Add profiles and default CA ACL on migration

Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Fraser Tweedale 2015-11-23 12:09:32 +11:00 committed by Jan Cholasta
parent 6fe0a89807
commit 620036d26e
9 changed files with 90 additions and 56 deletions

View File

@ -31,7 +31,6 @@ app_DATA = \
caJarSigningCert.cfg.template \
custodia.conf.template \
default-aci.ldif \
default-caacl.ldif \
default-hbac.ldif \
default-smb-group.ldif \
default-trust-view.ldif \

View File

@ -1,11 +0,0 @@
# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services
dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX
changetype: add
objectclass: ipaassociation
objectclass: ipacaacl
ipauniqueid: autogenerate
cn: hosts_services_caIPAserviceCert
ipaenabledflag: TRUE
ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX
hostcategory: all
servicecategory: all

View File

@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles

View File

@ -307,6 +307,14 @@ class caacl_del(LDAPDelete):
msg_summary = _('Deleted CA ACL "%(value)s"')
def pre_callback(self, ldap, dn, *keys, **options):
if keys[0] == 'hosts_services_caIPAserviceCert':
raise errors.ProtectedEntryError(
label=_("CA ACL"),
key=keys[0],
reason=_("default CA ACL can be only disabled"))
return dn
@register()
class caacl_mod(LDAPUpdate):

View File

@ -138,9 +138,10 @@ def install_step_0(standalone, replica_config, options):
if standalone:
api.Backend.ldap2.disconnect()
cainstance.install_replica_ca(replica_config, postinstall)
cainstance.install_replica_ca(replica_config, postinstall,
ra_p12=getattr(options, 'ra_p12', None))
if standalone:
if standalone and not api.Backend.ldap2.isconnected():
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dm_password)

View File

@ -410,7 +410,7 @@ class CAInstance(DogtagInstance):
cert_file=None, cert_chain_file=None,
master_replication_port=None,
subject_base=None, ca_signing_algorithm=None,
ca_type=None):
ca_type=None, ra_p12=None):
"""Create a CA instance.
For Dogtag 9, this may involve creating the pki-ca instance.
@ -484,7 +484,10 @@ class CAInstance(DogtagInstance):
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
self.step("issuing RA agent certificate", self.__issue_ra_cert)
self.step("adding RA agent as a trusted user", self.__create_ca_agent)
self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
elif ra_p12 is not None:
self.step("importing RA certificate from PKCS #12 file",
lambda: self.import_ra_cert(ra_p12, configure_renewal=False))
self.step("authorizing RA to modify profiles", configure_profiles_acl)
self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
if not self.clone:
@ -492,9 +495,12 @@ class CAInstance(DogtagInstance):
self.step("configure Server-Cert certificate renewal", self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
if not self.clone:
self.step("restarting certificate server", self.restart_instance)
self.step("Importing IPA certificate profiles", import_included_profiles)
self.step("restarting certificate server", self.restart_instance)
self.step("migrating certificate profiles to LDAP",
migrate_profiles_to_ldap)
self.step("importing IPA certificate profiles",
import_included_profiles)
self.step("adding default CA ACL", ensure_default_caacl)
self.start_creation(runtime=210)
@ -921,7 +927,7 @@ class CAInstance(DogtagInstance):
export_kra_agent_pem()
def import_ra_cert(self, rafile):
def import_ra_cert(self, rafile, configure_renewal=True):
"""
Cloned RAs will use the same RA agent cert as the master so we
need to import from a PKCS#12 file.
@ -937,7 +943,8 @@ class CAInstance(DogtagInstance):
finally:
os.remove(agent_name)
self.configure_agent_renewal()
if configure_renewal:
self.configure_agent_renewal()
export_kra_agent_pem()
@ -987,10 +994,6 @@ class CAInstance(DogtagInstance):
conn.disconnect()
def __configure_profiles_acl(self):
"""Allow the Certificate Manager Agents group to modify profiles."""
configure_profiles_acl()
def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
if not database:
database = self.ra_agent_db
@ -1654,7 +1657,7 @@ def replica_ca_install_check(config):
exit('IPA schema missing on master CA directory server')
def install_replica_ca(config, postinstall=False):
def install_replica_ca(config, postinstall=False, ra_p12=None):
"""
Install a CA on a replica.
@ -1691,7 +1694,7 @@ def install_replica_ca(config, postinstall=False):
ca.create_ra_agent_db = False
ca.configure_instance(config.host_name,
config.dirman_password, config.dirman_password,
pkcs12_info=(cafile,),
pkcs12_info=(cafile,), ra_p12=ra_p12,
master_host=config.master_host_name,
master_replication_port=config.ca_ds_port,
subject_base=config.subject_base)
@ -1816,6 +1819,14 @@ def update_people_entry(dercert):
return True
def ensure_ldap_profiles_container():
ensure_entry(
DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
objectclass=['top', 'organizationalUnit'],
ou=['certificateProfiles'],
)
def ensure_entry(dn, **attrs):
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
@ -1823,40 +1834,39 @@ def ensure_ldap_profiles_container():
if not conn.isconnected():
conn.connect(autobind=True)
dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
try:
conn.get_entry(dn)
except errors.NotFound:
# entry doesn't exist; add it
entry = conn.make_entry(
dn,
objectclass=['top', 'organizationalUnit'],
ou=['certificateProfiles'],
)
entry = conn.make_entry(dn, **attrs)
conn.add_entry(entry)
conn.disconnect()
def configure_profiles_acl():
"""Allow the Certificate Manager Agents group to modify profiles."""
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
updated = False
dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
rule = (
new_rules = [
'certServer.profile.configuration:read,modify:allow (read,modify) '
'group="Certificate Manager Agents":'
'Certificate Manager agents may modify (create/update/delete) and read profiles'
)
modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]
'Certificate Manager agents may modify (create/update/delete) and read profiles',
'certServer.ca.account:login,logout:allow (login,logout) '
'user="anybody":Anybody can login and logout',
]
conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
if not conn.isconnected():
conn.connect(autobind=True)
rules = conn.get_entry(dn).get('resourceACLS', [])
if rule not in rules:
conn.conn.modify_s(str(dn), modlist)
cur_rules = conn.get_entry(dn).get('resourceACLS', [])
add_rules = [rule for rule in new_rules if rule not in cur_rules]
if add_rules:
conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)])
updated = True
conn.disconnect()
@ -1876,6 +1886,17 @@ def import_included_profiles():
if not conn.isconnected():
conn.connect(autobind=True)
ensure_entry(
DN(('cn', 'ca'), api.env.basedn),
objectclass=['top', 'nsContainer'],
cn=['ca'],
)
ensure_entry(
DN(api.env.container_certprofile, api.env.basedn),
objectclass=['top', 'nsContainer'],
cn=['certprofiles'],
)
api.Backend.ra_certprofile._read_password()
api.Backend.ra_certprofile.override_port = 8443
@ -1981,6 +2002,33 @@ def _create_dogtag_profile(profile_id, profile_data):
"(it is probably already enabled)")
def ensure_default_caacl():
"""Add the default CA ACL if missing."""
if not api.Backend.ldap2.isconnected():
try:
api.Backend.ldap2.connect(autobind=True)
except errors.PublicError as e:
root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
return
ensure_entry(
DN(('cn', 'ca'), api.env.basedn),
objectclass=['top', 'nsContainer'],
cn=['ca'],
)
ensure_entry(
DN(api.env.container_caacl, api.env.basedn),
objectclass=['top', 'nsContainer'],
cn=['certprofiles'],
)
if not api.Command.caacl_find()['result']:
api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
hostcategory=u'all', servicecategory=u'all')
api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
certprofile=(u'caIPAserviceCert',))
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()

View File

@ -332,7 +332,6 @@ class DsInstance(service.Service):
self.step("adding range check plugin", self.__add_range_check_plugin)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
self.step("creating default CA ACL rule", self.add_caacl)
self.step("adding sasl mappings to the directory",
self.__configure_sasl_mappings)
self.step("adding entries for topology management", self.__add_topology_entries)
@ -874,9 +873,6 @@ class DsInstance(service.Service):
def add_hbac(self):
self._ldap_mod("default-hbac.ldif", self.sub_dict)
def add_caacl(self):
self._ldap_mod("default-caacl.ldif", self.sub_dict)
def change_admin_password(self, password):
root_logger.debug("Changing admin password")
dirname = config_dirname(self.serverid)

View File

@ -672,6 +672,9 @@ def install(installer):
options.domain_name = config.domain_name
options.host_name = config.host_name
if ipautil.file_exists(config.dir + "/cacert.p12"):
options.ra_p12 = config.dir + "/ra.p12"
ca.install(False, config, options)
krb = install_krb(config, setup_pkinit=not options.no_pkinit)

View File

@ -1328,18 +1328,7 @@ def add_default_caacl(ca):
return
if ca.is_configured():
if not api.Backend.ldap2.isconnected():
try:
api.Backend.ldap2.connect(autobind=True)
except ipalib.errors.PublicError as e:
root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
return
if not api.Command.caacl_find()['result']:
api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
hostcategory=u'all', servicecategory=u'all')
api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
certprofile=(u'caIPAserviceCert',))
cainstance.ensure_default_caacl()
sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)