use DM credentials to retrieve service keytab only in DL0

In DL0 directory manager password is bundled in the supplied replica file and
the replica installer can use it to authenticate against master when
retrieving service keytabs.

In DL1, however, DM credentials are generated randomly and used during local
DS instance creation. The proper DM password is imported by custodia much
later in the process. We must not allow the installer to contact the remote
master using this random password since it would fail.

https://fedorahosted.org/freeipa/ticket/6405

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Martin Babinsky 2016-11-08 16:24:18 +01:00 committed by Jan Cholasta
parent 4286f3885b
commit 6181844c0c


@ -167,6 +167,7 @@ class Service(object):
self.api = api self.api = api
self.service_user = service_user self.service_user = service_user
self.dm_password = None # silence pylint self.dm_password = None # silence pylint
self.promote = False
@property @property
def admin_conn(self): def admin_conn(self):
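Review bot: the new `self.promote = False` attribute is introduced in `__init__` without a comment saying what it controls, unlike the neighbouring `self.dm_password = None  # silence pylint`. Since the flag changes how the installer authenticates (it suppresses the Directory Manager bind during replica promotion), add a short comment such as `# True when this instance is being created during DL1 replica promotion; DM password is random and must not be used against the remote master` so the next reader does not have to trace the ldap command builder to understand it.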
@ -567,7 +568,7 @@ class Service(object):
if ldap_uri.startswith("ldapi://") and os.geteuid() == 0: if ldap_uri.startswith("ldapi://") and os.geteuid() == 0:
args.extend(["-Y", "EXTERNAL"]) args.extend(["-Y", "EXTERNAL"])
elif self.dm_password is not None: elif self.dm_password is not None and not self.promote:
args.extend( args.extend(
['-D', 'cn=Directory Manager', ['-D', 'cn=Directory Manager',
'-w', self.dm_password]) '-w', self.dm_password])
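Review bot: with `elif self.dm_password is not None and not self.promote:`, the promote case now falls out of the chain without appending any authentication option to `args`, so whether the resulting command binds with Kerberos or anonymously depends entirely on the caller having a valid credential cache. Consider making that intent explicit, either with an `else` branch that asserts or logs that GSSAPI credentials are expected when `self.promote` is set, or with a comment on the condition, so a missing ccache fails loudly rather than degrading to an unauthenticated bind against the remote master.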