mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
renew agent, restart scripts: connect to LDAP after kinit
Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
parent
3884a671cb
commit
a6a89e2414
@ -518,7 +518,6 @@ def main():
|
|||||||
|
|
||||||
api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
|
api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
|
||||||
api.finalize()
|
api.finalize()
|
||||||
api.Backend.ldap2.connect()
|
|
||||||
|
|
||||||
operation = os.environ.get('CERTMONGER_OPERATION')
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
||||||
if operation not in ('SUBMIT', 'POLL'):
|
if operation not in ('SUBMIT', 'POLL'):
|
||||||
@ -532,6 +531,8 @@ def main():
|
|||||||
os.environ['KRB5CCNAME'] = ccache_filename
|
os.environ['KRB5CCNAME'] = ccache_filename
|
||||||
kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
||||||
|
|
||||||
|
api.Backend.ldap2.connect()
|
||||||
|
|
||||||
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
||||||
if is_replicated():
|
if is_replicated():
|
||||||
if profile or is_renewal_master():
|
if profile or is_renewal_master():
|
||||||
@ -547,9 +548,10 @@ def main():
|
|||||||
print(item)
|
print(item)
|
||||||
return res[0]
|
return res[0]
|
||||||
finally:
|
finally:
|
||||||
|
if api.Backend.ldap2.isconnected():
|
||||||
|
api.Backend.ldap2.disconnect()
|
||||||
certs.renewal_lock.release()
|
certs.renewal_lock.release()
|
||||||
shutil.rmtree(tmpdir)
|
shutil.rmtree(tmpdir)
|
||||||
api.Backend.ldap2.disconnect()
|
|
||||||
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
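Review bot: In the `finally:` block of `main()` (third hunk), the guarded `api.Backend.ldap2.disconnect()` now runs before `certs.renewal_lock.release()` and `shutil.rmtree(tmpdir)`, so an exception raised by the disconnect would leave the renewal lock held and the temporary directory on disk. That directory presumably holds the credential cache written by `kinit_keytab` (where `ccache_filename` is created is not visible in the hunk), so skipping its removal is worth avoiding. Keeping the guarded disconnect as the last statement of the block, after `shutil.rmtree(tmpdir)`, or giving it its own nested `try:`/`finally:`, preserves the cleanup. The `finally:` blocks of both `_main()` restart scripts further down place the disconnect ahead of `shutil.rmtree(tmpdir)` in the same way. The enclosing `try:` starts outside the hunk.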
@ -42,7 +42,6 @@ def _main():
|
|||||||
|
|
||||||
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
|
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
|
||||||
api.finalize()
|
api.finalize()
|
||||||
api.Backend.ldap2.connect()
|
|
||||||
|
|
||||||
dogtag_service = services.knownservices['pki_tomcatd']
|
dogtag_service = services.knownservices['pki_tomcatd']
|
||||||
|
|
||||||
@ -77,6 +76,8 @@ def _main():
|
|||||||
kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
||||||
os.environ['KRB5CCNAME'] = ccache_filename
|
os.environ['KRB5CCNAME'] = ccache_filename
|
||||||
|
|
||||||
|
api.Backend.ldap2.connect()
|
||||||
|
|
||||||
ca = cainstance.CAInstance(host_name=api.env.host)
|
ca = cainstance.CAInstance(host_name=api.env.host)
|
||||||
ca.update_cert_config(nickname, cert)
|
ca.update_cert_config(nickname, cert)
|
||||||
if ca.is_renewal_master():
|
if ca.is_renewal_master():
|
||||||
@ -184,8 +185,9 @@ def _main():
|
|||||||
if conn is not None and conn.isconnected():
|
if conn is not None and conn.isconnected():
|
||||||
conn.disconnect()
|
conn.disconnect()
|
||||||
finally:
|
finally:
|
||||||
|
if api.Backend.ldap2.isconnected():
|
||||||
|
api.Backend.ldap2.disconnect()
|
||||||
shutil.rmtree(tmpdir)
|
shutil.rmtree(tmpdir)
|
||||||
api.Backend.ldap2.disconnect()
|
|
||||||
|
|
||||||
# Now we can start the CA. Using the services start should fire
|
# Now we can start the CA. Using the services start should fire
|
||||||
# off the servlet to verify that the CA is actually up and responding so
|
# off the servlet to verify that the CA is actually up and responding so
|
||||||
|
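Review bot: The new position of `api.Backend.ldap2.connect()` in the second hunk of `_main()` appears to depend on both lines before it, `kinit_keytab(...)` and `os.environ['KRB5CCNAME'] = ccache_filename`, but nothing in the code records that ordering requirement. A comment above the call, such as `# connect only after kinit and KRB5CCNAME are set; the GSSAPI bind needs the ticket`, would keep a later cleanup from moving it back next to `api.finalize()`. The same comment fits the connect call in `main()` of the renew agent and in the other `_main()` restart script. The function body continues outside the hunk.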
@ -38,7 +38,6 @@ from ipaplatform.paths import paths
|
|||||||
def _main():
|
def _main():
|
||||||
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
|
api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
|
||||||
api.finalize()
|
api.finalize()
|
||||||
api.Backend.ldap2.connect()
|
|
||||||
|
|
||||||
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
||||||
try:
|
try:
|
||||||
@ -47,6 +46,8 @@ def _main():
|
|||||||
kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
||||||
os.environ['KRB5CCNAME'] = ccache_filename
|
os.environ['KRB5CCNAME'] = ccache_filename
|
||||||
|
|
||||||
|
api.Backend.ldap2.connect()
|
||||||
|
|
||||||
ca = cainstance.CAInstance(host_name=api.env.host)
|
ca = cainstance.CAInstance(host_name=api.env.host)
|
||||||
ra_certpath = paths.RA_AGENT_PEM
|
ra_certpath = paths.RA_AGENT_PEM
|
||||||
if ca.is_renewal_master():
|
if ca.is_renewal_master():
|
||||||
@ -71,8 +72,9 @@ def _main():
|
|||||||
# Load it into dogtag
|
# Load it into dogtag
|
||||||
cainstance.update_people_entry(dercert)
|
cainstance.update_people_entry(dercert)
|
||||||
finally:
|
finally:
|
||||||
|
if api.Backend.ldap2.isconnected():
|
||||||
|
api.Backend.ldap2.disconnect()
|
||||||
shutil.rmtree(tmpdir)
|
shutil.rmtree(tmpdir)
|
||||||
api.Backend.ldap2.disconnect()
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
|