10.0.0-0.34
Requires: dogtag-pki-common-theme
Requires: dogtag-pki-ca-theme
%if 0%{?fedora} >= 18
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 676d3ef354c9dae4dce8c4682176e656088991b2..40b4e6cb1513bed586248e0c214730861b9715cf 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -71,12 +71,15 @@
# attr names - a comma separated list of attributes to form the filter
#
-certmap default default
+certmap default default
#default:DNComps
-#default:FilterComps e, uid
-#default:verifycert on
-#default:CmapLdapAttr certSubjectDN
-#default:library <path_to_shared_lib_or_dll>
-#default:InitFn <Init function's name>
-default:DNComps
-default:FilterComps uid
+#default:FilterComps e, uid
+#default:verifycert on
+#default:CmapLdapAttr certSubjectDN
+#default:library <path_to_shared_lib_or_dll>
+#default:InitFn <Init function's name>
+default:DNComps
+default:FilterComps uid
+certmap ipaca CN=Certificate Authority,O=domain_name
+ipaca:CmapLdapAttr seeAlso
+ipaca:verifycert on
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1c1b96a91fbbef455a68b158cc0191b91f2232f9..df3aebc111069d2d164fee6336182089c09a7195 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -142,17 +142,32 @@ def main():
config.dir = dir
config.setup_ca = True
+ portfile = config.dir + "/dogtag_directory_port.txt"
+ if not ipautil.file_exists(portfile):
+ dogtag_master_ds_port = "7389"
+ else:
+ with open(portfile) as fd:
+ dogtag_master_ds_port = fd.read()
+
if not options.skip_conncheck:
- replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password)
+ replica_conn_check(
+ config.master_host_name, config.host_name, config.realm_name, True,
+ dogtag_master_ds_port, options.admin_password)
# Configure the CA if necessary
- (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
+ (CA, cs) = cainstance.install_replica_ca(
+ config, dogtag_master_ds_port, postinstall=True)
# We need to ldap_enable the CA now that DS is up and running
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
- cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
- cs.add_cert_to_service()
+ if not dogtag.install_constants.SHARED_DB:
+ cs.add_simple_service('dogtagldap/%s@%s' %
+ (config.host_name, config.realm_name))
+ cs.add_cert_to_service()
+ else:
+ CA.enable_client_auth_to_db()
+ CA.restart()
# We need to restart apache as we drop a new config file in there
ipaservices.knownservices.httpd.restart(capture_output=True)
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 39cfa58511ae552cae64798c7559303fda27866a..272daacfedbb45db4307b04201954ad0a96b0614 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -34,7 +34,7 @@ from ipalib import api, errors, util
from ipapython.dn import DN
CACERT = "/etc/ipa/ca.crt"
-PORT = 7389
+PORT = dogtag.install_constants.DS_PORT
# dict of command name and tuples of min/max num of args needed
commands = {
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 169e9dc9f1d28dcc7c36b09f4382b8948d5ae831..7ed91ce450ed82686f72d2ae9276960ae9287b3f 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -21,6 +21,7 @@
from ipapython.config import IPAOptionParser
from ipapython import version
from ipapython import ipautil
+from ipapython import dogtag
from ipapython.ipautil import CalledProcessError
from ipaserver.install import installutils
import ipaclient.ipachangeconf
@@ -59,10 +60,6 @@ BASE_PORTS = [
CheckedPort(443, SOCK_STREAM, "HTTP Server: Secure port"),
]
-CA_PORTS = [
- CheckedPort(7389, SOCK_STREAM, "PKI-CA: Directory Service port"),
- ]
-
def print_info(msg):
if not QUIET:
print msg
@@ -99,6 +96,10 @@ def parse_options():
default=False,
help="Check also ports for Certificate Authority")
+ common_group.add_option("-C", "--dogtag-master-ds-port",
+ dest="dogtag_master_ds_port",
+ help="Port for Certificate Authority database")
+
common_group.add_option("", "--hostname", dest="hostname",
help="The hostname of this server (FQDN). "
"By default a nodename from uname(2) is used.")
@@ -281,7 +282,9 @@ def main():
required_ports = BASE_PORTS
if options.check_ca:
- required_ports.extend(CA_PORTS)
+ ca_port = CheckedPort(int(options.dogtag_master_ds_port), SOCK_STREAM,
+ "PKI-CA: Directory Service port")
+ required_ports.extend([ca_port])
if options.replica:
print_info("Check connection from master to remote replica '%s':" % options.replica)
@@ -358,6 +361,9 @@ def main():
remote_check_opts = ['--replica %s' % options.hostname]
if options.check_ca:
remote_check_opts.append('--check-ca')
+ remote_check_opts.extend(["--dogtag-master-ds-port",
+ str(dogtag.install_constants.DS_PORT)])
+
print_info("Execute check on remote master")
@@ -383,6 +389,9 @@ def main():
remote_check_opts = ['--replica %s' % options.hostname]
if options.check_ca:
remote_check_opts.append('--check-ca')
+ remote_check_opts.extend(["--dogtag-master-ds-port",
+ str(dogtag.install_constants.DS_PORT)])
+
print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts))
time.sleep(3600)
print_info("Connection check timeout: terminating listening program")
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 55417b72fd430ce90e85310f01d5b91d1390e0ae..01b9c95042385713d9e91e8dbf8b2f17cbcc6afa 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -459,9 +459,19 @@ def main():
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
+ portfile = config.dir + "/dogtag_directory_port.txt"
+ if not ipautil.file_exists(portfile):
+ dogtag_master_ds_port = "7389"
+ else:
+ with open(portfile) as fd:
+ dogtag_master_ds_port = fd.read()
+
# check connection
if not options.skip_conncheck:
- replica_conn_check(config.master_host_name, config.host_name, config.realm_name, options.setup_ca, options.admin_password)
+ replica_conn_check(
+ config.master_host_name, config.host_name, config.realm_name,
+ options.setup_ca, dogtag_master_ds_port, options.admin_password)
+
# check replica host IP resolution
config.ip = installutils.get_server_ip_address(config.host_name, fstore, True, options)
@@ -574,21 +584,26 @@ def main():
ntp = ntpinstance.NTPInstance()
ntp.create_instance()
+ # Configure dirsrv
+ ds = install_replica_ds(config)
+
# Configure the CA if necessary
- (CA, cs) = cainstance.install_replica_ca(config)
+ (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)
# Always try to install DNS records
install_dns_records(config, options)
- # Configure dirsrv
- ds = install_replica_ds(config)
-
# We need to ldap_enable the CA now that DS is up and running
if CA and config.setup_ca:
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
- cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
- cs.add_cert_to_service()
+ if not dogtag.install_constants.SHARED_DB:
+ cs.add_simple_service('dogtagldap/%s@%s' %
+ (config.host_name, config.realm_name))
+ cs.add_cert_to_service()
+ else:
+ CA.enable_client_auth_to_db()
+ CA.restart()
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect)
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index dea52ea1e1e88f22083152e326d34ccfc7037842..5a566d61df521d3801c41a07753a2af728a7b6e7 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -209,8 +209,8 @@ def save_config(dir, realm_name, host_name,
config.set("realm", "destination_host", dest_host)
config.set("realm", "subject_base", str(subject_base))
config.set("realm", "version", str(version.NUM_VERSION))
- fd = open(dir + "/realm_info", "w")
- config.write(fd)
+ with open(dir + "/realm_info", "w") as fd:
+ config.write(fd)
def remove_file(fname, ignore_errors=True):
try:
@@ -369,6 +369,10 @@ def main():
except errors.CertificateOperationError, e:
print "%s" % e
sys.exit(1)
+ print "Saving dogtag Directory Server port"
+ port_fname = dir + "/dogtag_directory_port.txt"
+ with open(port_fname, "w") as fd:
+ fd.write("%s\n" % str(dogtag.install_constants.DS_PORT))
if options.http_pin:
passwd = options.http_pin
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 37d37b81a25c391e6b029b5918d440846a617210..1663f70617b18861abf7f0110b0eef4e44bc47b5 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -481,9 +481,11 @@ def uninstall():
print "ipa-client-install returned: " + str(e)
ntpinstance.NTPInstance(fstore).uninstall()
- cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants)
- if cads_instance.is_configured():
- cads_instance.uninstall()
+ if not dogtag.install_constants.SHARED_DB:
+ cads_instance = cainstance.CADSInstance(
+ dogtag_constants=dogtag_constants)
+ if cads_instance.is_configured():
+ cads_instance.uninstall()
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
if ca_instance.is_configured():
@@ -616,11 +618,11 @@ def main():
return uninstall()
if options.external_ca:
- if cainstance.CADSInstance().is_configured():
+ if cainstance.is_step_one_done():
print "CA is already installed.\nRun the installer with --external_cert_file and --external_ca_file."
sys.exit(1)
elif options.external_cert_file:
- if not cainstance.CADSInstance().is_configured():
+ if not cainstance.is_step_one_done():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
@@ -901,6 +903,30 @@ def main():
if not ntp.is_configured():
ntp.create_instance()
+ # Create a directory server instance
+ ds = dsinstance.DsInstance(fstore=fstore)
+
+ if options.dirsrv_pin:
+ [pw_fd, pw_name] = tempfile.mkstemp()
+ os.write(pw_fd, options.dirsrv_pin)
+ os.close(pw_fd)
+
+ if options.dirsrv_pkcs12:
+ pkcs12_info = (options.dirsrv_pkcs12, pw_name)
+ try:
+ ds.create_instance(realm_name, host_name, domain_name,
+ dm_password, pkcs12_info,
+ subject_base=options.subject,
+ hbac_allow=not options.hbac_allow)
+ finally:
+ os.remove(pw_name)
+ else:
+ ds.create_instance(realm_name, host_name, domain_name,
+ dm_password, self_signed_ca=options.selfsign,
+ idstart=options.idstart, idmax=options.idmax,
+ subject_base=options.subject,
+ hbac_allow=not options.hbac_allow)
+
if options.selfsign:
ca = certs.CertDB(realm_name, host_name=host_name,
subject_base=options.subject)
@@ -921,9 +947,13 @@ def main():
else:
external = 0
- cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
- if not cs.is_configured():
- cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
+ if not dogtag.install_constants.SHARED_DB:
+ cs = cainstance.CADSInstance(
+ host_name, realm_name, domain_name, dm_password)
+ if not cs.is_configured():
+ cs.create_instance(realm_name, host_name, domain_name,
+ dm_password, subject_base=options.subject)
+
ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
if external == 0:
@@ -954,42 +984,25 @@ def main():
# Now put the CA cert where other instances exepct it
ca.publish_ca_cert("/etc/ipa/ca.crt")
- # Create a directory server instance
- ds = dsinstance.DsInstance(fstore=fstore)
-
- if options.dirsrv_pin:
- [pw_fd, pw_name] = tempfile.mkstemp()
- os.write(pw_fd, options.dirsrv_pin)
- os.close(pw_fd)
-
- if options.dirsrv_pkcs12:
- pkcs12_info = (options.dirsrv_pkcs12, pw_name)
- try:
- ds.create_instance(realm_name, host_name, domain_name,
- dm_password, pkcs12_info,
- subject_base=options.subject,
- hbac_allow=not options.hbac_allow)
- finally:
- os.remove(pw_name)
- else:
- ds.create_instance(realm_name, host_name, domain_name,
- dm_password, self_signed_ca=options.selfsign,
- idstart=options.idstart, idmax=options.idmax,
- subject_base=options.subject,
- hbac_allow=not options.hbac_allow)
+ # we now need to enable ssl on the ds
+ ds.enable_ssl()
+ ds.restart()
# We need to ldap_enable the CA now that DS is up and running
if not options.selfsign:
ca.ldap_enable('CA', host_name, dm_password,
ipautil.realm_to_suffix(realm_name))
-
- # Turn on SSL in the dogtag LDAP instance. This will get restarted
- # later, we don't need SSL now.
- cs.create_certdb()
- cs.enable_ssl()
- # Add the IPA service for storing the PKI-IPA server certificate.
- cs.add_simple_service(cs.principal)
- cs.add_cert_to_service()
+ if not dogtag.install_constants.SHARED_DB:
+ # Turn on SSL in the dogtag LDAP instance. This will get restarted
+ # later, we don't need SSL now.
+ cs.create_certdb()
+ cs.enable_ssl()
+ # Add the IPA service for storing the PKI-IPA server certificate.
+ cs.add_simple_service(cs.principal)
+ cs.add_cert_to_service()
+ else:
+ ca.enable_client_auth_to_db()
+ ca.restart()
# Create a kerberos instance
if options.pkinit_pin:
diff --git a/install/tools/ipactl b/install/tools/ipactl
index d4b2c0878f2b62fd12198f76bef01ef70e9f3de1..b07a4a3230073bd7e3a7851c414b165d8f829d9f 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -29,6 +29,7 @@ try:
from ipalib import api, errors
from ipapython import sysrestore
from ipapython import config
+ from ipapython import dogtag
from ipapython.dn import DN
import ldap
import ldap.sasl
@@ -63,7 +64,10 @@ def is_dirsrv_debugging_enabled():
"""
debugging = False
serverid = realm_to_serverid(api.env.realm)
- for dse in ['/etc/dirsrv/slapd-PKI-IPA/', config_dirname(serverid)]:
+ dselist = [config_dirname(serverid)]
+ if not dogtag.install_constants.SHARED_DB:
+ dselist.append('/etc/dirsrv/slapd-PKI-IPA/')
+ for dse in dselist:
try:
fd = open(dse + 'dse.ldif', 'r')
except IOError:
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 22a5a6d19fc2c36612e3f48901764a9b1f9b1c25..b2af70265d22bab7bc6acca4dab378a63344ec35 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -47,6 +47,8 @@ class Dogtag10Constants(object):
AGENT_SECURE_PORT = 8443
EE_SECURE_PORT = 8443
AJP_PORT = 8009
+ DS_PORT = 389
+ DS_SECURE_PORT = 636
SPAWN_BINARY = '/usr/sbin/pkispawn'
DESTROY_BINARY = '/usr/sbin/pkidestroy'
@@ -64,13 +66,19 @@ class Dogtag10Constants(object):
IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+ SHARED_DB = True
+ DS_USER = "dirsrv"
+ DS_NAME = "dirsrv"
+
class Dogtag9Constants(object):
DOGTAG_VERSION = 9
UNSECURE_PORT = 9180
AGENT_SECURE_PORT = 9443
EE_SECURE_PORT = 9444
AJP_PORT = 9447
+ DS_PORT = 7389
+ DS_SECURE_PORT = 7636
SPAWN_BINARY = '/bin/pkicreate'
DESTROY_BINARY = '/bin/pkisilent'
@@ -92,7 +100,9 @@ class Dogtag9Constants(object):
IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
-
+ SHARED_DB = False
+ DS_USER = "pkisrv"
+ DS_NAME = "PKI-IPA"
if os.path.exists('/usr/sbin/pkispawn'):
install_constants = Dogtag10Constants
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index e08df06a840b91c7fe2d4d6dd1ee204a4abaf2f0..6d73c48df526361ce17586c2b7580b70dccdf5a5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -60,10 +60,10 @@
from ipapython.ipa_log_manager import *
HTTPD_CONFD = "/etc/httpd/conf.d/"
-DEFAULT_DSPORT=7389
+DEFAULT_DSPORT = dogtag.install_constants.DS_PORT
PKI_USER = "pkiuser"
-PKI_DS_USER = "pkisrv"
+PKI_DS_USER = dogtag.install_constants.DS_USER
# We need to reset the template because the CA uses the regular boot
@@ -215,6 +215,17 @@ def get_outputList(data):
return outputdict
+
+def is_step_one_done():
+ '''Read CS.cfg and determine if step one of an external CA install is done
+ '''
+ test = installutils.get_directive(
+ dogtag.install_constants.CS_CFG_PATH, 'preop.ca.type', '=')
+ if test == "otherca":
+ return True
+ return False
+
+
class CADSInstance(service.Service):
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
service.Service.__init__(self, "pkids", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)
@@ -490,6 +501,7 @@ def configure_instance(self, host_name, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, csr_file=None,
cert_file=None, cert_chain_file=None,
+ master_replication_port=None,
subject_base=None):
"""Create a CA instance.
@@ -510,6 +522,7 @@ def configure_instance(self, host_name, dm_password,
if self.pkcs12_info is not None:
self.clone = True
self.master_host = master_host
+ self.master_replication_port = master_replication_port
if subject_base is None:
self.subject_base = DN(('O', self.realm))
else:
@@ -623,8 +636,12 @@ def __spawn_instance(self):
"pki_security_domain_hostname": self.master_host,
"pki_security_domain_https_port": "443",
"pki_security_domain_password": self.admin_password,
- "pki_clone_replication_security": "SSL",
- "pki_clone_uri": \
+ "pki_clone_replication_security": "TLS",
+ "pki_clone_replication_master_port":
+ str(self.master_replication_port),
+ "pki_clone_replication_clone_port":
+ dogtag.install_constants.DS_PORT,
+ "pki_clone_uri":
"https://%s"; % ipautil.format_netloc(self.master_host, 443)
}
replacevars.update(clone_vars)
@@ -807,6 +824,8 @@ def __configure_instance(self):
args.append("admin")
args.append("-sd_admin_password")
args.append(self.admin_password)
+ args.append("-clone_master_port")
+ args.append(str(self.master_replication_port))
args.append("-clone_start_tls")
args.append("true")
args.append("-clone_uri")
@@ -1220,6 +1239,43 @@ def __set_subject_in_config(self):
'OU=pki-ipa, O=IPA', str(self.subject_base)):
print "Updating subject_base in CA template failed"
+ def enable_client_auth_to_db(self):
+ """
+ Enable client auth connection to the internal db.
+ """
+ caconfig = dogtag.install_constants.CS_CFG_PATH
+
+ # Enable file publishing, disable LDAP
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
+ 'SslClientAuth', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN',
+ 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
+ 'subsystemCert cert-pki-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapconn.port',
+ str(dogtag.install_constants.DS_SECURE_PORT),
+ quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn',
+ 'true', quotes=False, separator='=')
+
+ installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype',
+ 'SslClientAuth', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN',
+ 'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig,
+ 'internaldb.ldapauth.clientCertNickname',
+ 'subsystemCert cert-pki-ca', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'internaldb.ldapconn.port',
+ str(dogtag.install_constants.DS_SECURE_PORT),
+ quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'internaldb.ldapconn.secureConn',
+ 'true', quotes=False, separator='=')
+
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring CA")
@@ -1404,7 +1460,7 @@ def is_master(self):
return master == 'New'
-def install_replica_ca(config, postinstall=False):
+def install_replica_ca(config, master_ds_port, postinstall=False):
"""
Install a CA on a replica.
@@ -1442,22 +1498,28 @@ def install_replica_ca(config, postinstall=False):
if ipautil.file_exists(config.dir + "/dogtagcert.p12"):
pkcs12_info = (config.dir + "/dogtagcert.p12",
config.dir + "/dirsrv_pin.txt")
- cs = CADSInstance(dogtag_constants=dogtag.install_constants)
- cs.create_instance(config.realm_name, config.host_name,
- config.domain_name, config.dirman_password,
- pkcs12_info)
- cs.load_pkcs12()
- cs.enable_ssl()
- cs.restart_instance()
+
+ if not dogtag.install_constants.SHARED_DB:
+ cs = CADSInstance(dogtag_constants=dogtag.install_constants)
+ cs.create_instance(config.realm_name, config.host_name,
+ config.domain_name, config.dirman_password,
+ pkcs12_info)
+ cs.load_pkcs12()
+ cs.enable_ssl()
+ cs.restart_instance()
+ else:
+ cs = None
+
ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.install_constants)
if postinstall:
# If installing this afterward the Apache NSS database already
# exists, don't remove it.
ca.create_ra_agent_db = False
ca.configure_instance(config.host_name, config.dirman_password,
config.dirman_password, pkcs12_info=(cafile,),
master_host=config.master_host_name,
+ master_replication_port=master_ds_port,
subject_base=config.subject_base)
# The dogtag DS instance needs to be restarted after installation.
@@ -1471,8 +1533,14 @@ def install_replica_ca(config, postinstall=False):
service.print_msg("Restarting the directory and certificate servers")
ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
- ipaservices.knownservices.dirsrv.stop("PKI-IPA")
- ipaservices.knownservices.dirsrv.start("PKI-IPA")
+
+ if not dogtag.install_constants.SHARED_DB:
+ ds_name = dogtag.install_constants.DS_NAME
+ ipaservices.knownservices.dirsrv.stop(ds_name)
+ ipaservices.knownservices.dirsrv.start(ds_name)
+ else:
+ ipaservices.knownservices.dirsrv.restart()
+
ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
return (ca, cs)
@@ -1490,16 +1558,21 @@ def update_cert_config(nickname, cert):
'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
'caSigningCert cert-pki-ca': 'ca.signing.cert',
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
- 'Server-Cert cert-pki-ca': 'ca.sslserver.cert' }
+ 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
directives[nickname],
base64.b64encode(cert),
quotes=False, separator='=')
if __name__ == "__main__":
standard_logging_setup("install.log")
- cs = CADSInstance()
- cs.create_instance("EXAMPLE.COM", "catest.example.com", "example.com", "password")
+ if not dogtag.install_constants.SHARED_DB:
+ cs = CADSInstance()
+ cs.create_instance(
+ "EXAMPLE.COM", "catest.example.com", "example.com", "password")
+ else:
+ ds = dsinstance.DsInstance()
+
ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
ca.configure_instance("catest.example.com", "password", "password")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2c9832d0277560ea85bdc29c7167a46430c78771..0d9b7e4ee6946d2fe30ff0c2280e1f911f5d11d1 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -31,6 +31,7 @@
from ipapython import ipautil
from ipapython import sysrestore
from ipapython import services as ipaservices
+from ipapython import dogtag
import service
import installutils
@@ -161,6 +162,8 @@ def is_ds_running(server_id=''):
class DsInstance(service.Service):
def __init__(self, realm_name=None, domain_name=None, dm_password=None, fstore=None):
service.Service.__init__(self, "dirsrv", dm_password=dm_password, ldapi=False, autobind=service.DISABLED)
+ self.nickname = 'Server-Cert'
+ self.dm_password = dm_password
self.realm_name = realm_name
self.sub_dict = None
self.domain = domain_name
@@ -187,7 +190,7 @@ def __init__(self, realm_name=None, domain_name=None, dm_password=None, fstore=N
subject_base = ipautil.dn_attribute_property('_subject_base')
- def __common_setup(self):
+ def __common_setup(self, enable_ssl=False):
self.step("creating directory server user", self.__create_ds_user)
self.step("creating directory server instance", self.__create_instance)
@@ -204,7 +207,8 @@ def __common_setup(self):
self.step("configuring lockout plugin", self.__config_lockout_module)
self.step("creating indices", self.__create_indices)
self.step("enabling referential integrity plugin", self.__add_referint_module)
- self.step("configuring ssl for ds instance", self.__enable_ssl)
+ if not dogtag.install_constants.SHARED_DB or enable_ssl:
+ self.step("configuring ssl for ds instance", self.enable_ssl)
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("configure autobind for root", self.__root_autobind)
self.step("configure new location for managed entries", self.__repoint_managed_entries)
@@ -279,7 +283,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
self.idmax = 1100
self.__setup_sub_dict()
- self.__common_setup()
+ self.__common_setup(True)
self.step("setting up initial replication", self.__setup_replica)
self.step("adding replication acis", self.__add_replication_acis)
@@ -520,7 +524,7 @@ def __add_enrollment_module(self):
def generate_random(self):
return ipautil.ipa_generate_password()
- def __enable_ssl(self):
+ def enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
if self.pkcs12_info:
@@ -596,6 +600,8 @@ def __create_indices(self):
def __certmap_conf(self):
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.serverid) + "certmap.conf")
+ installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
+ 'domain_name', self.realm_name)
def __enable_ldapi(self):
self._ldap_mod("ldapi.ldif", self.sub_dict)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 754d5fc98f3122cc82064c039236f5916eabf469..3368533d1537db26cd3ce35c3d6ed111167967e0 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -38,18 +38,21 @@
from dns.exception import DNSException
import ldap
-from ipapython import ipautil, sysrestore, admintool
+from ipapython import ipautil, sysrestore, admintool, dogtag
from ipapython.admintool import ScriptError
from ipapython.ipa_log_manager import *
from ipalib.util import validate_hostname
from ipapython import config
from ipalib import errors
from ipapython.dn import DN
# Used to determine install status
IPA_MODULES = [
- 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'pkids', 'install',
+ 'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install',
'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
+if not dogtag.install_constants.SHARED_DB:
+ IPA_MODULES.append('pkids')
+
class BadHostError(Exception):
pass
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 564097e7653ac57b6c6862a654442aed55c1d457..06466f2995763c07b167a8312ab8bd4d6bf08522 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -59,7 +59,7 @@
def replica_conn_check(master_host, host_name, realm, check_ca,
- admin_password=None):
+ dogtag_master_ds_port, admin_password=None):
"""
Check the ports used by the replica both locally and remotely to be sure
that replication will work.
@@ -79,6 +79,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
if check_ca:
args.append('--check-ca')
+ args.extend(["--dogtag-master-ds-port", dogtag_master_ds_port])
(stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
nolog=nolog)
@@ -946,10 +947,12 @@ def force_sync(self, conn, hostname):
newschedule = '2358-2359 0'
- filter = '(&(nsDS5ReplicaHost=%s)' \
- '(|(objectclass=nsDSWindowsReplicationAgreement)' \
- '(objectclass=nsds5ReplicationAgreement)))' % hostname
- entries = conn.getList(DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter)
+ filter = ('(&(nsDS5ReplicaHost=%s)'
+ '(&(!(nsDS5ReplicaRoot=o=ipaca))'
+ '(|(objectclass=nsDSWindowsReplicationAgreement)'
+ '(objectclass=nsds5ReplicationAgreement))))' % hostname)
+ entries = conn.getList(
+ DN(('cn', 'config')), ldap.SCOPE_SUBTREE, filter)
if len(entries) == 0:
root_logger.error("Unable to find replication agreement for %s" %
(hostname))
--
1.7.11.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
