From f183f70e0183e51d569ada972bd3ec73cad76a30 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Nov 11 2016 13:55:24 +0000
Subject: dns: check if container exists using ldapi
Previously an adhoc connection was established for checking if dns(sec) container exists. A simple or external bind was used. Instead, always connect with ldapi through api.Backend.ldap2. https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Babinsky
Reviewed-By: Martin Basti
---
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index fd384d6..532e353 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -281,8 +281,7 @@ def del_master(realm, hostname, options): # 7. And clean up the removed replica DNS entries if any. try: - if bindinstance.dns_container_exists(options.host, api.env.basedn, - dm_password=options.dirman_passwd): + if bindinstance.dns_container_exists(api.env.basedn): bind = bindinstance.BindInstance() bind.update_system_records() except Exception as e:
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 48a28bd..68d9a92 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -903,8 +903,7 @@ def ensure_last_services(conn, hostname, masters, options): def cleanup_server_dns_entries(realm, hostname, suffix, options): try: - if bindinstance.dns_container_exists(options.host, suffix, - dm_password=options.dirman_passwd): + if bindinstance.dns_container_exists(suffix): bindinstance.remove_master_dns_records(hostname, realm) dnskeysyncinstance.remove_replica_public_keys(hostname) except Exception as e:
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index d32ced7..179eb68 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
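Review bot: The replacement call `bindinstance.dns_container_exists(api.env.basedn)` depends on `api.Backend.ldap2` already being connected, and because it sits inside `try: ... except Exception as e:` a not-yet-connected backend would presumably be logged as a generic cleanup failure instead of the removed, explicit `RuntimeError('LDAP server on %s is not responding. Is IPA installed?')`. It is worth confirming that `del_master` connects `api.Backend.ldap2` before this step, or failing fast with a clear message such as `if not api.Backend.ldap2.isconnected(): raise RuntimeError('api.Backend.ldap2 is not connected')` ahead of the check, so a missing connection is never mistaken for a missing DNS container. The same consideration applies to `cleanup_server_dns_entries` in ipa-replica-manage, `install_step_1` in ca.py, both `ReplicaPrepare` calls in ipa_replica_prepare.py and `install_dns_records` in replicainstall.py. Dropping `dm_password=options.dirman_passwd` here means the Directory Manager password no longer has to be handed to an ad-hoc simple bind, which is the intended gain. `del_master`'s body begins and ends outside this hunk.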
@@ -39,7 +39,7 @@ from ipaserver.dns_data_management import ( from ipaserver.install import installutils from ipaserver.install import service from ipaserver.install import sysupgrade -from ipapython import ipautil, ipaldap +from ipapython import ipautil from ipapython import dnsutil from ipapython.dnsutil import DNSName from ipapython.ipa_log_manager import root_logger
@@ -58,7 +58,6 @@ from ipalib.util import (validate_zonemgr_str, normalize_zonemgr, zone_is_reverse, validate_dnssec_global_forwarder, DNSSECSignatureMissingError, EDNS0UnsupportedError, UnresolvableRecordError) -from ipalib.constants import CACERT if six.PY3: unicode = str
@@ -229,26 +228,13 @@ def named_conf_add_include(path): f.write(named_conf_include_template % {'path': path}) -def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, - realm=None): +def dns_container_exists(suffix): """ Test whether the dns container exists. """ assert isinstance(suffix, DN) - try: - # At install time we may need to use LDAPI to avoid chicken/egg - # issues with SSL certs and truting CAs - ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, - cacert=CACERT) - conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - conn.simple_bind(ipaldap.DIRMAN_DN, dm_password) - except ldap.SERVER_DOWN: - raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn) - - ret = conn.entry_exists(DN(('cn', 'dns'), suffix)) - conn.unbind() + return api.Backend.ldap2.entry_exists(DN(('cn', 'dns'), suffix)) - return ret def dns_zone_exists(name, api=api): try:
@@ -656,8 +642,7 @@ class BindInstance(service.Service): else: self.zonemgr = normalize_zonemgr(zonemgr) - self.first_instance = not dns_container_exists( - self.fqdn, self.suffix, realm=self.realm, ldapi=True) + self.first_instance = not dns_container_exists(self.suffix) self.__setup_sub_dict()
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 0d80a3f..4bbcb12 100644
--- a/ipaserver/install/ca.py
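Review bot: The rewritten `dns_container_exists` gains an unstated precondition — `api.Backend.ldap2` must already be connected — but its docstring still reads `Test whether the dns container exists.` as if the function were self-contained; extend it with `Requires a connected api.Backend.ldap2 (LDAPI); the caller establishes the connection.` so readers understand why no bind happens here any more. The removed `except ldap.SERVER_DOWN` branch was the only visible use of the `ldap` module in this function, so if `import ldap` has no remaining user in bindinstance.py it is now dead (not visible in these hunks). A consequence of dropping that branch is that a server that is down or a backend that is not connected now surfaces as whatever `api.Backend.ldap2.entry_exists` raises rather than the former `Is IPA installed?` message, which the callers relied on for a readable diagnostic. The same docstring note belongs on `dnssec_container_exists` in dnskeysyncinstance.py.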
+++ b/ipaserver/install/ca.py
@@ -223,7 +223,6 @@ def install_step_1(standalone, replica_config, options): return realm_name = options.realm_name - dm_password = options.dm_password host_name = options.host_name subject_base = options.subject
@@ -285,7 +284,7 @@ def install_step_1(standalone, replica_config, options): if standalone: # Install CA DNS records - if bindinstance.dns_container_exists(host_name, basedn, dm_password): + if bindinstance.dns_container_exists(basedn): bind = bindinstance.BindInstance() bind.update_system_records()
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 656242b..74a657d 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -19,12 +19,10 @@ from ipaserver.install import service from ipaserver.install import installutils from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN -from ipapython import ipaldap from ipapython import ipautil from ipaplatform.constants import constants from ipaplatform.paths import paths from ipalib import errors, api -from ipalib.constants import CACERT from ipaserver.install.bindinstance import dns_container_exists softhsm_token_label = u'ipaDNSSEC'
@@ -32,26 +30,13 @@ softhsm_slot = 0 replica_keylabel_template = u"dnssec-replica:%s" -def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, - realm=None): +def dnssec_container_exists(suffix): """ Test whether the dns container exists. """ assert isinstance(suffix, DN) - try: - # At install time we may need to use LDAPI to avoid chicken/egg - # issues with SSL certs and truting CAs - ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, - cacert=CACERT) - conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - conn.simple_bind(ipaldap.DIRMAN_DN, dm_password) - except ldap.SERVER_DOWN: - raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn) - - ret = conn.entry_exists(DN(('cn', 'sec'), ('cn', 'dns'), suffix)) - conn.unbind() - - return ret + return api.Backend.ldap2.entry_exists( + DN(('cn', 'sec'), ('cn', 'dns'), suffix)) def remove_replica_public_keys(hostname):
@@ -161,9 +146,7 @@ class DNSKeySyncInstance(service.Service): except KeyError: raise RuntimeError("OpenDNSSEC GID not found") - if not dns_container_exists( - self.fqdn, self.suffix, realm=self.realm, ldapi=True - ): + if not dns_container_exists(self.suffix): raise RuntimeError("DNS container does not exist") # ready to be installed, storing a state is required to run uninstall
@@ -173,8 +156,7 @@ class DNSKeySyncInstance(service.Service): """ Setup LDAP containers for DNSSEC """ - if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True, - realm=self.realm): + if dnssec_container_exists(self.suffix): self.logger.info("DNSSEC container exists (step skipped)") return
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index e6699d8..227d296 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
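Review bot: The docstring of the rewritten `dnssec_container_exists` still says `Test whether the dns container exists.` although the entry it checks is `cn=sec,cn=dns,<suffix>`, i.e. the DNSSEC container; change it to `Test whether the dnssec container (cn=sec,cn=dns) exists.` and state that it requires an already-connected `api.Backend.ldap2`. Since the `except ldap.SERVER_DOWN` handler went away with the ad-hoc connection, a missing or dead connection now surfaces as whatever `api.Backend.ldap2.entry_exists` raises rather than the former `Is IPA installed?` message, so the two `DNSKeySyncInstance` call sites further down in this file should be checked for an established connection at that point. If `ldap` was imported into this module only for that handler, the import is now unused (not visible in these hunks).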
@@ -253,10 +253,7 @@ class ReplicaPrepare(admintool.AdminTool): except installutils.BadHostError as e: if isinstance(e, installutils.HostLookupError): if not options.ip_addresses: - if dns_container_exists( - api.env.host, api.env.basedn, - dm_password=self.dirman_password, - ldapi=True, realm=api.env.realm): + if dns_container_exists(api.env.basedn): self.log.info('You might use the --ip-address option ' 'to create a DNS entry if the DNS zone ' 'is managed by IPA.')
@@ -268,9 +265,7 @@ class ReplicaPrepare(admintool.AdminTool): raise if options.ip_addresses: - if not dns_container_exists(api.env.host, api.env.basedn, - dm_password=self.dirman_password, - ldapi=True, realm=api.env.realm): + if not dns_container_exists(api.env.basedn): self.log.error( "It is not possible to add a DNS record automatically " "because DNS is not managed by IPA. Please create DNS "
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6d618b6..a7b333c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -171,9 +171,7 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file, def install_dns_records(config, options, remote_api): if not bindinstance.dns_container_exists( - config.host_name, - ipautil.realm_to_suffix(config.realm_name), - realm=config.realm_name, ldapi=True): + ipautil.realm_to_suffix(config.realm_name)): return try: