Merge pull request #1246 from t-woerner/ipa_4_12_fixes

Fixes for FreeIPA 4.12
This commit is contained in:
Rafael Guterres Jeffman
2024-06-28 12:23:20 -03:00
committed by GitHub
9 changed files with 77 additions and 28 deletions


@@ -90,7 +90,7 @@ from ansible.module_utils.ansible_ipa_replica import (
check_imports, AnsibleModuleLog, setup_logging, installer, DN, paths,
gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, service,
find_providing_servers, services
find_providing_servers, services, clean_up_hsm_nicknames
)
@@ -168,6 +168,9 @@ def main():
# Everything installed properly, activate ipa service.
services.knownservices.ipa.enable()
if options.setup_ca and clean_up_hsm_nicknames is not None:
clean_up_hsm_nicknames(api)
# Print a warning if CA role is only installed on one server
if len(ca_servers) == 1:
msg = u'''
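Review bot: `clean_up_hsm_nicknames(api)` runs with no error handling after `services.knownservices.ipa.enable()` has already succeeded, so an exception in the cleanup fails the whole module even though the replica itself is installed; if the module has an `ansible_module` in scope (presumably, given AnsibleModuleLog is imported), consider catching the failure and reporting it with a message that names the HSM nickname cleanup step so the operator does not assume the install itself failed. The `is not None` guard is only explained in module_utils, where the name is imported under `except ImportError`; a one-line comment here would save the lookup, e.g. `# clean_up_hsm_nicknames is None on FreeIPA versions that do not provide it`. main() starts and ends outside this hunk.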


@@ -333,9 +333,7 @@ def main():
# done #
ansible_module.exit_json(changed=True,
config_master_host_name=config.master_host_name,
config_ca_host_name=config.ca_host_name)
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
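Review bot: Dropping `config_master_host_name` and `config_ca_host_name` from `exit_json` changes this module's return contract, and the module's RETURN documentation block (outside the hunk) presumably still lists both keys and should be trimmed to match. If `config` was only read for these two values, it may now be an unused local in main(), which starts outside the hunk. The role side is consistent, since install.yml now reads both values from `result_ipareplica_prepare`.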


@@ -250,6 +250,10 @@ options:
type: bool
default: no
required: no
client_configured:
description: Was client configured already
type: bool
required: yes
author:
- Thomas Woerner (@t-woerner)
'''
@@ -275,7 +279,8 @@ from ansible.module_utils.ansible_ipa_replica import (
check_domain_level_is_supported, errors, ScriptError, setup_logging,
logger, check_dns_resolution, service, find_providing_server, ca, kra,
dns, no_matching_interface_for_ip_address_warning, adtrust,
constants, api, redirect_stdout, replica_conn_check, tasks
constants, api, redirect_stdout, replica_conn_check, tasks,
install_ca_cert
)
from ansible.module_utils import six
@@ -353,6 +358,7 @@ def main():
skip_conncheck=dict(required=False, type='bool'),
sid_generation_always=dict(required=False, type='bool',
default=False),
ipa_client_installed=dict(required=True, type='bool'),
),
supports_check_mode=False,
)
@@ -436,6 +442,7 @@ def main():
# options._random_serial_numbers is generated by ca.install_check and
# later used by ca.install in the _setup_ca module.
options._random_serial_numbers = False
ipa_client_installed = ansible_module.params.get('ipa_client_installed')
# init #
@@ -601,10 +608,20 @@ def main():
ansible_log.debug("-- CA_CRT --")
cafile = paths.IPA_CA_CRT
if not os.path.isfile(cafile):
ansible_module.fail_json(
msg="CA cert file is not available! Please reinstall"
"the client and try again.")
if install_ca_cert is not None:
if not os.path.isfile(cafile):
ansible_module.fail_json(
msg="CA cert file is not available! Please reinstall"
"the client and try again.")
else:
if ipa_client_installed:
# host was already an IPA client, refresh client cert stores to
# ensure we have up to date CA certs.
try:
ipautil.run([paths.IPA_CERTUPDATE])
except ipautil.CalledProcessError:
ansible_module.fail_json(
msg="ipa-certupdate failed to refresh certs.")
ansible_log.debug("-- REMOTE_API --")
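Review bot: The fail_json message in the new `install_ca_cert is not None` branch is built from two adjacent string literals with no separating space, `msg="CA cert file is not available! Please reinstall" "the client and try again."`, so the user sees "reinstallthe client"; the commit moves this line but carries the defect over, so change the first literal to `"CA cert file is not available! Please reinstall "`. In the `else` branch nothing verifies that `paths.IPA_CA_CRT` exists when `ipa_client_installed` is false, whereas the old code always checked; if that is intentional because newer FreeIPA provisions the CA cert later in the flow, a one-line comment saying so would keep the next reader from re-adding the check. The `ipautil.run([paths.IPA_CERTUPDATE])` call is correctly passed as an argument list rather than a shell string. main() starts and ends outside this hunk.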


@@ -191,7 +191,7 @@ from ansible.module_utils.ansible_ipa_replica import (
paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
redirect_stdout, create_ipa_conf, ipautil,
x509, validate_domain_name, common_check,
IPA_PYTHON_VERSION, getargspec, adtrustinstance
IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
)
@@ -542,7 +542,8 @@ def main():
# additional
client_enrolled=client_enrolled,
change_master_for_certmonger=change_master_for_certmonger,
sid_generation_always=sid_generation_always
sid_generation_always=sid_generation_always,
install_ca_certs=install_ca_cert is not None
)
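Review bot: `install_ca_certs=install_ca_cert is not None` returns a capability flag whose meaning is only visible in module_utils, where the name is imported under `except ImportError` and set to None; a comment on this line would spare the reader that lookup, e.g. `# False when this FreeIPA version no longer provides install_ca_cert; the role then skips ipareplica_install_ca_certs`. The version at which the symbol disappears is not stated anywhere in the commit beyond the PR title, so hedge the comment or name the version only if it is confirmed. The enclosing exit_json call and main() start outside this hunk.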


@@ -49,7 +49,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
"dnsname", "kernel_keyring", "krbinstance", "getargspec",
"adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env",
"ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
"ReplicaConfig", "create_api"]
"ReplicaConfig", "create_api", "clean_up_hsm_nicknames"]
import sys
import logging
@@ -144,7 +144,7 @@ try:
from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
from ipaserver.install.server.replicainstall import (
make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
make_pkcs12_info, install_replica_ds, install_krb,
install_http, install_dns_records, create_ipa_conf, check_dirsrv,
check_dns_resolution, configure_certmonger,
remove_replica_info_dir,
@@ -157,6 +157,16 @@ try:
# ensure_enrolled,
promotion_check_ipa_domain
)
try:
from ipaserver.install.server.replicainstall import \
install_ca_cert
except ImportError:
install_ca_cert = None
try:
from ipaserver.install.server.replicainstall import \
clean_up_hsm_nicknames
except ImportError:
clean_up_hsm_nicknames = None
import SSSDConfig
from subprocess import CalledProcessError
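Review bot: The two guarded imports that fall back to `install_ca_cert = None` and `clean_up_hsm_nicknames = None` carry no comment on why each may be missing, yet every consumer must now test `is not None` before calling; a short note above them would make the contract explicit, e.g. `# Availability differs by FreeIPA version: install_ca_cert is absent on newer releases, clean_up_hsm_nicknames only exists there; both are None when not importable.` These nested `try` blocks sit inside the outer `try:` from the hunk header, whose handler is outside the hunk, so a failure to import replicainstall itself is still routed there rather than masked here. Only `clean_up_hsm_nicknames` is appended to `__all__`; confirm `install_ca_cert` is already listed there, since it was previously imported on the unguarded line and its `__all__` entry is not visible in this hunk.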


@@ -209,6 +209,7 @@
server: "{{ result_ipareplica_test.server }}"
skip_conncheck: "{{ ipareplica_skip_conncheck }}"
sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
register: result_ipareplica_prepare
- name: Install - Add to ipaservers
@@ -276,6 +277,7 @@
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
register: result_ipareplica_install_ca_certs
when: result_ipareplica_test.install_ca_certs
- name: Install - Setup DS
ipareplica_setup_ds:
@@ -312,7 +314,7 @@
dirman_password: "{{ __derived_dirman_password }}"
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
register: result_ipareplica_setup_ds
@@ -339,7 +341,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -362,7 +364,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -393,7 +395,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -406,7 +408,7 @@
dirman_password: "{{ __derived_dirman_password }}"
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
master:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
when: result_ipareplica_test.change_master_for_certmonger
- name: Install - DS enable SSL
@@ -420,7 +422,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -441,7 +443,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
@@ -473,7 +475,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -498,7 +500,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -549,9 +551,9 @@
dirman_password: "{{ __derived_dirman_password }}"
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name:
"{{ result_ipareplica_install_ca_certs.config_ca_host_name }}"
"{{ result_ipareplica_prepare.config_ca_host_name }}"
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
when: result_ipareplica_prepare._ca_enabled
@@ -565,7 +567,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -585,7 +587,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -645,7 +647,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
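Review bot: `when: result_ipareplica_test.install_ca_certs` gates the "Install CA certs" task on a flag whose meaning lives in the Python module_utils (whether install_ca_cert could be imported), which a role maintainer reading only this file cannot see; a comment on the task would help, e.g. `# Skipped when the FreeIPA version no longer provides install_ca_cert; ipareplica_prepare then refreshes the CA certs via ipa-certupdate on an enrolled client`. The rewiring is otherwise consistent: every former `result_ipareplica_install_ca_certs.*` reference in the file is switched to `result_ipareplica_prepare`, so no task depends on a result that may now be skipped. The new `ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"` argument matches the `required: yes` option added to ipareplica_prepare.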


@@ -326,6 +326,12 @@ def main():
# ssl certificate
# options.dirsrv_cert_files = ansible_module.params.get(
# 'dirsrv_cert_files')
# hsm
if hasattr(ca, "hsm_version"):
options.token_name = None
options.token_library_path = None
options.token_password = None
options.token_password_file = None
# client
# options.no_ntp = ansible_module.params.get('no_ntp')
# certificate system
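Review bot: The `if hasattr(ca, "hsm_version")` block that sets the four `token_*` options to `None` is pasted verbatim into three modules in this commit (this one and the two sections that follow, the CA setup module with `_dirsrv_pkcs12_info` and the KRA module), so a future HSM option added by FreeIPA would have to be patched in three places; a small helper in the shared module_utils, called as `set_hsm_defaults(options)` at each site, keeps them in lockstep. The `hasattr` probe also deserves a comment, since it is a version check in disguise: `# newer FreeIPA (with HSM support) reads token_* from options; HSM tokens are presumably not supported by these modules, so they default to unset`. main() starts and ends outside this hunk.
```python
# in the shared module_utils (ansible_ipa_server / ansible_ipa_replica):
def set_hsm_defaults(options):
    """Default the HSM token options newer FreeIPA reads from `options`.

    NOTE(review): these modules presumably do not support HSM tokens,
    so every token_* setting is left unset (None).
    """
    if hasattr(ca, "hsm_version"):
        options.token_name = None
        options.token_library_path = None
        options.token_password = None
        options.token_password_file = None

# at each call site, replacing the copied block:
# hsm
set_hsm_defaults(options)
```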


@@ -305,6 +305,12 @@ def main():
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
options._dirsrv_pkcs12_info = ansible_module.params.get(
'_dirsrv_pkcs12_info')
# hsm
if hasattr(ca, "hsm_version"):
options.token_name = None
options.token_library_path = None
options.token_password = None
options.token_password_file = None
# certificate system
options.external_ca = ansible_module.params.get('external_ca')
options.external_ca_type = ansible_module.params.get('external_ca_type')


@@ -74,7 +74,7 @@ RETURN = '''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import (
check_imports, AnsibleModuleLog, setup_logging, options,
api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra
api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra, ca
)
@@ -106,6 +106,12 @@ def main():
options.pki_config_override = ansible_module.params.get(
'pki_config_override')
options.promote = False # first master, no promotion
# hsm
if hasattr(ca, "hsm_version"):
options.token_name = None
options.token_library_path = None
options.token_password = None
options.token_password_file = None
# init ##########################################################