Using LDAPI to setup CA and KRA agents.

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257

Reviewed-By: Martin Basti <mbasti@redhat.com>

ipaplatform/base/paths.py

@@ -344,8 +344,6 @@ class BasePathNamespace(object):
     SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
     ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
     ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
-    KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
-    KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
     ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
     LDIF2DB = '/usr/sbin/ldif2db'
     DB2LDIF = '/usr/sbin/db2ldif'

ipaserver/install/cainstance.py

@@ -466,7 +466,7 @@ class CAInstance(DogtagInstance):
                 self.step("restarting certificate server", self.restart_instance)
                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
-                self.step("adding RA agent as a trusted user", self.__configure_ra)
+                self.step("adding RA agent as a trusted user", self.__create_ca_agent)
                 self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
             self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
             self.step("configure certificate renewals", self.configure_renewal)
@@ -905,18 +905,26 @@ class CAInstance(DogtagInstance):
 
         self.configure_agent_renewal()
 
-    def __configure_ra(self):
-        # Create an RA user in the CA LDAP server and add that user to
-        # the appropriate groups so it can issue certificates without
-        # manual intervention.
-        conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
-        conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+    def __create_ca_agent(self):
+        """
+        Create CA agent, assign a certificate, and add the user to
+        the appropriate groups for accessing CA services.
+        """
 
-        decoded = base64.b64decode(self.ra_cert)
+        # get ipaCert certificate
+        cert_data = base64.b64decode(self.ra_cert)
+        cert = x509.load_certificate(cert_data, x509.DER)
 
-        entry_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+        # connect to CA database
+        server_id = installutils.realm_to_serverid(api.env.realm)
+        dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+        conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+        conn.connect(autobind=True)
+
+        # create ipara user with ipaCert certificate
+        user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
         entry = conn.make_entry(
-            entry_dn,
+            user_dn,
             objectClass=['top', 'person', 'organizationalPerson',
                          'inetOrgPerson', 'cmsuser'],
             uid=["ipara"],
@@ -924,23 +932,24 @@ class CAInstance(DogtagInstance):
             cn=["ipara"],
             usertype=["agentType"],
             userstate=["1"],
-            userCertificate=[decoded],
+            userCertificate=[cert_data],
             description=['2;%s;%s;%s' % (
-                str(self.requestId),
+                cert.serial_number,
                 DN(('CN', 'Certificate Authority'), self.subject_base),
                 DN(('CN', 'IPA RA'), self.subject_base))])
-
         conn.add_entry(entry)
 
-        dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), self.basedn)
-        modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
-        conn.modify_s(dn, modlist)
+        # add ipara user to Certificate Manager Agents group
+        group_dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'),
+            self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-        dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), self.basedn)
-        modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
-        conn.modify_s(dn, modlist)
+        # add ipara user to Registration Manager Agents group
+        group_dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'),
+            self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-        conn.unbind()
+        conn.disconnect()
 
     def __configure_profiles_acl(self):
         """Allow the Certificate Manager Agents group to modify profiles."""

ipaserver/install/krainstance.py

@@ -25,17 +25,21 @@ import sys
 import tempfile
 
 from ipalib import api
+from ipalib import x509
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython import certdb
 from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
 from ipaserver.install import certs
 from ipaserver.install import cainstance
+from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import service
 from ipaserver.install.dogtaginstance import DogtagInstance
 from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
+from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import log_mgr
 
 # When IPA is installed with DNS support, this CNAME should hold all IPA
@@ -111,8 +115,8 @@ class KRAInstance(DogtagInstance):
 
         self.step("configuring KRA instance", self.__spawn_instance)
         if not self.clone:
-            self.step("add RA user to KRA agent group",
-                      self.__add_ra_user_to_agent_group)
+            self.step("create KRA agent",
+                      self.__create_kra_agent)
         self.step("restarting KRA", self.restart_instance)
         self.step("configure certmonger for renewals",
                   self.configure_certmonger_renewal)
@@ -267,77 +271,46 @@ class KRAInstance(DogtagInstance):
 
         self.log.debug("completed creating KRA instance")
 
-    def __add_ra_user_to_agent_group(self):
+    def __create_kra_agent(self):
         """
-        Add RA agent created for CA to KRA agent group.
+        Create KRA agent, assign a certificate, and add the user to
+        the appropriate groups for accessing KRA services.
         """
 
-        # import CA certificate into temporary security database
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "client-cert-import",
-            "--pkcs12", paths.KRACERT_P12,
-            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
-        ipautil.run(args)
+        # get ipaCert certificate
+        with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb:
+           cert_data = ipa_nssdb.get_cert("ipaCert")
+        cert = x509.load_certificate(cert_data, x509.DER)
 
-        # trust CA certificate
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "client-cert-mod", "Certificate Authority - %s" % api.env.realm,
-            "--trust", "CT,c,"]
-        ipautil.run(args)
+        # connect to KRA database
+        server_id = installutils.realm_to_serverid(api.env.realm)
+        dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+        conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+        conn.connect(autobind=True)
 
-        # import Dogtag admin certificate into temporary security database
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "client-cert-import",
-            "--pkcs12", paths.DOGTAG_ADMIN_P12,
-            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
-        ipautil.run(args)
+        # create ipakra user with ipaCert certificate
+        user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
+        entry = conn.make_entry(
+            user_dn,
+            objectClass=['top', 'person', 'organizationalPerson',
+                         'inetOrgPerson', 'cmsuser'],
+            uid=["ipakra"],
+            sn=["IPA KRA User"],
+            cn=["IPA KRA User"],
+            usertype=["undefined"],
+            userCertificate=[cert_data],
+            description=['2;%s;%s;%s' % (
+                cert.serial_number,
+                DN(('CN', 'Certificate Authority'), self.subject_base),
+                DN(('CN', 'IPA RA'), self.subject_base))])
+        conn.add_entry(entry)
 
-        # as Dogtag admin, create ipakra user in KRA
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "-n", "ipa-ca-agent",
-            "kra-user-add", "ipakra",
-            "--fullName", "IPA KRA User"]
-        ipautil.run(args)
+        # add ipakra user to Data Recovery Manager Agents group
+        group_dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'),
+                self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-        # as Dogtag admin, add ipakra into KRA agents group
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "-n", "ipa-ca-agent",
-            "kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"]
-        ipautil.run(args)
-
-        # assign ipaCert to ipakra
-        (file, filename) = tempfile.mkstemp()
-        os.close(file)
-        try:
-            # export ipaCert without private key
-            args = ["/usr/bin/pki",
-                "-d", paths.HTTPD_ALIAS_DIR,
-                "-C", paths.ALIAS_PWDFILE_TXT,
-                "client-cert-show", "ipaCert",
-                "--cert", filename]
-            ipautil.run(args)
-
-            # as Dogtag admin, upload and assign ipaCert to ipakra
-            args = ["/usr/bin/pki",
-                "-d", self.agent_db,
-                "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-                "-n", "ipa-ca-agent",
-                "kra-user-cert-add", "ipakra",
-                "--input", filename]
-            ipautil.run(args)
-
-        finally:
-            os.remove(filename)
+        conn.disconnect()
 
     def __add_vault_container(self):
         sub_dict = {