ipaserver: Add support for 4.7 (4.6.90-pre2)

With IPA 4.7 bigger changes have been introduced

Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- New IPAChangeConf (not used in ipaserver modules)
- New check_ldap_conf form ipaclient.install.client
- custodia instance needed for ca and kra
- no_ntp defaults to yes for client installation part
- A new option ntp_pool has been introduced (set to None).

module_utils/ansible_ipa_server.py

@@ -51,12 +51,14 @@ if NUM_VERSION >= 40500:
 
     import six
 
+    if NUM_VERSION >= 40690:
+        from ipaclient.install.ipachangeconf import IPAChangeConf
     from ipalib.install import certmonger, sysrestore
     from ipapython import ipautil
     if NUM_VERSION < 40600:
         from ipapython.ipa_log_manager import root_logger
     from ipapython.ipautil import (
-        format_netloc, ipa_generate_password, run, user_input)
+        ipa_generate_password, run, user_input)
     from ipapython.admintool import ScriptError
     from ipaplatform import services
     from ipaplatform.paths import paths
@@ -70,11 +72,21 @@ if NUM_VERSION >= 40500:
         no_matching_interface_for_ip_address_warning,
     )
     from ipapython.dnsutil import check_zone_overlap
-    from ipaclient.install import ntpconf
+    try:
+        from ipaclient.install import timeconf
+        from ipaclient.install.client import sync_time
+        time_service = "chronyd"
+    except ImportError:
+        try:
+            from ipaclient.install import ntpconf as timeconf
+        except ImportError:
+            from ipaclient import ntpconf as timeconf
+        from ipaserver.install import ntpinstance
+        time_service = "ntpd"
     from ipaserver.install import (
         adtrust, bindinstance, ca, dns, dsinstance,
         httpinstance, installutils, kra, krbinstance,
-        ntpinstance, otpdinstance, custodiainstance, replication, service,
+        otpdinstance, custodiainstance, replication, service,
         sysupgrade)
     adtrust_imported = True
     kra_imported = True
@@ -105,6 +117,11 @@ if NUM_VERSION >= 40500:
     except ImportError:
         _server_trust_ad_installed = False
 
+    try:
+        from ipaclient.install.client import check_ldap_conf
+    except ImportError:
+        check_ldap_conf = None
+
 else:
     # IPA version < 4.5
 

roles/ipaserver/library/ipaserver_prepare.py

@@ -200,7 +200,7 @@ def main():
     fd.write("realm=%s\n" % options.realm_name)
     fd.write("domain=%s\n" % options.domain_name)
     fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % \
-             format_netloc(options.host_name))
+             ipautil.format_netloc(options.host_name))
     fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % \
              installutils.realm_to_serverid(options.realm_name))
     if options.setup_ca:

roles/ipaserver/library/ipaserver_setup_ca.py

@@ -170,6 +170,8 @@ def main():
 
     # init #################################################################
 
+    options.promote = False  # first master, no promotion
+
     fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
     api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
@@ -186,6 +188,11 @@ def main():
     # setup CA ##############################################################
 
     with redirect_stdout(ansible_log):
+        if NUM_VERSION >= 40604:
+            custodia = custodiainstance.get_custodia_instance(
+                options, custodiainstance.CustodiaModes.MASTER_PEER)
+            custodia.create_instance()
+
         if options.setup_ca:
             if not options.external_cert_files and options.external_ca:
                 # stage 1 of external CA installation
@@ -193,7 +200,10 @@ def main():
                               if n in options.__dict__}
                 write_cache(cache_vars)
 
-            ca.install_step_0(False, None, options)
+            if NUM_VERSION >= 40604:
+                ca.install_step_0(False, None, options, custodia=custodia)
+            else:
+                ca.install_step_0(False, None, options)
         else:
             # Put the CA cert where other instances expect it
             x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
@@ -210,13 +220,15 @@ def main():
             x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
             os.chmod(paths.CA_BUNDLE_PEM, 0o444)
 
-    with redirect_stdout(ansible_log):
         # we now need to enable ssl on the ds
         ds.enable_ssl()
 
-    if options.setup_ca:
+        if options.setup_ca:
-        with redirect_stdout(ansible_log):
+            with redirect_stdout(ansible_log):
-            ca.install_step_1(False, None, options)
+                if NUM_VERSION >= 40604:
+                    ca.install_step_1(False, None, options, custodia=custodia)
+                else:
+                    ca.install_step_1(False, None, options)
 
     ansible_module.exit_json(changed=True)
 

roles/ipaserver/library/ipaserver_setup_ds.py

@@ -151,7 +151,7 @@ def main():
                                ca_subject=options.ca_subject,
                                hbac_allow=not options.no_hbac_allow,
                                setup_pkinit=not options.no_pkinit)
-            if not options.dirsrv_cert_files:
+            if not options.dirsrv_cert_files and NUM_VERSION < 40690:
                 ntpinstance.ntp_ldap_enable(options.host_name, ds.suffix,
                                             options.realm_name)
 

roles/ipaserver/library/ipaserver_setup_kra.py

@@ -80,7 +80,14 @@ def main():
     # setup kra #####################################################
 
     with redirect_stdout(ansible_log):
-        kra.install(api, None, options)
+        if NUM_VERSION >= 40604:
+            custodia = custodiainstance.get_custodia_instance(
+                options, custodiainstance.CustodiaModes.MASTER_PEER)
+            custodia.create_instance()
+
+            kra.install(api, None, options, custodia=custodia)
+        else:
+            kra.install(api, None, options)
 
     # done ##########################################################
 

roles/ipaserver/library/ipaserver_setup_ntp.py

@@ -64,12 +64,28 @@ def main():
 
     # setup NTP #####################################################
 
-    ntpconf.force_ntpd(sstore)
+    if time_service == "chronyd":
-    ntp = ntpinstance.NTPInstance(fstore)
+        # We have to sync time before certificate handling on master.
-    ntp.set_output(ansible_log)
+        # As chrony configuration is moved from client here, unconfiguration of
-    with redirect_stdout(ansible_log):
+        # chrony will be handled here in uninstall() method as well by invoking
-        if not ntp.is_configured():
+        # the ipa-server-install --uninstall
-            ntp.create_instance()
+        ansible_module.log("Synchronizing time")
+        options.ntp_servers = None
+        options.ntp_pool = None
+        if sync_time(options, fstore, sstore):
+            ansible_module.log("Time synchronization was successful.")
+        else:
+            ansible_module.warn("IPA was unable to sync time with chrony!")
+            ansible_module.warn("Time synchronization is required for IPA "
+                                "to work correctly")
+    else:
+        # Configure ntpd
+        timeconf.force_ntpd(sstore)
+        ntp = ntpinstance.NTPInstance(fstore)
+        ntp.set_output(ansible_log)
+        with redirect_stdout(ansible_log):
+            if not ntp.is_configured():
+                ntp.create_instance()
 
     # done ##########################################################
 

roles/ipaserver/library/ipaserver_test.py

@@ -506,6 +506,8 @@ def main():
 
     tasks.check_ipv6_stack_enabled()
     tasks.check_selinux_status()
+    if check_ldap_conf is not None:
+        check_ldap_conf()
 
     _installation_cleanup = True
     if not options.external_ca and not options.external_cert_files and \
@@ -515,17 +517,18 @@ def main():
 
     if not options.no_ntp:
         try:
-            ntpconf.check_timedate_services()
+            timeconf.check_timedate_services()
-        except ntpconf.NTPConflictingService as e:
+        except timeconf.NTPConflictingService as e:
             ansible_module.log("Conflicting time&date synchronization service '%s'"
-                       " will be disabled in favor of ntpd" % \
+                       " will be disabled in favor of %s" % \
-                       e.conflicting_service)
+                       (e.conflicting_service, time_service))
-        except ntpconf.NTPConfigurationError:
+        except timeconf.NTPConfigurationError:
             pass
 
-    # Check to see if httpd is already configured to listen on 443
+    if hasattr(httpinstance, "httpd_443_configured"):
-    if httpinstance.httpd_443_configured():
+        # Check to see if httpd is already configured to listen on 443
-        ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
+        if httpinstance.httpd_443_configured():
+            ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
 
     if not options.external_cert_files:
         # Make sure the 389-ds ports are available
@@ -534,20 +537,6 @@ def main():
         except ScriptError as e:
             ansible_module.fail_json(msg=e)
 
-    if not options.no_ntp:
-        try:
-            ntpconf.check_timedate_services()
-        except ntpconf.NTPConflictingService as e:
-            ansible_module.warn(
-                "Conflicting time&date synchronization service "
-                "'%s' will be disabled" % e.conflicting_service)
-        except ntpconf.NTPConfigurationError:
-            pass
-
-    # Check to see if httpd is already configured to listen on 443
-    if httpinstance.httpd_443_configured():
-        ansible_module.fail_json(msg="httpd is already configured to listen on 443.")
-
     # check bind packages are installed
     if options.setup_dns:
         # Don't require an external DNS to say who we are if we are
@@ -560,12 +549,9 @@ def main():
     else:
         options.host_default = get_fqdn()
 
-    _host_name_overridden = False
     try:
         verify_fqdn(options.host_default, options.no_host_dns)
         options.host_name = options.host_default
-        if options.host_default != get_fqdn():
-            _host_name_overridden = True
     except BadHostError as e:
         ansible_module.fail_json(msg=e)
     options.host_name = options.host_name.lower()
@@ -581,6 +567,11 @@ def main():
     if not options.realm_name:
         options.realm_name = options.domain_name
     options.realm_name = options.realm_name.upper()
+    if NUM_VERSION >= 40690:
+        try:
+            validate_domain_name(options.realm_name, entity="realm")
+        except ValueError as e:
+            raise ScriptError("Invalid realm name: {}".format(unicode(e)))
 
     if not options.setup_adtrust:
         # If domain name and realm does not match, IPA server will not be able
@@ -686,7 +677,7 @@ def main():
         fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
         fd.write("realm=%s\n" % options.realm_name)
         fd.write("domain=%s\n" % options.domain_name)
-        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % format_netloc(options.host_name))
+        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(options.host_name))
         fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
                  installutils.realm_to_serverid(options.realm_name))
         if options.setup_ca:
@@ -744,6 +735,9 @@ def main():
         except OSError:
             ansible_module.fail_json(msg="Could not remove %s" % ipa_tempdir)
 
+    # Always set _host_name_overridden
+    options._host_name_overridden = bool(options.host_name)
+
     # done ##################################################################
 
     ansible_module.exit_json(changed=True,
@@ -753,7 +747,7 @@ def main():
                              realm=options.realm_name,
                              ip_addresses=[ str(ip) for ip in ip_addresses ],
                              hostname=options.host_name,
-                             _hostname_overridden=_host_name_overridden,
+                             _hostname_overridden=options._host_name_overridden,
                              no_host_dns=options.no_host_dns,
                              ### server ###
                              setup_adtrust=options.setup_adtrust,

roles/ipaserver/tasks/install.yml

@@ -125,8 +125,9 @@
       setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
       setup_kra: "{{ result_ipaserver_test.setup_kra }}"
       setup_dns: "{{ ipaserver_setup_dns }}"
-      #no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
       ### certificate system ###
+      # external_ca
+      # external_cert_files
       subject_base: "{{ result_ipaserver_test.subject_base }}"
       ca_subject: "{{ result_ipaserver_test.ca_subject }}"
       ### dns ###
@@ -138,6 +139,11 @@
       no_forwarders: "{{ ipaserver_no_forwarders }}"
       auto_forwarders: "{{ ipaserver_auto_forwarders }}"
       no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
+      ### ad trust ###
+      # enable_compat
+      # netbios_name
+      # rid_base
+      # secondary_rid_base
       ### additional ###
       setup_ca: "{{ result_ipaserver_test.setup_ca }}"
       _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
@@ -329,13 +335,9 @@
       ipaclient_on_master: yes
       ipaclient_domain: "{{ result_ipaserver_test.domain }}"
       ipaclient_realm: "{{ result_ipaserver_test.realm }}"
-      ipaclient_server: "{{ result_ipaserver_test.hostname }}"
+      ipaclient_servers: [ "{{ result_ipaserver_test.hostname }}" ]
       ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
-      #ipaclient_no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
+      ipaclient_no_ntp: "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690 else 'false' }}"
-      #ipaclient_ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
-      #ipaclient_no_ssh: "{{ ipaclient_no_ssh }}"
-      #ipaclient_no_sshd: "{{ ipaclient_no_sshd }}"
-      #ipaclient_mkhomedir: "{{ ipaclient_mkhomedir }}"
 
   #- name: Install - Setup client
   #  command: >