Imported Debian patch 4.8.10-2

This commit is contained in:
Timo Aaltonen
2020-11-23 20:48:56 +02:00
committed by Mario Fetka
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions


@@ -28,10 +28,14 @@ dist_noinst_DATA = \
ipa-cacert-manage.in \
ipa-winsync-migrate.in \
ipa-pkinit-manage.in \
ipa-crlgen-manage.in \
ipa-cert-fix.in \
ipa-custodia.in \
ipa-custodia-check.in \
ipa-httpd-kdcproxy.in \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -58,6 +62,8 @@ nodist_sbin_SCRIPTS = \
ipa-cacert-manage \
ipa-winsync-migrate \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
$(NULL)
appdir = $(libexecdir)/ipa/
@@ -65,11 +71,9 @@ nodist_app_SCRIPTS = \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-pki-retrieve-key \
$(NULL)
dist_app_SCRIPTS = \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
$(NULL)
PYTHON_SHEBANG = \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -102,8 +102,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_app_SCRIPTS) \
$(dist_noinst_DATA) $(am__DIST_COMMON)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -135,10 +135,8 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(appdir)" \
"$(DESTDIR)$(sbindir)"
SCRIPTS = $(dist_app_SCRIPTS) $(nodist_app_SCRIPTS) \
$(nodist_sbin_SCRIPTS)
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"
SCRIPTS = $(nodist_app_SCRIPTS) $(nodist_sbin_SCRIPTS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -280,6 +278,8 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -322,11 +322,10 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -347,8 +346,6 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -436,7 +433,9 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -476,10 +475,14 @@ dist_noinst_DATA = \
ipa-cacert-manage.in \
ipa-winsync-migrate.in \
ipa-pkinit-manage.in \
ipa-crlgen-manage.in \
ipa-cert-fix.in \
ipa-custodia.in \
ipa-custodia-check.in \
ipa-httpd-kdcproxy.in \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -506,6 +509,8 @@ nodist_sbin_SCRIPTS = \
ipa-cacert-manage \
ipa-winsync-migrate \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
$(NULL)
appdir = $(libexecdir)/ipa/
@@ -513,11 +518,9 @@ nodist_app_SCRIPTS = \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-pki-retrieve-key \
$(NULL)
dist_app_SCRIPTS = \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
$(NULL)
PYTHON_SHEBANG = \
@@ -559,41 +562,6 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-dist_appSCRIPTS: $(dist_app_SCRIPTS)
@$(NORMAL_INSTALL)
@list='$(dist_app_SCRIPTS)'; test -n "$(appdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(appdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(appdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n' \
-e 'h;s|.*|.|' \
-e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) { files[d] = files[d] " " $$1; \
if (++n[d] == $(am__install_max)) { \
print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
else { print "f", d "/" $$4, $$1 } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(appdir)$$dir'"; \
$(INSTALL_SCRIPT) $$files "$(DESTDIR)$(appdir)$$dir" || exit $$?; \
} \
; done
uninstall-dist_appSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(dist_app_SCRIPTS)'; test -n "$(appdir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
dir='$(DESTDIR)$(appdir)'; $(am__uninstall_files_from_dir)
install-nodist_appSCRIPTS: $(nodist_app_SCRIPTS)
@$(NORMAL_INSTALL)
@list='$(nodist_app_SCRIPTS)'; test -n "$(appdir)" || list=; \
@@ -833,7 +801,7 @@ check: check-recursive
all-am: Makefile $(SCRIPTS) $(DATA)
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"; do \
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
@@ -887,7 +855,7 @@ info: info-recursive
info-am:
install-data-am: install-dist_appSCRIPTS install-nodist_appSCRIPTS
install-data-am: install-nodist_appSCRIPTS
install-dvi: install-dvi-recursive
@@ -931,8 +899,7 @@ ps: ps-recursive
ps-am:
uninstall-am: uninstall-dist_appSCRIPTS uninstall-nodist_appSCRIPTS \
uninstall-nodist_sbinSCRIPTS
uninstall-am: uninstall-nodist_appSCRIPTS uninstall-nodist_sbinSCRIPTS
.MAKE: $(am__recursive_targets) install-am install-strip
@@ -940,27 +907,28 @@ uninstall-am: uninstall-dist_appSCRIPTS uninstall-nodist_appSCRIPTS \
check-am clean clean-generic clean-libtool cscopelist-am ctags \
ctags-am distclean distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-dist_appSCRIPTS install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-nodist_appSCRIPTS install-nodist_sbinSCRIPTS \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am \
uninstall-dist_appSCRIPTS uninstall-nodist_appSCRIPTS \
uninstall-nodist_sbinSCRIPTS
uninstall-nodist_appSCRIPTS uninstall-nodist_sbinSCRIPTS
.PRECIOUS: Makefile
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
#
# Authors: Sumit Bose <sbose@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
@@ -213,8 +213,14 @@ def main():
adtrust.install(True, options, fstore, api)
# Enable configured services and update DNS SRV records
service.enable_services(api.env.host)
api.Command.dns_update_system_records()
service.sync_services_state(api.env.host)
dns_help = adtrust.generate_dns_service_records_help(api)
if dns_help:
for line in dns_help:
service.print_msg(line, sys.stdout)
else:
api.Command.dns_update_system_records()
print("""
=============================================================================


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2013 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
@@ -35,8 +35,9 @@ from ipaserver.install.installutils import check_creds, ReplicaConfig
from ipaserver.install import dsinstance, ca
from ipaserver.install import cainstance, service
from ipaserver.install import custodiainstance
from ipaserver.masters import find_providing_server
from ipapython import version
from ipalib import api
from ipalib import api, x509
from ipalib.constants import DOMAIN_LEVEL_1
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
@@ -67,13 +68,13 @@ def parse_options():
default=False, help="unattended installation never prompts the user")
parser.add_option("--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
ext_cas = tuple(x.value for x in cainstance.ExternalCAType)
ext_cas = tuple(x.value for x in x509.ExternalCAType)
parser.add_option("--external-ca-type", dest="external_ca_type",
type="choice", choices=ext_cas,
metavar="{{{0}}}".format(",".join(ext_cas)),
help="Type of the external CA. Default: generic")
parser.add_option("--external-ca-profile", dest="external_ca_profile",
type='constructor', constructor=cainstance.ExternalCAProfile,
type='constructor', constructor=x509.ExternalCAProfile,
default=None, metavar="PROFILE-SPEC",
help="Specify the certificate profile/template to use "
"at the external CA")
@@ -85,6 +86,7 @@ def parse_options():
type="choice", choices=ca_algos,
metavar="{{{0}}}".format(",".join(ca_algos)),
help="Signing algorithm of the IPA CA certificate")
parser.add_option("-P", "--principal", dest="principal", sensitive=True,
default=None, help="User allowed to manage replicas")
parser.add_option("--subject-base", dest="subject_base",
@@ -100,6 +102,10 @@ def parse_options():
"(default CN=Certificate Authority,O=<realm-name>). "
"RDNs are in LDAP order (most specific RDN first)."))
parser.add_option("--pki-config-override", dest="pki_config_override",
default=None,
help="Path to ini file with config overrides.")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
@@ -183,8 +189,9 @@ def install_replica(safe_options, options):
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.ca_host_name is None:
config.ca_host_name = \
service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host)
config.ca_host_name = find_providing_server(
'CA', api.Backend.ldap2, [api.env.ca_host]
)
options.realm_name = config.realm_name
options.domain_name = config.domain_name
@@ -258,7 +265,8 @@ def install(safe_options, options):
paths.KRB5_KEYTAB,
ccache)
ca_host = service.find_providing_server('CA', api.Backend.ldap2)
ca_host = find_providing_server('CA', api.Backend.ldap2)
if ca_host is None:
install_master(safe_options, options)
else:
@@ -303,7 +311,7 @@ def main():
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
service.enable_services(api.env.host)
service.sync_services_state(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()
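Review bot: The new `--pki-config-override` option in parse_options takes an arbitrary path with no validation visible in the hunk, yet its help text says the file's contents override CA configuration, so a missing or unreadable file should be rejected at option parsing rather than surfacing partway through the install. After `options, args = parser.parse_args()` add a check such as `if options.pki_config_override is not None and not os.path.isfile(options.pki_config_override): parser.error("--pki-config-override: file not found")`, assuming IPAOptionParser keeps optparse's `error()` and `os` is in scope (the import block is outside the hunk). Where the path is actually consumed is also outside this hunk; parse_options continues past it.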


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat


@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_cert_fix import IPACertFix
IPACertFix.run_cli()


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#


@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_crlgen_manage import CRLGenManage
CRLGenManage.run_cli()


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Based on ipa-replica-manage by Karl MacMillan <kmacmillan@mentalrootkit.com>
@@ -134,17 +134,19 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
print('%s' % entry.single_value.get('nsds5replicahost'))
if verbose:
print(" last init status: %s" % entry.single_value.get(
'nsds5replicalastinitstatus'))
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
repl2 = None
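Review bot: The guard the hunk adds around the last-init output in list_replicas is not applied to the last-update output right after it: `entry.single_value['nsds5replicalastupdateend']` still uses item access and will presumably fail with KeyError for an agreement that has never completed an update, while the status line above it prints `None`. Mirror the new pattern: `updatestatus = entry.single_value.get('nsds5replicalastupdatestatus')`, `if updatestatus is not None:`, and print both update lines under that condition. The identical shape appears in list_replicas of ipa-replica-manage later in this commit and should get the same treatment. list_replicas starts outside the hunk.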


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
"""Test client for ipa-custodia
The test script is expected to be executed on an IPA server with existing
@@ -18,9 +18,9 @@ from jwcrypto.common import json_decode
from jwcrypto.jwk import JWK
from ipalib import api
from ipalib.facts import is_ipa_configured
from ipaplatform.paths import paths
import ipapython.version
from ipaserver.install.installutils import is_ipa_configured
try:
# FreeIPA >= 4.5
@@ -89,7 +89,7 @@ parser.add_argument(
)
class IPACustodiaTester(object):
class IPACustodiaTester:
files = [
paths.IPA_DEFAULT_CONF,
paths.KRB5_KEYTAB,
@@ -102,7 +102,7 @@ class IPACustodiaTester(object):
self.args = args
if not api.isdone('bootstrap'):
# bootstrap to initialize api.env
api.bootstrap()
api.bootstrap(log=None)
self.debug("IPA API bootstrapped")
self.realm = api.env.realm
self.host = api.env.host


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Copyright (C) 2017 IPA Project Contributors, see COPYING for license
from ipaserver.secrets.service import main


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Martin Nagy <mnagy@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
#


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors:
# Christian Heimes <cheimes@redhat.com>
#
@@ -63,7 +63,7 @@ class FatalError(Error):
"""
class KDCProxyConfig(object):
class KDCProxyConfig:
ipaconfig_flag = 'ipaKDCProxyEnabled'
def __init__(self, time_limit=TIME_LIMIT):
@@ -186,8 +186,10 @@ class KDCProxyConfig(object):
def main(debug=DEBUG, time_limit=TIME_LIMIT):
# initialize API without file logging
if not api.isdone('bootstrap'):
api.bootstrap(context='server', confdir=paths.ETC_IPA,
log=None, debug=debug)
api.bootstrap(
context='server', confdir=paths.ETC_IPA, log=None,
debug=debug
)
standard_logging_setup(verbose=True, debug=debug)
try:


@@ -1,25 +0,0 @@
#!/bin/bash
# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
#
# If you'd like to write your custom binary providing passwords to mod_ssl,
# see the documentation of the aforementioned directive of the mod_ssl module.
USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
if [ "$#" -ne 2 ]; then
echo "Wrong number of arguments!" 1>&2
echo "$USAGE" 1>&2
exit 1
fi
fname=${1/:/-}-$2
pwdpath=/var/lib/ipa/passwds/$fname
# Make sure the values passed in do not contain path information
checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)
if [ $pwdpath == "${checkpath}" ]; then
cat $pwdpath
else
echo "Invalid path ${pwdpath}" 1>&2
fi


@@ -0,0 +1,43 @@
#!/usr/bin/python3
"""mod_ssl password reader
This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
If you'd like to write your custom binary providing passwords to mod_ssl,
see the documentation of the aforementioned directive of the mod_ssl module.
"""
import argparse
import os
from ipaplatform.paths import paths
HTTPD_PASSWD_DIR = os.path.realpath(
os.path.dirname(paths.HTTPD_PASSWD_FILE_FMT)
)
parser = argparse.ArgumentParser(description="mod_ssl password reader")
parser.add_argument(
"host_port", help="host:port",
)
parser.add_argument(
"keytype", help="RSA|DSA|ECC|number",
)
def main():
args = parser.parse_args()
host_port = args.host_port.replace(":", "-")
keytype = args.keytype
pwdpath = os.path.realpath(
os.path.join(HTTPD_PASSWD_DIR, f"{host_port}-{keytype}")
)
if not pwdpath.startswith(HTTPD_PASSWD_DIR):
parser.error(f"Invalid path {pwdpath}\n")
try:
with open(pwdpath) as f:
print(f.read(), end="")
except OSError as e:
parser.error(str(e))
if __name__ == "__main__":
main()
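Review bot: The containment check in main, `if not pwdpath.startswith(HTTPD_PASSWD_DIR):`, is a plain string-prefix test, so a resolved path in a sibling directory whose name merely begins with the same characters as HTTPD_PASSWD_DIR would pass it; the shell script this replaces compared the exact realpath. Because the script only ever reads files directly inside that directory, compare the parent instead: `if os.path.dirname(pwdpath) != HTTPD_PASSWD_DIR:`. This also rejects a resolved symlink that points elsewhere, which the prefix test happens to catch too but only by accident of naming. The module docstring should state that the two positional arguments come from the mod_ssl `SSLPassPhraseDialog` invocation, since that is the trust assumption the check relies on.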


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Ade Lee <alee@redhat.com>
#
# Copyright (C) 2014 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2008 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Jr Aquino <jr.aquino@citrix.com>
#
# Copyright (C) 2011 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Nathaniel McCallum <npmccallum@redhat.com>
#
# Copyright (C) 2014 Red Hat


@@ -1,10 +1,11 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
from __future__ import print_function
import argparse
import os
import sys
import traceback
from requests import HTTPError
from ipalib import constants
from ipalib.config import Env
@@ -16,27 +17,65 @@ def main():
env = Env()
env._finalize()
keyname = "ca_wrapped/" + sys.argv[1]
servername = sys.argv[2]
parser = argparse.ArgumentParser("ipa-pki-retrieve-key")
parser.add_argument("keyname", type=str)
parser.add_argument("servername", type=str)
args = parser.parse_args()
keyname = "ca_wrapped/{}".format(args.keyname)
service = constants.PKI_GSSAPI_SERVICE_NAME
client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
for filename in [client_keyfile, client_keytab]:
if not os.access(filename, os.R_OK):
parser.error(
"File '{}' missing or not readable.\n".format(filename)
)
# pylint: disable=no-member
client = CustodiaClient(
client_service='%s@%s' % (service, env.host), server=servername,
realm=env.realm, ldap_uri="ldaps://" + env.host,
keyfile=client_keyfile, keytab=client_keytab,
)
client_service="{}@{}".format(service, env.host),
server=args.servername,
realm=env.realm,
ldap_uri="ldaps://" + env.host,
keyfile=client_keyfile,
keytab=client_keytab,
)
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
try:
# Initially request a key wrapped using AES128-CBC.
# This uses the recent ability to specify additional
# parameters to a Custodia resource.
path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc
resp = client.fetch_key(path, store=False)
except HTTPError as e:
if e.response.status_code == 404:
# The 404 indicates one of two conditions:
#
# a) The server is an older version that does not support
# extra Custodia parameters. We should retry without
# specifying an algorithm.
#
# b) The key does not exist. At this point we cannot
# distinguish (a) and (b) but if we retry without
# specifying an algorithm, the second attempt will
# also fail with status 404.
#
# So the correct way to handle both scenarios is to
# retry without the algorithm parameter.
#
resp = client.fetch_key(keyname, store=False)
else:
raise # something else went wrong; re-raise
# Print the response JSON to stdout; it is already in the format
# that Dogtag's ExternalProcessKeyRetriever expects
print(client.fetch_key(keyname, store=False))
print(resp)
try:
if __name__ == '__main__':
main()
except BaseException:
traceback.print_exc()
sys.exit(1)
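Review bot: `keyname = "ca_wrapped/{}".format(args.keyname)` in main interpolates the positional argument into the Custodia resource path without checking it, so a name containing `/` would address a resource outside the `ca_wrapped/` namespace; the intended caller is Dogtag's ExternalProcessKeyRetriever, but the new argparse front end makes this a general command-line tool. Reject such names right after `args = parser.parse_args()`, e.g. `if "/" in args.keyname or args.keyname in ("", ".", ".."): parser.error("invalid key name")`. The `os.access` loop a few lines below is a useful early diagnostic only; the open performed later by CustodiaClient is what actually governs access, so the error message should not be read as a guarantee.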


@@ -0,0 +1,132 @@
#!/usr/bin/python3
"""Wait until pki-tomcatd is up
The script polls on Dogtag's HTTP port and wait until the admin interface
reports status 'running' for the CA sub system.
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
[Service]
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
"""
import os
import logging
import sys
import time
from xml.etree import ElementTree
from ipalib import api
from ipaplatform.paths import paths
from pki.client import PKIConnection
from pki.system import SystemStatusClient
from requests.exceptions import ConnectionError, Timeout, RequestException
logger = logging.getLogger('ipa-pki-wait-running')
# check the CA subsystem. All pki-tomcatd instances in IPA have a CA
SUBSYSTEM = 'ca'
# time out for TCP connection attempts
CONNECTION_TIMEOUT = 1.0
EXIT_SUCCESS = 0
EXIT_FAILURE = 1
if hasattr(time, 'monotonic'):
curtime = time.monotonic
else:
curtime = time.time
def check_installed(subsystem):
"""Check if the subsystem is configured
"""
catalina_base = os.environ.get(
'CATALINA_BASE', '/var/lib/pki/pki-tomcat'
)
# /var/lib/pki/pki-tomcat/conf -> /etc/pki/pki-tomcat
cs_cfg = os.path.join(catalina_base, 'conf', subsystem, 'CS.cfg')
if os.path.isfile(cs_cfg):
logger.debug("File %s exists.", cs_cfg)
return True
else:
logger.info("File %s does not exist.", cs_cfg)
return False
def get_conn(hostname, subsystem):
"""Create a connection object
"""
conn = PKIConnection(
hostname=hostname,
subsystem=subsystem,
cert_paths=paths.IPA_CA_CRT
)
logger.info(
"Created connection %s://%s:%s/%s",
conn.protocol, conn.hostname, conn.port, conn.subsystem
)
return conn
def get_status(conn, timeout):
"""Get status from subsystem and return parsed (status, error)
"""
client = SystemStatusClient(conn)
response = client.get_status(timeout=timeout)
root = ElementTree.fromstring(response)
status = root.findtext("Status")
error = root.findtext("Error")
logging.debug("Got status '%s', error '%s'", status, error)
return status, error
def main():
if not check_installed(SUBSYSTEM):
logger.info(
"subsystem %s is not installed, exiting", SUBSYSTEM
)
sys.exit(EXIT_SUCCESS)
# bootstrap ipalib.api to parse config file
api.bootstrap(confdir=paths.ETC_IPA, log=None)
timeout = api.env.startup_timeout
conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
end = curtime() + timeout
while curtime() < end:
try:
status, error = get_status(conn, CONNECTION_TIMEOUT)
except (ConnectionError, Timeout) as e:
logger.info("Connection failed: %s", e)
except RequestException as e:
logger.error("Request failed unexpectedly, %s ", e)
else:
if status == 'running':
logger.info("Success, subsystem %s is running!", SUBSYSTEM)
sys.exit(EXIT_SUCCESS)
elif error is not None:
logger.info(
"Subsystem %s failed with error '%s', giving up!",
SUBSYSTEM, error
)
sys.exit(EXIT_FAILURE)
else:
logger.info("Status is '%s', waiting...", status)
# wait and try again
time.sleep(1)
# giving up
logger.error(
"Reached end of wait timeout %s, giving up", timeout
)
sys.exit(EXIT_FAILURE)
if __name__ == '__main__':
logging.basicConfig(
format='%(name)s: %(message)s',
level=logging.INFO
)
main()
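Review bot: get_status logs through the root logger, `logging.debug("Got status '%s', error '%s'", status, error)`, while every other message in the file goes through the module `logger`; change it to `logger.debug(...)` so the record carries the `ipa-pki-wait-running` name that basicConfig's `%(name)s` format is meant to show rather than `root`. The `hasattr(time, 'monotonic')` fallback to `time.time` is dead under the `#!/usr/bin/python3` shebang (time.monotonic has existed since 3.3), so `curtime = time.monotonic` suffices. In main, a RequestException other than ConnectionError/Timeout is logged at error level and then retried every second until startup_timeout elapses; if that is intentional, a one-line comment such as `# non-connection errors are treated as transient and retried until the deadline` would save the next reader from assuming the loop should abort.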


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Martin Kosek <mkosek@redhat.com>
#
# Copyright (C) 2011 Red Hat
@@ -22,7 +22,7 @@ from __future__ import print_function
import logging
import ipaclient.install.ipachangeconf
from ipapython import ipachangeconf
from ipapython.config import IPAOptionParser
from ipapython.dn import DN
from ipapython import version
@@ -57,7 +57,7 @@ CCACHE_FILE = None
KRB5_CONFIG = None
class SshExec(object):
class SshExec:
def __init__(self, user, addr):
self.user = user
self.addr = addr
@@ -95,7 +95,7 @@ class SshExec(object):
capture_output=True, capture_error=True)
class CheckedPort(object):
class CheckedPort:
def __init__(self, port, port_type, description):
self.port = port
self.port_type = port_type
@@ -229,7 +229,7 @@ def sigterm_handler(signum, frame):
def configure_krb5_conf(realm, kdc, filename):
krbconf = ipaclient.install.ipachangeconf.IPAChangeConf("IPA Installer")
krbconf = ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment((" = ", " "))
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
@@ -23,16 +23,13 @@ from __future__ import print_function
import logging
import sys
import os
import re
import ldap
import socket
import traceback
from urllib.parse import urlparse
from xmlrpc.client import MAXINT
# pylint: disable=import-error
from six.moves.urllib.parse import urlparse
from six.moves.xmlrpc_client import MAXINT
# pylint: enable=import-error
import ldap
from ipaclient.install import ipadiscovery
from ipapython import ipautil
@@ -239,16 +236,19 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
print('%s: %s' % (entry.single_value.get('nsds5replicahost'), ent_type))
if verbose:
print(" last init status: %s" % entry.single_value.get(
'nsds5replicalastinitstatus'))
print(" last init ended: %s" % str(ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
"""
Delete a replication agreement from host A to host B.
@@ -279,6 +279,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
return False
except Exception as e:
print("Failed to determine agreement type for '%s': %s" % (replica2, e))
return False
if type1 == replication.IPA_REPLICA and managed_topology:
exit_on_managed_topology(what)
@@ -1221,7 +1222,6 @@ def re_initialize(realm, thishost, fromhost, dirman_passwd, nolookup=False):
# we did not replicate memberOf, do so now.
if not agreement.single_value.get('nsDS5ReplicatedAttributeListTotal'):
ds = dsinstance.DsInstance(realm_name=realm)
ds.ldapi = os.getegid() == 0
ds.init_memberof()
def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
@@ -1241,12 +1241,11 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
repl.force_sync(repl.conn, fromhost)
else:
ds = dsinstance.DsInstance(realm_name=realm)
ds.ldapi = os.getegid() == 0
ds.replica_manage_time_skew(prevent=False)
repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
repl.force_sync(repl.conn, thishost)
agreement = repl.get_replication_agreement(thishost)
repl.wait_for_repl_init(repl.conn, agreement.dn)
repl.wait_for_repl_update(repl.conn, agreement.dn)
ds.replica_manage_time_skew(prevent=True)
def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2013 Red Hat


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Simo Sorce <ssorce@redhat.com>
# Rob Crittenden <rcritten@redhat.com>


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#


@@ -1,4 +1,4 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2015 Red Hat


@@ -1,7 +1,7 @@
@PYTHONSHEBANG@
#!/usr/bin/python3
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2008-2010 Red Hat
# Copyright (C) 2008, 2019 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -18,587 +18,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import sys
import os
import json
import ldapurl
from ipaserver.install import service, installutils
from ipaserver.install.dsinstance import config_dirname
from ipaserver.install.installutils import is_ipa_configured, ScriptError
from ipalib import api, errors
from ipapython.ipaldap import LDAPClient
from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
from ipapython.ipautil import run
from ipapython import config
from ipaplatform.tasks import tasks
from ipapython.dn import DN
from ipaplatform import services
from ipaplatform.paths import paths
MSG_HINT_IGNORE_SERVICE_FAILURE = (
"Hint: You can use --ignore-service-failure option for forced start in "
"case that a non-critical service failed"
)
class IpactlError(ScriptError):
pass
def check_IPA_configuration():
if not is_ipa_configured():
# LSB status code 6: program is not configured
raise IpactlError("IPA is not configured " +
"(see man pages of ipa-server-install for help)", 6)
def deduplicate(lst):
"""Remove duplicates and preserve order.
Returns copy of list with preserved order and removed duplicates.
"""
new_lst = []
s = set(lst)
for i in lst:
if i in s:
s.remove(i)
new_lst.append(i)
return new_lst
def is_dirsrv_debugging_enabled():
"""
Check the 389-ds instance to see if debugging is enabled.
If so we suppress that in our output.
returns True or False
"""
debugging = False
serverid = installutils.realm_to_serverid(api.env.realm)
dselist = [config_dirname(serverid)]
for dse in dselist:
try:
fd = open(dse + 'dse.ldif', 'r')
except IOError:
continue
lines = fd.readlines()
fd.close()
for line in lines:
if line.lower().startswith('nsslapd-errorlog-level'):
_option, value = line.split(':')
if int(value) > 0:
debugging = True
return debugging
def get_capture_output(service, debug):
"""
We want to display any output of a start/stop command with the
exception of 389-ds when debugging is enabled because it outputs
tons and tons of information.
"""
if service == 'dirsrv' and not debug and is_dirsrv_debugging_enabled():
print(' debugging enabled, suppressing output.')
return True
else:
return False
def parse_options():
usage = "%prog start|stop|restart|status\n"
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information")
parser.add_option("-f", "--force", action="store_true", dest="force",
help="Force IPA to start. Combine options "
"--skip-version-check and --ignore-service-failures")
parser.add_option("--ignore-service-failures", action="store_true",
dest="ignore_service_failures",
help="If any service start fails, do not rollback the "
"services, continue with the operation")
parser.add_option("--skip-version-check", action="store_true",
dest="skip_version_check", default=False,
help="skip version check")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.force:
options.ignore_service_failures = True
options.skip_version_check = True
return safe_options, options, args
def emit_err(err):
sys.stderr.write(err + '\n')
def version_check():
try:
installutils.check_version()
except (installutils.UpgradeMissingVersionError,
installutils.UpgradeDataOlderVersionError) as exc:
emit_err("IPA version error: %s" % exc)
except installutils.UpgradeVersionError as e:
emit_err("IPA version error: %s" % e)
else:
return
emit_err("Automatically running upgrade, for details see {}".format(
paths.IPAUPGRADE_LOG))
emit_err("Be patient, this may take a few minutes.")
# Fork out to call ipa-server-upgrade so that logging is sane.
result = run([paths.IPA_SERVER_UPGRADE], raiseonerr=False,
capture_error=True)
if result.returncode != 0:
emit_err("Automatic upgrade failed: %s" % result.error_output)
emit_err("See the upgrade log for more details and/or run {} again".
format(paths.IPA_SERVER_UPGRADE))
raise IpactlError("Aborting ipactl")
def get_config(dirsrv):
base = DN(('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
srcfilter = '(ipaConfigString=enabledService)'
attrs = ['cn', 'ipaConfigString']
if not dirsrv.is_running():
raise IpactlError("Failed to get list of services to probe status:\n" +
"Directory Server is stopped", 3)
try:
# The start/restart functions already wait for the server to be
# started. What we are doing with this wait is really checking to see
# if the server is listening at all.
lurl = ldapurl.LDAPUrl(api.env.ldap_uri)
if lurl.urlscheme == 'ldapi':
wait_for_open_socket(lurl.hostport, timeout=api.env.startup_timeout)
else:
(host, port) = lurl.hostport.split(':')
wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout)
con = LDAPClient(api.env.ldap_uri)
con.external_bind()
res = con.get_entries(
base,
filter=srcfilter,
attrs_list=attrs,
scope=con.SCOPE_SUBTREE,
time_limit=10)
except errors.NetworkError:
# LSB status code 3: program is not running
raise IpactlError("Failed to get list of services to probe status:\n" +
"Directory Server is stopped", 3)
except errors.NotFound:
masters_list = []
dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
attrs = ['cn']
try:
entries = con.get_entries(dn, con.SCOPE_ONELEVEL, attrs_list=attrs)
except Exception as e:
masters_list.append("No master found because of error: %s" % str(e))
else:
for master_entry in entries:
masters_list.append(master_entry.single_value['cn'])
masters = "\n".join(masters_list)
raise IpactlError("Failed to get list of services to probe status!\n"
"Configured hostname '%s' does not match any master server in LDAP:\n%s"
% (api.env.host, masters))
except Exception as e:
raise IpactlError("Unknown error when retrieving list of services from LDAP: " + str(e))
svc_list = []
for entry in res:
name = entry.single_value['cn']
for p in entry['ipaConfigString']:
if p.startswith('startOrder '):
try:
order = int(p.split()[1])
except ValueError:
raise IpactlError("Expected order as integer in: %s:%s" % (
name, p))
svc_list.append([order, name])
ordered_list = []
for (order, svc) in sorted(svc_list):
if svc in service.SERVICE_LIST:
ordered_list.append(service.SERVICE_LIST[svc][0])
return ordered_list
def get_config_from_file():
svc_list = []
try:
f = open(tasks.get_svc_list_file(), 'r')
svc_list = json.load(f)
except Exception as e:
raise IpactlError("Unknown error when retrieving list of services from file: " + str(e))
# the framework can start/stop a number of related services we are not
# authoritative for, so filter the list through SERVICES_LIST and order it
# accordingly too.
def_svc_list = []
for svc in service.SERVICE_LIST:
s = service.SERVICE_LIST[svc]
def_svc_list.append([s[1], s[0]])
ordered_list = []
for _order, svc in sorted(def_svc_list):
if svc in svc_list:
ordered_list.append(svc)
return ordered_list
def stop_services(svc_list):
for svc in svc_list:
svc_off = services.service(svc, api=api)
try:
svc_off.stop(capture_output=False)
except Exception:
pass
def stop_dirsrv(dirsrv):
try:
dirsrv.stop(capture_output=False)
except Exception:
pass
def ipa_start(options):
if not options.skip_version_check:
version_check()
else:
print("Skipping version check")
if os.path.isfile(tasks.get_svc_list_file()):
emit_err("Existing service file detected!")
emit_err("Assuming stale, cleaning and proceeding")
# remove file with list of started services
# This is ok as systemd will just skip services
# that are already running and just return, so that the
# stop() method of the base class will simply fill in the
# service file again
os.unlink(paths.SVC_LIST_FILE)
dirsrv = services.knownservices.dirsrv
try:
print("Starting Directory Service")
dirsrv.start(capture_output=get_capture_output('dirsrv', options.debug))
except Exception as e:
raise IpactlError("Failed to start Directory Service: " + str(e))
try:
svc_list = get_config(dirsrv)
except Exception as e:
emit_err("Failed to read data from service file: " + str(e))
emit_err("Shutting down")
if not options.ignore_service_failures:
stop_dirsrv(dirsrv)
if isinstance(e, IpactlError):
# do not display any other error message
raise IpactlError(rval=e.rval) # pylint: disable=no-member
else:
raise IpactlError()
if len(svc_list) == 0:
# no service to start
return
svc_list = deduplicate(svc_list)
for svc in svc_list:
svchandle = services.service(svc, api=api)
try:
print("Starting %s Service" % svc)
svchandle.start(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to start %s Service" % svc)
# if ignore_service_failures is specified, skip rollback and
# continue with the next service
if options.ignore_service_failures:
emit_err("Forced start, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
emit_err(MSG_HINT_IGNORE_SERVICE_FAILURE)
raise IpactlError("Aborting ipactl")
def ipa_stop(options):
dirsrv = services.knownservices.dirsrv
try:
svc_list = get_config_from_file()
except Exception as e:
# Issue reading the file ? Let's try to get data from LDAP as a
# fallback
try:
dirsrv.start(capture_output=False)
svc_list = get_config(dirsrv)
except Exception as e:
emit_err("Failed to read data from Directory Service: " + str(e))
emit_err("Shutting down")
try:
# just try to stop it, do not read a result
dirsrv.stop()
finally:
raise IpactlError()
svc_list = deduplicate(svc_list)
for svc in reversed(svc_list):
svchandle = services.service(svc, api=api)
try:
print("Stopping %s Service" % svc)
svchandle.stop(capture_output=False)
except Exception:
emit_err("Failed to stop %s Service" % svc)
try:
print("Stopping Directory Service")
dirsrv.stop(capture_output=False)
except Exception:
raise IpactlError("Failed to stop Directory Service")
# remove file with list of started services
try:
os.unlink(paths.SVC_LIST_FILE)
except OSError:
pass
def ipa_restart(options):
if not options.skip_version_check:
try:
version_check()
except Exception as e:
try:
ipa_stop(options)
except Exception:
# We don't care about errors that happened while stopping.
# We need to raise the upgrade error.
pass
raise e
else:
print("Skipping version check")
dirsrv = services.knownservices.dirsrv
new_svc_list = []
dirsrv_restart = True
if not dirsrv.is_running():
try:
print("Starting Directory Service")
dirsrv.start(capture_output=get_capture_output('dirsrv', options.debug))
dirsrv_restart = False
except Exception as e:
raise IpactlError("Failed to start Directory Service: " + str(e))
try:
new_svc_list = get_config(dirsrv)
except Exception as e:
emit_err("Failed to read data from Directory Service: " + str(e))
emit_err("Shutting down")
try:
dirsrv.stop(capture_output=False)
except Exception:
pass
if isinstance(e, IpactlError):
# do not display any other error message
raise IpactlError(rval=e.rval) # pylint: disable=no-member
else:
raise IpactlError()
old_svc_list = []
try:
old_svc_list = get_config_from_file()
except Exception as e:
emit_err("Failed to get service list from file: " + str(e))
# fallback to what's in LDAP
old_svc_list = new_svc_list
# match service to start/stop
svc_list = []
for s in new_svc_list:
if s in old_svc_list:
svc_list.append(s)
#remove commons
for s in svc_list:
if s in old_svc_list:
old_svc_list.remove(s)
for s in svc_list:
if s in new_svc_list:
new_svc_list.remove(s)
if len(old_svc_list) != 0:
# we need to definitely stop some services
old_svc_list = deduplicate(old_svc_list)
for svc in reversed(old_svc_list):
svchandle = services.service(svc, api=api)
try:
print("Stopping %s Service" % svc)
svchandle.stop(capture_output=False)
except Exception:
emit_err("Failed to stop %s Service" % svc)
try:
if dirsrv_restart:
print("Restarting Directory Service")
dirsrv.restart(capture_output=get_capture_output('dirsrv', options.debug))
except Exception as e:
emit_err("Failed to restart Directory Service: " + str(e))
emit_err("Shutting down")
if not options.ignore_service_failures:
stop_services(reversed(svc_list))
stop_dirsrv(dirsrv)
raise IpactlError("Aborting ipactl")
if len(svc_list) != 0:
# there are services to restart
svc_list = deduplicate(svc_list)
for svc in svc_list:
svchandle = services.service(svc, api=api)
try:
print("Restarting %s Service" % svc)
svchandle.restart(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to restart %s Service" % svc)
# if ignore_service_failures is specified,
# skip rollback and continue with the next service
if options.ignore_service_failures:
emit_err("Forced restart, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
emit_err(MSG_HINT_IGNORE_SERVICE_FAILURE)
raise IpactlError("Aborting ipactl")
if len(new_svc_list) != 0:
# we still need to start some services
new_svc_list = deduplicate(new_svc_list)
for svc in new_svc_list:
svchandle = services.service(svc, api=api)
try:
print("Starting %s Service" % svc)
svchandle.start(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to start %s Service" % svc)
# if ignore_service_failures is specified, skip rollback and
# continue with the next service
if options.ignore_service_failures:
emit_err("Forced start, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
emit_err(MSG_HINT_IGNORE_SERVICE_FAILURE)
raise IpactlError("Aborting ipactl")
def ipa_status(options):
try:
dirsrv = services.knownservices.dirsrv
if dirsrv.is_running():
svc_list = get_config(dirsrv)
else:
svc_list = get_config_from_file()
except IpactlError as e:
if os.path.exists(tasks.get_svc_list_file()):
raise e
else:
svc_list = []
except Exception as e:
raise IpactlError("Failed to get list of services to probe status: " + str(e))
dirsrv = services.knownservices.dirsrv
try:
if dirsrv.is_running():
print("Directory Service: RUNNING")
else:
print("Directory Service: STOPPED")
if len(svc_list) == 0:
print(("Directory Service must be running in order to " +
"obtain status of other services"))
except:
raise IpactlError("Failed to get Directory Service status")
if len(svc_list) == 0:
return
svc_list = deduplicate(svc_list)
for svc in svc_list:
svchandle = services.service(svc, api=api)
try:
if svchandle.is_running():
print("%s Service: RUNNING" % svc)
else:
print("%s Service: STOPPED" % svc)
except Exception:
emit_err("Failed to get %s Service status" % svc)
def main():
if not os.getegid() == 0:
# LSB status code 4: user had insufficient privilege
raise IpactlError("You must be root to run ipactl.", 4)
_safe_options, options, args = parse_options()
if len(args) != 1:
# LSB status code 2: invalid or excess argument(s)
raise IpactlError("You must specify one action", 2)
elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
# check if IPA is configured at all
try:
check_IPA_configuration()
except IpactlError as e:
if args[0].lower() == "status":
# Different LSB return code for status command:
# 4 - program or service status is unknown
# This should differentiate uninstalled IPA from status
# code 3 - program is not running
e.rval = 4
raise e
else:
raise e
api.bootstrap(in_server=True,
context='ipactl',
confdir=paths.ETC_IPA,
debug=options.debug)
api.finalize()
if '.' not in api.env.host:
raise IpactlError("Invalid hostname '%s' in IPA configuration!\n"
"The hostname must be fully-qualified" % api.env.host)
if args[0].lower() == "start":
ipa_start(options)
elif args[0].lower() == "stop":
ipa_stop(options)
elif args[0].lower() == "restart":
ipa_restart(options)
elif args[0].lower() == "status":
ipa_status(options)
from ipaserver.install import installutils
from ipaserver.install.ipactl import main
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipactl')


@@ -27,6 +27,8 @@ dist_man1_MANS = \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
dist_man8_MANS = \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -219,6 +219,8 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -261,11 +263,10 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -286,8 +287,6 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -375,7 +374,9 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -411,6 +412,8 @@ dist_man1_MANS = \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
dist_man8_MANS = \


@@ -51,6 +51,9 @@ Include the IPA service log files in the backup.
\fB\-\-online\fR
Perform the backup on\-line. Requires the \-\-data option.
.TP
\fB\-\-disable\-role\-check\fR
Perform the backup even if this host does not have all the roles in use in the cluster. This is not recommended.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
@@ -85,4 +88,4 @@ The log file for backups
.PP
.SH "SEE ALSO"
.BR ipa\-restore(1)
.BR gpg2(1)
.BR gpg2(1)


@@ -73,6 +73,9 @@ The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME).
\fB\-\-subject\-base\fR=\fISUBJECT\fR
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for CA installation.
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.TP


@@ -21,9 +21,11 @@
ipa\-cacert\-manage \- Manage CA certificates in IPA
.SH "SYNOPSIS"
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] renew
.RE
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] install \fICERTFILE\fR...
.RE
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] delete \fINICKNAME\fR
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] list
.SH "DESCRIPTION"
\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
@@ -54,6 +56,16 @@ Please do not forget to run ipa-certupdate on the master, all the replicas and a
.sp
The supported formats for the certificate files are DER, PEM and PKCS#7 format.
.RE
.TP
\fBdelete\fR
\- Remove a CA certificate
.sp
.RS
Remove a CA from IPA. The nickname of a CA to be removed can be found using the list command. The CA chain is validated before allowing a CA to be removed so leaf certificates in a chain need to be removed first.
.sp
Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
.RE
.TP
\fBlist\fR
\- List the stored CA certificates
.sp
@@ -79,7 +91,6 @@ Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.RE
.SH "RENEW OPTIONS"
.TP
\fB\-\-self\-signed\fR
@@ -112,7 +123,6 @@ If no template is specified, the template name "SubCA" is used.
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.RE
.SH "INSTALL OPTIONS"
.TP
\fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR
@@ -130,6 +140,10 @@ T \- CA trusted to issue client certificates
.IP
p \- not trusted
.RE
.SH "DELETE OPTIONS"
.TP
\fB\-f\fR, \fB\-\-force\fR
Force a CA certificate to be removed even if chain validation fails.
.SH "EXIT STATUS"
0 if the command was successful


@@ -0,0 +1,66 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-cert\-fix \- Renew expired certificates
.SH "SYNOPSIS"
ipa\-cert\-fix [options]
.SH "DESCRIPTION"
\fIipa-cert-fix\fR is a tool for recovery when expired certificates
prevent the normal operation of FreeIPA. It should ONLY be used in
such scenarios, and backup of the system, especially certificates
and keys, is \fBSTRONGLY RECOMMENDED\fR.
Do not use this program unless expired certificates are inhibiting
normal operation and renewal procedures.
To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
This tool cannot renew certificates signed by external CAs. To
install new, externally-signed HTTP, LDAP or KDC certificates, use
\fIipa-server-certinstall(1)\fR.
\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
certificates and renew certificates that are expired, or close to
expiry (less than two weeks). If any "shared" certificates are
renewed, \fIipa-cert-fix\fR will set the current server to be the CA
renewal master, and add the new shared certificate(s) to LDAP for
replication to other CA servers. Shared certificates include all
Dogtag system certificates except the HTTPS certificate, and the IPA
RA certificate.
To repair certificates across multiple CA servers, first ensure that
LDAP replication is working across the topology. Then run
\fIipa-cert-fix\fR on one CA server. Before running
\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
CA server). This is to avoid unnecessary renewal of shared
certificates.
.SH "OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors (output from child processes may still be shown).
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
.SH "SEE ALSO"
.BR ipa-cacert-manage(1)
.BR ipa-server-certinstall(1)
.BR getcert-resubmit(1)


@@ -0,0 +1,47 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-crlgen\-manage \- Enables or disables CRL generation
.SH "SYNOPSIS"
ipa\-crlgen\-manage [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable CRL generation on the
local host. This requires that the IPA server is already installed and
configured, including a CA. The command will restart Dogtag and Apache.
Run the command with the \fBdisable\fR option to disable CRL generation on the
local host. The command will restart Dogtag and Apache.
Run the command with the \fBstatus\fR option to determine the current status
of CRL generation. If the local host is configured for CRL generation, the
command also prints the last CRL generation date and number.
Important: the administrator must ensure that there is only one IPA server
generating CRLs. In order to transfer the CRL generation from one server to
another, please run \fBipa-crlgen-manage disable\fR on the current CRL
generation master, followed by \fBipa-crlgen-manage enable\fR on the new
CRL generation master.
.SH "OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the local host is not an IPA server


@@ -51,6 +51,9 @@ Output only errors
.TP
\fB\-\-log-file\fR=\fRFILE\fR
Log to the given file
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for KRA installation.
.SH "EXIT STATUS"
0 if the command was successful


@@ -47,7 +47,7 @@ One Time Password for joining a machine to the IPA realm.
Path to host keytab.
.TP
\fB\-\-server\fR
The fully qualified domain name of the IPA server to enroll to.
The fully qualified domain name of the IPA server to enroll to. The IPA server must provide the CA role if \fB\-\-setup-ca\fR option is specified, and the KRA role if \fB\-\-setup-kra\fR option is specified.
.TP
\fB\-n\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
The primary DNS domain of an existing IPA deployment, e.g. example.com.
@@ -140,6 +140,9 @@ Name of the Apache Server SSL certificate to install
\fB\-\-pkinit\-cert\-name\fR=NAME
Name of the Kerberos KDC SSL certificate to install
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for CA and KRA installation.
.TP
\fB\-\-skip\-schema\-check\fR
Skip check for updated CA DS schema on the remote master
@@ -275,3 +278,5 @@ path.
1 if an error occurred
3 if the host exists in the IPA server or a replication agreement to the remote master already exists
4 if the remote master specified for enrollment does not provide required services such as CA or KRA


@@ -47,8 +47,23 @@ The password to unlock the private key
\fB\-\-cert\-name\fR=\fINAME\fR
Name of the certificate to install
.TP
\fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
\fB\-p\fR, \fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
Directory Manager password
.TP
\fB\-\-version\fR
Show the program's version and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file
.SH "EXIT STATUS"
0 if the installation was successful


@@ -152,6 +152,9 @@ Name of the Kerberos KDC SSL certificate to install.
\fB\-\-ca\-cert\-file\fR=\fIFILE\fR
File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for CA and KRA installation.
.TP
\fB\-\-ca\-subject\fR=\fISUBJECT\fR
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP