/usr/sbin/ipa-ca-install is in freeipa-server 4.3.1-0ubuntu1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 | #! /usr/bin/python2 -E
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
import shutil
import tempfile
from ipapython import ipautil
from ipaserver.install import installutils
from ipaserver.install import certs
from ipaserver.install.installutils import create_replica_config
from ipaserver.install.installutils import check_creds, ReplicaConfig
from ipaserver.install import dsinstance, ca
from ipaserver.install import cainstance, custodiainstance, service
from ipapython import version
from ipalib import api
from ipalib.constants import DOMAIN_LEVEL_0
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import *
from ipaplatform.paths import paths
log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
REPLICA_INFO_TOP_DIR = None
def parse_options():
usage = "%prog [options] REPLICA_FILE"
parser = IPAOptionParser(usage=usage, version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
parser.add_option("-p", "--password", dest="password", sensitive=True,
help="Directory Manager (existing master) password")
parser.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
help="Admin user Kerberos password used for connection check")
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
parser.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
default=False, help="skip connection check to remote master")
parser.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option("--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
parser.add_option("--external-ca-type", dest="external_ca_type",
type="choice", choices=("generic", "ms-cs"),
help="Type of the external CA")
parser.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
type="choice",
choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
help="Signing algorithm of the IPA CA certificate")
parser.add_option("-P", "--principal", dest="principal", sensitive=True,
default=None, help="User allowed to manage replicas")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if args:
filename = args[0]
if len(args) != 1:
parser.error("you must provide a file generated by "
"ipa-replica-prepare")
options.external_ca = None
options.external_cert_files = None
else:
filename = None
if options.external_ca:
if options.external_cert_files:
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
if options.external_ca_type and not options.external_ca:
parser.error(
"You cannot specify --external-ca-type without --external-ca")
return safe_options, options, filename
def get_dirman_password():
return installutils.read_password(
"Directory Manager (existing master)", confirm=False, validate=False)
def install_replica(safe_options, options, filename):
if options.promote:
if filename is not None:
sys.exit("Too many parameters provided. "
"No replica file is required")
else:
if filename is None:
sys.exit("A replica file is required")
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
if not options.promote:
# Check if we have admin creds already, otherwise acquire them
check_creds(options, api.env.realm)
# get the directory manager password
dirman_password = options.password
if not dirman_password:
if options.unattended:
sys.exit('Directory Manager password required')
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
sys.exit("Directory Manager password required")
if (not options.promote and not options.admin_password and
not options.skip_conncheck and options.unattended):
sys.exit('admin password required')
if options.promote:
config = ReplicaConfig()
config.master_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = dirman_password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
cafile = paths.IPA_CA_CRT
else:
config = create_replica_config(dirman_password, filename, options)
cafile = config.dir + '/ca.crt'
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = True
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dirman_password)
if config.subject_base is None:
attrs = conn.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.master_host_name is None:
config.ca_host_name = \
service.find_providing_server('CA', conn, api.env.ca_host)
config.master_host_name = config.ca_host_name
else:
config.ca_host_name = config.master_host_name
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.dm_password = config.dirman_password
options.host_name = config.host_name
options.subject = config.subject_base
if os.path.exists(cafile):
options.ca_cert_file = cafile
else:
options.ca_cert_file = None
ca.install_check(True, config, options)
if options.promote:
ca_data = (os.path.join(config.dir, 'cacert.p12'),
config.dirman_password)
custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name)
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
host_name=config.host_name,
dm_password=config.dirman_password)
CA.configure_replica(config.ca_host_name,
subject_base=config.subject_base,
ca_cert_bundle=ca_data)
else:
ca.install(True, config, options)
def install_master(safe_options, options):
dm_password = options.password
if not dm_password:
if options.unattended:
sys.exit('Directory Manager password required')
try:
dm_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dm_password is None:
sys.exit("Directory Manager password required")
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dm_password)
config = api.Command['config_show']()['result']
subject_base = config['ipacertificatesubjectbase'][0]
options.realm_name = api.env.realm
options.domain_name = api.env.domain
options.dm_password = dm_password
options.host_name = api.env.host
options.subject = subject_base
ca.install_check(True, None, options)
ca.install(True, None, options)
def install(safe_options, options, filename):
options.promote = False
try:
if filename is None:
install_master(safe_options, options)
else:
install_replica(safe_options, options, filename)
finally:
# Clean up if we created custom credentials
created_ccache_file = getattr(options, 'created_ccache_file', None)
if created_ccache_file is not None:
try:
os.unlink(created_ccache_file)
except OSError:
pass
def promote(safe_options, options, filename):
options.promote = True
with ipautil.private_ccache():
ccache = os.environ['KRB5CCNAME']
ipautil.kinit_keytab(
'host/{env.host}@{env.realm}'.format(env=api.env),
paths.KRB5_KEYTAB,
ccache)
conn = api.Backend.ldap2
conn.connect(ccache=ccache)
ca_host = service.find_providing_server('CA', conn)
conn.disconnect()
if ca_host is None:
install_master(safe_options, options)
else:
install_replica(safe_options, options, filename)
def main():
safe_options, options, filename = parse_options()
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
if not dsinstance.DsInstance().is_configured():
sys.exit("IPA server is not configured on this system.\n")
if (not options.external_cert_files and
cainstance.is_ca_installed_locally()):
sys.exit("CA is already installed on this host.")
standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
root_logger.debug("%s was invoked with options: %s,%s",
sys.argv[0], safe_options, filename)
root_logger.debug("IPA version %s", version.VENDOR_VERSION)
# override ra_plugin setting read from default.conf so that we have
# functional dogtag backend plugins during CA install
api.bootstrap(in_server=True, ra_plugin='dogtag')
api.finalize()
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
promote(safe_options, options, filename)
else:
install(safe_options, options, filename)
# execute ipactl to refresh services status
ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
raiseonerr=False)
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
'''
if __name__ == '__main__':
try:
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-ca-install',
fail_message=fail_message)
finally:
# always try to remove decrypted replica file
try:
if REPLICA_INFO_TOP_DIR:
shutil.rmtree(REPLICA_INFO_TOP_DIR)
except OSError:
pass
|