From aae78480220203b1c64c8b3c6b8297868c849110 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 23 Jul 2014 19:03:46 +0200
Subject: [PATCH] Allow changing CA renewal master in ipa-csreplica-manage.
https://fedorahosted.org/freeipa/ticket/4039
Reviewed-By: Petr Viktorin
---
 install/tools/ipa-csreplica-manage | 39 ++++++++++++++++++------
 install/tools/man/ipa-csreplica-manage.1 | 3 ++
 2 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index cfcb354f2..c534446d7 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -34,15 +34,16 @@ from ipapython.dn import DN
 # dict of command name and tuples of min/max num of args needed
 commands = {
- "list":(0, 1, "[master fqdn]", ""),
- "connect":(1, 2, " [other master fqdn]",
- "must provide the name of the servers to connect"),
- "disconnect":(1, 2, " [other master fqdn]",
- "must provide the name of the server to disconnect"),
- "del":(1, 1, "",
- "must provide hostname of master to delete"),
- "re-initialize":(0, 0, "", ""),
- "force-sync":(0, 0, "", "")
+ "list": (0, 1, "[master fqdn]", ""),
+ "connect": (1, 2, " [other master fqdn]",
+ "must provide the name of the servers to connect"),
+ "disconnect": (1, 2, " [other master fqdn]",
+ "must provide the name of the server to disconnect"),
+ "del": (1, 1, "",
+ "must provide hostname of master to delete"),
+ "re-initialize": (0, 0, "", ""),
+ "force-sync": (0, 0, "", ""),
+ "set-renewal-master": (0, 1, "[master fqdn]", "")
 }
@@ -375,6 +376,21 @@ def force_sync(realm, thishost, fromhost, dirman_passwd):
 except Exception, e:
 sys.exit(str(e))
+def set_renewal_master(realm, replica):
+ if not replica:
+ replica = installutils.get_fqdn()
+
+ ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+ if ca.is_renewal_master(replica):
+ sys.exit("%s is already the renewal master" % replica)
+
+ try:
+ ca.set_renewal_master(replica)
+ except Exception, e:
+ sys.exit("Failed to set renewal master to %s: %s" % (replica, e))
+
+ print "%s is now the renewal master" % replica
+
 def main():
 options, args = parse_options()
@@ -439,6 +455,11 @@ def main():
 replica1 = host
 replica2 = args[1]
 del_link(realm, replica1, replica2, dirman_passwd, options.force)
+ elif args[0] == 'set-renewal-master':
+ replica = None
+ if len(args) > 1:
+ replica = args[1]
+ set_renewal_master(realm, replica)
 try:
 main()
diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1
index ddb28da41..3164ea60d 100644
--- a/install/tools/man/ipa-csreplica-manage.1
+++ b/install/tools/man/ipa-csreplica-manage.1
@@ -42,6 +42,9 @@ Manages the CA replication agreements of an IPA server.
 \fBforce\-sync\fR \- Immediately flush any data to be replicated from a server specified with the \-\-from option
 .TP
+\fBset\-renewal\-master\fR [SERVER]
+\- Set CA server which handles renewal of CA subsystem certificates to SERVER
+.TP
 The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas.
 .TP
 The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.
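Review bot: `set_renewal_master` passes whatever hostname it was given straight into `ca.set_renewal_master(replica)` without checking that the name belongs to a server that actually runs a CA in this realm, so a typo or an already-removed replica leaves no server responsible for renewing the CA subsystem certificates, and the mistake only surfaces when those certificates expire. Before the `is_renewal_master` check, resolve the realm's CA masters the way the file's other commands presumably do (not visible in this hunk) and refuse unknown hosts, e.g. `if replica not in ca_masters: sys.exit("%s is not a CA master in %s" % (replica, realm))`. The guard also trusts the caller's spelling verbatim; if the stored renewal-master value is a canonical lowercase FQDN, `replica = replica.lower()` (or a case-insensitive comparison) keeps a differently cased name from slipping past the "already the renewal master" check and rewriting the same value. Unlike `force_sync` and `del_link` in this file, this path takes no `dirman_passwd`, so it relies on whatever bind `CAInstance` performs when run as root — a one-line comment stating that assumption would help the next reader.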
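Review bot: The new `elif` branch spells the optional argument out over three lines; `replica = args[1] if len(args) > 1 else None` says the same in one, and the `commands` table declares a 0–1 argument range for this command, so presumably the generic argument check already bounds `args` and no further length test is needed here. The branch also omits the `dirman_passwd` that the neighbouring `del_link` call receives; if that is deliberate because `set_renewal_master` authenticates differently, a short comment at the call site would save the next reader the detour. main() starts and ends outside the hunk.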