Make sure replication works after DM password is changed

Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594

freeipa.spec.in

@@ -17,7 +17,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.1.1
+BuildRequires:  389-ds-base-devel >= 1.3.1.3
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
@@ -89,7 +89,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.1
+Requires: 389-ds-base >= 1.3.1.3
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
@@ -145,7 +145,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
+Requires(pre): 389-ds-base >= 1.3.1.3
 
 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
 # entire SELinux policy is stored in the system policy
@@ -815,6 +815,9 @@ fi
 %endif  # ! %{ONLY_CLIENT}
 
 %changelog
+* Wed Jul 10 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.2.99-4
+- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
+
 * Wed Jun 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.2.99-3
 - Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
   support.

ipaserver/install/ipa_replica_prepare.py

@@ -274,6 +274,11 @@ class ReplicaPrepare(admintool.AdminTool):
             self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
         else:
             if ipautil.file_exists(options.ca_file):
+                # Since it is possible that the Directory Manager password
+                # has changed since ipa-server-install, we need to regenerate
+                # the CA PKCS#12 file and update the pki admin user password
+                self.regenerate_ca_file(options.ca_file)
+                self.update_pki_admin_password()
                 self.copy_info_file(options.ca_file, "cacert.p12")
             else:
                 raise admintool.ScriptError("Root CA PKCS#12 not "
@@ -505,3 +510,34 @@ class ReplicaPrepare(admintool.AdminTool):
                 db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
         finally:
             os.remove(agent_name)
+
+    def update_pki_admin_password(self):
+        ldap = ldap2(shared_instance=False)
+        ldap.connect(
+            bind_dn=DN(('cn', 'directory manager')),
+            bind_pw=self.dirman_password
+        )
+        dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+        ldap.modify_password(dn, self.dirman_password)
+        ldap.disconnect()
+
+    def regenerate_ca_file(self, ca_file):
+        dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+        keydb_pwd = ''
+        with open('/etc/pki/pki-tomcat/password.conf') as f:
+            for line in f.readlines():
+                key, value = line.strip().split('=')
+                if key == 'internal':
+                    keydb_pwd = value
+                    break
+
+        keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
+
+        ipautil.run([
+            '/usr/bin/PKCS12Export',
+            '-d', '/etc/pki/pki-tomcat/alias/',
+            '-p', keydb_pwd_fd.name,
+            '-w', dm_pwd_fd.name,
+            '-o', ca_file
+        ])