|
Packit Service |
ee01e6 |
#!/usr/bin/python
|
|
Packit Service |
0a38ef |
# -*- coding: utf-8 -*-
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Authors:
|
|
Packit Service |
0a38ef |
# Thomas Woerner <twoerner@redhat.com>
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# Based on ipa-client-install code
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# Copyright (C) 2017 Red Hat
|
|
Packit Service |
0a38ef |
# see file 'COPYING' for use and warranty information
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# This program is free software; you can redistribute it and/or modify
|
|
Packit Service |
0a38ef |
# it under the terms of the GNU General Public License as published by
|
|
Packit Service |
0a38ef |
# the Free Software Foundation, either version 3 of the License, or
|
|
Packit Service |
0a38ef |
# (at your option) any later version.
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# This program is distributed in the hope that it will be useful,
|
|
Packit Service |
0a38ef |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
0a38ef |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit Service |
0a38ef |
# GNU General Public License for more details.
|
|
Packit Service |
0a38ef |
#
|
|
Packit Service |
0a38ef |
# You should have received a copy of the GNU General Public License
|
|
Packit Service |
0a38ef |
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
ANSIBLE_METADATA = {
|
|
Packit Service |
0a38ef |
'metadata_version': '1.0',
|
|
Packit Service |
0a38ef |
'supported_by': 'community',
|
|
Packit Service |
0a38ef |
'status': ['preview'],
|
|
Packit Service |
0a38ef |
}
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
DOCUMENTATION = '''
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
module: ipaclient_setup_nss
|
|
Packit Service |
0a38ef |
short description: Create IPA client NSS database
|
|
Packit Service |
a166ed |
description: Create IPA NSS database
|
|
Packit Service |
0a38ef |
options:
|
|
Packit Service |
0a38ef |
servers:
|
|
Packit Service |
0a38ef |
description: Fully qualified name of IPA servers to enroll to
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
domain:
|
|
Packit Service |
0a38ef |
description: Primary DNS domain of the IPA deployment
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
realm:
|
|
Packit Service |
0a38ef |
description: Kerberos realm name of the IPA deployment
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
hostname:
|
|
Packit Service |
0a38ef |
description: Fully qualified name of this host
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
basedn:
|
|
Packit Service |
0a38ef |
description: The basedn of the IPA server (of the form dc=example,dc=com)
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
principal:
|
|
Packit Service |
0a38ef |
description:
|
|
Packit Service |
0a38ef |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
subject_base:
|
|
Packit Service |
a166ed |
description: |
|
|
Packit Service |
0a38ef |
The certificate subject base (default O=<realm-name>).
|
|
Packit Service |
0a38ef |
RDNs are in LDAP order (most specific RDN first).
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
ca_enabled:
|
|
Packit Service |
0a38ef |
description: Whether the Certificate Authority is enabled or not
|
|
Packit Service |
0a38ef |
required: no
|
|
Packit Service |
0a38ef |
mkhomedir:
|
|
Packit Service |
0a38ef |
description: Create home directories for users on their first login
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
on_master:
|
|
Packit Service |
0a38ef |
description: Whether the configuration is done on the master or not
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
dnsok:
|
|
Packit Service |
0a38ef |
description: The installer dnsok setting
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
enable_dns_updates:
|
|
Packit Service |
a166ed |
description: |
|
|
Packit Service |
0a38ef |
Configures the machine to attempt dns updates when the ip address
|
|
Packit Service |
0a38ef |
changes
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
all_ip_addresses:
|
|
Packit Service |
a166ed |
description: |
|
|
Packit Service |
0a38ef |
All routable IP addresses configured on any interface will be added
|
|
Packit Service |
0a38ef |
to DNS
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
ip_addresses:
|
|
Packit Service |
0a38ef |
description: List of Master Server IP Addresses
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
request_cert:
|
|
Packit Service |
0a38ef |
description: Request certificate for the machine
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
preserve_sssd:
|
|
Packit Service |
0a38ef |
description: Preserve old SSSD configuration if possible
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
no_ssh:
|
|
Packit Service |
0a38ef |
description: Do not configure OpenSSH client
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
no_sshd:
|
|
Packit Service |
0a38ef |
description: Do not configure OpenSSH server
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
no_sudo:
|
|
Packit Service |
0a38ef |
description: Do not configure SSSD as data source for sudo
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
fixed_primary:
|
|
Packit Service |
0a38ef |
description: Configure sssd to use fixed server as primary IPA server
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
permit:
|
|
Packit Service |
0a38ef |
description: Disable access rules by default, permit all access
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
no_krb5_offline_passwords:
|
|
Packit Service |
0a38ef |
description:
|
|
Packit Service |
0a38ef |
Configure SSSD not to store user password when the server is offline
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
no_dns_sshfp:
|
|
Packit Service |
0a38ef |
description: Do not automatically create DNS SSHFP records
|
|
Packit Service |
0a38ef |
required: yes
|
|
Packit Service |
0a38ef |
author:
|
|
Packit Service |
0a38ef |
- Thomas Woerner
|
|
Packit Service |
0a38ef |
'''
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
EXAMPLES = '''
|
|
Packit Service |
0a38ef |
- name: Create IPA client NSS database
|
|
Packit Service |
0a38ef |
ipaclient_setup_nss:
|
|
Packit Service |
0a38ef |
servers: ["server1.example.com","server2.example.com"]
|
|
Packit Service |
0a38ef |
domain: example.com
|
|
Packit Service |
0a38ef |
realm: EXAMPLE.COM
|
|
Packit Service |
0a38ef |
basedn: dc=example,dc=com
|
|
Packit Service |
0a38ef |
hostname: client1.example.com
|
|
Packit Service |
0a38ef |
subject_base: O=EXAMPLE.COM
|
|
Packit Service |
0a38ef |
principal: admin
|
|
Packit Service |
0a38ef |
ca_enabled: yes
|
|
Packit Service |
0a38ef |
'''
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
RETURN = '''
|
|
Packit Service |
0a38ef |
'''
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
import os
|
|
Packit Service |
0a38ef |
import time
|
|
Packit Service |
0a38ef |
import inspect
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
from ansible.module_utils.basic import AnsibleModule
|
|
Packit Service |
0a38ef |
from ansible.module_utils.ansible_ipa_client import (
|
|
Packit Service |
0a38ef |
setup_logging,
|
|
Packit Service |
0a38ef |
options, sysrestore, paths, ansible_module_get_parsed_ip_addresses,
|
|
Packit Service |
0a38ef |
api, errors, create_ipa_nssdb, ipautil, ScriptError, CLIENT_INSTALL_ERROR,
|
|
Packit Service |
0a38ef |
get_certs_from_ldap, DN, certstore, x509, logger, certdb,
|
|
Packit Service |
0a38ef |
CalledProcessError, tasks, client_dns, configure_certmonger, services,
|
|
Packit Service |
0a38ef |
update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf,
|
|
Packit Service |
0a38ef |
nosssd_files, configure_openldap_conf, hardcode_ldap_server
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
def main():
|
|
Packit Service |
0a38ef |
module = AnsibleModule(
|
|
Packit Service |
0a38ef |
argument_spec=dict(
|
|
Packit Service |
0a38ef |
servers=dict(required=True, type='list'),
|
|
Packit Service |
0a38ef |
domain=dict(required=True),
|
|
Packit Service |
0a38ef |
realm=dict(required=True),
|
|
Packit Service |
0a38ef |
hostname=dict(required=True),
|
|
Packit Service |
0a38ef |
basedn=dict(required=True),
|
|
Packit Service |
0a38ef |
principal=dict(required=False),
|
|
Packit Service |
0a38ef |
subject_base=dict(required=True),
|
|
Packit Service |
0a38ef |
ca_enabled=dict(required=True, type='bool'),
|
|
Packit Service |
0a38ef |
mkhomedir=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
on_master=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
dnsok=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
enable_dns_updates=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
all_ip_addresses=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
ip_addresses=dict(required=False, type='list', default=None),
|
|
Packit Service |
0a38ef |
request_cert=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
preserve_sssd=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
no_ssh=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
no_sshd=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
no_sudo=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
fixed_primary=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
permit=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
no_krb5_offline_passwords=dict(required=False, type='bool'),
|
|
Packit Service |
0a38ef |
no_dns_sshfp=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
),
|
|
Packit Service |
0a38ef |
supports_check_mode=True,
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
module._ansible_debug = True
|
|
Packit Service |
0a38ef |
setup_logging()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
cli_server = module.params.get('servers')
|
|
Packit Service |
0a38ef |
cli_realm = module.params.get('realm')
|
|
Packit Service |
0a38ef |
hostname = module.params.get('hostname')
|
|
Packit Service |
0a38ef |
cli_basedn = module.params.get('basedn')
|
|
Packit Service |
0a38ef |
cli_domain = module.params.get('domain')
|
|
Packit Service |
0a38ef |
options.principal = module.params.get('principal')
|
|
Packit Service |
0a38ef |
subject_base = module.params.get('subject_base')
|
|
Packit Service |
0a38ef |
ca_enabled = module.params.get('ca_enabled')
|
|
Packit Service |
0a38ef |
options.mkhomedir = module.params.get('mkhomedir')
|
|
Packit Service |
0a38ef |
options.on_master = module.params.get('on_master')
|
|
Packit Service |
0a38ef |
dnsok = module.params.get('dnsok')
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
|
Packit Service |
0a38ef |
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
options.dns_updates = module.params.get('enable_dns_updates')
|
|
Packit Service |
0a38ef |
options.all_ip_addresses = module.params.get('all_ip_addresses')
|
|
Packit Service |
0a38ef |
options.ip_addresses = ansible_module_get_parsed_ip_addresses(module)
|
|
Packit Service |
0a38ef |
options.request_cert = module.params.get('request_cert')
|
|
Packit Service |
0a38ef |
options.hostname = hostname
|
|
Packit Service |
0a38ef |
options.host_name = hostname
|
|
Packit Service |
0a38ef |
options.preserve_sssd = module.params.get('preserve_sssd')
|
|
Packit Service |
0a38ef |
options.no_ssh = module.params.get('no_ssh')
|
|
Packit Service |
0a38ef |
options.conf_ssh = not options.no_ssh
|
|
Packit Service |
0a38ef |
options.no_sshd = module.params.get('no_sshd')
|
|
Packit Service |
0a38ef |
options.conf_sshd = not options.no_sshd
|
|
Packit Service |
0a38ef |
options.no_sudo = module.params.get('no_sudo')
|
|
Packit Service |
0a38ef |
options.conf_sudo = not options.no_sudo
|
|
Packit Service |
0a38ef |
options.primary = module.params.get('fixed_primary')
|
|
Packit Service |
0a38ef |
options.permit = module.params.get('permit')
|
|
Packit Service |
0a38ef |
options.no_krb5_offline_passwords = module.params.get(
|
|
Packit Service |
0a38ef |
'no_krb5_offline_passwords')
|
|
Packit Service |
0a38ef |
options.krb5_offline_passwords = not options.no_krb5_offline_passwords
|
|
Packit Service |
0a38ef |
options.no_dns_sshfp = module.params.get('no_dns_sshfp')
|
|
Packit Service |
0a38ef |
options.create_sshfp = not options.no_dns_sshfp
|
|
Packit Service |
0a38ef |
options.no_sssd = False
|
|
Packit Service |
0a38ef |
options.sssd = not options.no_sssd
|
|
Packit Service |
0a38ef |
options.no_ac = False
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
CCACHE_FILE = paths.IPA_DNS_CCACHE
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
api.bootstrap(context='cli_installer',
|
|
Packit Service |
0a38ef |
confdir=paths.ETC_IPA,
|
|
Packit Service |
0a38ef |
debug=False,
|
|
Packit Service |
0a38ef |
delegate=False)
|
|
Packit Service |
0a38ef |
api.finalize()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
api.Backend.rpcclient.connect()
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
api.Backend.rpcclient.forward('ping')
|
|
Packit Service |
0a38ef |
except errors.KerberosError:
|
|
Packit Service |
0a38ef |
# Cannot connect to the server due to Kerberos error, trying with
|
|
Packit Service |
0a38ef |
# delegate=True
|
|
Packit Service |
0a38ef |
api.Backend.rpcclient.disconnect()
|
|
Packit Service |
0a38ef |
api.Backend.rpcclient.connect(delegate=True)
|
|
Packit Service |
0a38ef |
api.Backend.rpcclient.forward('ping')
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
##########################################################################
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Create IPA NSS database
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
create_ipa_nssdb()
|
|
Packit Service |
0a38ef |
except ipautil.CalledProcessError as e:
|
|
Packit Service |
0a38ef |
raise ScriptError(
|
|
Packit Service |
0a38ef |
"Failed to create IPA NSS database: %s" % e,
|
|
Packit Service |
0a38ef |
rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Get CA certificates from the certificate store
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn,
|
|
Packit Service |
0a38ef |
cli_realm, ca_enabled)
|
|
Packit Service |
0a38ef |
except errors.NoCertificateError:
|
|
Packit Service |
0a38ef |
if ca_enabled:
|
|
Packit Service |
0a38ef |
ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
ca_subject = None
|
|
Packit Service |
0a38ef |
ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
|
|
Packit Service |
0a38ef |
ca_subject)
|
|
Packit Service |
0a38ef |
ca_certs_trust = [(c, n,
|
|
Packit Service |
0a38ef |
certstore.key_policy_to_trust_flags(t, True, u))
|
|
Packit Service |
0a38ef |
for (c, n, t, u) in ca_certs]
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if hasattr(paths, "KDC_CA_BUNDLE_PEM"):
|
|
Packit Service |
0a38ef |
x509.write_certificate_list(
|
|
Packit Service |
0a38ef |
[c for c, n, t, u in ca_certs if t is not False],
|
|
Packit Service |
0a38ef |
paths.KDC_CA_BUNDLE_PEM,
|
|
Packit Service |
0a38ef |
# mode=0o644
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
if hasattr(paths, "CA_BUNDLE_PEM"):
|
|
Packit Service |
0a38ef |
x509.write_certificate_list(
|
|
Packit Service |
0a38ef |
[c for c, n, t, u in ca_certs if t is not False],
|
|
Packit Service |
0a38ef |
paths.CA_BUNDLE_PEM,
|
|
Packit Service |
0a38ef |
# mode=0o644
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Add the CA certificates to the IPA NSS database
|
|
Packit Service |
0a38ef |
logger.debug("Adding CA certificates to the IPA NSS database.")
|
|
Packit Service |
0a38ef |
ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
|
|
Packit Service |
0a38ef |
for cert, nickname, trust_flags in ca_certs_trust:
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
ipa_db.add_cert(cert, nickname, trust_flags)
|
|
Packit Service |
0a38ef |
except CalledProcessError:
|
|
Packit Service |
0a38ef |
raise ScriptError(
|
|
Packit Service |
0a38ef |
"Failed to add %s to the IPA NSS database." % nickname,
|
|
Packit Service |
0a38ef |
rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Add the CA certificates to the platform-dependant systemwide CA
|
|
Packit Service |
0a38ef |
# store
|
|
Packit Service |
0a38ef |
tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if not options.on_master:
|
|
Packit Service |
0a38ef |
client_dns(cli_server[0], hostname, options)
|
|
Packit Service |
0a38ef |
configure_certmonger(fstore, subject_base, cli_realm, hostname,
|
|
Packit Service |
0a38ef |
options, ca_enabled)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if hasattr(paths, "SSH_CONFIG_DIR"):
|
|
Packit Service |
0a38ef |
ssh_config_dir = paths.SSH_CONFIG_DIR
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
ssh_config_dir = services.knownservices.sshd.get_config_dir()
|
|
Packit Service |
0a38ef |
update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
os.remove(CCACHE_FILE)
|
|
Packit Service |
0a38ef |
except Exception:
|
|
Packit Service |
0a38ef |
pass
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
argspec_save_state = inspect.getargspec(save_state)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Name Server Caching Daemon. Disable for SSSD, use otherwise
|
|
Packit Service |
0a38ef |
# (if installed)
|
|
Packit Service |
0a38ef |
nscd = services.knownservices.nscd
|
|
Packit Service |
0a38ef |
if nscd.is_installed():
|
|
Packit Service |
0a38ef |
if "statestore" in argspec_save_state.args:
|
|
Packit Service |
0a38ef |
save_state(nscd, statestore)
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
save_state(nscd)
|
|
Packit Service |
0a38ef |
nscd_service_action = None
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
if options.sssd:
|
|
Packit Service |
0a38ef |
nscd_service_action = 'stop'
|
|
Packit Service |
0a38ef |
nscd.stop()
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
nscd_service_action = 'restart'
|
|
Packit Service |
0a38ef |
nscd.restart()
|
|
Packit Service |
0a38ef |
except Exception:
|
|
Packit Service |
0a38ef |
logger.warning(
|
|
Packit Service |
0a38ef |
"Failed to %s the %s daemon",
|
|
Packit Service |
0a38ef |
nscd_service_action, nscd.service_name)
|
|
Packit Service |
0a38ef |
if not options.sssd:
|
|
Packit Service |
0a38ef |
logger.warning(
|
|
Packit Service |
0a38ef |
"Caching of users/groups will not be available")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
if options.sssd:
|
|
Packit Service |
0a38ef |
nscd.disable()
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
nscd.enable()
|
|
Packit Service |
0a38ef |
except Exception:
|
|
Packit Service |
0a38ef |
if not options.sssd:
|
|
Packit Service |
0a38ef |
logger.warning(
|
|
Packit Service |
0a38ef |
"Failed to configure automatic startup of the %s "
|
|
Packit Service |
0a38ef |
"daemon",
|
|
Packit Service |
0a38ef |
nscd.service_name)
|
|
Packit Service |
0a38ef |
logger.info(
|
|
Packit Service |
0a38ef |
"Caching of users/groups will not be "
|
|
Packit Service |
0a38ef |
"available after reboot")
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
logger.warning(
|
|
Packit Service |
0a38ef |
"Failed to disable %s daemon. Disable it manually.",
|
|
Packit Service |
0a38ef |
nscd.service_name)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
# this is optional service, just log
|
|
Packit Service |
0a38ef |
if not options.sssd:
|
|
Packit Service |
0a38ef |
logger.info(
|
|
Packit Service |
0a38ef |
"%s daemon is not installed, skip configuration",
|
|
Packit Service |
0a38ef |
nscd.service_name)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
nslcd = services.knownservices.nslcd
|
|
Packit Service |
0a38ef |
if nslcd.is_installed():
|
|
Packit Service |
0a38ef |
if "statestore" in argspec_save_state.args:
|
|
Packit Service |
0a38ef |
save_state(nslcd, statestore)
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
save_state(nslcd)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
retcode, conf = (0, None)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if not options.no_ac:
|
|
Packit Service |
0a38ef |
# Modify nsswitch/pam stack
|
|
Packit Service |
0a38ef |
argspec = inspect.getargspec(tasks.modify_nsswitch_pam_stack)
|
|
Packit Service |
0a38ef |
if "sudo" in argspec.args:
|
|
Packit Service |
0a38ef |
tasks.modify_nsswitch_pam_stack(
|
|
Packit Service |
0a38ef |
sssd=options.sssd,
|
|
Packit Service |
0a38ef |
mkhomedir=options.mkhomedir,
|
|
Packit Service |
0a38ef |
statestore=statestore,
|
|
Packit Service |
0a38ef |
sudo=options.conf_sudo
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
tasks.modify_nsswitch_pam_stack(
|
|
Packit Service |
0a38ef |
sssd=options.sssd,
|
|
Packit Service |
0a38ef |
mkhomedir=options.mkhomedir,
|
|
Packit Service |
0a38ef |
statestore=statestore
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if hasattr(paths, "AUTHSELECT") and paths.AUTHSELECT is not None:
|
|
Packit Service |
0a38ef |
# authselect is used
|
|
Packit Service |
0a38ef |
# if mkhomedir, make sure oddjobd is enabled and started
|
|
Packit Service |
0a38ef |
if options.mkhomedir:
|
|
Packit Service |
0a38ef |
oddjobd = services.service('oddjobd', api)
|
|
Packit Service |
0a38ef |
running = oddjobd.is_running()
|
|
Packit Service |
0a38ef |
enabled = oddjobd.is_enabled()
|
|
Packit Service |
0a38ef |
statestore.backup_state('oddjobd', 'running', running)
|
|
Packit Service |
0a38ef |
statestore.backup_state('oddjobd', 'enabled', enabled)
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
if not enabled:
|
|
Packit Service |
0a38ef |
oddjobd.enable()
|
|
Packit Service |
0a38ef |
if not running:
|
|
Packit Service |
0a38ef |
oddjobd.start()
|
|
Packit Service |
0a38ef |
except Exception as e:
|
|
Packit Service |
0a38ef |
logger.critical("Unable to start oddjobd: %s", str(e))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
logger.info("%s enabled", "SSSD" if options.sssd else "LDAP")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.sssd:
|
|
Packit Service |
0a38ef |
sssd = services.service('sssd', api)
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
sssd.restart()
|
|
Packit Service |
0a38ef |
except CalledProcessError:
|
|
Packit Service |
0a38ef |
logger.warning("SSSD service restart was unsuccessful.")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
sssd.enable()
|
|
Packit Service |
0a38ef |
except CalledProcessError as e:
|
|
Packit Service |
0a38ef |
logger.warning(
|
|
Packit Service |
0a38ef |
"Failed to enable automatic startup of the SSSD "
|
|
Packit Service |
0a38ef |
"daemon: %s", e)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if not options.sssd:
|
|
Packit Service |
0a38ef |
tasks.modify_pam_to_use_krb5(statestore)
|
|
Packit Service |
0a38ef |
logger.info("Kerberos 5 enabled")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Update non-SSSD LDAP configuration after authconfig calls as it
|
|
Packit Service |
0a38ef |
# would change its configuration otherways
|
|
Packit Service |
0a38ef |
if not options.sssd:
|
|
Packit Service |
0a38ef |
for configurer in [configure_ldap_conf, configure_nslcd_conf]:
|
|
Packit Service |
0a38ef |
(retcode, conf, filenames) = configurer(
|
|
Packit Service |
0a38ef |
fstore, cli_basedn, cli_realm,
|
|
Packit Service |
0a38ef |
cli_domain, cli_server, dnsok,
|
|
Packit Service |
0a38ef |
options, nosssd_files[configurer.__name__])
|
|
Packit Service |
0a38ef |
if retcode:
|
|
Packit Service |
0a38ef |
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
if conf:
|
|
Packit Service |
0a38ef |
logger.info(
|
|
Packit Service |
0a38ef |
"%s configured using configuration file(s) %s",
|
|
Packit Service |
0a38ef |
conf, filenames)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if configure_openldap_conf(fstore, cli_basedn, cli_server):
|
|
Packit Service |
0a38ef |
logger.info("Configured /etc/openldap/ldap.conf")
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
logger.info("Failed to configure /etc/openldap/ldap.conf")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Check that nss is working properly
|
|
Packit Service |
0a38ef |
if not options.on_master:
|
|
Packit Service |
0a38ef |
user = options.principal
|
|
Packit Service |
0a38ef |
if user is None:
|
|
Packit Service |
0a38ef |
user = "admin@%s" % cli_domain
|
|
Packit Service |
0a38ef |
logger.info("Principal is not set when enrolling with OTP"
|
|
Packit Service |
0a38ef |
"; using principal '%s' for 'getent passwd'",
|
|
Packit Service |
0a38ef |
user)
|
|
Packit Service |
0a38ef |
elif '@' not in user:
|
|
Packit Service |
0a38ef |
user = "%s@%s" % (user, cli_domain)
|
|
Packit Service |
0a38ef |
n = 0
|
|
Packit Service |
0a38ef |
found = False
|
|
Packit Service |
0a38ef |
# Loop for up to 10 seconds to see if nss is working properly.
|
|
Packit Service |
0a38ef |
# It can sometimes take a few seconds to connect to the remote
|
|
Packit Service |
0a38ef |
# provider.
|
|
Packit Service |
0a38ef |
# Particulary, SSSD might take longer than 6-8 seconds.
|
|
Packit Service |
0a38ef |
if hasattr(paths, "GETENT"):
|
|
Packit Service |
0a38ef |
getent_cmd = paths.GETENT
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
getent_cmd = '/usr/bin/getent'
|
|
Packit Service |
0a38ef |
while n < 10 and not found:
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
ipautil.run([getent_cmd, "passwd", user])
|
|
Packit Service |
0a38ef |
found = True
|
|
Packit Service |
0a38ef |
except Exception:
|
|
Packit Service |
0a38ef |
time.sleep(1)
|
|
Packit Service |
0a38ef |
n = n + 1
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if not found:
|
|
Packit Service |
0a38ef |
logger.error("Unable to find '%s' user with 'getent "
|
|
Packit Service |
0a38ef |
"passwd %s'!", user.split("@")[0], user)
|
|
Packit Service |
0a38ef |
if conf:
|
|
Packit Service |
0a38ef |
logger.info("Recognized configuration: %s", conf)
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
logger.error(
|
|
Packit Service |
0a38ef |
"Unable to reliably detect "
|
|
Packit Service |
0a38ef |
"configuration. Check NSS setup manually.")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
hardcode_ldap_server(cli_server)
|
|
Packit Service |
0a38ef |
except Exception as e:
|
|
Packit Service |
0a38ef |
logger.error(
|
|
Packit Service |
0a38ef |
"Adding hardcoded server name to "
|
|
Packit Service |
0a38ef |
"/etc/ldap.conf failed: %s", str(e))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
except ScriptError as e:
|
|
Packit Service |
0a38ef |
module.fail_json(msg=str(e))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
##########################################################################
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
module.exit_json(changed=True,
|
|
Packit Service |
0a38ef |
ca_enabled_ra=ca_enabled)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if __name__ == '__main__':
|
|
Packit Service |
0a38ef |
main()
|