Remove DL0 specific code from cainstance and ca in ipaserver/install

cainstance.replica_ca_install_check is only used in ca.install_check if replica_config is not None (replica installation). As it is immediately stopped if promote is not set, therefore it can be removed. The check for cafile in ca.install_check has been dropped. promote is set to True in ca.install_step_0 if replica_config is not None for cainstance.configure_instance. See: https://pagure.io/freeipa/issue/7689 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-26 16:16:31 -06:00 · 2018-09-10 14:30:44 +02:00 · 2018-09-10 14:30:44 +02:00 · 9af0b0949e
commit 9af0b0949e
parent 418da605c9
2 changed files with 4 additions and 47 deletions
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@ -140,10 +140,6 @@ def install_check(standalone, replica_config, options):
        if standalone and api.env.ra_plugin == 'selfsign':
            raise ScriptError('A selfsign CA can not be added')

-        cafile = os.path.join(replica_config.dir, 'cacert.p12')
-        if not options.promote and not os.path.isfile(cafile):
-            raise ScriptError('CA cannot be installed in CA-less setup.')
-
        if standalone and not options.skip_conncheck:
            principal = options.principal
            replica_conn_check(
@ -153,8 +149,6 @@ def install_check(standalone, replica_config, options):

        if options.skip_schema_check:
            logger.info("Skipping CA DS schema check")
-        else:
-            cainstance.replica_ca_install_check(replica_config, options.promote)

        return

@ -278,10 +272,9 @@ def install_step_0(standalone, replica_config, options, custodia):
        promote = False
    else:
        cafile = os.path.join(replica_config.dir, 'cacert.p12')
-        if options.promote:
-            custodia.get_ca_keys(
-                cafile,
-                replica_config.dirman_password)
+        custodia.get_ca_keys(
+            cafile,
+            replica_config.dirman_password)

        ca_signing_algorithm = None
        ca_type = None
@ -294,7 +287,7 @@ def install_step_0(standalone, replica_config, options, custodia):
        master_replication_port = replica_config.ca_ds_port
        ra_p12 = os.path.join(replica_config.dir, 'ra.p12')
        ra_only = not replica_config.setup_ca
-        promote = options.promote
+        promote = True

    # if upgrading from CA-less to CA-ful, need to rewrite
    # certmap.conf and subject_base configuration
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -58,7 +58,6 @@ from ipaplatform.tasks import tasks
 from ipapython import directivesetter
 from ipapython import dogtag
 from ipapython import ipautil
-from ipapython import ipaldap
 from ipapython.certdb import get_ca_nickname
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import standard_logging_setup
@ -1396,41 +1395,6 @@ class CAInstance(DogtagInstance):
                  )


-def replica_ca_install_check(config, promote):
-    if promote:
-        return
-
-    # Check if the master has the necessary schema in its CA instance
-    ca_ldap_url = 'ldap://%s:%s' % (config.ca_host_name, config.ca_ds_port)
-    objectclass = 'ipaObject'
-    logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
-    try:
-        with ipaldap.LDAPClient(
-                ca_ldap_url,
-                start_tls=True,
-                cacert=config.dir + "/ca.crt",
-                force_schema_updates=False) as connection:
-            connection.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
-                                   bind_password=config.dirman_password)
-            rschema = connection.schema
-            result = rschema.get_obj(ldap.schema.models.ObjectClass,
-                                     objectclass)
-    except Exception:
-        logger.critical(
-            'CA DS schema check failed. Make sure the PKI service on the '
-            'remote master is operational.')
-        raise
-    if result:
-        logger.debug('Check OK')
-    else:
-        logger.critical(
-            'The master CA directory server does not have necessary schema. '
-            'Please run copy-schema-to-ca.py on all CA masters.\n'
-            'If you are certain that this is a false positive, use '
-            '--skip-schema-check.')
-        sys.exit('IPA schema missing on master CA directory server')
-
-
 def __update_entry_from_cert(make_filter, make_entry, cert):
    """
    Given a certificate and functions to make a filter based on the