replica install: improvements in the handling of CA-related IPA config entries
When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to the nearest CA master and all certificate requests are forwarded to it. A subsequent installation of the CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by the freshly installed local CA. https://fedorahosted.org/freeipa/ticket/5506 Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
parent
95d659b634
commit
a497288b3e
@ -7,8 +7,6 @@ from __future__ import print_function
import sys
import os.path
from six.moves.configparser import RawConfigParser
from ipaserver.install import cainstance, dsinstance, bindinstance
from ipapython import ipautil, certdb
from ipaplatform import services
@ -236,20 +234,6 @@ def install_step_1(standalone, replica_config, options):
if standalone:
ca.start('pki-tomcat')
# Update config file
try:
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version', '10')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
except IOError as e:
print("Failed to update /etc/ipa/default.conf")
root_logger.error(str(e))
sys.exit(1)
# We need to restart apache as we drop a new config file in there
services.knownservices.httpd.restart(capture_output=True)
@ -41,7 +41,7 @@ import shlex
import pipes
from six.moves import urllib
from six.moves.configparser import ConfigParser
from six.moves.configparser import ConfigParser, RawConfigParser
from ipalib import api
from ipalib import pkcs10, x509
@ -429,6 +429,7 @@ class CAInstance(DogtagInstance):
self.step("importing IPA certificate profiles",
import_included_profiles)
self.step("adding default CA ACL", ensure_default_caacl)
self.step("updating IPA configuration", update_ipa_conf)
self.start_creation(runtime=210)
@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance):
self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
self.step("updating IPA configuration", update_ipa_conf)
self.step("Restart HTTP server to pick up changes",
self.__restart_http_instance)
@ -1768,6 +1770,21 @@ def ensure_default_caacl():
api.Backend.ldap2.disconnect()
def update_ipa_conf():
"""
Update IPA configuration file to ensure that RA plugins are enabled and
that CA host points to localhost
"""
parser = RawConfigParser()
parser.read(paths.IPA_DEFAULT_CONF)
parser.set('global', 'enable_ra', 'True')
parser.set('global', 'ra_plugin', 'dogtag')
parser.set('global', 'dogtag_version', '10')
parser.remove_option('global', 'ca_host')
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
parser.write(f)
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
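Review bot: The docstring of update_ipa_conf says the CA host is pointed at localhost, but the body removes the option instead (`parser.remove_option('global', 'ca_host')`), so what actually happens is that any ca_host override is dropped and, per the commit message, the local CA is used; suggest rewording the second docstring line to `that any ca_host override is removed so the local CA handles requests`. The earlier form of this code in install_step_1 caught IOError, logged it and exited, whereas the new function lets the exception escape the step; that is presumably what the step runner expects, but worth confirming, because a failure after `open(paths.IPA_DEFAULT_CONF, 'w')` has truncated the file leaves default.conf partially written. RawConfigParser.read() silently skips a missing or unreadable file, after which `parser.set('global', ...)` raises NoSectionError rather than an I/O error; if that case is reachable on a replica, a clearer message than the bare exception would help.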
@ -483,6 +483,9 @@ def install_check(installer):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
if not config.setup_ca:
fd.write("ca_host={0}\n".format(config.master_host_name))
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
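Review bot: The value written to `ca_host` here is `config.master_host_name`, while the promote() hunk below appends `config.ca_host_name` for the same setting; if the master that prepared the replica file is not itself a CA master, this path would forward certificate requests to a host without a CA, whereas the promote() path resolves a CA host explicitly. If master_host_name is guaranteed to be a CA master on the replica-file path, a one-line comment stating that would make the difference intentional, e.g. `# the replica file is prepared on a CA master, so forward cert requests there`. Otherwise both installers should derive ca_host the same way. install_check continues outside the hunk.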
@ -1174,6 +1177,10 @@ def promote(installer):
ipaconf.setOption('enable_ra', 'True'),
ipaconf.setOption('ra_plugin', 'dogtag'),
ipaconf.setOption('dogtag_version', '10')]
if not options.setup_ca:
gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))
opts = [ipaconf.setSection('global', gopts)]
ipaconf.changeConf(target_fname, opts)