install: remove dirman_pw from services

Remove directory manager's password from service's constructors

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

install/certmonger/dogtag-ipa-ca-renew-agent-submit

@@ -428,7 +428,7 @@ def renew_ca_cert():
         state = 'retrieve'
 
         if is_renewable():
-            ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+            ca = cainstance.CAInstance(host_name=api.env.host)
             if ca.is_renewal_master():
                 state = 'request'
     elif operation == 'POLL':
@@ -493,7 +493,7 @@ def main():
         if profile:
             handler = handlers.get(profile, request_and_store_cert)
         else:
-            ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+            ca = cainstance.CAInstance(host_name=api.env.host)
             if ca.is_renewal_master():
                 handler = request_and_store_cert
             else:

install/restart_scripts/renew_ca_cert

@@ -74,7 +74,7 @@ def _main():
         ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
         os.environ['KRB5CCNAME'] = ccache_filename
 
-        ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+        ca = cainstance.CAInstance(host_name=api.env.host)
         ca.update_cert_config(nickname, cert)
         if ca.is_renewal_master():
             cainstance.update_people_entry(cert)

install/restart_scripts/renew_ra_cert

@@ -48,7 +48,7 @@ def _main():
                              ccache_filename)
         os.environ['KRB5CCNAME'] = ccache_filename
 
-        ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+        ca = cainstance.CAInstance(host_name=api.env.host)
         if ca.is_renewal_master():
             # Fetch the new certificate
             db = certs.CertDB(api.env.realm)

install/tools/ipa-ca-install

@@ -190,15 +190,14 @@ def install_replica(safe_options, options, filename):
         custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
 
         CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
-                                   host_name=config.host_name,
-                                   dm_password=config.dirman_password)
+                                   host_name=config.host_name)
         CA.configure_replica(config.ca_host_name,
                              subject_base=config.subject_base,
                              ca_cert_bundle=ca_data)
         # Install CA DNS records
         if bindinstance.dns_container_exists(api.env.host, api.env.basedn,
                                              ldapi=True, realm=api.env.realm):
-            bind = bindinstance.BindInstance(ldapi=True)
+            bind = bindinstance.BindInstance()
             bind.update_system_records()
     else:
         ca.install(True, config, options)

install/tools/ipa-replica-manage

@@ -1123,8 +1123,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
 
     if options.cacert:
         # have to install the given CA cert before doing anything else
-        ds = dsinstance.DsInstance(realm_name = realm,
-                                   dm_password = dirman_passwd)
+        ds = dsinstance.DsInstance(realm_name=realm)
         if not ds.add_ca_cert(options.cacert):
             print("Could not load the required CA certificate file [%s]" % options.cacert)
             return
@@ -1214,7 +1213,7 @@ def re_initialize(realm, thishost, fromhost, dirman_passwd, nolookup=False):
         # If the agreement doesn't have nsDS5ReplicatedAttributeListTotal it means
         # we did not replicate memberOf, do so now.
         if not agreement.single_value.get('nsDS5ReplicatedAttributeListTotal'):
-            ds = dsinstance.DsInstance(realm_name = realm, dm_password = dirman_passwd)
+            ds = dsinstance.DsInstance(realm_name=realm)
             ds.ldapi = os.getegid() == 0
             ds.init_memberof()
 

ipaserver/install/adtrustinstance.py

@@ -137,8 +137,7 @@ def __init__(self, fstore=None):
         self.host_netbios_name = None
         self.realm = None
 
-        service.Service.__init__(self, "smb", service_desc="CIFS",
-                                 dm_password=None, ldapi=True)
+        service.Service.__init__(self, "smb", service_desc="CIFS")
 
         if fstore:
             self.fstore = fstore
@@ -740,14 +739,12 @@ def __enable(self):
         # Note that self.dm_password is None for ADTrustInstance because
         # we ensure to be called as root and using ldapi to use autobind
         try:
-            self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
-                             self.suffix)
+            self.ldap_enable('ADTRUST', self.fqdn, None, self.suffix)
         except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):
             root_logger.info("ADTRUST Service startup entry already exists.")
 
         try:
-            self.ldap_enable('EXTID', self.fqdn, self.dm_password, \
-                             self.suffix)
+            self.ldap_enable('EXTID', self.fqdn, None, self.suffix)
         except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):
             root_logger.info("EXTID Service startup entry already exists.")
 

ipaserver/install/bindinstance.py

@@ -228,8 +228,9 @@ def named_conf_add_include(path):
     with open(NAMED_CONF, 'a') as f:
         f.write(named_conf_include_template % {'path': path})
 
-def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
-                         autobind=ipaldap.AUTOBIND_DISABLED):
+
+def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
+                         realm=None):
     """
     Test whether the dns container exists.
     """
@@ -240,7 +241,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None
         ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
                                         cacert=CACERT)
         conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
-        conn.do_bind(dm_password, autobind=autobind)
+        conn.do_bind(dm_password)
     except ldap.SERVER_DOWN:
         raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
 
@@ -613,15 +614,10 @@ def clear_records(self, have_ldap):
 
 
 class BindInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False,
-                 start_tls=False, autobind=ipaldap.AUTOBIND_DISABLED):
+    def __init__(self, fstore=None, api=api):
         service.Service.__init__(
             self, "named",
-            service_desc="DNS",
-            dm_password=dm_password,
-            ldapi=ldapi,
-            autobind=autobind,
-            start_tls=start_tls
+            service_desc="DNS"
         )
         self.dns_backup = DnsBackup(self)
         self.named_user = None
@@ -632,7 +628,6 @@ def __init__(self, fstore=None, dm_password=None, api=api, ldapi=False,
         self.forwarders = None
         self.sub_dict = None
         self.reverse_zones = []
-        self.dm_password = dm_password
         self.api = api
         self.named_regular = services.service('named-regular')
 
@@ -665,8 +660,7 @@ def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
             self.zonemgr = normalize_zonemgr(zonemgr)
 
         self.first_instance = not dns_container_exists(
-            self.fqdn, self.suffix, realm=self.realm, ldapi=True,
-            dm_password=self.dm_password, autobind=self.autobind)
+            self.fqdn, self.suffix, realm=self.realm, ldapi=True)
 
         self.__setup_sub_dict()
 
@@ -763,7 +757,7 @@ def __enable(self):
         # Instead we reply on the IPA init script to start only enabled
         # components as found in our LDAP configuration tree
         try:
-            self.ldap_enable('DNS', self.fqdn, self.dm_password, self.suffix)
+            self.ldap_enable('DNS', self.fqdn, None, self.suffix)
         except errors.DuplicateEntry:
             # service already exists (forced DNS reinstall)
             # don't crash, just report error

ipaserver/install/ca.py

@@ -241,7 +241,7 @@ def install_step_1(standalone, replica_config, options):
 
         # Install CA DNS records
         if bindinstance.dns_container_exists(host_name, basedn, dm_password):
-            bind = bindinstance.BindInstance(dm_password=dm_password)
+            bind = bindinstance.BindInstance()
             bind.update_system_records()
 
 

ipaserver/install/cainstance.py

@@ -311,15 +311,12 @@ class CAInstance(DogtagInstance):
                      ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
     server_cert_name = 'Server-Cert cert-pki-ca'
 
-    def __init__(self, realm=None, ra_db=None, host_name=None,
-                 dm_password=None, ldapi=True):
+    def __init__(self, realm=None, ra_db=None, host_name=None):
         super(CAInstance, self).__init__(
             realm=realm,
             subsystem="CA",
             service_desc="certificate server",
             host_name=host_name,
-            dm_password=dm_password,
-            ldapi=ldapi
         )
 
         # for external CAs

ipaserver/install/custodiainstance.py

@@ -54,14 +54,13 @@ def __config_file(self):
         fd.flush()
         fd.close()
 
-    def create_instance(self, dm_password=None):
+    def create_instance(self):
         suffix = ipautil.realm_to_suffix(self.realm)
         self.step("Generating ipa-custodia config file", self.__config_file)
         self.step("Making sure custodia container exists", self.__create_container)
         self.step("Generating ipa-custodia keys", self.__gen_keys)
         super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
                                                       fqdn=self.fqdn,
-                                                      dm_password=dm_password,
                                                       ldap_suffix=suffix,
                                                       realm=self.realm)
         sysupgrade.set_upgrade_state('custodia', 'installed', True)
@@ -103,8 +102,7 @@ def __create_container(self):
             'SUFFIX': self.suffix,
         }
 
-        updater = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
-                                        sub_dict=sub_dict)
+        updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict)
         updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')])
 
     def __import_ra_key(self):

ipaserver/install/dns.py

@@ -23,7 +23,6 @@
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
-from ipapython.ipaldap import AUTOBIND_ENABLED
 from ipapython.ipautil import user_input
 from ipaserver.install.installutils import get_server_ip_address
 from ipaserver.install.installutils import read_dns_forwarders
@@ -61,11 +60,10 @@ def _is_master():
 def _disable_dnssec():
     fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
-    ods = opendnssecinstance.OpenDNSSECInstance(
-            fstore, ldapi=True, autobind=AUTOBIND_ENABLED)
+    ods = opendnssecinstance.OpenDNSSECInstance(fstore)
     ods.realm = api.env.realm
 
-    ods_exporter = odsexporterinstance.ODSExporterInstance(fstore, ldapi=True)
+    ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
     ods_exporter.realm = api.env.realm
 
     # unconfigure services first
@@ -200,8 +198,7 @@ def install_check(standalone, api, replica, options, hostname):
                 ", ".join([str(zone) for zone in dnssec_zones]))
 
     elif options.dnssec_master:
-        ods = opendnssecinstance.OpenDNSSECInstance(
-            fstore, ldapi=True)
+        ods = opendnssecinstance.OpenDNSSECInstance(fstore)
         ods.realm = api.env.realm
         dnssec_masters = ods.get_masters()
         # we can reinstall current server if it is dnssec master
@@ -317,8 +314,7 @@ def install(standalone, replica, options, api=api):
         # otherwise this is done by server/replica installer
         update_hosts_file(ip_addresses, api.env.host, fstore)
 
-    bind = bindinstance.BindInstance(fstore, ldapi=True, api=api,
-                                     autobind=AUTOBIND_ENABLED)
+    bind = bindinstance.BindInstance(fstore, api=api)
     bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
                options.forwarders, options.forward_policy,
                reverse_zones, zonemgr=options.zonemgr,
@@ -333,12 +329,11 @@ def install(standalone, replica, options, api=api):
     bind.create_instance()
 
     # on dnssec master this must be installed last
-    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore, ldapi=True)
+    dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
     dnskeysyncd.create_instance(api.env.host, api.env.realm)
     if options.dnssec_master:
-        ods = opendnssecinstance.OpenDNSSECInstance(fstore, ldapi=True)
-        ods_exporter = odsexporterinstance.ODSExporterInstance(
-            fstore, ldapi=True)
+        ods = opendnssecinstance.OpenDNSSECInstance(fstore)
+        ods_exporter = odsexporterinstance.ODSExporterInstance(fstore)
 
         ods_exporter.create_instance(api.env.host, api.env.realm)
         ods.create_instance(api.env.host, api.env.realm,

ipaserver/install/dnskeysyncinstance.py

@@ -33,7 +33,7 @@
 
 
 def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
-                            realm=None, autobind=ipaldap.AUTOBIND_DISABLED):
+                            realm=None):
     """
     Test whether the dns container exists.
     """
@@ -45,7 +45,7 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
                                         cacert=CACERT)
         conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
 
-        conn.do_bind(dm_password, autobind=autobind)
+        conn.do_bind(dm_password)
     except ldap.SERVER_DOWN:
         raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
 
@@ -61,16 +61,11 @@ def remove_replica_public_keys(hostname):
 
 
 class DNSKeySyncInstance(service.Service):
-    def __init__(self, fstore=None, dm_password=None, logger=root_logger,
-                 ldapi=False, start_tls=False):
+    def __init__(self, fstore=None, logger=root_logger):
         service.Service.__init__(
             self, "ipa-dnskeysyncd",
             service_desc="DNS key synchronization service",
-            dm_password=dm_password,
-            ldapi=ldapi,
-            start_tls=start_tls
         )
-        self.dm_password = dm_password
         self.logger = logger
         self.extra_config = [u'dnssecVersion 1', ]  # DNSSEC enabled
         self.named_uid = None
@@ -171,8 +166,7 @@ def __check_dnssec_status(self):
             raise RuntimeError("OpenDNSSEC GID not found")
 
         if not dns_container_exists(
-            self.fqdn, self.suffix, realm=self.realm, ldapi=True,
-            dm_password=self.dm_password, autobind=ipaldap.AUTOBIND_AUTO
+            self.fqdn, self.suffix, realm=self.realm, ldapi=True
         ):
             raise RuntimeError("DNS container does not exist")
 
@@ -184,9 +178,7 @@ def __setup_dnssec_containers(self):
         Setup LDAP containers for DNSSEC
         """
         if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True,
-                                   dm_password=self.dm_password,
-                                   realm=self.realm,
-                                   autobind=ipaldap.AUTOBIND_AUTO):
+                                   realm=self.realm):
 
             self.logger.info("DNSSEC container exists (step skipped)")
             return
@@ -413,7 +405,7 @@ def __setup_replica_keys(self):
 
     def __enable(self):
         try:
-            self.ldap_enable('DNSKeySync', self.fqdn, self.dm_password,
+            self.ldap_enable('DNSKeySync', self.fqdn, None,
                              self.suffix, self.extra_config)
         except errors.DuplicateEntry:
             self.logger.error("DNSKeySync service already exists")

ipaserver/install/dogtaginstance.py

@@ -108,15 +108,12 @@ class DogtagInstance(service.Service):
     server_cert_name = None
 
     def __init__(self, realm, subsystem, service_desc, host_name=None,
-                 dm_password=None, ldapi=True,
                  nss_db=paths.PKI_TOMCAT_ALIAS_DIR):
         """Initializer"""
 
         super(DogtagInstance, self).__init__(
             'pki-tomcatd',
-            service_desc=service_desc,
-            dm_password=dm_password,
-            ldapi=ldapi
+            service_desc=service_desc
         )
 
         self.realm = realm
@@ -164,7 +161,7 @@ def spawn_instance(self, cfg_file, nolog_list=None):
         # Define the things we don't want logged
         if nolog_list is None:
             nolog_list = []
-        nolog = tuple(nolog_list) + (self.admin_password, self.dm_password)
+        nolog = tuple(nolog_list) + (self.admin_password,)
 
         args = [paths.PKISPAWN,
                 "-s", subsystem,

ipaserver/install/dsinstance.py

@@ -217,17 +217,13 @@ def get_all_external_schema_files(root):
 info: IPA V2.0
 """
 
+
 class DsInstance(service.Service):
-    def __init__(self, realm_name=None, domain_name=None, dm_password=None,
-                 fstore=None, domainlevel=None, config_ldif=None):
+    def __init__(self, realm_name=None, domain_name=None, fstore=None,
+                 domainlevel=None, config_ldif=None):
         service.Service.__init__(self, "dirsrv",
-            service_desc="directory server",
-            dm_password=dm_password,
-            ldapi=False,
-            autobind=ipaldap.AUTOBIND_DISABLED
-            )
+                                 service_desc="directory server")
         self.nickname = 'Server-Cert'
-        self.dm_password = dm_password
         self.realm = realm_name
         self.sub_dict = None
         self.domain = domain_name
@@ -435,7 +431,6 @@ def __setup_replica(self):
         # the local server (as repica pomotion does not have the DM password.
         if self.admin_conn:
             self.ldap_disconnect()
-        self.ldapi = True
 
     def __configure_sasl_mappings(self):
         # we need to remove any existing SASL mappings in the directory as otherwise they