mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-05-15 05:52:24 +00:00
ipaserver: Add support for 4.7 (4.6.90-pre2)
With IPA 4.7 bigger changes have been introduced Changes: - Use of timeconf and chrony instead of ntpconf and ntpd. - New IPAChangeConf (not used in ipaserver modules) - New check_ldap_conf form ipaclient.install.client - custodia instance needed for ca and kra - no_ntp defaults to yes for client installation part - A new option ntp_pool has been introduced (set to None).
This commit is contained in:
Thomas Woerner
@@ -200,7 +200,7 @@ def main():
|
||||
fd.write("realm=%s\n" % options.realm_name)
|
||||
fd.write("domain=%s\n" % options.domain_name)
|
||||
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % \
|
||||
format_netloc(options.host_name))
|
||||
ipautil.format_netloc(options.host_name))
|
||||
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % \
|
||||
installutils.realm_to_serverid(options.realm_name))
|
||||
if options.setup_ca:
|
||||
|
||||
@@ -170,6 +170,8 @@ def main():
|
||||
|
||||
# init #################################################################
|
||||
|
||||
options.promote = False # first master, no promotion
|
||||
|
||||
fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
||||
|
||||
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
|
||||
@@ -186,6 +188,11 @@ def main():
|
||||
# setup CA ##############################################################
|
||||
|
||||
with redirect_stdout(ansible_log):
|
||||
if NUM_VERSION >= 40604:
|
||||
custodia = custodiainstance.get_custodia_instance(
|
||||
options, custodiainstance.CustodiaModes.MASTER_PEER)
|
||||
custodia.create_instance()
|
||||
|
||||
if options.setup_ca:
|
||||
if not options.external_cert_files and options.external_ca:
|
||||
# stage 1 of external CA installation
|
||||
@@ -193,7 +200,10 @@ def main():
|
||||
if n in options.__dict__}
|
||||
write_cache(cache_vars)
|
||||
|
||||
ca.install_step_0(False, None, options)
|
||||
if NUM_VERSION >= 40604:
|
||||
ca.install_step_0(False, None, options, custodia=custodia)
|
||||
else:
|
||||
ca.install_step_0(False, None, options)
|
||||
else:
|
||||
# Put the CA cert where other instances expect it
|
||||
x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
|
||||
@@ -210,13 +220,15 @@ def main():
|
||||
x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
|
||||
os.chmod(paths.CA_BUNDLE_PEM, 0o444)
|
||||
|
||||
with redirect_stdout(ansible_log):
|
||||
# we now need to enable ssl on the ds
|
||||
ds.enable_ssl()
|
||||
|
||||
if options.setup_ca:
|
||||
with redirect_stdout(ansible_log):
|
||||
ca.install_step_1(False, None, options)
|
||||
if options.setup_ca:
|
||||
with redirect_stdout(ansible_log):
|
||||
if NUM_VERSION >= 40604:
|
||||
ca.install_step_1(False, None, options, custodia=custodia)
|
||||
else:
|
||||
ca.install_step_1(False, None, options)
|
||||
|
||||
ansible_module.exit_json(changed=True)
|
||||
|
||||
|
||||
@@ -151,7 +151,7 @@ def main():
|
||||
ca_subject=options.ca_subject,
|
||||
hbac_allow=not options.no_hbac_allow,
|
||||
setup_pkinit=not options.no_pkinit)
|
||||
if not options.dirsrv_cert_files:
|
||||
if not options.dirsrv_cert_files and NUM_VERSION < 40690:
|
||||
ntpinstance.ntp_ldap_enable(options.host_name, ds.suffix,
|
||||
options.realm_name)
|
||||
|
||||
|
||||
@@ -80,7 +80,14 @@ def main():
|
||||
# setup kra #####################################################
|
||||
|
||||
with redirect_stdout(ansible_log):
|
||||
kra.install(api, None, options)
|
||||
if NUM_VERSION >= 40604:
|
||||
custodia = custodiainstance.get_custodia_instance(
|
||||
options, custodiainstance.CustodiaModes.MASTER_PEER)
|
||||
custodia.create_instance()
|
||||
|
||||
kra.install(api, None, options, custodia=custodia)
|
||||
else:
|
||||
kra.install(api, None, options)
|
||||
|
||||
# done ##########################################################
|
||||
|
||||
|
||||
@@ -64,12 +64,28 @@ def main():
|
||||
|
||||
# setup NTP #####################################################
|
||||
|
||||
ntpconf.force_ntpd(sstore)
|
||||
ntp = ntpinstance.NTPInstance(fstore)
|
||||
ntp.set_output(ansible_log)
|
||||
with redirect_stdout(ansible_log):
|
||||
if not ntp.is_configured():
|
||||
ntp.create_instance()
|
||||
if time_service == "chronyd":
|
||||
# We have to sync time before certificate handling on master.
|
||||
# As chrony configuration is moved from client here, unconfiguration of
|
||||
# chrony will be handled here in uninstall() method as well by invoking
|
||||
# the ipa-server-install --uninstall
|
||||
ansible_module.log("Synchronizing time")
|
||||
options.ntp_servers = None
|
||||
options.ntp_pool = None
|
||||
if sync_time(options, fstore, sstore):
|
||||
ansible_module.log("Time synchronization was successful.")
|
||||
else:
|
||||
ansible_module.warn("IPA was unable to sync time with chrony!")
|
||||
ansible_module.warn("Time synchronization is required for IPA "
|
||||
"to work correctly")
|
||||
else:
|
||||
# Configure ntpd
|
||||
timeconf.force_ntpd(sstore)
|
||||
ntp = ntpinstance.NTPInstance(fstore)
|
||||
ntp.set_output(ansible_log)
|
||||
with redirect_stdout(ansible_log):
|
||||
if not ntp.is_configured():
|
||||
ntp.create_instance()
|
||||
|
||||
# done ##########################################################
|
||||
|
||||
|
||||
@@ -506,6 +506,8 @@ def main():
|
||||
|
||||
tasks.check_ipv6_stack_enabled()
|
||||
tasks.check_selinux_status()
|
||||
if check_ldap_conf is not None:
|
||||
check_ldap_conf()
|
||||
|
||||
_installation_cleanup = True
|
||||
if not options.external_ca and not options.external_cert_files and \
|
||||
@@ -515,17 +517,18 @@ def main():
|
||||
|
||||
if not options.no_ntp:
|
||||
try:
|
||||
ntpconf.check_timedate_services()
|
||||
except ntpconf.NTPConflictingService as e:
|
||||
timeconf.check_timedate_services()
|
||||
except timeconf.NTPConflictingService as e:
|
||||
ansible_module.log("Conflicting time&date synchronization service '%s'"
|
||||
" will be disabled in favor of ntpd" % \
|
||||
e.conflicting_service)
|
||||
except ntpconf.NTPConfigurationError:
|
||||
" will be disabled in favor of %s" % \
|
||||
(e.conflicting_service, time_service))
|
||||
except timeconf.NTPConfigurationError:
|
||||
pass
|
||||
|
||||
# Check to see if httpd is already configured to listen on 443
|
||||
if httpinstance.httpd_443_configured():
|
||||
ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
|
||||
if hasattr(httpinstance, "httpd_443_configured"):
|
||||
# Check to see if httpd is already configured to listen on 443
|
||||
if httpinstance.httpd_443_configured():
|
||||
ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
|
||||
|
||||
if not options.external_cert_files:
|
||||
# Make sure the 389-ds ports are available
|
||||
@@ -534,20 +537,6 @@ def main():
|
||||
except ScriptError as e:
|
||||
ansible_module.fail_json(msg=e)
|
||||
|
||||
if not options.no_ntp:
|
||||
try:
|
||||
ntpconf.check_timedate_services()
|
||||
except ntpconf.NTPConflictingService as e:
|
||||
ansible_module.warn(
|
||||
"Conflicting time&date synchronization service "
|
||||
"'%s' will be disabled" % e.conflicting_service)
|
||||
except ntpconf.NTPConfigurationError:
|
||||
pass
|
||||
|
||||
# Check to see if httpd is already configured to listen on 443
|
||||
if httpinstance.httpd_443_configured():
|
||||
ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
|
||||
|
||||
# check bind packages are installed
|
||||
if options.setup_dns:
|
||||
# Don't require an external DNS to say who we are if we are
|
||||
@@ -560,12 +549,9 @@ def main():
|
||||
else:
|
||||
options.host_default = get_fqdn()
|
||||
|
||||
_host_name_overridden = False
|
||||
try:
|
||||
verify_fqdn(options.host_default, options.no_host_dns)
|
||||
options.host_name = options.host_default
|
||||
if options.host_default != get_fqdn():
|
||||
_host_name_overridden = True
|
||||
except BadHostError as e:
|
||||
ansible_module.fail_json(msg=e)
|
||||
options.host_name = options.host_name.lower()
|
||||
@@ -581,6 +567,11 @@ def main():
|
||||
if not options.realm_name:
|
||||
options.realm_name = options.domain_name
|
||||
options.realm_name = options.realm_name.upper()
|
||||
if NUM_VERSION >= 40690:
|
||||
try:
|
||||
validate_domain_name(options.realm_name, entity="realm")
|
||||
except ValueError as e:
|
||||
raise ScriptError("Invalid realm name: {}".format(unicode(e)))
|
||||
|
||||
if not options.setup_adtrust:
|
||||
# If domain name and realm does not match, IPA server will not be able
|
||||
@@ -686,7 +677,7 @@ def main():
|
||||
fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
|
||||
fd.write("realm=%s\n" % options.realm_name)
|
||||
fd.write("domain=%s\n" % options.domain_name)
|
||||
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(options.host_name))
|
||||
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(options.host_name))
|
||||
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
|
||||
installutils.realm_to_serverid(options.realm_name))
|
||||
if options.setup_ca:
|
||||
@@ -744,6 +735,9 @@ def main():
|
||||
except OSError:
|
||||
ansible_module.fail_json(msg="Could not remove %s" % ipa_tempdir)
|
||||
|
||||
# Always set _host_name_overridden
|
||||
options._host_name_overridden = bool(options.host_name)
|
||||
|
||||
# done ##################################################################
|
||||
|
||||
ansible_module.exit_json(changed=True,
|
||||
@@ -753,7 +747,7 @@ def main():
|
||||
realm=options.realm_name,
|
||||
ip_addresses=[ str(ip) for ip in ip_addresses ],
|
||||
hostname=options.host_name,
|
||||
_hostname_overridden=_host_name_overridden,
|
||||
_hostname_overridden=options._host_name_overridden,
|
||||
no_host_dns=options.no_host_dns,
|
||||
### server ###
|
||||
setup_adtrust=options.setup_adtrust,
|
||||
|
||||
Reference in New Issue
Block a user