Store information about which CA server is master for renewals in LDAP.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2025-02-25 18:55:28 -06:00 · 2013-10-16 08:51:06 +00:00 · 2013-10-16 08:51:06 +00:00 · c3169add3b
commit c3169add3b
parent 6a19738a45
5 changed files with 98 additions and 3 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -1114,7 +1114,7 @@ def main():
    if setup_ca:
        # We need to ldap_enable the CA now that DS is up and running
        ca.ldap_enable('CA', host_name, dm_password,
-                       ipautil.realm_to_suffix(realm_name))
+                       ipautil.realm_to_suffix(realm_name), ['caRenewalMaster'])

        # This is done within stopped_service context, which restarts CA
        ca.enable_client_auth_to_db()
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -1608,6 +1608,21 @@ class CAInstance(service.Service):

        return master == 'New'

+    def is_renewal_master(self):
+        if not self.admin_conn:
+            self.ldap_connect()
+
+        dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
+                ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+        filter = '(ipaConfigString=caRenewalMaster)'
+        try:
+            self.admin_conn.get_entries(base_dn=dn, filter=filter,
+                                        attrs_list=[])
+        except errors.NotFound:
+            return False
+
+        return True
+

 def replica_ca_install_check(config):
    if not config.setup_ca:
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@ -11,6 +11,7 @@ app_PYTHON = 			\
 	update_services.py	\
 	update_anonymous_aci.py	\
 	update_pacs.py		\
+	ca_renewal_master.py	\
 	$(NULL)

 EXTRA_DIST =			\
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@ -0,0 +1,79 @@
+# Authors:
+#   Jan Cholasta <jcholast@redhat.com>
+#
+# Copyright (C) 2014  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import errors
+from ipalib.plugable import Registry
+from ipapython import certmonger
+from ipapython.dn import DN
+
+register = Registry()
+
+@register()
+class update_ca_renewal_master(PostUpdate):
+    """
+    Set CA renewal master in LDAP.
+    """
+
+    def execute(self, **options):
+        ldap = self.obj.backend
+        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+                     self.api.env.basedn)
+        filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
+        try:
+            entries = ldap.get_entries(base_dn=base_dn, filter=filter,
+                                       attrs_list=[])
+        except errors.NotFound:
+            pass
+        else:
+            self.debug("found CA renewal master %s", entries[0].dn[1].value)
+            return (False, False, [])
+
+        criteria = (
+            ('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),
+            ('cert_nickname', 'ipaCert', None),
+        )
+        request_id = certmonger.get_request_id(criteria)
+        if request_id is None:
+            self.error("certmonger request for ipaCert not found")
+            return (False, False, [])
+        ca_name = certmonger.get_request_value(request_id, 'ca_name')
+        if ca_name is None:
+            self.error("certmonger request for ipaCert is missing ca_name")
+            return (False, False, [])
+        ca_name = ca_name.strip()
+
+        if ca_name == 'dogtag-ipa-renew-agent':
+            dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+            update = {
+                dn: {
+                    'dn': dn,
+                    'updates': ['add:ipaConfigString: caRenewalMaster'],
+                },
+            }
+            return (False, True, [update])
+        elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
+            return (False, False, [])
+        elif ca_name == 'dogtag-ipa-ca-renew-agent':
+            return (False, False, [])
+        else:
+            self.warning(
+                "certmonger request for ipaCert has unknown ca_name \"%s\", "
+                "assuming local CA is renewal slave", ca_name)
+            return (False, False, [])
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -373,7 +373,7 @@ class Service(object):

        self.steps = []

-    def ldap_enable(self, name, fqdn, dm_password, ldap_suffix):
+    def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=[]):
        assert isinstance(ldap_suffix, DN)
        self.disable()
        if not self.admin_conn:
@ -386,7 +386,7 @@ class Service(object):
            objectclass=["nsContainer", "ipaConfigObject"],
            cn=[name],
            ipaconfigstring=[
-                "enabledService", "startOrder " + str(order)],
+                "enabledService", "startOrder " + str(order)] + config,
        )

        try: