Add IPA CA entry on install / upgrade

In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-05-06 12:07:29 +10:00
parent 3d4db834ca
commit 7d8699580d
2 changed files with 38 additions and 0 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -433,6 +433,7 @@ class CAInstance(DogtagInstance):
            self.step("importing IPA certificate profiles",
                      import_included_profiles)
            self.step("adding default CA ACL", ensure_default_caacl)
+            self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
            self.step("updating IPA configuration", update_ipa_conf)

        self.start_creation(runtime=210)
@@ -1900,6 +1901,42 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite):
                "(it is probably already enabled)")


+def ensure_ipa_authority_entry():
+    """Add the IPA CA ipaCa object if missing."""
+
+    # find out authority id, issuer DN and subject DN of IPA CA
+    #
+    api.Backend.ra_lightweight_ca._read_password()
+    api.Backend.ra_lightweight_ca.override_port = 8443
+    with api.Backend.ra_lightweight_ca as lwca:
+        data = lwca.read_ca('host-authority')
+        attrs = dict(
+            ipacaid=data['id'],
+            ipacaissuerdn=data['issuerDN'],
+            ipacasubjectdn=data['dn'],
+        )
+    api.Backend.ra_lightweight_ca.override_port = None
+
+    is_already_connected = api.Backend.ldap2.isconnected()
+    if not is_already_connected:
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except errors.PublicError as e:
+            root_logger.error("Cannot connect to LDAP to add CA: %s", e)
+            return
+
+    ensure_entry(
+        DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn),
+        objectclass=['top', 'ipaca'],
+        cn=[ipalib.constants.IPA_CA_CN],
+        description=['IPA CA'],
+        **attrs
+    )
+
+    if not is_already_connected:
+        api.Backend.ldap2.disconnect()
+
+
 def ensure_default_caacl():
    """Add the default CA ACL if missing."""
    is_already_connected = api.Backend.ldap2.isconnected()
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1724,6 +1724,7 @@ def upgrade_configuration():
    if ca.is_configured():
        cainstance.repair_profile_caIPAserviceCert()
        ca.setup_lightweight_ca_key_retrieval()
+        cainstance.ensure_ipa_authority_entry()

    set_sssd_domain_option('ipa_server_mode', 'True')