Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.

2015-06-08 Thread Jan Cholasta

Dne 5.6.2015 v 14:16 David Kupka napsal(a):

On 06/03/2015 05:49 PM, David Kupka wrote:



Updated patch attached.



ACK. The patch needed a rebase and there was a bug in 
ipa-replica-install, I took care of both, see attachment.


Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034

There was also an unrelated problem in replicainstall.py which I also 
fixed, see the other attachment.


Pushed to master under the one-liner rule: 
e01095dfb33aaef0ab1babf86a71d70410b666ed


--
Jan Cholasta
From f958c692dd2a81a652bce555474b4b6380e920f4 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Mon, 8 Jun 2015 05:23:56 +
Subject: [PATCH] Move CA installation code into single module.

https://fedorahosted.org/freeipa/ticket/4468
---
 install/tools/ipa-ca-install   | 251 +++
 install/tools/ipa-replica-install  |   3 +
 ipaserver/install/ca.py| 267 +
 ipaserver/install/server/install.py| 101 ++-
 ipaserver/install/server/replicainstall.py |  53 ++
 5 files changed, 330 insertions(+), 345 deletions(-)
 create mode 100644 ipaserver/install/ca.py

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f087d2d..36b89b6 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,26 +21,18 @@
 import sys
 import os
 import shutil
-from ConfigParser import RawConfigParser
 from ipapython import ipautil
 
 from ipaserver.install import installutils
 from ipaserver.install import certs
-from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
-expand_replica_info, read_replica_info, get_host_name, BadHostError,
-private_ccache, read_replica_info_dogtag_port, load_external_cert,
-create_replica_config)
-from ipaserver.install import dsinstance, cainstance, bindinstance
-from ipaserver.install.replication import replica_conn_check
+from ipaserver.install.installutils import (private_ccache,
+create_replica_config)
+from ipaserver.install import dsinstance, ca
 from ipapython import version
-from ipalib import api, certstore, x509
+from ipalib import api
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
-from ipapython import sysrestore
-from ipapython import dogtag
-from ipapython import certdb
 from ipapython.ipa_log_manager import *
-from ipaplatform import services
 from ipaplatform.paths import paths
 
 log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
@@ -86,6 +78,9 @@ def parse_options():
 if len(args) != 1:
 parser.error(you must provide a file generated by 
  ipa-replica-prepare)
+
+options.external_ca = None
+options.external_cert_files = None
 else:
 filename = None
 
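Review bot: The new `options.external_ca = None` and `options.external_cert_files = None` defaults are set only in the branch that precedes `else:`, and whether the `filename = None` path can reach code that reads those attributes cannot be told from this hunk; if it can, the same defaults belong there too. Presumably they exist because `ca.install_check` now reads both attributes unconditionally, so a comment such as `# ipa-ca-install has no external CA options; give ca.install_check the attributes it expects` would make the dependency explicit. parse_options continues outside the hunk, and the identical hunk (`@@ -86,6 +78,9 @@`) appears again in the earlier revision of this patch further down the page.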
@@ -106,31 +101,6 @@ def get_dirman_password():
 Directory Manager (existing master), confirm=False, validate=False)
 
 
-def check_ca():
-if not cainstance.check_port():
-print IPA requires port 8443 for PKI but it is currently in use.
-sys.exit(1)
-
-def install_dns_records(config, options):
-
-if not bindinstance.dns_container_exists(config.master_host_name,
- ipautil.realm_to_suffix(config.realm_name),
- dm_password=config.dirman_password):
-return
-
-bind = bindinstance.BindInstance(dm_password=config.dirman_password)
-disconnect = False
-try:
-if not api.Backend.ldap2.isconnected():
-api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-  bind_pw=config.dirman_password)
-disconnect = True
-bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
-finally:
-if api.Backend.ldap2.isconnected() and disconnect:
-api.Backend.ldap2.disconnect()
-
-
 def install_replica(safe_options, options, filename):
 standard_logging_setup(log_file_name, debug=options.debug)
 
@@ -141,18 +111,12 @@ def install_replica(safe_options, options, filename):
 if not ipautil.file_exists(filename):
 sys.exit(Replica file %s does not exist % filename)
 
-global sstore
-sstore = sysrestore.StateFile(paths.SYSRESTORE)
-
 if not dsinstance.DsInstance().is_configured():
 sys.exit(IPA server is not configured on this system.\n)
 
 api.bootstrap(in_server=True)
 api.finalize()
 
-if api.env.ra_plugin == 'selfsign':
-sys.exit('A selfsign CA can not be added')
-
 # get the directory manager password
 dirman_password = options.password
 if not dirman_password:
@@ -174,48 +138,17 @@ def install_replica(safe_options, options, filename):
 REPLICA_INFO_TOP_DIR = config.top_dir
 config.setup_ca = True
 
-if not ipautil.file_exists(config.dir + /cacert.p12):
-print 'CA cannot be installed in CA-less setup.'
-

Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.

2015-06-08 Thread Jan Cholasta

Dne 8.6.2015 v 12:09 Jan Cholasta napsal(a):

Dne 8.6.2015 v 08:25 Jan Cholasta napsal(a):

Dne 5.6.2015 v 14:16 David Kupka napsal(a):

On 06/03/2015 05:49 PM, David Kupka wrote:



Updated patch attached.



ACK. The patch needed a rebase and there was a bug in
ipa-replica-install, I took care of both, see attachment.

Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034

There was also an unrelated problem in replicainstall.py which I also
fixed, see the other attachment.

Pushed to master under the one-liner rule:
e01095dfb33aaef0ab1babf86a71d70410b666ed


There are some more bugs in CA-less and external CA install, see the
attached patches for fixes.


Fixed an additional issue in patch 437, see attachment.

--
Jan Cholasta
From bdcda90e2c0a202c94dff37a25bad3f6c97a16ee Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 8 Jun 2015 08:32:27 +
Subject: [PATCH 1/2] install: Fix CA-less server install

https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/server/install.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 5be10f5..6f47723 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -313,6 +313,9 @@ def common_cleanup(func):
 
 @common_cleanup
 def install_check(options):
+global dirsrv_pkcs12_file
+global http_pkcs12_file
+global pkinit_pkcs12_file
 global dirsrv_pkcs12_info
 global http_pkcs12_info
 global pkinit_pkcs12_info
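Review bot: The added `global` statements make `install_check` and `install` share the PKCS#12 file paths through module-level state, which appears to be the fragile coupling behind the CA-less bug this patch fixes: assigning to one of these names without a matching `global` silently creates a local and leaves the sibling function reading a stale or unset module value. Passing the resolved file names through `options`, which both functions already receive, or returning them from `install_check` would remove the hidden dependency; until then a comment on the declarations such as `# shared with install(): assigned here, consumed there` would at least document it. The bodies of `install_check` and `install` continue outside the hunk, and the same applies to the second hunk of this patch (`@@ -637,6 +640,9 @@`).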
@@ -637,6 +640,9 @@ def install_check(options):
 
 @common_cleanup
 def install(options):
+global dirsrv_pkcs12_file
+global http_pkcs12_file
+global pkinit_pkcs12_file
 global dirsrv_pkcs12_info
 global http_pkcs12_info
 global pkinit_pkcs12_info
-- 
2.1.0

From 9afc3ed81670025c83aae874d2d9cc2c98f54d96 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 8 Jun 2015 08:32:58 +
Subject: [PATCH 2/2] install: Fix external CA server install

https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/ca.py | 32 +++-
 ipaserver/install/server/install.py |  7 ---
 2 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8a8214c..1ef8b2c 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -25,9 +25,6 @@ def install_check(standalone, replica_config, options):
 host_name = options.host_name
 subject_base = options.subject
 
-if replica_config is None and options.external_cert_files:
-return
-
 if replica_config is not None:
 if standalone and api.env.ra_plugin == 'selfsign':
 sys.exit('A selfsign CA can not be added')
@@ -51,17 +48,7 @@ def install_check(standalone, replica_config, options):
 if standalone and api.Command.ca_is_enabled()['result']:
 sys.exit(CA is already installed.\n)
 
-if options.external_ca:
-if cainstance.is_step_one_done():
-print(CA is already installed.\nRun the installer with 
-  --external-cert-file.)
-sys.exit(1)
-if ipautil.file_exists(paths.ROOT_IPA_CSR):
-print(CA CSR file %s already exists.\nIn order to continue 
-  remove the file and run the installer again. %
-  paths.ROOT_IPA_CSR)
-sys.exit(1)
-elif options.external_cert_files:
+if options.external_cert_files:
 if not cainstance.is_step_one_done():
 # This can happen if someone passes external_ca_file without
 # already having done the first stage of the CA install.
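Review bot: Swapping the branch order changes precedence: when both `options.external_cert_files` and `options.external_ca` are set, the `external_cert_files` branch now wins and the `external_ca` checks are skipped, where previously the reverse held. That is the intended order if the option layer marks `external_ca` whenever certificate files are supplied, which is not visible here; a comment such as `# external_cert_files means stage two of an external CA install; test it before external_ca` would record the assumption, and if the two options are meant to be mutually exclusive the parser should reject the combination instead. The matching `elif options.external_ca:` lands in the next hunk, and install_check continues outside this one.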
@@ -72,10 +59,21 @@ def install_check(standalone, replica_config, options):
 
 external_cert_file, external_ca_file = installutils.load_external_cert(
 options.external_cert_files, options.subject)
+elif options.external_ca:
+if cainstance.is_step_one_done():
+print(CA is already installed.\nRun the installer with 
+  --external-cert-file.)
+sys.exit(1)
+if ipautil.file_exists(paths.ROOT_IPA_CSR):
+print(CA CSR file %s already exists.\nIn order to continue 
+  remove the file and run the installer again. %
+  paths.ROOT_IPA_CSR)
+sys.exit(1)
 
-if not cainstance.check_port():
-print (IPA requires port 8443 for PKI but it is currently in use.)
-sys.exit(Aborting installation)
+if not options.external_cert_files:
+if not cainstance.check_port():
+print(IPA requires port 8443 for PKI but it is currently in use.)
+sys.exit(Aborting installation)
 
 if standalone:
 dirname = dsinstance.config_dirname(
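Review bot: The port 8443 check is now skipped whenever `options.external_cert_files` is set, but nothing in the hunk says why; presumably the second stage of an external CA install resumes the CA instance created in stage one, which already holds that port, so the check would always fail there. A comment on the new `if not options.external_cert_files:` such as `# stage two of an external CA install reuses the CA instance from stage one, which already holds port 8443` would preserve that reasoning for the next reader. Since the `print` and `sys.exit` below it were re-indented as part of the move, it is also worth confirming that no other caller relies on the port check running unconditionally. install_check continues outside the hunk.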
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 6f47723..faa9612 100644
--- 

Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.

2015-06-08 Thread Jan Cholasta

Dne 8.6.2015 v 17:04 David Kupka napsal(a):

On 06/08/2015 04:23 PM, Jan Cholasta wrote:

Dne 8.6.2015 v 12:09 Jan Cholasta napsal(a):

Dne 8.6.2015 v 08:25 Jan Cholasta napsal(a):

Dne 5.6.2015 v 14:16 David Kupka napsal(a):

On 06/03/2015 05:49 PM, David Kupka wrote:



Updated patch attached.



ACK. The patch needed a rebase and there was a bug in
ipa-replica-install, I took care of both, see attachment.

Pushed to master: 2acedb2d5d4a4c0987c670e14eb04b8bd9ffc034

There was also an unrelated problem in replicainstall.py which I also
fixed, see the other attachment.

Pushed to master under the one-liner rule:
e01095dfb33aaef0ab1babf86a71d70410b666ed


There are some more bugs in CA-less and external CA install, see the
attached patches for fixes.


Fixed an additional issue in patch 437, see attachment.


Works for me, ACK.



Thanks.

Pushed to master: 4c70590c2a78b6d2cbfed585502442f733f26389

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0049] Move CA installation code into single module.

2015-06-05 Thread David Kupka

On 06/03/2015 05:49 PM, David Kupka wrote:



Updated patch attached.

--
David Kupka
From ca004a585f86a5e35d02a90dc9db0753f786b84a Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 3 Jun 2015 17:43:27 +0200
Subject: [PATCH] Move CA installation code into single module.

---
 install/tools/ipa-ca-install   | 251 +++
 install/tools/ipa-replica-install  |   3 +
 ipaserver/install/ca.py| 267 +
 ipaserver/install/server/install.py| 101 ++-
 ipaserver/install/server/replicainstall.py |  46 ++---
 5 files changed, 325 insertions(+), 343 deletions(-)
 create mode 100644 ipaserver/install/ca.py

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f087d2d6a5138915008395cde4c461fc7602811b..36b89b6437c21ff7538708858966915ce214ffec 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,26 +21,18 @@
 import sys
 import os
 import shutil
-from ConfigParser import RawConfigParser
 from ipapython import ipautil
 
 from ipaserver.install import installutils
 from ipaserver.install import certs
-from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
-expand_replica_info, read_replica_info, get_host_name, BadHostError,
-private_ccache, read_replica_info_dogtag_port, load_external_cert,
-create_replica_config)
-from ipaserver.install import dsinstance, cainstance, bindinstance
-from ipaserver.install.replication import replica_conn_check
+from ipaserver.install.installutils import (private_ccache,
+create_replica_config)
+from ipaserver.install import dsinstance, ca
 from ipapython import version
-from ipalib import api, certstore, x509
+from ipalib import api
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
-from ipapython import sysrestore
-from ipapython import dogtag
-from ipapython import certdb
 from ipapython.ipa_log_manager import *
-from ipaplatform import services
 from ipaplatform.paths import paths
 
 log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
@@ -86,6 +78,9 @@ def parse_options():
 if len(args) != 1:
 parser.error(you must provide a file generated by 
  ipa-replica-prepare)
+
+options.external_ca = None
+options.external_cert_files = None
 else:
 filename = None
 
@@ -106,31 +101,6 @@ def get_dirman_password():
 Directory Manager (existing master), confirm=False, validate=False)
 
 
-def check_ca():
-if not cainstance.check_port():
-print IPA requires port 8443 for PKI but it is currently in use.
-sys.exit(1)
-
-def install_dns_records(config, options):
-
-if not bindinstance.dns_container_exists(config.master_host_name,
- ipautil.realm_to_suffix(config.realm_name),
- dm_password=config.dirman_password):
-return
-
-bind = bindinstance.BindInstance(dm_password=config.dirman_password)
-disconnect = False
-try:
-if not api.Backend.ldap2.isconnected():
-api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-  bind_pw=config.dirman_password)
-disconnect = True
-bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
-finally:
-if api.Backend.ldap2.isconnected() and disconnect:
-api.Backend.ldap2.disconnect()
-
-
 def install_replica(safe_options, options, filename):
 standard_logging_setup(log_file_name, debug=options.debug)
 
@@ -141,18 +111,12 @@ def install_replica(safe_options, options, filename):
 if not ipautil.file_exists(filename):
 sys.exit(Replica file %s does not exist % filename)
 
-global sstore
-sstore = sysrestore.StateFile(paths.SYSRESTORE)
-
 if not dsinstance.DsInstance().is_configured():
 sys.exit(IPA server is not configured on this system.\n)
 
 api.bootstrap(in_server=True)
 api.finalize()
 
-if api.env.ra_plugin == 'selfsign':
-sys.exit('A selfsign CA can not be added')
-
 # get the directory manager password
 dirman_password = options.password
 if not dirman_password:
@@ -174,48 +138,17 @@ def install_replica(safe_options, options, filename):
 REPLICA_INFO_TOP_DIR = config.top_dir
 config.setup_ca = True
 
-if not ipautil.file_exists(config.dir + /cacert.p12):
-print 'CA cannot be installed in CA-less setup.'
-sys.exit(1)
+api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+  bind_pw=dirman_password)
 
-if not options.skip_conncheck:
-replica_conn_check(
-config.master_host_name, config.host_name, config.realm_name, True,
-config.ca_ds_port, options.admin_password)
+options.realm_name = config.realm_name
+