From 2e031c9469f0313014dbe8c47d0be3fee370f287 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 13 Mar 2014 08:25:11 +0100
Subject: [PATCH] Update Dogtag 9 database during replica installation

When a Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
based master, the PKI database is not updated and misses several ACLs
which prevent some of the PKI functions, e.g. the ability to create
other clones.

Add an update file to do the database update. Content is based on
recommendation from PKI team:
   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9

This update file can be removed when Dogtag database upgrades are done
in PKI component. Upstream tickets:
   * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
   * https://fedorahosted.org/pki/ticket/906 (checking database version)

Also make sure that the PKI service is restarted at the end of the installation
like the other services, to make sure it picks up changes done during LDAP
updates.

https://fedorahosted.org/freeipa/ticket/4243
---
 install/tools/ipa-replica-install            |  4 ++++
 install/tools/ipa-server-install             |  4 ++++
 install/updates/50-dogtag10-migration.update | 18 ++++++++++++++++++
 install/updates/Makefile.am                  |  1 +
 4 files changed, 27 insertions(+)
 create mode 100644 install/updates/50-dogtag10-migration.update

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e039fd1e7cb213b3269d0a5d2305a96f68e36e29..4418b41784313121e73b560ee84715ddeba8bc54 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -704,6 +704,10 @@ def main():
     service.print_msg("Restarting the KDC")
     krb.restart()
 
+    if CA and config.setup_ca:
+        service.print_msg("Restarting the certificate server")
+        CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+
     if options.setup_dns:
         install_bind(config, options)
 
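Review bot: A failure of `CA.restart(...)` at this point aborts the replica installation after replication and the KDC are already configured, leaving a half-finished replica; consider catching the exception, logging it, and telling the admin to restart the CA manually, as a restart failure here is recoverable while an aborted install is not. The guard `if CA and config.setup_ca:` is correct (CA is only instantiated when a CA is being set up), but note that the restart runs regardless of whether the ACL update file actually changed anything, so the comment in the commit message about "picking up LDAP updates" is the only place that explains why this restart exists; a one-line code comment above the block would help the next reader.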
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 458ebba550d0fe7675bd874e23c7d730c53297e6..dfbbb91bf3bb8461333193b5a3e72c3ec06d4582 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1186,6 +1186,10 @@ def main():
     service.print_msg("Restarting the KDC")
     krb.restart()
 
+    if setup_ca:
+        service.print_msg("Restarting the certificate server")
+        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+
     # Create a BIND instance
     bind = bindinstance.BindInstance(fstore, dm_password)
     bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders,
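Review bot: This block duplicates the replica-install hunk verbatim apart from `ca` vs `CA` and `setup_ca` vs `config.setup_ca`; the message string and the `dogtag.configured_constants().PKI_INSTANCE_NAME` lookup are repeated in both installers. A small shared helper (e.g. in the CA install module) that restarts the configured instance and prints the message would keep the two in sync the next time the instance-name lookup changes. Same remark as for the replica hunk regarding error handling of a failed restart.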
diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
new file mode 100644
index 0000000000000000000000000000000000000000..d718923544f0cb00f61b7b56940695e3891c4780
--- /dev/null
+++ b/install/updates/50-dogtag10-migration.update
@@ -0,0 +1,18 @@
+# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
+# based replica is being installed from a Dogtag 9 based replica,
+# the database will miss ACLs added in Dogtag 10 resulting in limited
+# functionality.
+#
+# This update file can be removed when Dogtag database upgrades are done
+# in PKI component. Upstream tickets:
+#    * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
+#    * https://fedorahosted.org/pki/ticket/906 (checking database version)
+
+dn: cn=aclResources,o=ipaca
+addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
+addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
+addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations'
+addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations'
+addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations'
+replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
+replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
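Review bot: The two `replace:` lines only take effect when the existing attribute value matches the old value before the `::` separator byte for byte; a Dogtag 9 database whose `domainxml` or `connectorInfo` ACL text differs even by whitespace or wording will silently keep the old ACL and the installer reports success, which is exactly the situation the commit tries to fix. Consider checking the updater output on a real Dogtag 9 master, or using a form that matches on the ACL name rather than the full string. Both replacements also widen who may modify `domain.xml` (all "Enterprise * Administrators" groups) and the KRA connector information ("Subsystem Group"); since these are authorization changes to the CA, the header comment should state that they mirror the Dogtag 10 defaults (per the referenced bugzilla comment) so a later reader does not mistake them for an IPA-specific loosening. Minor: "it's database" in the first comment line should be "its database", and the comment says the replica is installed "from a Dogtag 9 based replica" while the commit message says "master".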
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 40c3b3c8916faa267254a29d0f458ca53201950c..fb73c410dbcd1978c3a5deeb184dc10cdba866ae 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -36,6 +36,7 @@ app_DATA =				\
 	40-otp.update			\
 	45-roles.update			\
 	50-7_bit_check.update	        \
+	50-dogtag10-migration.update	\
 	50-lockout-policy.update	\
 	50-groupuuid.update		\
 	50-hbacservice.update		\
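Review bot: The new entry is placed between `50-7_bit_check.update` and `50-lockout-policy.update`, which follows the partial alphabetical order of the surrounding lines, but the list itself is not consistently sorted (`50-lockout-policy` precedes `50-groupuuid`); since the updater applies files in filename order regardless of this list, ordering here is cosmetic, and the only real requirement is that the file is also added to any packaging manifest (spec file) that enumerates update files, which this diff does not touch. Worth confirming before merge, as an update file missing from the package would make the restart added in the installer hunks pointless on installed systems.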
-- 
1.8.5.3