From d1470a8a5d2f39b57d8d66e8d0d7e8437fcd2ae4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related
 IPA config entries

When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to the nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of the CA subsystem on the replica
should remove this entry from the config so that all certificate requests are
handled by the freshly installed local CA.

https://fedorahosted.org/freeipa/ticket/5506

Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/ca.py                    | 16 ----------------
 ipaserver/install/cainstance.py            | 18 ++++++++++++++++++
 ipaserver/install/server/replicainstall.py |  3 +++
 3 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38..b4db8dcbfad9d482e7106cd06b3d497ccf8954f0 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -12,7 +12,6 @@ from ipaplatform.paths import paths
 from ipaserver.install import installutils, certs
 from ipaserver.install.replication import replica_conn_check
 from ipalib import api, certstore, x509
-from ConfigParser import RawConfigParser
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 
@@ -240,21 +239,6 @@ def install_step_1(standalone, replica_config, options):
     if standalone:
         ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
 
-        # Update config file
-        try:
-            parser = RawConfigParser()
-            parser.read(paths.IPA_DEFAULT_CONF)
-            parser.set('global', 'enable_ra', 'True')
-            parser.set('global', 'ra_plugin', 'dogtag')
-            parser.set('global', 'dogtag_version',
-                       str(dogtag_constants.DOGTAG_VERSION))
-            with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-                parser.write(f)
-        except IOError, e:
-            print "Failed to update /etc/ipa/default.conf"
-            root_logger.error(str(e))
-            sys.exit(1)
-
         # We need to restart apache as we drop a new config file in there
         services.knownservices.httpd.restart(capture_output=True)
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1a98c438786ae7dad208212fff23e3a760c95b3c..b06760308865aa42afac79d6750f4a422a5c8f95 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -482,6 +482,8 @@ class CAInstance(DogtagInstance):
             self.step("importing IPA certificate profiles",
                       import_included_profiles)
             self.step("adding default CA ACL", ensure_default_caacl)
+            self.step("updating IPA configuration",
+                      lambda: update_ipa_conf(self.dogtag_constants))
 
         self.start_creation(runtime=210)
 
@@ -1880,6 +1882,22 @@ def ensure_default_caacl():
         api.Backend.ldap2.disconnect()
 
 
+def update_ipa_conf(dogtag_constants):
+    """
+    Update IPA configuration file to ensure that RA plugins are enabled and
+    that CA host points to localhost
+    """
+    parser = ConfigParser.RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_ra', 'True')
+    parser.set('global', 'ra_plugin', 'dogtag')
+    parser.set('global', 'dogtag_version',
+               str(dogtag_constants.DOGTAG_VERSION))
+    parser.remove_option('global', 'ca_host')
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
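Review bot: `update_ipa_conf` rewrites `/etc/ipa/default.conf` in place with `open(..., 'w')`, so an IOError raised between the truncating open and `parser.write` leaves the server with an empty or partial config, and the deleted block in ca.py that caught IOError and exited with a message has no counterpart here — whether `start_creation` surfaces the exception usefully is not visible in this hunk. Writing to a temporary file in the same directory and renaming it over the original makes the update atomic, and copying the original's mode onto it keeps the file's permissions (mkstemp creates it 0600); this assumes `os`, `tempfile` and `shutil` are importable in cainstance.py, which the hunk does not show. A check that `parser.read` actually read the file is also worth adding, since a missing file otherwise surfaces as a NoSectionError on the first `parser.set`. The docstring says the CA host "points to localhost" while the code removes the option; the docstring below states what the code does. The `if __name__ == "__main__"` block at the end continues outside the hunk.
```python
def update_ipa_conf(dogtag_constants):
    """
    Enable the dogtag RA plugin and drop ca_host so that certificate
    requests are handled by the local CA instead of a remote master.
    """
    parser = ConfigParser.RawConfigParser()
    if not parser.read(paths.IPA_DEFAULT_CONF):
        raise RuntimeError("Cannot read %s" % paths.IPA_DEFAULT_CONF)
    # … unchanged: parser.set() calls and remove_option('global', 'ca_host') …
    # Write to a sibling temp file and rename it over the original so a
    # failure mid-write cannot leave a truncated default.conf behind.
    fd, tmp_path = tempfile.mkstemp(
        dir=os.path.dirname(paths.IPA_DEFAULT_CONF), prefix='default.conf.')
    try:
        with os.fdopen(fd, 'w') as f:
            parser.write(f)
        shutil.copymode(paths.IPA_DEFAULT_CONF, tmp_path)
        os.rename(tmp_path, paths.IPA_DEFAULT_CONF)
    except (IOError, OSError):
        os.unlink(tmp_path)
        raise
```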
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 317eda92dd4322542f035c2df4dba919a5898cc7..2ab95add90d33eb191d4e75b62cb4eceac40551b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -378,6 +378,9 @@ def install_check(installer):
             fd.write("ra_plugin=dogtag\n")
             fd.write("dogtag_version=%s\n" %
                      dogtag.install_constants.DOGTAG_VERSION)
+
+            if not config.setup_ca:
+                fd.write("ca_host={0}\n".format(config.master_host_name))
         else:
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
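Review bot: The new `ca_host` line takes `config.master_host_name`, the master the replica is prepared against, but nothing in this hunk checks that this host actually runs a CA, whereas the commit message promises the "nearest CA master"; if that master is itself CA-less, every certificate request from the replica is forwarded to a host that cannot serve it. Whether `config` or the replica file carries a CA-capability flag is not visible here, so at minimum the branch deserves `# assumes the master this replica was prepared from runs a CA — verify before writing ca_host`, and ideally a check against the master's installed services before the write. `install_check` begins and ends outside this hunk.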
-- 
2.5.0