areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0171-httpinstance-wait-until-the-service-entry-is-replica.patch

483b06
From 07469b2cc7bd1478836a1c755b301dbf9234d61a Mon Sep 17 00:00:00 2001
483b06
From: Jan Cholasta <jcholast@redhat.com>
483b06
Date: Mon, 22 May 2017 08:15:14 +0000
483b06
Subject: [PATCH] httpinstance: wait until the service entry is replicated
483b06
483b06
Wait until the local HTTP service entry is replicated to the remote master
483b06
before requesting the server certificate.
483b06
483b06
This prevents a replication conflict between the service entry added
483b06
locally and service entry added remotely when requesting the certificate.
483b06
483b06
https://pagure.io/freeipa/issue/6867
483b06
483b06
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
483b06
Reviewed-By: Martin Basti <mbasti@redhat.com>
483b06
---
483b06
 ipaserver/install/httpinstance.py          | 29 +++++++++++++++++++++++++++--
483b06
 ipaserver/install/server/install.py        |  4 ++--
483b06
 ipaserver/install/server/replicainstall.py |  5 +++--
483b06
 3 files changed, 32 insertions(+), 6 deletions(-)
483b06
483b06
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
483b06
index c76a1a4e484c5777ced92761916c1c586e8b2d5d..12fdddccc26b0c1132bcdca7fe2249a85997892e 100644
483b06
--- a/ipaserver/install/httpinstance.py
483b06
+++ b/ipaserver/install/httpinstance.py
483b06
@@ -32,9 +32,11 @@ import six
483b06
 from augeas import Augeas
483b06
 
483b06
 from ipalib.install import certmonger
483b06
+from ipapython import ipaldap
483b06
 from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
483b06
                               EXTERNAL_CA_TRUST_FLAGS,
483b06
                               TRUSTED_PEER_TRUST_FLAGS)
483b06
+from ipaserver.install import replication
483b06
 from ipaserver.install import service
483b06
 from ipaserver.install import certs
483b06
 from ipaserver.install import installutils
483b06
@@ -127,12 +129,15 @@ class HTTPInstance(service.Service):
483b06
 
483b06
     subject_base = ipautil.dn_attribute_property('_subject_base')
483b06
 
483b06
-    def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
483b06
+    def create_instance(self, realm, fqdn, domain_name, dm_password=None,
483b06
+                        pkcs12_info=None,
483b06
                         subject_base=None, auto_redirect=True, ca_file=None,
483b06
-                        ca_is_configured=None, promote=False):
483b06
+                        ca_is_configured=None, promote=False,
483b06
+                        master_fqdn=None):
483b06
         self.fqdn = fqdn
483b06
         self.realm = realm
483b06
         self.domain = domain_name
483b06
+        self.dm_password = dm_password
483b06
         self.suffix = ipautil.realm_to_suffix(self.realm)
483b06
         self.pkcs12_info = pkcs12_info
483b06
         self.dercert = None
483b06
@@ -148,6 +153,7 @@ class HTTPInstance(service.Service):
483b06
         if ca_is_configured is not None:
483b06
             self.ca_is_configured = ca_is_configured
483b06
         self.promote = promote
483b06
+        self.master_fqdn = master_fqdn
483b06
 
483b06
         self.step("stopping httpd", self.__stop)
483b06
         self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
483b06
@@ -577,3 +583,22 @@ class HTTPInstance(service.Service):
483b06
         db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR)
483b06
         db.track_server_cert(self.cert_nickname, self.principal,
483b06
                              db.passwd_fname, 'restart_httpd')
483b06
+
483b06
+    def request_service_keytab(self):
483b06
+        super(HTTPInstance, self).request_service_keytab()
483b06
+
483b06
+        if self.master_fqdn is not None:
483b06
+            service_dn = DN(('krbprincipalname', self.principal),
483b06
+                            api.env.container_service,
483b06
+                            self.suffix)
483b06
+
483b06
+            ldap_uri = ipaldap.get_ldap_uri(self.master_fqdn)
483b06
+            with ipaldap.LDAPClient(ldap_uri,
483b06
+                                    start_tls=not self.promote,
483b06
+                                    cacert=paths.IPA_CA_CRT) as remote_ldap:
483b06
+                if self.promote:
483b06
+                    remote_ldap.gssapi_bind()
483b06
+                else:
483b06
+                    remote_ldap.simple_bind(ipaldap.DIRMAN_DN,
483b06
+                                            self.dm_password)
483b06
+                replication.wait_for_entry(remote_ldap, service_dn, timeout=60)
483b06
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
483b06
index 03380b8d0e9150224b014a1a174d7ea81ccdcf00..9dcf903f4582740f007c049fae3ec247ddf52aef 100644
483b06
--- a/ipaserver/install/server/install.py
483b06
+++ b/ipaserver/install/server/install.py
483b06
@@ -830,13 +830,13 @@ def install(installer):
483b06
     http = httpinstance.HTTPInstance(fstore)
483b06
     if options.http_cert_files:
483b06
         http.create_instance(
483b06
-            realm_name, host_name, domain_name,
483b06
+            realm_name, host_name, domain_name, dm_password,
483b06
             pkcs12_info=http_pkcs12_info, subject_base=options.subject_base,
483b06
             auto_redirect=not options.no_ui_redirect,
483b06
             ca_is_configured=setup_ca)
483b06
     else:
483b06
         http.create_instance(
483b06
-            realm_name, host_name, domain_name,
483b06
+            realm_name, host_name, domain_name, dm_password,
483b06
             subject_base=options.subject_base,
483b06
             auto_redirect=not options.no_ui_redirect,
483b06
             ca_is_configured=setup_ca)
483b06
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
483b06
index b30133ffa22d410452ae04624d49db209175bed9..20eaf98397101b49c751c325afc0591e0babcc18 100644
483b06
--- a/ipaserver/install/server/replicainstall.py
483b06
+++ b/ipaserver/install/server/replicainstall.py
483b06
@@ -163,9 +163,10 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
483b06
     http = httpinstance.HTTPInstance()
483b06
     http.create_instance(
483b06
         config.realm_name, config.host_name, config.domain_name,
483b06
-        pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file,
483b06
+        config.dirman_password, pkcs12_info,
483b06
+        auto_redirect=auto_redirect, ca_file=ca_file,
483b06
         ca_is_configured=ca_is_configured, promote=promote,
483b06
-        subject_base=config.subject_base)
483b06
+        subject_base=config.subject_base, master_fqdn=config.master_host_name)
483b06
 
483b06
     return http
483b06
 
483b06
-- 
483b06
2.9.4
483b06