Simplify and consolidate ipaca.ini
Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
@@ -12,7 +12,6 @@
|
|||||||
#
|
#
|
||||||
# Predefined variables
|
# Predefined variables
|
||||||
# - ipa_ca_subject
|
# - ipa_ca_subject
|
||||||
# - ipa_ds_base_dn
|
|
||||||
# - ipa_fqdn
|
# - ipa_fqdn
|
||||||
# - ipa_subject_base
|
# - ipa_subject_base
|
||||||
# - pki_admin_password
|
# - pki_admin_password
|
||||||
|
|||||||
@@ -8,15 +8,10 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
# hard-coded IPA default settings
|
|
||||||
ipa_security_domain_name=IPA
|
|
||||||
ipa_ds_database=ipaca
|
|
||||||
ipa_admin_nickname=ipa-ca-agent
|
|
||||||
ipa_ca_pem_file=/etc/ipa/ca.crt
|
ipa_ca_pem_file=/etc/ipa/ca.crt
|
||||||
|
|
||||||
## dynamic values
|
## dynamic values
|
||||||
# ipa_ca_subject=
|
# ipa_ca_subject=
|
||||||
# ipa_ds_base_dn=
|
|
||||||
# ipa_subject_base=
|
# ipa_subject_base=
|
||||||
# ipa_fqdn=
|
# ipa_fqdn=
|
||||||
# ipa_ocsp_uri=
|
# ipa_ocsp_uri=
|
||||||
@@ -36,8 +31,8 @@ pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
|
|||||||
pki_admin_cert_request_type=pkcs10
|
pki_admin_cert_request_type=pkcs10
|
||||||
pki_admin_dualkey=False
|
pki_admin_dualkey=False
|
||||||
pki_admin_name=%(ipa_admin_user)s
|
pki_admin_name=%(ipa_admin_user)s
|
||||||
pki_admin_nickname=%(ipa_admin_nickname)s
|
pki_admin_nickname=ipa-ca-agent
|
||||||
pki_admin_subject_dn=cn=%(ipa_admin_nickname)s,%(ipa_subject_base)s
|
pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
|
||||||
pki_admin_uid=%(ipa_admin_user)s
|
pki_admin_uid=%(ipa_admin_user)s
|
||||||
|
|
||||||
pki_ca_hostname=%(pki_security_domain_hostname)s
|
pki_ca_hostname=%(pki_security_domain_hostname)s
|
||||||
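Review bot: `pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s` now repeats the literal that `pki_admin_nickname=ipa-ca-agent` sets one line above, so the two can drift apart if either is edited later; keeping the interpolation, `pki_admin_subject_dn=cn=%(pki_admin_nickname)s,%(ipa_subject_base)s`, preserves the consolidation without the duplicate. The same pattern appears in the last hunk of this file, where `pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca` could read `o=%(pki_ds_database)s` against the `pki_ds_database=ipaca` this commit adds to [DEFAULT]. Both keys live in [DEFAULT] or resolve through it, so the interpolation works with the same ConfigParser the loader already uses.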
@@ -55,6 +50,10 @@ pki_client_pkcs12_password=%(pki_admin_password)s
|
|||||||
pki_ds_bind_dn=cn=Directory Manager
|
pki_ds_bind_dn=cn=Directory Manager
|
||||||
pki_ds_ldap_port=389
|
pki_ds_ldap_port=389
|
||||||
pki_ds_ldaps_port=636
|
pki_ds_ldaps_port=636
|
||||||
|
# CA: o=ipaca, KRA: o=kra,o=ipaca
|
||||||
|
pki_ds_base_dn=o=ipaca
|
||||||
|
pki_ds_database=ipaca
|
||||||
|
pki_ds_hostname=%(ipa_fqdn)s
|
||||||
pki_ds_remove_data=True
|
pki_ds_remove_data=True
|
||||||
pki_ds_secure_connection=False
|
pki_ds_secure_connection=False
|
||||||
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
|
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
|
||||||
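Review bot: `pki_ds_base_dn=o=ipaca` is set in [DEFAULT] here and again in [CA] in the hunk that follows `pki_pkcs12_password=`, so one of the two copies is redundant. Since the new comment `# CA: o=ipaca, KRA: o=kra,o=ipaca` says the value is subsystem-specific, it would be safer to leave it out of [DEFAULT] so that a future section cannot silently inherit the CA's directory tree and has to declare its own base DN. If the [DEFAULT] entry is kept deliberately as a fallback, a comment saying so (`# fallback only; every subsystem section overrides this`) would stop the next reader from deleting either copy. `pki_ds_database=ipaca` and `pki_ds_hostname=%(ipa_fqdn)s` are genuinely shared and belong in [DEFAULT].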
@@ -70,7 +69,7 @@ pki_enable_proxy=True
|
|||||||
pki_restart_configured_instance=False
|
pki_restart_configured_instance=False
|
||||||
pki_security_domain_hostname=%(ipa_fqdn)s
|
pki_security_domain_hostname=%(ipa_fqdn)s
|
||||||
pki_security_domain_https_port=443
|
pki_security_domain_https_port=443
|
||||||
pki_security_domain_name=%(ipa_security_domain_name)s
|
pki_security_domain_name=IPA
|
||||||
pki_security_domain_password=%(pki_admin_password)s
|
pki_security_domain_password=%(pki_admin_password)s
|
||||||
pki_security_domain_user=%(ipa_admin_user)s
|
pki_security_domain_user=%(ipa_admin_user)s
|
||||||
pki_self_signed_token=internal
|
pki_self_signed_token=internal
|
||||||
@@ -81,6 +80,7 @@ pki_skip_installation=False
|
|||||||
pki_skip_sd_verify=False
|
pki_skip_sd_verify=False
|
||||||
|
|
||||||
pki_sslserver_token=internal
|
pki_sslserver_token=internal
|
||||||
|
pki_ssl_server_token=%(pki_sslserver_token)s
|
||||||
pki_sslserver_nickname=Server-Cert cert-pki-ca
|
pki_sslserver_nickname=Server-Cert cert-pki-ca
|
||||||
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
|
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
|
||||||
|
|
||||||
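Review bot: `pki_ssl_server_token=%(pki_sslserver_token)s` introduces a second spelling of the same setting with no comment on why both are needed, so a reader will assume one of them is a typo. I would put a line above it such as `# second spelling of pki_sslserver_token read by pkispawn; kept in sync via interpolation`, adjusted to whatever the actual reason is — the diff does not show which component reads which name. Tying the alias to the original through interpolation rather than repeating the literal is the right choice, since the token name presumably decides where the server key is stored.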
@@ -101,28 +101,16 @@ pki_cert_chain_nickname=caSigningCert External CA
|
|||||||
pki_pkcs12_path=
|
pki_pkcs12_path=
|
||||||
pki_pkcs12_password=
|
pki_pkcs12_password=
|
||||||
|
|
||||||
pki_ds_base_dn=%(ipa_ds_base_dn)s
|
|
||||||
pki_ds_database=%(ipa_ds_database)s
|
|
||||||
pki_ds_hostname=%(ipa_fqdn)s
|
|
||||||
|
|
||||||
|
|
||||||
[CA]
|
[CA]
|
||||||
|
pki_ds_base_dn=o=ipaca
|
||||||
|
|
||||||
pki_ca_signing_record_create=True
|
pki_ca_signing_record_create=True
|
||||||
pki_ca_signing_serial_number=1
|
pki_ca_signing_serial_number=1
|
||||||
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
|
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
|
||||||
|
|
||||||
pki_ca_signing_csr_path=/root/ipa.csr
|
pki_ca_signing_csr_path=/root/ipa.csr
|
||||||
|
|
||||||
# pki_ocsp_signing_csr_path=
|
|
||||||
# pki_audit_signing_csr_path=
|
|
||||||
# pki_sslserver_csr_path=
|
|
||||||
# pki_subsystem_csr_path=
|
|
||||||
|
|
||||||
# pki_ocsp_signing_cert_path=
|
|
||||||
# pki_audit_signing_cert_path=
|
|
||||||
# pki_sslserver_cert_path=
|
|
||||||
# pki_subsystem_cert_path=
|
|
||||||
|
|
||||||
pki_ca_starting_crl_number=0
|
pki_ca_starting_crl_number=0
|
||||||
|
|
||||||
pki_external=False
|
pki_external=False
|
||||||
@@ -139,7 +127,6 @@ pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
|
|||||||
pki_profiles_in_ldap=True
|
pki_profiles_in_ldap=True
|
||||||
pki_subordinate=False
|
pki_subordinate=False
|
||||||
pki_subordinate_create_new_security_domain=False
|
pki_subordinate_create_new_security_domain=False
|
||||||
### pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
|
|
||||||
|
|
||||||
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
|
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
|
||||||
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
|
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
|
||||||
@@ -158,26 +145,15 @@ pki_replica_number_range_end=100
|
|||||||
|
|
||||||
|
|
||||||
[KRA]
|
[KRA]
|
||||||
|
pki_ds_base_dn=o=kra,o=ipaca
|
||||||
|
pki_ds_create_new_db=False
|
||||||
|
pki_ds_secure_connection=True
|
||||||
|
|
||||||
pki_import_admin_cert=True
|
pki_import_admin_cert=True
|
||||||
pki_standalone=False
|
pki_standalone=False
|
||||||
pki_ds_create_new_db=False
|
|
||||||
|
|
||||||
# pki_admin_csr_path=
|
|
||||||
# pki_audit_signing_csr_path=
|
|
||||||
# pki_sslserver_csr_path=
|
|
||||||
# pki_storage_csr_path=
|
|
||||||
# pki_subsystem_csr_path=
|
|
||||||
# pki_transport_csr_path=
|
|
||||||
|
|
||||||
pki_external_step_two=False
|
pki_external_step_two=False
|
||||||
|
|
||||||
# pki_admin_cert_path=
|
|
||||||
# pki_audit_signing_cert_path=
|
|
||||||
# pki_sslserver_cert_path=
|
|
||||||
# pki_storage_cert_path=
|
|
||||||
# pki_subsystem_cert_path=
|
|
||||||
# pki_transport_cert_path=
|
|
||||||
|
|
||||||
pki_storage_nickname=storageCert cert-pki-kra
|
pki_storage_nickname=storageCert cert-pki-kra
|
||||||
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
|
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
|
||||||
|
|
||||||
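Review bot: `pki_ds_secure_connection=True` in [KRA] replaces a code-level `# always LDAPS` comment that the kra.py hunk at the end of this page deletes, and the ini keeps no trace of that intent; add it here, e.g. `# always LDAPS; overrides pki_ds_secure_connection=False from [DEFAULT]`. Because [DEFAULT] sets the value to False and the loader layers ipaca_customize.ini and a user-supplied pki_config_override on top (per the later Python hunks), it is worth confirming that an override file cannot downgrade the KRA to plain LDAP — a [DEFAULT]-only override loses to this section value under ConfigParser, but a [KRA] entry in an override file would win. Enforcing the requirement in code, as the removed kra.py line did, is the stronger guarantee; if moving it to the ini is deliberate, a note that the setting is security-relevant would help whoever edits the file next.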
@@ -190,4 +166,4 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
|
|||||||
# Needed because CA and KRA share the same database
|
# Needed because CA and KRA share the same database
|
||||||
# We will use the dbuser created for the CA.
|
# We will use the dbuser created for the CA.
|
||||||
pki_share_db=True
|
pki_share_db=True
|
||||||
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(ipa_ds_database)s
|
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
|
||||||
|
|||||||
@@ -501,7 +501,7 @@ class CAInstance(DogtagInstance):
|
|||||||
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
|
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
|
||||||
# generate pin which we know can be used for FIPS NSS database
|
# generate pin which we know can be used for FIPS NSS database
|
||||||
pki_pin = ipautil.ipa_generate_password()
|
pki_pin = ipautil.ipa_generate_password()
|
||||||
cfg['pki_pin'] = pki_pin
|
cfg['pki_server_database_password'] = pki_pin
|
||||||
else:
|
else:
|
||||||
pki_pin = None
|
pki_pin = None
|
||||||
|
|
||||||
|
|||||||
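Review bot: `cfg['pki_server_database_password'] = pki_pin` changes the key name, but the local is still called `pki_pin` and the comment above still says "pin", so the link between the generated secret and pkispawn's NSS database password is now only implicit; rewording the comment to `# generate the NSS database password (pkispawn pki_server_database_password) so it is FIPS-compatible` would make it explicit. The same rename appears in the kra.py hunk near the end of this page. If any ini template or override file still interpolates `%(pki_pin)s`, the removed key would surface as an interpolation error when the spawn config is built, which I cannot confirm from the diff. The if/else this sits in starts outside the hunk.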
@@ -608,7 +608,6 @@ class DogtagInstance(service.Service):
|
|||||||
subsystem=self.subsystem,
|
subsystem=self.subsystem,
|
||||||
fqdn=self.fqdn,
|
fqdn=self.fqdn,
|
||||||
domain=api.env.domain,
|
domain=api.env.domain,
|
||||||
basedn=self.basedn, # o=ipaca / o=kra,o=ipaca
|
|
||||||
subject_base=self.subject_base,
|
subject_base=self.subject_base,
|
||||||
ca_subject=self.ca_subject,
|
ca_subject=self.ca_subject,
|
||||||
admin_user=self.admin_user,
|
admin_user=self.admin_user,
|
||||||
@@ -627,9 +626,6 @@ class PKIIniLoader:
|
|||||||
paths.USR_SHARE_IPA_DIR, 'ipaca_customize.ini'
|
paths.USR_SHARE_IPA_DIR, 'ipaca_customize.ini'
|
||||||
)
|
)
|
||||||
|
|
||||||
security_domain_name = 'IPA'
|
|
||||||
ipaca_database = 'ipaca'
|
|
||||||
admin_nickname = 'ipa-ca-agent'
|
|
||||||
token_stanzas = [
|
token_stanzas = [
|
||||||
'pki_audit_signing_token',
|
'pki_audit_signing_token',
|
||||||
'pki_subsystem_token',
|
'pki_subsystem_token',
|
||||||
@@ -639,16 +635,12 @@ class PKIIniLoader:
|
|||||||
'pki_transport_token',
|
'pki_transport_token',
|
||||||
]
|
]
|
||||||
|
|
||||||
def __init__(self, subsystem, fqdn, domain, basedn,
|
def __init__(self, subsystem, fqdn, domain,
|
||||||
subject_base, ca_subject, admin_user, admin_password,
|
subject_base, ca_subject, admin_user, admin_password,
|
||||||
dm_password, pki_config_override=None):
|
dm_password, pki_config_override=None):
|
||||||
self.pki_config_override = pki_config_override
|
self.pki_config_override = pki_config_override
|
||||||
self.defaults = dict(
|
self.defaults = dict(
|
||||||
# pretty much static
|
# pretty much static
|
||||||
ipa_security_domain_name=self.security_domain_name,
|
|
||||||
ipa_ds_database=self.ipaca_database,
|
|
||||||
ipa_ds_base_dn=basedn,
|
|
||||||
ipa_admin_nickname=self.admin_nickname,
|
|
||||||
ipa_ca_pem_file=paths.IPA_CA_CRT,
|
ipa_ca_pem_file=paths.IPA_CA_CRT,
|
||||||
# variable
|
# variable
|
||||||
ipa_ca_subject=ca_subject,
|
ipa_ca_subject=ca_subject,
|
||||||
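Review bot: Dropping `ipa_ds_base_dn=basedn` from `self.defaults` removes a variable that user-supplied `pki_config_override` files may still reference as `%(ipa_ds_base_dn)s`; such a file would now fail at interpolation time rather than at a clear validation point. That deserves a mention in the ini's predefined-variables header, and a validation error naming the removed variable if the loader has a check for unknown references (I cannot tell from the diff). Also, the `# pretty much static` comment now labels only `ipa_ca_pem_file=paths.IPA_CA_CRT`; `# static path` or dropping the comment would read better. The `__init__` body continues outside the hunk.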
@@ -729,7 +721,7 @@ class PKIIniLoader:
|
|||||||
}
|
}
|
||||||
|
|
||||||
# add ipaca_customize overlay,
|
# add ipaca_customize overlay,
|
||||||
# These are settings that can be modified by a user, too. We use
|
# These are settings that can be modified by a user, too. We use
|
||||||
# ipaca_customize.ini to set sensible defaults.
|
# ipaca_customize.ini to set sensible defaults.
|
||||||
with open(self.ipaca_customize) as f:
|
with open(self.ipaca_customize) as f:
|
||||||
cfgtpl.read_file(f)
|
cfgtpl.read_file(f)
|
||||||
@@ -776,11 +768,17 @@ class PKIIniLoader:
|
|||||||
def test():
|
def test():
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
loader = PKIIniLoader(
|
sharedir = os.path.abspath(os.path.join(
|
||||||
subsystem='CA',
|
os.path.dirname(os.path.join(__file__)),
|
||||||
|
os.pardir,
|
||||||
|
os.pardir,
|
||||||
|
'install',
|
||||||
|
'share',
|
||||||
|
))
|
||||||
|
|
||||||
|
base_settings = dict(
|
||||||
fqdn='replica.ipa.example',
|
fqdn='replica.ipa.example',
|
||||||
domain='ipa.example',
|
domain='ipa.example',
|
||||||
basedn='o=ipaca',
|
|
||||||
subject_base='o=IPA,o=EXAMPLE',
|
subject_base='o=IPA,o=EXAMPLE',
|
||||||
ca_subject='cn=CA,o=IPA,o=EXAMPLE',
|
ca_subject='cn=CA,o=IPA,o=EXAMPLE',
|
||||||
admin_user='admin',
|
admin_user='admin',
|
||||||
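Review bot: `os.path.dirname(os.path.join(__file__))` calls `os.path.join` with a single argument, which is a no-op, so this should be plain `os.path.dirname(__file__)`. The next hunk keeps `pki_config_override='install/share/ipaca_softhsm2.ini'` as a cwd-relative path while `ipaca_default` and `ipaca_customize` are now resolved against `sharedir`; using `os.path.join(sharedir, 'ipaca_softhsm2.ini')` in `base_settings` would let `test()` run from any directory. `test()` continues in the following hunk.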
@@ -788,12 +786,14 @@ def test():
|
|||||||
dm_password='Secret2',
|
dm_password='Secret2',
|
||||||
pki_config_override='install/share/ipaca_softhsm2.ini',
|
pki_config_override='install/share/ipaca_softhsm2.ini',
|
||||||
)
|
)
|
||||||
loader.ipaca_default = 'install/share/ipaca_default.ini'
|
|
||||||
loader.ipaca_customize = 'install/share/ipaca_customize.ini'
|
for subsystem in ('CA', 'KRA'):
|
||||||
config = loader.create_spawn_config(dict(
|
print('-' * 78)
|
||||||
pki_external=True
|
loader = PKIIniLoader(subsystem=subsystem, **base_settings)
|
||||||
))
|
loader.ipaca_default = os.path.join(sharedir, 'ipaca_default.ini')
|
||||||
config.write(sys.stdout, False)
|
loader.ipaca_customize = os.path.join(sharedir, 'ipaca_customize.ini')
|
||||||
|
config = loader.create_spawn_config({})
|
||||||
|
config.write(sys.stdout, False)
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|||||||
@@ -169,15 +169,13 @@ class KRAInstance(DogtagInstance):
|
|||||||
pki_client_pkcs12_password=self.admin_password,
|
pki_client_pkcs12_password=self.admin_password,
|
||||||
pki_import_admin_cert=False,
|
pki_import_admin_cert=False,
|
||||||
pki_client_admin_cert_p12=admin_p12_file,
|
pki_client_admin_cert_p12=admin_p12_file,
|
||||||
pki_ds_secure_connection=True, # always LDAPS
|
|
||||||
pki_ds_create_new_db=False,
|
|
||||||
)
|
)
|
||||||
|
|
||||||
if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
|
if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
|
||||||
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
|
os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
|
||||||
# generate pin which we know can be used for FIPS NSS database
|
# generate pin which we know can be used for FIPS NSS database
|
||||||
pki_pin = ipautil.ipa_generate_password()
|
pki_pin = ipautil.ipa_generate_password()
|
||||||
cfg['pki_pin'] = pki_pin
|
cfg['pki_server_database_password'] = pki_pin
|
||||||
else:
|
else:
|
||||||
pki_pin = None
|
pki_pin = None
|
||||||
|
|
||||||
|
|||||||