On 03/11/2015 03:13 PM, Martin Basti wrote:
On 11/03/15 13:00, Martin Babinsky wrote:
These patches solve https://fedorahosted.org/freeipa/ticket/4933.

They are to be applied to master branch. I will rebase them for
ipa-4-1 after the review.

Thank you for the patches.

I have a few comments:

IPA-4-1
Replacing simple bind with LDAPI is too big a change for 4-1; we should
start TLS if possible to avoid the MINSSF>0 error. The LDAPI patches should
go only into the IPA master branch.

You can do something like this:
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -107,6 +107,10 @@ class Service(object):
                  if not self.realm:
                      raise errors.NotFound(reason="realm is missing for
%s" % (self))
                  conn = ipaldap.IPAdmin(ldapi=self.ldapi,
realm=self.realm)
+            elif self.dm_password is not None:
+                conn = ipaldap.IPAdmin(self.fqdn, port=389,
+                                       cacert=paths.IPA_CA_CRT,
+                                       start_tls=True)
              else:
                  conn = ipaldap.IPAdmin(self.fqdn, port=389)


PATCH 0018:
1)
please add a more chatty commit message there about using LDAPI

2)
I do not much like the idea of adding a 'realm' kwarg to the __init__ method of
OpenDNSSECInstance.
IIUC, it is needed because of the get_masters() method, which requires realm to use
LDAPI.

You can just add ods.realm=<realm> before the call to get_masters() in
ipa-dns-install:
     if options.dnssec_master:
+        ods.realm=api.env.realm
         dnssec_masters = ods.get_masters()
(Honza will change it anyway during refactoring)

PATCH 0019:
1)
the commit message deserves to be more chatty; can you explain there why you
removed the Kerberos cache?

Martin^2


Attaching updated patches.

Patch 0018 should go to both 4.1 and master branches.

Patch 0019 should go only to master.

--
Martin^3 Babinsky
From aea965b42ad52b7504dd06b8e62861e1a7be4da1 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 11 Mar 2015 15:37:08 +0100
Subject: [PATCH] ipa-dns-install: use STARTTLS to connect to DS

BindInstance et al. now use STARTTLS to set up a secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933

---
 install/tools/ipa-dns-install            | 12 ++++++++----
 ipaserver/install/bindinstance.py        | 12 ++++++------
 ipaserver/install/dnskeysyncinstance.py  | 14 +++++++-------
 ipaserver/install/odsexporterinstance.py | 15 +++++++--------
 ipaserver/install/opendnssecinstance.py  | 15 +++++++--------
 ipaserver/install/service.py             | 10 ++++++++--
 6 files changed, 43 insertions(+), 35 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 11f79f0f9be226aaee8c95deb31e7e21f8a18dbb..2b6ad02abee9428870b0a554f5b4088e77b0e852 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -151,7 +151,7 @@ def main():
                                              confirm=False, validate=False)
     if dm_password is None:
         sys.exit("Directory Manager password required")
-    bind = bindinstance.BindInstance(fstore, dm_password)
+    bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True)
 
     # try the connection
     try:
@@ -160,7 +160,8 @@ def main():
     except errors.ACIError:
         sys.exit("Password is not valid!")
 
-    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
+    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
+                                                start_tls=True)
     if options.dnssec_master:
         dnssec_masters = ods.get_masters()
         # we can reinstall current server if it is dnssec master
@@ -214,10 +215,13 @@ def main():
     bind.create_instance()
 
     # on dnssec master this must be installed last
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
+                                                        start_tls=True)
     dnskeysyncd.create_instance(api.env.host, api.env.realm)
     if options.dnssec_master:
-        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
+        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
+                                                               dm_password,
+                                                               start_tls=True)
 
         ods_exporter.create_instance(api.env.host, api.env.realm)
         ods.create_instance(api.env.host, api.env.realm)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 4e630e8ddfed524d021d19016f48615fc8c0ab9d..ca73b43f6da2f0cf3ad8423b24b2ce19062d0df2 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -533,13 +533,13 @@ class DnsBackup(object):
 
 
 class BindInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None):
+    def __init__(self, fstore=None, dm_password=None, start_tls=False):
         service.Service.__init__(self, "named",
-            service_desc="DNS",
-            dm_password=dm_password,
-            ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED
-            )
+                                 service_desc="DNS",
+                                 dm_password=dm_password,
+                                 ldapi=False,
+                                 autobind=ipaldap.AUTOBIND_DISABLED,
+                                 start_tls=start_tls)
         self.dns_backup = DnsBackup(self)
         self.named_user = None
         self.domain = None
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 5da65d87b1471710b762f90b9a33c453c7d809b7..c0a0ded6a95097e63cb3285793ab1f31e39ecf33 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -62,13 +62,13 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
 
 class DNSKeySyncInstance(service.Service):
     def __init__(self, fstore=None, dm_password=None, logger=root_logger,
-                 ldapi=False):
-        service.Service.__init__(
-            self, "ipa-dnskeysyncd",
-            service_desc="DNS key synchronization service",
-            dm_password=dm_password,
-            ldapi=ldapi
-            )
+                 ldapi=False, start_tls=False):
+        service.Service.__init__(self, "ipa-dnskeysyncd",
+                                 service_desc=
+                                 "DNS key synchronization service",
+                                 dm_password=dm_password,
+                                 ldapi=ldapi,
+                                 start_tls=start_tls)
         self.dm_password = dm_password
         self.logger = logger
         self.extra_config = [u'dnssecVersion 1', ]  # DNSSEC enabled
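Review bot: In the rewritten `service.Service.__init__` call, `service_desc=` is split from its value across two lines, which reads as a dangling keyword; the sibling hunks in this patch (`bindinstance.py`, `odsexporterinstance.py`, `opendnssecinstance.py`) keep each keyword together with its value. Keeping the hanging-indent layout the removed lines used, i.e. `service.Service.__init__(` / `    self, "ipa-dnskeysyncd",` / `    service_desc="DNS key synchronization service",`, stays within line length without the break. The body of `__init__` continues past the end of the hunk.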
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 57b1451c0566d57ef4208314cfadaf8e225a6958..e7848e0cda8bffcc493683e217701c005ba7b3e4 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -19,14 +19,13 @@ from ipalib import errors
 
 
 class ODSExporterInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None):
-        service.Service.__init__(
-            self, "ipa-ods-exporter",
-            service_desc="IPA OpenDNSSEC exporter daemon",
-            dm_password=dm_password,
-            ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED
-        )
+    def __init__(self, fstore=None, dm_password=None, start_tls=False):
+        service.Service.__init__(self, "ipa-ods-exporter",
+                                 service_desc="IPA OpenDNSSEC exporter daemon",
+                                 dm_password=dm_password,
+                                 ldapi=False,
+                                 autobind=ipaldap.AUTOBIND_DISABLED,
+                                 start_tls=start_tls)
         self.dm_password = dm_password
         self.ods_uid = None
         self.ods_gid = None
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 0d2fb009ea7d0614b9fea573e85ed6913f24439c..13d9589c7cc7704f2e3b73bfaabd9fdefcfab0b6 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -61,14 +61,13 @@ def check_inst():
 
 
 class OpenDNSSECInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None):
-        service.Service.__init__(
-            self, "ods-enforcerd",
-            service_desc="OpenDNSSEC enforcer daemon",
-            dm_password=dm_password,
-            ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED
-        )
+    def __init__(self, fstore=None, dm_password=None, start_tls=False):
+        service.Service.__init__(self, "ods-enforcerd",
+                                 service_desc="OpenDNSSEC enforcer daemon",
+                                 dm_password=dm_password,
+                                 ldapi=False,
+                                 autobind=ipaldap.AUTOBIND_DISABLED,
+                                 start_tls=start_tls)
         self.dm_password = dm_password
         self.ods_uid = None
         self.ods_gid = None
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 3ae43d8f39cae39389ea02a14f95953fd3888cd0..4e340f602dc60319dea049fbf60bba1017365d15 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -72,8 +72,9 @@ def format_seconds(seconds):
 
 
 class Service(object):
-    def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True,
-                 autobind=ipaldap.AUTOBIND_AUTO):
+    def __init__(self, service_name, service_desc=None, sstore=None,
+                 dm_password=None, ldapi=True,
+                 autobind=ipaldap.AUTOBIND_AUTO, start_tls=False):
         self.service_name = service_name
         self.service_desc = service_desc
         self.service = services.service(service_name)
@@ -82,6 +83,7 @@ class Service(object):
         self.dm_password = dm_password
         self.ldapi = ldapi
         self.autobind = autobind
+        self.start_tls = start_tls
 
         self.fqdn = socket.gethostname()
         self.admin_conn = None
@@ -107,6 +109,10 @@ class Service(object):
                 if not self.realm:
                     raise errors.NotFound(reason="realm is missing for %s" % (self))
                 conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
+            elif self.start_tls:
+                conn = ipaldap.IPAdmin(self.fqdn, port=389, protocol='ldap',
+                                       cacert=paths.IPA_CA_CRT,
+                                       start_tls=self.start_tls)
             else:
                 conn = ipaldap.IPAdmin(self.fqdn, port=389)
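Review bot: The `else` fallback on the last two lines still opens a plain LDAP connection on port 389 whenever `start_tls` is left at its default of False, so a Service constructed with a `dm_password` but without `start_tls=True` keeps the unprotected simple-bind path this patch is meant to retire; the earlier suggestion in this thread keyed the branch on `self.dm_password is not None` instead. Either condition the STARTTLS branch on `self.start_tls or self.dm_password is not None`, or at least mark the fallback with a comment such as `# plain LDAP on 389 without STARTTLS; a simple bind on this connection is unprotected`. Inside the new branch `start_tls=self.start_tls` can simply be `start_tls=True`, since the branch is only entered when the flag is truthy. The `start_tls` keyword added to `Service.__init__` in the hunks above is undocumented; a comment at `self.start_tls = start_tls` such as `# request STARTTLS on the plain-LDAP connection opened by ldap_connect()` would help. The enclosing method starts before and continues after this hunk.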
 
-- 
2.1.0

From 61ef53bc5a831bd1f66b1f0dc0305f1f8efa2552 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 12 Mar 2015 14:41:30 +0100
Subject: [PATCH 2/2] ipa-dns-install: use LDAPI for all DS operations

ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of
DNS/DNSSEC-related service and thus makes -p option obsolete.

Furthermore, it now makes more sense to use LDAPI also for API Backend
connections to DS, and thus all forms of Kerberos auth were removed.

This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer
to fixing https://fedorahosted.org/freeipa/ticket/2957

---
 install/tools/ipa-dns-install            | 50 +++++++++++---------------------
 install/tools/man/ipa-dns-install.1      |  7 +++--
 ipaserver/install/bindinstance.py        | 10 +++----
 ipaserver/install/odsexporterinstance.py |  7 +++--
 ipaserver/install/opendnssecinstance.py  |  7 +++--
 5 files changed, 34 insertions(+), 47 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index b17dafaee467dd2e6bf6e75aa1fff48c002dfe16..4527447a7dbc69ab16bcd93e48f3c02adce684d7 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -21,14 +21,13 @@
 
 from optparse import OptionGroup, SUPPRESS_HELP
 
-import krbV
-
 from ipaserver.install import (service, bindinstance, ntpinstance,
     httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
 from ipaserver.install.installutils import *
 from ipaserver.install import installutils
 from ipapython import version
 from ipapython import ipautil, sysrestore
+from ipapython.ipaldap import AUTOBIND_ENABLED
 from ipalib import api, errors, util
 from ipaplatform.paths import paths
 from ipapython.config import IPAOptionParser
@@ -40,7 +39,7 @@ log_file_name = paths.IPASERVER_INSTALL_LOG
 def parse_options():
     parser = IPAOptionParser(version=version.VERSION)
     parser.add_option("-p", "--ds-password", dest="dm_password",
-                      sensitive=True, help="admin password")
+                      sensitive=True, help=SUPPRESS_HELP)
     parser.add_option("-d", "--debug", dest="debug", action="store_true",
                       default=False, help="print debugging information")
     parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS",
@@ -77,6 +76,9 @@ def parse_options():
         if not options.forwarders and not options.no_forwarders:
             parser.error("You must specify at least one --forwarder option or --no-forwarders option")
 
+    if options.dm_password:
+        print ("WARNING: Option -p/--ds-password is deprecated "
+               "and should not be used anymore.")
     return safe_options, options
 
 def main():
@@ -144,26 +146,16 @@ def main():
     api.bootstrap(**cfg)
     api.finalize()
 
-    # Create a BIND instance
-    if options.unattended and not options.dm_password:
-        sys.exit("\nIn unattended mode you need to provide at least the -p option")
 
-    dm_password = options.dm_password or read_password("Directory Manager",
-                                             confirm=False, validate=False)
-    if dm_password is None:
-        sys.exit("Directory Manager password required")
-    bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True)
+    # create BIND and OpenDNSSec instances
 
-    # try the connection
-    try:
-        bind.ldap_connect()
-        bind.ldap_disconnect()
-    except errors.ACIError:
-        sys.exit("Password is not valid!")
+    bind = bindinstance.BindInstance(fstore, ldapi=True,
+                                     autobind=AUTOBIND_ENABLED)
 
-    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
-                                                start_tls=True)
+    ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True,
+                                                autobind=AUTOBIND_ENABLED)
     if options.dnssec_master:
+        ods.realm = api.env.realm
         dnssec_masters = ods.get_masters()
         # we can reinstall current server if it is dnssec master
         if not api.env.host in dnssec_masters and dnssec_masters:
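Review bot: The early `bind.ldap_connect()` / `bind.ldap_disconnect()` probe is removed together with the password prompt, so a Directory Server that is down or an LDAPI autobind that is refused is no longer detected before the installer starts changing the system; it will surface later, at `api.Backend.ldap2.connect(autobind=True)` or inside `create_instance()`. Keeping a probe over the new LDAPI connection preserves that fail-early behaviour; note that `Service.ldap_connect()` raises `errors.NotFound` when `realm` is unset on an LDAPI connection (see the first patch), so the probe needs `bind.realm` assigned first, just as `ods.realm` is assigned below it (presumably `create_instance()` sets it again later). `errors.PublicError` is used as the catch-all base here; narrow it to the specific class ipaldap raises on a failed autobind if one is known. `main()` starts before and continues after this hunk.
```python
    bind = bindinstance.BindInstance(fstore, ldapi=True,
                                     autobind=AUTOBIND_ENABLED)
    # Probe the LDAPI/autobind connection before anything is changed;
    # ldap_connect() over LDAPI requires realm to be set.
    bind.realm = api.env.realm
    try:
        bind.ldap_connect()
        bind.ldap_disconnect()
    except errors.PublicError as e:
        sys.exit("Cannot connect to Directory Server over LDAPI: %s" % e)
    # … unchanged: OpenDNSSECInstance creation and dnssec_master check …
```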
@@ -189,12 +181,7 @@ def main():
 
     root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))
 
-    if bind.dm_password:
-        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
-    else:
-        # See if our LDAP server is up and we can talk to it over GSSAPI
-        ccache = krbV.default_context().default_ccache()
-        api.Backend.ldap2.connect(ccache)
+    api.Backend.ldap2.connect(autobind=True)
 
     reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
         options.reverse_zones, options, options.unattended, True)
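Review bot: The new `api.Backend.ldap2.connect(autobind=True)` carries no comment explaining why both the Directory Manager simple bind and the GSSAPI/ccache path were dropped, which a reader of the file rather than the commit log will need. A comment such as `# connect over LDAPI with autobind; no DM password (-p is deprecated) and no Kerberos ccache is needed` above the call would record that. `main()` continues outside the hunk.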
@@ -216,13 +203,11 @@ def main():
     bind.create_instance()
 
     # on dnssec master this must be installed last
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
-                                                        start_tls=True)
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
     dnskeysyncd.create_instance(api.env.host, api.env.realm)
     if options.dnssec_master:
-        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
-                                                               dm_password,
-                                                               start_tls=True)
+        ods_exporter = odsexporterinstance.ODSExporterInstance(
+            fstore, ldapi=True, autobind=AUTOBIND_ENABLED)
 
         ods_exporter.create_instance(api.env.host, api.env.realm)
         ods.create_instance(api.env.host, api.env.realm)
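Review bot: `dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)` is the only instance in this script that is not given `autobind=AUTOBIND_ENABLED`; `dnskeysyncinstance.py` is not in this patch's diffstat, so its `__init__` (as left by the first patch) has no `autobind` parameter and the instance falls back to the `Service` default `autobind=ipaldap.AUTOBIND_AUTO`. If the intent is that every installer connection uses LDAPI autobind, add the `autobind` keyword to `DNSKeySyncInstance.__init__` the same way the other three classes gained it and pass it here: `dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True, autobind=AUTOBIND_ENABLED)`. If AUTOBIND_AUTO is deliberate, a short comment on that line saying so would stop the next reader from "fixing" it. `main()` continues outside the hunk.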
@@ -251,6 +236,5 @@ def main():
     return 0
 
 if __name__ == '__main__':
-    with private_ccache():
-        installutils.run_script(main, log_file_name=log_file_name,
-            operation_name='ipa-dns-install')
+    installutils.run_script(main, log_file_name=log_file_name,
+                            operation_name='ipa-dns-install')
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 40efe7d2f8e0bd1af985dd4668562391c70c6afb..23427b1b15ddf21ff1aba5617adab395d2f25112 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -25,9 +25,6 @@ ipa\-dns\-install [\fIOPTION\fR]...
 Adds DNS as an IPA\-managed service. This requires that the IPA server is already installed and configured.
 .SH "OPTIONS"
 .TP
-\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
-The password to be used by the Directory Server for the Directory Manager user
-.TP
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed
 .TP
@@ -52,6 +49,10 @@ The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
 .TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
+.SH "DEPRECATED OPTIONS"
+.TP
+\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
+The password to be used by the Directory Server for the Directory Manager user
 .SH "EXIT STATUS"
 0 if the installation was successful
 
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index ebda4b6730c08c9925e09d87fcc935bd149e5314..fd0759d4cc3613a5272c8e9b90bf3a62087a8724 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -533,13 +533,13 @@ class DnsBackup(object):
 
 
 class BindInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, api=api,
-                 start_tls=False):
+    def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False,
+                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
         service.Service.__init__(self, "named",
                                  service_desc="DNS",
                                  dm_password=dm_password,
-                                 ldapi=False,
-                                 autobind=ipaldap.AUTOBIND_DISABLED,
+                                 ldapi=ldapi,
+                                 autobind=autobind,
                                  start_tls=start_tls)
         self.dns_backup = DnsBackup(self)
         self.named_user = None
@@ -584,7 +584,7 @@ class BindInstance(service.Service):
 
         self.first_instance = not dns_container_exists(
             self.fqdn, self.suffix, realm=self.realm, ldapi=True,
-            dm_password=self.dm_password)
+            dm_password=self.dm_password, autobind=self.autobind)
 
         self.__setup_sub_dict()
 
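Review bot: The changed `dns_container_exists(...)` call now passes `autobind=self.autobind`, but `dns_container_exists` itself is not touched by this patch (the diffstat for `bindinstance.py` accounts for only the two hunks shown), so unless it already accepts an `autobind` keyword this call raises `TypeError` at install time; please confirm its signature. `self.autobind` does exist on the instance, since `Service.__init__` stores it. The first patch shows a sibling helper, `dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, ...)`, whose signature is cut off at the hunk header — it may need the same keyword if `DNSKeySyncInstance` is later switched to autobind. The enclosing method starts before and continues after this hunk.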
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 859498e0365a87fc607ffa94cdf0779e81c95308..6e6fa4689c06c5dd26386c161edfa347a782b929 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -19,12 +19,13 @@ from ipalib import errors
 
 
 class ODSExporterInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, start_tls=False):
+    def __init__(self, fstore=None, dm_password=None, ldapi=False,
+                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
         service.Service.__init__(self, "ipa-ods-exporter",
                                  service_desc="IPA OpenDNSSEC exporter daemon",
                                  dm_password=dm_password,
-                                 ldapi=False,
-                                 autobind=ipaldap.AUTOBIND_DISABLED,
+                                 ldapi=ldapi,
+                                 autobind=autobind,
                                  start_tls=start_tls)
         self.dm_password = dm_password
         self.ods_uid = None
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 06ab4dba9fb054563b51c5763adcff7258e8771b..eaac9bb52e104d7c3f288a8d85b6a410b389c150 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -61,12 +61,13 @@ def check_inst():
 
 
 class OpenDNSSECInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, start_tls=False):
+    def __init__(self, fstore=None, dm_password=None, ldapi=False,
+                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
         service.Service.__init__(self, "ods-enforcerd",
                                  service_desc="OpenDNSSEC enforcer daemon",
                                  dm_password=dm_password,
-                                 ldapi=False,
-                                 autobind=ipaldap.AUTOBIND_DISABLED,
+                                 ldapi=ldapi,
+                                 autobind=autobind,
                                  start_tls=start_tls)
         self.dm_password = dm_password
         self.ods_uid = None
-- 
2.1.0

-- 
