Remove DL0 specific code from cainstance and ca in ipaserver/install

cainstance.replica_ca_install_check is only used in ca.install_check if
replica_config is not None (replica installation). Since it is immediately
stopped if promote is not set, it can be removed.

The check for cafile in ca.install_check has been dropped. promote is set
to True in ca.install_step_0 if replica_config is not None for
cainstance.configure_instance.

See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Thomas Woerner 2018-09-10 14:30:44 +02:00
parent 418da605c9
commit 9af0b0949e
2 changed files with 4 additions and 47 deletions


@ -140,10 +140,6 @@ def install_check(standalone, replica_config, options):
if standalone and api.env.ra_plugin == 'selfsign': if standalone and api.env.ra_plugin == 'selfsign':
raise ScriptError('A selfsign CA can not be added') raise ScriptError('A selfsign CA can not be added')
cafile = os.path.join(replica_config.dir, 'cacert.p12')
if not options.promote and not os.path.isfile(cafile):
raise ScriptError('CA cannot be installed in CA-less setup.')
if standalone and not options.skip_conncheck: if standalone and not options.skip_conncheck:
principal = options.principal principal = options.principal
replica_conn_check( replica_conn_check(
@ -153,8 +149,6 @@ def install_check(standalone, replica_config, options):
if options.skip_schema_check: if options.skip_schema_check:
logger.info("Skipping CA DS schema check") logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(replica_config, options.promote)
return return
@ -278,10 +272,9 @@ def install_step_0(standalone, replica_config, options, custodia):
promote = False promote = False
else: else:
cafile = os.path.join(replica_config.dir, 'cacert.p12') cafile = os.path.join(replica_config.dir, 'cacert.p12')
if options.promote: custodia.get_ca_keys(
custodia.get_ca_keys( cafile,
cafile, replica_config.dirman_password)
replica_config.dirman_password)
ca_signing_algorithm = None ca_signing_algorithm = None
ca_type = None ca_type = None
@ -294,7 +287,7 @@ def install_step_0(standalone, replica_config, options, custodia):
master_replication_port = replica_config.ca_ds_port master_replication_port = replica_config.ca_ds_port
ra_p12 = os.path.join(replica_config.dir, 'ra.p12') ra_p12 = os.path.join(replica_config.dir, 'ra.p12')
ra_only = not replica_config.setup_ca ra_only = not replica_config.setup_ca
promote = options.promote promote = True
# if upgrading from CA-less to CA-ful, need to rewrite # if upgrading from CA-less to CA-ful, need to rewrite
# certmap.conf and subject_base configuration # certmap.conf and subject_base configuration
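Review bot: In the second hunk (`@ -153,8 +149,6`) the `if options.skip_schema_check:` branch still logs "Skipping CA DS schema check" while the check it used to skip, the `else:` call to `cainstance.replica_ca_install_check`, is gone, so the message promises a check that no longer exists and `--skip-schema-check` has no remaining effect in this function. If the option is kept for command-line compatibility, say so at the branch, e.g. `# --skip-schema-check no longer disables anything here: the DS schema check only ran for non-promote replicas and was removed with the DL0 code` placed before the `if`; otherwise the branch can be dropped as well. The same question applies to `options.promote`, which, within the hunks shown, is no longer read after the `promote = options.promote` → `promote = True` change in the last hunk. install_check's body begins and ends outside the hunk.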


@ -58,7 +58,6 @@ from ipaplatform.tasks import tasks
from ipapython import directivesetter from ipapython import directivesetter
from ipapython import dogtag from ipapython import dogtag
from ipapython import ipautil from ipapython import ipautil
from ipapython import ipaldap
from ipapython.certdb import get_ca_nickname from ipapython.certdb import get_ca_nickname
from ipapython.dn import DN from ipapython.dn import DN
from ipapython.ipa_log_manager import standard_logging_setup from ipapython.ipa_log_manager import standard_logging_setup
@ -1396,41 +1395,6 @@ class CAInstance(DogtagInstance):
) )
def replica_ca_install_check(config, promote):
if promote:
return
# Check if the master has the necessary schema in its CA instance
ca_ldap_url = 'ldap://%s:%s' % (config.ca_host_name, config.ca_ds_port)
objectclass = 'ipaObject'
logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
try:
with ipaldap.LDAPClient(
ca_ldap_url,
start_tls=True,
cacert=config.dir + "/ca.crt",
force_schema_updates=False) as connection:
connection.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=config.dirman_password)
rschema = connection.schema
result = rschema.get_obj(ldap.schema.models.ObjectClass,
objectclass)
except Exception:
logger.critical(
'CA DS schema check failed. Make sure the PKI service on the '
'remote master is operational.')
raise
if result:
logger.debug('Check OK')
else:
logger.critical(
'The master CA directory server does not have necessary schema. '
'Please run copy-schema-to-ca.py on all CA masters.\n'
'If you are certain that this is a false positive, use '
'--skip-schema-check.')
sys.exit('IPA schema missing on master CA directory server')
def __update_entry_from_cert(make_filter, make_entry, cert): def __update_entry_from_cert(make_filter, make_entry, cert):
""" """
Given a certificate and functions to make a filter based on the Given a certificate and functions to make a filter based on the