use LDAPS during standalone CA/KRA subsystem deployment
The deployment descriptor used during CA/KRA install was modified to use LDAPS to communicate with the DS backend. This enables standalone CA/KRA installation on top of a hardened directory server configuration. https://fedorahosted.org/freeipa/ticket/5570 Reviewed-By: Tomas Babej <tbabej@redhat.com>
This commit is contained in:
committed by
Tomas Babej
parent
02d3ea1062
commit
276d16775a
@@ -480,6 +480,9 @@ class CAInstance(DogtagInstance):
|
||||
config.set("CA", "pki_ds_base_dn", self.basedn)
|
||||
config.set("CA", "pki_ds_database", "ipaca")
|
||||
|
||||
if not self.create_ra_agent_db and not self.clone:
|
||||
self._use_ldaps_during_spawn(config)
|
||||
|
||||
# Certificate subject DN's
|
||||
config.set("CA", "pki_subsystem_subject_dn",
|
||||
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
|
||||
|
||||
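Review bot: The guard `if not self.create_ra_agent_db and not self.clone:` carries no comment saying why only this case switches the DS connection to LDAPS, while the KRA hunk (`@@ -182,6 +182,8 @@`) calls `_use_ldaps_during_spawn` unconditionally, so a reader cannot tell whether CA clones and installs that create the RA agent DB are meant to stay on plain LDAP or were simply not covered. Presumably `not self.create_ra_agent_db` is the marker for a standalone CA, matching the commit message, but that is inferred rather than visible here. I would add above the guard `# standalone (non-clone) CA only: reach the DS backend over LDAPS during pkispawn` and, if the other cases are intentionally left on the plain port, state that in the same comment. The enclosing method starts and ends outside the hunk.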
@@ -500,3 +500,9 @@ class DogtagInstance(service.Service):
|
||||
for group in self.admin_groups:
|
||||
self.__remove_admin_from_group(group)
|
||||
self.admin_conn.delete_entry(self.admin_dn)
|
||||
|
||||
def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
|
||||
config.set(self.subsystem, "pki_ds_ldaps_port", "636")
|
||||
config.set(self.subsystem, "pki_ds_secure_connection", "True")
|
||||
config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
|
||||
ds_cacert)
|
||||
|
||||
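Review bot: `_use_ldaps_during_spawn` has no docstring, and the port is a bare string literal `"636"` with no comment, so neither what the method configures nor what `ds_cacert` must contain is visible to callers. The secure connection can only be verified if the DS server certificate chains to the PEM file passed as `ds_cacert` (default `paths.IPA_CA_CRT`), so a directory server using a certificate from another issuer would need a different file; that assumption is worth writing down. I would add a docstring of the form `"""Point pkispawn at the DS backend over LDAPS (port 636), trusting ds_cacert as the CA bundle."""` and `# standard LDAPS port` on the `pki_ds_ldaps_port` line. The rest of DogtagInstance lies outside the hunk.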
@@ -182,6 +182,8 @@ class KRAInstance(DogtagInstance):
|
||||
config.set("KRA", "pki_ds_database", "ipaca")
|
||||
config.set("KRA", "pki_ds_create_new_db", "False")
|
||||
|
||||
self._use_ldaps_during_spawn(config)
|
||||
|
||||
# Certificate subject DNs
|
||||
config.set("KRA", "pki_subsystem_subject_dn",
|
||||
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
|
||||
|
||||