#!/usr/bin/python # Copyright 2016 Red Hat, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import argparse import logging import os import shutil import sys from ipalib import api, errors from ipapython import version from novajoin import configure_ipa from novajoin.errors import ConfigurationError IPACONF = '/etc/ipa/default.conf' logging.basicConfig(format='%(message)s') logger = logging.getLogger() if __name__ == '__main__': logger.setLevel(logging.INFO) try: parser = argparse.ArgumentParser( description='novajoin Install Options' ) parser = configure_ipa.ipa_options(parser) opts = parser.parse_args() configure_ipa.validate_options(opts) except ConfigurationError as e: # pylint: disable=broad-except logger.info(str(e)) # emit message to console logger.debug(e, exc_info=1) # add backtrace information to logfile logger.info('Installation aborted.') sys.exit(1) if not opts.precreate and not os.path.exists('/etc/ipa/default.conf'): sys.exit('Must be enrolled in IPA or see precreate') if opts.debug: logger.setLevel(logging.DEBUG) args = {'context': 'novajoin'} if opts.precreate: if opts.domain: args['domain'] = opts.domain if opts.realm: args['realm'] = opts.realm if opts.server: args['xmlrpc_uri'] = u'https://%s/ipa/json' % opts.server precreate_opts_specified = (opts.precreate and opts.domain and opts.realm and opts.server) # suppress the Forwarding messages from ipa # This is not needed in versions newer than 4.7 if version.NUM_VERSION < 40600: from ipapython.ipa_log_manager import log_mgr console = log_mgr.get_handler('console') console.setLevel(logging.WARN) novajoin = configure_ipa.NovajoinRole(user=opts.user, hostname=opts.hostname) ccache_dir = None if not opts.no_kinit: if precreate_opts_specified: krb5_conf = novajoin.create_krb5_conf(opts) os.environ['KRB5_CONFIG'] = krb5_conf else: krb5_conf = None try: ccache_dir = novajoin.kinit(opts.principal, opts.realm, opts.password, krb5_conf) # We use the ccache that we just created inside the kinit # function. os.environ['KRB5CCNAME'] = novajoin.ccache_name except ConfigurationError: if krb5_conf: os.remove(krb5_conf) nss_db = None cafile = None if precreate_opts_specified: # IPA v4.5.0 switched client from NSS to OpenSSL if version.NUM_VERSION >= 40500: cafile = novajoin.create_cafile(opts.server, opts.realm) # Workaround for https://pagure.io/freeipa/issue/7145 try: args['tls_ca_cert'] = cafile.decode('UTF-8') except AttributeError: args['tls_ca_cert'] = cafile else: nss_db = novajoin.create_nssdb(opts.server, opts.realm) try: args['nss_dir'] = nss_db.secdir.decode('UTF-8') except AttributeError: args['nss_dir'] = nss_db.secdir api.bootstrap(**args) api.finalize() logging.debug('Connect to IPA backend') try: if cafile: api.Backend.rpcclient.connect(ca_certfile=cafile) elif nss_db: api.Backend.rpcclient.connect(nss_dir=nss_db.secdir) else: api.Backend.rpcclient.connect() except errors.CCacheError: if nss_db: nss_db.close() sys.exit("No Kerberos credentials") novajoin.configure_ipa(opts.precreate, opts.otp_filename) if nss_db: nss_db.close() if cafile: os.remove(cafile) if krb5_conf: os.remove(krb5_conf) if ccache_dir: shutil.rmtree(ccache_dir)