Import CA certs from certificate store to DS NSS database on replica install.

Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-06-12 10:23:19 +02:00
parent 88706c5674
commit 82d682fa64
2 changed files with 29 additions and 1 deletions
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -384,6 +384,7 @@ class DsInstance(service.Service):
        # See LDIFs for automember configuration during replica install
        self.step("setting Auto Member configuration", self.__add_replica_automember_config)
        self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
        self.step("importing CA certificates from LDAP", self.__import_ca_certs)
        self.__common_post_setup()
@@ -716,6 +717,18 @@ class DsInstance(service.Service):
        conn.unbind()
    def __import_ca_certs(self):
        dirname = config_dirname(self.serverid)
        dsdb = certs.CertDB(self.realm, nssdir=dirname,
                            subject_base=self.subject_base)
        conn = ipaldap.IPAdmin(self.fqdn)
        conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
        self.import_ca_certs(dsdb, self.ca_is_configured, conn)
        conn.unbind()
    def __add_default_layout(self):
        self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -27,7 +27,7 @@ import datetime
 from ipapython import sysrestore, ipautil, dogtag, ipaldap
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
-from ipalib import errors
+from ipalib import errors, certstore
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -269,6 +269,21 @@ class Service(object):
        except Exception, e:
            root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
    def import_ca_certs(self, db, ca_is_configured, conn=None):
        if conn is None:
            if not self.admin_conn:
                self.ldap_connect()
            conn = self.admin_conn
        try:
            ca_certs = certstore.get_ca_certs_nss(
                conn, self.suffix, self.realm, ca_is_configured)
        except errors.NotFound:
            pass
        else:
            for cert, nickname, trust_flags in ca_certs:
                db.add_cert(cert, nickname, trust_flags)
    def is_configured(self):
        return self.sstore.has_state(self.service_name)