Move PKINIT configuration to a later stage of server/replica install

This is to ensure that we can request PKINIT certs once all the following requirements are in place: * CA is configured or PKCS#12 file is provided * LDAP, KDC and Apache are configured and the master role is thus completed and enabled https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-03-09 12:49:54 -05:00 · 2017-03-09 12:49:54 -05:00 · bd18b5f91e
commit bd18b5f91e
parent b5b23e073e
3 changed files with 23 additions and 7 deletions
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -69,6 +69,7 @@ class KrbInstance(service.Service):
        self.sub_dict = None
        self.pkcs12_info = None
        self.master_fqdn = None
+        self.config_pkinit = None

    suffix = ipautil.dn_attribute_property('_suffix')
    subject_base = ipautil.dn_attribute_property('_subject_base')
@ -147,6 +148,7 @@ class KrbInstance(service.Service):
        self.master_password = master_password
        self.pkcs12_info = pkcs12_info
        self.subject_base = subject_base
+        self.config_pkinit = setup_pkinit

        self.__common_setup(realm_name, host_name, domain_name, admin_password)

@ -161,10 +163,6 @@ class KrbInstance(service.Service):

        self.__common_post_setup()

-        if setup_pkinit:
-            self.step("installing X509 Certificate for PKINIT",
-                      self.setup_pkinit)
-
        self.start_creation()

        self.kpasswd = KpasswdInstance()
@ -179,14 +177,12 @@ class KrbInstance(service.Service):
        self.pkcs12_info = pkcs12_info
        self.subject_base = subject_base
        self.master_fqdn = master_fqdn
+        self.config_pkinit = setup_pkinit

        self.__common_setup(realm_name, host_name, domain_name, admin_password)

        self.step("configuring KDC", self.__configure_instance)
        self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
-        if setup_pkinit:
-            self.step("installing X509 Certificate for PKINIT",
-                      self.setup_pkinit)

        self.__common_post_setup()

@ -393,6 +389,20 @@ class KrbInstance(service.Service):
        # have any selinux issues with the file context
        shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)

+        try:
+            self.restart()
+        except Exception:
+            root_logger.critical("krb5kdc service failed to restart")
+            raise
+
+    def enable_ssl(self):
+        if self.config_pkinit:
+            self.steps = []
+            self.step("installing X509 Certificate for PKINIT",
+                      self.setup_pkinit)
+
+            self.start_creation()
+
    def get_anonymous_principal_name(self):
        return "%s@%s" % (ANON_USER, self.realm)

--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -836,6 +836,9 @@ def install(installer):

    ca.set_subject_base_in_config(options.subject_base)

+    # configure PKINIT now that all required services are in place
+    krb.enable_ssl()
+
    # Apply any LDAP updates. Needs to be done after the configuration file
    # is created. DS is restarted in the process.
    service.print_msg("Applying LDAP updates")
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -1461,6 +1461,9 @@ def install(installer):
        options.dm_password = config.dirman_password
        ca.install(False, config, options)

+    # configure PKINIT now that all required services are in place
+    krb.enable_ssl()
+
    # Apply any LDAP updates. Needs to be done after the replica is synced-up
    service.print_msg("Applying LDAP updates")
    ds.apply_updates()