IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

vault: Move vaults to cn=vaults,cn=kra

Browse Source 
https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
Jan Cholasta 2015-06-10 10:35:43 +00:00
parent 777a9500ce
commit 81729e22d3
10 changed files with 45 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
freeipa.spec.in
View File

@ -716,6 +716,7 @@ fi
%{_usr}/share/ipa/copy-schema-to-ca.py* %{_usr}/share/ipa/copy-schema-to-ca.py*
%{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.update
%{_usr}/share/ipa/*.template %{_usr}/share/ipa/*.template
%dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy %dir %{_usr}/share/ipa/advise/legacy

1
install/share/Makefile.am
View File

@ -82,6 +82,7 @@ app_DATA = \
copy-schema-to-ca.py \ copy-schema-to-ca.py \
sasl-mapping-fallback.ldif \ sasl-mapping-fallback.ldif \
schema-update.ldif \ schema-update.ldif \
vault.update \
$(NULL) $(NULL)
EXTRA_DIST = \ EXTRA_DIST = \

13
install/updates/40-vault.update → install/share/vault.update
View File

@ -1,19 +1,24 @@
dn: cn=vaults,$SUFFIX dn: cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: kra
dn: cn=vaults,cn=kra,$SUFFIX
default: objectClass: top default: objectClass: top
default: objectClass: nsContainer default: objectClass: nsContainer
default: cn: vaults default: cn: vaults
dn: cn=services,cn=vaults,$SUFFIX dn: cn=services,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top default: objectClass: top
default: objectClass: nsContainer default: objectClass: nsContainer
default: cn: services default: cn: services
dn: cn=shared,cn=vaults,$SUFFIX dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top default: objectClass: top
default: objectClass: nsContainer default: objectClass: nsContainer
default: cn: shared default: cn: shared
dn: cn=users,cn=vaults,$SUFFIX dn: cn=users,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top default: objectClass: top
default: objectClass: nsContainer default: objectClass: nsContainer
default: cn: users default: cn: users

1
install/updates/Makefile.am
View File

@ -34,7 +34,6 @@ app_DATA = \
40-automember.update \ 40-automember.update \
40-certprofile.update \ 40-certprofile.update \
40-otp.update \ 40-otp.update \
40-vault.update \
45-roles.update \ 45-roles.update \
50-7_bit_check.update \ 50-7_bit_check.update \
50-dogtag10-migration.update \ 50-dogtag10-migration.update \

2
ipa-client/man/default.conf.5
View File

@ -221,7 +221,7 @@ The following define the containers for the IPA server. Containers define where
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts container_user: cn=users,cn=accounts
container_vault: cn=vaults container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc container_virtual: cn=virtual operations,cn=etc
.SH "FILES" .SH "FILES"

2
ipalib/constants.py
View File

@ -99,7 +99,7 @@ DEFAULT_CONFIG = (
('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))), ('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))), ('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))),
('container_dns', DN(('cn', 'dns'))), ('container_dns', DN(('cn', 'dns'))),
('container_vault', DN(('cn', 'vaults'))), ('container_vault', DN(('cn', 'vaults'), ('cn', 'kra'))),
('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))), ('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))),
('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))), ('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))),
('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))), ('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))),

1
ipaplatform/base/paths.py
View File

@ -247,6 +247,7 @@ class BasePathNamespace(object):
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/" UPDATES_DIR = "/usr/share/ipa/updates/"
VAULT_UPDATE = "/usr/share/ipa/vault.update"
PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml" PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions" CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/" VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"

4
ipaserver/install/kra.py
View File

@ -46,8 +46,8 @@ def install(replica_config, options, dm_password):
dogtag_constants=dogtag.install_constants) dogtag_constants=dogtag.install_constants)
kra.configure_instance( kra.configure_instance(
api.env.host, api.env.domain, dm_password, api.env.realm, api.env.host, api.env.domain, options.dm_password,
dm_password, subject_base=subject) options.dm_password, subject_base=subject)
else: else:
kra = krainstance.install_replica_kra(replica_config) kra = krainstance.install_replica_kra(replica_config)

21
ipaserver/install/krainstance.py
View File

@ -28,11 +28,11 @@ from ipalib import api
from ipaplatform import services from ipaplatform import services
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython import dogtag from ipapython import dogtag
from ipapython import ipaldap
from ipapython import ipautil from ipapython import ipautil
from ipapython.dn import DN from ipapython.dn import DN
from ipaserver.install import certs from ipaserver.install import certs
from ipaserver.install import cainstance from ipaserver.install import cainstance
from ipaserver.install import ldapupdate
from ipaserver.install import service from ipaserver.install import service
from ipaserver.install.dogtaginstance import DogtagInstance from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
@ -70,7 +70,7 @@ class KRAInstance(DogtagInstance):
self.basedn = DN(('o', 'kra'), ('o', 'ipaca')) self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
self.log = log_mgr.get_logger(self) self.log = log_mgr.get_logger(self)
def configure_instance(self, host_name, domain, dm_password, def configure_instance(self, realm_name, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT, admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None, pkcs12_info=None, master_host=None,
master_replication_port=None, master_replication_port=None,
@ -93,6 +93,8 @@ class KRAInstance(DogtagInstance):
self.subject_base = DN(('O', self.realm)) self.subject_base = DN(('O', self.realm))
else: else:
self.subject_base = subject_base self.subject_base = subject_base
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
# Confirm that a KRA does not already exist # Confirm that a KRA does not already exist
if self.is_installed(): if self.is_installed():
@ -115,8 +117,9 @@ class KRAInstance(DogtagInstance):
self.step("configure certmonger for renewals", self.step("configure certmonger for renewals",
self.configure_certmonger_renewal) self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal) self.step("configure certificate renewals", self.configure_renewal)
self.step("Configure HTTP to proxy connections", self.step("configure HTTP to proxy connections",
self.http_proxy) self.http_proxy)
self.step("add vault container", self.__add_vault_container)
self.start_creation(runtime=126) self.start_creation(runtime=126)
@ -335,6 +338,15 @@ class KRAInstance(DogtagInstance):
"--client-cert", paths.KRA_AGENT_PEM] "--client-cert", paths.KRA_AGENT_PEM]
ipautil.run(args) ipautil.run(args)
def __add_vault_container(self):
sub_dict = {
'SUFFIX': self.suffix,
}
ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
sub_dict=sub_dict)
ld.update([paths.VAULT_UPDATE])
@staticmethod @staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None): def update_cert_config(nickname, cert, dogtag_constants=None):
""" """
@ -391,7 +403,8 @@ def install_replica_kra(config, postinstall=False):
if _kra.is_installed(): if _kra.is_installed():
sys.exit("A KRA is already configured on this system.") sys.exit("A KRA is already configured on this system.")
_kra.configure_instance(config.host_name, config.domain_name, _kra.configure_instance(config.realm_name,
config.host_name, config.domain_name,
config.dirman_password, config.dirman_password, config.dirman_password, config.dirman_password,
pkcs12_info=(krafile,), pkcs12_info=(krafile,),
master_host=config.master_host_name, master_host=config.master_host_name,

24
ipatests/test_xmlrpc/test_vault_plugin.py
View File

@ -57,7 +57,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': 'Added vault "%s"' % vault_name, 'summary': 'Added vault "%s"' % vault_name,
'result': { 'result': {
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn), % (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'], 'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name], 'cn': [vault_name],
@ -78,7 +78,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched', 'summary': u'1 vault matched',
'result': [ 'result': [
{ {
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn), % (vault_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },
@ -97,7 +97,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': None, 'summary': None,
'result': { 'result': {
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn), % (vault_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },
@ -152,7 +152,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': u'Added vault "%s"' % vault_name, 'summary': u'Added vault "%s"' % vault_name,
'result': { 'result': {
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn), % (vault_name, service_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'], 'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name], 'cn': [vault_name],
@ -175,7 +175,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched', 'summary': u'1 vault matched',
'result': [ 'result': [
{ {
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn), % (vault_name, service_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },
@ -196,7 +196,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': None, 'summary': None,
'result': { 'result': {
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn), % (vault_name, service_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },
@ -254,7 +254,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': u'Added vault "%s"' % vault_name, 'summary': u'Added vault "%s"' % vault_name,
'result': { 'result': {
'dn': u'cn=%s,cn=shared,cn=vaults,%s' 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn), % (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'], 'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name], 'cn': [vault_name],
@ -277,7 +277,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched', 'summary': u'1 vault matched',
'result': [ 'result': [
{ {
'dn': u'cn=%s,cn=shared,cn=vaults,%s' 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn), % (vault_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },
@ -298,7 +298,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': None, 'summary': None,
'result': { 'result': {
'dn': u'cn=%s,cn=shared,cn=vaults,%s' 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn), % (vault_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },
@ -356,7 +356,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': u'Added vault "%s"' % vault_name, 'summary': u'Added vault "%s"' % vault_name,
'result': { 'result': {
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn), % (vault_name, user_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'], 'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name], 'cn': [vault_name],
@ -379,7 +379,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched', 'summary': u'1 vault matched',
'result': [ 'result': [
{ {
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn), % (vault_name, user_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },
@ -400,7 +400,7 @@ class test_vault_plugin(Declarative):
'value': vault_name, 'value': vault_name,
'summary': None, 'summary': None,
'result': { 'result': {
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn), % (vault_name, user_name, api.env.basedn),
'cn': [vault_name], 'cn': [vault_name],
}, },