|
Packit |
8cb997 |
#!/usr/bin/python
|
|
Packit |
8cb997 |
# -*- coding: utf-8 -*-
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Authors:
|
|
Packit |
8cb997 |
# Thomas Woerner <twoerner@redhat.com>
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# Based on ipa-client-install code
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# Copyright (C) 2017 Red Hat
|
|
Packit |
8cb997 |
# see file 'COPYING' for use and warranty information
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# This program is free software; you can redistribute it and/or modify
|
|
Packit |
8cb997 |
# it under the terms of the GNU General Public License as published by
|
|
Packit |
8cb997 |
# the Free Software Foundation, either version 3 of the License, or
|
|
Packit |
8cb997 |
# (at your option) any later version.
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# This program is distributed in the hope that it will be useful,
|
|
Packit |
8cb997 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
8cb997 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit |
8cb997 |
# GNU General Public License for more details.
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# You should have received a copy of the GNU General Public License
|
|
Packit |
8cb997 |
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ANSIBLE_METADATA = {
|
|
Packit |
8cb997 |
'metadata_version': '1.0',
|
|
Packit |
8cb997 |
'supported_by': 'community',
|
|
Packit |
8cb997 |
'status': ['preview'],
|
|
Packit |
8cb997 |
}
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
DOCUMENTATION = '''
|
|
Packit |
8cb997 |
---
|
|
Packit |
8cb997 |
module: ipaserver_test
|
|
Packit |
8cb997 |
short description: IPA server test
|
|
Packit |
8cb997 |
description: IPA server test
|
|
Packit |
8cb997 |
options:
|
|
Packit |
8cb997 |
force:
|
|
Packit |
8cb997 |
description: Installer force parameter
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
master_password:
|
|
Packit |
8cb997 |
description: kerberos master password (normally autogenerated)
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pki_config_override:
|
|
Packit |
8cb997 |
description: Path to ini file with config overrides
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
idstart:
|
|
Packit |
8cb997 |
description: The starting value for the IDs range (default random)
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
idmax:
|
|
Packit |
8cb997 |
description: The max value for the IDs range (default: idstart+199999)
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_pkinit:
|
|
Packit |
8cb997 |
description: Disable pkinit setup steps
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_config_file:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
The path to LDIF file that will be used to modify configuration of
|
|
Packit |
8cb997 |
dse.ldif during installation of the directory server instance
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ntp_servers:
|
|
Packit |
8cb997 |
description: ntp servers to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ntp_pool:
|
|
Packit |
8cb997 |
description: ntp server pool to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
external_ca:
|
|
Packit |
8cb997 |
description: External ca setting
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
external_ca_type:
|
|
Packit |
8cb997 |
description: Type of the external CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
external_ca_profile:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Specify the certificate profile/template to use at the external CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
external_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the IPA CA certificate and the external CA certificate
|
|
Packit |
8cb997 |
chain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
subject_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
The certificate subject base (default O=<realm-name>).
|
|
Packit |
8cb997 |
RDNs are in LDAP order (most specific RDN first).
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ca_subject:
|
|
Packit |
8cb997 |
description: The installer ca_subject setting
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
zonemgr:
|
|
Packit |
8cb997 |
description: DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
author:
|
|
Packit |
8cb997 |
- Thomas Woerner
|
|
Packit |
8cb997 |
'''
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
EXAMPLES = '''
|
|
Packit |
8cb997 |
'''
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
RETURN = '''
|
|
Packit |
8cb997 |
'''
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
import os
|
|
Packit |
8cb997 |
import sys
|
|
Packit |
8cb997 |
import six
|
|
Packit |
8cb997 |
import inspect
|
|
Packit |
8cb997 |
import random
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
from ansible.module_utils.basic import AnsibleModule
|
|
Packit |
8cb997 |
from ansible.module_utils.ansible_ipa_server import (
|
|
Packit |
8cb997 |
AnsibleModuleLog, options, adtrust_imported, kra_imported, PKIIniLoader,
|
|
Packit |
8cb997 |
MIN_DOMAIN_LEVEL, MAX_DOMAIN_LEVEL, check_zone_overlap,
|
|
Packit |
8cb997 |
redirect_stdout, validate_dm_password, validate_admin_password,
|
|
Packit |
8cb997 |
NUM_VERSION, is_ipa_configured, sysrestore, paths, bindinstance,
|
|
Packit |
8cb997 |
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
|
|
Packit |
8cb997 |
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
|
|
Packit |
8cb997 |
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if six.PY3:
|
|
Packit |
8cb997 |
unicode = str
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
def main():
|
|
Packit |
8cb997 |
ansible_module = AnsibleModule(
|
|
Packit |
8cb997 |
argument_spec=dict(
|
|
Packit |
8cb997 |
# basic
|
|
Packit |
8cb997 |
force=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
dm_password=dict(required=True, no_log=True),
|
|
Packit |
8cb997 |
password=dict(required=True, no_log=True),
|
|
Packit |
8cb997 |
master_password=dict(required=False, no_log=True),
|
|
Packit |
8cb997 |
domain=dict(required=False),
|
|
Packit |
8cb997 |
realm=dict(required=False),
|
|
Packit |
8cb997 |
hostname=dict(required=False),
|
|
Packit |
8cb997 |
ca_cert_files=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
no_host_dns=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
pki_config_override=dict(required=False),
|
|
Packit |
8cb997 |
# server
|
|
Packit |
8cb997 |
setup_adtrust=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
setup_kra=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
setup_dns=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
idstart=dict(required=False, type='int'),
|
|
Packit |
8cb997 |
idmax=dict(required=False, type='int'),
|
|
Packit |
8cb997 |
# no_hbac_allow
|
|
Packit |
8cb997 |
no_pkinit=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
# no_ui_redirect
|
|
Packit |
8cb997 |
dirsrv_config_file=dict(required=False),
|
|
Packit |
8cb997 |
# ssl certificate
|
|
Packit |
8cb997 |
dirsrv_cert_files=dict(required=False, type='list', default=None),
|
|
Packit |
8cb997 |
http_cert_files=dict(required=False, type='list', defaullt=None),
|
|
Packit |
8cb997 |
pkinit_cert_files=dict(required=False, type='list', default=None),
|
|
Packit |
8cb997 |
dirsrv_pin=dict(required=False),
|
|
Packit |
8cb997 |
http_pin=dict(required=False),
|
|
Packit |
8cb997 |
pkinit_pin=dict(required=False),
|
|
Packit |
8cb997 |
dirsrv_cert_name=dict(required=False),
|
|
Packit |
8cb997 |
http_cert_name=dict(required=False),
|
|
Packit |
8cb997 |
pkinit_cert_name=dict(required=False),
|
|
Packit |
8cb997 |
# client
|
|
Packit |
8cb997 |
# mkhomedir
|
|
Packit |
8cb997 |
ntp_servers=dict(required=False, type='list', default=None),
|
|
Packit |
8cb997 |
ntp_pool=dict(required=False, default=None),
|
|
Packit |
8cb997 |
no_ntp=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
# ssh_trust_dns
|
|
Packit |
8cb997 |
# no_ssh
|
|
Packit |
8cb997 |
# no_sshd
|
|
Packit |
8cb997 |
# no_dns_sshfp
|
|
Packit |
8cb997 |
# certificate system
|
|
Packit |
8cb997 |
external_ca=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
external_ca_type=dict(required=False),
|
|
Packit |
8cb997 |
external_ca_profile=dict(required=False),
|
|
Packit |
8cb997 |
external_cert_files=dict(required=False, type='list',
|
|
Packit |
8cb997 |
default=None),
|
|
Packit |
8cb997 |
subject_base=dict(required=False),
|
|
Packit |
8cb997 |
ca_subject=dict(required=False),
|
|
Packit |
8cb997 |
# ca_signing_algorithm
|
|
Packit |
8cb997 |
# dns
|
|
Packit |
8cb997 |
allow_zone_overlap=dict(required=False, type='bool',
|
|
Packit |
8cb997 |
default=False),
|
|
Packit |
8cb997 |
reverse_zones=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
no_reverse=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
auto_reverse=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
zonemgr=dict(required=False),
|
|
Packit |
8cb997 |
forwarders=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
no_forwarders=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
auto_forwarders=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
forward_policy=dict(default=None, choices=['first', 'only']),
|
|
Packit |
8cb997 |
no_dnssec_validation=dict(required=False, type='bool',
|
|
Packit |
8cb997 |
default=False),
|
|
Packit |
8cb997 |
# ad trust
|
|
Packit |
8cb997 |
enable_compat=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
netbios_name=dict(required=False),
|
|
Packit |
8cb997 |
rid_base=dict(required=False, type='int', default=1000),
|
|
Packit |
8cb997 |
secondary_rid_base=dict(required=False, type='int',
|
|
Packit |
8cb997 |
default=100000000),
|
|
Packit |
8cb997 |
# additional
|
|
Packit |
8cb997 |
),
|
|
Packit |
8cb997 |
supports_check_mode=True,
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_module._ansible_debug = True
|
|
Packit |
8cb997 |
ansible_log = AnsibleModuleLog(ansible_module)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# set values ############################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# basic
|
|
Packit |
8cb997 |
options.force = ansible_module.params.get('force')
|
|
Packit |
8cb997 |
options.dm_password = ansible_module.params.get('dm_password')
|
|
Packit |
8cb997 |
options.admin_password = ansible_module.params.get('password')
|
|
Packit |
8cb997 |
options.master_password = ansible_module.params.get('master_password')
|
|
Packit |
8cb997 |
options.domain_name = ansible_module.params.get('domain')
|
|
Packit |
8cb997 |
options.realm_name = ansible_module.params.get('realm')
|
|
Packit |
8cb997 |
options.host_name = ansible_module.params.get('hostname')
|
|
Packit |
8cb997 |
options.ca_cert_files = ansible_module.params.get('ca_cert_files')
|
|
Packit |
8cb997 |
options.no_host_dns = ansible_module.params.get('no_host_dns')
|
|
Packit |
8cb997 |
options.pki_config_override = ansible_module.params.get(
|
|
Packit |
8cb997 |
'pki_config_override')
|
|
Packit |
8cb997 |
# server
|
|
Packit |
8cb997 |
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
|
|
Packit |
8cb997 |
options.setup_dns = ansible_module.params.get('setup_dns')
|
|
Packit |
8cb997 |
options.setup_kra = ansible_module.params.get('setup_kra')
|
|
Packit |
8cb997 |
options.idstart = ansible_module.params.get('idstart')
|
|
Packit |
8cb997 |
options.idmax = ansible_module.params.get('idmax')
|
|
Packit |
8cb997 |
# no_hbac_allow
|
|
Packit |
8cb997 |
options.no_pkinit = ansible_module.params.get('no_pkinit')
|
|
Packit |
8cb997 |
# no_ui_redirect
|
|
Packit |
8cb997 |
options.dirsrv_config_file = ansible_module.params.get(
|
|
Packit |
8cb997 |
'dirsrv_config_file')
|
|
Packit |
8cb997 |
# ssl certificate
|
|
Packit |
8cb997 |
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
|
|
Packit |
8cb997 |
options.http_cert_files = ansible_module.params.get('http_cert_files')
|
|
Packit |
8cb997 |
options.pkinit_cert_files = ansible_module.params.get('pkinit_cert_files')
|
|
Packit |
8cb997 |
options.dirsrv_pin = ansible_module.params.get('dirsrv_pin')
|
|
Packit |
8cb997 |
options.http_pin = ansible_module.params.get('http_pin')
|
|
Packit |
8cb997 |
options.pkinit_pin = ansible_module.params.get('pkinit_pin')
|
|
Packit |
8cb997 |
options.dirsrv_cert_name = ansible_module.params.get('dirsrv_cert_name')
|
|
Packit |
8cb997 |
options.http_cert_name = ansible_module.params.get('http_cert_name')
|
|
Packit |
8cb997 |
options.pkinit_cert_name = ansible_module.params.get('pkinit_cert_name')
|
|
Packit |
8cb997 |
# client
|
|
Packit |
8cb997 |
# mkhomedir
|
|
Packit |
8cb997 |
options.ntp_servers = ansible_module.params.get('ntp_servers')
|
|
Packit |
8cb997 |
options.ntp_pool = ansible_module.params.get('ntp_pool')
|
|
Packit |
8cb997 |
options.no_ntp = ansible_module.params.get('no_ntp')
|
|
Packit |
8cb997 |
# ssh_trust_dns
|
|
Packit |
8cb997 |
# no_ssh
|
|
Packit |
8cb997 |
# no_sshd
|
|
Packit |
8cb997 |
# no_dns_sshfp
|
|
Packit |
8cb997 |
# certificate system
|
|
Packit |
8cb997 |
options.external_ca = ansible_module.params.get('external_ca')
|
|
Packit |
8cb997 |
options.external_ca_type = ansible_module.params.get('external_ca_type')
|
|
Packit |
8cb997 |
options.external_ca_profile = ansible_module.params.get(
|
|
Packit |
8cb997 |
'external_ca_profile')
|
|
Packit |
8cb997 |
options.external_cert_files = ansible_module.params.get(
|
|
Packit |
8cb997 |
'external_cert_files')
|
|
Packit |
8cb997 |
options.subject_base = ansible_module.params.get('subject_base')
|
|
Packit |
8cb997 |
options.ca_subject = ansible_module.params.get('ca_subject')
|
|
Packit |
8cb997 |
# ca_signing_algorithm
|
|
Packit |
8cb997 |
# dns
|
|
Packit |
8cb997 |
options.allow_zone_overlap = ansible_module.params.get(
|
|
Packit |
8cb997 |
'allow_zone_overlap')
|
|
Packit |
8cb997 |
options.reverse_zones = ansible_module.params.get('reverse_zones')
|
|
Packit |
8cb997 |
options.no_reverse = ansible_module.params.get('no_reverse')
|
|
Packit |
8cb997 |
options.auto_reverse = ansible_module.params.get('auto_reverse')
|
|
Packit |
8cb997 |
options.zonemgr = ansible_module.params.get('zonemgr')
|
|
Packit |
8cb997 |
options.forwarders = ansible_module.params.get('forwarders')
|
|
Packit |
8cb997 |
options.no_forwarders = ansible_module.params.get('no_forwarders')
|
|
Packit |
8cb997 |
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
|
|
Packit |
8cb997 |
options.forward_policy = ansible_module.params.get('forward_policy')
|
|
Packit |
8cb997 |
options.no_dnssec_validation = ansible_module.params.get(
|
|
Packit |
8cb997 |
'no_dnssec_validation')
|
|
Packit |
8cb997 |
# ad trust
|
|
Packit |
8cb997 |
options.enable_compat = ansible_module.params.get('enable_compat')
|
|
Packit |
8cb997 |
options.netbios_name = ansible_module.params.get('netbios_name')
|
|
Packit |
8cb997 |
options.rid_base = ansible_module.params.get('rid_base')
|
|
Packit |
8cb997 |
options.secondary_rid_base = ansible_module.params.get(
|
|
Packit |
8cb997 |
'secondary_rid_base')
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# additional
|
|
Packit |
8cb997 |
options.kasp_db_file = None
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# version specific ######################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.setup_adtrust and not adtrust_imported:
|
|
Packit |
8cb997 |
# if "adtrust" not in options._allow_missing:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg="adtrust can not be imported")
|
|
Packit |
8cb997 |
# else:
|
|
Packit |
8cb997 |
# options.setup_adtrust = False
|
|
Packit |
8cb997 |
# ansible_module.warn(msg="adtrust is not supported, disabling")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.setup_kra and not kra_imported:
|
|
Packit |
8cb997 |
# if "kra" not in options._allow_missing:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg="kra can not be imported")
|
|
Packit |
8cb997 |
# else:
|
|
Packit |
8cb997 |
# options.setup_kra = False
|
|
Packit |
8cb997 |
# ansible_module.warn(msg="kra is not supported, disabling")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.pki_config_override is not None:
|
|
Packit |
8cb997 |
if PKIIniLoader is None:
|
|
Packit |
8cb997 |
ansible_module.warn("The use of pki_config_override is not "
|
|
Packit |
8cb997 |
"supported for this IPA version")
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
# From DogtagInstallInterface @pki_config_override.validator
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
PKIIniLoader.verify_pki_config_override(
|
|
Packit |
8cb997 |
options.pki_config_override)
|
|
Packit |
8cb997 |
except ValueError as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="pki_config_override: %s" % str(e))
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# default values ########################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# idstart and idmax
|
|
Packit |
8cb997 |
if options.idstart is None:
|
|
Packit |
8cb997 |
options.idstart = random.randint(1, 10000) * 200000
|
|
Packit |
8cb997 |
if options.idmax is None or options.idmax == 0:
|
|
Packit |
8cb997 |
options.idmax = options.idstart + 199999
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# ServerInstallInterface.__init__ #######################################
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
self = options
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# If any of the key file options are selected, all are required.
|
|
Packit |
8cb997 |
cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
|
|
Packit |
8cb997 |
cert_file_opt = (self.pkinit_cert_files,)
|
|
Packit |
8cb997 |
if not self.no_pkinit:
|
|
Packit |
8cb997 |
cert_file_req += cert_file_opt
|
|
Packit |
8cb997 |
if self.no_pkinit and self.pkinit_cert_files:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"--no-pkinit and --pkinit-cert-file cannot be specified "
|
|
Packit |
8cb997 |
"together"
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
|
|
Packit |
8cb997 |
"or --no-pkinit are required if any key file options are used."
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not self.interactive:
|
|
Packit |
8cb997 |
if self.dirsrv_cert_files and self.dirsrv_pin is None:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You must specify --dirsrv-pin with --dirsrv-cert-file")
|
|
Packit |
8cb997 |
if self.http_cert_files and self.http_pin is None:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You must specify --http-pin with --http-cert-file")
|
|
Packit |
8cb997 |
if self.pkinit_cert_files and self.pkinit_pin is None:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You must specify --pkinit-pin with --pkinit-cert-file")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not self.setup_dns:
|
|
Packit |
8cb997 |
if self.forwarders:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --forwarder option without the "
|
|
Packit |
8cb997 |
"--setup-dns option")
|
|
Packit |
8cb997 |
if self.auto_forwarders:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --auto-forwarders option without "
|
|
Packit |
8cb997 |
"the --setup-dns option")
|
|
Packit |
8cb997 |
if self.no_forwarders:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --no-forwarders option without the "
|
|
Packit |
8cb997 |
"--setup-dns option")
|
|
Packit |
8cb997 |
if self.forward_policy:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --forward-policy option without the "
|
|
Packit |
8cb997 |
"--setup-dns option")
|
|
Packit |
8cb997 |
if self.reverse_zones:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --reverse-zone option without the "
|
|
Packit |
8cb997 |
"--setup-dns option")
|
|
Packit |
8cb997 |
if self.auto_reverse:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --auto-reverse option without the "
|
|
Packit |
8cb997 |
"--setup-dns option")
|
|
Packit |
8cb997 |
if self.no_reverse:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --no-reverse option without the "
|
|
Packit |
8cb997 |
"--setup-dns option")
|
|
Packit |
8cb997 |
if self.no_dnssec_validation:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --no-dnssec-validation option "
|
|
Packit |
8cb997 |
"without the --setup-dns option")
|
|
Packit |
8cb997 |
elif self.forwarders and self.no_forwarders:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --forwarder option together with "
|
|
Packit |
8cb997 |
"--no-forwarders")
|
|
Packit |
8cb997 |
elif self.auto_forwarders and self.no_forwarders:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --auto-forwarders option together with "
|
|
Packit |
8cb997 |
"--no-forwarders")
|
|
Packit |
8cb997 |
elif self.reverse_zones and self.no_reverse:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --reverse-zone option together with "
|
|
Packit |
8cb997 |
"--no-reverse")
|
|
Packit |
8cb997 |
elif self.auto_reverse and self.no_reverse:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --auto-reverse option together with "
|
|
Packit |
8cb997 |
"--no-reverse")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not self.setup_adtrust:
|
|
Packit |
8cb997 |
if self.add_agents:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify an --add-agents option without the "
|
|
Packit |
8cb997 |
"--setup-adtrust option")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.enable_compat:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify an --enable-compat option without the "
|
|
Packit |
8cb997 |
"--setup-adtrust option")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.netbios_name:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --netbios-name option without the "
|
|
Packit |
8cb997 |
"--setup-adtrust option")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.no_msdcs:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify a --no-msdcs option without the "
|
|
Packit |
8cb997 |
"--setup-adtrust option")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not hasattr(self, 'replica_install'):
|
|
Packit |
8cb997 |
if self.external_cert_files and self.dirsrv_cert_files:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"Service certificate file options cannot be used with the "
|
|
Packit |
8cb997 |
"external CA options.")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.external_ca_type and not self.external_ca:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify --external-ca-type without "
|
|
Packit |
8cb997 |
"--external-ca")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.external_ca_profile and not self.external_ca:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You cannot specify --external-ca-profile without "
|
|
Packit |
8cb997 |
"--external-ca")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.uninstalling:
|
|
Packit |
8cb997 |
if (self.realm_name or self.admin_password or
|
|
Packit |
8cb997 |
self.master_password):
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"In uninstall mode, -a, -r and -P options are not "
|
|
Packit |
8cb997 |
"allowed")
|
|
Packit |
8cb997 |
elif not self.interactive:
|
|
Packit |
8cb997 |
if (not self.realm_name or not self.dm_password or
|
|
Packit |
8cb997 |
not self.admin_password):
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"In unattended mode you need to provide at least -r, "
|
|
Packit |
8cb997 |
"-p and -a options")
|
|
Packit |
8cb997 |
if self.setup_dns:
|
|
Packit |
8cb997 |
if (not self.forwarders and
|
|
Packit |
8cb997 |
not self.no_forwarders and
|
|
Packit |
8cb997 |
not self.auto_forwarders):
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You must specify at least one of --forwarder, "
|
|
Packit |
8cb997 |
"--auto-forwarders, or --no-forwarders options")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
any_ignore_option_true = any(
|
|
Packit |
8cb997 |
[self.ignore_topology_disconnect, self.ignore_last_of_role])
|
|
Packit |
8cb997 |
if any_ignore_option_true and not self.uninstalling:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"'--ignore-topology-disconnect/--ignore-last-of-role' "
|
|
Packit |
8cb997 |
"options can be used only during uninstallation")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.idmax < self.idstart:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"idmax (%s) cannot be smaller than idstart (%s)" %
|
|
Packit |
8cb997 |
(self.idmax, self.idstart))
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
# replica installers
|
|
Packit |
8cb997 |
if self.servers and not self.domain_name:
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"The --server option cannot be used without providing "
|
|
Packit |
8cb997 |
"domain via the --domain option")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if self.setup_dns:
|
|
Packit |
8cb997 |
if (not self.forwarders and
|
|
Packit |
8cb997 |
not self.no_forwarders and
|
|
Packit |
8cb997 |
not self.auto_forwarders):
|
|
Packit |
8cb997 |
raise RuntimeError(
|
|
Packit |
8cb997 |
"You must specify at least one of --forwarder, "
|
|
Packit |
8cb997 |
"--auto-forwarders, or --no-forwarders options")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
except RuntimeError as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg=e)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# #######################################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# If any of the key file options are selected, all are required.
|
|
Packit |
8cb997 |
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
|
|
Packit |
8cb997 |
cert_file_opt = (options.pkinit_cert_files,)
|
|
Packit |
8cb997 |
if not options.no_pkinit:
|
|
Packit |
8cb997 |
cert_file_req += cert_file_opt
|
|
Packit |
8cb997 |
if options.no_pkinit and options.pkinit_cert_files:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="no-pkinit and pkinit-cert-file cannot be specified together"
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="dirsrv-cert-file, http-cert-file, and pkinit-cert-file "
|
|
Packit |
8cb997 |
"or no-pkinit are required if any key file options are used."
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.interactive:
|
|
Packit |
8cb997 |
if options.dirsrv_cert_files and options.dirsrv_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You must specify dirsrv-pin with dirsrv-cert-file")
|
|
Packit |
8cb997 |
if options.http_cert_files and options.http_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You must specify http-pin with http-cert-file")
|
|
Packit |
8cb997 |
if options.pkinit_cert_files and options.pkinit_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You must specify pkinit-pin with pkinit-cert-file")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.setup_dns:
|
|
Packit |
8cb997 |
# lists
|
|
Packit |
8cb997 |
for x in ["forwarders", "reverse_zones"]:
|
|
Packit |
8cb997 |
if len(getattr(options, x)) > 1:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You cannot specify %s without setting setup-dns" % x)
|
|
Packit |
8cb997 |
# bool and str values
|
|
Packit |
8cb997 |
for x in ["auto_forwarders", "no_forwarders",
|
|
Packit |
8cb997 |
"auto_reverse", "no_reverse", "no_dnssec_validation",
|
|
Packit |
8cb997 |
"forward_policy"]:
|
|
Packit |
8cb997 |
if getattr(options, x):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You cannot specify %s without setting setup-dns" % x)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
elif len(options.forwarders) > 0 and options.no_forwarders:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You cannot specify forwarders together with no-forwarders")
|
|
Packit |
8cb997 |
elif options.auto_forwarders and options.no_forwarders:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You cannot specify auto-forwarders together with "
|
|
Packit |
8cb997 |
"no-forwarders")
|
|
Packit |
8cb997 |
elif len(options.reverse_zones) > 0 and options.no_reverse:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You cannot specify reverse-zones together with no-reverse")
|
|
Packit |
8cb997 |
elif options.auto_reverse and options.no_reverse:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You cannot specify auto-reverse together with no-reverse")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not hasattr(self, 'replica_install'):
|
|
Packit |
8cb997 |
if options.external_cert_files and options.dirsrv_cert_files:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Service certificate file options cannot be used with the "
|
|
Packit |
8cb997 |
"external CA options.")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.external_ca_type and not options.external_ca:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You cannot specify external-ca-type without external-ca")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# if options.uninstalling:
|
|
Packit |
8cb997 |
# if (options.realm_name or options.admin_password or
|
|
Packit |
8cb997 |
# options.master_password):
|
|
Packit |
8cb997 |
# ansible_module.fail_json(
|
|
Packit |
8cb997 |
# msg="In uninstall mode, -a, -r and -P options are not "
|
|
Packit |
8cb997 |
# "allowed")
|
|
Packit |
8cb997 |
# elif not options.interactive:
|
|
Packit |
8cb997 |
# if (not options.realm_name or not options.dm_password or
|
|
Packit |
8cb997 |
# not options.admin_password):
|
|
Packit |
8cb997 |
# ansible_module.fail_json(msg=
|
|
Packit |
8cb997 |
# "In unattended mode you need to provide at least -r, "
|
|
Packit |
8cb997 |
# "-p and -a options")
|
|
Packit |
8cb997 |
# if options.setup_dns:
|
|
Packit |
8cb997 |
# if (not options.forwarders and
|
|
Packit |
8cb997 |
# not options.no_forwarders and
|
|
Packit |
8cb997 |
# not options.auto_forwarders):
|
|
Packit |
8cb997 |
# ansible_module.fail_json(msg=
|
|
Packit |
8cb997 |
# "You must specify at least one of --forwarder, "
|
|
Packit |
8cb997 |
# "--auto-forwarders, or --no-forwarders options")
|
|
Packit |
8cb997 |
if (not options.realm_name or not options.dm_password or
|
|
Packit |
8cb997 |
not options.admin_password):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You need to provide at least realm_name, dm_password "
|
|
Packit |
8cb997 |
"and admin_password")
|
|
Packit |
8cb997 |
if options.setup_dns:
|
|
Packit |
8cb997 |
if len(options.forwarders) < 1 and not options.no_forwarders and \
|
|
Packit |
8cb997 |
not options.auto_forwarders:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You must specify at least one of forwarders, "
|
|
Packit |
8cb997 |
"auto-forwarders or no-forwarders")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# any_ignore_option_true = any(
|
|
Packit |
8cb997 |
# [options.ignore_topology_disconnect, options.ignore_last_of_role])
|
|
Packit |
8cb997 |
# if any_ignore_option_true and not options.uninstalling:
|
|
Packit |
8cb997 |
# ansible_module.fail_json(
|
|
Packit |
8cb997 |
# msg="ignore-topology-disconnect and ignore-last-of-role "
|
|
Packit |
8cb997 |
# "can be used only during uninstallation")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.idmax < options.idstart:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="idmax (%s) cannot be smaller than idstart (%s)" %
|
|
Packit |
8cb997 |
(options.idmax, options.idstart))
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# validation #############################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.dm_password is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg="Directory Manager password required")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.admin_password is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg="IPA admin password required")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# validation ############################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# domain_level
|
|
Packit |
8cb997 |
if options.domain_level < MIN_DOMAIN_LEVEL:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Domain Level cannot be lower than %d" % MIN_DOMAIN_LEVEL)
|
|
Packit |
8cb997 |
elif options.domain_level > MAX_DOMAIN_LEVEL:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Domain Level cannot be higher than %d" % MAX_DOMAIN_LEVEL)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# dirsrv_config_file
|
|
Packit |
8cb997 |
if options.dirsrv_config_file is not None:
|
|
Packit |
8cb997 |
if not os.path.exists(options.dirsrv_config_file):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="File %s does not exist." % options.dirsrv_config_file)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# domain_name
|
|
Packit |
8cb997 |
# Validation is done later on in ipaserver_prepare dns.install_check
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# dm_password
|
|
Packit |
8cb997 |
with redirect_stdout(ansible_log):
|
|
Packit |
8cb997 |
validate_dm_password(options.dm_password)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# admin_password
|
|
Packit |
8cb997 |
with redirect_stdout(ansible_log):
|
|
Packit |
8cb997 |
validate_admin_password(options.admin_password)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# pkinit is not supported on DL0, don't allow related options
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
"""
|
|
Packit |
8cb997 |
# replica install: if not options.replica_file is None:
|
|
Packit |
8cb997 |
if (not options._replica_install and \
|
|
Packit |
8cb997 |
not options.domain_level > DOMAIN_LEVEL_0) or \
|
|
Packit |
8cb997 |
(options._replica_install and options.replica_file is not None):
|
|
Packit |
8cb997 |
if (options.no_pkinit or options.pkinit_cert_files is not None or
|
|
Packit |
8cb997 |
options.pkinit_pin is not None):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="pkinit on domain level 0 is not supported. Please "
|
|
Packit |
8cb997 |
"don't use any pkinit-related options.")
|
|
Packit |
8cb997 |
options.no_pkinit = True
|
|
Packit |
8cb997 |
"""
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.setup_dns:
|
|
Packit |
8cb997 |
if len(options.forwarders) < 1 and not options.no_forwarders and \
|
|
Packit |
8cb997 |
not options.auto_forwarders:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="You must specify at least one of forwarders, "
|
|
Packit |
8cb997 |
"auto-forwarders or no-forwarders")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if NUM_VERSION >= 40200 and options.master_password and \
|
|
Packit |
8cb997 |
not options.external_cert_files:
|
|
Packit |
8cb997 |
ansible_module.warn(
|
|
Packit |
8cb997 |
"Specifying kerberos master-password is deprecated")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
options._installation_cleanup = True
|
|
Packit |
8cb997 |
if not options.external_ca and not options.external_cert_files and \
|
|
Packit |
8cb997 |
is_ipa_configured():
|
|
Packit |
8cb997 |
options._installation_cleanup = False
|
|
Packit |
8cb997 |
ansible_module.log(
|
|
Packit |
8cb997 |
"IPA server is already configured on this system. If you want "
|
|
Packit |
8cb997 |
"to reinstall the IPA server, please uninstall it first.")
|
|
Packit |
8cb997 |
ansible_module.exit_json(changed=False,
|
|
Packit |
8cb997 |
server_already_configured=True)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
|
Packit |
8cb997 |
if client_fstore.has_files():
|
|
Packit |
8cb997 |
options._installation_cleanup = False
|
|
Packit |
8cb997 |
ansible_module.log(
|
|
Packit |
8cb997 |
"IPA client is already configured on this system. "
|
|
Packit |
8cb997 |
"Please uninstall it before configuring the IPA server.")
|
|
Packit |
8cb997 |
ansible_module.exit_json(changed=False,
|
|
Packit |
8cb997 |
client_already_configured=True)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# validate reverse_zones
|
|
Packit |
8cb997 |
if not options.allow_zone_overlap:
|
|
Packit |
8cb997 |
for zone in options.reverse_zones:
|
|
Packit |
8cb997 |
with redirect_stdout(ansible_log):
|
|
Packit |
8cb997 |
check_zone_overlap(zone)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# validate zonemgr
|
|
Packit |
8cb997 |
if options.zonemgr:
|
|
Packit |
8cb997 |
if six.PY3:
|
|
Packit |
8cb997 |
with redirect_stdout(ansible_log):
|
|
Packit |
8cb997 |
bindinstance.validate_zonemgr_str(options.zonemgr)
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
# IDNA support requires unicode
|
|
Packit |
8cb997 |
encoding = getattr(sys.stdin, 'encoding', None)
|
|
Packit |
8cb997 |
if encoding is None:
|
|
Packit |
8cb997 |
encoding = 'utf-8'
|
|
Packit |
8cb997 |
value = options.zonemgr
|
|
Packit |
8cb997 |
if not isinstance(value, unicode):
|
|
Packit |
8cb997 |
value = options.zonemgr.decode(encoding)
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
value = options.zonemgr
|
|
Packit |
8cb997 |
with redirect_stdout(ansible_log):
|
|
Packit |
8cb997 |
bindinstance.validate_zonemgr_str(value)
|
|
Packit |
8cb997 |
except ValueError as e:
|
|
Packit |
8cb997 |
# FIXME we can do this in better way
|
|
Packit |
8cb997 |
# https://fedorahosted.org/freeipa/ticket/4804
|
|
Packit |
8cb997 |
# decode to proper stderr encoding
|
|
Packit |
8cb997 |
stderr_encoding = getattr(sys.stderr, 'encoding', None)
|
|
Packit |
8cb997 |
if stderr_encoding is None:
|
|
Packit |
8cb997 |
stderr_encoding = 'utf-8'
|
|
Packit |
8cb997 |
error = unicode(e).encode(stderr_encoding)
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg=error)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# external cert file paths are absolute
|
|
Packit |
8cb997 |
if options.external_cert_files:
|
|
Packit |
8cb997 |
for path in options.external_cert_files:
|
|
Packit |
8cb997 |
if not os.path.isabs(path):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="External cert file '%s' must use an absolute "
|
|
Packit |
8cb997 |
"path" % path)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
options.setup_ca = True
|
|
Packit |
8cb997 |
# We only set up the CA if the PKCS#12 options are not given.
|
|
Packit |
8cb997 |
if options.dirsrv_cert_files and len(options.dirsrv_cert_files) > 0:
|
|
Packit |
8cb997 |
options.setup_ca = False
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
options.setup_ca = True
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.setup_ca and options.ca_subject:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="--ca-subject cannot be used with CA-less installation")
|
|
Packit |
8cb997 |
if not options.setup_ca and options.subject_base:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="--subject-base cannot be used with CA-less installation")
|
|
Packit |
8cb997 |
if not options.setup_ca and options.setup_kra:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="--setup-kra cannot be used with CA-less installation")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# This will override any settings passed in on the cmdline
|
|
Packit |
8cb997 |
if os.path.isfile(paths.ROOT_IPA_CACHE):
|
|
Packit |
8cb997 |
# dm_password check removed, checked already
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
cache_vars = read_cache(options.dm_password)
|
|
Packit |
8cb997 |
options.__dict__.update(cache_vars)
|
|
Packit |
8cb997 |
if cache_vars.get('external_ca', False):
|
|
Packit |
8cb997 |
options.external_ca = False
|
|
Packit |
8cb997 |
options.interactive = False
|
|
Packit |
8cb997 |
except Exception as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Cannot process the cache file: %s" % str(e))
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# ca_subject
|
|
Packit |
8cb997 |
if options.ca_subject:
|
|
Packit |
8cb997 |
ca.subject_validator(ca.VALID_SUBJECT_ATTRS, options.ca_subject)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# IPv6 and SELinux check
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
tasks.check_ipv6_stack_enabled()
|
|
Packit |
8cb997 |
tasks.check_selinux_status()
|
|
Packit |
8cb997 |
if check_ldap_conf is not None:
|
|
Packit |
8cb997 |
check_ldap_conf()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
_installation_cleanup = True
|
|
Packit |
8cb997 |
if not options.external_ca and not options.external_cert_files and \
|
|
Packit |
8cb997 |
is_ipa_configured():
|
|
Packit |
8cb997 |
_installation_cleanup = False
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="IPA server is already configured on this system.")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.no_ntp:
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
timeconf.check_timedate_services()
|
|
Packit |
8cb997 |
except timeconf.NTPConflictingService as e:
|
|
Packit |
8cb997 |
ansible_module.log(
|
|
Packit |
8cb997 |
"WARNING: conflicting time&date synchronization service "
|
|
Packit |
8cb997 |
"'%s' will be disabled in favor of chronyd" %
|
|
Packit |
8cb997 |
e.conflicting_service)
|
|
Packit |
8cb997 |
except timeconf.NTPConfigurationError:
|
|
Packit |
8cb997 |
pass
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if hasattr(httpinstance, "httpd_443_configured"):
|
|
Packit |
8cb997 |
# Check to see if httpd is already configured to listen on 443
|
|
Packit |
8cb997 |
if httpinstance.httpd_443_configured():
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="httpd is already configured to listen on 443.")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.external_cert_files:
|
|
Packit |
8cb997 |
# Make sure the 389-ds ports are available
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
check_dirsrv(True)
|
|
Packit |
8cb997 |
except ScriptError as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg=e)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# check bind packages are installed
|
|
Packit |
8cb997 |
if options.setup_dns:
|
|
Packit |
8cb997 |
# Don't require an external DNS to say who we are if we are
|
|
Packit |
8cb997 |
# setting up a local DNS server.
|
|
Packit |
8cb997 |
options.no_host_dns = True
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# host name
|
|
Packit |
8cb997 |
if options.host_name:
|
|
Packit |
8cb997 |
host_default = options.host_name
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
host_default = get_fqdn()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
verify_fqdn(host_default, options.no_host_dns)
|
|
Packit |
8cb997 |
host_name = host_default
|
|
Packit |
8cb997 |
except BadHostError as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg=e)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
host_name = host_name.lower()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.domain_name:
|
|
Packit |
8cb997 |
domain_name = host_name[host_name.find(".")+1:]
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
validate_domain_name(domain_name)
|
|
Packit |
8cb997 |
except ValueError as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Invalid domain name: %s" % unicode(e))
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
domain_name = options.domain_name
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
domain_name = domain_name.lower()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.realm_name:
|
|
Packit |
8cb997 |
realm_name = domain_name.upper()
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
realm_name = options.realm_name.upper()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
argspec = inspect.getargspec(validate_domain_name)
|
|
Packit |
8cb997 |
if "entity" in argspec.args:
|
|
Packit |
8cb997 |
# NUM_VERSION >= 40690:
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
validate_domain_name(realm_name, entity="realm")
|
|
Packit |
8cb997 |
except ValueError as e:
|
|
Packit |
8cb997 |
raise ScriptError("Invalid realm name: {}".format(unicode(e)))
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not options.setup_adtrust:
|
|
Packit |
8cb997 |
# If domain name and realm does not match, IPA server will not be able
|
|
Packit |
8cb997 |
# to establish trust with Active Directory. Fail.
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if domain_name.upper() != realm_name:
|
|
Packit |
8cb997 |
ansible_module.warn(
|
|
Packit |
8cb997 |
"Realm name does not match the domain name: "
|
|
Packit |
8cb997 |
"You will not be able to establish trusts with Active "
|
|
Packit |
8cb997 |
"Directory.")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Do not ask for time source
|
|
Packit |
8cb997 |
# if not options.no_ntp and not options.unattended and not (
|
|
Packit |
8cb997 |
# options.ntp_servers or options.ntp_pool):
|
|
Packit |
8cb997 |
# options.ntp_servers, options.ntp_pool = timeconf.get_time_source()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
#########################################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
http_pkcs12_file = None
|
|
Packit |
8cb997 |
http_pkcs12_info = None
|
|
Packit |
8cb997 |
http_ca_cert = None
|
|
Packit |
8cb997 |
dirsrv_pkcs12_file = None
|
|
Packit |
8cb997 |
dirsrv_pkcs12_info = None
|
|
Packit |
8cb997 |
dirsrv_ca_cert = None
|
|
Packit |
8cb997 |
pkinit_pkcs12_file = None
|
|
Packit |
8cb997 |
pkinit_pkcs12_info = None
|
|
Packit |
8cb997 |
pkinit_ca_cert = None
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.http_cert_files:
|
|
Packit |
8cb997 |
if options.http_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Apache Server private key unlock password required")
|
|
Packit |
8cb997 |
http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
|
|
Packit |
8cb997 |
cert_files=options.http_cert_files,
|
|
Packit |
8cb997 |
key_password=options.http_pin,
|
|
Packit |
8cb997 |
key_nickname=options.http_cert_name,
|
|
Packit |
8cb997 |
ca_cert_files=options.ca_cert_files,
|
|
Packit |
8cb997 |
host_name=host_name)
|
|
Packit |
8cb997 |
http_pkcs12_info = (http_pkcs12_file.name, http_pin)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.dirsrv_cert_files:
|
|
Packit |
8cb997 |
if options.dirsrv_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Directory Server private key unlock password required")
|
|
Packit |
8cb997 |
dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
|
|
Packit |
8cb997 |
cert_files=options.dirsrv_cert_files,
|
|
Packit |
8cb997 |
key_password=options.dirsrv_pin,
|
|
Packit |
8cb997 |
key_nickname=options.dirsrv_cert_name,
|
|
Packit |
8cb997 |
ca_cert_files=options.ca_cert_files,
|
|
Packit |
8cb997 |
host_name=host_name)
|
|
Packit |
8cb997 |
dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.pkinit_cert_files:
|
|
Packit |
8cb997 |
if options.pkinit_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Kerberos KDC private key unlock password required")
|
|
Packit |
8cb997 |
pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
|
|
Packit |
8cb997 |
cert_files=options.pkinit_cert_files,
|
|
Packit |
8cb997 |
key_password=options.pkinit_pin,
|
|
Packit |
8cb997 |
key_nickname=options.pkinit_cert_name,
|
|
Packit |
8cb997 |
ca_cert_files=options.ca_cert_files,
|
|
Packit |
8cb997 |
realm_name=realm_name)
|
|
Packit |
8cb997 |
pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.http_cert_files and options.dirsrv_cert_files and \
|
|
Packit |
8cb997 |
http_ca_cert != dirsrv_ca_cert:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Apache Server SSL certificate and Directory Server SSL "
|
|
Packit |
8cb997 |
"certificate are not signed by the same CA certificate")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.http_cert_files and options.pkinit_cert_files and \
|
|
Packit |
8cb997 |
http_ca_cert != pkinit_ca_cert:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Apache Server SSL certificate and PKINIT KDC "
|
|
Packit |
8cb997 |
"certificate are not signed by the same CA certificate")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# done ##################################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_module.exit_json(changed=False,
|
|
Packit |
8cb997 |
ipa_python_version=IPA_PYTHON_VERSION,
|
|
Packit |
8cb997 |
# basic
|
|
Packit |
8cb997 |
domain=options.domain_name,
|
|
Packit |
8cb997 |
realm=realm_name,
|
|
Packit |
8cb997 |
hostname=host_name,
|
|
Packit |
8cb997 |
_hostname_overridden=bool(options.host_name),
|
|
Packit |
8cb997 |
no_host_dns=options.no_host_dns,
|
|
Packit |
8cb997 |
# server
|
|
Packit |
8cb997 |
setup_adtrust=options.setup_adtrust,
|
|
Packit |
8cb997 |
setup_kra=options.setup_kra,
|
|
Packit |
8cb997 |
setup_ca=options.setup_ca,
|
|
Packit |
8cb997 |
idstart=options.idstart,
|
|
Packit |
8cb997 |
idmax=options.idmax,
|
|
Packit |
8cb997 |
no_pkinit=options.no_pkinit,
|
|
Packit |
8cb997 |
# ssl certificate
|
|
Packit |
8cb997 |
_dirsrv_pkcs12_info=dirsrv_pkcs12_info,
|
|
Packit |
8cb997 |
_dirsrv_ca_cert=dirsrv_ca_cert,
|
|
Packit |
8cb997 |
_http_pkcs12_info=http_pkcs12_info,
|
|
Packit |
8cb997 |
_http_ca_cert=http_ca_cert,
|
|
Packit |
8cb997 |
_pkinit_pkcs12_info=pkinit_pkcs12_info,
|
|
Packit |
8cb997 |
_pkinit_ca_cert=pkinit_ca_cert,
|
|
Packit |
8cb997 |
# certificate system
|
|
Packit |
8cb997 |
external_ca=options.external_ca,
|
|
Packit |
8cb997 |
external_ca_type=options.external_ca_type,
|
|
Packit |
8cb997 |
external_ca_profile=options.external_ca_profile,
|
|
Packit |
8cb997 |
# ad trust
|
|
Packit |
8cb997 |
rid_base=options.rid_base,
|
|
Packit |
8cb997 |
secondary_rid_base=options.secondary_rid_base,
|
|
Packit |
8cb997 |
# client
|
|
Packit |
8cb997 |
ntp_servers=options.ntp_servers,
|
|
Packit |
8cb997 |
ntp_pool=options.ntp_pool,
|
|
Packit |
8cb997 |
# additional
|
|
Packit |
8cb997 |
_installation_cleanup=_installation_cleanup,
|
|
Packit |
8cb997 |
domainlevel=options.domainlevel)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if __name__ == '__main__':
|
|
Packit |
8cb997 |
main()
|