From b248dfda3980244070f85a1968e76d37ad50de9c Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 10 Dec 2015 08:17:11 +0100
Subject: [PATCH] ca install: use host credentials in domain level 1
https://fedorahosted.org/freeipa/ticket/5399
Reviewed-By: Martin Basti
---
 install/tools/ipa-ca-install | 76 ++++++++++++++++++++++++------------
 1 file changed, 51 insertions(+), 25 deletions(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 0b8f28cb7..f2f32bd8e 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -107,21 +105,19 @@ def get_dirman_password():
 def install_replica(safe_options, options, filename):
- domain_level = dsinstance.get_domain_level(api)
- if domain_level > DOMAIN_LEVEL_0:
- options.promote = True
+ if options.promote:
 if filename is not None:
 sys.exit("Too many parameters provided. " "No replica file is required")
 else:
- options.promote = False
 if filename is None:
 sys.exit("A replica file is required")
 if not ipautil.file_exists(filename):
 sys.exit("Replica file %s does not exist" % filename)
- # Check if we have admin creds already, otherwise acquire them
- check_creds(options, api.env.realm)
+ if not options.promote:
+ # Check if we have admin creds already, otherwise acquire them
+ check_creds(options, api.env.realm)
 # get the directory manager password
 dirman_password = options.password
@@ -135,8 +133,8 @@ def install_replica(safe_options, options, filename):
 if dirman_password is None:
 sys.exit("Directory Manager password required")
- if not options.admin_password and not options.skip_conncheck and \
- options.unattended:
+ if (not options.promote and not options.admin_password and
+ not options.skip_conncheck and options.unattended):
 sys.exit('admin password required')
 if options.promote:
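Review bot: The trailing `if not options.promote:` guard around `check_creds(options, api.env.realm)` re-tests a condition the `if options.promote: ... else:` block at the top of install_replica has already decided; moving the call into that `else:` branch, after the replica-file checks, removes the second branch and keeps everything that is specific to the non-promote path in one place. Whichever shape is kept, the promote branch deserves a comment saying why no credentials are acquired here, e.g. `# promote (domain level 1): promote() has already obtained a host-keytab ccache, no admin credentials are needed`. The body of install_replica continues past the end of this hunk.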
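Review bot: The relaxed condition now waives the admin password in promote mode, but the context line just above it, `if dirman_password is None: sys.exit("Directory Manager password required")`, still requires the Directory Manager password unconditionally, so a domain-level-1 run still prompts for one credential despite the commit title. If that is intended, say so next to the new test: `# promote binds with the host keytab, so no admin password; the Directory Manager password is still required`. If it is not, the dirman check needs the same `not options.promote` qualifier. The enclosing function starts and ends outside this hunk.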
@@ -229,6 +227,46 @@ def install_master(safe_options, options):
 ca.install(True, None, options)
+def install(safe_options, options, filename):
+ options.promote = False
+
+ try:
+ if filename is None:
+ install_master(safe_options, options)
+ else:
+ install_replica(safe_options, options, filename)
+
+ finally:
+ # Clean up if we created custom credentials
+ created_ccache_file = getattr(options, 'created_ccache_file', None)
+ if created_ccache_file is not None:
+ try:
+ os.unlink(created_ccache_file)
+ except OSError:
+ pass
+
+
+def promote(safe_options, options, filename):
+ options.promote = True
+
+ with ipautil.private_ccache():
+ ccache = os.environ['KRB5CCNAME']
+
+ ipautil.kinit_keytab(
+ 'host/{env.host}@{env.realm}'.format(env=api.env),
+ paths.KRB5_KEYTAB,
+ ccache)
+
+ conn = api.Backend.ldap2
+ conn.connect(ccache=ccache)
+ ca_host = service.find_providing_server('CA', conn)
+ conn.disconnect()
+ if ca_host is None:
+ install_master(safe_options, options)
+ else:
+ install_replica(safe_options, options, filename)
+
+
+
 def main():
 safe_options, options, filename = parse_options()
@@ -251,24 +289,12 @@ def main():
 api.bootstrap(in_server=True, ra_plugin='dogtag')
 api.finalize()
- try:
- conn = api.Backend.ldap2
- conn.connect(autobind=True)
- ca_host = service.find_providing_server('CA', conn)
- conn.disconnect()
- if ca_host is None:
- install_master(safe_options, options)
- else:
- install_replica(safe_options, options, filename)
+ domain_level = dsinstance.get_domain_level(api)
+ if domain_level > DOMAIN_LEVEL_0:
+ promote(safe_options, options, filename)
+ else:
+ install(safe_options, options, filename)
- finally:
- # Clean up if we created custom credentials
- created_ccache_file = getattr(options, 'created_ccache_file', None)
- if created_ccache_file is not None:
- try:
- os.unlink(created_ccache_file)
- except OSError:
- pass
 fail_message = '''
 Your system may be partly configured.
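Review bot: In promote(), `conn.disconnect()` is only reached when `service.find_providing_server('CA', conn)` returns normally; an exception there leaves the host-keytab-authenticated LDAP connection open while the `with ipautil.private_ccache()` block unwinds, so the lookup should sit in a try/finally. On the same path, `filename` is silently ignored when no CA exists, because `install_master(safe_options, options)` takes no file at all, whereas install_replica in promote mode exits with "Too many parameters provided" — the two branches should agree, and the master branch can reuse that message. Note also that the whole install now runs inside the private ccache with the host principal; the `created_ccache_file` cleanup that install() performs is absent here, which is fine only if neither install_master nor install_replica acquires its own credentials in promote mode (install_replica visibly skips check_creds, install_master is not shown). A short docstring on each of install() and promote() stating which credentials the path relies on would make that contract explicit.
```python
def promote(safe_options, options, filename):
    options.promote = True

    with ipautil.private_ccache():
        # … unchanged: kinit_keytab with the host principal …

        conn = api.Backend.ldap2
        conn.connect(ccache=ccache)
        try:
            ca_host = service.find_providing_server('CA', conn)
        finally:
            conn.disconnect()
        if ca_host is None:
            if filename is not None:
                sys.exit("Too many parameters provided. "
                         "No replica file is required")
            install_master(safe_options, options)
        else:
            install_replica(safe_options, options, filename)
```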
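Review bot: The new dispatch in main() reads the domain level with `dsinstance.get_domain_level(api)` before any connection is opened, where the removed code first did `conn.connect(autobind=True)`; presumably get_domain_level binds on its own, but that is not visible here, and a failure at that point now surfaces only through the generic fail_message path below. A one-line comment on the branch would save the next reader the same question, e.g. `# domain level 0: acquire admin/Directory Manager credentials (install); level 1+: bind with the host keytab (promote)`. main() starts and ends outside this hunk.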