|
 |
483b06 |
From acb04249a77f62f72179899223bfeacdd2292883 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Jan Cholasta <jcholast@redhat.com>
|
|
|
483b06 |
Date: Fri, 7 Apr 2017 07:44:21 +0200
|
|
|
483b06 |
Subject: [PATCH] install: request service certs after host keytab is set up
|
|
|
483b06 |
|
|
|
483b06 |
The certmonger renew agent and restart scripts use host keytab for
|
|
|
483b06 |
authentication. When they are executed during a certmonger request before
|
|
|
483b06 |
the host keytab is set up, the authentication will fail.
|
|
|
483b06 |
|
|
|
483b06 |
Make sure all certmonger requests in the installer are done after the host
|
|
|
483b06 |
keytab is set up.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/6757
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
ipaserver/install/dsinstance.py | 17 +++++++----------
|
|
|
483b06 |
ipaserver/install/server/install.py | 18 +++++++-----------
|
|
|
483b06 |
ipaserver/install/server/replicainstall.py | 5 ++---
|
|
|
483b06 |
3 files changed, 16 insertions(+), 24 deletions(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
|
|
483b06 |
index 31dbd4ec8bcaf4a7545b4f9f316fe609b845cb75..72fcb65f2eb699d0077d3c5cc02a3fcaaad9b8e5 100644
|
|
|
483b06 |
--- a/ipaserver/install/dsinstance.py
|
|
|
483b06 |
+++ b/ipaserver/install/dsinstance.py
|
|
|
483b06 |
@@ -256,7 +256,7 @@ class DsInstance(service.Service):
|
|
|
483b06 |
|
|
|
483b06 |
subject_base = ipautil.dn_attribute_property('_subject_base')
|
|
|
483b06 |
|
|
|
483b06 |
- def __common_setup(self, enable_ssl=False):
|
|
|
483b06 |
+ def __common_setup(self):
|
|
|
483b06 |
|
|
|
483b06 |
self.step("creating directory server user", create_ds_user)
|
|
|
483b06 |
self.step("creating directory server instance", self.__create_instance)
|
|
|
483b06 |
@@ -279,8 +279,6 @@ class DsInstance(service.Service):
|
|
|
483b06 |
self.step("configuring topology plugin", self.__config_topology_module)
|
|
|
483b06 |
self.step("creating indices", self.__create_indices)
|
|
|
483b06 |
self.step("enabling referential integrity plugin", self.__add_referint_module)
|
|
|
483b06 |
- if enable_ssl:
|
|
|
483b06 |
- self.step("configuring TLS for DS instance", self.__enable_ssl)
|
|
|
483b06 |
self.step("configuring certmap.conf", self.__certmap_conf)
|
|
|
483b06 |
self.step("configure new location for managed entries", self.__repoint_managed_entries)
|
|
|
483b06 |
self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
|
|
|
483b06 |
@@ -356,8 +354,12 @@ class DsInstance(service.Service):
|
|
|
483b06 |
self.steps = []
|
|
|
483b06 |
|
|
|
483b06 |
self.step("configuring TLS for DS instance", self.__enable_ssl)
|
|
|
483b06 |
+ if self.master_fqdn is None:
|
|
|
483b06 |
+ self.step("adding CA certificate entry", self.__upload_ca_cert)
|
|
|
483b06 |
+ else:
|
|
|
483b06 |
+ self.step("importing CA certificates from LDAP",
|
|
|
483b06 |
+ self.__import_ca_certs)
|
|
|
483b06 |
self.step("restarting directory server", self.__restart_instance)
|
|
|
483b06 |
- self.step("adding CA certificate entry", self.__upload_ca_cert)
|
|
|
483b06 |
|
|
|
483b06 |
self.start_creation()
|
|
|
483b06 |
|
|
|
483b06 |
@@ -391,21 +393,16 @@ class DsInstance(service.Service):
|
|
|
483b06 |
self.promote = promote
|
|
|
483b06 |
self.api = api
|
|
|
483b06 |
|
|
|
483b06 |
- self.__common_setup(enable_ssl=(not self.promote))
|
|
|
483b06 |
+ self.__common_setup()
|
|
|
483b06 |
self.step("restarting directory server", self.__restart_instance)
|
|
|
483b06 |
|
|
|
483b06 |
self.step("creating DS keytab", self.request_service_keytab)
|
|
|
483b06 |
- if self.promote:
|
|
|
483b06 |
- self.step("configuring TLS for DS instance", self.__enable_ssl)
|
|
|
483b06 |
- self.step("restarting directory server", self.__restart_instance)
|
|
|
483b06 |
-
|
|
|
483b06 |
self.step("setting up initial replication", self.__setup_replica)
|
|
|
483b06 |
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
|
|
|
483b06 |
self.step("updating schema", self.__update_schema)
|
|
|
483b06 |
# See LDIFs for automember configuration during replica install
|
|
|
483b06 |
self.step("setting Auto Member configuration", self.__add_replica_automember_config)
|
|
|
483b06 |
self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
|
|
|
483b06 |
- self.step("importing CA certificates from LDAP", self.__import_ca_certs)
|
|
|
483b06 |
|
|
|
483b06 |
self.__common_post_setup()
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
|
|
483b06 |
index f8e64ec26e85bbc6218018eec8f403a0567b45a2..bf2e248dceaae36ba0030d3eaa47976f51ce60ba 100644
|
|
|
483b06 |
--- a/ipaserver/install/server/install.py
|
|
|
483b06 |
+++ b/ipaserver/install/server/install.py
|
|
|
483b06 |
@@ -770,6 +770,13 @@ def install(installer):
|
|
|
483b06 |
realm_name, host_name, domain_name, dm_password,
|
|
|
483b06 |
options.subject_base, options.ca_subject, 1101, 1100, None)
|
|
|
483b06 |
|
|
|
483b06 |
+ krb = krbinstance.KrbInstance(fstore)
|
|
|
483b06 |
+ krb.create_instance(realm_name, host_name, domain_name,
|
|
|
483b06 |
+ dm_password, master_password,
|
|
|
483b06 |
+ setup_pkinit=not options.no_pkinit,
|
|
|
483b06 |
+ pkcs12_info=pkinit_pkcs12_info,
|
|
|
483b06 |
+ subject_base=options.subject_base)
|
|
|
483b06 |
+
|
|
|
483b06 |
if setup_ca:
|
|
|
483b06 |
if not options.external_cert_files and options.external_ca:
|
|
|
483b06 |
# stage 1 of external CA installation
|
|
|
483b06 |
@@ -793,17 +800,6 @@ def install(installer):
|
|
|
483b06 |
# we now need to enable ssl on the ds
|
|
|
483b06 |
ds.enable_ssl()
|
|
|
483b06 |
|
|
|
483b06 |
- krb = krbinstance.KrbInstance(fstore)
|
|
|
483b06 |
- krb.create_instance(realm_name, host_name, domain_name,
|
|
|
483b06 |
- dm_password, master_password,
|
|
|
483b06 |
- setup_pkinit=not options.no_pkinit,
|
|
|
483b06 |
- pkcs12_info=pkinit_pkcs12_info,
|
|
|
483b06 |
- subject_base=options.subject_base)
|
|
|
483b06 |
-
|
|
|
483b06 |
- # restart DS to enable ipa-pwd-extop plugin
|
|
|
483b06 |
- print("Restarting directory server to enable password extension plugin")
|
|
|
483b06 |
- ds.restart()
|
|
|
483b06 |
-
|
|
|
483b06 |
if setup_ca:
|
|
|
483b06 |
ca.install_step_1(False, None, options)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
483b06 |
index cd6a62f9540f4a46da70e0cc5686eff5f54e7dfe..6f1a0d6d29b20d53986205a63382a385e75f80ea 100644
|
|
|
483b06 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
483b06 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
483b06 |
@@ -1422,9 +1422,8 @@ def install(installer):
|
|
|
483b06 |
setup_pkinit=not options.no_pkinit,
|
|
|
483b06 |
promote=promote)
|
|
|
483b06 |
|
|
|
483b06 |
- # restart DS to enable ipa-pwd-extop plugin
|
|
|
483b06 |
- print("Restarting directory server to enable password extension plugin")
|
|
|
483b06 |
- ds.restart()
|
|
|
483b06 |
+ # we now need to enable ssl on the ds
|
|
|
483b06 |
+ ds.enable_ssl()
|
|
|
483b06 |
|
|
|
483b06 |
install_http(
|
|
|
483b06 |
config,
|
|
|
483b06 |
--
|
|
|
483b06 |
2.9.3
|
|
|
483b06 |
|