From 06654aba40bd79eff8bd44ac629bb5bb9b8f9c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
Date: Thu, 26 Jul 2018 11:46:55 +0200
Subject: [PATCH] Do not set ca_host when --setup-ca is used
Setting ca_host caused replication failures on DL0
because it was trying to connect to wrong CA host.
Trying to avoid corner-case in ipaserver/plugins/dogtag.py
when neither api.env.host nor api.env.ca_host had a CA configured
and there was ca_host set to api.env.ca_host variable.
See: https://pagure.io/freeipa/issue/7566
Resolves: https://pagure.io/freeipa/issue/7629
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/cainstance.py | 24 ++++++++++++++++++++++
ipaserver/install/server/replicainstall.py | 7 +++++--
2 files changed, 29 insertions(+), 2 deletions(-)
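--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -451,6 +451,11 @@ class CAInstance(DogtagInstance):
 self.step("updating IPA configuration", update_ipa_conf)
 self.step("enabling CA instance", self.__enable_instance)
 if not promote:
+ if self.clone:
+ # DL0 workaround; see docstring of __expose_ca_in_ldap
+ self.step("exposing CA instance on LDAP",
+ self.__expose_ca_in_ldap)
+
 self.step("migrating certificate profiles to LDAP",
 migrate_profiles_to_ldap)
 self.step("importing IPA certificate profiles",
@@ -1268,6 +1273,25 @@ class CAInstance(DogtagInstance):
 config = []
 self.ldap_configure('CA', self.fqdn, None, basedn, config)
 
+ def __expose_ca_in_ldap(self):
+ """
+ In a case when replica is created on DL0 we need to make
+ sure that query for CA service record of this replica in
+ ldap will succeed in time of installation.
+ This method is needed for sucessfull replica installation
+ on DL0 and should be removed alongside with code for DL0.
+
+ To suppress deprecation warning message this method is
+ not invoking ldap_enable() but _ldap_enable() method.
+ """
+
+ basedn = ipautil.realm_to_suffix(self.realm)
+ if not self.clone:
+ config = ['caRenewalMaster']
+ else:
+ config = []
+ self._ldap_enable(u'enabledService', "CA", self.fqdn, basedn, config)
+
 def setup_lightweight_ca_key_retrieval(self):
 if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'):
 return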
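Review bot: The `if not self.clone:` branch inside the new `__expose_ca_in_ldap` is unreachable from the only call site this patch adds, which registers the step under `if self.clone:` in the first hunk, so the `['caRenewalMaster']` value is never written; either reduce the body to `config = []` or add a comment saying why the non-clone path is kept. The docstring has a typo, `sucessfull` should be `successful`, and it would help to state that the service entry is published before the remaining steps (profile migration and the later steps) run, which is the ordering the step list in the first hunk establishes. Calling `_ldap_enable` instead of `ldap_enable()` is fine for a DL0-only workaround, but a removal marker at the call site, `# TODO: remove together with the rest of the DL0 support`, would keep the intent visible. The method enclosing the first hunk starts and ends outside it.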
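--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -241,9 +241,12 @@ def create_ipa_conf(fstore, config, ca_enabled, master=None):
 gopts.extend([
 ipaconf.setOption('enable_ra', 'True'),
 ipaconf.setOption('ra_plugin', 'dogtag'),
- ipaconf.setOption('dogtag_version', '10'),
- ipaconf.setOption('ca_host', config.ca_host_name)
+ ipaconf.setOption('dogtag_version', '10')
 ])
+
+ if not config.setup_ca:
+ gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))
+
 else:
 gopts.extend([
 ipaconf.setOption('enable_ra', 'False'),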
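Review bot: The new `if not config.setup_ca:` guard carries the whole reason for this change but no comment, so a reader of `create_ipa_conf` cannot tell why `ca_host` is deliberately left out of ipa.conf when a local CA is installed; add one line above it, e.g. `# With --setup-ca the local CA is used; leave ca_host unset so it does not point at a remote CA (https://pagure.io/freeipa/issue/7629)`. The guard appears to sit inside the branch that enables the RA, whose `else:` is visible at the end of the hunk, so `ca_host` is now written only for replicas that rely on a remote CA; it is worth confirming that nothing else in the installer still expects `ca_host` in ipa.conf on a `--setup-ca` replica before the local CA is up. `create_ipa_conf` starts and ends outside the hunk.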
--
2.17.1