Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5498>.

Note that you still have to provide admin password in ipa-replica-install, either using --admin-password or interactively, because:

a) Admin password is required for replica promotion. This will be fixed with <https://fedorahosted.org/freeipa/ticket/5401>.

Patches are on the list: <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.

b) Admin password is required for connection check. This will be fixed with <https://fedorahosted.org/freeipa/ticket/5497>.

Honza

--
Jan Cholasta
From 251df9d82f59183cec876ed2dbc6efe05d21ffb1 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 2 Dec 2015 15:57:59 +0100
Subject: [PATCH] replica promotion: allow OTP bulk client enrollment

https://fedorahosted.org/freeipa/ticket/5498
---
 ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 74069f0..0f0a9c7 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -756,7 +756,9 @@ def ensure_enrolled(installer):
     config = installer._config
 
     # Perform only if we have the necessary options
-    if not any([installer.admin_password, installer.keytab]):
+    if not any([installer.password,
+                installer.admin_password,
+                installer.keytab]):
         sys.exit("IPA client is not configured on this system.\n"
                  "You must join the system by running 'ipa-client-install' "
                  "first. Alternatively, you may specify enrollment related "
@@ -766,6 +768,8 @@ def ensure_enrolled(installer):
     service.print_msg("Configuring client side components")
     try:
         args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+        stdin = None
+
         if installer.domain_name:
             args.extend(["--domain", installer.domain_name])
         if installer.server:
@@ -775,12 +779,16 @@ def ensure_enrolled(installer):
         if installer.host_name:
             args.extend(["--hostname", installer.host_name])
 
-        if installer.admin_password:
-            # Always set principal if password was set explicitly,
-            # the password itself gets passed directly via stdin
-            args.extend(["--principal", installer.principal or "admin"])
-        if installer.keytab:
-            args.extend(["--keytab", installer.keytab])
+        if installer.password:
+            args.extend(["--password", installer.password])
+        else:
+            if installer.admin_password:
+                # Always set principal if password was set explicitly,
+                # the password itself gets passed directly via stdin
+                args.extend(["--principal", installer.principal or "admin"])
+                stdin = installer.admin_password
+            if installer.keytab:
+                args.extend(["--keytab", installer.keytab])
 
         if installer.no_dns_sshfp:
             args.append("--no-dns-sshfp")
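Review bot: The bulk enrollment password is placed on the ipa-client-install command line (`args.extend(["--password", installer.password])`), where it is visible to every local user through the process list for as long as the child runs, whereas the admin password on the same hunk is deliberately kept off the command line and handed over via `stdin` (the retained comment says so). If ipa-client-install reads the enrollment password from stdin when `--password` is absent, the same mechanism should be used here, e.g. `stdin = installer.password` in place of the `args.extend` line; if it does not, that is worth a comment such as `# NOTE: --password exposes the OTP in the process list; ipa-client-install has no stdin path for it`. Either way the `else:` branch is also the only place `stdin` is set, so a one-line comment above `if installer.password:` stating that exactly one credential source is chosen would make the precedence explicit. ensure_enrolled begins before this hunk and continues after it.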
@@ -793,7 +801,7 @@ def ensure_enrolled(installer):
         if installer.mkhomedir:
             args.append("--mkhomedir")
 
-        ipautil.run(args, stdin=installer.admin_password or None)
+        ipautil.run(args, stdin=stdin)
 
     except Exception as e:
         sys.exit("Configuration of client side components failed!\n"
@@ -1164,11 +1172,14 @@ class Replica(BaseServer):
                      "multiple times"),
     )
 
-    dm_password = Knob(
+    dm_password = None
+
+    password = Knob(
         BaseServer.dm_password,
-        description="Directory Manager (existing master) password",
-        cli_name='password',
-        cli_metavar='PASSWORD',
+        description=("Password to join the IPA realm. Assumes bulk password "
+                     "unless principal is also set. (domain level 1+)\n"
+                     "Directory Manager (existing master) password. "
+                     "(domain level 0)"),
     )
 
     admin_password = Knob(
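Review bot: `dm_password = None` silently disables the knob inherited from BaseServer and moves its role onto the new `password` knob, but nothing in the code says so; a reader of BaseServer will look for the Directory Manager option on the replica and not find it. A short comment above the assignment, e.g. `# The inherited DM password knob is replaced by --password, whose meaning depends on the domain level (see description below)`, would record the intent. The Knob description is the only place the dual meaning of `--password` is documented, so keeping that text in sync with the `principal` handling later in the class is something to watch. The enclosing class continues outside this hunk.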
@@ -1246,6 +1257,10 @@ class Replica(BaseServer):
 
         if self.replica_file is None:
             self.promote = True
+
+            if self.principal and not self.admin_password:
+                self.admin_password = self.password
+                self.password = None
         else:
             if not ipautil.file_exists(self.replica_file):
                 raise RuntimeError("Replica file %s does not exist"
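Review bot: The reassignment `self.admin_password = self.password; self.password = None` changes what `--password` means based on whether `--principal` was given, and this reinterpretation is not explained at the point where it happens. A comment such as `# With --principal, --password is that principal's password, not a bulk enrollment OTP` would save the next reader a trip to the Knob description. It may also be worth stating what happens when `--password`, `--admin-password` and `--principal` are all supplied: as written, `password` is then still forwarded as the bulk password alongside the principal, which looks unintended, though I cannot confirm from this hunk how ipa-client-install treats that combination. The enclosing method starts before this hunk.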
@@ -1258,7 +1273,6 @@ class Replica(BaseServer):
                 CLIKnob(self.domain_name, '--domain'),
                 CLIKnob(self.host_name, '--hostname'),
                 CLIKnob(self.server, '--server'),
-                CLIKnob(self.admin_password, '--admin-password'),
                 CLIKnob(self.principal, '--principal'),
             )
 
@@ -1281,8 +1295,6 @@ class Replica(BaseServer):
                     "You must specify at least one of --forwarder, "
                     "--auto-forwarders, or --no-forwarders options")
 
-        self.password = self.dm_password
-
     @step()
     def main(self):
         if self.promote:
-- 
2.4.3
