|
 |
db5969 |
From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
|
|
|
db5969 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
db5969 |
Date: Wed, 18 May 2016 14:10:39 +1000
|
|
|
db5969 |
Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config
|
|
|
db5969 |
|
|
|
db5969 |
A regression caused replica installation to replace the FreeIPA
|
|
|
db5969 |
version of caIPAserviceCert with the version shipped by Dogtag.
|
|
|
db5969 |
|
|
|
db5969 |
During upgrade, detect and repair occurrences of this problem.
|
|
|
db5969 |
|
|
|
db5969 |
Part of: https://fedorahosted.org/freeipa/ticket/5881
|
|
|
db5969 |
|
|
|
db5969 |
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
db5969 |
---
|
|
|
db5969 |
ipaserver/install/cainstance.py | 49 ++++++++++++++++++++++++++++++++++---
|
|
|
db5969 |
ipaserver/install/server/upgrade.py | 3 +++
|
|
|
db5969 |
2 files changed, 49 insertions(+), 3 deletions(-)
|
|
|
db5969 |
|
|
|
db5969 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
db5969 |
index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
|
|
|
db5969 |
--- a/ipaserver/install/cainstance.py
|
|
|
db5969 |
+++ b/ipaserver/install/cainstance.py
|
|
|
db5969 |
@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
|
|
|
db5969 |
conn.disconnect()
|
|
|
db5969 |
return updated
|
|
|
db5969 |
|
|
|
db5969 |
-def import_included_profiles():
|
|
|
db5969 |
+
|
|
|
db5969 |
+def __get_profile_config(profile_id):
|
|
|
db5969 |
sub_dict = dict(
|
|
|
db5969 |
DOMAIN=ipautil.format_netloc(api.env.domain),
|
|
|
db5969 |
IPA_CA_RECORD=IPA_CA_RECORD,
|
|
|
db5969 |
CRL_ISSUER='CN=Certificate Authority,o=ipaca',
|
|
|
db5969 |
SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
|
|
|
db5969 |
)
|
|
|
db5969 |
+ return ipautil.template_file(
|
|
|
db5969 |
+ '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
|
|
|
db5969 |
|
|
|
db5969 |
+def import_included_profiles():
|
|
|
db5969 |
server_id = installutils.realm_to_serverid(api.env.realm)
|
|
|
db5969 |
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
|
|
|
db5969 |
conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
|
|
|
db5969 |
@@ -1761,10 +1765,9 @@ def import_included_profiles():
|
|
|
db5969 |
ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
|
|
|
db5969 |
)
|
|
|
db5969 |
conn.add_entry(entry)
|
|
|
db5969 |
- profile_data = ipautil.template_file(
|
|
|
db5969 |
- '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
|
|
|
db5969 |
|
|
|
db5969 |
# Create the profile, replacing any existing profile of same name
|
|
|
db5969 |
+ profile_data = __get_profile_config(profile_id)
|
|
|
db5969 |
_create_dogtag_profile(profile_id, profile_data, overwrite=True)
|
|
|
db5969 |
root_logger.info("Imported profile '%s'", profile_id)
|
|
|
db5969 |
|
|
|
db5969 |
@@ -1772,6 +1775,46 @@ def import_included_profiles():
|
|
|
db5969 |
conn.disconnect()
|
|
|
db5969 |
|
|
|
db5969 |
|
|
|
db5969 |
+def repair_profile_caIPAserviceCert():
|
|
|
db5969 |
+ """
|
|
|
db5969 |
+ A regression caused replica installation to replace the FreeIPA
|
|
|
db5969 |
+ version of caIPAserviceCert with the version shipped by Dogtag.
|
|
|
db5969 |
+
|
|
|
db5969 |
+ This function detects and repairs occurrences of this problem.
|
|
|
db5969 |
+
|
|
|
db5969 |
+ """
|
|
|
db5969 |
+ api.Backend.ra_certprofile._read_password()
|
|
|
db5969 |
+ api.Backend.ra_certprofile.override_port = 8443
|
|
|
db5969 |
+
|
|
|
db5969 |
+ profile_id = 'caIPAserviceCert'
|
|
|
db5969 |
+
|
|
|
db5969 |
+ with api.Backend.ra_certprofile as profile_api:
|
|
|
db5969 |
+ try:
|
|
|
db5969 |
+ cur_config = profile_api.read_profile(profile_id).splitlines()
|
|
|
db5969 |
+ except errors.RemoteRetrieveError as e:
|
|
|
db5969 |
+ # no profile there to check/repair
|
|
|
db5969 |
+ api.Backend.ra_certprofile.override_port = None
|
|
|
db5969 |
+ return
|
|
|
db5969 |
+
|
|
|
db5969 |
+ indicators = [
|
|
|
db5969 |
+ "policyset.serverCertSet.1.default.params.name="
|
|
|
db5969 |
+ "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
|
|
|
db5969 |
+ "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
|
|
|
db5969 |
+ "https://ipa.example.com/ipa/crl/MasterCRL.bin",
|
|
|
db5969 |
+ ]
|
|
|
db5969 |
+ need_repair = all(l in cur_config for l in indicators)
|
|
|
db5969 |
+
|
|
|
db5969 |
+ if need_repair:
|
|
|
db5969 |
+ root_logger.debug(
|
|
|
db5969 |
+ "Detected that profile '{}' has been replaced with "
|
|
|
db5969 |
+ "incorrect version; begin repair.".format(profile_id))
|
|
|
db5969 |
+ _create_dogtag_profile(
|
|
|
db5969 |
+ profile_id, __get_profile_config(profile_id), overwrite=True)
|
|
|
db5969 |
+ root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
|
|
|
db5969 |
+
|
|
|
db5969 |
+ api.Backend.ra_certprofile.override_port = None
|
|
|
db5969 |
+
|
|
|
db5969 |
+
|
|
|
db5969 |
def migrate_profiles_to_ldap(dogtag_constants):
|
|
|
db5969 |
"""Migrate profiles from filesystem to LDAP.
|
|
|
db5969 |
|
|
|
db5969 |
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
|
db5969 |
index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
|
|
|
db5969 |
--- a/ipaserver/install/server/upgrade.py
|
|
|
db5969 |
+++ b/ipaserver/install/server/upgrade.py
|
|
|
db5969 |
@@ -1554,6 +1554,9 @@ def upgrade_configuration():
|
|
|
db5969 |
ca_import_included_profiles(ca)
|
|
|
db5969 |
add_default_caacl(ca)
|
|
|
db5969 |
|
|
|
db5969 |
+ if ca.is_configured():
|
|
|
db5969 |
+ cainstance.repair_profile_caIPAserviceCert()
|
|
|
db5969 |
+
|
|
|
db5969 |
set_sssd_domain_option('ipa_server_mode', 'True')
|
|
|
db5969 |
|
|
|
db5969 |
if ds_running and not ds.is_running():
|
|
|
db5969 |
--
|
|
|
db5969 |
2.5.5
|
|
|
db5969 |
|