From c088cccb0b27e0defd5457f756a2d4c68e8eff55 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Tue, 11 Mar 2014 16:28:19 +0100
Subject: [PATCH 56/58] ipa-replica-install never checks for 7389 port
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would get stuck with no hint to the user.
Make sure that the port configuration parsed from replica info file
is used consistently in the installers.
https://fedorahosted.org/freeipa/ticket/4240
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
---
install/tools/ipa-ca-install | 17 +++++------------
install/tools/ipa-replica-install | 18 ++++++------------
ipaserver/install/cainstance.py | 12 +++++-------
ipaserver/install/installutils.py | 16 ++++++++++++++++
4 files changed, 32 insertions(+), 31 deletions(-)
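--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -30,7 +30,7 @@ from ipaserver.install import installutils, service
 from ipaserver.install import certs
 from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
 expand_replica_info, read_replica_info, get_host_name, BadHostError,
- private_ccache)
+ private_ccache, read_replica_info_dogtag_port)
 from ipaserver.install import dsinstance, cainstance, bindinstance
 from ipaserver.install.replication import replica_conn_check
 from ipapython import version
@@ -159,31 +159,24 @@ def main():
 sys.exit(0)
 config.dir = dir
 config.setup_ca = True
+ config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 
 if not ipautil.file_exists(config.dir + "/cacert.p12"):
 print 'CA cannot be installed in CA-less setup.'
 sys.exit(1)
 
- portfile = config.dir + "/dogtag_directory_port.txt"
- if not ipautil.file_exists(portfile):
- dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
- else:
- with open(portfile) as fd:
- dogtag_master_ds_port = fd.read()
-
 if not options.skip_conncheck:
 replica_conn_check(
 config.master_host_name, config.host_name, config.realm_name, True,
- dogtag_master_ds_port, options.admin_password)
+ config.ca_ds_port, options.admin_password)
 
 if options.skip_schema_check:
 root_logger.info("Skipping CA DS schema check")
 else:
- cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
+ cainstance.replica_ca_install_check(config)
 
 # Configure the CA if necessary
- CA = cainstance.install_replica_ca(
- config, dogtag_master_ds_port, postinstall=True)
+ CA = cainstance.install_replica_ca(config, postinstall=True)
 
 # We need to ldap_enable the CA now that DS is up and running
 CA.ldap_enable('CA', config.host_name, config.dirman_password,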
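Review bot: `config.ca_ds_port` is assigned here as a new attribute on a `ReplicaConfig` instance, but nothing in this commit declares or documents it on the class, while `cainstance.replica_ca_install_check` and `install_replica_ca` now read it unconditionally; any other code path that builds a `ReplicaConfig` without passing through this block would fail with an AttributeError instead of a clear message. Adding the attribute to `ReplicaConfig`'s initializer with a comment such as `# Dogtag DS port of the master; set from read_replica_info_dogtag_port()` would make that precondition explicit. The value handed to `replica_conn_check` also changes type, from str (`str(DS_PORT)` or the raw file contents) to int; whether the conncheck code formats the port or compares it as a string is not visible here and should be confirmed. The same pattern appears in the ipa-replica-install hunks at -534 and -541. The enclosing `main()` continues outside the hunk.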
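--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -37,8 +37,8 @@ from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
- read_replica_info ,get_host_name,
- BadHostError, private_ccache)
+ read_replica_info, get_host_name, BadHostError, private_ccache,
+ read_replica_info_dogtag_port)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
 from ipalib import api, errors, util
@@ -534,6 +534,7 @@ def main():
 sys.exit(0)
 config.dir = dir
 config.setup_ca = options.setup_ca
+ config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
 
 if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
 print 'CA cannot be installed in CA-less setup.'
@@ -541,18 +542,11 @@ def main():
 
 installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 
- portfile = config.dir + "/dogtag_directory_port.txt"
- if not ipautil.file_exists(portfile):
- dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
- else:
- with open(portfile) as fd:
- dogtag_master_ds_port = fd.read()
-
 # check connection
 if not options.skip_conncheck:
 replica_conn_check(
 config.master_host_name, config.host_name, config.realm_name,
- options.setup_ca, dogtag_master_ds_port, options.admin_password)
+ options.setup_ca, config.ca_ds_port, options.admin_password)
 
 
 # check replica host IP resolution
@@ -657,7 +651,7 @@ def main():
 if options.skip_schema_check:
 root_logger.info("Skipping CA DS schema check")
 else:
- cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
+ cainstance.replica_ca_install_check(config)
 
 # Configure ntpd
 if options.conf_ntp:
@@ -669,7 +663,7 @@ def main():
 ds = install_replica_ds(config)
 
 # Configure the CA if necessary
- CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
+ CA = cainstance.install_replica_ca(config)
 
 # Always try to install DNS records
 install_dns_records(config, options)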
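--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1574,7 +1574,7 @@ def is_master(self):
 return master == 'New'
 
 
-def replica_ca_install_check(config, master_ds_port):
+def replica_ca_install_check(config):
 if not config.setup_ca:
 return
 
@@ -1583,8 +1583,6 @@ def replica_ca_install_check(config, master_ds_port):
 # Replica of old "self-signed" master - CA won't be installed
 return
 
- master_ds_port = int(master_ds_port)
-
 # Exit if we have an old-style (Dogtag 9) CA already installed
 ca = CAInstance(config.realm_name, certs.NSS_DIR,
 dogtag_constants=dogtag.Dogtag9Constants)
@@ -1592,13 +1590,13 @@ def replica_ca_install_check(config, master_ds_port):
 root_logger.info('Dogtag 9 style CA instance found')
 sys.exit("A CA is already configured on this system.")
 
- if master_ds_port != dogtag.Dogtag9Constants.DS_PORT:
+ if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
 root_logger.debug(
 'Installing CA Replica from master with a merged database')
 return
 
 # Check if the master has the necessary schema in its CA instance
- ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port)
+ ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
 objectclass = 'ipaObject'
 root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
 try:
@@ -1627,7 +1625,7 @@ def replica_ca_install_check(config, master_ds_port):
 exit('IPA schema missing on master CA directory server')
 
 
-def install_replica_ca(config, master_ds_port, postinstall=False):
+def install_replica_ca(config, postinstall=False):
 """
 Install a CA on a replica.
 
@@ -1676,7 +1674,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
 config.dirman_password, config.dirman_password,
 pkcs12_info=(cafile,),
 master_host=config.master_host_name,
- master_replication_port=master_ds_port,
+ master_replication_port=config.ca_ds_port,
 subject_base=config.subject_base)
 
 # Restart httpd since we changed it's config and added ipa-pki-proxy.conf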
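Review bot: `replica_ca_install_check` and `install_replica_ca` now depend on `config.ca_ds_port` being populated, a precondition their signatures no longer express since `master_ds_port` was dropped, and neither the undocumented `replica_ca_install_check` nor the `install_replica_ca` docstring (only its first line is in the hunk) records it; a line such as `Expects config.ca_ds_port to be set, see installutils.read_replica_info_dogtag_port().` in each would do. With the `int(master_ds_port)` coercion removed, the `!= dogtag.Dogtag9Constants.DS_PORT` comparison at -1592 is only correct when the attribute is an int, which holds for values produced by `read_replica_info_dogtag_port` but is not enforced here. `master_replication_port=config.ca_ds_port` at -1676 likewise changes from str to int; the callee is outside the hunk, so confirm it does not rely on string formatting of the port. Both functions extend beyond the hunks shown.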
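--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig):
 except NoOptionError:
 pass
 
+def read_replica_info_dogtag_port(config_dir):
+ portfile = config_dir + "/dogtag_directory_port.txt"
+ default_port = dogtag.Dogtag9Constants.DS_PORT
+ if not ipautil.file_exists(portfile):
+ dogtag_master_ds_port = default_port
+ else:
+ with open(portfile) as fd:
+ try:
+ dogtag_master_ds_port = int(fd.read())
+ except (ValueError, IOError), e:
+ root_logger.debug('Cannot parse dogtag DS port: %s', e)
+ root_logger.debug('Default to %d', default_port)
+ dogtag_master_ds_port = default_port
+
+ return dogtag_master_ds_port
+
 def check_server_configuration():
 """
 Check if IPA server is configured on the system.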
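Review bot: In `read_replica_info_dogtag_port` the `open(portfile)` call sits outside the `try`, so an IOError from opening a file that exists but is unreadable escapes as a traceback even though the function clearly intends to fall back to the default on IOError; the `with` statement belongs inside the `try`. The parsed value is also accepted without a range check, so a corrupt or hand-edited port file holding e.g. `0` or `70000` is carried into the LDAP URL and the replication configuration instead of triggering the fallback. The function has no docstring stating its fallback contract. A rewrite covering the three points follows; the `except (ValueError, IOError), e:` form is kept because the rest of the file is Python 2.
```python
def read_replica_info_dogtag_port(config_dir):
    """Return the master's Dogtag DS port recorded in the replica info dir.

    Falls back to dogtag.Dogtag9Constants.DS_PORT when the port file is
    missing, unreadable, or does not hold a valid TCP port number.
    """
    portfile = config_dir + "/dogtag_directory_port.txt"
    default_port = dogtag.Dogtag9Constants.DS_PORT
    if not ipautil.file_exists(portfile):
        return default_port
    try:
        # open() is inside the try so a permission error also falls back
        with open(portfile) as fd:
            dogtag_master_ds_port = int(fd.read())
        if not 0 < dogtag_master_ds_port < 65536:
            raise ValueError('port %d out of range' % dogtag_master_ds_port)
    except (ValueError, IOError), e:
        root_logger.debug('Cannot parse dogtag DS port: %s', e)
        root_logger.debug('Default to %d', default_port)
        dogtag_master_ds_port = default_port

    return dogtag_master_ds_port
```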
--
1.8.5.3