From c9fb09190ac243bcf45622693944d7e6785141b4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 28 Aug 2017 10:50:58 +0200
Subject: [PATCH] Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This
entry already exists
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.
To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.
https://pagure.io/freeipa/issue/7125
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
install/updates/90-post_upgrade_plugins.update | 1 +
ipalib/install/certstore.py | 19 +++++
.../plugins/update_fix_duplicate_cacrt_in_ldap.py | 84 ++++++++++++++++++++++
ipaserver/install/plugins/upload_cacrt.py | 19 ++++-
4 files changed, 120 insertions(+), 3 deletions(-)
create mode 100644 ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 8477199e07d6729d5847e58bfa67d061bd1410c2..bbc3e29422fc0f139c2ca68a7033863e4c25f8cf 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -15,6 +15,7 @@ plugin: update_ca_renewal_master
plugin: update_idrange_type
plugin: update_pacs
plugin: update_service_principalalias
+plugin: update_fix_duplicate_cacrt_in_ldap
plugin: update_upload_cacrt
# update_ra_cert_store has to be executed after update_ca_renewal_master
plugin: update_ra_cert_store
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index bc2079fb12873444cbe6796eebfdfcfebd0e284d..76181fe47de585974f3fb33ec586f5c576adebb5 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -27,6 +27,7 @@ from pyasn1.error import PyAsn1Error
from ipapython.dn import DN
from ipapython.certdb import get_ca_nickname, TrustFlags
from ipalib import errors, x509
+from ipalib.constants import IPA_CA_CN
def _parse_cert(dercert):
try:
@@ -381,3 +382,21 @@ def get_ca_certs_nss(ldap, base_dn, compat_realm, compat_ipa_ca,
nss_certs.append((cert, nickname, trust_flags))
return nss_certs
+
+
+def get_ca_subject(ldap, container_ca, base_dn):
+ """
+ Look for the IPA CA certificate subject.
+ """
+ dn = DN(('cn', IPA_CA_CN), container_ca, base_dn)
+ try:
+ cacert_subject = ldap.get_entry(dn)['ipacasubjectdn'][0]
+ except errors.NotFound:
+ # if the entry doesn't exist, we are dealing with a pre-v4.4
+ # installation, where the default CA subject was always based
+ # on the subject_base.
+ attrs = ldap.get_ipa_config()
+ subject_base = attrs.get('ipacertificatesubjectbase')[0]
+ cacert_subject = DN(('CN', 'Certificate Authority'), subject_base)
+
+ return cacert_subject
diff --git a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
new file mode 100644
index 0000000000000000000000000000000000000000..cd4f13a8eb6b5bc9e04fcdd407907497528f8be1
--- /dev/null
+++ b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
@@ -0,0 +1,84 @@
+# Authors:
+# Florence Blanc-Renaud <flo@redhat.com>
+#
+# Copyright (C) 2017 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import logging
+
+from ipalib import Registry, errors
+from ipalib import Updater
+from ipalib.install import certstore
+from ipapython.dn import DN
+from ipapython.certdb import get_ca_nickname
+
+logger = logging.getLogger(__name__)
+
+register = Registry()
+
+
+@register()
+class update_fix_duplicate_cacrt_in_ldap(Updater):
+ """
+ When multiple entries exist for IPA CA cert in ldap, remove the duplicate
+
+ After this plugin, ds needs to be restarted. This ensures that
+ the attribute uniqueness plugin is working and prevents
+ other plugins from adding duplicates.
+ """
+
+ def execute(self, **options):
+ # If CA is disabled, no need to check for duplicates of IPA CA
+ ca_enabled = self.api.Command.ca_is_enabled()['result']
+ if not ca_enabled:
+ return True, []
+
+ # Look for the IPA CA cert subject
+ ldap = self.api.Backend.ldap2
+ cacert_subject = certstore.get_ca_subject(
+ ldap,
+ self.api.env.container_ca,
+ self.api.env.basedn)
+
+ # Find if there are other certificates with the same subject
+ # They are duplicates resulting of BZ 1480102
+ base_dn = DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
+ self.api.env.basedn)
+ try:
+ filter = ldap.make_filter({'ipaCertSubject': cacert_subject})
+ result, _truncated = ldap.find_entries(
+ base_dn=base_dn,
+ filter=filter,
+ attrs_list=[])
+ except errors.NotFound:
+ # No duplicate, we're good
+ logger.debug("No duplicates for IPA CA in LDAP")
+ return True, []
+
+ logger.debug("Found %d entrie(s) for IPA CA in LDAP", len(result))
+ cacert_dn = DN(('cn', get_ca_nickname(self.api.env.realm)), base_dn)
+ for entry in result:
+ if entry.dn == cacert_dn:
+ continue
+ # Remove the duplicate
+ try:
+ ldap.delete_entry(entry)
+ logger.debug("Removed the duplicate %s", entry.dn)
+ except Exception as e:
+ logger.warning("Failed to remove the duplicate %s: %s",
+ entry.dn, e)
+
+ return True, []
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index a1957ca5b675b86f0df36dc820ee31305f54f863..985b74c06e80a3620eb6454c0bd9c7590b04184d 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -20,7 +20,7 @@
from ipalib.install import certstore
from ipaplatform.paths import paths
from ipaserver.install import certs
-from ipalib import Registry, errors
+from ipalib import Registry, errors, x509
from ipalib import Updater
from ipapython import certdb
from ipapython.dn import DN
@@ -41,6 +41,10 @@ class update_upload_cacrt(Updater):
ca_enabled = self.api.Command.ca_is_enabled()['result']
if ca_enabled:
ca_nickname = certdb.get_ca_nickname(self.api.env.realm)
+ ca_subject = certstore.get_ca_subject(
+ self.api.Backend.ldap2,
+ self.api.env.container_ca,
+ self.api.env.basedn)
else:
ca_nickname = None
server_certs = db.find_server_certs()
@@ -54,9 +58,18 @@ class update_upload_cacrt(Updater):
for nickname, trust_flags in db.list_certs():
if trust_flags.has_key:
continue
- if nickname == ca_nickname and ca_enabled:
- trust_flags = certdb.IPA_CA_TRUST_FLAGS
cert = db.get_cert_from_db(nickname, pem=False)
+ subject = DN(
+ x509.load_certificate(cert, datatype=x509.DER).subject)
+ if ca_enabled and subject == ca_subject:
+ # When ca is enabled, we can have the IPA CA cert stored
+ # in the nss db with a different nickname (for instance
+ # when the server was installed with --subject to
+ # customize the CA cert subject), but it must always be
+ # stored in LDAP with the DN cn=$DOMAIN IPA CA
+ # This is why we check the subject instead of the nickname here
+ nickname = ca_nickname
+ trust_flags = certdb.IPA_CA_TRUST_FLAGS
trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
--
2.13.5