IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

replica install: merge RA cert import into CA install

Browse Source 
Merge all RA cert import code paths into a single code path in CA install.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Jan Cholasta
2016-10-26 14:28:21 +02:00
parent bddd4fac46
commit 822e1bc82a
5 changed files with 101 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
ipaserver/install/server/replicainstall.py
View File

@@ -713,7 +713,7 @@ def install_check(installer):
root_logger.debug('No IPA DNS servers, '
'skipping forward/reverse resolution check')
if options.setup_ca:
if ca_enabled:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject = config.subject_base
@@ -762,6 +762,7 @@ def install_check(installer):
options.setup_ca, config.ca_ds_port, options.admin_password,
ca_cert_file=cafile)
installer._ca_enabled = ca_enabled
installer._remote_api = remote_api
installer._fstore = fstore
installer._sstore = sstore
@@ -771,6 +772,7 @@ def install_check(installer):
@common_cleanup
def install(installer):
options = installer
ca_enabled = installer._ca_enabled
fstore = installer._fstore
sstore = installer._sstore
config = installer._config
@@ -781,8 +783,6 @@ def install(installer):
http_instance = httpinstance.HTTPInstance()
http_instance.create_cert_db()
ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
# Create DS user/group if it doesn't exist yet
dsinstance.create_ds_user()
@@ -816,7 +816,7 @@ def install(installer):
options.dm_password = config.dirman_password
if config.setup_ca:
if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
@@ -826,7 +826,7 @@ def install(installer):
http = install_http(config, auto_redirect=not options.no_ui_redirect,
ca_is_configured=ca_enabled)
if config.setup_ca:
if ca_enabled:
# Done after install_krb() because lightweight CA key
# retrieval setup needs to create kerberos principal.
ca.install_step_1(False, config, options)
@@ -836,11 +836,7 @@ def install(installer):
ipautil.realm_to_suffix(config.realm_name))
if ca_enabled:
CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
CA.dm_password = config.dirman_password
CA.configure_certmonger_renewal()
CA.import_ra_cert(config.dir + "/ra.p12")
cainstance.export_kra_agent_pem()
custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name)
@@ -1268,6 +1264,10 @@ def promote_check(installer):
"CA is present on some master.")
raise ScriptError(rval=3)
else:
if options.setup_ca:
root_logger.error("The remote master does not have a CA "
"installed, can't set up CA")
raise ScriptError(rval=3)
ca_enabled = False
if not options.dirsrv_cert_files:
root_logger.error("Cannot issue certificates: a CA is not "
@@ -1283,12 +1283,7 @@ def promote_check(installer):
"setup a KRA clone")
raise ScriptError(rval=3)
if options.setup_ca:
if not ca_enabled:
root_logger.error("The remote master does not have a CA "
"installed, can't set up CA")
raise ScriptError(rval=3)
if ca_enabled:
options.realm_name = config.realm_name
options.host_name = config.host_name
options.subject = config.subject_base
@@ -1365,6 +1360,7 @@ def promote_check(installer):
@common_cleanup
def promote(installer):
options = installer
ca_enabled = installer._ca_enabled
fstore = installer._fstore
sstore = installer._sstore
config = installer._config
@@ -1401,7 +1397,7 @@ def promote(installer):
http_instance.create_cert_db()
# FIXME: allow to use passed in certs instead
if installer._ca_enabled:
if ca_enabled:
configure_certmonger()
# Create DS user/group if it doesn't exist yet
@@ -1417,7 +1413,7 @@ def promote(installer):
conn.connect(ccache=ccache)
# Configure dirsrv
ds = install_replica_ds(config, options, installer._ca_enabled,
ds = install_replica_ds(config, options, ca_enabled,
remote_api,
promote=True, pkcs12_info=dirsrv_pkcs12_info)
@@ -1451,7 +1447,7 @@ def promote(installer):
ipaconf.setOption('mode', 'production')
]
if installer._ca_enabled:
if ca_enabled:
gopts.extend([
ipaconf.setOption('enable_ra', 'True'),
ipaconf.setOption('ra_plugin', 'dogtag'),
@@ -1472,15 +1468,10 @@ def promote(installer):
os.chmod(target_fname, 0o644) # must be readable for httpd
custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name,
installer._ca_enabled)
config.realm_name)
custodia.create_replica(config.master_host_name)
if installer._ca_enabled:
CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
CA.configure_certmonger_renewal()
CA.configure_agent_renewal()
cainstance.export_kra_agent_pem()
install_krb(
@@ -1492,7 +1483,7 @@ def promote(installer):
config,
auto_redirect=not options.no_ui_redirect,
promote=True, pkcs12_info=http_pkcs12_info,
ca_is_configured=installer._ca_enabled)
ca_is_configured=ca_enabled)
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
@@ -1502,7 +1493,7 @@ def promote(installer):
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
if config.setup_ca:
if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name