pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0180-always-start-certmonger-during-IPA-server-configurat.patch

e0ab38
From 80115a38d78db0c2a31dea06786af41eafb234f0 Mon Sep 17 00:00:00 2001
e0ab38
From: Martin Babinsky <mbabinsk@redhat.com>
e0ab38
Date: Mon, 1 Feb 2016 12:59:04 +0100
e0ab38
Subject: [PATCH] always start certmonger during IPA server configuration
e0ab38
 upgrade
e0ab38
e0ab38
This patch fixes a regression introduced by commit
e0ab38
bef0f4c5c38e7ff6415e8f8c96dc306ef7f0ce56. Instead of checking whether
e0ab38
there is CA installed in the topology, we should always start certmonger
e0ab38
service during upgrade regardless when CA was configured.
e0ab38
e0ab38
https://fedorahosted.org/freeipa/ticket/5655
e0ab38
e0ab38
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
e0ab38
Reviewed-By: Martin Basti <mbasti@redhat.com>
e0ab38
---
e0ab38
 ipaserver/install/server/upgrade.py | 33 +++++----------------------------
e0ab38
 1 file changed, 5 insertions(+), 28 deletions(-)
e0ab38
e0ab38
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
e0ab38
index 616fba5c1a5b3737481aecbb09ab5344641a3b04..1f1cfeb672809c0298c69c121ac38d6c7a482d11 100644
e0ab38
--- a/ipaserver/install/server/upgrade.py
e0ab38
+++ b/ipaserver/install/server/upgrade.py
e0ab38
@@ -292,24 +292,6 @@ def setup_firefox_extension(fstore):
e0ab38
     http.setup_firefox_extension(realm, domain)
e0ab38
 
e0ab38
 
e0ab38
-def is_ca_enabled():
e0ab38
-    """
e0ab38
-    check whether there is an active CA master
e0ab38
-    :return: True if there is an active CA in topology, False otherwise
e0ab38
-    """
e0ab38
-    ldap2 = api.Backend.ldap2
e0ab38
-    was_connected = ldap2.isconnected()
e0ab38
-
e0ab38
-    if not was_connected:
e0ab38
-        ldap2.connect()
e0ab38
-
e0ab38
-    try:
e0ab38
-        return api.Command.ca_is_enabled()['result']
e0ab38
-    finally:
e0ab38
-        if not was_connected:
e0ab38
-            ldap2.disconnect()
e0ab38
-
e0ab38
-
e0ab38
 def ca_configure_profiles_acl(ca):
e0ab38
     root_logger.info('[Authorizing RA Agent to modify profiles]')
e0ab38
 
e0ab38
@@ -1420,6 +1402,10 @@ def upgrade_configuration():
e0ab38
             )
e0ab38
         upgrade_pki(ca, fstore)
e0ab38
 
e0ab38
+    certmonger_service = services.knownservices.certmonger
e0ab38
+    if ca.is_configured() and not certmonger_service.is_running():
e0ab38
+        certmonger_service.start()
e0ab38
+
e0ab38
     ca.configure_certmonger_renewal_guard()
e0ab38
 
e0ab38
     update_dbmodules(api.env.realm)
e0ab38
@@ -1435,8 +1421,7 @@ def upgrade_configuration():
e0ab38
     http.configure_selinux_for_httpd()
e0ab38
     http.change_mod_nss_port_from_http()
e0ab38
 
e0ab38
-    if is_ca_enabled():
e0ab38
-        http.configure_certmonger_renewal_guard()
e0ab38
+    http.configure_certmonger_renewal_guard()
e0ab38
 
e0ab38
     ds.configure_dirsrv_ccache()
e0ab38
 
e0ab38
@@ -1582,14 +1567,6 @@ def upgrade_check(options):
e0ab38
         print unicode(e)
e0ab38
         sys.exit(1)
e0ab38
 
e0ab38
-    try:
e0ab38
-        ca_is_enabled = is_ca_enabled()
e0ab38
-    except Exception as e:
e0ab38
-        raise RuntimeError("Cannot connect to LDAP server: {0}".format(e))
e0ab38
-
e0ab38
-    if not services.knownservices.certmonger.is_running() and ca_is_enabled:
e0ab38
-        raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.')
e0ab38
-
e0ab38
     if not options.skip_version_check:
e0ab38
         # check IPA version and data version
e0ab38
         try:
e0ab38
-- 
e0ab38
2.5.0
e0ab38