IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Migrate CA profiles after enabling LDAPProfileSubsystem

Browse Source 
After enabling LDAPProfileSubsystem in Dogtag, migrate the
file-based profiles into the LDAP database.

Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Fraser Tweedale 2015-06-16 07:38:06 -04:00 committed by Tomas Babej
parent 6e641e8d18
commit 3827137b32
2 changed files with 113 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
ipaserver/install/cainstance.py
View File

@ -1639,6 +1639,29 @@ def update_people_entry(dercert):
return True
def ensure_ldap_profiles_container():
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
if not conn.isconnected():
conn.connect(autobind=True)
dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
try:
conn.get_entry(dn)
except errors.NotFound:
# entry doesn't exist; add it
entry = conn.make_entry(
dn,
objectclass=['top', 'organizationalUnit'],
ou=['certificateProfiles'],
)
conn.add_entry(entry)
conn.disconnect()
def configure_profiles_acl():
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
@ -1677,6 +1700,9 @@ def import_included_profiles():
if not conn.isconnected():
conn.connect(autobind=True)
api.Backend.ra_certprofile._read_password()
api.Backend.ra_certprofile.override_port = 8443
for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
dn = DN(('cn', profile_id),
api.env.container_certprofile, api.env.basedn)
@ -1685,9 +1711,6 @@ def import_included_profiles():
continue # the profile is present
except errors.NotFound:
# profile not found; add it
profile_data = ipautil.template_file(
'/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
entry = conn.make_entry(
dn,
objectclass=['ipacertprofile'],
@ -1696,8 +1719,67 @@ def import_included_profiles():
ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
)
conn.add_entry(entry)
profile_data = ipautil.template_file(
'/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
_create_dogtag_profile(profile_id, profile_data)
root_logger.info("Imported profile '%s'", profile_id)
api.Backend.ra_certprofile.override_port = None
conn.disconnect()
def migrate_profiles_to_ldap():
"""Migrate profiles from filesystem to LDAP.
This must be run *after* switching to the LDAPProfileSubsystem
and restarting the CA.
The profile might already exist, e.g. if a replica was already
upgraded, so this case is ignored.
"""
ensure_ldap_profiles_container()
api.Backend.ra_certprofile._read_password()
api.Backend.ra_certprofile.override_port = 8443
with open(dogtag.configured_constants().CS_CFG_PATH) as f:
cs_cfg = f.read()
match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
profile_ids = match.group(1).split(',')
for profile_id in profile_ids:
match = re.search(
r'^profile\.{}\.config=(\S*)'.format(profile_id),
cs_cfg, re.MULTILINE
)
if match is None:
root_logger.info("No file for profile '%s'; skipping", profile_id)
continue
filename = match.group(1)
match = re.search(
r'^profile\.{}\.class_id=(\S*)'.format(profile_id),
cs_cfg, re.MULTILINE
)
if match is None:
root_logger.info("No class_id for profile '%s'; skipping", profile_id)
continue
class_id = match.group(1)
root_logger.info("Migrating profile '%s' to LDAP", profile_id)
with open(filename) as f:
profile_data = f.read()
if profile_data[-1] != '\n':
profile_data += '\n'
profile_data += 'profileId={}\n'.format(profile_id)
profile_data += 'classId={}\n'.format(class_id)
_create_dogtag_profile(profile_id, profile_data)
api.Backend.ra_certprofile.override_port = None
def _create_dogtag_profile(profile_id, profile_data):
with api.Backend.ra_certprofile as profile_api:
# import the profile
try:
@ -1709,7 +1791,9 @@ def import_included_profiles():
try:
profile_api.disable_profile(profile_id)
except errors.RemoteRetrieveError:
pass
root_logger.debug(
"Failed to disable profile '%s' "
"(it is probably already disabled)")
profile_api.delete_profile(profile_id)
profile_api.create_profile(profile_data)
@ -1717,12 +1801,10 @@ def import_included_profiles():
try:
profile_api.enable_profile(profile_id)
except errors.RemoteRetrieveError:
pass
root_logger.debug(
"Failed to enable profile '%s' "
"(it is probably already enabled)")
api.Backend.ra_certprofile.override_port = None
root_logger.info("Imported profile '%s'", profile_id)
conn.disconnect()
if __name__ == "__main__":
standard_logging_setup("install.log")

7
ipaserver/install/server/upgrade.py
View File

@ -333,8 +333,8 @@ def ca_enable_ldap_profile_subsystem(ca):
quotes=False,
separator='=')
# TODO import file-based profiles into Dogtag
# More code needed on Dogtag side for this.
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
cainstance.migrate_profiles_to_ldap()
return needs_update
@ -1479,7 +1479,6 @@ def upgrade_configuration():
certificate_renewal_update(ca),
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),
ca_enable_ldap_profile_subsystem(ca),
])
if ca_restart:
@ -1489,6 +1488,8 @@ def upgrade_configuration():
except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)
ca_enable_ldap_profile_subsystem(ca)
# This step MUST be done after ca_enable_ldap_profile_subsystem and
# ca_configure_profiles_acl, and the consequent restart, but does not
# itself require a restart.