From 7a2eaa6f535b1353d46bcfa8b0b2484b15ff3863 Mon Sep 17 00:00:00 2001 From: Thomas Woerner Date: Tue, 7 Jul 2020 17:13:09 +0200 Subject: [PATCH] ipareplica: Fix missing parameters for several modules The parameters master_host_name, config_setup_ca, dirman_password have not been set for some modules. Also there was no ldap2 connection within ipareplica_setup_kra. All this resulted in improper configuration where for example KRA deployment failed in the end. A conversion warning in ipareplica_setup_adtrust has also been fixed for the setup_ca parameter. Fixes #314 (IPA replica installation failure - DS enabled SSL - second part) --- .../library/ipareplica_create_ipa_conf.py | 1 + .../library/ipareplica_ds_apply_updates.py | 1 + .../library/ipareplica_ds_enable_ssl.py | 1 + .../library/ipareplica_setup_adtrust.py | 2 +- .../library/ipareplica_setup_custodia.py | 1 + .../library/ipareplica_setup_http.py | 2 +- .../ipareplica/library/ipareplica_setup_kra.py | 18 ++++++++++++++++++ .../ipareplica/library/ipareplica_setup_krb.py | 7 +++++++ roles/ipareplica/tasks/install.yml | 8 ++++++++ 9 files changed, 39 insertions(+), 2 deletions(-) diff --git a/roles/ipareplica/library/ipareplica_create_ipa_conf.py b/roles/ipareplica/library/ipareplica_create_ipa_conf.py index 3a85a6f..c475469 100644 --- a/roles/ipareplica/library/ipareplica_create_ipa_conf.py +++ b/roles/ipareplica/library/ipareplica_create_ipa_conf.py @@ -262,6 +262,7 @@ def main(): config.subject_base = options.subject_base config.dirman_password = dirman_password config.ca_host_name = ca_host_name + config.setup_ca = options.setup_ca remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) installer._remote_api = remote_api diff --git a/roles/ipareplica/library/ipareplica_ds_apply_updates.py b/roles/ipareplica/library/ipareplica_ds_apply_updates.py index 3796874..71008b3 100644 --- a/roles/ipareplica/library/ipareplica_ds_apply_updates.py +++ b/roles/ipareplica/library/ipareplica_ds_apply_updates.py 
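Review bot: `config.setup_ca = options.setup_ca` in ipareplica_create_ipa_conf.py copies a value whose declaration and type this patch never shows, and the same line is added to ipareplica_setup_custodia.py and ipareplica_setup_krb.py. An Ansible argument declared without a type is handled as a string, so unless each module declares `setup_ca` with `type='bool'` (the conversion this commit fixes in ipareplica_setup_adtrust.py), a value of 'False' would land on the config object as a non-empty, truthy string. For ipareplica_setup_krb.py neither the argument-spec hunk nor the Setup KRB task in install.yml gains `setup_ca`, so `options.setup_ca` there presumably comes from a default or from code outside the hunks; it is worth confirming it carries the value computed by the prepare step. main() starts and ends outside each of these hunks.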
@@ -177,6 +177,7 @@ def main(): config = gen_ReplicaConfig() config.dirman_password = dirman_password config.subject_base = options.subject_base + config.master_host_name = master_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) diff --git a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py index a1b638e..3e4090d 100644 --- a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py +++ b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py @@ -173,6 +173,7 @@ def main(): config = gen_ReplicaConfig() config.dirman_password = dirman_password config.subject_base = options.subject_base + config.master_host_name = master_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) # installer._remote_api = remote_api diff --git a/roles/ipareplica/library/ipareplica_setup_adtrust.py b/roles/ipareplica/library/ipareplica_setup_adtrust.py index c830ebf..734e56d 100644 --- a/roles/ipareplica/library/ipareplica_setup_adtrust.py +++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py @@ -110,7 +110,7 @@ def main(): # additional ccache=dict(required=True), _top_dir=dict(required=True), - setup_ca=dict(required=True), + setup_ca=dict(required=True, type='bool'), config_master_host_name=dict(required=True), ), supports_check_mode=True, diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py index 5a74e87..2e95c26 100644 --- a/roles/ipareplica/library/ipareplica_setup_custodia.py +++ b/roles/ipareplica/library/ipareplica_setup_custodia.py @@ -169,6 +169,7 @@ def main(): config.promote = installer.promote config.kra_enabled = kra_enabled config.kra_host_name = kra_host_name + config.setup_ca = options.setup_ca remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) diff --git a/roles/ipareplica/library/ipareplica_setup_http.py b/roles/ipareplica/library/ipareplica_setup_http.py index 987ea95..3fa4807 100644 
--- a/roles/ipareplica/library/ipareplica_setup_http.py +++ b/roles/ipareplica/library/ipareplica_setup_http.py @@ -164,7 +164,7 @@ def main(): config.subject_base = options.subject_base config.dirman_password = dirman_password config.setup_ca = options.setup_ca - # config.master_host_name = master_host_name + config.master_host_name = master_host_name config.ca_host_name = ca_host_name config.promote = installer.promote diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py index 3149c10..0b2f681 100644 --- a/roles/ipareplica/library/ipareplica_setup_kra.py +++ b/roles/ipareplica/library/ipareplica_setup_kra.py @@ -120,6 +120,9 @@ options: _subject_base: description: The installer _subject_base setting required: no + dirman_password: + description: Directory Manager (master) password + required: no author: - Thomas Woerner ''' @@ -173,10 +176,12 @@ def main(): _ca_enabled=dict(required=False, type='bool'), _kra_enabled=dict(required=False, type='bool'), _kra_host_name=dict(required=False), + _ca_host_name=dict(required=False), _top_dir=dict(required=True), _add_to_ipaservers=dict(required=True, type='bool'), _ca_subject=dict(required=True), _subject_base=dict(required=True), + dirman_password=dict(required=True, no_log=True), ), supports_check_mode=True, ) @@ -233,6 +238,7 @@ def main(): ca_enabled = ansible_module.params.get('_ca_enabled') kra_enabled = ansible_module.params.get('_kra_enabled') kra_host_name = ansible_module.params.get('_kra_host_name') + ca_host_name = ansible_module.params.get('_ca_host_name') options.subject_base = ansible_module.params.get('subject_base') if options.subject_base is not None: @@ -243,6 +249,7 @@ def main(): options._ca_subject = ansible_module.params.get('_ca_subject') options._subject_base = ansible_module.params.get('_subject_base') + dirman_password = ansible_module.params.get('dirman_password') # init # 
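Review bot: The DOCUMENTATION entry added for `dirman_password` in ipareplica_setup_kra.py says `required: no`, but the argument spec added in the next hunk declares `dirman_password=dict(required=True, no_log=True)`; the entry should read `required: yes`. The same mismatch is in the DOCUMENTATION hunk of ipareplica_setup_krb.py. The new `_ca_host_name` argument gets no DOCUMENTATION entry at all; an entry `_ca_host_name:` with `description: The config ca_host_name setting` and `required: no` would keep the option list complete.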
@@ -254,14 +261,25 @@ def main(): constants.DEFAULT_CONFIG) api_bootstrap_finalize(env) config = gen_ReplicaConfig() + config.dirman_password = dirman_password config.subject_base = options.subject_base config.promote = installer.promote config.kra_enabled = kra_enabled config.kra_host_name = kra_host_name + config.ca_host_name = ca_host_name + config.master_host_name = master_host_name remote_api = gen_remote_api(master_host_name, paths.ETC_IPA) installer._remote_api = remote_api + conn = remote_api.Backend.ldap2 + ccache = os.environ['KRB5CCNAME'] + + # There is a api.Backend.ldap2.connect call somewhere in ca, ds, dns or + # ntpinstance + api.Backend.ldap2.connect() + conn.connect(ccache=ccache) + with redirect_stdout(ansible_log): ansible_log.debug("-- INSTALL KRA --") diff --git a/roles/ipareplica/library/ipareplica_setup_krb.py b/roles/ipareplica/library/ipareplica_setup_krb.py index c8d09f7..4500a6f 100644 --- a/roles/ipareplica/library/ipareplica_setup_krb.py +++ b/roles/ipareplica/library/ipareplica_setup_krb.py @@ -63,6 +63,9 @@ options: _top_dir: description: The installer _top_dir setting required: no + dirman_password: + description: Directory Manager (master) password + required: no author: - Thomas Woerner ''' @@ -98,6 +101,7 @@ def main(): ccache=dict(required=True), _pkinit_pkcs12_info=dict(required=False, type='list'), _top_dir=dict(required=True), + dirman_password=dict(required=True, no_log=True), ), supports_check_mode=True, ) @@ -126,6 +130,7 @@ def main(): '_pkinit_pkcs12_info') options._top_dir = ansible_module.params.get('_top_dir') + dirman_password = ansible_module.params.get('dirman_password') # init # @@ -141,8 +146,10 @@ def main(): constants.DEFAULT_CONFIG) api_bootstrap_finalize(env) config = gen_ReplicaConfig() + config.dirman_password = dirman_password config.master_host_name = config_master_host_name config.subject_base = options.subject_base + config.setup_ca = options.setup_ca ccache = os.environ['KRB5CCNAME'] 
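Review bot: The connect calls added after `installer._remote_api = remote_api` in ipareplica_setup_kra.py run unguarded: ipalib rejects a second connect on an already connected backend, and a missing `KRB5CCNAME` or a failed bind to the master would surface as a raw traceback rather than a module failure. Guarding the local connection with `if not api.Backend.ldap2.isconnected():` before `api.Backend.ldap2.connect()`, and reporting connection errors through `ansible_module.fail_json(msg=...)`, would make the failure mode explicit. No matching disconnect for either connection is visible and no import of `os` is shown for this file; main() continues outside the hunk, so both may already be handled there. The comment above the call would also be clearer if it stated why the connection is needed here, e.g. `# KRA install needs a connected local ldap2 backend; upstream opens it in ca, ds, dns or ntpinstance`.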
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index c2a6222..ddb3f85 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -226,6 +226,8 @@ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}" setup_kra: "{{ result_ipareplica_test.setup_kra }}" setup_dns: "{{ ipareplica_setup_dns }}" + ### server ### + setup_ca: "{{ ipareplica_setup_ca }}" ### ssl certificate ### dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}" ### client ### @@ -332,6 +334,7 @@ _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" dirman_password: "{{ ipareplica_dirman_password }}" + setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" - name: Install - Setup KRB ipareplica_setup_krb: @@ -347,6 +350,7 @@ ccache: "{{ result_ipareplica_prepare.ccache }}" _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" + dirman_password: "{{ ipareplica_dirman_password }}" # We need to point to the master in ipa default conf when certmonger # asks for HTTP certificate in newer ipa versions. In these versions @@ -388,6 +392,7 @@ _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" dirman_password: "{{ ipareplica_dirman_password }}" + setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" master: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" when: result_ipareplica_test.change_master_for_certmonger 
@@ -471,6 +476,7 @@ _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" dirman_password: "{{ ipareplica_dirman_password }}" + setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" when: result_ipareplica_test.change_master_for_certmonger - name: Install - Setup otpd @@ -611,10 +617,12 @@ _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" + _ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}" _top_dir: "{{ result_ipareplica_prepare._top_dir }}" _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" _subject_base: "{{ result_ipareplica_prepare._subject_base }}" + dirman_password: "{{ ipareplica_dirman_password }}" when: result_ipareplica_test.setup_kra - name: Install - Restart KDC -- 2.26.2