internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-15 05:52:24 +00:00
Code Issues Projects Releases Wiki Activity

New role for ipaserver installation

Browse Source 
The support for external cert files is not complete yet.
This commit is contained in:
Thomas Woerner
2017-12-01 13:15:34 +01:00
parent 86323feb80
commit 079049fa66
39 changed files with 5207 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

536
roles/ipaserver/library/ipaserver.py Normal file
View File

@@ -0,0 +1,536 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Florence Blanc-Renaud <frenaud@redhat.com>
# Thomas Woerner <twoerner@redhat.com>
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
ANSIBLE_METADATA = {'metadata_version': '1.0',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = '''
---
module: ipaserver
short description: Configures a server machine as IPA server
description:
Configures a server machine to use IPA for authentication and
identity services.
The enrollment requires one authentication method among the 3 following:
- Kerberos principal and password (principal/password)
- Kerberos keytab file (keytab)
- One-Time-Password (otp)
options:
state:
description: the server state
required: false
default: present
choices: [ "present", "absent" ]
domain:
description: The primary DNS domain of an existing IPA deployment
required: true
realm:
description: The Kerberos realm of an existing IPA deployment
required: true
password:
description: The password for the kerberos admin
required: true
dm_password:
description: The password for the Directory Manager
required: true
# ip_addresses:
# description: Master Server IP Addresses
# required: false
# hostname:
# description: Fully qualified name of this host
# required: false
mkhomedir:
description: Create home directories for users on their first login
required: false
default: no
setup_dns:
description: Configure bind with our zone
required: false
default: no
no_host_dns:
description: Do not use DNS for hostname lookup during installation
required: false
default: no
no_ntp:
description: Do not configure ntp
required: false
default: no
idstart:
description: The starting value for the IDs range (default random)
required: false
idmax:
description: The max value for the IDs range (default: idstart+199999)
required: false
no_hbac_allow:
description: Don't install allow_all HBAC rule
required: false
default: no
# ignore_topology_disconnect:
# description: Do not check whether server uninstall disconnects the topology (domain level 1+)
# required: false
# default: no
# ignore_last_of_role:
# description: Do not check whether server uninstall removes last CA/DNS server or DNSSec master (domain level 1+)
# required: false
no_pkinit:
description: Disables pkinit setup steps
required: false
no_ui_redirect:
description: Do not automatically redirect to the Web UI
required: false
ssh_trust_dns:
description: Configure OpenSSH client to trust DNS SSHFP records
required: false
no_ssh:
description: Do not configure OpenSSH client
required: false
no_sshd:
description: Do not configure OpenSSH server
required: false
no_dns_sshfp:
description: Do not automatically create DNS SSHFP records
required: false
dirsrv_config_file:
description: The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance
required: false
external_ca:
description: Generate a CSR for the IPA CA certificate to be signed by an external CA
required: false
external_ca_type:
description: Type of the external CA
required: false
external_cert_files:
description: File containing the IPA CA certificate and the external CA certificate chain
required: false
dirsrv_cert_files:
description: File containing the Directory Server SSL certificate and private key
required: false
dirsrv_pin:
description: The password to unlock the Directory Server private key
required: false
dirsrv_cert_name:
description: Name of the Directory Server SSL certificate to install
required: false
http_cert_files:
description: File containing the Apache Server SSL certificate and private key
required: false
http_pin:
description: The password to unlock the Apache Server private key
required: false
http_cert_name:
description: Name of the Apache Server SSL certificate to install
required: false
pkinit_cert_files:
description: File containing the Kerberos KDC SSL certificate and private key
required: false
pkinit_pin:
description: The password to unlock the Kerberos KDC private key
required: false
pkinit_cert_name:
description: Name of the Kerberos KDC SSL certificate to install
required: false
ca_cert_files:
description: File containing CA certificates for the service certificate files
required: false
subject:
description: The certificate subject base (default O=<realm-name>)
required: false
ca_signing_algorithm:
description: Signing algorithm of the IPA CA certificate
required: false
forwarders:
description: Add DNS forwarders
required: false
author:
- Florence Blanc-Renaud
- Thomas Woerner
'''
EXAMPLES = '''
# Example from Ansible Playbooks
# Unenroll server
- ipaserver:
state: absent
# Enroll server using admin credentials, with auto-discovery
- ipaserver:
password: MySecretPassword
dm_password: MySecretPassword
'''
RETURN = '''
tbd
'''
import os
from six.moves.configparser import RawConfigParser
from ansible.module_utils.basic import AnsibleModule
try:
from ipalib.install.sysrestore import SYSRESTORE_STATEFILE
except ImportError:
from ipapython.sysrestore import SYSRESTORE_STATEFILE
from ipaplatform.paths import paths
def is_server_configured():
"""
Check if ipa server is configured.
IPA server is configured when /etc/ipa/default.conf exists and
/var/lib/ipa/sysrestore/sysrestore.state exists.
:returns: boolean
"""
return (os.path.isfile(paths.IPA_DEFAULT_CONF) and
os.path.isfile(os.path.join(paths.SYSRESTORE,
SYSRESTORE_STATEFILE)))
def get_ipa_conf():
"""
Return IPA configuration read from /etc/ipa/default.conf
:returns: dict containing key,value
"""
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
result = dict()
for item in ['basedn', 'realm', 'domain', 'server', 'host', 'xmlrpc_uri']:
if parser.has_option('global', item):
value = parser.get('global', item)
else:
value = None
if value:
result[item] = value
return result
def main():
module = AnsibleModule(
supports_check_mode=True,
argument_spec=dict(
state=dict(default='present', choices=['present', 'absent']),
# basic
dm_password=dict(required=False, no_log=True),
password=dict(required=False, no_log=True),
# ip_addresses=dict(required=False, type='list'),
domain=dict(required=True),
realm=dict(required=True),
# hostname=dict(required=False),
ca_cert_files=dict(required=False, type='list'),
no_host_dns=dict(required=False, type='bool', default=False),
# server
# setup_adtrust=dict(required=False, type='bool', default=F#alse),
# setup_kra=dict(required=False, type='bool', default=False),
setup_dns=dict(required=False, type='bool', default=False),
idstart=dict(required=False, type='int', default=0),
idmax=dict(required=False, type='int', default=0),
no_hbac_allow=dict(required=False, type='bool', default=False),
no_pkinit=dict(required=False, type='bool', default=False),
no_ui_redirect=dict(required=False, type='bool', default=False),
dirsrv_config_file=dict(required=False),
# ssl certificate
dirsrv_cert_files=dict(required=False, type='list'),
dirsrv_pin=dict(required=False),
dirsrv_cert_name=dict(required=False),
http_cert_files=dict(required=False, type='list'),
http_pin=dict(required=False),
http_cert_name=dict(required=False),
pkinit_cert_files=dict(required=False, type='list'),
pkinit_pin=dict(required=False),
pkinit_cert_name=dict(required=False),
# client
mkhomedir=dict(required=False, type='bool', default=False),
no_ntp=dict(required=False, type='bool', default=False),
ssh_trust_dns=dict(required=False, type='bool', default=False),
no_ssh=dict(required=False, type='bool', default=False),
no_sshd=dict(required=False, type='bool', default=False),
no_dns_sshfp=dict(required=False, type='bool', default=False),
# certificate system
external_ca=dict(required=False),
external_ca_type=dict(default='generic',
choices=['generic', 'ms-cs']),
external_cert_files=dict(required=False, type='list'),
subject_base=dict(required=False),
ca_signing_algorithm=dict(required=False),
# dns
allow_zone_overlap=dict(required=False, type='bool', default=False),
reverse_zones=dict(required=False, type='list'),
no_reverse=dict(required=False, type='bool', default=False),
auto_reverse=dict(required=False, type='bool', default=False),
zone_manager=dict(required=False),
forwarders=dict(required=False, type='list'),
no_forwarders=dict(required=False, type='bool', default=False),
auto_forwarders=dict(required=False, type='bool', default=False),
forward_policy=dict(default='first', choices=['first', 'only']),
no_dnssec_validation=dict(required=False, type='bool', default=False),
# ad trust
enable_compat=dict(required=False, type='bool', default=False),
netbios_name=dict(required=False),
rid_base=dict(required=False),
secondary_rid_base=dict(required=False),
),
)
module._ansible_debug = True
state = module.params.get('state')
domain = module.params.get('domain')
realm = module.params.get('realm')
password = module.params.get('password')
dm_password = module.params.get('dm_password')
#ip_addresses = module.params.get('ip_addresses')
#hostname = module.params.get('hostname')
mkhomedir = module.params.get('mkhomedir')
setup_dns = module.params.get('setup_dns')
no_host_dns = module.params.get('no_host_dns')
no_ntp = module.params.get('no_ntp')
idstart = module.params.get('idstart')
idmax = module.params.get('idmax')
no_hbac_allow = module.params.get('no_hbac_allow')
ignore_topology_disconnect = module.params.get('ignore_topology_disconnect')
ignore_last_of_role = module.params.get('ignore_last_of_role')
no_pkinit = module.params.get('no_pkinit')
no_ui_redirect = module.params.get('no_ui_redirect')
ssh_trust_dns = module.params.get('ssh_trust_dns')
no_ssh = module.params.get('no_ssh')
no_sshd = module.params.get('no_sshd')
no_dns_sshfp = module.params.get('no_dns_sshfp')
dirsrv_config_file = module.params.get('dirsrv_config_file')
external_ca = module.params.get('external_ca')
external_ca_type = module.params.get('external_ca_type')
external_cert_files = module.params.get('external_cert_files')
dirsrv_cert_files=module.params.get('dirsrv_cert_files')
dirsrv_pin=module.params.get('dirsrv_pin')
dirsrv_cert_name=module.params.get('dirsrv_cert_name')
http_cert_files=module.params.get('http_cert_files')
http_pin=module.params.get('http_pin')
http_cert_name=module.params.get('http_cert_name')
pkinit_cert_files=module.params.get('pkinit_cert_files')
pkinit_pin=module.params.get('pkinit_pin')
pkinit_cert_name=module.params.get('pkinit_cert_name')
ca_cert_files=module.params.get('ca_cert_files')
subject=module.params.get('subject')
ca_signing_algorithm=module.params.get('ca_signing_algorithm')
forwarders = module.params.get('forwarders')
if state == 'present':
if not password or not dm_password:
module.fail_json(
msg="Password and dm password need to be specified")
# Check if ipa server is already configured
if is_server_configured():
# Check that realm and domain match
current_config = get_ipa_conf()
if domain and domain != current_config.get('domain'):
module.fail_json(msg="IPA server already installed "
"with a conflicting domain")
if realm and realm != current_config.get('realm'):
module.fail_json(msg="IPA server already installed "
"with a conflicting realm")
# server is already configured and no inconsistency
# detected
return module.exit_json(changed=False, domain=domain, realm=realm)
# ipa server not installed
if module.check_mode:
# Do nothing, just return changed=True
return module.exit_json(changed=True)
# basic options
cmd = [
module.get_bin_path("ipa-server-install"),
"-U",
"--ds-password", dm_password,
"--admin-password", password,
"--domain", domain,
"--realm", realm,
]
#for ip in ip_addresses:
# cmd.append("--ip-address=%s" % ip)
#if hostname:
# cmd.append("--hostname=%s" % hostname)
for cert_file in ca_cert_files:
cmd.append("--ca-cert-file=%s" % cert_file)
if no_host_dns:
cmd.append("--no-host-dns")
# server options
#if setup_adtrust:
# cmd.append("--setup-adtrust")
#if setup_kra:
# cmd.append("--setup-kra")
if setup_dns:
cmd.append("--setup-dns")
if idstart:
cmd.append("--idstart=%d", idstart)
if idmax:
cmd.append("--idstart=%d", idmax)
if no_hbac_allow:
cmd.append("--no_hbac_allow")
if no_pkinit:
cmd.append("--no-pkinit")
if no_ui_redirect:
cmd.append("--no-ui-redirect")
if dirsrv_config_file:
cmd.append("--dirsrv-config-file=%s" % dirsrv_config_file)
# ssl certificate options
for cert_file in dirsrv_cert_files:
cmd.append("--dirsrv-cert-file=%s" % cert_file)
if dirsrv_pin:
cmd.append("--dirsrv-pin=%s" % dirserv_pin)
if dirsrv_cert_name:
cmd.append("--dirsrv-cert-name=%s" % dirsrv_cert_name)
for cert_file in http_cert_files:
cmd.append("--http-cert-file=%s" % cert_file)
if http_pin:
cmd.append("--http-pin=%s" % http_pin)
if http_cert_name:
cmd.append("--http-cert-name=%s" % http_cert_name)
for cert_file in pkinit_cert_files:
cmd.append("--pkinit-cert-file=%s" % cert_file)
if pkinit_pin:
cmd.append("--pkinit-pin=%s" % pkinit_pin)
if pkinit_cert_name:
cmd.append("--pkinit-cert-name=%s" % pkinit_cert_name)
# client options
if mkhomedir:
cmd.append("--mkhomedir")
if no_ntp:
cmd.append("--no-ntp")
if ssh_trust_dns:
cmd.append("--ssh-trust-dns")
if no_ssh:
cmd.append("--no-ssh")
if no_sshd:
cmd.append("--no-sshd")
if no_dns_sshfp:
cmd.append("--no-dns-sshfp")
# certificate system options
if external_ca:
cmd.append("--external-ca")
if external_ca_type:
cmd.append("--external-ca-type=%s" % external_ca_type)
for cert_file in external_cert_files:
cmd.append("--external-cert-file=%s" % cert_file)
if subject_base:
cmd.append("--subject=%s" % subject)
if ca_signing_algorithm:
cmd.append("--ca-signing-algorithm=%s" % ca_signing_algorithm)
# dns options
if allow_zone_overlop:
cmd.append("--allow-zone-overlap")
for reverse_zone in reverse_zones:
cmd.append("--reverse-zone=%s" % reverse_zone)
if no_reverse:
cmd.append("--no-reverse")
if auto_reverse:
cmd.append("--auto-reverse")
if zonemgr:
cmd.append("--zonemgr=%s" % zonemgr)
for forwarder in forwarders:
cmd.append("--forwarder=%s" % forwarder)
if no_forwarders:
cmd.append("--no-forwarders")
if auto_forwarders:
cmd.append("--auto-forwarders")
if forward_policy:
cmd.append("--forward-policy=%s" % forward_policy)
if no_dnssec_validation:
cmd.append("--no-dnssec-validation")
# ad trust options
#if enable_compat:
# cmd.append("--enable-compat")
#if netbios_name:
# cmd.append("--netbios-name=%s" % netbios_name)
#if rid_base:
# cmd.append("--rid-base=%s" % rid_base)
#if secondary_rid_base:
# cmd.append("--secondary-rid-base=%s" % rid_base)
else: # state == adsent
if not is_server_configured():
# Nothing to do
module.exit_json(changed=False)
# Server is configured
# If in check mode, do nothing but return changed=True
if module.check_mode:
module.exit_json(changed=True)
cmd = [
module.get_bin_path('ipa-server-install'),
"--uninstall",
"-U",
]
if ignore_topology_disconnect:
cmd.append("--ignore-topology-disconnect")
if ignore_last_of_role:
cmd.append("--ignore-last-of-role")
retcode, stdout, stderr = module.run_command(cmd)
if retcode != 0:
module.fail_json(msg="Failed to uninstall IPA server: %s" % stderr)
module.exit_json(changed=True)
if __name__ == '__main__':
main()

96
roles/ipaserver/library/ipaserver_enable_ipa.py Normal file
View File

@@ -0,0 +1,96 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: enable_ipa
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
hostname=dict(required=False),
setup_ca=dict(required=True, type='bool'),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values #############################################################
options.host_name = ansible_module.params.get('hostname')
options.setup_ca = ansible_module.params.get('setup_ca')
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
context='installer',
confdir=paths.ETC_IPA,
in_server=True,
# make sure host name specified by user is used instead of default
host=options.host_name,
)
if options.setup_ca:
# we have an IPA-integrated CA
cfg['ca_host'] = options.host_name
api.bootstrap(**cfg)
api.finalize()
api.Backend.ldap2.connect()
# setup ds ######################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
with redirect_stdout(ansible_log):
services.knownservices.ipa.enable()
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

94
roles/ipaserver/library/ipaserver_load_cache.py Normal file
View File

@@ -0,0 +1,94 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: ipaserver_load_cache
short description:
description:
options:
dm_password:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
### basic ###
dm_password=dict(required=True, no_log=True),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
### basic ###
options.dm_password = ansible_module.params.get('dm_password')
# restore cache #########################################################
if ipautil.file_exists(paths.ROOT_IPA_CACHE):
if options.dm_password is None:
ansible_module.fail_json(msg="Directory Manager password required")
try:
cache_vars = read_cache(dm_password)
options.__dict__.update(cache_vars)
if cache_vars.get('external_ca', False):
options.external_ca = False
options.interactive = False
except Exception as e:
ansible_module.fail_json(
msg="Cannot process the cache file: %s" % str(e))
kwargs = { "changed": True }
for name in options.__dict__:
kwargs[name] = options.__dict__[name]
ansible_module.exit_json(kwargs)
# done ##################################################################
ansible_module.exit_json(changed=False)
if __name__ == '__main__':
main()

93
roles/ipaserver/library/ipaserver_master_password.py Normal file
View File

@@ -0,0 +1,93 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: master_password
short description: Generate kerberos master password if not given
description:
Generate kerberos master password if not given
options:
master_password:
description: kerberos master password (normally autogenerated)
required: false
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
value:
description: The master password
returned: always
'''
import os
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
module = AnsibleModule(
argument_spec = dict(
#basic
dm_password=dict(required=True, no_log=True),
master_password=dict(required=False, no_log=True),
),
supports_check_mode = True,
)
module._ansible_debug = True
options.dm_password = module.params.get('dm_password')
options.master_password = module.params.get('master_password')
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
# This will override any settings passed in on the cmdline
if os.path.isfile(paths.ROOT_IPA_CACHE):
# dm_password check removed, checked already
try:
cache_vars = read_cache(options.dm_password)
options.__dict__.update(cache_vars)
except Exception as e:
module.fail_json(msg="Cannot process the cache file: %s" % str(e))
if not options.master_password:
options.master_password = ipa_generate_password()
module.exit_json(changed=True,
value=options.master_password)
if __name__ == '__main__':
main()

262
roles/ipaserver/library/ipaserver_prepare.py Normal file
View File

@@ -0,0 +1,262 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: ipaserver_prepare
short description:
description:
options:
dm_password:
password:
ip_addresses:
domain:
realm:
hostname:
ca_cert_files:
no_host_dns:
setup_adtrust:
setup_kra:
setup_dns:
external_ca:
external_cert_files:
subject_base:
ca_subject:
reverse_zones:
no_reverse:
auto_reverse:
forwarders:
no_forwarders:
auto_forwarders:
forward_policy:
enable_compat:
netbios_name:
rid_base:
secondary_rid_base:
setup_ca:
_hostname_overridden:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
### basic ###
dm_password=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
ip_addresses=dict(required=False, type='list', default=[]),
domain=dict(required=True),
realm=dict(required=True),
hostname=dict(required=False),
ca_cert_files=dict(required=False, type='list', default=[]),
no_host_dns=dict(required=False, type='bool', default=False),
### server ###
setup_adtrust=dict(required=False, type='bool', default=False),
setup_kra=dict(required=False, type='bool', default=False),
setup_dns=dict(required=False, type='bool', default=False),
### ssl certificate ###
### client ###
### certificate system ###
external_ca=dict(required=False),
external_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
ca_subject=dict(required=False),
### dns ###
reverse_zones=dict(required=False, type='list', default=[]),
no_reverse=dict(required=False, type='bool', default=False),
auto_reverse=dict(required=False, type='bool', default=False),
forwarders=dict(required=False, type='list', default=[]),
no_forwarders=dict(required=False, type='bool', default=False),
auto_forwarders=dict(required=False, type='bool', default=False),
forward_policy=dict(required=False),
### ad trust ###
enable_compat=dict(required=False, type='bool', default=False),
netbios_name=dict(required=False),
rid_base=dict(required=False, type='int'),
secondary_rid_base=dict(required=False, type='int'),
### additional ###
setup_ca=dict(required=False, type='bool', default=False),
_hostname_overridden=dict(required=False, type='bool',
default=False),
),
supports_check_mode = True,
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ####################################################
options.dm_password = ansible_module.params.get('dm_password')
options.admin_password = ansible_module.params.get('password')
options.ip_addresses = ansible_module.params.get('ip_addresses')
options.domain_name = ansible_module.params.get('domain')
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.ca_cert_files = ansible_module.params.get('ca_cert_files')
options.no_host_dns = ansible_module.params.get('no_host_dns')
### server ###
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
options.setup_kra = ansible_module.params.get('setup_kra')
options.setup_dns = ansible_module.params.get('setup_dns')
#options.no_pkinit = ansible_module.params.get('no_pkinit')
### ssl certificate ###
#options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
### client ###
#options.no_ntp = ansible_module.params.get('no_ntp')
### certificate system ###
options.external_ca = ansible_module.params.get('external_ca')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
options.ca_subject = ansible_module.params.get('ca_subject')
### dns ###
options.reverse_zones = ansible_module.params.get('reverse_zones')
options.no_reverse = ansible_module.params.get('no_reverse')
options.auto_reverse = ansible_module.params.get('auto_reverse')
options.forwarders = ansible_module.params.get('forwarders')
options.no_forwarders = ansible_module.params.get('no_forwarders')
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
options.forward_policy = ansible_module.params.get('forward_policy')
### additional ###
options.setup_ca = ansible_module.params.get('setup_ca')
options._host_name_overridden = ansible_module.params.get(
'_hostname_overridden')
# init ##################################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
context='installer',
confdir=paths.ETC_IPA,
in_server=True,
# make sure host name specified by user is used instead of default
host=options.host_name,
)
if options.setup_ca:
# we have an IPA-integrated CA
cfg['ca_host'] = options.host_name
# Create the management framework config file and finalize api
target_fname = paths.IPA_DEFAULT_CONF
fd = open(target_fname, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % options.host_name)
fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
fd.write("realm=%s\n" % options.realm_name)
fd.write("domain=%s\n" % options.domain_name)
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % \
format_netloc(options.host_name))
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % \
installutils.realm_to_serverid(options.realm_name))
if options.setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
fd.write("mode=production\n")
fd.close()
# Must be readable for everyone
os.chmod(target_fname, 0o644)
api.bootstrap(**cfg)
api.finalize()
if options.setup_ca:
with redirect_stdout(ansible_log):
ca.install_check(False, None, options)
if options.setup_kra:
with redirect_stdout(ansible_log):
kra.install_check(api, None, options)
if options.setup_dns:
with redirect_stdout(ansible_log):
dns.install_check(False, api, False, options, options.host_name)
ip_addresses = dns.ip_addresses
else:
ip_addresses = get_server_ip_address(options.host_name,
not options.interactive, False,
options.ip_addresses)
# check addresses here, dns module is doing own check
no_matching_interface_for_ip_address_warning(ip_addresses)
options.ip_addresses = ip_addresses
options.reverse_zones = dns.reverse_zones
instance_name = "-".join(options.realm_name.split("."))
dirsrv = services.knownservices.dirsrv
if (options.external_cert_files
and dirsrv.is_installed(instance_name)
and not dirsrv.is_running(instance_name)):
logger.debug('Starting Directory Server')
services.knownservices.dirsrv.start(instance_name)
if options.setup_adtrust:
with redirect_stdout(ansible_log):
adtrust.install_check(False, options, api)
_update_hosts_file = False
# options needs to update hosts file when DNS subsystem will be
# installed or custom addresses are used
if options.ip_addresses or options.setup_dns:
_update_hosts_file = True
if options._host_name_overridden:
tasks.backup_hostname(fstore, sstore)
tasks.set_hostname(options.host_name)
if _update_hosts_file:
update_hosts_file(ip_addresses, options.host_name, fstore)
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

138
roles/ipaserver/library/ipaserver_set_ds_password.py Normal file
View File

@@ -0,0 +1,138 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: set_ds_password
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
### basic ###
dm_password=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
domain=dict(required=True),
realm=dict(required=True),
hostname=dict(required=True),
### server ###
setup_ca=dict(required=True, type='bool'),
idstart=dict(required=True, type='int'),
idmax=dict(required=True, type='int'),
no_hbac_allow=dict(required=False, type='bool', default=False),
no_pkinit=dict(required=False, type='bool', default=False),
dirsrv_config_file=dict(required=False),
_dirsrv_pkcs12_info=dict(required=False),
### ssl certificate ###
dirsrv_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
ca_subject=dict(required=False),
### certificate system ###
external_cert_files=dict(required=False, type='list', default=[]),
### additional ###
domainlevel=dict(required=False, type='int',
default=MAX_DOMAIN_LEVEL),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ####################################################
### basic ###
options.dm_password = ansible_module.params.get('dm_password')
options.admin_password = ansible_module.params.get('password')
options.domain_name = ansible_module.params.get('domain')
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
### server ###
options.setup_ca = ansible_module.params.get('setup_ca')
options.idstart = ansible_module.params.get('idstart')
options.idmax = ansible_module.params.get('idmax')
options.no_hbac_allow = ansible_module.params.get('no_hbac_allow')
options.no_pkinit = ansible_module.params.get('no_pkinit')
options.dirsrv_config_file = ansible_module.params.get('dirsrv_config_file')
options._dirsrv_pkcs12_info = ansible_module.params.get(
'_dirsrv_pkcs12_info')
### ssl certificate ###
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
options.ca_subject = ansible_module.params.get('ca_subject')
### certificate system ###
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
### additional ###
options.domainlevel = ansible_module.params.get('domainlevel')
options.domain_level = options.domainlevel
# init ##########################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
ds = ds_init_info(ansible_log, fstore,
options.domainlevel, options.dirsrv_config_file,
options.realm_name, options.host_name,
options.domain_name, options.dm_password,
options.idstart, options.idmax,
options.subject_base, options.ca_subject,
options.no_hbac_allow, options._dirsrv_pkcs12_info,
options.no_pkinit)
# set ds password ###############################################
with redirect_stdout(ansible_log):
ds.change_admin_password(options.admin_password)
# done ##########################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

88
roles/ipaserver/library/ipaserver_setup_adtrust.py Normal file
View File

@@ -0,0 +1,88 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: setup_adtrust
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
# basic
hostname=dict(required=False),
setup_ca=dict(required=True, type='bool', default=False),
setup_adtrust=dict(required=True, type='bool', default=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ####################################################
options.host_name = ansible_module.params.get('hostname')
options.setup_ca = ansible_module.params.get('setup_ca')
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
# init ##########################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
api_Backend_ldap2_connect(options.host_name, options.setup_ca)
# setup ds ######################################################
with redirect_stdout(ansible_log):
adtrust.install(False, options, fstore, api)
# done ##########################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

223
roles/ipaserver/library/ipaserver_setup_ca.py Normal file
View File

@@ -0,0 +1,223 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: ipaserver_setup_ca
short description:
description:
options:
dm_password:
password:
master_password:
ip_addresses:
domain:
realm:
hostname:
no_host_dns:
setup_adtrust:
setup_kra:
setup_dns:
setup_ca:
idstart:
idmax:
no_hbac_allow:
no_pkinit:
dirsrv_config_file:
dirsrv_cert_files:
_dirsrv_pkcs12_info:
external_ca:
subject_base:
_subject_base:
ca_subject:
_ca_subject:
ca_signing_algorithm:
reverse_zones:
no_reverse:
auto_forwarders:
domainlevel:
_http_ca_cert:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
### basic ###
dm_password=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
master_password=dict(required=True, no_log=True),
ip_addresses=dict(required=False, type='list', default=[]),
domain=dict(required=True),
realm=dict(required=True),
hostname=dict(required=False),
no_host_dns=dict(required=False, type='bool', default=False),
### server ###
setup_adtrust=dict(required=False, type='bool', default=False),
setup_kra=dict(required=False, type='bool', default=False),
setup_dns=dict(required=False, type='bool', default=False),
setup_ca=dict(required=False, type='bool', default=False),
idstart=dict(required=True, type='int'),
idmax=dict(required=True, type='int'),
no_hbac_allow=dict(required=False, type='bool', default=False),
no_pkinit=dict(required=False, type='bool', default=False),
dirsrv_config_file=dict(required=False),
dirsrv_cert_files=dict(required=False),
_dirsrv_pkcs12_info=dict(required=False),
### certificate system ###
external_ca=dict(required=False, type='bool', default=False),
external_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
_subject_base=dict(required=False),
ca_subject=dict(required=False),
_ca_subject=dict(required=False),
ca_signing_algorithm=dict(required=False),
### dns ###
reverse_zones=dict(required=False, type='list', default=[]),
no_reverse=dict(required=False, type='bool', default=False),
auto_forwarders=dict(required=False, type='bool', default=False),
### additional ###
domainlevel=dict(required=False, type='int'),
_http_ca_cert=dict(required=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
### basic ###
options.dm_password = ansible_module.params.get('dm_password')
options.admin_password = ansible_module.params.get('password')
options.master_password = ansible_module.params.get('master_password')
options.ip_addresses = ansible_module.params.get('ip_addresses')
options.domain_name = ansible_module.params.get('domain')
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.no_host_dns = ansible_module.params.get('no_host_dns')
### server ###
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
options.setup_kra = ansible_module.params.get('setup_kra')
options.setup_dns = ansible_module.params.get('setup_dns')
options.setup_ca = ansible_module.params.get('setup_ca')
options.idstart = ansible_module.params.get('idstart')
options.idmax = ansible_module.params.get('idmax')
options.no_hbac_allow = ansible_module.params.get('no_hbac_allow')
options.no_pkinit = ansible_module.params.get('no_pkinit')
options.dirsrv_config_file = ansible_module.params.get('dirsrv_config_file')
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
options._dirsrv_pkcs12_info = ansible_module.params.get(
'_dirsrv_pkcs12_info')
### certificate system ###
options.external_ca = ansible_module.params.get('external_ca')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
options._subject_base = ansible_module.params.get('_subject_base')
options.ca_subject = ansible_module.params.get('ca_subject')
options._ca_subject = ansible_module.params.get('_ca_subject')
options.ca_signing_algorithm = ansible_module.params.get(
'ca_signing_algorithm')
### dns ###
options.reverse_zones = ansible_module.params.get('reverse_zones')
options.no_reverse = ansible_module.params.get('no_reverse')
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
### additional ###
options.domainlevel = ansible_module.params.get('domainlevel')
options._http_ca_cert = ansible_module.params.get('_http_ca_cert')
#options._update_hosts_file = ansible_module.params.get('update_hosts_file')
# init #################################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
ds = ds_init_info(ansible_log, fstore,
options.domainlevel, options.dirsrv_config_file,
options.realm_name, options.host_name,
options.domain_name, options.dm_password,
options.idstart, options.idmax,
options.subject_base, options.ca_subject,
options.no_hbac_allow, options._dirsrv_pkcs12_info,
options.no_pkinit)
# setup CA ##############################################################
with redirect_stdout(ansible_log):
if options.setup_ca:
if not options.external_cert_files and options.external_ca:
# stage 1 of external CA installation
cache_vars = {n: options.__dict__[n] for o, n in options.knobs()
if n in options.__dict__}
write_cache(cache_vars)
ca.install_step_0(False, None, options)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
os.chmod(paths.IPA_CA_CRT, 0o444)
if not options.no_pkinit:
x509.write_certificate(options._http_ca_cert,
paths.KDC_CA_BUNDLE_PEM)
else:
with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
pass
os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
os.chmod(paths.CA_BUNDLE_PEM, 0o444)
with redirect_stdout(ansible_log):
# we now need to enable ssl on the ds
ds.enable_ssl()
if options.setup_ca:
with redirect_stdout(ansible_log):
ca.install_step_1(False, None, options)
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

93
roles/ipaserver/library/ipaserver_setup_custodia.py Normal file
View File

@@ -0,0 +1,93 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: ipaserver_setup_custodia
short description:
description:
options:
realm:
hostname:
setup_ca:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
# basic
realm=dict(required=True),
hostname=dict(required=False),
setup_ca=dict(required=False, type='bool', default=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.setup_ca = ansible_module.params.get('setup_ca')
# init ##################################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
# setup custodia ########################################################
custodia = custodiainstance.CustodiaInstance(options.host_name,
options.realm_name)
custodia.set_output(ansible_log)
with redirect_stdout(ansible_log):
custodia.create_instance()
# done ##################################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

119
roles/ipaserver/library/ipaserver_setup_dns.py Normal file
View File

@@ -0,0 +1,119 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: setup_dns
short description:
description:
options:
hostname:
setup_dns:
setup_ca:
zonemgr:
forwarders:
forward_policy:
no_dnssec_validation:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
### basic ###
hostname=dict(required=True),
### server ###
setup_dns=dict(required=True, type='bool'),
setup_ca=dict(required=True, type='bool'),
### dns ###
zonemgr=dict(required=False),
forwarders=dict(required=True, type='list'),
forward_policy=dict(default='first', choices=['first', 'only']),
no_dnssec_validation=dict(required=False, type='bool',
default=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
### basic ###
options.host_name = ansible_module.params.get('hostname')
### server ###
options.setup_dns = ansible_module.params.get('setup_dns')
options.setup_ca = ansible_module.params.get('setup_ca')
### dns ###
options.zonemgr = ansible_module.params.get('zonemgr')
options.forwarders = ansible_module.params.get('forwarders')
options.forward_policy = ansible_module.params.get('forward_policy')
options.no_dnssec_validation = ansible_module.params.get(
'no_dnssec_validation')
# init ##################################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
# setup dns #############################################################
with redirect_stdout(ansible_log):
if options.setup_dns:
dns.install(False, False, options)
else:
# Create a BIND instance
bind = bindinstance.BindInstance(fstore)
bind.set_output(ansible_log)
bind.setup(host_name, ip_addresses, realm_name,
domain_name, (), 'first', (),
zonemgr=options.zonemgr,
no_dnssec_validation=options.no_dnssec_validation)
bind.create_file_with_system_records()
# done ##################################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

171
roles/ipaserver/library/ipaserver_setup_ds.py Normal file
View File

@@ -0,0 +1,171 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: ipaserver_setup_ds
short description:
description:
options:
dm_password:
password:
domain:
realm:
hostname:
idstart:
idmax:
no_pkinit:
no_hbac_allow:
subject_base:
ca_subject:
setup_ca
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
### basic ###
dm_password=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
domain=dict(required=True),
realm=dict(required=True),
hostname=dict(required=False),
### server ###
idstart=dict(required=True, type='int'),
idmax=dict(required=True, type='int'),
no_hbac_allow=dict(required=False, type='bool', default=False),
no_pkinit=dict(required=False, type='bool', default=False),
dirsrv_config_file=dict(required=False),
### ssl certificate ###
dirsrv_cert_files=dict(required=False, type='list', default=[]),
### certificate system ###
external_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
ca_subject=dict(required=False),
### additional ###
setup_ca=dict(required=False, type='bool', default=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
### basic ###
options.dm_password = ansible_module.params.get('dm_password')
options.domain_name = ansible_module.params.get('domain')
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
### server ###
options.idstart = ansible_module.params.get('idstart')
options.idmax = ansible_module.params.get('idmax')
options.no_pkinit = ansible_module.params.get('no_pkinit')
options.no_hbac_allow = ansible_module.params.get('no_hbac_allow')
options.dirsrv_config_file = ansible_module.params.get('dirsrv_config_file')
### ssl certificate ###
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
### certificate system ###
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
options.ca_subject = ansible_module.params.get('ca_subject')
### additional ###
options.setup_ca = ansible_module.params.get('setup_ca')
# init ##################################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
# api Backend connect only if external_cert_files is not set
api_Backend_ldap2(options.host_name, options.setup_ca, connect=False)
# setup DS ##############################################################
# Create a directory server instance
if not options.external_cert_files:
ds = dsinstance.DsInstance(fstore=fstore,
domainlevel=options.domainlevel,
config_ldif=options.dirsrv_config_file)
ds.set_output(ansible_log)
if options.dirsrv_cert_files:
_dirsrv_pkcs12_info=options.dirsrv_pkcs12_info
else:
_dirsrv_pkcs12_info=None
with redirect_stdout(ansible_log):
ds.create_instance(options.realm_name, options.host_name,
options.domain_name,
options.dm_password, _dirsrv_pkcs12_info,
idstart=options.idstart, idmax=options.idmax,
subject_base=options.subject_base,
ca_subject=options.ca_subject,
hbac_allow=not options.no_hbac_allow,
setup_pkinit=not options.no_pkinit)
if not options.dirsrv_cert_files:
ntpinstance.ntp_ldap_enable(options.host_name, ds.suffix,
options.realm_name)
else:
api.Backend.ldap2.connect()
ds = dsinstance.DsInstance(fstore=fstore,
domainlevel=options.domainlevel)
ds.set_output(ansible_log)
with redirect_stdout(ansible_log):
ds.init_info(
options.realm_name, options.host_name, options.domain_name,
options.dm_password,
options.subject_base, options.ca_subject, 1101, 1100, None,
setup_pkinit=not options.no_pkinit)
# done ##################################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

206
roles/ipaserver/library/ipaserver_setup_http.py Normal file
View File

@@ -0,0 +1,206 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: setup_ds
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
# basic
dm_password=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
master_password=dict(required=True, no_log=True),
domain=dict(required=True),
realm=dict(required=True),
hostname=dict(required=False),
ip_addresses=dict(required=False, type='list', default=[]),
reverse_zones=dict(required=False, type='list', default=[]),
http_cert_files=dict(required=False, type='list', default=[]),
setup_adtrust=dict(required=False, type='bool', default=False),
setup_kra=dict(required=False, type='bool', default=False),
setup_dns=dict(required=False, type='bool', default=False),
setup_ca=dict(required=False, type='bool', default=False),
no_host_dns=dict(required=False, type='bool', default=False),
no_pkinit=dict(required=False, type='bool', default=False),
no_hbac_allow=dict(required=False, type='bool', default=False),
no_ui_redirect=dict(required=False, type='bool', default=False),
external_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
_subject_base=dict(required=False),
ca_subject=dict(required=False),
_ca_subject=dict(required=False),
idstart=dict(required=True, type='int'),
idmax=dict(required=True, type='int'),
domainlevel=dict(required=False, type='int'),
dirsrv_config_file=dict(required=False),
dirsrv_cert_files=dict(required=False, type='list', default=[]),
no_reverse=dict(required=False, type='bool', default=False),
auto_forwarders=dict(required=False, type='bool', default=False),
#_update_hosts_file=dict(required=False, type='bool', default=False),
_dirsrv_pkcs12_info=dict(required=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
options.dm_password = ansible_module.params.get('dm_password')
options.admin_password = ansible_module.params.get('password')
options.master_password = ansible_module.params.get('master_password')
options.domain_name = ansible_module.params.get('domain')
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.ip_addresses = ansible_module.params.get('ip_addresses')
options.reverse_zones = ansible_module.params.get('reverse_zones')
options.http_cert_files = ansible_module.params.get('http_cert_files')
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
options.setup_kra = ansible_module.params.get('setup_kra')
options.setup_dns = ansible_module.params.get('setup_dns')
options.setup_ca = ansible_module.params.get('setup_ca')
options.no_host_dns = ansible_module.params.get('no_host_dns')
options.no_pkinit = ansible_module.params.get('no_pkinit')
options.no_hbac_allow = ansible_module.params.get('no_hbac_allow')
options.no_ui_redirect = ansible_module.params.get('no_ui_redirect')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
options._subject_base = ansible_module.params.get('_subject_base')
options.ca_subject = ansible_module.params.get('ca_subject')
options._ca_subject = ansible_module.params.get('_ca_subject')
options.no_reverse = ansible_module.params.get('no_reverse')
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
options.idstart = ansible_module.params.get('idstart')
options.idmax = ansible_module.params.get('idmax')
options.domainlevel = ansible_module.params.get('domainlevel')
options.dirsrv_config_file = ansible_module.params.get('dirsrv_config_file')
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
#options._update_hosts_file = ansible_module.params.get('_update_hosts_file')
options._dirsrv_pkcs12_info = ansible_module.params.get(
'_dirsrv_pkcs12_info')
# init ##################################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
ds = ds_init_info(ansible_log, fstore,
options.domainlevel, options.dirsrv_config_file,
options.realm_name, options.host_name,
options.domain_name, options.dm_password,
options.idstart, options.idmax,
options.subject_base, options.ca_subject,
options.no_hbac_allow, options._dirsrv_pkcs12_info,
options.no_pkinit)
# krb
krb = krbinstance.KrbInstance(fstore)
krb.set_output(ansible_log)
with redirect_stdout(ansible_log):
krb.init_info(options.realm_name, options.host_name,
setup_pkinit=not options.no_pkinit,
subject_base=options.subject_base)
# setup HTTP ############################################################
# Create a HTTP instance
http = httpinstance.HTTPInstance(fstore)
http.set_output(ansible_log)
with redirect_stdout(ansible_log):
if options.http_cert_files:
http.create_instance(
options.realm_name, options.host_name, options.domain_name, options.dm_password,
pkcs12_info=options._http_pkcs12_info, subject_base=options.subject_base,
auto_redirect=not options.no_ui_redirect,
ca_is_configured=options.setup_ca)
else:
http.create_instance(
options.realm_name, options.host_name, options.domain_name, options.dm_password,
subject_base=options.subject_base,
auto_redirect=not options.no_ui_redirect,
ca_is_configured=options.setup_ca)
tasks.restore_context(paths.CACHE_IPA_SESSIONS)
ca.set_subject_base_in_config(options.subject_base)
# configure PKINIT now that all required services are in place
krb.enable_ssl()
# Apply any LDAP updates. Needs to be done after the configuration file
# is created. DS is restarted in the process.
service.print_msg("Applying LDAP updates")
ds.apply_updates()
# Restart krb after configurations have been changed
service.print_msg("Restarting the KDC")
krb.restart()
# done ##################################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

90
roles/ipaserver/library/ipaserver_setup_kra.py Normal file
View File

@@ -0,0 +1,90 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: setup_kra
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
# basic
dm_password=dict(required=True, no_log=True),
hostname=dict(required=True),
setup_ca=dict(required=True, type='bool'),
setup_kra=dict(required=True, type='bool'),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ####################################################
options.dm_password = ansible_module.params.get('dm_password')
options.host_name = ansible_module.params.get('hostname')
options.setup_ca = ansible_module.params.get('setup_ca')
options.setup_kra = ansible_module.params.get('setup_kra')
# init ##########################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
# setup kra #####################################################
with redirect_stdout(ansible_log):
kra.install(api, None, options)
# done ##########################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

155
roles/ipaserver/library/ipaserver_setup_krb.py Normal file
View File

@@ -0,0 +1,155 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: setup_ds
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
# basic
dm_password=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
master_password=dict(required=True, no_log=True),
domain=dict(required=True),
realm=dict(required=True),
hostname=dict(required=False),
ip_addresses=dict(required=False, type='list', default=[]),
reverse_zones=dict(required=False, type='list', default=[]),
setup_adtrust=dict(required=False, type='bool', default=False),
setup_kra=dict(required=False, type='bool', default=False),
setup_dns=dict(required=False, type='bool', default=False),
setup_ca=dict(required=False, type='bool', default=False),
no_host_dns=dict(required=False, type='bool', default=False),
no_pkinit=dict(required=False, type='bool', default=False),
no_hbac_allow=dict(required=False, type='bool', default=False),
external_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
ca_subject=dict(required=False),
idstart=dict(required=True, type='int'),
idmax=dict(required=True, type='int'),
no_reverse=dict(required=False, type='bool', default=False),
auto_forwarders=dict(required=False, type='bool', default=False),
_pkinit_pkcs12_info=dict(required=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
options.dm_password = ansible_module.params.get('dm_password')
options.admin_password = ansible_module.params.get('password')
options.master_password = ansible_module.params.get('master_password')
options.domain_name = ansible_module.params.get('domain')
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.ip_addresses = ansible_module.params.get('ip_addresses')
options.reverse_zones = ansible_module.params.get('reverse_zones')
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
options.setup_kra = ansible_module.params.get('setup_kra')
options.setup_dns = ansible_module.params.get('setup_dns')
options.setup_ca = ansible_module.params.get('setup_ca')
options.no_host_dns = ansible_module.params.get('no_host_dns')
options.no_pkinit = ansible_module.params.get('no_pkinit')
options.no_hbac_allow = ansible_module.params.get('no_hbac_allow')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
options.ca_subject = ansible_module.params.get('ca_subject')
options.no_reverse = ansible_module.params.get('no_reverse')
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
options.idstart = ansible_module.params.get('idstart')
options.idmax = ansible_module.params.get('idmax')
options._pkinit_pkcs12_info = ansible_module.params.get(
'_pkinit_pkcs12_info')
#options._update_hosts_file = ansible_module.params.get('update_hosts_file')
# init ##################################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
# setup KRB #############################################################
krb = krbinstance.KrbInstance(fstore)
krb.set_output(ansible_log)
with redirect_stdout(ansible_log):
if not options.external_cert_files:
krb.create_instance(options.realm_name, options.host_name,
options.domain_name,
options.dm_password, options.master_password,
setup_pkinit=not options.no_pkinit,
pkcs12_info=options._pkinit_pkcs12_info,
subject_base=options.subject_base)
else:
krb.init_info(options.realm_name, options.host_name,
setup_pkinit=not options.no_pkinit,
subject_base=options.subject_base)
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

79
roles/ipaserver/library/ipaserver_setup_ntp.py Normal file
View File

@@ -0,0 +1,79 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: setup_ntp
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# init ##########################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
# setup NTP #####################################################
ntpconf.force_ntpd(sstore)
ntp = ntpinstance.NTPInstance(fstore)
ntp.set_output(ansible_log)
with redirect_stdout(ansible_log):
if not ntp.is_configured():
ntp.create_instance()
# done ##########################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

91
roles/ipaserver/library/ipaserver_setup_otpd.py Normal file
View File

@@ -0,0 +1,91 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: setup_otpd
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
# basic
realm=dict(required=True),
hostname=dict(required=False),
setup_ca=dict(required=False, type='bool', default=False),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ####################################################
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.setup_ca = ansible_module.params.get('setup_ca')
# init ##########################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
# setup ds ######################################################
otpd = otpdinstance.OtpdInstance()
otpd.set_output(ansible_log)
with redirect_stdout(ansible_log):
otpd.create_instance('OTPD', options.host_name,
ipautil.realm_to_suffix(options.realm_name))
# done ##########################################################
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
main()

777
roles/ipaserver/library/ipaserver_test.py Normal file
View File

@@ -0,0 +1,777 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
ANSIBLE_METADATA = {
'metadata_version': '1.0',
'supported_by': 'community',
'status': ['preview'],
}
DOCUMENTATION = '''
---
module: ipaserver_test
short description:
description:
options:
author:
- Thomas Woerner
'''
EXAMPLES = '''
'''
RETURN = '''
'''
import os
import sys
import logging
import tempfile, shutil
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(
### basic ###
dm_password=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
master_password=dict(required=False, no_log=True),
ip_addresses=dict(required=False, type='list', default=[]),
domain=dict(required=False),
realm=dict(required=False),
hostname=dict(required=False),
ca_cert_files=dict(required=False, type='list', default=[]),
# no_host_dns=dict(required=False, type='bool', default=False),
### server ###
setup_adtrust=dict(required=False, type='bool', default=False),
setup_kra=dict(required=False, type='bool', default=False),
setup_dns=dict(required=False, type='bool', default=False),
idstart=dict(required=False, type='int'),
idmax=dict(required=False, type='int'),
# no_hbac_allow
no_pkinit=dict(required=False, type='bool', default=False),
# no_ui_redirect
dirsrv_config_file=dict(required=False),
### ssl certificate ###
dirsrv_cert_files=dict(required=False, type='list', default=[]),
http_cert_files=dict(required=False, type='list', default=[]),
pkinit_cert_files=dict(required=False, type='list', default=[]),
# dirsrv_pin
# http_pin
# pkinit_pin
# dirsrv_name
# http_name
# pkinit_name
### client ###
# mkhomedir
no_ntp=dict(required=False, type='bool', default=False),
# ssh_trust_dns
# no_ssh
# no_sshd
# no_dns_sshfp
### certificate system ###
external_ca=dict(required=False, type='bool', default=False),
external_ca_type=dict(required=False),
external_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
ca_subject=dict(required=False),
# ca_signing_algorithm
### dns ###
allow_zone_overlap=dict(required=False, type='bool', default=False),
reverse_zones=dict(required=False, type='list', default=[]),
no_reverse=dict(required=False, type='bool', default=False),
auto_reverse=dict(required=False, type='bool', default=False),
zonemgr=dict(required=False),
forwarders=dict(required=False, type='list', default=[]),
no_forwarders=dict(required=False, type='bool', default=False),
auto_forwarders=dict(required=False, type='bool', default=False),
forward_policy=dict(default='first', choices=['first', 'only']),
no_dnssec_validation=dict(required=False, type='bool',
default=False),
### ad trust ###
enable_compat=dict(required=False, type='bool', default=False),
netbios_name=dict(required=False),
rid_base=dict(required=False, type='int'),
secondary_rid_base=dict(required=False, type='int'),
### additional ###
allow_repair=dict(required=False, type='bool', default=False),
),
supports_check_mode = True,
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
### basic ###
options.dm_password = ansible_module.params.get('dm_password')
options.admin_password = ansible_module.params.get('password')
options.master_password = ansible_module.params.get('master_password')
options.ip_addresses = ansible_module.params.get('ip_addresses')
options.domain_name = ansible_module.params.get('domain')
options.realm_name = ansible_module.params.get('realm')
options.host_name = ansible_module.params.get('hostname')
options.ca_cert_files = ansible_module.params.get('ca_cert_files')
# no_host_dns
### server ###
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
options.setup_dns = ansible_module.params.get('setup_dns')
options.setup_kra = ansible_module.params.get('setup_kra')
options.idstart = ansible_module.params.get('idstart')
options.idmax = ansible_module.params.get('idmax')
# no_hbac_allow
options.no_pkinit = ansible_module.params.get('no_pkinit')
# no_ui_redirect
options.dirsrv_config_file = ansible_module.params.get('dirsrv_config_file')
### ssl certificate ###
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
options.http_cert_files = ansible_module.params.get('http_cert_files')
options.pkinit_cert_files = ansible_module.params.get('pkinit_cert_files')
# dirsrv_pin
# http_pin
# pkinit_pin
# dirsrv_name
# http_name
# pkinit_name
### client ###
# mkhomedir
options.no_ntp = ansible_module.params.get('no_ntp')
# ssh_trust_dns
# no_ssh
# no_sshd
# no_dns_sshfp
### certificate system ###
options.external_ca = ansible_module.params.get('external_ca')
options.external_ca_type = ansible_module.params.get('external_ca_type')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
options.ca_subject = ansible_module.params.get('ca_subject')
# ca_signing_algorithm
### dns ###
options.allow_zone_overlap= ansible_module.params.get('allow_zone_overlap')
options.reverse_zones = ansible_module.params.get('reverse_zones')
options.no_reverse = ansible_module.params.get('no_reverse')
options.auto_reverse = ansible_module.params.get('auto_reverse')
options.zonemgr = ansible_module.params.get('zonemgr')
options.forwarders = ansible_module.params.get('forwarders')
options.no_forwarders = ansible_module.params.get('no_forwarders')
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
options.forward_policy = ansible_module.params.get('forward_policy')
options.no_dnssec_validation = ansible_module.params.get(
'no_dnssec_validation')
### ad trust ###
options.enable_compat = ansible_module.params.get('enable_compat')
options.netbios_name = ansible_module.params.get('netbios_name')
options.rid_base = ansible_module.params.get('rid_base')
options.secondary_rid_base = ansible_module.params.get('secondary_rid_base')
### additional ###
allow_repair = ansible_module.params.get('allow_repair')
# version specific ######################################################
if options.setup_adtrust and not adtrust_imported:
#if "adtrust" not in options._allow_missing:
ansible_module.fail_json(msg="adtrust can not be imported")
#else:
# options.setup_adtrust = False
# ansible_module.warn(msg="adtrust is not supported, disabling")
if options.setup_kra and not kra_imported:
#if "kra" not in options._allow_missing:
ansible_module.fail_json(msg="kra can not be imported")
#else:
# options.setup_kra = False
# ansible_module.warn(msg="kra is not supported, disabling")
# validation #############################################################
if options.dm_password is None:
ansible_module.fail_json(msg="Directory Manager password required")
if options.admin_password is None:
ansible_module.fail_json(msg="IPA admin password required")
# This will override any settings passed in on the cmdline
if os.path.isfile(paths.ROOT_IPA_CACHE):
# dm_password check removed, checked already
try:
cache_vars = read_cache(options.dm_password)
options.__dict__.update(cache_vars)
if cache_vars.get('external_ca', False):
options.external_ca = False
options.interactive = False
except Exception as e:
ansible_module.fail_json(msg="Cannot process the cache file: %s" % str(e))
# default values ########################################################
# idstart and idmax
if options.idstart is None:
options.idstart = random.randint(1, 10000) * 200000
if options.idmax is None or options.idmax == 0:
options.idmax = options.idstart + 199999
# validation ############################################################
# domain_level
if options.domain_level < MIN_DOMAIN_LEVEL:
ansible_module.fail_json(
msg="Domain Level cannot be lower than %d" % MIN_DOMAIN_LEVEL)
elif options.domain_level > MAX_DOMAIN_LEVEL:
ansible_module.fail_json(
msg="Domain Level cannot be higher than %d" % MAX_DOMAIN_LEVEL)
# dirsrv_config_file
if options.dirsrv_config_file is not None:
if not os.path.exists(options.dirsrv_config_file):
ansible_module.fail_json(
msg="File %s does not exist." % options.dirsrv_config_file)
# domain_name
if (options.setup_dns and not options.allow_zone_overlap):
check_zone_overlap(options.domain_name, False)
# dm_password
with redirect_stdout(ansible_log):
validate_dm_password(options.dm_password)
# admin_password
with redirect_stdout(ansible_log):
validate_admin_password(options.admin_password)
# pkinit is not supported on DL0, don't allow related options
# replica install: if not self.replica_file is None:
if (not options._replica_install and \
not options.domain_level > DOMAIN_LEVEL_0) or \
(options._replica_install and self.replica_file is not None):
if (options.no_pkinit or options.pkinit_cert_files is not None or
options.pkinit_pin is not None):
ansible_module.fail_json(
msg="pkinit on domain level 0 is not supported. Please "
"don't use any pkinit-related options.")
options.no_pkinit = True
# If any of the key file options are selected, all are required.
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
cert_file_opt = (options.pkinit_cert_files,)
if not options.no_pkinit:
cert_file_req += cert_file_opt
if options.no_pkinit and options.pkinit_cert_files:
ansible_module.fail_json(
msg="no-pkinit and pkinit-cert-file cannot be specified together"
)
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
ansible_module.fail_json(
msg="dirsrv-cert-file, http-cert-file, and pkinit-cert-file "
"or no-pkinit are required if any key file options are used."
)
if not options.interactive:
if options.dirsrv_cert_files and options.dirsrv_pin is None:
ansible_module.fail_json(
msg="You must specify dirsrv-pin with dirsrv-cert-file")
if options.http_cert_files and options.http_pin is None:
ansible_module.fail_json(
msg="You must specify http-pin with http-cert-file")
if options.pkinit_cert_files and options.pkinit_pin is None:
ansible_module.fail_json(
msg="You must specify pkinit-pin with pkinit-cert-file")
if not options.setup_dns:
# lists
for x in [ "forwarders", "reverse_zones" ]:
if len(getattr(options, x)) > 1:
ansible_module.fail_json(
msg="You cannot specify %s without setting setup-dns" % x)
# bool and str values
for x in [ "auto_forwarders", "no_forwarders",
"auto_reverse", "no_reverse", "no_dnssec_validation",
"forward_policy" ]:
if getattr(options, x) == True:
ansible_module.fail_json(
msg="You cannot specify %s without setting setup-dns" % x)
elif len(options.forwarders) > 0 and options.no_forwarders:
ansible_module.fail_json(
msg="You cannot specify forwarders together with no-forwarders")
elif options.auto_forwarders and options.no_forwarders:
ansible_module.fail_json(
msg="You cannot specify auto-forwarders together with no-forwarders")
elif len(options.reverse_zones) > 0 and options.no_reverse:
ansible_module.fail_json(
msg="You cannot specify reverse-zones together with no-reverse")
elif options.auto_reverse and options.no_reverse:
ansible_module.fail_json(
msg="You cannot specify auto-reverse together with no-reverse")
if not options._replica_install:
if options.external_cert_files and options.dirsrv_cert_files:
ansible_module.fail_json(
msg="Service certificate file options cannot be used with the "
"external CA options.")
if options.external_ca_type and not options.external_ca:
ansible_module.fail_json(
msg="You cannot specify external-ca-type without external-ca")
#if options.uninstalling:
# if (options.realm_name or options.admin_password or
# options.master_password):
# ansible_module.fail_json(
# msg="In uninstall mode, -a, -r and -P options are not "
# "allowed")
#elif not options.interactive:
# if (not options.realm_name or not options.dm_password or
# not options.admin_password):
# ansible_module.fail_json(msg=
# "In unattended mode you need to provide at least -r, "
# "-p and -a options")
# if options.setup_dns:
# if (not options.forwarders and
# not options.no_forwarders and
# not options.auto_forwarders):
# ansible_module.fail_json(msg=
# "You must specify at least one of --forwarder, "
# "--auto-forwarders, or --no-forwarders options")
if (not options.realm_name or not options.dm_password or
not options.admin_password):
ansible_module.fail_json(
msg="You need to provide at least realm_name, dm_password "
"and admin_password")
if options.setup_dns:
if len(options.forwarders) < 1 and not options.no_forwarders and \
not options.auto_forwarders:
ansible_module.fail_json(
msg="You must specify at least one of forwarders, "
"auto-forwarders or no-forwarders")
#any_ignore_option_true = any(
# [options.ignore_topology_disconnect, options.ignore_last_of_role])
#if any_ignore_option_true and not options.uninstalling:
# ansible_module.fail_json(
# msg="ignore-topology-disconnect and ignore-last-of-role "
# "can be used only during uninstallation")
if options.idmax < options.idstart:
ansible_module.fail_json(
msg="idmax (%s) cannot be smaller than idstart (%s)" %
(options.idmax, options.idstart))
else:
# replica install
if options.replica_file is None:
if options.servers and not options.domain_name:
ansible_module.fail_json(
msg="servers cannot be used without providing domain")
else:
if not ipautil.file_exists(options.replica_file):
ansible_module.fail_json(
msg="Replica file %s does not exist" % options.replica_file)
if any(cert_file_req + cert_file_opt):
ansible_module.fail_json(
msg="You cannot specify dirsrv-cert-file, http-cert-file, "
"or pkinit-cert-file together with replica file")
conflicting = { "realm": options.realm_name,
"domain": options.domain_name,
"hostname": options.host_name,
"servers": options.servers,
"principal": options.principal }
conflicting_names = [ name for name in conflicting
if conflicting[name] is not None ]
if len(conflicting_names) > 0:
ansible_module.fail_json(
msg="You cannot specify %s option(s) with replica file." % \
", ".join(conflicting_names))
if options.setup_dns:
if len(options.forwarders) < 1 and not options.no_forwarders and \
not options.auto_forwarders:
ansible_module.fail_json(
msg="You must specify at least one of forwarders, "
"auto-forwarders or no-forwarders")
if NUM_VERSION >= 40200 and options.master_password:
ansible_module.warn("Specifying master-password is deprecated")
options._installation_cleanup = True
if not options.external_ca and len(options.external_cert_files) < 1 and \
is_ipa_configured() and not allow_repair:
options._installation_cleanup = False
ansible_module.fail_json(msg=
"IPA server is already configured on this system. If you want "
"to reinstall the IPA server, please uninstall it first.")
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
if client_fstore.has_files() and not allow_repair:
options._installation_cleanup = False
ansible_module.fail_json(
msg="IPA client is already configured on this system. "
"Please uninstall it before configuring the IPA server.")
# validate reverse_zones
if not options.allow_zone_overlap:
for zone in options.reverse_zones:
with redirect_stdout(ansible_log):
dnsutil.check_zone_overlap(zone)
# validate zonemgr
if options.zonemgr:
try:
# IDNA support requires unicode
encoding = getattr(sys.stdin, 'encoding', None)
if encoding is None:
encoding = 'utf-8'
value = options.zonemgr.decode(encoding)
with redirect_stdout(ansible_log):
bindinstance.validate_zonemgr_str(value)
except ValueError as e:
# FIXME we can do this in better way
# https://fedorahosted.org/freeipa/ticket/4804
# decode to proper stderr encoding
stderr_encoding = getattr(sys.stderr, 'encoding', None)
if stderr_encoding is None:
stderr_encoding = 'utf-8'
error = unicode(e).encode(stderr_encoding)
ansible_module.fail_json(msg=error)
# external cert file paths are absolute
for path in options.external_cert_files:
if not os.path.isabs(path):
ansible_module.fail_json(
msg="External cert file '%s' must use an absolute path" % path)
options.setup_ca = True
# We only set up the CA if the PKCS#12 options are not given.
if options.dirsrv_cert_files and len(options.dirsrv_cert_files) > 0:
options.setup_ca = False
else:
options.setup_ca = True
if not options.setup_ca and options.ca_subject:
ansible_module.fail_json(msg=
"--ca-subject cannot be used with CA-less installation")
if not options.setup_ca and options.subject_base:
ansible_module.fail_json(msg=
"--subject-base cannot be used with CA-less installation")
if not options.setup_ca and options.setup_kra:
ansible_module.fail_json(msg=
"--setup-kra cannot be used with CA-less installation")
# ca_subject
if options.ca_subject:
subject_validator(VALID_SUBJECT_ATTRS, options.ca_subject)
# IPv6 and SELinux check
tasks.check_ipv6_stack_enabled()
tasks.check_selinux_status()
_installation_cleanup = True
if (not options.external_ca and not options.external_cert_files and
is_ipa_configured() and not allow_repair):
_installation_cleanup = False
ansible_module.fail_json(msg="IPA server is already configured on this system.")
if not options.no_ntp:
try:
ntpconf.check_timedate_services()
except ntpconf.NTPConflictingService as e:
ansible_module.log("Conflicting time&date synchronization service '%s'"
" will be disabled in favor of ntpd" % \
e.conflicting_service)
except ntpconf.NTPConfigurationError:
pass
# Check to see if httpd is already configured to listen on 443
if httpinstance.httpd_443_configured():
ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
if not options.external_cert_files:
# Make sure the 389-ds ports are available
try:
check_dirsrv(True)
except ScriptError as e:
if not allow_repair:
ansible_module.fail_json(msg=e)
if not options.no_ntp:
try:
ntpconf.check_timedate_services()
except ntpconf.NTPConflictingService as e:
ansible_module.warn(
"Conflicting time&date synchronization service "
"'%s' will be disabled" % e.conflicting_service)
except ntpconf.NTPConfigurationError:
pass
# Check to see if httpd is already configured to listen on 443
if httpinstance.httpd_443_configured() and not allow_repair:
ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
# check bind packages are installed
if options.setup_dns:
# Don't require an external DNS to say who we are if we are
# setting up a local DNS server.
options.no_host_dns = True
# host name
if options.host_name:
options.host_default = options.host_name
else:
options.host_default = get_fqdn()
_host_name_overridden = False
try:
verify_fqdn(options.host_default, options.no_host_dns)
options.host_name = options.host_default
if options.host_default != get_fqdn():
_host_name_overridden = True
except BadHostError as e:
ansible_module.fail_json(msg=e)
options.host_name = options.host_name.lower()
if not options.domain_name:
options.domain_name = options.host_name[options.host_name.find(".")+1:]
try:
validate_domain_name(options.domain_name)
except ValueError as e:
ansible_module.fail_json(msg="Invalid domain name: %s" % unicode(e))
options.domain_name = options.domain_name.lower()
if not options.realm_name:
options.realm_name = options.domain_name
options.realm_name = options.realm_name.upper()
if not options.setup_adtrust:
# If domain name and realm does not match, IPA server will not be able
# to establish trust with Active Directory. Fail.
if options.domain_name.upper() != options.realm_name:
ansible_module.fail_json(
msg="Realm name does not match the domain name: "
"You will not be able to establish trusts with Active "
"Directory.")
#########################################################################
http_pkcs12_file = None
http_pkcs12_info = None
http_ca_cert = None
dirsrv_pkcs12_file = None
dirsrv_pkcs12_info = None
dirsrv_ca_cert = None
pkinit_pkcs12_file = None
pkinit_pkcs12_info = None
pkinit_ca_cert = None
if options.http_cert_files:
if options.http_pin is None:
ansible_module.fail_json(msg=
"Apache Server private key unlock password required")
http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
cert_files=options.http_cert_files,
key_password=options.http_pin,
key_nickname=options.http_cert_name,
ca_cert_files=options.ca_cert_files,
host_name=options.host_name)
http_pkcs12_info = (http_pkcs12_file.name, options.http_pin)
if options.dirsrv_cert_files:
if options.dirsrv_pin is None:
ansible_module.fail_json(msg=
"Directory Server private key unlock password required")
dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
cert_files=options.dirsrv_cert_files,
key_password=options.dirsrv_pin,
key_nickname=options.dirsrv_cert_name,
ca_cert_files=options.ca_cert_files,
host_name=options.host_name)
dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, options.dirsrv_pin)
if options.pkinit_cert_files:
if options.pkinit_pin is None:
ansible_module.fail_json(msg=
"Kerberos KDC private key unlock password required")
pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
cert_files=options.pkinit_cert_files,
key_password=options.pkinit_pin,
key_nickname=options.pkinit_cert_name,
ca_cert_files=options.ca_cert_files,
realm_name=options.realm_name)
pkinit_pkcs12_info = (pkinit_pkcs12_file.name, options.pkinit_pin)
if (options.http_cert_files and options.dirsrv_cert_files and
http_ca_cert != dirsrv_ca_cert):
ansible_module.fail_json(msg=
"Apache Server SSL certificate and Directory Server SSL "
"certificate are not signed by the same CA certificate")
if (options.http_cert_files and options.pkinit_cert_files and
http_ca_cert != pkinit_ca_cert):
ansible_module.fail_json(msg=
"Apache Server SSL certificate and PKINIT KDC "
"certificate are not signed by the same CA certificate")
# subject_base
if not options.subject_base:
options.subject_base = str(default_subject_base(options.realm_name))
# set options.subject for old ipa releases
options.subject = options.subject_base
if not options.ca_subject:
options.ca_subject = str(default_ca_subject_dn(options.subject_base))
# temporary ipa configuration ###########################################
ipa_tempdir = tempfile.mkdtemp(prefix="ipaconf")
try:
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
context='installer',
confdir=ipa_tempdir,
in_server=True,
# make sure host name specified by user is used instead of default
host=options.host_name,
)
if options.setup_ca:
# we have an IPA-integrated CA
cfg['ca_host'] = options.host_name
# Create the management framework config file and finalize api
target_fname = "%s/default.conf" % ipa_tempdir
fd = open(target_fname, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % options.host_name)
fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
fd.write("realm=%s\n" % options.realm_name)
fd.write("domain=%s\n" % options.domain_name)
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(options.host_name))
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
installutils.realm_to_serverid(options.realm_name))
if options.setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
fd.write("mode=production\n")
fd.close()
# Must be readable for everyone
os.chmod(target_fname, 0o644)
api.bootstrap(**cfg)
api.finalize()
# install checks ####################################################
if options.setup_ca:
ca.install_check(False, None, options)
if options.setup_kra:
kra.install_check(api, None, options)
if options.setup_dns:
with redirect_stdout(ansible_log):
dns.install_check(False, api, False, options, options.host_name)
ip_addresses = dns.ip_addresses
else:
ip_addresses = get_server_ip_address(options.host_name,
False, False,
options.ip_addresses)
# check addresses here, dns ansible_module is doing own check
no_matching_interface_for_ip_address_warning(ip_addresses)
options.ip_addresses = ip_addresses
options.reverse_zones = dns.reverse_zones
instance_name = "-".join(options.realm_name.split("."))
dirsrv = services.knownservices.dirsrv
if (options.external_cert_files
and dirsrv.is_installed(instance_name)
and not dirsrv.is_running(instance_name)):
logger.debug('Starting Directory Server')
services.knownservices.dirsrv.start(instance_name)
if options.setup_adtrust:
adtrust.install_check(False, options, api)
finally:
try:
shutil.rmtree(ipa_tempdir, ignore_errors=True)
except OSError:
ansible_module.fail_json(msg="Could not remove %s" % ipa_tempdir)
# done ##################################################################
ansible_module.exit_json(changed=True,
ipa_python_version=IPA_PYTHON_VERSION,
### basic ###
domain=options.domain_name,
realm=options.realm_name,
ip_addresses=[ str(ip) for ip in ip_addresses ],
hostname=options.host_name,
_hostname_overridden=_host_name_overridden,
no_host_dns=options.no_host_dns,
### server ###
setup_adtrust=options.setup_adtrust,
setup_kra=options.setup_kra,
setup_ca=options.setup_ca,
idstart=options.idstart,
idmax=options.idmax,
no_pkinit=options.no_pkinit,
### ssl certificate ###
_dirsrv_pkcs12_file=dirsrv_pkcs12_file,
_dirsrv_pkcs12_info=dirsrv_pkcs12_info,
_dirsrv_ca_cert=dirsrv_ca_cert,
_http_pkcs12_file=http_pkcs12_file,
_http_pkcs12_info=http_pkcs12_info,
_http_ca_cert=http_ca_cert,
_pkinit_pkcs12_file=pkinit_pkcs12_file,
_pkinit_pkcs12_info=pkinit_pkcs12_info,
_pkinit_ca_cert=pkinit_ca_cert,
### certificate system ###
subject_base=options.subject_base,
_subject_base=options._subject_base,
ca_subject=options.ca_subject,
_ca_subject=options._ca_subject,
### dns ###
reverse_zones=options.reverse_zones,
forwarders=options.forwarders,
### additional ###
_installation_cleanup=_installation_cleanup,
domainlevel=options.domainlevel)
if __name__ == '__main__':
main()