Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared across CA replicas, it puts them in LDAP for the other CA replicas to see. The code to create/update these entries lives in the dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for the ipa-cert-fix program too. Extract it to a subroutine in the cainstance module. Part of: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
parent
0b21e2ab9f
commit
a2a006c746
@ -270,23 +270,9 @@ def store_cert(**kwargs):
|
|||||||
return (REJECTED, "New certificate requests not supported")
|
return (REJECTED, "New certificate requests not supported")
|
||||||
cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
|
cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
|
||||||
|
|
||||||
dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
|
|
||||||
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
|
|
||||||
try:
|
try:
|
||||||
with ldap_connect() as conn:
|
with ldap_connect() as conn:
|
||||||
try:
|
cainstance.update_ca_renewal_entry(conn, nickname, cert)
|
||||||
entry = conn.get_entry(dn, ['usercertificate'])
|
|
||||||
entry['usercertificate'] = [cert]
|
|
||||||
conn.update_entry(entry)
|
|
||||||
except errors.NotFound:
|
|
||||||
entry = conn.make_entry(
|
|
||||||
dn,
|
|
||||||
objectclass=['top', 'pkiuser', 'nscontainer'],
|
|
||||||
cn=[nickname],
|
|
||||||
usercertificate=[cert])
|
|
||||||
conn.add_entry(entry)
|
|
||||||
except errors.EmptyModlist:
|
|
||||||
pass
|
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
attempts += 1
|
attempts += 1
|
||||||
if attempts < 10:
|
if attempts < 10:
|
||||||
|
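Review bot: The new call `cainstance.update_ca_renewal_entry(conn, nickname, cert)` moves the update-or-create logic and the swallowed `EmptyModlist` into the helper while the surrounding `except Exception` retry at the bottom of the hunk still wraps it, and nothing at the call site says so; a one-line comment would keep that contract readable here, e.g. `# Update-or-create the ca_renewal entry; NotFound/EmptyModlist are handled in the helper, anything else is retried below.` The hunk does not show an import of `cainstance` in this script, so it is assumed to already be in scope; that is worth confirming, because a NameError on this line would be caught by the broad except and silently retried ten times instead of failing loudly. `store_cert` begins and ends outside the hunk.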
@ -1619,6 +1619,32 @@ def update_authority_entry(cert):
|
|||||||
return __update_entry_from_cert(make_filter, make_entry, cert)
|
return __update_entry_from_cert(make_filter, make_entry, cert)
|
||||||
|
|
||||||
|
|
||||||
|
def update_ca_renewal_entry(conn, nickname, cert):
|
||||||
|
"""
|
||||||
|
Update the ca_renewal entry for the given nickname.
|
||||||
|
|
||||||
|
:param conn: A *connected* LDAP handle
|
||||||
|
:param nickname: NSSDB nickname
|
||||||
|
:param cert: python-cryptography X509Certificate
|
||||||
|
|
||||||
|
"""
|
||||||
|
dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
|
||||||
|
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
|
||||||
|
try:
|
||||||
|
entry = conn.get_entry(dn, ['usercertificate'])
|
||||||
|
entry['usercertificate'] = [cert]
|
||||||
|
conn.update_entry(entry)
|
||||||
|
except errors.NotFound:
|
||||||
|
entry = conn.make_entry(
|
||||||
|
dn,
|
||||||
|
objectclass=['top', 'pkiuser', 'nscontainer'],
|
||||||
|
cn=[nickname],
|
||||||
|
usercertificate=[cert])
|
||||||
|
conn.add_entry(entry)
|
||||||
|
except errors.EmptyModlist:
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
def ensure_ldap_profiles_container():
|
def ensure_ldap_profiles_container():
|
||||||
ensure_entry(
|
ensure_entry(
|
||||||
DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
|
DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
|
||||||
|
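Review bot: The `except errors.EmptyModlist: pass` at the end of `update_ca_renewal_entry` swallows the case where the stored certificate already matches the new one, but nothing says so; replace the bare `pass` with a comment such as `# Certificate unchanged: nothing to write.` so a reader does not mistake it for an ignored error. The docstring should also state that `entry['usercertificate'] = [cert]` replaces every existing value, so the entry only ever carries the latest certificate, and that any other LDAP error (for example a failed `add_entry`) propagates to the caller, which in the renewal helper is a retry loop. The `:param cert:` line names a `X509Certificate`; the object passed in the other hunk comes from `x509.load_pem_x509_certificate`, so naming that function's actual return type (presumably IPA's certificate wrapper around cryptography's `Certificate`, to be confirmed) would help the planned ipa-cert-fix caller. This hunk is complete; `ensure_ldap_profiles_container` continues outside it.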