mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
81143be96a
Before "short description" was used in most plugins, modules and also in the new module templates. ansible-doc was therefore not showing the short description. To fix the issue the flag was renamed to short_description instead. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2121362 'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'
363 lines
13 KiB
Python
363 lines
13 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
# Authors:
|
|
# Thomas Woerner <twoerner@redhat.com>
|
|
#
|
|
# Based on ipa-client-install code
|
|
#
|
|
# Copyright (C) 2017 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
|
|
__metaclass__ = type
|
|
|
|
ANSIBLE_METADATA = {
|
|
'metadata_version': '1.0',
|
|
'supported_by': 'community',
|
|
'status': ['preview'],
|
|
}
|
|
|
|
DOCUMENTATION = '''
|
|
---
|
|
module: ipaserver_setup_ca
|
|
short_description: Setup CA
|
|
description: Setup CA
|
|
options:
|
|
dm_password:
|
|
description: Directory Manager password
|
|
required: no
|
|
password:
|
|
description: Admin user kerberos password
|
|
required: no
|
|
master_password:
|
|
description: kerberos master password (normally autogenerated)
|
|
required: no
|
|
ip_addresses:
|
|
description: List of Master Server IP Addresses
|
|
required: yes
|
|
domain:
|
|
description: Primary DNS domain of the IPA deployment
|
|
required: no
|
|
realm:
|
|
description: Kerberos realm name of the IPA deployment
|
|
required: no
|
|
hostname:
|
|
description: Fully qualified name of this host
|
|
required: yes
|
|
no_host_dns:
|
|
description: Do not use DNS for hostname lookup during installation
|
|
required: yes
|
|
pki_config_override:
|
|
description: Path to ini file with config overrides
|
|
required: yes
|
|
setup_adtrust:
|
|
description: Configure AD trust capability
|
|
required: yes
|
|
setup_kra:
|
|
description: Configure a dogtag KRA
|
|
required: yes
|
|
setup_dns:
|
|
description: Configure bind with our zone
|
|
required: yes
|
|
setup_ca:
|
|
description: Configure a dogtag CA
|
|
required: yes
|
|
idstart:
|
|
description: The starting value for the IDs range (default random)
|
|
required: no
|
|
idmax:
|
|
description: The max value for the IDs range (default idstart+199999)
|
|
required: no
|
|
no_hbac_allow:
|
|
description: Don't install allow_all HBAC rule
|
|
required: yes
|
|
no_pkinit:
|
|
description: Disable pkinit setup steps
|
|
required: yes
|
|
dirsrv_config_file:
|
|
description:
|
|
The path to LDIF file that will be used to modify configuration of
|
|
dse.ldif during installation of the directory server instance
|
|
required: yes
|
|
dirsrv_cert_files:
|
|
description:
|
|
Files containing the Directory Server SSL certificate and private key
|
|
required: yes
|
|
_dirsrv_pkcs12_info:
|
|
description: The installer _dirsrv_pkcs12_info setting
|
|
required: yes
|
|
external_ca:
|
|
description: External ca setting
|
|
required: yes
|
|
external_ca_type:
|
|
description: Type of the external CA
|
|
required: yes
|
|
external_ca_profile:
|
|
description:
|
|
Specify the certificate profile/template to use at the external CA
|
|
required: yes
|
|
external_cert_files:
|
|
description:
|
|
File containing the IPA CA certificate and the external CA certificate
|
|
chain
|
|
required: yes
|
|
subject_base:
|
|
description:
|
|
The certificate subject base (default O=<realm-name>).
|
|
RDNs are in LDAP order (most specific RDN first).
|
|
required: yes
|
|
_subject_base:
|
|
description: The installer _subject_base setting
|
|
required: yes
|
|
ca_subject:
|
|
description: The installer ca_subject setting
|
|
required: yes
|
|
_ca_subject:
|
|
description: The installer _ca_subject setting
|
|
required: yes
|
|
ca_signing_algorithm:
|
|
description: Signing algorithm of the IPA CA certificate
|
|
required: yes
|
|
_random_serial_numbers:
|
|
description: The installer _random_serial_numbers setting
|
|
required: yes
|
|
reverse_zones:
|
|
description: The reverse DNS zones to use
|
|
required: yes
|
|
no_reverse:
|
|
description: Do not create new reverse DNS zone
|
|
required: yes
|
|
auto_forwarders:
|
|
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
required: yes
|
|
domainlevel:
|
|
description: The domain level
|
|
required: yes
|
|
_http_ca_cert:
|
|
description: The installer _http_ca_cert setting
|
|
required: yes
|
|
author:
|
|
- Thomas Woerner
|
|
'''
|
|
|
|
EXAMPLES = '''
|
|
'''
|
|
|
|
RETURN = '''
|
|
'''
|
|
|
|
import os
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
from ansible.module_utils.ansible_ipa_server import (
|
|
AnsibleModuleLog, setup_logging, options, sysrestore, paths,
|
|
ansible_module_get_parsed_ip_addresses,
|
|
api_Backend_ldap2, redirect_stdout, ca, installutils, ds_init_info,
|
|
custodiainstance, write_cache, x509, decode_certificate
|
|
)
|
|
|
|
|
|
def main():
|
|
ansible_module = AnsibleModule(
|
|
argument_spec=dict(
|
|
# basic
|
|
dm_password=dict(required=True, no_log=True),
|
|
password=dict(required=True, no_log=True),
|
|
master_password=dict(required=True, no_log=True),
|
|
ip_addresses=dict(required=False, type='list', default=[]),
|
|
domain=dict(required=True),
|
|
realm=dict(required=True),
|
|
hostname=dict(required=False),
|
|
no_host_dns=dict(required=False, type='bool', default=False),
|
|
pki_config_override=dict(required=False),
|
|
# server
|
|
setup_adtrust=dict(required=False, type='bool', default=False),
|
|
setup_kra=dict(required=False, type='bool', default=False),
|
|
setup_dns=dict(required=False, type='bool', default=False),
|
|
setup_ca=dict(required=False, type='bool', default=False),
|
|
idstart=dict(required=True, type='int'),
|
|
idmax=dict(required=True, type='int'),
|
|
no_hbac_allow=dict(required=False, type='bool', default=False),
|
|
no_pkinit=dict(required=False, type='bool', default=False),
|
|
dirsrv_config_file=dict(required=False),
|
|
dirsrv_cert_files=dict(required=False, type='list'),
|
|
_dirsrv_pkcs12_info=dict(required=False, type='list'),
|
|
# certificate system
|
|
external_ca=dict(required=False, type='bool', default=False),
|
|
external_ca_type=dict(required=False),
|
|
external_ca_profile=dict(required=False),
|
|
external_cert_files=dict(required=False, type='list',
|
|
default=None),
|
|
subject_base=dict(required=False),
|
|
_subject_base=dict(required=False),
|
|
ca_subject=dict(required=False),
|
|
_ca_subject=dict(required=False),
|
|
ca_signing_algorithm=dict(required=False),
|
|
_random_serial_numbers=dict(required=True, type='bool'),
|
|
# dns
|
|
reverse_zones=dict(required=False, type='list', default=[]),
|
|
no_reverse=dict(required=False, type='bool', default=False),
|
|
auto_forwarders=dict(required=False, type='bool', default=False),
|
|
# additional
|
|
domainlevel=dict(required=False, type='int'),
|
|
_http_ca_cert=dict(required=False),
|
|
),
|
|
)
|
|
|
|
ansible_module._ansible_debug = True
|
|
setup_logging()
|
|
ansible_log = AnsibleModuleLog(ansible_module)
|
|
|
|
# set values ############################################################
|
|
|
|
# basic
|
|
options.dm_password = ansible_module.params.get('dm_password')
|
|
options.admin_password = ansible_module.params.get('password')
|
|
options.master_password = ansible_module.params.get('master_password')
|
|
options.ip_addresses = ansible_module_get_parsed_ip_addresses(
|
|
ansible_module)
|
|
options.domain_name = ansible_module.params.get('domain')
|
|
options.realm_name = ansible_module.params.get('realm')
|
|
options.host_name = ansible_module.params.get('hostname')
|
|
options.no_host_dns = ansible_module.params.get('no_host_dns')
|
|
options.pki_config_override = ansible_module.params.get(
|
|
'pki_config_override')
|
|
# server
|
|
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
|
|
options.setup_kra = ansible_module.params.get('setup_kra')
|
|
options.setup_dns = ansible_module.params.get('setup_dns')
|
|
options.setup_ca = ansible_module.params.get('setup_ca')
|
|
options.idstart = ansible_module.params.get('idstart')
|
|
options.idmax = ansible_module.params.get('idmax')
|
|
options.no_hbac_allow = ansible_module.params.get('no_hbac_allow')
|
|
options.no_pkinit = ansible_module.params.get('no_pkinit')
|
|
options.dirsrv_config_file = ansible_module.params.get(
|
|
'dirsrv_config_file')
|
|
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
|
|
options._dirsrv_pkcs12_info = ansible_module.params.get(
|
|
'_dirsrv_pkcs12_info')
|
|
# certificate system
|
|
options.external_ca = ansible_module.params.get('external_ca')
|
|
options.external_ca_type = ansible_module.params.get('external_ca_type')
|
|
options.external_ca_profile = ansible_module.params.get(
|
|
'external_ca_profile')
|
|
options.external_cert_files = ansible_module.params.get(
|
|
'external_cert_files')
|
|
options.subject_base = ansible_module.params.get('subject_base')
|
|
options._subject_base = ansible_module.params.get('_subject_base')
|
|
options.ca_subject = ansible_module.params.get('ca_subject')
|
|
options._ca_subject = ansible_module.params.get('_ca_subject')
|
|
options.ca_signing_algorithm = ansible_module.params.get(
|
|
'ca_signing_algorithm')
|
|
options._random_serial_numbers = ansible_module.params.get(
|
|
'_random_serial_numbers')
|
|
# dns
|
|
options.reverse_zones = ansible_module.params.get('reverse_zones')
|
|
options.no_reverse = ansible_module.params.get('no_reverse')
|
|
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
|
|
# additional
|
|
options.domainlevel = ansible_module.params.get('domainlevel')
|
|
options._http_ca_cert = ansible_module.params.get('_http_ca_cert')
|
|
if options._http_ca_cert:
|
|
options._http_ca_cert = decode_certificate(options._http_ca_cert)
|
|
|
|
# init #################################################################
|
|
|
|
options.promote = False # first master, no promotion
|
|
|
|
# Repeat from ca.install_check
|
|
# ca.external_cert_file and ca.external_ca_file need to be set
|
|
if options.external_cert_files:
|
|
ca.external_cert_file, ca.external_ca_file = \
|
|
installutils.load_external_cert(
|
|
options.external_cert_files, options._ca_subject)
|
|
|
|
fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
|
|
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
|
|
|
|
ds = ds_init_info(ansible_log, fstore,
|
|
options.domainlevel, options.dirsrv_config_file,
|
|
options.realm_name, options.host_name,
|
|
options.domain_name, options.dm_password,
|
|
options.idstart, options.idmax,
|
|
options.subject_base, options.ca_subject,
|
|
options.no_hbac_allow, options._dirsrv_pkcs12_info,
|
|
options.no_pkinit)
|
|
|
|
# setup CA ##############################################################
|
|
|
|
if hasattr(custodiainstance, "get_custodia_instance"):
|
|
if hasattr(custodiainstance.CustodiaModes, "FIRST_MASTER"):
|
|
mode = custodiainstance.CustodiaModes.FIRST_MASTER
|
|
else:
|
|
mode = custodiainstance.CustodiaModes.MASTER_PEER
|
|
custodia = custodiainstance.get_custodia_instance(options, mode)
|
|
custodia.set_output(ansible_log)
|
|
with redirect_stdout(ansible_log):
|
|
custodia.create_instance()
|
|
|
|
if options.setup_ca:
|
|
if not options.external_cert_files and options.external_ca:
|
|
# stage 1 of external CA installation
|
|
cache_vars = {n: options.__dict__[n] for o, n in options.knobs()
|
|
if n in options.__dict__}
|
|
write_cache(cache_vars)
|
|
|
|
try:
|
|
with redirect_stdout(ansible_log):
|
|
if hasattr(custodiainstance, "get_custodia_instance"):
|
|
ca.install_step_0(False, None, options, custodia=custodia)
|
|
else:
|
|
ca.install_step_0(False, None, options)
|
|
except SystemExit:
|
|
ansible_module.exit_json(changed=True,
|
|
csr_generated=True)
|
|
else:
|
|
# Put the CA cert where other instances expect it
|
|
x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
|
|
os.chmod(paths.IPA_CA_CRT, 0o444)
|
|
|
|
if not options.no_pkinit:
|
|
x509.write_certificate(options._http_ca_cert,
|
|
paths.KDC_CA_BUNDLE_PEM)
|
|
else:
|
|
with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
|
|
pass
|
|
os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
|
|
|
|
x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
|
|
os.chmod(paths.CA_BUNDLE_PEM, 0o444)
|
|
|
|
with redirect_stdout(ansible_log):
|
|
# we now need to enable ssl on the ds
|
|
ds.enable_ssl()
|
|
|
|
if options.setup_ca:
|
|
with redirect_stdout(ansible_log):
|
|
if hasattr(custodiainstance, "get_custodia_instance"):
|
|
ca.install_step_1(False, None, options, custodia=custodia)
|
|
else:
|
|
ca.install_step_1(False, None, options)
|
|
|
|
ansible_module.exit_json(changed=True,
|
|
csr_generated=False)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|