From 8a7e79a7a6fad8dc87c8f148cb5098434f988ea3 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 24 Oct 2016 13:09:11 +0200 Subject: [PATCH] replica install: use one remote CA host name everywhere Remote master and CA host names may differ. Always use the remote CA host name and never the remote master host name in CA replica install. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka --- install/tools/ipa-ca-install | 8 +++----- ipaserver/install/ca.py | 2 +- ipaserver/install/cainstance.py | 4 ++-- ipaserver/install/server/replicainstall.py | 8 +++++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 079773dbd..aaacf447d 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -138,7 +138,7 @@ def install_replica(safe_options, options, filename): if options.promote: config = ReplicaConfig() - config.master_host_name = None + config.ca_host_name = None config.realm_name = api.env.realm config.host_name = api.env.host config.domain_name = api.env.domain @@ -149,6 +149,7 @@ def install_replica(safe_options, options, filename): cafile = paths.IPA_CA_CRT else: config = create_replica_config(dirman_password, filename, options) + config.ca_host_name = config.master_host_name cafile = config.dir + '/ca.crt' global REPLICA_INFO_TOP_DIR @@ -159,12 +160,9 @@ def install_replica(safe_options, options, filename): attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] - if config.master_host_name is None: + if config.ca_host_name is None: config.ca_host_name = \ service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host) - config.master_host_name = config.ca_host_name - else: - config.ca_host_name = config.master_host_name options.realm_name = config.realm_name options.domain_name = config.domain_name 
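Review bot: In the last hunk of install_replica (`@@ -159,12 +160,9 @@`), the result of `service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host)` is stored in `config.ca_host_name` without a None check. The promote_check hunk in replicainstall.py guards the same call with `if ca_host is not None`, which suggests the lookup can come back empty. A None here would flow into `replica_conn_check(replica_config.ca_host_name, ...)` in ca.py and into `'ldap://%s:%s' % (config.ca_host_name, config.ca_ds_port)` in cainstance.py. Stopping right after the lookup gives a clearer failure than a connection attempt to a host named "None", for example `if config.ca_host_name is None: sys.exit("No CA server found in the topology")` or whichever error exit the script already uses. install_replica continues outside the hunk, so a later check may exist that is not visible here.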
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 921e49495..cd594c21d 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -38,7 +38,7 @@ def install_check(standalone, replica_config, options): if standalone and not options.skip_conncheck: principal = options.principal replica_conn_check( - replica_config.master_host_name, host_name, realm_name, True, + replica_config.ca_host_name, host_name, realm_name, True, replica_config.ca_ds_port, options.admin_password, principal=principal, ca_cert_file=options.ca_cert_file) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 48b66e270..d7dffbe0e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1349,7 +1349,7 @@ def replica_ca_install_check(config): return # Check if the master has the necessary schema in its CA instance - ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port) + ca_ldap_url = 'ldap://%s:%s' % (config.ca_host_name, config.ca_ds_port) objectclass = 'ipaObject' root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url) try: @@ -1418,7 +1418,7 @@ def install_replica_ca(config, postinstall=False, ra_p12=None): ca.configure_instance(config.host_name, config.dirman_password, config.dirman_password, pkcs12_info=(cafile,), ra_p12=ra_p12, - master_host=config.master_host_name, + master_host=config.ca_host_name, master_replication_port=config.ca_ds_port, subject_base=config.subject_base) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 5ea93aea0..96f4adbfa 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
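Review bot: The comment kept above the changed line in replica_ca_install_check still reads `# Check if the master has the necessary schema in its CA instance`, but the URL is now built from `config.ca_host_name`, which the commit message says may differ from the master. I would reword it to `# Check if the remote CA host has the necessary schema in its CA instance`. The same naming drift is in the install_replica_ca hunk, where `master_host=config.ca_host_name` deserves a short comment such as `# master_host is the remote CA host to replicate from, not necessarily the IPA master`. Separately, the URL uses the plain `ldap://` scheme and the `try:` block that opens the connection lies outside the hunk. It is worth confirming that the connection is upgraded with StartTLS before any credentials are sent, now that the target can be a different machine from the master.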
@@ -549,9 +549,10 @@ def install_check(installer): raise ScriptError("Directory Manager password required") config = create_replica_config(dirman_password, filename, options) - installer._top_dir = config.top_dir + config.ca_host_name = config.master_host_name config.setup_ca = options.setup_ca config.setup_kra = options.setup_kra + installer._top_dir = config.top_dir ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12") @@ -576,7 +577,7 @@ def install_check(installer): fd.write("dogtag_version=10\n") if not config.setup_ca: - fd.write("ca_host={0}\n".format(config.master_host_name)) + fd.write("ca_host={0}\n".format(config.ca_host_name)) else: fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") @@ -1258,7 +1259,8 @@ def promote_check(installer): config.subject_base = DN(subject_base) # Find if any server has a CA - ca_host = service.find_providing_server('CA', conn, api.env.server) + ca_host = service.find_providing_server( + 'CA', conn, config.ca_host_name) if ca_host is not None: config.ca_host_name = ca_host ca_enabled = True
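Review bot: In the promote_check hunk, `config.ca_host_name` is passed to `service.find_providing_server('CA', conn, config.ca_host_name)` two lines before the only assignment to it that the hunk shows (`config.ca_host_name = ca_host`). The call previously used `api.env.server`, so the new code depends on the attribute having been initialised earlier in promote_check, outside the hunk. If that initialisation is not already there, adding `config.ca_host_name = api.env.ca_host` next to the other config fields would match what ipa-ca-install passes to the same lookup. Left unset or None, the third argument, which looks like the preferred host for the lookup, would no longer steer the search the way `api.env.server` did.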