From d1470a8a5d2f39b57d8d66e8d0d7e8437fcd2ae4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related IPA config entries

When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to nearest CA master and all certificate requests are forwarded to it. A subsequent installation of CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by freshly installed local CA.

https://fedorahosted.org/freeipa/ticket/5506

Reviewed-By: Martin Basti
---
 ipaserver/install/ca.py | 16 ----------------
 ipaserver/install/cainstance.py | 18 ++++++++++++++++++
 ipaserver/install/server/replicainstall.py | 3 +++
 3 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38..b4db8dcbfad9d482e7106cd06b3d497ccf8954f0 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -12,7 +12,6 @@
 from ipaplatform.paths import paths
 from ipaserver.install import installutils, certs
 from ipaserver.install.replication import replica_conn_check
 from ipalib import api, certstore, x509
-from ConfigParser import RawConfigParser
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
@@ -240,21 +239,6 @@ def install_step_1(standalone, replica_config, options):
     if standalone:
         ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
 
-    # Update config file
-    try:
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_ra', 'True')
-        parser.set('global', 'ra_plugin', 'dogtag')
-        parser.set('global', 'dogtag_version',
-                   str(dogtag_constants.DOGTAG_VERSION))
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
-    except IOError, e:
-        print "Failed to update /etc/ipa/default.conf"
-        root_logger.error(str(e))
-        sys.exit(1)
-
     # We need to restart apache as we drop a new config file in there
     services.knownservices.httpd.restart(capture_output=True)
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1a98c438786ae7dad208212fff23e3a760c95b3c..b06760308865aa42afac79d6750f4a422a5c8f95 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -482,6 +482,8 @@ class CAInstance(DogtagInstance):
         self.step("importing IPA certificate profiles",
                   import_included_profiles)
         self.step("adding default CA ACL", ensure_default_caacl)
+        self.step("updating IPA configuration",
+                  lambda: update_ipa_conf(self.dogtag_constants))
 
         self.start_creation(runtime=210)
 
@@ -1880,6 +1882,22 @@ def ensure_default_caacl():
     api.Backend.ldap2.disconnect()
 
 
+def update_ipa_conf(dogtag_constants):
+    """
+    Update IPA configuration file to ensure that RA plugins are enabled and
+    that CA host points to localhost
+    """
+    parser = ConfigParser.RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_ra', 'True')
+    parser.set('global', 'ra_plugin', 'dogtag')
+    parser.set('global', 'dogtag_version',
+               str(dogtag_constants.DOGTAG_VERSION))
+    parser.remove_option('global', 'ca_host')
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
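Review bot: `update_ipa_conf` rewrites /etc/ipa/default.conf in place with `open(paths.IPA_DEFAULT_CONF, 'w')`, so a failure between the truncation and `parser.write` (disk full, crash, or a `NoSectionError` from `parser.set` after `parser.read` silently skipped a missing file) leaves the server's main configuration empty, and the `try/except IOError` with its explicit message that this patch removes from ca.py is not carried over, so such an error presumably surfaces only as whatever the step runner reports. Writing to a sibling temporary file and renaming it over the original keeps the previous file intact on any failure (see below; this needs `os` to be imported in cainstance.py, which the hunk does not show, and if default.conf is shipped with non-default permissions the mode should be copied onto the temp file first). The docstring says "CA host points to localhost" while the code deletes `ca_host`; suggest `Remove ca_host so certificate requests are handled by the local CA instead of being forwarded to another master` to describe what actually happens. Also worth confirming that cainstance.py already imports `ConfigParser`, since the only import of it visible in this patch is the one removed from ca.py.
```python
def update_ipa_conf(dogtag_constants):
    # … unchanged: docstring, parser.read and the parser.set/remove_option calls …
    # Write to a temp file in the same directory and rename it over the
    # original so a failure mid-write never leaves default.conf truncated.
    tmp_conf = paths.IPA_DEFAULT_CONF + '.tmp'
    with open(tmp_conf, 'w') as f:
        parser.write(f)
    os.rename(tmp_conf, paths.IPA_DEFAULT_CONF)
```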
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 317eda92dd4322542f035c2df4dba919a5898cc7..2ab95add90d33eb191d4e75b62cb4eceac40551b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -378,6 +378,9 @@ def install_check(installer):
             fd.write("ra_plugin=dogtag\n")
             fd.write("dogtag_version=%s\n" %
                      dogtag.install_constants.DOGTAG_VERSION)
+
+            if not config.setup_ca:
+                fd.write("ca_host={0}\n".format(config.master_host_name))
         else:
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
-- 
2.5.0
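Review bot: The added line writes `config.master_host_name` as `ca_host`, i.e. the master this replica is being set up against, whereas the commit message promises the nearest CA master; nothing in the hunk checks that that master actually runs a CA, so in a topology where the replica's master is itself CA-less the RA would forward every certificate request to a host that cannot serve them. If the enclosing condition (which starts outside the hunk, as does `install_check`) already guarantees that `config.master_host_name` has a CA, a comment saying so would spare the next reader the same question; otherwise the value should come from a lookup of the CA servers in the topology rather than from the replication master. The value is also a fixed hostname, so if that CA master is later decommissioned this replica keeps forwarding to it until default.conf is edited by hand, which deserves at least a comment such as `# CA-less replica: forward cert requests to the master we replicate from (it must run a CA)`.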