rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0105-Upgrade-configure-local-full-PKINIT-depending-on-the.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   460745326ba253b5c4924b624dbc2f0714a2af42
  2.   SOURCES
  3.   0105-Upgrade-configure-local-full-PKINIT-depending-on-the.patch
Blob History Raw
ac7d03 
From c40683f85776f401b3e6bb0a3a69a48a206ab633 Mon Sep 17 00:00:00 2001
ac7d03 
From: Martin Babinsky <mbabinsk@redhat.com>
ac7d03 
Date: Thu, 6 Apr 2017 18:52:05 +0200
ac7d03 
Subject: [PATCH] Upgrade: configure local/full PKINIT depending on the master
ac7d03 
 status
ac7d03
ac7d03 
The upgrader has been modified to configure either local or full PKINIT
ac7d03 
depending on the CA status. Additionally, the new PKINIT configuration
ac7d03 
will be written to the master's KDC entry.
ac7d03
ac7d03 
https://pagure.io/freeipa/issue/6830
ac7d03 
http://www.freeipa.org/page/V4/Kerberos_PKINIT
ac7d03
ac7d03 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ac7d03 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ac7d03 
Reviewed-By: Martin Basti <mbasti@redhat.com>
ac7d03 
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ac7d03 
---
ac7d03 
 ipaserver/install/server/upgrade.py | 15 +++++++++------
ac7d03 
 1 file changed, 9 insertions(+), 6 deletions(-)
ac7d03
ac7d03 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
ac7d03 
index ea2918f5037898b6b8dc601441a439b6150d54e5..8da918114066598ec5a74098d85dfef06d22bf86 100644
ac7d03 
--- a/ipaserver/install/server/upgrade.py
ac7d03 
+++ b/ipaserver/install/server/upgrade.py
ac7d03 
@@ -1485,14 +1485,17 @@ def add_default_caacl(ca):
ac7d03 
 def setup_pkinit(krb):
ac7d03 
     root_logger.info("[Setup PKINIT]")
ac7d03
ac7d03 
-    if not api.Command.ca_is_enabled()['result']:
ac7d03 
-        root_logger.info("CA is not enabled")
ac7d03 
-        return
ac7d03 
+    pkinit_is_enabled = krbinstance.is_pkinit_enabled()
ac7d03 
+    ca_is_enabled = api.Command.ca_is_enabled()['result']
ac7d03
ac7d03 
-    if not os.path.exists(paths.KDC_CERT):
ac7d03 
-        root_logger.info("Requesting PKINIT certificate")
ac7d03 
-        krb.setup_pkinit()
ac7d03 
+    if not pkinit_is_enabled:
ac7d03 
+        if ca_is_enabled:
ac7d03 
+            krb.issue_ipa_ca_signed_pkinit_certs()
ac7d03 
+        else:
ac7d03 
+            krb.issue_selfsigned_pkinit_certs()
ac7d03
ac7d03 
+    # reconfigure KDC just in case in order to handle potentially broken
ac7d03 
+    # 4.5.0 -> 4.5.1 upgrade path
ac7d03 
     replacevars = dict()
ac7d03 
     replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
ac7d03 
         paths.KDC_CERT,paths.KDC_KEY)
ac7d03 
--
ac7d03 
2.12.2
ac7d03

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation