From d1470a8a5d2f39b57d8d66e8d0d7e8437fcd2ae4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related
IPA config entries
When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to the nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by freshly installed local CA.
https://fedorahosted.org/freeipa/ticket/5506
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
ipaserver/install/ca.py | 16 ----------------
ipaserver/install/cainstance.py | 18 ++++++++++++++++++
ipaserver/install/server/replicainstall.py | 3 +++
3 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
|
|
|
aa60fb |
index d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38..b4db8dcbfad9d482e7106cd06b3d497ccf8954f0 100644
|
|
|
aa60fb |
--- a/ipaserver/install/ca.py
|
|
|
aa60fb |
+++ b/ipaserver/install/ca.py
|
|
|
aa60fb |
@@ -12,7 +12,6 @@ from ipaplatform.paths import paths
|
|
|
aa60fb |
from ipaserver.install import installutils, certs
|
|
|
aa60fb |
from ipaserver.install.replication import replica_conn_check
|
|
|
aa60fb |
from ipalib import api, certstore, x509
|
|
|
aa60fb |
-from ConfigParser import RawConfigParser
|
|
|
aa60fb |
from ipapython.dn import DN
|
|
|
aa60fb |
from ipapython.ipa_log_manager import root_logger
|
|
|
aa60fb |
|
|
|
aa60fb |
@@ -240,21 +239,6 @@ def install_step_1(standalone, replica_config, options):
|
|
|
aa60fb |
if standalone:
|
|
|
aa60fb |
ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
|
|
|
aa60fb |
|
|
|
aa60fb |
- # Update config file
|
|
|
aa60fb |
- try:
|
|
|
aa60fb |
- parser = RawConfigParser()
|
|
|
aa60fb |
- parser.read(paths.IPA_DEFAULT_CONF)
|
|
|
aa60fb |
- parser.set('global', 'enable_ra', 'True')
|
|
|
aa60fb |
- parser.set('global', 'ra_plugin', 'dogtag')
|
|
|
aa60fb |
- parser.set('global', 'dogtag_version',
|
|
|
aa60fb |
- str(dogtag_constants.DOGTAG_VERSION))
|
|
|
aa60fb |
- with open(paths.IPA_DEFAULT_CONF, 'w') as f:
|
|
|
aa60fb |
- parser.write(f)
|
|
|
aa60fb |
- except IOError, e:
|
|
|
aa60fb |
- print "Failed to update /etc/ipa/default.conf"
|
|
|
aa60fb |
- root_logger.error(str(e))
|
|
|
aa60fb |
- sys.exit(1)
|
|
|
aa60fb |
-
|
|
|
aa60fb |
# We need to restart apache as we drop a new config file in there
|
|
|
aa60fb |
services.knownservices.httpd.restart(capture_output=True)
|
|
|
aa60fb |
|
|
|
aa60fb |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
aa60fb |
index 1a98c438786ae7dad208212fff23e3a760c95b3c..b06760308865aa42afac79d6750f4a422a5c8f95 100644
|
|
|
aa60fb |
--- a/ipaserver/install/cainstance.py
|
|
|
aa60fb |
+++ b/ipaserver/install/cainstance.py
|
|
|
aa60fb |
@@ -482,6 +482,8 @@ class CAInstance(DogtagInstance):
|
|
|
aa60fb |
self.step("importing IPA certificate profiles",
|
|
|
aa60fb |
import_included_profiles)
|
|
|
aa60fb |
self.step("adding default CA ACL", ensure_default_caacl)
|
|
|
aa60fb |
+ self.step("updating IPA configuration",
|
|
|
aa60fb |
+ lambda: update_ipa_conf(self.dogtag_constants))
|
|
|
aa60fb |
|
|
|
aa60fb |
self.start_creation(runtime=210)
|
|
|
aa60fb |
|
|
|
aa60fb |
@@ -1880,6 +1882,22 @@ def ensure_default_caacl():
|
|
|
aa60fb |
api.Backend.ldap2.disconnect()
|
|
|
aa60fb |
|
|
|
aa60fb |
|
|
|
aa60fb |
+def update_ipa_conf(dogtag_constants):
|
|
|
aa60fb |
+ """
|
|
|
aa60fb |
+ Update IPA configuration file to ensure that RA plugins are enabled and
|
|
|
aa60fb |
+ that CA host points to localhost
|
|
|
aa60fb |
+ """
|
|
|
aa60fb |
+ parser = ConfigParser.RawConfigParser()
|
|
|
aa60fb |
+ parser.read(paths.IPA_DEFAULT_CONF)
|
|
|
aa60fb |
+ parser.set('global', 'enable_ra', 'True')
|
|
|
aa60fb |
+ parser.set('global', 'ra_plugin', 'dogtag')
|
|
|
aa60fb |
+ parser.set('global', 'dogtag_version',
|
|
|
aa60fb |
+ str(dogtag_constants.DOGTAG_VERSION))
|
|
|
aa60fb |
+ parser.remove_option('global', 'ca_host')
|
|
|
aa60fb |
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
|
|
|
aa60fb |
+ parser.write(f)
|
|
|
aa60fb |
+
|
|
|
aa60fb |
+
|
|
|
aa60fb |
if __name__ == "__main__":
|
|
|
aa60fb |
standard_logging_setup("install.log")
|
|
|
aa60fb |
ds = dsinstance.DsInstance()
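Review bot: The write at the end of `update_ipa_conf` truncates `/etc/ipa/default.conf` in place, so a crash or kill between `open(..., 'w')` and the end of `parser.write` leaves the server with an empty or partial config, and unlike the block this replaces in ca.py there is no longer an IOError message at this point (whether `self.step` reports the failure is outside the hunk). Writing to a sibling temp file and renaming it over the original is the usual fix; the rewrite below needs `os` and `shutil` in scope, which this hunk does not show. Note also that `parser.read` silently returns nothing for a missing or unreadable file, after which `parser.set('global', ...)` fails with `NoSectionError` instead of an error naming the file. The docstring says the CA host "points to localhost", but the code only removes `ca_host`; `"""Enable the dogtag RA plugin in default.conf and drop any ca_host override so certificate requests are handled by the local CA."""` states what actually happens.
```python
def update_ipa_conf(dogtag_constants):
    # … unchanged: parser.read() and the set()/remove_option() calls …
    # Write to a sibling temp file and rename it over the original so an
    # interrupted install never leaves default.conf truncated; keep the mode
    # of the live file rather than the process umask.
    tmp_path = paths.IPA_DEFAULT_CONF + '.tmp'
    with open(tmp_path, 'w') as f:
        parser.write(f)
    shutil.copymode(paths.IPA_DEFAULT_CONF, tmp_path)
    os.rename(tmp_path, paths.IPA_DEFAULT_CONF)
```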
|
|
|
aa60fb |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
aa60fb |
index 317eda92dd4322542f035c2df4dba919a5898cc7..2ab95add90d33eb191d4e75b62cb4eceac40551b 100644
|
|
|
aa60fb |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
aa60fb |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
aa60fb |
@@ -378,6 +378,9 @@ def install_check(installer):
|
|
|
aa60fb |
fd.write("ra_plugin=dogtag\n")
|
|
|
aa60fb |
fd.write("dogtag_version=%s\n" %
|
|
|
aa60fb |
dogtag.install_constants.DOGTAG_VERSION)
|
|
|
aa60fb |
+
|
|
|
aa60fb |
+ if not config.setup_ca:
|
|
|
aa60fb |
+ fd.write("ca_host={0}\n".format(config.master_host_name))
|
|
|
aa60fb |
else:
|
|
|
aa60fb |
fd.write("enable_ra=False\n")
|
|
|
aa60fb |
fd.write("ra_plugin=none\n")
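Review bot: `ca_host` is set to `config.master_host_name`, the master the replica file was prepared on, and nothing in the hunk checks that this host actually runs a CA, while the commit message says it should point to the nearest CA master; if the preparing master is itself CA-less, every certificate request from this replica is forwarded to a host that cannot serve it (whether `install_check` verifies this elsewhere is not visible here). A comment on the new line would at least record the assumption: `# ca_host must name a master that runs a CA; master_host_name is only where the replica file came from`. The enclosing `if`/`else` and `install_check` itself begin outside the hunk.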
--
2.5.0