Hi, the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5498>.
Note that you still have to provide the admin password to ipa-replica-install, either with --admin-password or interactively, because:
a) Admin password is required for replica promotion. This will be fixed with <https://fedorahosted.org/freeipa/ticket/5401>.
Patches are on the list: <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.
b) Admin password is required for connection check. This will be fixed with <https://fedorahosted.org/freeipa/ticket/5497>.
Honza -- Jan Cholasta
From 251df9d82f59183cec876ed2dbc6efe05d21ffb1 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Wed, 2 Dec 2015 15:57:59 +0100 Subject: [PATCH] replica promotion: allow OTP bulk client enrollment https://fedorahosted.org/freeipa/ticket/5498 --- ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++----------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 74069f0..0f0a9c7 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -756,7 +756,9 @@ def ensure_enrolled(installer): config = installer._config # Perform only if we have the necessary options - if not any([installer.admin_password, installer.keytab]): + if not any([installer.password, + installer.admin_password, + installer.keytab]): sys.exit("IPA client is not configured on this system.\n" "You must join the system by running 'ipa-client-install' " "first. Alternatively, you may specify enrollment related " @@ -766,6 +768,8 @@ def ensure_enrolled(installer): service.print_msg("Configuring client side components") try: args = [paths.IPA_CLIENT_INSTALL, "--unattended"] + stdin = None + if installer.domain_name: args.extend(["--domain", installer.domain_name]) if installer.server: 
@@ -775,12 +779,16 @@ def ensure_enrolled(installer): if installer.host_name: args.extend(["--hostname", installer.host_name]) - if installer.admin_password: - # Always set principal if password was set explicitly, - # the password itself gets passed directly via stdin - args.extend(["--principal", installer.principal or "admin"]) - if installer.keytab: - args.extend(["--keytab", installer.keytab]) + if installer.password: + args.extend(["--password", installer.password]) + else: + if installer.admin_password: + # Always set principal if password was set explicitly, + # the password itself gets passed directly via stdin + args.extend(["--principal", installer.principal or "admin"]) + stdin = installer.admin_password + if installer.keytab: + args.extend(["--keytab", installer.keytab]) if installer.no_dns_sshfp: args.append("--no-dns-sshfp") @@ -793,7 +801,7 @@ def ensure_enrolled(installer): if installer.mkhomedir: args.append("--mkhomedir") - ipautil.run(args, stdin=installer.admin_password or None) + ipautil.run(args, stdin=stdin) except Exception as e: sys.exit("Configuration of client side components failed!\n" @@ -1164,11 +1172,14 @@ class Replica(BaseServer): "multiple times"), ) - dm_password = Knob( + dm_password = None + + password = Knob( BaseServer.dm_password, - description="Directory Manager (existing master) password", - cli_name='password', - cli_metavar='PASSWORD', + description=("Password to join the IPA realm. Assumes bulk password " + "unless principal is also set. (domain level 1+)\n" + "Directory Manager (existing master) password. " + "(domain level 0)"), ) admin_password = Knob( @@ -1246,6 +1257,10 @@ class Replica(BaseServer): if self.replica_file is None: self.promote = True + + if self.principal and not self.admin_password: + self.admin_password = self.password + self.password = None else: if not ipautil.file_exists(self.replica_file): raise RuntimeError("Replica file %s does not exist" 
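Review bot: The enrollment password added with `args.extend(["--password", installer.password])` in the @@ -775 hunk is placed in the argv of ipa-client-install, so it is readable from the process list while the child runs, whereas the admin password in the `else` branch still goes through stdin. ipautil.run normally logs the command it executes, so the value would presumably also land in the install log; at the call changed in the @@ -793 hunk it can be masked with `ipautil.run(args, stdin=stdin, nolog=(installer.password,) if installer.password else ())`. If ipa-client-install has no stdin path for this password, a comment beside the `--password` line such as `# NOTE: passed on the command line, visible in the process list while the child runs` would record the remaining exposure. ensure_enrolled starts before and continues past both hunks.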
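Review bot: The credential swap added in the @@ -1246 hunk (`self.admin_password = self.password` followed by `self.password = None`) has no comment saying which secret ends up where, and that decides whether ensure_enrolled later sends it on argv via `--password` or over stdin with `--principal`. A short comment above the `if` would make the intent reviewable, for example `# --principal given with only --password: treat it as that principal's password, not an enrollment OTP`. It would also help to state there that when `--admin-password` is supplied as well, `self.password` is left untouched and is still used for enrollment, which appears to be the intended OTP-plus-admin case. The enclosing method begins above the hunk and its `else:` branch continues past it.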
@@ -1258,7 +1273,6 @@ class Replica(BaseServer): CLIKnob(self.domain_name, '--domain'), CLIKnob(self.host_name, '--hostname'), CLIKnob(self.server, '--server'), - CLIKnob(self.admin_password, '--admin-password'), CLIKnob(self.principal, '--principal'), ) @@ -1281,8 +1295,6 @@ class Replica(BaseServer): "You must specify at least one of --forwarder, " "--auto-forwarders, or --no-forwarders options") - self.password = self.dm_password - @step() def main(self): if self.promote: -- 2.4.3