From 81d5888a2dc512cd0295b860cf8f408dea2e46a0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 11 May 2016 16:13:51 +1000
Subject: [PATCH] Prevent replica install from overwriting cert profiles
|
|
|
db5969 |
|
|
|
db5969 |
An earlier change that unconditionally triggers import of file-based
profiles to LDAP during server or replica install results in
replicas overwriting FreeIPA-managed profiles with profiles of the
same name shipped with Dogtag. ('caIPAserviceCert' is the affected
profile).
|
|
|
db5969 |
|
|
|
db5969 |
Avoid this situation by never overwriting existing profiles during
the LDAP import.
|
|
|
db5969 |
|
|
|
db5969 |
Fixes: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipaserver/install/cainstance.py | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
|
|
|
db5969 |
|
|
|
db5969 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b06760308865aa42afac79d6750f4a422a5c8f95..50ca5d3aeb9be24d8e1e80ad408191fca76a459c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1763,7 +1763,9 @@ def import_included_profiles():
conn.add_entry(entry)
profile_data = ipautil.template_file(
'/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
- _create_dogtag_profile(profile_id, profile_data)
+
+ # Create the profile, replacing any existing profile of same name
+ _create_dogtag_profile(profile_id, profile_data, overwrite=True)
root_logger.info("Imported profile '%s'", profile_id)
|
|
|
db5969 |
|
|
|
db5969 |
api.Backend.ra_certprofile.override_port = None
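Review bot: The new comment at the `_create_dogtag_profile(profile_id, profile_data, overwrite=True)` call says the existing profile is replaced, but nothing in `import_included_profiles` records the precondition that makes that safe: this path must run only where the file-based profiles are authoritative, otherwise the replica-overwrite problem the commit fixes in `migrate_profiles_to_ldap` reappears here. Suggest stating it in the function docstring, e.g. `"""Import the IPA-shipped profiles, overwriting any existing profile of the same name; intended only for the install where the shipped files are authoritative."""`. I am inferring the caller constraint from the commit message, so confirm it against the call sites before documenting. The body of `import_included_profiles` begins outside the hunk.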
@@ -1815,12 +1817,17 @@ def migrate_profiles_to_ldap(dogtag_constants):
profile_data += '\n'
profile_data += 'profileId={}\n'.format(profile_id)
profile_data += 'classId={}\n'.format(class_id)
- _create_dogtag_profile(profile_id, profile_data)
+
+ # Import the profile, but do not replace it if it already exists.
+ # This prevents replicas from replacing IPA-managed profiles with
+ # Dogtag default profiles of same name.
+ #
+ _create_dogtag_profile(profile_id, profile_data, overwrite=False)
|
|
|
db5969 |
|
|
|
db5969 |
api.Backend.ra_certprofile.override_port = None
|
|
|
db5969 |
|
|
|
db5969 |
|
|
|
db5969 |
-def _create_dogtag_profile(profile_id, profile_data):
+def _create_dogtag_profile(profile_id, profile_data, overwrite):
with api.Backend.ra_certprofile as profile_api:
# import the profile
try:
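Review bot: `def _create_dogtag_profile(profile_id, profile_data, overwrite):` gains a required `overwrite` parameter but no docstring explains what the two settings do on a name conflict, which is now the whole decision a caller makes. Suggest a docstring such as `"""Import profile_data as profile_id via the RA certprofile backend. If a profile of that name already exists it is replaced when overwrite is true and left untouched otherwise."""`, after checking the keep path, which lies outside this hunk. The new comment block above the `migrate_profiles_to_ldap` call also ends in a bare `#` line directly before the call; drop that line. The function body continues past the end of the hunk.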
@@ -1831,9 +1838,8 @@ def _create_dogtag_profile(profile_id, profile_data):
root_logger.debug("Error migrating '{}': {}".format(
profile_id, e))
|
|
|
db5969 |
|
|
|
db5969 |
- # conflicting profile; replace it if we are
- # installing IPA, but keep it for upgrades
- if api.env.context == 'installer':
+ # profile already exists
+ if overwrite:
try:
profile_api.disable_profile(profile_id)
except errors.RemoteRetrieveError:
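Review bot: With `if overwrite:` the keep-existing case becomes the normal outcome on replicas, yet the only record of it is the debug-level `Error migrating '{}': {}` message above, which reads as a failure rather than a deliberate skip. Whether a replica kept or replaced a profile is exactly what an administrator needs when tracing profile drift, so suggest logging the decision before the branch, e.g. `root_logger.debug("Profile '%s' already exists; %s", profile_id, "replacing" if overwrite else "keeping")`, or an info-level line in the keep path if it has none (that path is outside the hunk). The enclosing function continues beyond the hunk.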
--
2.5.5