mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
Add profiles and default CA ACL on migration
Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing. Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead. To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure. Also move the addition of the default CA ACL from dsinstance installation to cainstance installation. Fixes: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
parent
6fe0a89807
commit
620036d26e
@ -31,7 +31,6 @@ app_DATA = \
|
||||
caJarSigningCert.cfg.template \
|
||||
custodia.conf.template \
|
||||
default-aci.ldif \
|
||||
default-caacl.ldif \
|
||||
default-hbac.ldif \
|
||||
default-smb-group.ldif \
|
||||
default-trust-view.ldif \
|
||||
|
@ -1,11 +0,0 @@
|
||||
# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services
|
||||
dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX
|
||||
changetype: add
|
||||
objectclass: ipaassociation
|
||||
objectclass: ipacaacl
|
||||
ipauniqueid: autogenerate
|
||||
cn: hosts_services_caIPAserviceCert
|
||||
ipaenabledflag: TRUE
|
||||
ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX
|
||||
hostcategory: all
|
||||
servicecategory: all
|
@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi
|
||||
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
|
||||
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
|
||||
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
|
||||
addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
|
||||
|
@ -307,6 +307,14 @@ class caacl_del(LDAPDelete):
|
||||
|
||||
msg_summary = _('Deleted CA ACL "%(value)s"')
|
||||
|
||||
def pre_callback(self, ldap, dn, *keys, **options):
|
||||
if keys[0] == 'hosts_services_caIPAserviceCert':
|
||||
raise errors.ProtectedEntryError(
|
||||
label=_("CA ACL"),
|
||||
key=keys[0],
|
||||
reason=_("default CA ACL can be only disabled"))
|
||||
return dn
|
||||
|
||||
|
||||
@register()
|
||||
class caacl_mod(LDAPUpdate):
|
||||
|
@ -138,9 +138,10 @@ def install_step_0(standalone, replica_config, options):
|
||||
if standalone:
|
||||
api.Backend.ldap2.disconnect()
|
||||
|
||||
cainstance.install_replica_ca(replica_config, postinstall)
|
||||
cainstance.install_replica_ca(replica_config, postinstall,
|
||||
ra_p12=getattr(options, 'ra_p12', None))
|
||||
|
||||
if standalone:
|
||||
if standalone and not api.Backend.ldap2.isconnected():
|
||||
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
|
||||
bind_pw=dm_password)
|
||||
|
||||
|
@ -410,7 +410,7 @@ class CAInstance(DogtagInstance):
|
||||
cert_file=None, cert_chain_file=None,
|
||||
master_replication_port=None,
|
||||
subject_base=None, ca_signing_algorithm=None,
|
||||
ca_type=None):
|
||||
ca_type=None, ra_p12=None):
|
||||
"""Create a CA instance.
|
||||
|
||||
For Dogtag 9, this may involve creating the pki-ca instance.
|
||||
@ -484,7 +484,10 @@ class CAInstance(DogtagInstance):
|
||||
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
|
||||
self.step("issuing RA agent certificate", self.__issue_ra_cert)
|
||||
self.step("adding RA agent as a trusted user", self.__create_ca_agent)
|
||||
self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
|
||||
elif ra_p12 is not None:
|
||||
self.step("importing RA certificate from PKCS #12 file",
|
||||
lambda: self.import_ra_cert(ra_p12, configure_renewal=False))
|
||||
self.step("authorizing RA to modify profiles", configure_profiles_acl)
|
||||
self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
|
||||
self.step("configure certificate renewals", self.configure_renewal)
|
||||
if not self.clone:
|
||||
@ -492,9 +495,12 @@ class CAInstance(DogtagInstance):
|
||||
self.step("configure Server-Cert certificate renewal", self.track_servercert)
|
||||
self.step("Configure HTTP to proxy connections",
|
||||
self.http_proxy)
|
||||
if not self.clone:
|
||||
self.step("restarting certificate server", self.restart_instance)
|
||||
self.step("Importing IPA certificate profiles", import_included_profiles)
|
||||
self.step("restarting certificate server", self.restart_instance)
|
||||
self.step("migrating certificate profiles to LDAP",
|
||||
migrate_profiles_to_ldap)
|
||||
self.step("importing IPA certificate profiles",
|
||||
import_included_profiles)
|
||||
self.step("adding default CA ACL", ensure_default_caacl)
|
||||
|
||||
self.start_creation(runtime=210)
|
||||
|
||||
@ -921,7 +927,7 @@ class CAInstance(DogtagInstance):
|
||||
|
||||
export_kra_agent_pem()
|
||||
|
||||
def import_ra_cert(self, rafile):
|
||||
def import_ra_cert(self, rafile, configure_renewal=True):
|
||||
"""
|
||||
Cloned RAs will use the same RA agent cert as the master so we
|
||||
need to import from a PKCS#12 file.
|
||||
@ -937,7 +943,8 @@ class CAInstance(DogtagInstance):
|
||||
finally:
|
||||
os.remove(agent_name)
|
||||
|
||||
self.configure_agent_renewal()
|
||||
if configure_renewal:
|
||||
self.configure_agent_renewal()
|
||||
|
||||
export_kra_agent_pem()
|
||||
|
||||
@ -987,10 +994,6 @@ class CAInstance(DogtagInstance):
|
||||
|
||||
conn.disconnect()
|
||||
|
||||
def __configure_profiles_acl(self):
|
||||
"""Allow the Certificate Manager Agents group to modify profiles."""
|
||||
configure_profiles_acl()
|
||||
|
||||
def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
|
||||
if not database:
|
||||
database = self.ra_agent_db
|
||||
@ -1654,7 +1657,7 @@ def replica_ca_install_check(config):
|
||||
exit('IPA schema missing on master CA directory server')
|
||||
|
||||
|
||||
def install_replica_ca(config, postinstall=False):
|
||||
def install_replica_ca(config, postinstall=False, ra_p12=None):
|
||||
"""
|
||||
Install a CA on a replica.
|
||||
|
||||
@ -1691,7 +1694,7 @@ def install_replica_ca(config, postinstall=False):
|
||||
ca.create_ra_agent_db = False
|
||||
ca.configure_instance(config.host_name,
|
||||
config.dirman_password, config.dirman_password,
|
||||
pkcs12_info=(cafile,),
|
||||
pkcs12_info=(cafile,), ra_p12=ra_p12,
|
||||
master_host=config.master_host_name,
|
||||
master_replication_port=config.ca_ds_port,
|
||||
subject_base=config.subject_base)
|
||||
@ -1816,6 +1819,14 @@ def update_people_entry(dercert):
|
||||
return True
|
||||
|
||||
def ensure_ldap_profiles_container():
|
||||
ensure_entry(
|
||||
DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
|
||||
objectclass=['top', 'organizationalUnit'],
|
||||
ou=['certificateProfiles'],
|
||||
)
|
||||
|
||||
|
||||
def ensure_entry(dn, **attrs):
|
||||
server_id = installutils.realm_to_serverid(api.env.realm)
|
||||
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
|
||||
|
||||
@ -1823,40 +1834,39 @@ def ensure_ldap_profiles_container():
|
||||
if not conn.isconnected():
|
||||
conn.connect(autobind=True)
|
||||
|
||||
dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
|
||||
try:
|
||||
conn.get_entry(dn)
|
||||
except errors.NotFound:
|
||||
# entry doesn't exist; add it
|
||||
entry = conn.make_entry(
|
||||
dn,
|
||||
objectclass=['top', 'organizationalUnit'],
|
||||
ou=['certificateProfiles'],
|
||||
)
|
||||
entry = conn.make_entry(dn, **attrs)
|
||||
conn.add_entry(entry)
|
||||
|
||||
conn.disconnect()
|
||||
|
||||
|
||||
def configure_profiles_acl():
|
||||
"""Allow the Certificate Manager Agents group to modify profiles."""
|
||||
server_id = installutils.realm_to_serverid(api.env.realm)
|
||||
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
|
||||
updated = False
|
||||
|
||||
dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
|
||||
rule = (
|
||||
new_rules = [
|
||||
'certServer.profile.configuration:read,modify:allow (read,modify) '
|
||||
'group="Certificate Manager Agents":'
|
||||
'Certificate Manager agents may modify (create/update/delete) and read profiles'
|
||||
)
|
||||
modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]
|
||||
'Certificate Manager agents may modify (create/update/delete) and read profiles',
|
||||
|
||||
'certServer.ca.account:login,logout:allow (login,logout) '
|
||||
'user="anybody":Anybody can login and logout',
|
||||
]
|
||||
|
||||
conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
|
||||
if not conn.isconnected():
|
||||
conn.connect(autobind=True)
|
||||
rules = conn.get_entry(dn).get('resourceACLS', [])
|
||||
if rule not in rules:
|
||||
conn.conn.modify_s(str(dn), modlist)
|
||||
cur_rules = conn.get_entry(dn).get('resourceACLS', [])
|
||||
add_rules = [rule for rule in new_rules if rule not in cur_rules]
|
||||
if add_rules:
|
||||
conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)])
|
||||
updated = True
|
||||
|
||||
conn.disconnect()
|
||||
@ -1876,6 +1886,17 @@ def import_included_profiles():
|
||||
if not conn.isconnected():
|
||||
conn.connect(autobind=True)
|
||||
|
||||
ensure_entry(
|
||||
DN(('cn', 'ca'), api.env.basedn),
|
||||
objectclass=['top', 'nsContainer'],
|
||||
cn=['ca'],
|
||||
)
|
||||
ensure_entry(
|
||||
DN(api.env.container_certprofile, api.env.basedn),
|
||||
objectclass=['top', 'nsContainer'],
|
||||
cn=['certprofiles'],
|
||||
)
|
||||
|
||||
api.Backend.ra_certprofile._read_password()
|
||||
api.Backend.ra_certprofile.override_port = 8443
|
||||
|
||||
@ -1981,6 +2002,33 @@ def _create_dogtag_profile(profile_id, profile_data):
|
||||
"(it is probably already enabled)")
|
||||
|
||||
|
||||
def ensure_default_caacl():
|
||||
"""Add the default CA ACL if missing."""
|
||||
if not api.Backend.ldap2.isconnected():
|
||||
try:
|
||||
api.Backend.ldap2.connect(autobind=True)
|
||||
except errors.PublicError as e:
|
||||
root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
|
||||
return
|
||||
|
||||
ensure_entry(
|
||||
DN(('cn', 'ca'), api.env.basedn),
|
||||
objectclass=['top', 'nsContainer'],
|
||||
cn=['ca'],
|
||||
)
|
||||
ensure_entry(
|
||||
DN(api.env.container_caacl, api.env.basedn),
|
||||
objectclass=['top', 'nsContainer'],
|
||||
cn=['certprofiles'],
|
||||
)
|
||||
|
||||
if not api.Command.caacl_find()['result']:
|
||||
api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
|
||||
hostcategory=u'all', servicecategory=u'all')
|
||||
api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
|
||||
certprofile=(u'caIPAserviceCert',))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
standard_logging_setup("install.log")
|
||||
ds = dsinstance.DsInstance()
|
||||
|
@ -332,7 +332,6 @@ class DsInstance(service.Service):
|
||||
self.step("adding range check plugin", self.__add_range_check_plugin)
|
||||
if hbac_allow:
|
||||
self.step("creating default HBAC rule allow_all", self.add_hbac)
|
||||
self.step("creating default CA ACL rule", self.add_caacl)
|
||||
self.step("adding sasl mappings to the directory",
|
||||
self.__configure_sasl_mappings)
|
||||
self.step("adding entries for topology management", self.__add_topology_entries)
|
||||
@ -874,9 +873,6 @@ class DsInstance(service.Service):
|
||||
def add_hbac(self):
|
||||
self._ldap_mod("default-hbac.ldif", self.sub_dict)
|
||||
|
||||
def add_caacl(self):
|
||||
self._ldap_mod("default-caacl.ldif", self.sub_dict)
|
||||
|
||||
def change_admin_password(self, password):
|
||||
root_logger.debug("Changing admin password")
|
||||
dirname = config_dirname(self.serverid)
|
||||
|
@ -672,6 +672,9 @@ def install(installer):
|
||||
options.domain_name = config.domain_name
|
||||
options.host_name = config.host_name
|
||||
|
||||
if ipautil.file_exists(config.dir + "/cacert.p12"):
|
||||
options.ra_p12 = config.dir + "/ra.p12"
|
||||
|
||||
ca.install(False, config, options)
|
||||
|
||||
krb = install_krb(config, setup_pkinit=not options.no_pkinit)
|
||||
|
@ -1328,18 +1328,7 @@ def add_default_caacl(ca):
|
||||
return
|
||||
|
||||
if ca.is_configured():
|
||||
if not api.Backend.ldap2.isconnected():
|
||||
try:
|
||||
api.Backend.ldap2.connect(autobind=True)
|
||||
except ipalib.errors.PublicError as e:
|
||||
root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
|
||||
return
|
||||
|
||||
if not api.Command.caacl_find()['result']:
|
||||
api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
|
||||
hostcategory=u'all', servicecategory=u'all')
|
||||
api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
|
||||
certprofile=(u'caIPAserviceCert',))
|
||||
cainstance.ensure_default_caacl()
|
||||
|
||||
sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user