From d279db85dbf455a6cbdacc48cbbc2081a9be5252 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 23 May 2016 16:18:02 +0200
Subject: [PATCH] replica install: do not set CA renewal master flag
|
The CA renewal master flag was unconditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.
|
Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA masters.
|
https://fedorahosted.org/freeipa/ticket/5902
|
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipaserver/install/ca.py | 6 +++++-
ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
2 files changed, 27 insertions(+), 3 deletions(-)
|
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index b4db8dcbfad9d482e7106cd06b3d497ccf8954f0..aa3fe991bd958c59dc369f41d4bd6fdfceee9370 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -191,7 +191,11 @@ def install_step_1(standalone, replica_config, options):
ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
|
# We need to ldap_enable the CA now that DS is up and running
- ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
+ if replica_config is None:
+ config = ['caRenewalMaster']
+ else:
+ config = []
+ ca.ldap_enable('CA', host_name, dm_password, basedn, config)
|
# This is done within stopped_service context, which restarts CA
ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
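Review bot: The comment above the call still says only that the CA is ldap-enabled, while the new branch quietly decides which host gets the `caRenewalMaster` flag, so a reader of ca.py has no hint why replicas are excluded. Add a why-comment such as `# Only the first CA master is the renewal master; replicas must not claim the flag, or the certificates shared among CA replicas diverge on renewal (ticket 5902).` The four-line if/else can also be a single conditional expression, `config = ['caRenewalMaster'] if replica_config is None else []`. install_step_1 starts and ends outside this hunk.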
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index dae976f02dc7f963736ca57344345135dbc1fe3b..c0c655c912a6b02da11d0feb333716f7653768ed 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
ldap = self.api.Backend.ldap2
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
+ dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
try:
entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
pass
else:
self.debug("found CA renewal master %s", entries[0].dn[1].value)
- return False, []
+
+ master = False
+ updates = []
+
+ for entry in entries:
+ if entry.dn == dn:
+ master = True
+ continue
+
+ updates.append({
+ 'dn': entry.dn,
+ 'updates': [
+ dict(action='remove', attr='ipaConfigString',
+ value='caRenewalMaster')
+ ],
+ })
+
+ if master:
+ return False, updates
+ else:
+ return False, []
|
criteria = {
'cert-database': paths.HTTPD_ALIAS_DIR,
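Review bot: The loop strips the `caRenewalMaster` flag from every other master without logging it, while the debug line above names only `entries[0]`, so an administrator later asking why a host stopped renewing certificates finds nothing in the upgrade log. Log each demotion before the `updates.append`, e.g. `self.debug("removing CA renewal master flag from %s", entry.dn[1].value)`. The trailing `if master: ... else:` pair can collapse to `return False, updates if master else []`. Since the cleanup runs only on a host that is itself flagged, two flagged masters upgrading concurrently could each remove the other's flag; presumably the code further down re-elects a master when none is found, but that is worth confirming. The method body of update_ca_renewal_master continues outside this hunk.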
@@ -96,7 +117,6 @@ class update_ca_renewal_master(Updater):
"assuming local CA is renewal slave", config)
return (False, False, [])
|
- dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
update = {
'dn': dn,
'updates': [
--
2.5.5