Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3

ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.

Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.

Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fraser Tweedale 2016-06-30 21:01:07 +10:00 committed by Petr Vobornik
parent 5e78b54d7c
commit 3691e39a62
2 changed files with 12 additions and 4 deletions


@ -1701,7 +1701,7 @@ def ensure_ldap_profiles_container():
) )
def ensure_lightweight_cas_container(): def ensure_lightweight_cas_container():
ensure_entry( return ensure_entry(
DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')),
objectclass=['top', 'organizationalUnit'], objectclass=['top', 'organizationalUnit'],
ou=['authorities'], ou=['authorities'],
@ -1709,6 +1709,12 @@ def ensure_lightweight_cas_container():
def ensure_entry(dn, **attrs): def ensure_entry(dn, **attrs):
"""Ensure an entry exists.
If an entry with the given DN already exists, return ``False``,
otherwise add the entry and return ``True``.
"""
server_id = installutils.realm_to_serverid(api.env.realm) server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
@ -1718,12 +1724,14 @@ def ensure_entry(dn, **attrs):
try: try:
conn.get_entry(dn) conn.get_entry(dn)
return False
except errors.NotFound: except errors.NotFound:
# entry doesn't exist; add it # entry doesn't exist; add it
entry = conn.make_entry(dn, **attrs) entry = conn.make_entry(dn, **attrs)
conn.add_entry(entry) conn.add_entry(entry)
return True
conn.disconnect() finally:
conn.disconnect()
def configure_profiles_acl(): def configure_profiles_acl():
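Review bot: The new docstring on `ensure_entry` documents the True/False return but not what it is now used for. Per the commit message, a True result from `ensure_lightweight_cas_container` is what tells the upgrader that Dogtag must be restarted. I would add a line such as `Callers use the return value to decide whether Dogtag needs a restart.` and give `ensure_lightweight_cas_container` a one-line docstring saying it returns whether the container entry was created. A False result only means an entry with that DN exists, since `get_entry` does not compare the existing entry with `attrs`; that limit is worth stating in the docstring too. Both function bodies extend outside the hunks shown.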


@ -1747,6 +1747,7 @@ def upgrade_configuration():
ca_enable_pkix(ca), ca_enable_pkix(ca),
ca_configure_profiles_acl(ca), ca_configure_profiles_acl(ca),
ca_configure_lightweight_ca_acls(ca), ca_configure_lightweight_ca_acls(ca),
ca_ensure_lightweight_cas_container(ca),
ca_add_default_ocsp_uri(ca), ca_add_default_ocsp_uri(ca),
]) ])
@ -1758,7 +1759,6 @@ def upgrade_configuration():
except ipautil.CalledProcessError as e: except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e) root_logger.error("Failed to restart %s: %s", ca.service_name, e)
ca_ensure_lightweight_cas_container(ca)
ca_enable_ldap_profile_subsystem(ca) ca_enable_ldap_profile_subsystem(ca)
# This step MUST be done after ca_enable_ldap_profile_subsystem and # This step MUST be done after ca_enable_ldap_profile_subsystem and
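Review bot: A failed restart is only logged in the `except ipautil.CalledProcessError` branch shown as context, and the upgrade then carries on into `ca_enable_ldap_profile_subsystem(ca)`. After this change the lightweight CAs container depends on that restart having taken effect, so a failed restart would presumably resurface later as the same host-authority failure, with a less obvious cause. Consider aborting the upgrade there, for example a bare `raise` after the `root_logger.error(...)` line, or at least a comment such as `# later steps assume Dogtag was restarted after the lightweight CAs container was added`. The new list entry also only triggers a restart if the `ca_ensure_lightweight_cas_container(ca)` wrapper passes the boolean through, and that wrapper is not visible in this hunk. The body of `upgrade_configuration` continues outside the hunk.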