Detect CA installation type in ipa-replica-prepare and ipa-ca-install.

ipa-ca-install can only add a dogtag CA to an IPA install. ipa-replica-prepare can only be run on the initial master with a selfsign backend. https://fedorahosted.org/freeipa/ticket/1756 https://fedorahosted.org/freeipa/ticket/1757
2025-02-25 18:55:28 -06:00 · 2011-09-27 17:44:20 +02:00 · 2011-09-27 17:44:20 +02:00 · a41457ec3a
commit a41457ec3a
parent 2028a4095d
3 changed files with 22 additions and 7 deletions
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@ -83,6 +83,12 @@ def main():
    if not dsinstance.DsInstance().is_configured():
        sys.exit("IPA server is not configured on this system.\n")

+    api.bootstrap(in_server=True)
+    api.finalize()
+
+    if certs.ipa_self_signed():
+        sys.exit('A selfsign CA can not be added')
+
    # get the directory manager password
    dirman_password = options.password
    if not dirman_password:
@ -129,16 +135,9 @@ def main():
    if not options.skip_conncheck:
        replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password)

-    api.bootstrap(in_server=True)
-    api.finalize()
-
    # Configure the CA if necessary
    (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)

-    if not CA:
-        # not a dogtag CA replica
-        sys.exit("Not a dogtag CA installation!")
-
    # We need to ldap_enable the CA now that DS is up and running
    CA.ldap_enable('CA', config.host_name, config.dirman_password,
                   util.realm_to_suffix(config.realm_name))
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@ -243,6 +243,9 @@ def main():
    if not options.pkinit_pkcs12 and not certs.ipa_self_signed():
        options.setup_pkinit = False

+    if certs.ipa_self_signed_master() == False:
+        sys.exit('A selfsign CA backend can only prepare on the original master')
+
    try:
        installutils.verify_fqdn(replica_fqdn, system_name_check=False)
    except RuntimeError, e:
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@ -65,6 +65,19 @@ def ipa_self_signed():
    else:
        return False

+def ipa_self_signed_master():
+    """
+    The selfsign backend is enabled only one a single master.
+
+    Return True/False whether this is that master.
+
+    Returns None if not a self-signed server.
+    """
+    if ipa_self_signed():
+        return api.env.enable_ra
+    else:
+        return None
+
 def find_cert_from_txt(cert, start=0):
    """
    Given a cert blob (str) which may or may not contian leading and