From 06654aba40bd79eff8bd44ac629bb5bb9b8f9c26 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>

Date: Thu, 26 Jul 2018 11:46:55 +0200

Subject: [PATCH] Do not set ca_host when --setup-ca is used

Setting ca_host caused replication failures on DL0

because it was trying to connect to wrong CA host.

Trying to avoid corner-case in ipaserver/plugins/dogtag.py

when api.env.host nor api.env.ca_host had not CA configured

and there was ca_host set to api.env.ca_host variable.

See: https://pagure.io/freeipa/issue/7566

Resolves: https://pagure.io/freeipa/issue/7629

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/install/cainstance.py            | 24 ++++++++++++++++++++++

 ipaserver/install/server/replicainstall.py |  7 +++++--

 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index 6dbf69b3e5833f220a4d7d640b66a8fcf824f445..ffcebd719a16ebc5a991b35507b96411ad31eb10 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -451,6 +451,11 @@ class CAInstance(DogtagInstance):

                 self.step("updating IPA configuration", update_ipa_conf)

                 self.step("enabling CA instance", self.__enable_instance)

                 if not promote:

+                    if self.clone:

+                        # DL0 workaround; see docstring of __expose_ca_in_ldap

+                        self.step("exposing CA instance on LDAP",

+                                  self.__expose_ca_in_ldap)

+

                     self.step("migrating certificate profiles to LDAP",

                               migrate_profiles_to_ldap)

                     self.step("importing IPA certificate profiles",

@@ -1268,6 +1273,25 @@ class CAInstance(DogtagInstance):

             config = []

         self.ldap_configure('CA', self.fqdn, None, basedn, config)

+    def __expose_ca_in_ldap(self):

+        """

+        In a case when replica is created on DL0 we need to make

+        sure that query for CA service record of this replica in

+        ldap will succeed in time of installation.

+        This method is needed for sucessfull replica installation

+        on DL0 and should be removed alongside with code for DL0.

+

+        To suppress deprecation warning message this method is

+        not invoking ldap_enable() but _ldap_enable() method.

+        """

+

+        basedn = ipautil.realm_to_suffix(self.realm)

+        if not self.clone:

+            config = ['caRenewalMaster']

+        else:

+            config = []

+        self._ldap_enable(u'enabledService', "CA", self.fqdn, basedn, config)

+

     def setup_lightweight_ca_key_retrieval(self):

         if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'):

             return

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py

index e78a2b992fbd44b8ee3ccd8183ebd6e13dfd1749..42c723b57699340d7dfa67f581ab7d4d4fdcf551 100644

--- a/ipaserver/install/server/replicainstall.py

+++ b/ipaserver/install/server/replicainstall.py

@@ -241,9 +241,12 @@ def create_ipa_conf(fstore, config, ca_enabled, master=None):

         gopts.extend([

             ipaconf.setOption('enable_ra', 'True'),

             ipaconf.setOption('ra_plugin', 'dogtag'),

-            ipaconf.setOption('dogtag_version', '10'),

-            ipaconf.setOption('ca_host', config.ca_host_name)

+            ipaconf.setOption('dogtag_version', '10')

         ])

+

+        if not config.setup_ca:

+            gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))

+

     else:

         gopts.extend([

             ipaconf.setOption('enable_ra', 'False'),

-- 

2.17.1