Automatically update CA certificate in LDAP on renewal.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

install/restart_scripts/renew_ca_cert

@@ -28,10 +28,12 @@ import shutil
 import traceback
 
 from ipapython import dogtag, certmonger, ipautil
+from ipapython.dn import DN
 from ipalib import api, errors, x509, util
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
+from ipaplatform.paths import paths
 
 def main():
     nickname = sys.argv[1]
@@ -88,6 +90,32 @@ def main():
                 syslog.LOG_ERR,
                 "Updating trust on certificate %s failed in %s" %
                 (nickname, db.secdir))
+    elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
+        # Update CA certificate in LDAP
+        tmpdir = tempfile.mkdtemp(prefix="tmp-")
+        try:
+            principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+            ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+                                                 principal)
+
+            conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+            conn.connect(ccache=ccache)
+
+            dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'),
+                    api.env.basedn)
+            try:
+                entry = conn.get_entry(dn, attrs_list=['cACertificate;binary'])
+                entry['cACertificate;binary'] = [cert]
+                conn.update_entry(entry)
+            except errors.EmptyModlist:
+                pass
+
+            conn.disconnect()
+        except Exception, e:
+            syslog.syslog(
+                syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
+        finally:
+            shutil.rmtree(tmpdir)
 
     # Now we can start the CA. Using the services start should fire
     # off the servlet to verify that the CA is actually up and responding so