Upgrade CA schema during upgrade

New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag. Also update the pki dependencies to 10.2.5, which provides the schema update file. Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-06-16 07:40:36 -04:00 · 2015-06-16 07:40:36 -04:00 · 6e641e8d18
commit 6e641e8d18
parent fe6819eb9d
2 changed files with 26 additions and 3 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -96,7 +96,7 @@ BuildRequires:  python-backports-ssl_match_hostname
 BuildRequires:  softhsm-devel >= 2.0.0rc1-1
 BuildRequires:  openssl-devel
 BuildRequires:  p11-kit-devel
-BuildRequires:  pki-base >= 10.2.4-1
+BuildRequires:  pki-base >= 10.2.5
 BuildRequires:  python-pytest-multihost >= 0.5
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
@ -141,8 +141,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.54.2-1
-Requires: pki-ca >= 10.2.4-1
-Requires: pki-kra >= 10.2.4-1
+Requires: pki-ca >= 10.2.5
+Requires: pki-kra >= 10.2.5
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -31,6 +31,7 @@ from ipaserver.install import service
 from ipaserver.install import cainstance
 from ipaserver.install import certs
 from ipaserver.install import otpdinstance
+from ipaserver.install import schemaupdate
 from ipaserver.install import sysupgrade
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
@ -1254,6 +1255,27 @@ def update_mod_nss_protocol(http):
    sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)


+def ca_upgrade_schema(ca):
+    root_logger.info('[Upgrading CA schema]')
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif']
+    try:
+        modified = schemaupdate.update_schema(schema_files, ldapi=True)
+    except Exception as e:
+        root_logger.error("%s", e)
+        raise RuntimeError('CA schema upgrade failed.', 1)
+    else:
+        if modified:
+            root_logger.info('CA schema update complete')
+            return True
+        else:
+            root_logger.info('CA schema update complete (no changes)')
+            return False
+
+
 def add_default_caacl(ca):
    root_logger.info('[Add default CA ACL]')

@ -1452,6 +1474,7 @@ def upgrade_configuration():

    ca_restart = any([
        ca_restart,
+        ca_upgrade_schema(ca),
        upgrade_ca_audit_cert_validity(ca),
        certificate_renewal_update(ca),
        ca_enable_pkix(ca),