renew agent, restart scripts: connect to LDAP after kinit

Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-01-26 16:16:31 -06:00 · 2017-04-07 07:51:01 +02:00 · 2017-04-07 07:51:01 +02:00 · a6a89e2414
commit a6a89e2414
parent 3884a671cb
3 changed files with 12 additions and 6 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@ -518,7 +518,6 @@ def main():

    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
    api.finalize()
-    api.Backend.ldap2.connect()

    operation = os.environ.get('CERTMONGER_OPERATION')
    if operation not in ('SUBMIT', 'POLL'):
@ -532,6 +531,8 @@ def main():
        os.environ['KRB5CCNAME'] = ccache_filename
        kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)

+        api.Backend.ldap2.connect()
+
        profile = os.environ.get('CERTMONGER_CA_PROFILE')
        if is_replicated():
            if profile or is_renewal_master():
@ -547,9 +548,10 @@ def main():
            print(item)
        return res[0]
    finally:
+        if api.Backend.ldap2.isconnected():
+            api.Backend.ldap2.disconnect()
        certs.renewal_lock.release()
        shutil.rmtree(tmpdir)
-        api.Backend.ldap2.disconnect()


 try:
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@ -42,7 +42,6 @@ def _main():

    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
    api.finalize()
-    api.Backend.ldap2.connect()

    dogtag_service = services.knownservices['pki_tomcatd']

@ -77,6 +76,8 @@ def _main():
        kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
        os.environ['KRB5CCNAME'] = ccache_filename

+        api.Backend.ldap2.connect()
+
        ca = cainstance.CAInstance(host_name=api.env.host)
        ca.update_cert_config(nickname, cert)
        if ca.is_renewal_master():
@ -184,8 +185,9 @@ def _main():
                if conn is not None and conn.isconnected():
                    conn.disconnect()
    finally:
+        if api.Backend.ldap2.isconnected():
+            api.Backend.ldap2.disconnect()
        shutil.rmtree(tmpdir)
-        api.Backend.ldap2.disconnect()

    # Now we can start the CA. Using the services start should fire
    # off the servlet to verify that the CA is actually up and responding so
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@ -38,7 +38,6 @@ from ipaplatform.paths import paths
 def _main():
    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
    api.finalize()
-    api.Backend.ldap2.connect()

    tmpdir = tempfile.mkdtemp(prefix="tmp-")
    try:
@ -47,6 +46,8 @@ def _main():
        kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
        os.environ['KRB5CCNAME'] = ccache_filename

+        api.Backend.ldap2.connect()
+
        ca = cainstance.CAInstance(host_name=api.env.host)
        ra_certpath = paths.RA_AGENT_PEM
        if ca.is_renewal_master():
@ -71,8 +72,9 @@ def _main():
            # Load it into dogtag
            cainstance.update_people_entry(dercert)
    finally:
+        if api.Backend.ldap2.isconnected():
+            api.Backend.ldap2.disconnect()
        shutil.rmtree(tmpdir)
-        api.Backend.ldap2.disconnect()


 def main():