Fix migration from pre-lightweight CAs master

Some container objects are not added when migrating from a pre-lightweight CAs master, causing replica installation to fail. Make sure that the containers exist and add an explanatory comment. Fixes: https://fedorahosted.org/freeipa/ticket/5963 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-17 14:31:08 +10:00 · 2016-06-17 14:31:08 +10:00 · 3ac3882631
commit 3ac3882631
parent 0334693cfc
1 changed files with 30 additions and 1 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -416,6 +416,8 @@ class CAInstance(DogtagInstance):
            self.step("authorizing RA to modify profiles", configure_profiles_acl)
            self.step("authorizing RA to manage lightweight CAs",
                      configure_lightweight_ca_acls)
+            self.step("Ensure lightweight CAs container exists",
+                      ensure_lightweight_cas_container)
            self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
            self.step("configure certificate renewals", self.configure_renewal)
            if not self.clone:
@ -1345,6 +1347,8 @@ class CAInstance(DogtagInstance):
                  self.enable_pkix)
        self.step("set up client auth to db", self.__client_auth_to_db)
        self.step("destroying installation admin user", self.teardown_admin)
+        self.step("Ensure lightweight CAs container exists",
+                  ensure_lightweight_cas_container)
        self.step("Configure lightweight CA key retrieval",
                  self.setup_lightweight_ca_key_retrieval)
        self.step("starting instance", self.start_instance)
@ -1415,6 +1419,18 @@ class CAInstance(DogtagInstance):
        pent = pwd.getpwnam(constants.PKI_USER)

        root_logger.info('Creating Custodia keys')
+        custodia_basedn = DN(
+            ('cn', 'custodia'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+        ensure_entry(
+            custodia_basedn,
+            objectclass=['top', 'nsContainer'],
+            cn=['custodia'],
+        )
+        ensure_entry(
+            DN(('cn', 'dogtag'), custodia_basedn),
+            objectclass=['top', 'nsContainer'],
+            cn=['dogtag'],
+        )
        keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
        keystore = IPAKEMKeys({'server_keys': keyfile})
        keystore.generate_keys(service)
@ -1956,7 +1972,15 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite):


 def ensure_ipa_authority_entry():
-    """Add the IPA CA ipaCa object if missing."""
+    """Add the IPA CA ipaCa object if missing.
+
+    This requires the "host authority" authority entry to have been
+    created, which Dogtag will do automatically upon startup, if the
+    ou=authorities,ou=ca,o=ipaca container exists.  Therefore, the
+    ``ensure_lightweight_cas_container`` function must be executed,
+    and Dogtag restarted, before executing this function.
+
+    """

    # find out authority id, issuer DN and subject DN of IPA CA
    #
@ -1979,6 +2003,11 @@ def ensure_ipa_authority_entry():
            root_logger.error("Cannot connect to LDAP to add CA: %s", e)
            return

+    ensure_entry(
+        DN(api.env.container_ca, api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['cas'],
+    )
    ensure_entry(
        DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn),
        objectclass=['top', 'ipaca'],