On 2.12.2015 16:23, Jan Cholasta wrote:
Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5498>.

Note that you still have to provide admin password in
ipa-replica-install, either using --admin-password or interactively,
because:

a) Admin password is required for replica promotion. This will be fixed
with <https://fedorahosted.org/freeipa/ticket/5401>.

Patches are on the list:
<https://www.redhat.com/archives/freeipa-devel/2015-December/msg00027.html>.

Pushed.



b) Admin password is required for connection check. This will be fixed
with <https://fedorahosted.org/freeipa/ticket/5497>.

Martin Basti pointed out that the admin password should not be requested interactively during OTP replica promotion. Fixed.

Updated and rebased patch attached.

--
Jan Cholasta
From 14ea04301a876d2f955600ba7f482a7d492b7903 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 2 Dec 2015 15:57:59 +0100
Subject: [PATCH] replica promotion: allow OTP bulk client enrollment

https://fedorahosted.org/freeipa/ticket/5498
---
 ipaserver/install/server/replicainstall.py | 64 ++++++++++++++++++------------
 1 file changed, 39 insertions(+), 25 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8a9120a..96c470c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -776,7 +776,9 @@ def ensure_enrolled(installer):
     config = installer._config
 
     # Perform only if we have the necessary options
-    if not any([installer.admin_password, installer.keytab]):
+    if not any([installer.password,
+                installer.admin_password,
+                installer.keytab]):
         sys.exit("IPA client is not configured on this system.\n"
                  "You must join the system by running 'ipa-client-install' "
                  "first. Alternatively, you may specify enrollment related "
@@ -786,6 +788,8 @@ def ensure_enrolled(installer):
     service.print_msg("Configuring client side components")
     try:
         args = [paths.IPA_CLIENT_INSTALL, "--unattended"]
+        stdin = None
+
         if installer.domain_name:
             args.extend(["--domain", installer.domain_name])
         if installer.server:
@@ -795,12 +799,16 @@ def ensure_enrolled(installer):
         if installer.host_name:
             args.extend(["--hostname", installer.host_name])
 
-        if installer.admin_password:
-            # Always set principal if password was set explicitly,
-            # the password itself gets passed directly via stdin
-            args.extend(["--principal", installer.principal or "admin"])
-        if installer.keytab:
-            args.extend(["--keytab", installer.keytab])
+        if installer.password:
+            args.extend(["--password", installer.password])
+        else:
+            if installer.admin_password:
+                # Always set principal if password was set explicitly,
+                # the password itself gets passed directly via stdin
+                args.extend(["--principal", installer.principal or "admin"])
+                stdin = installer.admin_password
+            if installer.keytab:
+                args.extend(["--keytab", installer.keytab])
 
         if installer.no_dns_sshfp:
             args.append("--no-dns-sshfp")
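Review bot: The bulk-enrollment password is placed on the child's command line at `args.extend(["--password", installer.password])`, so any local user can read the OTP from `ps` or `/proc/<pid>/cmdline` for as long as ipa-client-install runs, whereas the `else` branch deliberately keeps the admin password off argv and hands it over through `stdin` (the retained comment says exactly that). A one-time password is short-lived, but the exposure window spans the whole client install and the same argv is what ipautil.run passes on later in this function. If ipa-client-install can accept the OTP on stdin in unattended mode, prefer `stdin = installer.password` with no `--password` argument; if it cannot, at least record the trade-off with `# NOTE: the OTP is visible in the process list for the duration of the client install`. ensure_enrolled's body continues outside this hunk.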
@@ -813,7 +821,7 @@ def ensure_enrolled(installer):
         if installer.mkhomedir:
             args.append("--mkhomedir")
 
-        ipautil.run(args, stdin=installer.admin_password or None)
+        ipautil.run(args, stdin=stdin)
 
     except Exception as e:
         sys.exit("Configuration of client side components failed!\n"
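Review bot: `ipautil.run(args, stdin=stdin)` now executes with a secret possibly embedded in `args` (the OTP branch earlier in this function appends `--password <otp>`), and the `except` immediately below folds the exception text into the `sys.exit` message; if ipautil.run records the argv in its debug log or in the error it raises, the OTP ends up in the install log or on the console. If ipautil.run offers a way to redact selected arguments from its logging, pass the password value through it; otherwise the safer fix is to keep the secret off argv entirely. The `except` branch continues past the end of the hunk.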
@@ -972,16 +980,17 @@ def promote_check(installer):
         add_to_ipaservers = not result
 
         if add_to_ipaservers:
-            if installer._ccache is None:
-                del os.environ['KRB5CCNAME']
-            else:
-                os.environ['KRB5CCNAME'] = installer._ccache
-
-            try:
-                installutils.check_creds(options, config.realm_name)
-                installer._ccache = os.environ.get('KRB5CCNAME')
-            finally:
-                os.environ['KRB5CCNAME'] = ccache
+            if not options.password or options.admin_password:
+                if installer._ccache is None:
+                    del os.environ['KRB5CCNAME']
+                else:
+                    os.environ['KRB5CCNAME'] = installer._ccache
+
+                try:
+                    installutils.check_creds(options, config.realm_name)
+                    installer._ccache = os.environ.get('KRB5CCNAME')
+                finally:
+                    os.environ['KRB5CCNAME'] = ccache
 
             conn.disconnect()
             conn.connect(ccache=installer._ccache)
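Review bot: `if not options.password or options.admin_password:` reads correctly only once you remember that `not` binds tighter than `or`; writing it as `if options.admin_password or not options.password:` with a comment `# OTP-only promotion carries no admin credential to verify` makes the intent explicit. When that branch is skipped, `installer._ccache` is neither cleared nor refreshed, yet the two lines after it reconnect with `conn.connect(ccache=installer._ccache)` and, judging by the `add_to_ipaservers` flag, the host is presumably added to ipaservers afterwards; whether that ccache is valid and sufficiently privileged for that step in the OTP-only case depends on state set outside this hunk, so it is worth confirming and failing early with a clear message if it is not. promote_check continues beyond the hunk.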
@@ -1348,11 +1357,14 @@ class Replica(BaseServer):
                      "multiple times"),
     )
 
-    dm_password = Knob(
+    dm_password = None
+
+    password = Knob(
         BaseServer.dm_password,
-        description="Directory Manager (existing master) password",
-        cli_name='password',
-        cli_metavar='PASSWORD',
+        description=("Password to join the IPA realm. Assumes bulk password "
+                     "unless principal is also set. (domain level 1+)\n"
+                     "Directory Manager (existing master) password. "
+                     "(domain level 0)"),
     )
 
     admin_password = Knob(
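Review bot: `dm_password = None` overrides the knob inherited from BaseServer without saying why, and the next reader will wonder whether it was left behind by accident; a one-line comment such as `# Directory Manager password is no longer its own option; at domain level 0 it is taken from --password below.` would settle that. The new `password` knob is built from `BaseServer.dm_password`, so any sensitive-value handling attached to that base definition is presumably inherited, but that cannot be confirmed from this hunk alone. The Replica class body continues on both sides of the hunk.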
@@ -1434,6 +1446,11 @@ class Replica(BaseServer):
 
         if self.replica_file is None:
             self.promote = True
+
+            if self.principal and not self.admin_password:
+                self.admin_password = self.password
+                self.password = None
+
             # If any of the PKCS#12 options are selected, all are required.
             if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
                 raise RuntimeError("--dirsrv-cert-file and --http-cert-file "
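Review bot: The three lines under `self.promote = True` silently reinterpret `--password` as the password of `--principal`, which is easy to miss in an attribute shuffle; a comment such as `# With --principal, --password is that principal's password (used for promotion), not the bulk OTP.` would record the rule where it is applied. Because the swap is skipped whenever `--admin-password` is also set, `--principal X --password Y --admin-password Z` keeps Y as the OTP; whether `--principal` is still honoured in that combination depends on code outside this hunk, and if it is not, rejecting the combination with a RuntimeError in the same style as the PKCS#12 check just below would be clearer than ignoring an option. The enclosing method starts before this hunk.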
@@ -1457,7 +1474,6 @@ class Replica(BaseServer):
                 CLIKnob(self.domain_name, '--domain'),
                 CLIKnob(self.host_name, '--hostname'),
                 CLIKnob(self.server, '--server'),
-                CLIKnob(self.admin_password, '--admin-password'),
                 CLIKnob(self.principal, '--principal'),
             )
 
@@ -1479,8 +1495,6 @@ class Replica(BaseServer):
                     "You must specify at least one of --forwarder, "
                     "--auto-forwarders, or --no-forwarders options")
 
-        self.password = self.dm_password
-
     @step()
     def main(self):
         if self.promote:
-- 
2.4.3
