vault: Move vaults to cn=vaults,cn=kra

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
Jan Cholasta 2015-06-10 10:35:43 +00:00
parent 777a9500ce
commit 81729e22d3
10 changed files with 45 additions and 25 deletions


@ -716,6 +716,7 @@ fi
%{_usr}/share/ipa/copy-schema-to-ca.py*
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.update
%{_usr}/share/ipa/*.template
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy


@ -82,6 +82,7 @@ app_DATA = \
copy-schema-to-ca.py \
sasl-mapping-fallback.ldif \
schema-update.ldif \
vault.update \
$(NULL)
EXTRA_DIST = \


@ -1,19 +1,24 @@
dn: cn=vaults,$SUFFIX
dn: cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: kra
dn: cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: vaults
dn: cn=services,cn=vaults,$SUFFIX
dn: cn=services,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: services
dn: cn=shared,cn=vaults,$SUFFIX
dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: shared
dn: cn=users,cn=vaults,$SUFFIX
dn: cn=users,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: users
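Review bot: The update file only defines the new `cn=kra,$SUFFIX` and `cn=vaults,cn=kra,$SUFFIX` containers; nothing in it removes or migrates `cn=vaults,$SUFFIX` and its services/shared/users children, so a server that already applied the earlier 40-vault.update keeps an orphaned subtree that the new container_vault DN no longer points at. If that earlier layout never reached a release this is harmless, otherwise a cleanup entry for the old subtree (ldapupdate's deleteentry directive, if this version supports it) or an explicit note in the commit message is needed. Since the file also leaves the updates directory and is applied only from the KRA installer, container_vault presumably resolves to a non-existent subtree on servers without a KRA — worth confirming that the vault plugin handles that case.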


@ -34,7 +34,6 @@ app_DATA = \
40-automember.update \
40-certprofile.update \
40-otp.update \
40-vault.update \
45-roles.update \
50-7_bit_check.update \
50-dogtag10-migration.update \


@ -221,7 +221,7 @@ The following define the containers for the IPA server. Containers define where
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts
container_vault: cn=vaults
container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc
.SH "FILES"


@ -99,7 +99,7 @@ DEFAULT_CONFIG = (
('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))),
('container_dns', DN(('cn', 'dns'))),
('container_vault', DN(('cn', 'vaults'))),
('container_vault', DN(('cn', 'vaults'), ('cn', 'kra'))),
('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))),
('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))),
('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))),


@ -247,6 +247,7 @@ class BasePathNamespace(object):
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/"
VAULT_UPDATE = "/usr/share/ipa/vault.update"
PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"


@ -46,8 +46,8 @@ def install(replica_config, options, dm_password):
dogtag_constants=dogtag.install_constants)
kra.configure_instance(
api.env.host, api.env.domain, dm_password,
dm_password, subject_base=subject)
api.env.realm, api.env.host, api.env.domain, options.dm_password,
options.dm_password, subject_base=subject)
else:
kra = krainstance.install_replica_kra(replica_config)
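Review bot: The configure_instance call now passes `options.dm_password` twice while the enclosing `install(replica_config, options, dm_password)` still receives a `dm_password` argument that this branch no longer reads; if the two can ever differ (for example when the caller prompts for the password and only fills the parameter), the KRA is configured with a stale or `None` value. Either keep the parameter here, `api.env.realm, api.env.host, api.env.domain, dm_password,` / `dm_password, subject_base=subject)`, or drop it from the signature so it reflects what is actually used. The rest of install's body is outside the hunk, so I cannot tell whether the replica branch depends on it.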


@ -28,11 +28,11 @@ from ipalib import api
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import dogtag
from ipapython import ipaldap
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import certs
from ipaserver.install import cainstance
from ipaserver.install import ldapupdate
from ipaserver.install import service
from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
@ -70,7 +70,7 @@ class KRAInstance(DogtagInstance):
self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
self.log = log_mgr.get_logger(self)
def configure_instance(self, host_name, domain, dm_password,
def configure_instance(self, realm_name, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
pkcs12_info=None, master_host=None,
master_replication_port=None,
@ -93,6 +93,8 @@ class KRAInstance(DogtagInstance):
self.subject_base = DN(('O', self.realm))
else:
self.subject_base = subject_base
self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name)
# Confirm that a KRA does not already exist
if self.is_installed():
@ -115,8 +117,9 @@ class KRAInstance(DogtagInstance):
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
self.step("Configure HTTP to proxy connections",
self.step("configure HTTP to proxy connections",
self.http_proxy)
self.step("add vault container", self.__add_vault_container)
self.start_creation(runtime=126)
@ -335,6 +338,15 @@ class KRAInstance(DogtagInstance):
"--client-cert", paths.KRA_AGENT_PEM]
ipautil.run(args)
def __add_vault_container(self):
sub_dict = {
'SUFFIX': self.suffix,
}
ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
sub_dict=sub_dict)
ld.update([paths.VAULT_UPDATE])
@staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None):
"""
@ -391,7 +403,8 @@ def install_replica_kra(config, postinstall=False):
if _kra.is_installed():
sys.exit("A KRA is already configured on this system.")
_kra.configure_instance(config.host_name, config.domain_name,
_kra.configure_instance(config.realm_name,
config.host_name, config.domain_name,
config.dirman_password, config.dirman_password,
pkcs12_info=(krafile,),
master_host=config.master_host_name,
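Review bot: In the configure_instance hunk, `self.realm = realm_name` is assigned only after `self.subject_base = DN(('O', self.realm))` has been computed from whatever `self.realm` held before the call, so when no subject_base is supplied the subject base derives from the constructor's realm while `self.suffix` derives from `realm_name`; if those two can differ the instance ends up internally inconsistent. Move the two new lines, `self.realm = realm_name` and `self.suffix = ipautil.realm_to_suffix(realm_name)`, to the top of the method ahead of the subject_base branch. `__add_vault_container` also lacks documentation; a docstring such as `"""Apply vault.update with $SUFFIX substituted, creating the KRA vault containers."""` would say what the step does. The body of configure_instance continues outside the hunk.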


@ -57,7 +57,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': 'Added vault "%s"' % vault_name,
'result': {
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@ -78,7 +78,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@ -97,7 +97,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@ -152,7 +152,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@ -175,7 +175,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
},
@ -196,7 +196,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
},
@ -254,7 +254,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
'dn': u'cn=%s,cn=shared,cn=vaults,%s'
'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@ -277,7 +277,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
'dn': u'cn=%s,cn=shared,cn=vaults,%s'
'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@ -298,7 +298,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
'dn': u'cn=%s,cn=shared,cn=vaults,%s'
'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@ -356,7 +356,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@ -379,7 +379,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
},
@ -400,7 +400,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
},