From 8fa3daece87f190659260d892aad9537c5729be9 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Wed, 13 Mar 2024 13:29:15 +0100
Subject: [PATCH] ipaserver_prepare: Properly create IPA_DEFAULT_CONF

Use IPAChangeConf and realm_to_ldapi_uri to create IPA_DEFAULT_CONF.

With realm_to_ldapi_uri the ldap_uri is correctly using /run instead of
/var/run.

Previously, IPA_DEFAULT_CONF was created using plain file operations.
---
 roles/ipaserver/library/ipaserver_prepare.py  | 89 ++++++++++++++-----
 .../module_utils/ansible_ipa_server.py        |  6 +-
 2 files changed, 73 insertions(+), 22 deletions(-)

diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index f8277c11..1c791756 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -226,7 +226,8 @@ from ansible.module_utils.ansible_ipa_server import (
     redirect_stdout, adtrust, api, default_subject_base,
     default_ca_subject_dn, ipautil, installutils, ca, kra, dns,
     get_server_ip_address, no_matching_interface_for_ip_address_warning,
-    services, logger, tasks, update_hosts_file, ScriptError
+    services, logger, tasks, update_hosts_file, ScriptError, IPAChangeConf,
+    realm_to_ldapi_uri
 )
 
 
@@ -365,6 +366,11 @@ def main():
     fstore = sysrestore.FileStore(paths.SYSRESTORE)
     sstore = sysrestore.StateFile(paths.SYSRESTORE)
 
+    domain_name = options.domain_name
+    realm_name = options.realm_name
+    host_name = options.host_name
+    setup_ca = options.setup_ca
+
     # subject_base
     if not options.subject_base:
         options.subject_base = str(default_subject_base(options.realm_name))
@@ -391,27 +397,68 @@ def main():
 
         # Create the management framework config file and finalize api
         target_fname = paths.IPA_DEFAULT_CONF
-        # pylint: disable=invalid-name, consider-using-with
-        fd = open(target_fname, "w")
-        fd.write("[global]\n")
-        fd.write("host=%s\n" % options.host_name)
-        fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
-        fd.write("realm=%s\n" % options.realm_name)
-        fd.write("domain=%s\n" % options.domain_name)
-        fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
-                 ipautil.format_netloc(options.host_name))
-        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
-                 installutils.realm_to_serverid(options.realm_name))
-        if options.setup_ca:
-            fd.write("enable_ra=True\n")
-            fd.write("ra_plugin=dogtag\n")
-            fd.write("dogtag_version=10\n")
+        if realm_to_ldapi_uri is not None:
+            ipaconf = IPAChangeConf("IPA Server Install")
+            ipaconf.setOptionAssignment(" = ")
+            ipaconf.setSectionNameDelimiters(("[", "]"))
+
+            xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+                ipautil.format_netloc(host_name))
+            ldapi_uri = realm_to_ldapi_uri(realm_name)
+
+            # [global] section
+            gopts = [
+                ipaconf.setOption('host', host_name),
+                ipaconf.setOption('basedn',
+                                  ipautil.realm_to_suffix(realm_name)),
+                ipaconf.setOption('realm', realm_name),
+                ipaconf.setOption('domain', domain_name),
+                ipaconf.setOption('xmlrpc_uri', xmlrpc_uri),
+                ipaconf.setOption('ldap_uri', ldapi_uri),
+                ipaconf.setOption('mode', 'production')
+            ]
+
+            if setup_ca:
+                gopts.extend([
+                    ipaconf.setOption('enable_ra', 'True'),
+                    ipaconf.setOption('ra_plugin', 'dogtag'),
+                    ipaconf.setOption('dogtag_version', '10')
+                ])
+            else:
+                gopts.extend([
+                    ipaconf.setOption('enable_ra', 'False'),
+                    ipaconf.setOption('ra_plugin', 'None')
+                ])
+
+            opts = [
+                ipaconf.setSection('global', gopts),
+                {'name': 'empty', 'type': 'empty'}
+            ]
+
+            ipaconf.newConf(target_fname, opts)
         else:
-            fd.write("enable_ra=False\n")
-            fd.write("ra_plugin=none\n")
-        fd.write("mode=production\n")
-        fd.close()
-        # pylint: enable=invalid-name, consider-using-with
+            # pylint: disable=invalid-name, consider-using-with
+            fd = open(target_fname, "w")
+            fd.write("[global]\n")
+            fd.write("host=%s\n" % options.host_name)
+            fd.write("basedn=%s\n" % ipautil.realm_to_suffix(
+                options.realm_name))
+            fd.write("realm=%s\n" % options.realm_name)
+            fd.write("domain=%s\n" % options.domain_name)
+            fd.write("xmlrpc_uri=https://%s/ipa/xml\n" %
+                     ipautil.format_netloc(options.host_name))
+            fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+                     installutils.realm_to_serverid(options.realm_name))
+            if options.setup_ca:
+                fd.write("enable_ra=True\n")
+                fd.write("ra_plugin=dogtag\n")
+                fd.write("dogtag_version=10\n")
+            else:
+                fd.write("enable_ra=False\n")
+                fd.write("ra_plugin=none\n")
+            fd.write("mode=production\n")
+            fd.close()
+            # pylint: enable=invalid-name, consider-using-with
 
         # Must be readable for everyone
         os.chmod(target_fname, 0o644)
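Review bot: The two branches now emit different values for `ra_plugin` when no CA is set up: the IPAChangeConf path writes `ra_plugin = None` in its `else` branch, while the retained fallback still writes `ra_plugin=none`. If the consumer of this setting compares case-sensitively, a host installed through the fallback would be configured differently from one that goes through the new path; pick whichever spelling the upstream server installer uses and apply it in both branches, e.g. `fd.write("ra_plugin=None\n")` in the fallback. The fallback branch also still opens the file without a context manager, so a failing write leaves the handle open before the `os.chmod` call; `with open(target_fname, "w") as fd:` would fix that and let the pylint suppression go. The fallback further keeps reading `options.host_name`/`options.realm_name` where the new path uses the locals introduced earlier in main(), which is harmless but inconsistent. main() starts and ends outside this hunk.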
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index 8bdb048b..3d01e0ec 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -44,7 +44,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
            "check_available_memory", "getargspec", "get_min_idstart",
            "paths", "api", "ipautil", "adtrust_imported", "NUM_VERSION",
            "time_service", "kra_imported", "dsinstance", "IPA_PYTHON_VERSION",
-           "NUM_VERSION", "SerialNumber"]
+           "NUM_VERSION", "SerialNumber", "realm_to_ldapi_uri"]
 
 import sys
 import logging
@@ -121,6 +121,10 @@ try:
         )
         from ipapython.dnsutil import check_zone_overlap
         from ipapython.dn import DN
+        try:
+            from ipapython.ipaldap import realm_to_ldapi_uri
+        except ImportError:
+            realm_to_ldapi_uri = None
         try:
             from ipaclient.install import timeconf
             from ipaclient.install.client import sync_time
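Review bot: The nested `try`/`except ImportError` has no comment saying why this one import is tolerated while the sibling imports in the same block are not, so the `realm_to_ldapi_uri = None` fallback reads like dead code to a new maintainer. Suggest a comment above the inner `try` such as `# realm_to_ldapi_uri is absent in older ipapython releases; None makes ipaserver_prepare fall back to writing IPA_DEFAULT_CONF by hand.` Note also that the name is now listed in `__all__` (previous hunk) but is only bound if execution reaches this point inside the outer `try`; should an earlier import in that block fail, a star-import of this module would raise on the missing attribute — worth confirming against the outer `except`, which is outside the hunk.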
-- 
GitLab