pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone
Source Code
GIT

Blame SOURCES/0075-renew-agent-restart-scripts-connect-to-LDAP-after-ki.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client
  1.   bef1ab628ca8d534452090a549d788a6daef9fb5
  2.   SOURCES
  3.   0075-renew-agent-restart-scripts-connect-to-LDAP-after-ki.patch
Blob History Raw
ac7d03 
From 429f07426014c51025d136b505165a43f5e0df21 Mon Sep 17 00:00:00 2001
ac7d03 
From: Jan Cholasta <jcholast@redhat.com>
ac7d03 
Date: Fri, 7 Apr 2017 07:51:01 +0200
ac7d03 
Subject: [PATCH] renew agent, restart scripts: connect to LDAP after kinit
ac7d03
ac7d03 
Connect to LDAP after kinit is done, otherwise GSSAPI authentication will
ac7d03 
fail.
ac7d03
ac7d03 
https://pagure.io/freeipa/issue/6757
ac7d03
ac7d03 
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ac7d03 
---
ac7d03 
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 6 ++++--
ac7d03 
 install/restart_scripts/renew_ca_cert               | 6 ++++--
ac7d03 
 install/restart_scripts/renew_ra_cert               | 6 ++++--
ac7d03 
 3 files changed, 12 insertions(+), 6 deletions(-)
ac7d03
ac7d03 
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
ac7d03 
index 3389447a99d9ab9dac159b0d57ca02f60698ce0c..7a3d9551884c0fe43566dd9012699211a39294eb 100755
ac7d03 
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
ac7d03 
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
ac7d03 
@@ -518,7 +518,6 @@ def main():
ac7d03
ac7d03 
     api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
ac7d03 
     api.finalize()
ac7d03 
-    api.Backend.ldap2.connect()
ac7d03
ac7d03 
     operation = os.environ.get('CERTMONGER_OPERATION')
ac7d03 
     if operation not in ('SUBMIT', 'POLL'):
ac7d03 
@@ -532,6 +531,8 @@ def main():
ac7d03 
         os.environ['KRB5CCNAME'] = ccache_filename
ac7d03 
         kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
ac7d03
ac7d03 
+        api.Backend.ldap2.connect()
ac7d03 
+
ac7d03 
         profile = os.environ.get('CERTMONGER_CA_PROFILE')
ac7d03 
         if is_replicated():
ac7d03 
             if profile or is_renewal_master():
ac7d03 
@@ -547,9 +548,10 @@ def main():
ac7d03 
             print(item)
ac7d03 
         return res[0]
ac7d03 
     finally:
ac7d03 
+        if api.Backend.ldap2.isconnected():
ac7d03 
+            api.Backend.ldap2.disconnect()
ac7d03 
         certs.renewal_lock.release()
ac7d03 
         shutil.rmtree(tmpdir)
ac7d03 
-        api.Backend.ldap2.disconnect()
ac7d03
ac7d03
ac7d03 
 try:
ac7d03 
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
ac7d03 
index bbeae1ae1da5a230f3de1c2569c2324606ae9789..7a54b4c7e05a35b40b17e46b75ff8d47db1b2d23 100644
ac7d03 
--- a/install/restart_scripts/renew_ca_cert
ac7d03 
+++ b/install/restart_scripts/renew_ca_cert
ac7d03 
@@ -42,7 +42,6 @@ def _main():
ac7d03
ac7d03 
     api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
ac7d03 
     api.finalize()
ac7d03 
-    api.Backend.ldap2.connect()
ac7d03
ac7d03 
     dogtag_service = services.knownservices['pki_tomcatd']
ac7d03
ac7d03 
@@ -77,6 +76,8 @@ def _main():
ac7d03 
         kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
ac7d03 
         os.environ['KRB5CCNAME'] = ccache_filename
ac7d03
ac7d03 
+        api.Backend.ldap2.connect()
ac7d03 
+
ac7d03 
         ca = cainstance.CAInstance(host_name=api.env.host)
ac7d03 
         ca.update_cert_config(nickname, cert)
ac7d03 
         if ca.is_renewal_master():
ac7d03 
@@ -184,8 +185,9 @@ def _main():
ac7d03 
                 if conn is not None and conn.isconnected():
ac7d03 
                     conn.disconnect()
ac7d03 
     finally:
ac7d03 
+        if api.Backend.ldap2.isconnected():
ac7d03 
+            api.Backend.ldap2.disconnect()
ac7d03 
         shutil.rmtree(tmpdir)
ac7d03 
-        api.Backend.ldap2.disconnect()
ac7d03
ac7d03 
     # Now we can start the CA. Using the services start should fire
ac7d03 
     # off the servlet to verify that the CA is actually up and responding so
ac7d03 
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
ac7d03 
index 5c71d5791fa8254de686d1c3a8d01e2cda4d493b..486ee786629076687864f6ef9c3a69b8e389dc28 100644
ac7d03 
--- a/install/restart_scripts/renew_ra_cert
ac7d03 
+++ b/install/restart_scripts/renew_ra_cert
ac7d03 
@@ -38,7 +38,6 @@ from ipaplatform.paths import paths
ac7d03 
 def _main():
ac7d03 
     api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
ac7d03 
     api.finalize()
ac7d03 
-    api.Backend.ldap2.connect()
ac7d03
ac7d03 
     tmpdir = tempfile.mkdtemp(prefix="tmp-")
ac7d03 
     try:
ac7d03 
@@ -47,6 +46,8 @@ def _main():
ac7d03 
         kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
ac7d03 
         os.environ['KRB5CCNAME'] = ccache_filename
ac7d03
ac7d03 
+        api.Backend.ldap2.connect()
ac7d03 
+
ac7d03 
         ca = cainstance.CAInstance(host_name=api.env.host)
ac7d03 
         ra_certpath = paths.RA_AGENT_PEM
ac7d03 
         if ca.is_renewal_master():
ac7d03 
@@ -71,8 +72,9 @@ def _main():
ac7d03 
             # Load it into dogtag
ac7d03 
             cainstance.update_people_entry(dercert)
ac7d03 
     finally:
ac7d03 
+        if api.Backend.ldap2.isconnected():
ac7d03 
+            api.Backend.ldap2.disconnect()
ac7d03 
         shutil.rmtree(tmpdir)
ac7d03 
-        api.Backend.ldap2.disconnect()
ac7d03
ac7d03
ac7d03 
 def main():
ac7d03 
--
ac7d03 
2.9.3
ac7d03

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation