Using LDAPI to set up CA and KRA agents.

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257

Reviewed-By: Martin Basti <mbasti@redhat.com>
Endi S. Dewata 2015-08-27 06:44:29 +02:00 committed by Jan Cholasta
parent cc53526fd2
commit 72cfcfa0bd
3 changed files with 68 additions and 88 deletions


@ -344,8 +344,6 @@ class BasePathNamespace(object):
SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket" SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket" ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert' ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail' ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
LDIF2DB = '/usr/sbin/ldif2db' LDIF2DB = '/usr/sbin/ldif2db'
DB2LDIF = '/usr/sbin/db2ldif' DB2LDIF = '/usr/sbin/db2ldif'


@ -466,7 +466,7 @@ class CAInstance(DogtagInstance):
self.step("restarting certificate server", self.restart_instance) self.step("restarting certificate server", self.restart_instance)
self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("requesting RA certificate from CA", self.__request_ra_certificate)
self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("issuing RA agent certificate", self.__issue_ra_cert)
self.step("adding RA agent as a trusted user", self.__configure_ra) self.step("adding RA agent as a trusted user", self.__create_ca_agent)
self.step("authorizing RA to modify profiles", self.__configure_profiles_acl) self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal) self.step("configure certificate renewals", self.configure_renewal)
@ -905,18 +905,26 @@ class CAInstance(DogtagInstance):
self.configure_agent_renewal() self.configure_agent_renewal()
def __configure_ra(self): def __create_ca_agent(self):
# Create an RA user in the CA LDAP server and add that user to """
# the appropriate groups so it can issue certificates without Create CA agent, assign a certificate, and add the user to
# manual intervention. the appropriate groups for accessing CA services.
conn = ipaldap.IPAdmin(self.fqdn, self.ds_port) """
conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
decoded = base64.b64decode(self.ra_cert) # get ipaCert certificate
cert_data = base64.b64decode(self.ra_cert)
cert = x509.load_certificate(cert_data, x509.DER)
entry_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn) # connect to CA database
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
conn.connect(autobind=True)
# create ipara user with ipaCert certificate
user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
entry = conn.make_entry( entry = conn.make_entry(
entry_dn, user_dn,
objectClass=['top', 'person', 'organizationalPerson', objectClass=['top', 'person', 'organizationalPerson',
'inetOrgPerson', 'cmsuser'], 'inetOrgPerson', 'cmsuser'],
uid=["ipara"], uid=["ipara"],
@ -924,23 +932,24 @@ class CAInstance(DogtagInstance):
cn=["ipara"], cn=["ipara"],
usertype=["agentType"], usertype=["agentType"],
userstate=["1"], userstate=["1"],
userCertificate=[decoded], userCertificate=[cert_data],
description=['2;%s;%s;%s' % ( description=['2;%s;%s;%s' % (
str(self.requestId), cert.serial_number,
DN(('CN', 'Certificate Authority'), self.subject_base), DN(('CN', 'Certificate Authority'), self.subject_base),
DN(('CN', 'IPA RA'), self.subject_base))]) DN(('CN', 'IPA RA'), self.subject_base))])
conn.add_entry(entry) conn.add_entry(entry)
dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), self.basedn) # add ipara user to Certificate Manager Agents group
modlist = [(0, 'uniqueMember', '%s' % entry_dn)] group_dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'),
conn.modify_s(dn, modlist) self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), self.basedn) # add ipara user to Registration Manager Agents group
modlist = [(0, 'uniqueMember', '%s' % entry_dn)] group_dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'),
conn.modify_s(dn, modlist) self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
conn.unbind() conn.disconnect()
def __configure_profiles_acl(self): def __configure_profiles_acl(self):
"""Allow the Certificate Manager Agents group to modify profiles.""" """Allow the Certificate Manager Agents group to modify profiles."""
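Review bot: The LDAPI URI built in `__create_ca_agent` hard-codes the socket location (`dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id`) even though the same path is already defined once as `SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"` in the paths namespace this commit touches; deriving the URI from that constant keeps the socket location in one place. Assuming `paths` is importable in cainstance.py as it is in kra.py, the two lines could become `socket_path = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % server_id` and `dogtag_uri = 'ldapi://' + socket_path.replace('/', '%2f')`, which produces the same URI; `__create_kra_agent` in kra.py repeats the identical literal and would take the same change. A smaller point in the same method: `conn.disconnect()` is only reached on success, so a failure in `add_entry` or `add_entry_to_group` leaves the LDAPI connection open, and a `try:`/`finally: conn.disconnect()` around the entry and group operations would close it on every path. Since the new code replaces the Directory Manager bind with `conn.connect(autobind=True)`, a comment such as `# autobind over LDAPI: the directory server maps the installer's local root identity to a privileged DN, so no DM password is needed` would make the trust assumption explicit for later readers.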


@ -25,17 +25,21 @@ import sys
import tempfile import tempfile
from ipalib import api from ipalib import api
from ipalib import x509
from ipaplatform import services from ipaplatform import services
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython import certdb
from ipapython import dogtag from ipapython import dogtag
from ipapython import ipautil from ipapython import ipautil
from ipapython.dn import DN from ipapython.dn import DN
from ipaserver.install import certs from ipaserver.install import certs
from ipaserver.install import cainstance from ipaserver.install import cainstance
from ipaserver.install import installutils
from ipaserver.install import ldapupdate from ipaserver.install import ldapupdate
from ipaserver.install import service from ipaserver.install import service
from ipaserver.install.dogtaginstance import DogtagInstance from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
from ipaserver.plugins import ldap2
from ipapython.ipa_log_manager import log_mgr from ipapython.ipa_log_manager import log_mgr
# When IPA is installed with DNS support, this CNAME should hold all IPA # When IPA is installed with DNS support, this CNAME should hold all IPA
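Review bot: `import tempfile`, kept as context at the top of this hunk, looks unused after the change: the only use visible on this page (`tempfile.mkstemp()` in the removed `__add_ra_user_to_agent_group`) is gone, and `__create_kra_agent` no longer writes the certificate to a temporary file. If no other use remains in kra.py, the import should be dropped, and `os` (used alongside it in the removed `os.close`/`os.remove` calls, imported above this hunk) deserves the same check. I cannot see the rest of the module, so both are inferences to confirm before removing anything.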
@ -111,8 +115,8 @@ class KRAInstance(DogtagInstance):
self.step("configuring KRA instance", self.__spawn_instance) self.step("configuring KRA instance", self.__spawn_instance)
if not self.clone: if not self.clone:
self.step("add RA user to KRA agent group", self.step("create KRA agent",
self.__add_ra_user_to_agent_group) self.__create_kra_agent)
self.step("restarting KRA", self.restart_instance) self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals", self.step("configure certmonger for renewals",
self.configure_certmonger_renewal) self.configure_certmonger_renewal)
@ -267,77 +271,46 @@ class KRAInstance(DogtagInstance):
self.log.debug("completed creating KRA instance") self.log.debug("completed creating KRA instance")
def __add_ra_user_to_agent_group(self): def __create_kra_agent(self):
""" """
Add RA agent created for CA to KRA agent group. Create KRA agent, assign a certificate, and add the user to
the appropriate groups for accessing KRA services.
""" """
# import CA certificate into temporary security database # get ipaCert certificate
args = ["/usr/bin/pki", with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb:
"-d", self.agent_db, cert_data = ipa_nssdb.get_cert("ipaCert")
"-C", paths.KRA_NSSDB_PASSWORD_FILE, cert = x509.load_certificate(cert_data, x509.DER)
"client-cert-import",
"--pkcs12", paths.KRACERT_P12,
"--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
ipautil.run(args)
# trust CA certificate # connect to KRA database
args = ["/usr/bin/pki", server_id = installutils.realm_to_serverid(api.env.realm)
"-d", self.agent_db, dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
"-C", paths.KRA_NSSDB_PASSWORD_FILE, conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
"client-cert-mod", "Certificate Authority - %s" % api.env.realm, conn.connect(autobind=True)
"--trust", "CT,c,"]
ipautil.run(args)
# import Dogtag admin certificate into temporary security database # create ipakra user with ipaCert certificate
args = ["/usr/bin/pki", user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
"-d", self.agent_db, entry = conn.make_entry(
"-C", paths.KRA_NSSDB_PASSWORD_FILE, user_dn,
"client-cert-import", objectClass=['top', 'person', 'organizationalPerson',
"--pkcs12", paths.DOGTAG_ADMIN_P12, 'inetOrgPerson', 'cmsuser'],
"--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE] uid=["ipakra"],
ipautil.run(args) sn=["IPA KRA User"],
cn=["IPA KRA User"],
usertype=["undefined"],
userCertificate=[cert_data],
description=['2;%s;%s;%s' % (
cert.serial_number,
DN(('CN', 'Certificate Authority'), self.subject_base),
DN(('CN', 'IPA RA'), self.subject_base))])
conn.add_entry(entry)
# as Dogtag admin, create ipakra user in KRA # add ipakra user to Data Recovery Manager Agents group
args = ["/usr/bin/pki", group_dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'),
"-d", self.agent_db, self.basedn)
"-C", paths.KRA_NSSDB_PASSWORD_FILE, conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
"-n", "ipa-ca-agent",
"kra-user-add", "ipakra",
"--fullName", "IPA KRA User"]
ipautil.run(args)
# as Dogtag admin, add ipakra into KRA agents group conn.disconnect()
args = ["/usr/bin/pki",
"-d", self.agent_db,
"-C", paths.KRA_NSSDB_PASSWORD_FILE,
"-n", "ipa-ca-agent",
"kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"]
ipautil.run(args)
# assign ipaCert to ipakra
(file, filename) = tempfile.mkstemp()
os.close(file)
try:
# export ipaCert without private key
args = ["/usr/bin/pki",
"-d", paths.HTTPD_ALIAS_DIR,
"-C", paths.ALIAS_PWDFILE_TXT,
"client-cert-show", "ipaCert",
"--cert", filename]
ipautil.run(args)
# as Dogtag admin, upload and assign ipaCert to ipakra
args = ["/usr/bin/pki",
"-d", self.agent_db,
"-C", paths.KRA_NSSDB_PASSWORD_FILE,
"-n", "ipa-ca-agent",
"kra-user-cert-add", "ipakra",
"--input", filename]
ipautil.run(args)
finally:
os.remove(filename)
def __add_vault_container(self): def __add_vault_container(self):
sub_dict = { sub_dict = {