On 03/12/2015 03:59 PM, Martin Babinsky wrote:
On 03/11/2015 03:13 PM, Martin Basti wrote:
On 11/03/15 13:00, Martin Babinsky wrote:
These patches solve https://fedorahosted.org/freeipa/ticket/4933.

They are to be applied to master branch. I will rebase them for
ipa-4-1 after the review.

Thank you for the patches.

I have a few comments:

IPA-4-1
Replacing the simple bind with LDAPI is too big a change for 4-1; there we should start TLS where possible so that the simple bind is not rejected by the server's minimum SSF requirement (the MINSSF>0 error). The LDAPI patches should
go only into the IPA master branch.

You can do something like this:
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -107,6 +107,10 @@ class Service(object):
                  if not self.realm:
                      raise errors.NotFound(reason="realm is missing for
%s" % (self))
                  conn = ipaldap.IPAdmin(ldapi=self.ldapi,
realm=self.realm)
+            elif self.dm_password is not None:
+                conn = ipaldap.IPAdmin(self.fqdn, port=389,
+                                       cacert=paths.IPA_CA_CRT,
+                                       start_tls=True)
              else:
                  conn = ipaldap.IPAdmin(self.fqdn, port=389)


PATCH 0018:
1)
please add there more chatty commit message about using LDAPI

2)
I do not like much idea of adding 'realm' kwarg into __init__ method of
OpenDNSSECInstance
IIUC, it is only because of the get_masters() method, which requires the realm in order to use
LDAPI.

You can just add ods.realm=<realm>, before call get_master() in
ipa-dns-install
     if options.dnssec_master:
+        ods.realm=api.env.realm
         dnssec_masters = ods.get_masters()
(Honza will change it anyway during refactoring)

PATCH 0019:
1)
the commit message deserves to be more chatty; can you explain there why you
removed the Kerberos credential cache?

Martin^2


Attaching updated patches.

Patch 0018 should go to both 4.1 and master branches.

Patch 0019 should go only to master.




One more update.

Patch 0018 is for both 4.1 and master.
Patch 0019 is for master only.

--
Martin^3 Babinsky
From b8fa778811cdde75da7faa5a2bc37a20655db372 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 12 Mar 2015 16:14:22 +0100
Subject: [PATCH] ipa-dns-install: use STARTTLS to connect to DS

BindInstance et al. now use STARTTLS to set up secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933
---
 install/tools/ipa-dns-install            | 12 ++++++++----
 ipaserver/install/bindinstance.py        | 10 ++++++----
 ipaserver/install/dnskeysyncinstance.py  |  7 ++++---
 ipaserver/install/odsexporterinstance.py |  5 +++--
 ipaserver/install/opendnssecinstance.py  |  5 +++--
 ipaserver/install/service.py             | 10 ++++++++--
 6 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 11f79f0f9be226aaee8c95deb31e7e21f8a18dbb..2b6ad02abee9428870b0a554f5b4088e77b0e852 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -151,7 +151,7 @@ def main():
                                              confirm=False, validate=False)
     if dm_password is None:
         sys.exit("Directory Manager password required")
-    bind = bindinstance.BindInstance(fstore, dm_password)
+    bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True)
 
     # try the connection
     try:
@@ -160,7 +160,8 @@ def main():
     except errors.ACIError:
         sys.exit("Password is not valid!")
 
-    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password)
+    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
+                                                start_tls=True)
     if options.dnssec_master:
         dnssec_masters = ods.get_masters()
         # we can reinstall current server if it is dnssec master
@@ -214,10 +215,13 @@ def main():
     bind.create_instance()
 
     # on dnssec master this must be installed last
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password)
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
+                                                        start_tls=True)
     dnskeysyncd.create_instance(api.env.host, api.env.realm)
     if options.dnssec_master:
-        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, dm_password)
+        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
+                                                               dm_password,
+                                                               start_tls=True)
 
         ods_exporter.create_instance(api.env.host, api.env.realm)
         ods.create_instance(api.env.host, api.env.realm)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 4e630e8ddfed524d021d19016f48615fc8c0ab9d..a6839f5882d8994b99deee459ecb0160bb47cfef 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -533,13 +533,15 @@ class DnsBackup(object):
 
 
 class BindInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None):
-        service.Service.__init__(self, "named",
+    def __init__(self, fstore=None, dm_password=None, start_tls=False):
+        service.Service.__init__(
+            self, "named",
             service_desc="DNS",
             dm_password=dm_password,
             ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED
-            )
+            autobind=ipaldap.AUTOBIND_DISABLED,
+            start_tls=start_tls
+        )
         self.dns_backup = DnsBackup(self)
         self.named_user = None
         self.domain = None
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 5da65d87b1471710b762f90b9a33c453c7d809b7..94edde2c1f19ac87827c2cf91a8f23e720f22b51 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -62,13 +62,14 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
 
 class DNSKeySyncInstance(service.Service):
     def __init__(self, fstore=None, dm_password=None, logger=root_logger,
-                 ldapi=False):
+                 ldapi=False, start_tls=False):
         service.Service.__init__(
             self, "ipa-dnskeysyncd",
             service_desc="DNS key synchronization service",
             dm_password=dm_password,
-            ldapi=ldapi
-            )
+            ldapi=ldapi,
+            start_tls=start_tls
+        )
         self.dm_password = dm_password
         self.logger = logger
         self.extra_config = [u'dnssecVersion 1', ]  # DNSSEC enabled
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 57b1451c0566d57ef4208314cfadaf8e225a6958..3f2674e541f8fea261734968e437708ee5578cc1 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -19,13 +19,14 @@ from ipalib import errors
 
 
 class ODSExporterInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None):
+    def __init__(self, fstore=None, dm_password=None, start_tls=False):
         service.Service.__init__(
             self, "ipa-ods-exporter",
             service_desc="IPA OpenDNSSEC exporter daemon",
             dm_password=dm_password,
             ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED
+            autobind=ipaldap.AUTOBIND_DISABLED,
+            start_tls=start_tls
         )
         self.dm_password = dm_password
         self.ods_uid = None
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 0d2fb009ea7d0614b9fea573e85ed6913f24439c..981f3bb1b16d1d4cf5655626d0dc914ad75b3021 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -61,13 +61,14 @@ def check_inst():
 
 
 class OpenDNSSECInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None):
+    def __init__(self, fstore=None, dm_password=None, start_tls=False):
         service.Service.__init__(
             self, "ods-enforcerd",
             service_desc="OpenDNSSEC enforcer daemon",
             dm_password=dm_password,
             ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED
+            autobind=ipaldap.AUTOBIND_DISABLED,
+            start_tls=start_tls
         )
         self.dm_password = dm_password
         self.ods_uid = None
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 3ae43d8f39cae39389ea02a14f95953fd3888cd0..e95b4f75628bf4d1b349e99f4905cfca10ee22e6 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -72,8 +72,9 @@ def format_seconds(seconds):
 
 
 class Service(object):
-    def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True,
-                 autobind=ipaldap.AUTOBIND_AUTO):
+    def __init__(self, service_name, service_desc=None, sstore=None,
+                 dm_password=None, ldapi=True, autobind=ipaldap.AUTOBIND_AUTO,
+                 start_tls=False):
         self.service_name = service_name
         self.service_desc = service_desc
         self.service = services.service(service_name)
@@ -82,6 +83,7 @@ class Service(object):
         self.dm_password = dm_password
         self.ldapi = ldapi
         self.autobind = autobind
+        self.start_tls = start_tls
 
         self.fqdn = socket.gethostname()
         self.admin_conn = None
@@ -107,6 +109,10 @@ class Service(object):
                 if not self.realm:
                     raise errors.NotFound(reason="realm is missing for %s" % (self))
                 conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
+            elif self.start_tls:
+                conn = ipaldap.IPAdmin(self.fqdn, port=389, protocol='ldap',
+                                       cacert=paths.IPA_CA_CRT,
+                                       start_tls=self.start_tls)
             else:
                 conn = ipaldap.IPAdmin(self.fqdn, port=389)
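Review bot: The STARTTLS branch is opt-in via `self.start_tls`, so any caller that passes `dm_password` without also passing `start_tls=True` still falls into the `else` branch and performs a plaintext simple bind on port 389; the reviewer's suggestion in the thread keyed the branch on `self.dm_password is not None`, which would make the secure path the default for password binds. Consider `elif self.start_tls or self.dm_password is not None:` so that forgetting the flag cannot downgrade the bind, and keep `start_tls=True` there rather than `start_tls=self.start_tls`. Also note the branch order: when `ldapi` is set the new branch is never reached, so a `start_tls=True` passed together with `ldapi=True` is silently ignored — worth a comment such as `# ldapi takes precedence; start_tls only applies to the TCP path`. The enclosing method starts before this hunk.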
 
-- 
2.1.0

From e893d191839d63bd650f0574f8bcaa94ecc64ad2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 12 Mar 2015 17:05:39 +0100
Subject: [PATCH 2/2] ipa-dns-install: use LDAPI for all DS operations

ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of
the DNS/DNSSEC-related services, which makes the -p option obsolete.

Furthermore, it now makes more sense to use LDAPI also for the API Backend
connection to DS, and thus all forms of Kerberos auth were removed.

This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer
to fixing https://fedorahosted.org/freeipa/ticket/2957
---
 install/tools/ipa-dns-install            | 50 +++++++++++---------------------
 install/tools/man/ipa-dns-install.1      |  7 +++--
 ipaserver/install/bindinstance.py        | 10 +++----
 ipaserver/install/odsexporterinstance.py |  7 +++--
 ipaserver/install/opendnssecinstance.py  |  7 +++--
 5 files changed, 34 insertions(+), 47 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index b17dafaee467dd2e6bf6e75aa1fff48c002dfe16..4527447a7dbc69ab16bcd93e48f3c02adce684d7 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -21,14 +21,13 @@
 
 from optparse import OptionGroup, SUPPRESS_HELP
 
-import krbV
-
 from ipaserver.install import (service, bindinstance, ntpinstance,
     httpinstance, dnskeysyncinstance, opendnssecinstance, odsexporterinstance)
 from ipaserver.install.installutils import *
 from ipaserver.install import installutils
 from ipapython import version
 from ipapython import ipautil, sysrestore
+from ipapython.ipaldap import AUTOBIND_ENABLED
 from ipalib import api, errors, util
 from ipaplatform.paths import paths
 from ipapython.config import IPAOptionParser
@@ -40,7 +39,7 @@ log_file_name = paths.IPASERVER_INSTALL_LOG
 def parse_options():
     parser = IPAOptionParser(version=version.VERSION)
     parser.add_option("-p", "--ds-password", dest="dm_password",
-                      sensitive=True, help="admin password")
+                      sensitive=True, help=SUPPRESS_HELP)
     parser.add_option("-d", "--debug", dest="debug", action="store_true",
                       default=False, help="print debugging information")
     parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS",
@@ -77,6 +76,9 @@ def parse_options():
         if not options.forwarders and not options.no_forwarders:
             parser.error("You must specify at least one --forwarder option or --no-forwarders option")
 
+    if options.dm_password:
+        print ("WARNING: Option -p/--ds-password is deprecated "
+               "and should not be used anymore.")
     return safe_options, options
 
 def main():
@@ -144,26 +146,16 @@ def main():
     api.bootstrap(**cfg)
     api.finalize()
 
-    # Create a BIND instance
-    if options.unattended and not options.dm_password:
-        sys.exit("\nIn unattended mode you need to provide at least the -p option")
 
-    dm_password = options.dm_password or read_password("Directory Manager",
-                                             confirm=False, validate=False)
-    if dm_password is None:
-        sys.exit("Directory Manager password required")
-    bind = bindinstance.BindInstance(fstore, dm_password, start_tls=True)
+    # create BIND and OpenDNSSec instances
 
-    # try the connection
-    try:
-        bind.ldap_connect()
-        bind.ldap_disconnect()
-    except errors.ACIError:
-        sys.exit("Password is not valid!")
+    bind = bindinstance.BindInstance(fstore, ldapi=True,
+                                     autobind=AUTOBIND_ENABLED)
 
-    ods = opendnssecinstance.OpenDNSSECInstance(fstore, dm_password,
-                                                start_tls=True)
+    ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True,
+                                                autobind=AUTOBIND_ENABLED)
     if options.dnssec_master:
+        ods.realm = api.env.realm
         dnssec_masters = ods.get_masters()
         # we can reinstall current server if it is dnssec master
         if not api.env.host in dnssec_masters and dnssec_masters:
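Review bot: The early `bind.ldap_connect()`/`ldap_disconnect()` probe is removed along with the password prompt, so a DS that is down, an LDAPI socket that is missing, or an autobind mapping that does not resolve to Directory Manager now surfaces only at `api.Backend.ldap2.connect(autobind=True)` further down, after the forwarder and reverse-zone prompts have already been answered. Consider keeping a cheap probe right after constructing `bind`: `try: bind.ldap_connect(); bind.ldap_disconnect()` with a `sys.exit("Cannot connect to the Directory Server over LDAPI: %s" % e)` on the ipaldap error classes. Note also that `bind` is used with `ldapi=True` but its `realm` is only set for `ods`; presumably `bind.create_instance()` fills it in before the first connect, but `Service.ldap_connect` raises `NotFound` when `realm` is missing, so that ordering is worth a comment.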
@@ -189,12 +181,7 @@ def main():
 
     root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))
 
-    if bind.dm_password:
-        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
-    else:
-        # See if our LDAP server is up and we can talk to it over GSSAPI
-        ccache = krbV.default_context().default_ccache()
-        api.Backend.ldap2.connect(ccache)
+    api.Backend.ldap2.connect(autobind=True)
 
     reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
         options.reverse_zones, options, options.unattended, True)
@@ -216,13 +203,11 @@ def main():
     bind.create_instance()
 
     # on dnssec master this must be installed last
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, dm_password,
-                                                        start_tls=True)
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
     dnskeysyncd.create_instance(api.env.host, api.env.realm)
     if options.dnssec_master:
-        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore,
-                                                               dm_password,
-                                                               start_tls=True)
+        ods_exporter = odsexporterinstance.ODSExporterInstance(
+            fstore, ldapi=True, autobind=AUTOBIND_ENABLED)
 
         ods_exporter.create_instance(api.env.host, api.env.realm)
         ods.create_instance(api.env.host, api.env.realm)
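Review bot: `DNSKeySyncInstance(fstore, ldapi=True)` is the only instance in this file that does not pass `autobind=AUTOBIND_ENABLED`; its constructor has no `autobind` parameter, so it inherits the `Service` default (`AUTOBIND_AUTO`), which presumably behaves differently from the explicit `AUTOBIND_ENABLED` used for `bind`, `ods` and `ods_exporter` when the autobind mapping fails. For consistency add an `autobind=ipaldap.AUTOBIND_DISABLED` parameter to `DNSKeySyncInstance.__init__` mirroring the other three classes, and call it here as `dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True, autobind=AUTOBIND_ENABLED)`.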
@@ -251,6 +236,5 @@ def main():
     return 0
 
 if __name__ == '__main__':
-    with private_ccache():
-        installutils.run_script(main, log_file_name=log_file_name,
-            operation_name='ipa-dns-install')
+    installutils.run_script(main, log_file_name=log_file_name,
+                            operation_name='ipa-dns-install')
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 40efe7d2f8e0bd1af985dd4668562391c70c6afb..23427b1b15ddf21ff1aba5617adab395d2f25112 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -25,9 +25,6 @@ ipa\-dns\-install [\fIOPTION\fR]...
 Adds DNS as an IPA\-managed service. This requires that the IPA server is already installed and configured.
 .SH "OPTIONS"
 .TP
-\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
-The password to be used by the Directory Server for the Directory Manager user
-.TP
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed
 .TP
@@ -52,6 +49,10 @@ The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
 .TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
+.SH "DEPRECATED OPTIONS"
+.TP
+\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
+The password to be used by the Directory Server for the Directory Manager user
 .SH "EXIT STATUS"
 0 if the installation was successful
 
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 679dc5b9581a70964bad33041aa312a6efe5a72c..97dcb3d950fb63d0e9bf6332868efd52190b27a7 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -533,14 +533,14 @@ class DnsBackup(object):
 
 
 class BindInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, api=api,
-                 start_tls=False):
+    def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False,
+                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
         service.Service.__init__(
             self, "named",
             service_desc="DNS",
             dm_password=dm_password,
-            ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED,
+            ldapi=ldapi,
+            autobind=autobind,
             start_tls=start_tls
         )
         self.dns_backup = DnsBackup(self)
@@ -586,7 +586,7 @@ class BindInstance(service.Service):
 
         self.first_instance = not dns_container_exists(
             self.fqdn, self.suffix, realm=self.realm, ldapi=True,
-            dm_password=self.dm_password)
+            dm_password=self.dm_password, autobind=self.autobind)
 
         self.__setup_sub_dict()
 
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 463e9a675cf6ade05917c25e96bf3b6a05388b6d..5b6245bc48803b4c5545299e4386213319ae859a 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -19,13 +19,14 @@ from ipalib import errors
 
 
 class ODSExporterInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, start_tls=False):
+    def __init__(self, fstore=None, dm_password=None, ldapi=False,
+                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
         service.Service.__init__(
             self, "ipa-ods-exporter",
             service_desc="IPA OpenDNSSEC exporter daemon",
             dm_password=dm_password,
-            ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED,
+            ldapi=ldapi,
+            autobind=autobind,
             start_tls=start_tls
         )
         self.dm_password = dm_password
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 2a2c3126f75ef1709f0091df0bc347896a5032fd..c9c7bd1f6852f6154add6705243ac94859385a11 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -61,13 +61,14 @@ def check_inst():
 
 
 class OpenDNSSECInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, start_tls=False):
+    def __init__(self, fstore=None, dm_password=None, ldapi=False,
+                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
         service.Service.__init__(
             self, "ods-enforcerd",
             service_desc="OpenDNSSEC enforcer daemon",
             dm_password=dm_password,
-            ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED,
+            ldapi=ldapi,
+            autobind=autobind,
             start_tls=start_tls
         )
         self.dm_password = dm_password
-- 
2.1.0
