|
|
2737e7 |
From 7746bb807a15137c6dbc36f9d0ea0c3e9377ab8c Mon Sep 17 00:00:00 2001
|
|
|
2737e7 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
2737e7 |
Date: Tue, 17 Jul 2018 08:53:39 +0200
|
|
|
2737e7 |
Subject: [PATCH] Fix KRA replica installation from CA master
|
|
|
2737e7 |
|
|
|
2737e7 |
ipa-replica-install --kra-install can fail when the topology already has
|
|
|
2737e7 |
a KRA, but replica is installed from a master with just CA. In that
|
|
|
2737e7 |
case, Custodia may pick a machine that doesn't have the KRA auditing and
|
|
|
2737e7 |
signing certs in its NSSDB.
|
|
|
2737e7 |
|
|
|
2737e7 |
Example:
|
|
|
2737e7 |
* master with CA
|
|
|
2737e7 |
* replica1 with CA and KRA
|
|
|
2737e7 |
* new replica gets installed from master
|
|
|
2737e7 |
|
|
|
2737e7 |
The replica installer now always picks a KRA peer.
|
|
|
2737e7 |
|
|
|
2737e7 |
The change fixes test scenario TestInstallWithCA1::()::test_replica2_ipa_dns_install
|
|
|
2737e7 |
|
|
|
2737e7 |
Fixes: https://pagure.io/freeipa/issue/7518
|
|
|
2737e7 |
See: https://pagure.io/freeipa/issue/7008
|
|
|
2737e7 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
2737e7 |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
2737e7 |
---
|
|
|
2737e7 |
ipaserver/install/server/replicainstall.py | 5 ++++-
|
|
|
2737e7 |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
2737e7 |
|
|
|
2737e7 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
2737e7 |
index a47412e39b9e2c603206c56a935de17321c71e91..d8c55370d33d59efdf838f7ba01efedae7857406 100644
|
|
|
2737e7 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
2737e7 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
2737e7 |
@@ -1482,7 +1482,10 @@ def install(installer):
|
|
|
2737e7 |
otpd.create_instance('OTPD', config.host_name,
|
|
|
2737e7 |
ipautil.realm_to_suffix(config.realm_name))
|
|
|
2737e7 |
|
|
|
2737e7 |
- if ca_enabled:
|
|
|
2737e7 |
+ if kra_enabled:
|
|
|
2737e7 |
+ # A KRA peer always provides a CA, too.
|
|
|
2737e7 |
+ mode = custodiainstance.CustodiaModes.KRA_PEER
|
|
|
2737e7 |
+ elif ca_enabled:
|
|
|
2737e7 |
mode = custodiainstance.CustodiaModes.CA_PEER
|
|
|
2737e7 |
else:
|
|
|
2737e7 |
mode = custodiainstance.CustodiaModes.MASTER_PEER
|
|
|
2737e7 |
--
|
|
|
2737e7 |
2.17.1
|
|
|
2737e7 |
|