Hi,
the attached patches fix several shortcomings in ipa-kra-install; see the
commit messages for details.
<https://fedorahosted.org/freeipa/ticket/3872>
(Patch 434 was introduced in
<https://www.redhat.com/archives/freeipa-devel/2015-June/msg00035.html>.)
Honza
--
Jan Cholasta
>From 7a668e773b9c7a600e8ab9581aa70ab5629123fc Mon Sep 17 00:00:00 2001
From: Jan Cholasta <[email protected]>
Date: Wed, 10 Jun 2015 10:35:43 +0000
Subject: [PATCH 1/3] vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872
---
freeipa.spec.in | 1 +
install/share/Makefile.am | 1 +
install/share/vault.update | 24 ++++++++++++++++++++++++
install/updates/40-vault.update | 19 -------------------
install/updates/Makefile.am | 1 -
ipa-client/man/default.conf.5 | 2 +-
ipalib/constants.py | 2 +-
ipaplatform/base/paths.py | 1 +
ipaserver/install/kra.py | 4 ++--
ipaserver/install/krainstance.py | 21 +++++++++++++++++----
ipatests/test_xmlrpc/test_vault_plugin.py | 24 ++++++++++++------------
11 files changed, 60 insertions(+), 40 deletions(-)
create mode 100644 install/share/vault.update
delete mode 100644 install/updates/40-vault.update
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 23c3d1a..64b24c8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -716,6 +716,7 @@ fi
%{_usr}/share/ipa/copy-schema-to-ca.py*
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.update
%{_usr}/share/ipa/*.template
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 31f391b..5d8397b 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -82,6 +82,7 @@ app_DATA = \
copy-schema-to-ca.py \
sasl-mapping-fallback.ldif \
schema-update.ldif \
+ vault.update \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/vault.update b/install/share/vault.update
new file mode 100644
index 0000000..dcd1e2a
--- /dev/null
+++ b/install/share/vault.update
@@ -0,0 +1,24 @@
+dn: cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: kra
+
+dn: cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: vaults
+
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: services
+
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: shared
+
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: users
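Review bot: Nothing in this series applies the new containers to deployments that already exist: the file lives under install/share rather than install/updates (the 40-vault.update that the updater used to pick up is deleted below), and the only caller visible on the page is the new `__add_vault_container` step in krainstance.py, which runs at KRA install time. A server upgraded with an already-installed KRA therefore appears to keep `cn=vaults,$SUFFIX` and never gets `cn=vaults,cn=kra,$SUFFIX`, so the vault plugin's container_vault lookup would fail there — worth confirming against the upgrade path, which is not shown. If that is intended, a header comment such as `# Applied by KRAInstance.__add_vault_container at KRA install time; not picked up by ipa-server-upgrade` would make the contract explicit.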
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
deleted file mode 100644
index 5a6b8c6..0000000
--- a/install/updates/40-vault.update
+++ /dev/null
@@ -1,19 +0,0 @@
-dn: cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: vaults
-
-dn: cn=services,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: services
-
-dn: cn=shared,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: shared
-
-dn: cn=users,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: users
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index fc6bd62..1c7da35 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -34,7 +34,6 @@ app_DATA = \
40-automember.update \
40-certprofile.update \
40-otp.update \
- 40-vault.update \
45-roles.update \
50-7_bit_check.update \
50-dogtag10-migration.update \
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 0973f1a..e345e93 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -221,7 +221,7 @@ The following define the containers for the IPA server. Containers define where
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts
- container_vault: cn=vaults
+ container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc
.SH "FILES"
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 93d7aaa..0ffdcbf 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -99,7 +99,7 @@ DEFAULT_CONFIG = (
('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))),
('container_dns', DN(('cn', 'dns'))),
- ('container_vault', DN(('cn', 'vaults'))),
+ ('container_vault', DN(('cn', 'vaults'), ('cn', 'kra'))),
('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))),
('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))),
('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))),
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9ba8752..b83e948 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -247,6 +247,7 @@ class BasePathNamespace(object):
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/"
+ VAULT_UPDATE = "/usr/share/ipa/vault.update"
PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 2ff8df5..8083c74 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -46,8 +46,8 @@ def install(replica_config, options, dm_password):
dogtag_constants=dogtag.install_constants)
kra.configure_instance(
- api.env.host, api.env.domain, dm_password,
- dm_password, subject_base=subject)
+ api.env.realm, api.env.host, api.env.domain, options.dm_password,
+ options.dm_password, subject_base=subject)
else:
kra = krainstance.install_replica_kra(replica_config)
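Review bot: The `dm_password` parameter of install() is no longer read in this hunk — both password arguments now come from `options.dm_password` — so either the parameter is dead or the two values can diverge for a caller that passes a password different from the one in options. install()'s signature and the rest of its body are outside the hunk; if the parameter has no remaining use there, drop it from the signature and its callers, or keep passing it through, e.g. `api.env.realm, api.env.host, api.env.domain, dm_password,` / `dm_password, subject_base=subject)`, and say in the commit message which of the two is the source of truth.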
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 7c1bded..50ab424 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -28,11 +28,11 @@ from ipalib import api
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import dogtag
-from ipapython import ipaldap
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import certs
from ipaserver.install import cainstance
+from ipaserver.install import ldapupdate
from ipaserver.install import service
from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
@@ -70,7 +70,7 @@ class KRAInstance(DogtagInstance):
self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
self.log = log_mgr.get_logger(self)
- def configure_instance(self, host_name, domain, dm_password,
+ def configure_instance(self, realm_name, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None,
master_replication_port=None,
@@ -93,6 +93,8 @@ class KRAInstance(DogtagInstance):
self.subject_base = DN(('O', self.realm))
else:
self.subject_base = subject_base
+ self.realm = realm_name
+ self.suffix = ipautil.realm_to_suffix(realm_name)
# Confirm that a KRA does not already exist
if self.is_installed():
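Review bot: `self.realm` is read on the context line `self.subject_base = DN(('O', self.realm))` before the hunk assigns `self.realm = realm_name` two lines later. If the constructor already sets self.realm (kra.py constructs the instance with api.env.realm, which the subject_base branch appears to rely on), the new realm_name parameter duplicates that state and the reassignment only matters when the two differ; if it does not, the subject_base branch reads an unset attribute. Moving the two new assignments above the subject_base block, or deriving `self.suffix = ipautil.realm_to_suffix(self.realm)` without a new parameter, would remove the ambiguity either way. configure_instance's signature and body continue outside the hunk.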
@@ -115,8 +117,9 @@ class KRAInstance(DogtagInstance):
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
- self.step("Configure HTTP to proxy connections",
+ self.step("configure HTTP to proxy connections",
self.http_proxy)
+ self.step("add vault container", self.__add_vault_container)
self.start_creation(runtime=126)
@@ -335,6 +338,15 @@ class KRAInstance(DogtagInstance):
"--client-cert", paths.KRA_AGENT_PEM]
ipautil.run(args)
+ def __add_vault_container(self):
+ sub_dict = {
+ 'SUFFIX': self.suffix,
+ }
+
+ ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
+ sub_dict=sub_dict)
+ ld.update([paths.VAULT_UPDATE])
+
@staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None):
"""
@@ -391,7 +403,8 @@ def install_replica_kra(config, postinstall=False):
if _kra.is_installed():
sys.exit("A KRA is already configured on this system.")
- _kra.configure_instance(config.host_name, config.domain_name,
+ _kra.configure_instance(config.realm_name,
+ config.host_name, config.domain_name,
config.dirman_password, config.dirman_password,
pkcs12_info=(krafile,),
master_host=config.master_host_name,
diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py
index 4b18672..9a40547 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -57,7 +57,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': 'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -78,7 +78,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -97,7 +97,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -152,7 +152,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -175,7 +175,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
},
@@ -196,7 +196,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
},
@@ -254,7 +254,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -277,7 +277,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -298,7 +298,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -356,7 +356,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -379,7 +379,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
},
@@ -400,7 +400,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
},
--
2.1.0
>From 6e8bfe13fe6b5592bef76b80947506a3f5987be9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <[email protected]>
Date: Wed, 10 Jun 2015 08:22:30 +0000
Subject: [PATCH 2/3] install: Initialize API early in server and replica
install
https://fedorahosted.org/freeipa/ticket/4468
---
ipaserver/install/server/install.py | 90 +++++-----
ipaserver/install/server/replicainstall.py | 278 +++++++++++++++--------------
2 files changed, 191 insertions(+), 177 deletions(-)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 59a9d1e..89473dc 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -301,6 +301,8 @@ def install_check(installer):
external_ca_file = installer._external_ca_file
http_ca_cert = installer._ca_cert
+ dogtag_constants = dogtag.install_constants
+
tasks.check_selinux_status()
if options.master_password:
@@ -550,6 +552,51 @@ def install_check(installer):
else:
admin_password = options.admin_password
+ # Configuration for ipalib, we will bootstrap and finalize later, after
+ # we are sure we have the configuration file ready.
+ cfg = dict(
+ context='installer',
+ in_server=True,
+ )
+
+ # Create the management framework config file and finalize api
+ target_fname = paths.IPA_DEFAULT_CONF
+ fd = open(target_fname, "w")
+ fd.write("[global]\n")
+ fd.write("host=%s\n" % host_name)
+ fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
+ fd.write("realm=%s\n" % realm_name)
+ fd.write("domain=%s\n" % domain_name)
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+ installutils.realm_to_serverid(realm_name))
+ if setup_ca:
+ fd.write("enable_ra=True\n")
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
+ else:
+ fd.write("enable_ra=False\n")
+ fd.write("ra_plugin=none\n")
+ fd.write("mode=production\n")
+ fd.close()
+
+ # Must be readable for everyone
+ os.chmod(target_fname, 0644)
+
+ system_hostname = get_fqdn()
+ if host_name != system_hostname:
+ root_logger.debug("Chosen hostname (%s) differs from system hostname "
+ "(%s) - change it" % (host_name, system_hostname))
+ # update `api.env.ca_host` to correct hostname
+ # https://fedorahosted.org/freeipa/ticket/4936
+ api.env.ca_host = host_name
+
+ api.bootstrap(**cfg)
+ if setup_ca:
+ # ensure profile backend is available
+ import ipaserver.plugins.dogtag
+ api.finalize()
+
if setup_ca:
ca.install_check(False, None, options)
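Review bot: The relocated config writer no longer emits the `enable_kra=%s` line that the block removed from install() below used to write (`fd.write("enable_kra=%s\n" % setup_kra)`), so after this patch alone a fresh server's default.conf has no enable_kra and the vault plugin, which still reads api.env.enable_kra until patch 3, sees only the default. If the drop is deliberate because patch 3 switches to an LDAP lookup, state that in the commit message; otherwise re-add the line after the ra_plugin branch. Separately, install_check now writes paths.IPA_DEFAULT_CONF before the remaining checks run, and the open/write/close sequence has no try/finally, so a write error leaves the descriptor open and a failed later check leaves the world-readable config on disk; the replica variant in this same patch wraps the equivalent sequence in try/finally, and `with open(target_fname, "w") as fd:` would be the consistent, simpler form. Whether anything removes the file when install_check fails is outside the hunk.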
@@ -656,38 +703,6 @@ def install(installer):
# failure to enable root cause investigation
installer._installation_cleanup = False
- # Configuration for ipalib, we will bootstrap and finalize later, after
- # we are sure we have the configuration file ready.
- cfg = dict(
- context='installer',
- in_server=True,
- )
-
- # Create the management framework config file and finalize api
- target_fname = paths.IPA_DEFAULT_CONF
- fd = open(target_fname, "w")
- fd.write("[global]\n")
- fd.write("host=%s\n" % host_name)
- fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
- fd.write("realm=%s\n" % realm_name)
- fd.write("domain=%s\n" % domain_name)
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(host_name))
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
- installutils.realm_to_serverid(realm_name))
- if setup_ca:
- fd.write("enable_ra=True\n")
- fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
- else:
- fd.write("enable_ra=False\n")
- fd.write("ra_plugin=none\n")
- fd.write("enable_kra=%s\n" % setup_kra)
- fd.write("mode=production\n")
- fd.close()
-
- # Must be readable for everyone
- os.chmod(target_fname, 0644)
-
if installer.interactive:
print ""
print "The following operations may take some minutes to complete."
@@ -696,19 +711,8 @@ def install(installer):
system_hostname = get_fqdn()
if host_name != system_hostname:
- root_logger.debug("Chosen hostname (%s) differs from system hostname "
- "(%s) - change it" % (host_name, system_hostname))
# configure /etc/sysconfig/network to contain the custom hostname
tasks.backup_and_replace_hostname(fstore, sstore, host_name)
- # update `api.env.ca_host` to correct hostname
- # https://fedorahosted.org/freeipa/ticket/4936
- api.env.ca_host = host_name
-
- api.bootstrap(**cfg)
- if setup_ca:
- # ensure profile backend is available
- import ipaserver.plugins.dogtag
- api.finalize()
# Create DS user/group if it doesn't exist yet
dsinstance.create_ds_user()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 9455117..0429a40 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -355,6 +355,143 @@ def install_check(installer):
config.setup_ca = options.setup_ca
config.setup_kra = options.setup_kra
+ # Create the management framework config file
+ # Note: We must do this before bootstraping and finalizing ipalib.api
+ old_umask = os.umask(022) # must be readable for httpd
+ try:
+ fd = open(paths.IPA_DEFAULT_CONF, "w")
+ fd.write("[global]\n")
+ fd.write("host=%s\n" % config.host_name)
+ fd.write("basedn=%s\n" %
+ str(ipautil.realm_to_suffix(config.realm_name)))
+ fd.write("realm=%s\n" % config.realm_name)
+ fd.write("domain=%s\n" % config.domain_name)
+ fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
+ ipautil.format_netloc(config.host_name))
+ fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+ installutils.realm_to_serverid(config.realm_name))
+ if ipautil.file_exists(config.dir + "/cacert.p12"):
+ fd.write("enable_ra=True\n")
+ fd.write("ra_plugin=dogtag\n")
+ fd.write("dogtag_version=%s\n" %
+ dogtag.install_constants.DOGTAG_VERSION)
+ else:
+ fd.write("enable_ra=False\n")
+ fd.write("ra_plugin=none\n")
+
+ fd.write("enable_kra=%s\n" % config.setup_kra)
+
+ fd.write("mode=production\n")
+ fd.close()
+ finally:
+ os.umask(old_umask)
+
+ api.bootstrap(in_server=True, context='installer')
+ api.finalize()
+
+ installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
+
+ cafile = config.dir + "/ca.crt"
+
+ ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+ remote_api = create_api(mode=None)
+ remote_api.bootstrap(in_server=True, context='installer',
+ ldap_uri=ldapuri)
+ remote_api.finalize()
+ conn = remote_api.Backend.ldap2
+ replman = None
+ try:
+ # Try out the password
+ conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
+ tls_cacertfile=cafile)
+ replman = ReplicationManager(config.realm_name,
+ config.master_host_name,
+ config.dirman_password)
+
+ # Check that we don't already have a replication agreement
+ try:
+ (agreement_cn, agreement_dn) = replman.agreement_dn(
+ config.host_name)
+ entry = conn.get_entry(agreement_dn, ['*'])
+ except errors.NotFound:
+ pass
+ else:
+ root_logger.info('Error: A replication agreement for this '
+ 'host already exists.')
+ print('A replication agreement for this host already exists. '
+ 'It needs to be removed.')
+ print "Run this on the master that generated the info file:"
+ print(" %% ipa-replica-manage del %s --force" %
+ config.host_name)
+ sys.exit(3)
+
+ # Detect the current domain level
+ try:
+ current = remote_api.Command['domainlevel_get']()['result']
+ except errors.NotFound:
+ # If we're joining an older master, domain entry is not
+ # available
+ current = 0
+
+ # Detect if current level is out of supported range
+ # for this IPA version
+ under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
+ above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
+
+ if under_lower_bound or above_upper_bound:
+ message = ("This version of FreeIPA does not support "
+ "the Domain Level which is currently set for "
+ "this domain. The Domain Level needs to be "
+ "raised before installing a replica with "
+ "this version is allowed to be installed "
+ "within this domain.")
+ root_logger.error(message)
+ print(message)
+ sys.exit(3)
+
+ # Check pre-existing host entry
+ try:
+ entry = conn.find_entries(u'fqdn=%s' % config.host_name,
+ ['fqdn'], DN(api.env.container_host,
+ api.env.basedn))
+ except errors.NotFound:
+ pass
+ else:
+ root_logger.info('Error: Host %s already exists on the master '
+ 'server.' % config.host_name)
+ print('The host %s already exists on the master server.' %
+ config.host_name)
+ print "You should remove it before proceeding:"
+ print " %% ipa host-del %s" % config.host_name
+ sys.exit(3)
+
+ dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
+ if dns_masters:
+ if not options.no_host_dns:
+ master = config.master_host_name
+ root_logger.debug('Check forward/reverse DNS resolution')
+ resolution_ok = (
+ check_dns_resolution(master, dns_masters) and
+ check_dns_resolution(config.host_name, dns_masters))
+ if not resolution_ok and installer.interactive:
+ if not ipautil.user_input("Continue?", False):
+ sys.exit(0)
+ else:
+ root_logger.debug('No IPA DNS servers, '
+ 'skipping forward/reverse resolution check')
+
+ except errors.ACIError:
+ sys.exit("\nThe password provided is incorrect for LDAP server "
+ "%s" % config.master_host_name)
+ except errors.LDAPError:
+ sys.exit("\nUnable to connect to LDAP server %s" %
+ config.master_host_name)
+ finally:
+ if replman and replman.conn:
+ replman.conn.unbind()
+ if conn.isconnected():
+ conn.disconnect()
+
if options.setup_ca:
options.realm_name = config.realm_name
options.host_name = config.host_name
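Review bot: `cafile` is passed as `tls_cacertfile` for the ldaps bind to the master before its existence is verified — the `if not ipautil.file_exists(cafile)` check that raises the explanatory "CA cert file is not available" RuntimeError stays in the later hunk of install_check, after this block. With a missing ca.crt the connect presumably fails first and is reported as the generic `errors.LDAPError` exit, and whether the backend refuses or skips verification when the CA file is absent is not visible here; moving the existence check up to directly after `cafile = config.dir + "/ca.crt"` restores the previous ordering. Also, the install() code removed below bootstrapped remote_api with `ldap_uri=ldapuri, basedn=DN()` while the new call passes only `ldap_uri=ldapuri`; since remote_api is now reused by install() through installer._remote_api, confirm the basedn change is intended rather than a slip in the move.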
@@ -369,8 +506,6 @@ def install_check(installer):
print str(e)
sys.exit(1)
- installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
-
if options.setup_dns:
dns.install_check(False, True, options, config.host_name)
else:
@@ -384,11 +519,11 @@ def install_check(installer):
config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, config.ca_ds_port, options.admin_password)
- cafile = config.dir + "/ca.crt"
if not ipautil.file_exists(cafile):
raise RuntimeError("CA cert file is not available. Please run "
"ipa-replica-prepare to create a new replica file.")
+ installer._remote_api = remote_api
installer._fstore = fstore
installer._sstore = sstore
installer._config = config
@@ -403,144 +538,19 @@ def install(installer):
dogtag_constants = dogtag.install_constants
- # Create the management framework config file
- # Note: We must do this before bootstraping and finalizing ipalib.api
- old_umask = os.umask(022) # must be readable for httpd
- try:
- fd = open(paths.IPA_DEFAULT_CONF, "w")
- fd.write("[global]\n")
- fd.write("host=%s\n" % config.host_name)
- fd.write("basedn=%s\n" %
- str(ipautil.realm_to_suffix(config.realm_name)))
- fd.write("realm=%s\n" % config.realm_name)
- fd.write("domain=%s\n" % config.domain_name)
- fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
- ipautil.format_netloc(config.host_name))
- fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
- installutils.realm_to_serverid(config.realm_name))
- if ipautil.file_exists(config.dir + "/cacert.p12"):
- fd.write("enable_ra=True\n")
- fd.write("ra_plugin=dogtag\n")
- fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
- else:
- fd.write("enable_ra=False\n")
- fd.write("ra_plugin=none\n")
-
- fd.write("enable_kra=%s\n" % config.setup_kra)
-
- fd.write("mode=production\n")
- fd.close()
- finally:
- os.umask(old_umask)
-
- api.bootstrap(in_server=True, context='installer')
- api.finalize()
-
# Create DS user/group if it doesn't exist yet
dsinstance.create_ds_user()
cafile = config.dir + "/ca.crt"
- ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
- remote_api = create_api(mode=None)
- remote_api.bootstrap(in_server=True, context='installer',
- ldap_uri=ldapuri, basedn=DN())
- remote_api.finalize()
+ remote_api = installer._remote_api
conn = remote_api.Backend.ldap2
- replman = None
try:
- try:
- # Try out the password
- conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
- tls_cacertfile=cafile)
- replman = ReplicationManager(config.realm_name,
- config.master_host_name,
- config.dirman_password)
-
- # Check that we don't already have a replication agreement
- try:
- (agreement_cn, agreement_dn) = replman.agreement_dn(
- config.host_name)
- entry = conn.get_entry(agreement_dn, ['*'])
- except errors.NotFound:
- pass
- else:
- root_logger.info('Error: A replication agreement for this '
- 'host already exists.')
- print('A replication agreement for this host already exists. '
- 'It needs to be removed.')
- print "Run this on the master that generated the info file:"
- print(" %% ipa-replica-manage del %s --force" %
- config.host_name)
- sys.exit(3)
-
- # Detect the current domain level
- try:
- current = remote_api.Command['domainlevel_get']()['result']
- except errors.NotFound:
- # If we're joining an older master, domain entry is not
- # available
- current = 0
-
- # Detect if current level is out of supported range
- # for this IPA version
- under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
- above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
-
- if under_lower_bound or above_upper_bound:
- message = ("This version of FreeIPA does not support "
- "the Domain Level which is currently set for "
- "this domain. The Domain Level needs to be "
- "raised before installing a replica with "
- "this version is allowed to be installed "
- "within this domain.")
- root_logger.error(message)
- print(message)
- sys.exit(3)
-
- # Check pre-existing host entry
- try:
- entry = conn.find_entries(u'fqdn=%s' % config.host_name,
- ['fqdn'], DN(api.env.container_host,
- api.env.basedn))
- except errors.NotFound:
- pass
- else:
- root_logger.info('Error: Host %s already exists on the master '
- 'server.' % config.host_name)
- print('The host %s already exists on the master server.' %
- config.host_name)
- print "You should remove it before proceeding:"
- print " %% ipa host-del %s" % config.host_name
- sys.exit(3)
-
- # Install CA cert so that we can do SSL connections with ldap
- install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
-
- dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
- if dns_masters:
- if not options.no_host_dns:
- master = config.master_host_name
- root_logger.debug('Check forward/reverse DNS resolution')
- resolution_ok = (
- check_dns_resolution(master, dns_masters) and
- check_dns_resolution(config.host_name, dns_masters))
- if not resolution_ok and installer.interactive:
- if not ipautil.user_input("Continue?", False):
- sys.exit(0)
- else:
- root_logger.debug('No IPA DNS servers, '
- 'skipping forward/reverse resolution check')
-
- except errors.ACIError:
- sys.exit("\nThe password provided is incorrect for LDAP server "
- "%s" % config.master_host_name)
- except errors.LDAPError:
- sys.exit("\nUnable to connect to LDAP server %s" %
- config.master_host_name)
- finally:
- if replman and replman.conn:
- replman.conn.unbind()
+ conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
+ tls_cacertfile=cafile)
+
+ # Install CA cert so that we can do SSL connections with ldap
+ install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
# Configure ntpd
if not options.no_ntp:
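Review bot: The connect in install() now sits directly under an outer `try:` whose except/finally clauses are past the end of the hunk, and the narrow `errors.ACIError`/`errors.LDAPError` handlers with their explanatory messages were removed together with the moved checks. install_check validated the same credentials against the same master moments earlier, so a failure here is most likely a connectivity problem, but it will now surface through whatever the outer handler does rather than the previous "Unable to connect to LDAP server" message; a comment above the connect, `# credentials and agreement state were already verified in install_check(); a failure here is a connectivity problem`, would record why the handlers are gone. `cafile = config.dir + "/ca.crt"` is also recomputed here although install_check derived the same value; storing it on installer next to `_remote_api` would avoid the duplication.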
--
2.1.0
>From 35a1032ee5e3095e0177a0f0cf19834ac5ef699d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <[email protected]>
Date: Wed, 10 Jun 2015 08:50:42 +0000
Subject: [PATCH 3/3] vault: Fix ipa-kra-install
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.
https://fedorahosted.org/freeipa/ticket/3872
---
API.txt | 6 +++
VERSION | 4 +-
ipalib/plugins/vault.py | 38 ++++++++++++-----
ipaplatform/base/paths.py | 4 +-
ipaserver/install/installutils.py | 16 --------
ipaserver/install/ipa_kra_install.py | 22 ++++++----
ipaserver/install/kra.py | 65 +++++++++++++-----------------
ipaserver/install/server/install.py | 7 ++--
ipaserver/install/server/replicainstall.py | 41 +++++++++----------
ipaserver/install/service.py | 1 +
ipaserver/plugins/dogtag.py | 2 +-
11 files changed, 106 insertions(+), 100 deletions(-)
diff --git a/API.txt b/API.txt
index 9e3f223..9e41ece 100644
--- a/API.txt
+++ b/API.txt
@@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
output: Output('commands', <type 'dict'>, None)
output: Output('methods', <type 'dict'>, None)
output: Output('objects', <type 'dict'>, None)
+command: kra_is_enabled
+args: 0,1,3
+option: Str('version?', exclude='webui')
+output: Output('result', <type 'bool'>, None)
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
command: krbtpolicy_mod
args: 1,9,3
arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)
diff --git a/VERSION b/VERSION
index 535b3e2..a8d484c 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
-# Last change: edewata - added vault-archive and vault-retrieve
+IPA_API_VERSION_MINOR=127
+# Last change: jcholast - add kra_is_enabled
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index e1e64aa..f80ecfd 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -33,7 +33,7 @@ from ipalib import output
from ipalib.crud import PKQuery, Retrieve, Update
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
- LDAPSearch, LDAPUpdate, LDAPRetrieve
+ LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
from ipalib.request import context
from ipalib.plugins.user import split_principal
from ipalib import _, ngettext
@@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
**options):
assert isinstance(dn, DN)
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
def pre_callback(self, ldap, dn, *keys, **options):
assert isinstance(dn, DN)
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
**options):
assert isinstance(base_dn, DN)
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
assert isinstance(dn, DN)
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve):
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
assert isinstance(dn, DN)
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -486,7 +486,7 @@ class vaultconfig_show(Retrieve):
def execute(self, *args, **options):
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -624,7 +624,7 @@ class vault_archive_encrypted(Update):
def execute(self, *args, **options):
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -774,7 +774,7 @@ class vault_retrieve_encrypted(Retrieve):
def execute(self, *args, **options):
- if not self.api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
@@ -813,3 +813,23 @@ class vault_retrieve_encrypted(Retrieve):
kra_account.logout()
return result
+
+
+@register()
+class kra_is_enabled(Command):
+ NO_CLI = True
+
+ has_output = output.standard_value
+
+ def execute(self, *args, **options):
+ base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ self.api.env.basedn)
+ filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
+ try:
+ self.api.Backend.ldap2.find_entries(
+ base_dn=base_dn, filter=filter, attrs_list=[])
+ except errors.NotFound:
+ result = False
+ else:
+ result = True
+ return dict(result=result, value=pkey_to_value(None, options))
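Review bot: The local `filter` shadows the builtin and the new command carries no docstring, although it is dispatched over the API like any other command. Rename it (`search_filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'`) and add a class docstring such as `__doc__ = _('Checks if any of the servers has the KRA service enabled')`, plus a comment on the `try` stating that only `errors.NotFound` means "no KRA"; any other LDAP error (connection, ACI) propagates to the caller unchanged. Note that the search only tests for the presence of a `cn=KRA` ipaConfigObject under cn=masters; if such entries can carry a disabled state (e.g. a missing `enabledService` config string), this returns True for them too — worth confirming against how `ldap_enable` writes the entry.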
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index b83e948..174c7d1 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -309,6 +309,8 @@ class BasePathNamespace(object):
IPARESTORE_LOG = "/var/log/iparestore.log"
IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
+ IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
+ IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
KADMIND_LOG = "/var/log/kadmind.log"
@@ -316,8 +318,6 @@ class BasePathNamespace(object):
PKI_CA_LOG_DIR = "/var/log/pki-ca"
PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
- PKI_KRA_INSTALL_LOG = "/var/log/pki-kra-install.log"
- PKI_KRA_UNINSTALL_LOG = "/var/log/pki-kra-uninstall.log"
VAR_LOG_PKI_DIR = "/var/log/pki/"
TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9d0998f..5fb2bb2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir):
return dogtag_master_ds_port
-def read_replica_info_kra_enabled(config_dir):
- """
- Check the replica info to determine if a KRA has been installed
- on the master
- """
- default_file = config_dir + "/default.conf"
- if not ipautil.file_exists(default_file):
- return False
- else:
- with open(default_file) as fd:
- config = SafeConfigParser()
- config.readfp(fd)
-
- enable_kra = config.getboolean("global", "enable_kra")
- return enable_kra
-
def create_replica_config(dirman_password, filename, options):
top_dir = None
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index edb6225..d75a242 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -23,7 +23,10 @@ from ipalib import api
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import admintool
+from ipapython import dogtag
from ipapython import ipautil
+from ipapython.dn import DN
+from ipaserver.install import krainstance
from ipaserver.install import installutils
from ipaserver.install.installutils import create_replica_config
from ipaserver.install import dogtaginstance
@@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool):
class KRAUninstaller(KRAInstall):
- log_file_name = paths.PKI_KRA_UNINSTALL_LOG
+ log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
def validate_options(self, needs_root=True):
super(KRAUninstaller, self).validate_options(needs_root=True)
@@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall):
if self.args:
self.option_parser.error("Too many parameters provided.")
- if not api.env.enable_kra:
+ dogtag_constants = dogtag.configured_constants(api)
+ _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
+ if not _kra.is_installed():
self.option_parser.error(
"Cannot uninstall. There is no KRA installed on this system."
)
def run(self):
super(KRAUninstaller, self).run()
- kra.uninstall()
+ kra.uninstall(True)
class KRAInstaller(KRAInstall):
- log_file_name = paths.PKI_KRA_INSTALL_LOG
+ log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
INSTALLER_START_MESSAGE = '''
===================================================================
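Review bot: `krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)` passes the `api` object as the first positional argument, whereas every other construction in this patch passes the realm (`krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)` in kra.py at L1055 and L1104, and the removed code at L1097). Unless KRAInstance accepts both, `is_installed()` is evaluated on an instance built with the wrong realm and the "no KRA installed" check becomes unreliable; the call should read `_kra = krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)`. In `run`, `kra.uninstall(True)` would also read better as a named flag given that `uninstall(standalone)` takes a bare boolean.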
@@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall):
self.replica_file,
self.options)
+ self.options.dm_password = self.options.password
self.options.setup_ca = False
+ api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
+ bind_pw=self.options.dm_password)
+
try:
- kra.install_check(replica_config, self.options, api.env.enable_kra,
- int(api.env.dogtag_version))
+ kra.install_check(api, replica_config, self.options)
except RuntimeError as e:
raise admintool.ScriptError(str(e))
- kra.install(replica_config, self.options, self.options.password)
+ kra.install(api, replica_config, self.options)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
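Review bot: `api.Backend.ldap2.connect(...)` binds as Directory Manager before `install_check`, but when `install_check` raises RuntimeError the code converts it to ScriptError and leaves the privileged connection open; the remainder of `run` is outside the hunk, so I cannot see whether anything disconnects later. Wrapping the check and install in `try: ... finally: api.Backend.ldap2.disconnect()` (or disconnecting in the `except` branch before re-raising) would make the lifetime of the DM-bound connection explicit. A one-line comment on why `self.options.dm_password = self.options.password` is needed (kra.install reads `options.dm_password`, per L1093) would help the next reader.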
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 8083c74..b55dfb7 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -2,25 +2,25 @@
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
-import os
-from ConfigParser import RawConfigParser
-from ipalib import api
-from ipaplatform.paths import paths
+from ipalib import api, errors
from ipapython import dogtag
+from ipapython.dn import DN
from ipaserver.install import cainstance
from ipaserver.install import krainstance
from ipaserver.install import dsinstance
from ipaserver.install import service
-from ipaserver.install.installutils import read_replica_info_kra_enabled
-def install_check(replica_config, options, enable_kra, dogtag_version):
- if enable_kra:
+def install_check(api, replica_config, options):
+ dogtag_constants = dogtag.configured_constants(api=api)
+ kra = krainstance.KRAInstance(api.env.realm,
+ dogtag_constants=dogtag_constants)
+ if kra.is_installed():
raise RuntimeError("KRA is already installed.")
if not options.setup_ca:
if cainstance.is_ca_installed_locally():
- if dogtag_version >= 10:
+ if api.env.dogtag_version >= 10:
# correct dogtag version of CA installed
pass
else:
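Review bot: The new `api` parameter of `install_check` (and of `install` further down) shadows the module-level `api` imported at L1043, while `uninstall` in the same file still uses the module-level object; the mix is easy to misread. Since the parameter exists so that replica installation can pass `remote_api` (L1172), either give `uninstall` the same parameter for symmetry or add a docstring line to both functions such as `api: the API object to use; may be a remote API for replica installation`. install_check's body continues in the next hunk.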
@@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version):
"Dogtag CA is not installed. Please install the CA first")
if replica_config is not None:
- if not read_replica_info_kra_enabled(replica_config.dir):
- raise RuntimeError(
- "Either KRA is not installed on the master system or "
- "your replica file is out of date"
- )
+ if not api.Command.kra_is_enabled()['result']:
+ raise RuntimeError("KRA is not installed on the master system")
-def install(replica_config, options, dm_password):
+def install(api, replica_config, options):
subject = dsinstance.DsInstance().find_subject_base()
if replica_config is None:
kra = krainstance.KRAInstance(
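Review bot: `api.Command.kra_is_enabled()` is now evaluated on whatever `api` the caller passed — for a replica this is `remote_api`, so the call is forwarded to the master. If the master runs a release that does not yet register `kra_is_enabled`, the forwarded call presumably fails with a command/RPC error rather than the RuntimeError the callers catch (L1134, L1173), and the user sees a traceback where the removed "replica file is out of date" message used to give a hint. Consider catching that failure here and re-raising it as `RuntimeError("Cannot determine whether KRA is installed on the master system")`, or note in a comment that the master is expected to be at least this version.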
@@ -55,31 +52,25 @@ def install(replica_config, options, dm_password):
ds = dsinstance.DsInstance()
ds.restart()
- kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
-
- # Update config file
- parser = RawConfigParser()
- parser.read(paths.IPA_DEFAULT_CONF)
- parser.set('global', 'enable_kra', 'True')
-
- with open(paths.IPA_DEFAULT_CONF, 'w') as f:
- parser.write(f)
+ kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
-def uninstall():
- dogtag_constants = dogtag.configured_constants(api=api)
- kra_instance = krainstance.KRAInstance(
- api.env.realm, dogtag_constants=dogtag_constants)
- kra_instance.stop_tracking_certificates()
- if kra_instance.is_installed():
- kra_instance.uninstall()
+def uninstall(standalone):
+ dogtag_constants = dogtag.configured_constants(api)
+ kra = krainstance.KRAInstance(api.env.realm,
+ dogtag_constants=dogtag_constants)
- # Check if config file exists, then update it
- if os.path.exists(paths.IPA_DEFAULT_CONF):
- parser = RawConfigParser()
- parser.read(paths.IPA_DEFAULT_CONF)
- parser.set('global', 'enable_kra', 'False')
+ if standalone:
+ kra.ldap_connect()
+ try:
+ kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
+ ('cn', 'masters'), ('cn', 'ipa'),
+ ('cn', 'etc'), api.env.basedn))
+ except errors.NotFound:
+ pass
- with open(paths.IPA_DEFAULT_CONF, 'w') as f:
- parser.write(f)
+ kra.stop_tracking_certificates()
+ if kra.is_installed():
+ kra.uninstall()
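Review bot: `uninstall(standalone)` has no documentation of what the flag means, and it is invoked with bare `True`/`False` from two callers (L1008, L1147). A docstring such as `standalone: True when run from ipa-kra-install --uninstall; the KRA service entry under cn=masters is then removed explicitly, since the rest of the server stays in place` would spell out the intent (the False path presumably relies on the full server uninstall removing the suffix — confirm). The `kra.ldap_connect()` call opens an admin connection that is not closed on either the success or the `NotFound` path; if `ldap_connect` binds with privileged credentials, a `try/finally` that disconnects would be cleaner, and the `except errors.NotFound: pass` deserves a comment stating that a missing entry is the expected idempotent case.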
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 89473dc..bde3485 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -602,8 +602,7 @@ def install_check(installer):
if setup_kra:
try:
- kra.install_check(None, options, False,
- dogtag.install_constants.DOGTAG_VERSION)
+ kra.install_check(api, None, options)
except RuntimeError as e:
print str(e)
sys.exit(1)
@@ -865,7 +864,7 @@ def install(installer):
http.restart()
if setup_kra:
- kra.install(None, options, dm_password)
+ kra.install(api, None, options)
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
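Review bot: `kra.install(api, None, options)` drops the explicit `dm_password` argument, and kra.install now reads `options.dm_password` (L1093) instead. In this server-install path the previous call passed a local `dm_password` variable, so it is worth confirming that `options.dm_password` is populated here as well — the replica installer had to set it explicitly (`options.dm_password = config.dirman_password`, L1202), and ipa-kra-install copies it from `options.password` (L1017). If it is not guaranteed, `ldap_enable` would be called with `None`.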
@@ -1060,7 +1059,7 @@ def uninstall(installer):
ntpinstance.NTPInstance(fstore).uninstall()
- kra.uninstall()
+ kra.uninstall(False)
ca.uninstall(dogtag_constants)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0429a40..011669c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -379,8 +379,6 @@ def install_check(installer):
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
- fd.write("enable_kra=%s\n" % config.setup_kra)
-
fd.write("mode=production\n")
fd.close()
finally:
@@ -480,6 +478,18 @@ def install_check(installer):
root_logger.debug('No IPA DNS servers, '
'skipping forward/reverse resolution check')
+ if options.setup_ca:
+ options.realm_name = config.realm_name
+ options.host_name = config.host_name
+ options.subject = config.subject_base
+ ca.install_check(False, config, options)
+
+ if config.setup_kra:
+ try:
+ kra.install_check(remote_api, config, options)
+ except RuntimeError as e:
+ print str(e)
+ sys.exit(1)
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server "
"%s" % config.master_host_name)
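Review bot: The CA and KRA install checks are moved inside the `try` whose `except errors.ACIError` reports an incorrect password. `kra.install_check(remote_api, ...)` now performs an LDAP search on the master via `kra_is_enabled`, so an ACIError caused by insufficient read rights on cn=masters (rather than a wrong password) would be misreported as "The password provided is incorrect"; if that is possible, narrow the protected region or distinguish the two cases. The enclosing `try` begins outside the hunk.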
@@ -492,20 +502,6 @@ def install_check(installer):
if conn.isconnected():
conn.disconnect()
- if options.setup_ca:
- options.realm_name = config.realm_name
- options.host_name = config.host_name
- options.subject = config.subject_base
- ca.install_check(False, config, options)
-
- if config.setup_kra:
- try:
- kra.install_check(config, options, False,
- dogtag.install_constants.DOGTAG_VERSION)
- except RuntimeError as e:
- print str(e)
- sys.exit(1)
-
if options.setup_dns:
dns.install_check(False, True, options, config.host_name)
else:
@@ -567,14 +563,18 @@ def install(installer):
if conn.isconnected():
conn.disconnect()
+ options.dm_password = config.dirman_password
+
if config.setup_ca:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
- options.dm_password = config.dirman_password
options.host_name = config.host_name
ca.install(False, config, options)
+ if options.setup_kra:
+ kra.install(api, config, options)
+
krb = install_krb(config, setup_pkinit=not options.no_pkinit)
http = install_http(config, auto_redirect=not options.no_ui_redirect)
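Review bot: The install is gated on `options.setup_kra` while the corresponding check in install_check uses `config.setup_kra` (L1170); if those two values can differ, the check and the install disagree, so one of them should be used consistently (`if config.setup_kra:` matches the `config.setup_ca` guard three lines above). The KRA installation also moves ahead of `ds.apply_updates()` (visible at L1217, where it previously ran afterwards); if krainstance depends on any update file having been applied to the directory, that ordering needs to be confirmed and a comment added explaining why KRA now precedes the KDC and HTTP setup.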
@@ -590,11 +590,8 @@ def install(installer):
service.print_msg("Applying LDAP updates")
ds.apply_updates()
- if options.setup_kra:
- kra.install(config, options, config.dirman_password)
- else:
- service.print_msg("Restarting the directory server")
- ds.restart()
+ service.print_msg("Restarting the directory server")
+ ds.restart()
service.print_msg("Restarting the KDC")
krb.restart()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index e4e5dd3..88307a0 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -41,6 +41,7 @@ SERVICE_LIST = {
'MEMCACHE': ('ipa_memcached', 39),
'HTTP': ('httpd', 40),
'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
+ 'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
'ADTRUST': ('smb', 60),
'EXTID': ('winbind', 70),
'OTPD': ('ipa-otpd', 80),
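Review bot: The new `'KRA'` entry maps to the same daemon name as `'CA'` (`'%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME`), so both service names resolve to one unit with adjacent start orders 50 and 51. A short comment would prevent a future reader from treating the duplicate as a copy-paste error, e.g. `# KRA runs inside the same Dogtag/Tomcat instance as the CA; ordering 51 keeps it right after CA`. If the consumers of SERVICE_LIST restart each listed service, confirm that restarting the same unit twice in a row is acceptable.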
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e60cced..a5b7d23 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1909,7 +1909,7 @@ class kra(Backend):
Raises a generic exception if KRA is not enabled.
"""
- if not api.env.enable_kra:
+ if not self.api.Command.kra_is_enabled()['result']:
# TODO: replace this with a more specific exception
raise RuntimeError('KRA service is not enabled')
--
2.1.0