From d279db85dbf455a6cbdacc48cbbc2081a9be5252 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 23 May 2016 16:18:02 +0200
Subject: [PATCH] replica install: do not set CA renewal master flag
The CA renewal master flag was uncoditionally set on every replica during replica install. This causes the Dogtag certificates initially shared among all replicas to differ after renewal.
Do not set the CA renewal master flag in replica install anymore. On upgrade, remove the flag from all but one IPA masters.
https://fedorahosted.org/freeipa/ticket/5902
Reviewed-By: Martin Babinsky
---
 ipaserver/install/ca.py | 6 +++++-
 ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index b4db8dcbfad9d482e7106cd06b3d497ccf8954f0..aa3fe991bd958c59dc369f41d4bd6fdfceee9370 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -191,7 +191,11 @@ def install_step_1(standalone, replica_config, options): ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME) # We need to ldap_enable the CA now that DS is up and running - ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster']) + if replica_config is None: config = ['caRenewalMaster'] + else: config = [] + ca.ldap_enable('CA', host_name, dm_password, basedn, config) # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index dae976f02dc7f963736ca57344345135dbc1fe3b..c0c655c912a6b02da11d0feb333716f7653768ed 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
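Review bot: The new `if replica_config is None:` branch is the only place that decides which host will hold `caRenewalMaster`, yet the surrounding comment still only says the CA is being ldap_enabled, so the reason a replica must not claim the flag is recorded nowhere in the code. Add a why-comment above the branch, e.g. `# Only the first master becomes CA renewal master; a replica must not claim the flag, or every master would renew the shared Dogtag subsystem certificates independently and the copies would diverge.` Stylistically, `config = ['caRenewalMaster'] if replica_config is None else []` keeps the decision on one line next to the call that consumes it. install_step_1 begins and ends outside this hunk, so whether replica_config can be a non-None but empty value that should also count as a replica cannot be checked from here.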
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater): ldap = self.api.Backend.ldap2 base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.api.env.basedn) + dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))' try: entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater): pass else: self.debug("found CA renewal master %s", entries[0].dn[1].value) - return False, [] + + master = False + updates = [] + for entry in entries: if entry.dn == dn: master = True continue updates.append({ 'dn': entry.dn, 'updates': [ dict(action='remove', attr='ipaConfigString', value='caRenewalMaster') ], }) + if master: return False, updates + else: return False, [] criteria = { 'cert-database': paths.HTTPD_ALIAS_DIR,
@@ -96,7 +117,6 @@ class update_ca_renewal_master(Updater): "assuming local CA is renewal slave", config) return (False, False, []) - dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) update = { 'dn': dn, 'updates': [ -- 2.5.5
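Review bot: The new loop strips `caRenewalMaster` from every other flagged entry, but only when the local host is itself still flagged, so two flagged masters upgrading at the same time can each read the other's entry before either removal is written and end up removing both flags, leaving the topology with no renewal master at all; the returned updates are presumably applied after this method returns, so nothing here re-checks the directory before writing. That race is inferred rather than visible, but the intended tie-break deserves a comment above `master = False`, e.g. `# Older replica installs set caRenewalMaster on every master. The first flagged master to upgrade keeps the flag and strips it from the others; an unflagged host leaves the entries alone.` The kept debug line still logs only `entries[0]` while the loop below handles several entries, so something like `self.debug("found CA renewal master(s) %s", [e.dn[1].value for e in entries])` would make a multi-master state visible in the upgrade log. Both branches return `False` first, so `return False, updates if master else []` is a shorter equivalent of the final if/else. The enclosing method begins before and ends after this hunk.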