# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
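# Ansible module metadata: community-supported, preview status.
# Restored from a blame-view listing that interleaved gutter cells with the
# code and dropped the indentation.
ANSIBLE_METADATA = {
    'metadata_version': '1.0',
    'supported_by': 'community',
    'status': ['preview'],
}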
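# Module documentation (YAML) as consumed by ansible-doc.
# Two corrections against the listing:
#  - the key is spelled short_description (it was "short description");
#  - every option is marked "required: no", matching the argument_spec in
#    main(), which declares each argument with required=False.
DOCUMENTATION = '''
---
module: ipaclient_test
short_description: Tries to discover IPA server
description:
  Tries to discover IPA server using DNS or host name
options:
  domain:
    description: Primary DNS domain of the IPA deployment
    required: no
  servers:
    description: Fully qualified name of IPA servers to enroll to
    required: no
  realm:
    description: Kerberos realm name of the IPA deployment
    required: no
  hostname:
    description: Fully qualified name of this host
    required: no
  ntp_servers:
    description: ntp servers to use
    required: no
  ntp_pool:
    description: ntp server pool to use
    required: no
  no_ntp:
    description: Do not configure ntp
    required: no
  force_ntpd:
    description:
      Stop and disable any time&date synchronization services besides ntpd
      Deprecated since 4.7
    required: no
  nisdomain:
    description: The NIS domain name
    required: no
  no_nisdomain:
    description: Do not configure NIS domain name
    required: no
  kinit_attempts:
    description: Repeat the request for host Kerberos ticket X times
    required: no
  ca_cert_files:
    description:
      List of files containing CA certificates for the service certificate
      files
    required: no
  configure_firefox:
    description: Configure Firefox to use IPA domain credentials
    required: no
  firefox_dir:
    description:
      Specify directory where Firefox is installed (for example
      '/usr/lib/firefox')
    required: no
  ip_addresses:
    description: List of Master Server IP Addresses
    required: no
  all_ip_addresses:
    description:
      All routable IP addresses configured on any interface will be added
      to DNS
    required: no
  on_master:
    description: Whether the configuration is done on the master or not
    required: no
  enable_dns_updates:
    description:
      Configures the machine to attempt dns updates when the ip address
      changes
    required: no
author:
  - Thomas Woerner
'''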
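# Example tasks shown by ansible-doc. Restored from a blame-view listing that
# interleaved gutter cells with the code and dropped the YAML indentation;
# the wording of every line is unchanged.
EXAMPLES = '''
# Complete autodiscovery, register return values as ipaclient_test
- name: IPA discovery
  ipaclient_test:
  register: register_ipaclient_test

# Discovery using servers, register return values as ipaclient_test
- name: IPA discovery
  ipaclient_test:
    servers: server1.domain.com,server2.domain.com
  register: register_ipaclient_test

# Discovery using domain name, register return values as ipaclient_test
- name: IPA discovery
  ipaclient_test:
    domain: domain.com
  register: register_ipaclient_test

# Discovery using realm, register return values as ipaclient_test
- name: IPA discovery
  ipaclient_test:
    realm: DOMAIN.COM
  register: register_ipaclient_test

# Discovery using hostname, register return values as ipaclient_test
- name: IPA discovery
  ipaclient_test:
    hostname: host.domain.com
  register: register_ipaclient_test
'''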
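# Return-value documentation shown by ansible-doc. Restored from a blame-view
# listing that interleaved gutter cells with the code and dropped the YAML
# indentation; the wording of every line is unchanged.
RETURN = '''
servers:
  description: The list of detected or passed in IPA servers.
  returned: always
  type: list
  sample: ["server1.example.com","server2.example.com"]
domain:
  description: The DNS domain of the detected or passed in IPA deployment.
  returned: always
  type: string
  sample: example.com
realm:
  description: The Kerberos realm of the detected or passed in IPA deployment.
  returned: always
  type: string
  sample: EXAMPLE.COM
kdc:
  description: The detected KDC server name.
  returned: always
  type: string
  sample: server1.example.com
basedn:
  description: The basedn of the detected IPA server.
  returned: always
  type: string
  sample: dc=example,dc=com
hostname:
  description: The detected or passed in FQDN hostname of the client.
  returned: always
  type: string
  sample: client1.example.com
client_domain:
  description: The domain name of the client.
  returned: always
  type: string
  sample: example.com
dnsok:
  description: True if DNS discovery worked and not passed in any servers.
  returned: always
  type: bool
ntp_servers:
  description: The list of detected NTP servers.
  returned: always
  type: list
  sample: ["ntp.example.com"]
ipa_python_version:
  description:
    - The IPA python version as a number:
    - <major version>*10000+<minor version>*100+<release>
  returned: always
  type: int
  sample: 040400
'''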
import os
import socket
import inspect
try:
from six.moves.configparser import RawConfigParser
except ImportError:
from ConfigParser import RawConfigParser
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_client import (
setup_logging,
paths, sysrestore, options, CheckedIPAddress, validate_domain_name,
logger, x509, normalize_hostname, installer, version, ScriptError,
CLIENT_INSTALL_ERROR, tasks, check_ldap_conf, timeconf, constants,
validate_hostname, nssldap_exists, gssapi, remove_file,
check_ip_addresses, ipadiscovery, print_port_conf_info,
IPA_PYTHON_VERSION
)
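def get_cert_path(cert_path):
    """
    Select the CA certificate file to use.

    If a CA certificate is passed in on the command line, use that.
    Else if a CA file exists in paths.IPA_CA_CRT then use that.
    Otherwise return None.

    An explicitly supplied path is returned unchanged: this function does
    not check that it exists or that it holds a valid certificate, so the
    caller has to verify the file before trusting it.

    :param cert_path: CA certificate path supplied by the caller, or None
    :returns: the selected path, or None when no CA certificate is found
    """
    # Restored from a blame-view listing that interleaved gutter cells with
    # the code and dropped the indentation; the logic itself is unchanged.
    if cert_path is not None:
        return cert_path

    if os.path.exists(paths.IPA_CA_CRT):
        return paths.IPA_CA_CRT

    return None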
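def is_client_configured():
    """
    Check if ipa client is configured.

    IPA client is configured when /etc/ipa/default.conf exists and
    /var/lib/ipa-client/sysrestore/sysrestore.state exists.

    The paths actually tested are paths.IPA_DEFAULT_CONF and
    sysrestore.SYSRESTORE_STATEFILE under paths.IPA_CLIENT_SYSRESTORE;
    both must be regular files.

    :returns: boolean
    """
    # Restored from a blame-view listing that interleaved gutter cells with
    # the code and dropped the indentation; the expression is unchanged.
    return (os.path.isfile(paths.IPA_DEFAULT_CONF) and
            os.path.isfile(os.path.join(paths.IPA_CLIENT_SYSRESTORE,
                                        sysrestore.SYSRESTORE_STATEFILE)))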
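def get_ipa_conf():
    """
    Return IPA configuration read from `/etc/ipa/default.conf`.

    Only the keys basedn, realm, domain, server, host and xmlrpc_uri of the
    [global] section are looked up; a key that is missing or has an empty
    value is left out of the result. Values are returned exactly as read
    from the file, without validation.

    :returns: dict containing key,value
    """
    # Restored from a blame-view listing that interleaved gutter cells with
    # the code and dropped the indentation.
    parser = RawConfigParser()
    # read() silently skips a file it cannot open, so a missing
    # configuration file yields an empty dict rather than an error.
    parser.read(paths.IPA_DEFAULT_CONF)

    result = {}
    for item in ('basedn', 'realm', 'domain', 'server', 'host', 'xmlrpc_uri'):
        if not parser.has_option('global', item):
            continue
        value = parser.get('global', item)
        if value:
            result[item] = value

    return result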
def main():
|
|
Packit Service |
0a38ef |
module = AnsibleModule(
|
|
Packit Service |
0a38ef |
argument_spec=dict(
|
|
Packit Service |
0a38ef |
# basic
|
|
Packit Service |
0a38ef |
domain=dict(required=False, default=None),
|
|
Packit Service |
0a38ef |
servers=dict(required=False, type='list', default=None),
|
|
Packit Service |
0a38ef |
realm=dict(required=False, default=None),
|
|
Packit Service |
0a38ef |
hostname=dict(required=False, default=None),
|
|
Packit Service |
0a38ef |
ntp_servers=dict(required=False, type='list', default=None),
|
|
Packit Service |
0a38ef |
ntp_pool=dict(required=False, default=None),
|
|
Packit Service |
0a38ef |
no_ntp=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
force_ntpd=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
nisdomain=dict(required=False, default=None),
|
|
Packit Service |
0a38ef |
no_nisdomain=dict(required=False, type='bool', default='no'),
|
|
Packit Service |
0a38ef |
kinit_attempts=dict(required=False, type='int'),
|
|
Packit Service |
0a38ef |
ca_cert_files=dict(required=False, type='list', default=None),
|
|
Packit Service |
0a38ef |
configure_firefox=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
firefox_dir=dict(required=False),
|
|
Packit Service |
0a38ef |
ip_addresses=dict(required=False, type='list', default=None),
|
|
Packit Service |
0a38ef |
all_ip_addresses=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
on_master=dict(required=False, type='bool', default=False),
|
|
Packit Service |
0a38ef |
# sssd
|
|
Packit Service |
0a38ef |
enable_dns_updates=dict(required=False, type='bool',
|
|
Packit Service |
0a38ef |
default=False),
|
|
Packit Service |
0a38ef |
),
|
|
Packit Service |
0a38ef |
supports_check_mode=True,
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# module._ansible_debug = True
|
|
Packit Service |
0a38ef |
setup_logging()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
options.domain_name = module.params.get('domain')
|
|
Packit Service |
0a38ef |
options.servers = module.params.get('servers')
|
|
Packit Service |
0a38ef |
options.realm_name = module.params.get('realm')
|
|
Packit Service |
0a38ef |
options.host_name = module.params.get('hostname')
|
|
Packit Service |
0a38ef |
options.ntp_servers = module.params.get('ntp_servers')
|
|
Packit Service |
0a38ef |
options.ntp_pool = module.params.get('ntp_pool')
|
|
Packit Service |
0a38ef |
options.no_ntp = module.params.get('no_ntp')
|
|
Packit Service |
0a38ef |
options.force_ntpd = module.params.get('force_ntpd')
|
|
Packit Service |
0a38ef |
options.nisdomain = module.params.get('nisdomain')
|
|
Packit Service |
0a38ef |
options.no_nisdomain = module.params.get('no_nisdomain')
|
|
Packit Service |
0a38ef |
options.kinit_attempts = module.params.get('kinit_attempts')
|
|
Packit Service |
0a38ef |
options.ca_cert_files = module.params.get('ca_cert_files')
|
|
Packit Service |
0a38ef |
options.configure_firefox = module.params.get('configure_firefox')
|
|
Packit Service |
0a38ef |
options.firefox_dir = module.params.get('firefox_dir')
|
|
Packit Service |
0a38ef |
options.ip_addresses = module.params.get('ip_addresses')
|
|
Packit Service |
0a38ef |
options.all_ip_addresses = module.params.get('all_ip_addresses')
|
|
Packit Service |
0a38ef |
options.on_master = module.params.get('on_master')
|
|
Packit Service |
0a38ef |
options.enable_dns_updates = module.params.get('enable_dns_updates')
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Get domain from first server if domain is not set, but if there are
|
|
Packit Service |
0a38ef |
# servers
|
|
Packit Service |
0a38ef |
if options.domain_name is None and options.servers is not None:
|
|
Packit Service |
0a38ef |
if len(options.servers) > 0:
|
|
Packit Service |
0a38ef |
options.domain_name = options.servers[0][
|
|
Packit Service |
0a38ef |
options.servers[0].find(".")+1:]
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
self = options
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# HostNameInstallInterface
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.ip_addresses is not None:
|
|
Packit Service |
0a38ef |
for value in options.ip_addresses:
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
CheckedIPAddress(value)
|
|
Packit Service |
0a38ef |
except Exception as e:
|
|
Packit Service |
0a38ef |
raise ValueError("invalid IP address {0}: {1}".format(
|
|
Packit Service |
0a38ef |
value, e))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# ServiceInstallInterface
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.domain_name:
|
|
Packit Service |
0a38ef |
validate_domain_name(options.domain_name)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.realm_name:
|
|
Packit Service |
0a38ef |
argspec = inspect.getargspec(validate_domain_name)
|
|
Packit Service |
0a38ef |
if "entity" in argspec.args:
|
|
Packit Service |
0a38ef |
# NUM_VERSION >= 40690:
|
|
Packit Service |
0a38ef |
validate_domain_name(options.realm_name, entity="realm")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# ClientInstallInterface
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.kinit_attempts < 1:
|
|
Packit Service |
0a38ef |
raise ValueError("expects an integer greater than 0.")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# ClientInstallInterface.__init__
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.servers and not self.domain_name:
|
|
Packit Service |
0a38ef |
raise RuntimeError(
|
|
Packit Service |
0a38ef |
"--server cannot be used without providing --domain")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.force_ntpd:
|
|
Packit Service |
0a38ef |
logger.warning("Option --force-ntpd has been deprecated")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.ntp_servers and self.no_ntp:
|
|
Packit Service |
0a38ef |
raise RuntimeError(
|
|
Packit Service |
0a38ef |
"--ntp-server cannot be used together with --no-ntp")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.ntp_pool and self.no_ntp:
|
|
Packit Service |
0a38ef |
raise RuntimeError(
|
|
Packit Service |
0a38ef |
"--ntp-pool cannot be used together with --no-ntp")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.no_nisdomain and self.nisdomain:
|
|
Packit Service |
0a38ef |
raise RuntimeError(
|
|
Packit Service |
0a38ef |
"--no-nisdomain cannot be used together with --nisdomain")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.ip_addresses:
|
|
Packit Service |
0a38ef |
if self.enable_dns_updates:
|
|
Packit Service |
0a38ef |
raise RuntimeError(
|
|
Packit Service |
0a38ef |
"--ip-address cannot be used together with"
|
|
Packit Service |
0a38ef |
" --enable-dns-updates")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.all_ip_addresses:
|
|
Packit Service |
0a38ef |
raise RuntimeError(
|
|
Packit Service |
0a38ef |
"--ip-address cannot be used together with"
|
|
Packit Service |
0a38ef |
"--all-ip-addresses")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# SSSDInstallInterface
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
self.no_sssd = False
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# ClientInstall
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.ca_cert_files is not None:
|
|
Packit Service |
0a38ef |
for value in options.ca_cert_files:
|
|
Packit Service |
0a38ef |
if not isinstance(value, list):
|
|
Packit Service |
0a38ef |
raise ValueError("Expected list, got {!r}".format(value))
|
|
Packit Service |
0a38ef |
# this is what init() does
|
|
Packit Service |
0a38ef |
value = value[-1]
|
|
Packit Service |
0a38ef |
if not os.path.exists(value):
|
|
Packit Service |
0a38ef |
raise ValueError("'%s' does not exist" % value)
|
|
Packit Service |
0a38ef |
if not os.path.isfile(value):
|
|
Packit Service |
0a38ef |
raise ValueError("'%s' is not a file" % value)
|
|
Packit Service |
0a38ef |
if not os.path.isabs(value):
|
|
Packit Service |
0a38ef |
raise ValueError("'%s' is not an absolute file path" %
|
|
Packit Service |
0a38ef |
value)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
x509.load_certificate_from_file(value)
|
|
Packit Service |
0a38ef |
except Exception:
|
|
Packit Service |
0a38ef |
raise ValueError("'%s' is not a valid certificate file" %
|
|
Packit Service |
0a38ef |
value)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# self.prompt_password = self.interactive
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
self.no_ac = False
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# ClientInstall.__init__
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if self.firefox_dir and not self.configure_firefox:
|
|
Packit Service |
0a38ef |
raise RuntimeError(
|
|
Packit Service |
0a38ef |
"--firefox-dir cannot be used without --configure-firefox "
|
|
Packit Service |
0a38ef |
"option")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
except (RuntimeError, ValueError) as e:
|
|
Packit Service |
0a38ef |
module.fail_json(msg=str(e))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# ipaclient.install.client.init
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# root_logger
|
|
Packit Service |
0a38ef |
options.debug = False
|
|
Packit Service |
0a38ef |
if options.domain_name:
|
|
Packit Service |
0a38ef |
options.domain = normalize_hostname(installer.domain_name)
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
options.domain = None
|
|
Packit Service |
0a38ef |
options.server = options.servers
|
|
Packit Service |
0a38ef |
options.realm = options.realm_name
|
|
Packit Service |
0a38ef |
# installer.primary = installer.fixed_primary
|
|
Packit Service |
0a38ef |
# if installer.principal:
|
|
Packit Service |
0a38ef |
# installer.password = installer.admin_password
|
|
Packit Service |
0a38ef |
# else:
|
|
Packit Service |
0a38ef |
# installer.password = installer.host_password
|
|
Packit Service |
0a38ef |
installer.hostname = installer.host_name
|
|
Packit Service |
0a38ef |
options.conf_ntp = not options.no_ntp
|
|
Packit Service |
0a38ef |
# installer.trust_sshfp = installer.ssh_trust_dns
|
|
Packit Service |
0a38ef |
# installer.conf_ssh = not installer.no_ssh
|
|
Packit Service |
0a38ef |
# installer.conf_sshd = not installer.no_sshd
|
|
Packit Service |
0a38ef |
# installer.conf_sudo = not installer.no_sudo
|
|
Packit Service |
0a38ef |
# installer.create_sshfp = not installer.no_dns_sshfp
|
|
Packit Service |
0a38ef |
if installer.ca_cert_files:
|
|
Packit Service |
0a38ef |
installer.ca_cert_file = installer.ca_cert_files[-1]
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
installer.ca_cert_file = None
|
|
Packit Service |
0a38ef |
# installer.location = installer.automount_location
|
|
Packit Service |
0a38ef |
installer.dns_updates = installer.enable_dns_updates
|
|
Packit Service |
0a38ef |
# installer.krb5_offline_passwords = \
|
|
Packit Service |
0a38ef |
# not installer.no_krb5_offline_passwords
|
|
Packit Service |
0a38ef |
installer.sssd = not installer.no_sssd
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# client
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# global variables
|
|
Packit Service |
0a38ef |
hostname = None
|
|
Packit Service |
0a38ef |
hostname_source = None
|
|
Packit Service |
0a38ef |
nosssd_files = None
|
|
Packit Service |
0a38ef |
dnsok = False
|
|
Packit Service |
0a38ef |
cli_domain = None
|
|
Packit Service |
0a38ef |
cli_server = None
|
|
Packit Service |
0a38ef |
# subject_base = None
|
|
Packit Service |
0a38ef |
cli_realm = None
|
|
Packit Service |
0a38ef |
cli_kdc = None
|
|
Packit Service |
0a38ef |
client_domain = None
|
|
Packit Service |
0a38ef |
cli_basedn = None
|
|
Packit Service |
0a38ef |
# end of global variables
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# client.install_check
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
logger.info("This program will set up FreeIPA client.")
|
|
Packit Service |
0a38ef |
logger.info("Version %s", version.VERSION)
|
|
Packit Service |
0a38ef |
logger.info("")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
cli_domain_source = 'Unknown source'
|
|
Packit Service |
0a38ef |
cli_server_source = 'Unknown source'
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if not os.getegid() == 0:
|
|
Packit Service |
0a38ef |
raise ScriptError(
|
|
Packit Service |
0a38ef |
"You must be root to run ipa-client-install.",
|
|
Packit Service |
0a38ef |
rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks.check_selinux_status()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# if is_ipa_client_installed(fstore, on_master=options.on_master):
|
|
Packit Service |
0a38ef |
# logger.error("IPA client is already configured on this system.")
|
|
Packit Service |
0a38ef |
# logger.info(
|
|
Packit Service |
0a38ef |
# "If you want to reinstall the IPA client, uninstall it first "
|
|
Packit Service |
0a38ef |
# "using 'ipa-client-install --uninstall'.")
|
|
Packit Service |
0a38ef |
# raise ScriptError(
|
|
Packit Service |
0a38ef |
# "IPA client is already configured on this system.",
|
|
Packit Service |
0a38ef |
# rval=CLIENT_ALREADY_CONFIGURED)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if check_ldap_conf is not None:
|
|
Packit Service |
0a38ef |
check_ldap_conf()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.conf_ntp:
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
timeconf.check_timedate_services()
|
|
Packit Service |
0a38ef |
except timeconf.NTPConflictingService as e:
|
|
Packit Service |
0a38ef |
logger.info(
|
|
Packit Service |
0a38ef |
"WARNING: conflicting time&date synchronization service "
|
|
Packit Service |
0a38ef |
"'%s' will be disabled in favor of chronyd",
|
|
Packit Service |
0a38ef |
e.conflicting_service)
|
|
Packit Service |
0a38ef |
logger.info("")
|
|
Packit Service |
0a38ef |
except timeconf.NTPConfigurationError:
|
|
Packit Service |
0a38ef |
pass
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# password, principal and keytab are checked in tasks/install.yml
|
|
Packit Service |
0a38ef |
# if options.unattended and (
|
|
Packit Service |
0a38ef |
# options.password is None and
|
|
Packit Service |
0a38ef |
# options.principal is None and
|
|
Packit Service |
0a38ef |
# options.keytab is None and
|
|
Packit Service |
0a38ef |
# options.prompt_password is False and
|
|
Packit Service |
0a38ef |
# not options.on_master
|
|
Packit Service |
0a38ef |
# ):
|
|
Packit Service |
0a38ef |
# raise ScriptError(
|
|
Packit Service |
0a38ef |
# "One of password / principal / keytab is required.",
|
|
Packit Service |
0a38ef |
# rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if options.hostname:
|
|
Packit Service |
0a38ef |
hostname = options.hostname
|
|
Packit Service |
0a38ef |
hostname_source = 'Provided as option'
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
hostname = socket.getfqdn()
|
|
Packit Service |
0a38ef |
hostname_source = "Machine's FQDN"
|
|
Packit Service |
0a38ef |
if hostname != hostname.lower():
|
|
Packit Service |
0a38ef |
raise ScriptError(
|
|
Packit Service |
0a38ef |
"Invalid hostname '{}', must be lower-case.".format(hostname),
|
|
Packit Service |
0a38ef |
rval=CLIENT_INSTALL_ERROR
|
|
Packit Service |
0a38ef |
)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if hostname in ('localhost', 'localhost.localdomain'):
|
|
Packit Service |
0a38ef |
raise ScriptError(
|
|
Packit Service |
0a38ef |
"Invalid hostname, '{}' must not be used.".format(hostname),
|
|
Packit Service |
0a38ef |
rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if hasattr(constants, "MAXHOSTNAMELEN"):
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
validate_hostname(hostname, maxlen=constants.MAXHOSTNAMELEN)
|
|
Packit Service |
0a38ef |
except ValueError as e:
|
|
Packit Service |
0a38ef |
raise ScriptError(
|
|
Packit Service |
0a38ef |
'invalid hostname: {}'.format(e),
|
|
Packit Service |
0a38ef |
rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if hasattr(tasks, "is_nosssd_supported"):
|
|
Packit Service |
0a38ef |
# --no-sssd is not supported any more for rhel-based distros
|
|
Packit Service |
0a38ef |
if not tasks.is_nosssd_supported() and not options.sssd:
|
|
Packit Service |
0a38ef |
raise ScriptError(
|
|
Packit Service |
0a38ef |
"Option '--no-sssd' is incompatible with the 'authselect' "
|
|
Packit Service |
0a38ef |
"tool provided by this distribution for configuring "
|
|
Packit Service |
0a38ef |
"system authentication resources",
|
|
Packit Service |
0a38ef |
rval=CLIENT_INSTALL_ERROR)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# --noac is not supported any more for rhel-based distros
|
|
Packit Service |
0a38ef |
if not tasks.is_nosssd_supported() and options.no_ac:
raise ScriptError(
"Option '--noac' is incompatible with the 'authselect' "
"tool provided by this distribution for configuring "
"system authentication resources",
rval=CLIENT_INSTALL_ERROR)
|
# when installing with '--no-sssd' option, check whether nss-ldap is
# installed
if not options.sssd:
if not os.path.exists(paths.PAM_KRB5_SO):
raise ScriptError(
"The pam_krb5 package must be installed",
rval=CLIENT_INSTALL_ERROR)
|
(nssldap_installed, nosssd_files) = nssldap_exists()
(nssldap_installed, __temp) = nssldap_exists()
if not nssldap_installed:
raise ScriptError(
"One of these packages must be installed: nss_ldap or "
"nss-pam-ldapd",
rval=CLIENT_INSTALL_ERROR)
|
# principal and keytab are checked in tasks/install.yml
# if options.keytab and options.principal:
# raise ScriptError(
# "Options 'principal' and 'keytab' cannot be used together.",
# rval=CLIENT_INSTALL_ERROR)
|
# keytab and force_join are checked in tasks/install.yml
# if options.keytab and options.force_join:
# logger.warning("Option 'force-join' has no additional effect "
# "when used with together with option 'keytab'.")
|
# Added with freeipa-4.7.1 >>>
# Remove invalid keytab file
try:
gssapi.Credentials(
store={'keytab': paths.KRB5_KEYTAB},
usage='accept',
)
except gssapi.exceptions.GSSError:
logger.debug("Deleting invalid keytab: '%s'.", paths.KRB5_KEYTAB)
remove_file(paths.KRB5_KEYTAB)
# Added with freeipa-4.7.1 <<<
|
# Check if old certificate exist and show warning
if (
not options.ca_cert_file and
get_cert_path(options.ca_cert_file) == paths.IPA_CA_CRT
):
logger.warning("Using existing certificate '%s'.",
paths.IPA_CA_CRT)
|
if not check_ip_addresses(options):
raise ScriptError(
"Failed to check ip addresses, check installation log",
rval=CLIENT_INSTALL_ERROR)
|
# Create the discovery instance
ds = ipadiscovery.IPADiscovery()
|
ret = ds.search(
domain=options.domain,
servers=options.server,
realm=options.realm_name,
hostname=hostname,
ca_cert_path=get_cert_path(options.ca_cert_file)
)
|
if options.server and ret != 0:
# There is no point to continue with installation as server list
# was passed as a fixed list of server and thus we cannot discover
# any better result
logger.error(
"Failed to verify that %s is an IPA Server.",
', '.join(options.server))
logger.error(
"This may mean that the remote server is not up "
"or is not reachable due to network or firewall settings.")
print_port_conf_info()
raise ScriptError("Failed to verify that %s is an IPA Server." %
', '.join(options.server),
rval=CLIENT_INSTALL_ERROR)
|
if ret == ipadiscovery.BAD_HOST_CONFIG:
logger.error("Can't get the fully qualified name of this host")
logger.info("Check that the client is properly configured")
raise ScriptError(
"Can't get the fully qualified name of this host",
rval=CLIENT_INSTALL_ERROR)
if ret == ipadiscovery.NOT_FQDN:
raise ScriptError(
"{} is not a fully-qualified hostname".format(hostname),
rval=CLIENT_INSTALL_ERROR)
if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
or not ds.domain:
if ret == ipadiscovery.NO_LDAP_SERVER:
if ds.server:
logger.debug("%s is not an LDAP server", ds.server)
else:
logger.debug("No LDAP server found")
elif ret == ipadiscovery.NOT_IPA_SERVER:
if ds.server:
logger.debug("%s is not an IPA server", ds.server)
else:
logger.debug("No IPA server found")
else:
logger.debug("Domain not found")
if options.domain:
cli_domain = options.domain
cli_domain_source = 'Provided as option'
elif options.unattended:
raise ScriptError(
"Unable to discover domain, not provided on command line",
rval=CLIENT_INSTALL_ERROR)
else:
raise ScriptError("No interactive installation")
# logger.info(
# "DNS discovery failed to determine your DNS domain")
# cli_domain = user_input(
# "Provide the domain name of your IPA server "
# "(ex: example.com)",
# allow_empty=False)
# cli_domain_source = 'Provided interactively'
# logger.debug(
# "will use interactively provided domain: %s", cli_domain)
ret = ds.search(
domain=cli_domain,
servers=options.server,
hostname=hostname,
ca_cert_path=get_cert_path(options.ca_cert_file))
|
if not cli_domain:
if ds.domain:
cli_domain = ds.domain
cli_domain_source = ds.domain_source
logger.debug("will use discovered domain: %s", cli_domain)
|
client_domain = hostname[hostname.find(".")+1:]
|
if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
or not ds.server:
logger.debug("IPA Server not found")
if options.server:
cli_server = options.server
cli_server_source = 'Provided as option'
elif options.unattended:
raise ScriptError(
"Unable to find IPA Server to join",
rval=CLIENT_INSTALL_ERROR)
else:
raise ScriptError("No interactive installation")
# logger.debug("DNS discovery failed to find the IPA Server")
# cli_server = [
# user_input(
# "Provide your IPA server name (ex: ipa.example.com)",
# allow_empty=False)
# ]
# cli_server_source = 'Provided interactively'
# logger.debug(
# "will use interactively provided server: %s", cli_server[0])
ret = ds.search(
domain=cli_domain,
servers=cli_server,
hostname=hostname,
ca_cert_path=get_cert_path(options.ca_cert_file))
|
else:
# Only set dnsok to True if we were not passed in one or more
# servers and if DNS discovery actually worked.
if not options.server:
(server, domain) = ds.check_domain(
ds.domain, set(), "Validating DNS Discovery")
if server and domain:
logger.debug("DNS validated, enabling discovery")
dnsok = True
else:
logger.debug("DNS discovery failed, disabling discovery")
else:
logger.debug(
"Using servers from command line, disabling DNS discovery")
|
if not cli_server:
if options.server:
cli_server = ds.servers
cli_server_source = 'Provided as option'
logger.debug(
"will use provided server: %s", ', '.join(options.server))
elif ds.server:
cli_server = ds.servers
cli_server_source = ds.server_source
logger.debug("will use discovered server: %s", cli_server[0])
|
if ret == ipadiscovery.NOT_IPA_SERVER:
logger.error("%s is not an IPA v2 Server.", cli_server[0])
print_port_conf_info()
logger.debug("(%s: %s)", cli_server[0], cli_server_source)
raise ScriptError("%s is not an IPA v2 Server." % cli_server[0],
rval=CLIENT_INSTALL_ERROR)
|
if ret == ipadiscovery.NO_ACCESS_TO_LDAP:
logger.warning("Anonymous access to the LDAP server is disabled.")
logger.info("Proceeding without strict verification.")
logger.info(
"Note: This is not an error if anonymous access "
"has been explicitly restricted.")
ret = 0
|
if ret == ipadiscovery.NO_TLS_LDAP:
logger.warning(
"The LDAP server requires TLS is but we do not have the CA.")
logger.info("Proceeding without strict verification.")
ret = 0
|
if ret != 0:
logger.error(
"Failed to verify that %s is an IPA Server.",
cli_server[0])
logger.error(
"This may mean that the remote server is not up "
"or is not reachable due to network or firewall settings.")
print_port_conf_info()
logger.debug("(%s: %s)", cli_server[0], cli_server_source)
raise ScriptError("Failed to verify that %s is an IPA Server." %
cli_server[0],
rval=CLIENT_INSTALL_ERROR)
|
cli_kdc = ds.kdc
if dnsok and not cli_kdc:
logger.error(
"DNS domain '%s' is not configured for automatic "
"KDC address lookup.", ds.realm.lower())
logger.debug("(%s: %s)", ds.realm, ds.realm_source)
logger.error("KDC address will be set to fixed value.")
|
if dnsok:
logger.info("Discovery was successful!")
elif not options.unattended:
raise ScriptError("No interactive installation")
# if not options.server:
# logger.warning(
# "The failure to use DNS to find your IPA "
# "server indicates that your resolv.conf file is not properly "
# "configured.")
# logger.info(
# "Autodiscovery of servers for failover cannot work "
# "with this configuration.")
# logger.info(
# "If you proceed with the installation, services "
# "will be configured to always access the discovered server for "
# "all operations and will not fail over to other servers in case "
# "of failure.")
# if not user_input(
# "Proceed with fixed values and no DNS discovery?", False):
# raise ScriptError(rval=CLIENT_INSTALL_ERROR)
|
# Do not ask for time source
# if options.conf_ntp:
# if not options.on_master and not options.unattended and not (
# options.ntp_servers or options.ntp_pool):
# options.ntp_servers, options.ntp_pool = \
# timeconf.get_time_source()
|
cli_realm = ds.realm
cli_realm_source = ds.realm_source
logger.debug("will use discovered realm: %s", cli_realm)
|
if options.realm_name and options.realm_name != cli_realm:
logger.error(
"The provided realm name [%s] does not match discovered "
"one [%s]",
options.realm_name, cli_realm)
logger.debug("(%s: %s)", cli_realm, cli_realm_source)
raise ScriptError(
"The provided realm name [%s] does not match discovered "
"one [%s]" % (options.realm_name, cli_realm),
rval=CLIENT_INSTALL_ERROR)
|
cli_basedn = ds.basedn
cli_basedn_source = ds.basedn_source
logger.debug("will use discovered basedn: %s", cli_basedn)
# subject_base = DN(('O', cli_realm))
|
logger.info("Client hostname: %s", hostname)
logger.debug("Hostname source: %s", hostname_source)
logger.info("Realm: %s", cli_realm)
logger.debug("Realm source: %s", cli_realm_source)
logger.info("DNS Domain: %s", cli_domain)
logger.debug("DNS Domain source: %s", cli_domain_source)
logger.info("IPA Server: %s", ', '.join(cli_server))
logger.debug("IPA Server source: %s", cli_server_source)
logger.info("BaseDN: %s", cli_basedn)
logger.debug("BaseDN source: %s", cli_basedn_source)
|
if not options.on_master:
if options.ntp_servers:
for server in options.ntp_servers:
logger.info("NTP server: %s", server)
|
if options.ntp_pool:
logger.info("NTP pool: %s", options.ntp_pool)
|
# ipa-join would fail with IP address instead of a FQDN
for srv in cli_server:
try:
socket.inet_pton(socket.AF_INET, srv)
is_ipaddr = True
except socket.error:
try:
socket.inet_pton(socket.AF_INET6, srv)
is_ipaddr = True
except socket.error:
is_ipaddr = False
|
if is_ipaddr:
logger.info()
logger.warning(
"It seems that you are using an IP address "
"instead of FQDN as an argument to --server. The "
"installation may fail.")
break
|
# logger.info()
# if not options.unattended and not user_input(
# "Continue to configure the system with these values?", False):
# raise ScriptError(rval=CLIENT_INSTALL_ERROR)
|
except ScriptError as e:
module.fail_json(msg=str(e))
|
#########################################################################
|
# client._install
|
# May not happen in here at this time
# if not options.on_master:
# # Try removing old principals from the keytab
# purge_host_keytab(cli_realm)
|
# Check if ipa client is already configured
if is_client_configured():
client_already_configured = True
|
# Check that realm and domain match
current_config = get_ipa_conf()
if cli_domain != current_config.get('domain'):
module.fail_json(msg="IPA client already installed "
"with a conflicting domain")
if cli_realm != current_config.get('realm'):
module.fail_json(msg="IPA client already installed "
"with a conflicting realm")
else:
client_already_configured = False
|
# Done
module.exit_json(changed=False,
servers=cli_server,
domain=cli_domain,
realm=cli_realm,
kdc=cli_kdc,
basedn=str(cli_basedn),
hostname=hostname,
client_domain=client_domain,
dnsok=dnsok,
sssd=options.sssd,
ntp_servers=options.ntp_servers,
ntp_pool=options.ntp_pool,
client_already_configured=client_already_configured,
ipa_python_version=IPA_PYTHON_VERSION)
|
|
# Entry guard: call main() only when this file is executed as a script,
# not when it is imported as a module.
if __name__ == '__main__':
    main()