Upgrade: configure local/full PKINIT depending on the master status
The upgrader has been modified to configure either local or full PKINIT depending on the CA status. Additionally, the new PKINIT configuration will be written to the master's KDC entry. https://pagure.io/freeipa/issue/6830 http://www.freeipa.org/page/V4/Kerberos_PKINIT Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
parent
2374b648d0
commit
a194055c92
@ -1485,14 +1485,17 @@ def add_default_caacl(ca):
|
|||||||
def setup_pkinit(krb):
|
def setup_pkinit(krb):
|
||||||
root_logger.info("[Setup PKINIT]")
|
root_logger.info("[Setup PKINIT]")
|
||||||
|
|
||||||
if not api.Command.ca_is_enabled()['result']:
|
pkinit_is_enabled = krbinstance.is_pkinit_enabled()
|
||||||
root_logger.info("CA is not enabled")
|
ca_is_enabled = api.Command.ca_is_enabled()['result']
|
||||||
return
|
|
||||||
|
|
||||||
if not os.path.exists(paths.KDC_CERT):
|
if not pkinit_is_enabled:
|
||||||
root_logger.info("Requesting PKINIT certificate")
|
if ca_is_enabled:
|
||||||
krb.setup_pkinit()
|
krb.issue_ipa_ca_signed_pkinit_certs()
|
||||||
|
else:
|
||||||
|
krb.issue_selfsigned_pkinit_certs()
|
||||||
|
|
||||||
|
# reconfigure KDC just in case in order to handle potentially broken
|
||||||
|
# 4.5.0 -> 4.5.1 upgrade path
|
||||||
replacevars = dict()
|
replacevars = dict()
|
||||||
replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
|
replacevars['pkinit_identity'] = 'FILE:{},{}'.format(
|
||||||
paths.KDC_CERT,paths.KDC_KEY)
|
paths.KDC_CERT,paths.KDC_KEY)
|
||||||
|
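Review bot: The new `if ca_is_enabled:` / `else:` branch issues either a CA-signed or a self-signed KDC certificate without logging which one, and both info messages from the old code ("CA is not enabled", "Requesting PKINIT certificate") are dropped. Going by the commit description, the self-signed path yields only local PKINIT, so the upgrade log should record the outcome: add `root_logger.info("Issuing IPA CA-signed PKINIT certificate")` before `krb.issue_ipa_ca_signed_pkinit_certs()` and `root_logger.info("CA is not enabled, issuing self-signed PKINIT certificate")` before `krb.issue_selfsigned_pkinit_certs()`. Separately, the `os.path.exists(paths.KDC_CERT)` check is replaced by `krbinstance.is_pkinit_enabled()`, whose implementation is not shown here. If it can return true while the certificate or key file is missing, the unconditional `pkinit_identity` rewrite would point the KDC at a file that does not exist, so that case is worth confirming. `setup_pkinit` continues past the end of the hunk.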