Handle --subject option in ipa-server-install

Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.

Also make sure that this value is preserved on upgrades.

https://fedorahosted.org/freeipa/ticket/3783
Ana Krivokapic 2013-07-29 18:33:09 +02:00 committed by Martin Kosek
parent f988e422eb
commit da2605c942
3 changed files with 103 additions and 5 deletions


@ -1,4 +1,4 @@
# VERSION 1 - DO NOT REMOVE THIS LINE
# VERSION 2 - DO NOT REMOVE THIS LINE
#
# This file is managed by IPA and will be overwritten on upgrades.
@ -84,6 +84,6 @@ certmap default default
#default:InitFn <Init function's name>
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=$REALM
certmap ipaca CN=Certificate Authority,$SUBJECT_BASE
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on


@ -760,6 +760,90 @@ def add_ca_dns_records():
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
def find_subject_base():
"""
Try to find the current value of certificate subject base.
1) Look in sysupgrade first
2) If no value is found there, look in DS (start DS if necessary)
3) Last resort, look in the certmap.conf itself
4) If all fails, log loudly and return None
"""
root_logger.debug('Trying to find certificate subject base in sysupgrade')
subject_base = sysupgrade.get_upgrade_state('certmap.conf', 'subject_base')
if subject_base:
root_logger.debug(
'Found certificate subject base in sysupgrade: %s',
subject_base
)
return subject_base
root_logger.debug('Unable to find certificate subject base in sysupgrade')
root_logger.debug('Trying to find certificate subject base in DS')
ds_is_running = services.knownservices.dirsrv.is_running()
if not ds_is_running:
try:
services.knownservices.dirsrv.start()
except ipautil.CalledProcessError as e:
root_logger.error('Cannot start DS to find certificate '
'subject base: %s', e)
else:
ds_is_running = True
if ds_is_running:
try:
api.Backend.ldap2.connect(autobind=True)
except ipalib.errors.PublicError, e:
root_logger.error('Cannot connect to DS to find certificate '
'subject base: %s', e)
else:
ret = api.Command['config_show']()
api.Backend.ldap2.disconnect()
subject_base = str(ret['result']['ipacertificatesubjectbase'][0])
root_logger.debug(
'Found certificate subject base in DS: %s',
subject_base
)
if not subject_base:
root_logger.debug('Unable to find certificate subject base in DS')
root_logger.debug('Trying to find certificate subject base in '
'certmap.conf')
certmap_dir = dsinstance.config_dirname(
dsinstance.realm_to_serverid(api.env.realm)
)
try:
with open(os.path.join(certmap_dir, 'certmap.conf')) as f:
for line in f:
if line.startswith('certmap ipaca'):
subject_base = line.strip().split(',')[-1]
root_logger.debug(
'Found certificate subject base in certmap.conf: '
'%s',
subject_base
)
except IOError as e:
root_logger.error('Cannot open certmap.conf to find certificate '
'subject base: %s', e.strerror)
if subject_base:
sysupgrade.set_upgrade_state(
'certmap.conf',
'subject_base',
subject_base
)
return subject_base
root_logger.debug('Unable to find certificate subject base in '
'certmap.conf')
root_logger.error('Unable to determine certificate subject base. '
'certmap.conf will not be updated.')
def uninstall_selfsign(ds, http):
root_logger.info('[Removing self-signed CA]')
"""Replace self-signed CA by a CA-less install"""
@ -901,6 +985,10 @@ def main():
CLONE='#'
)
subject_base = find_subject_base()
if subject_base:
sub_dict['SUBJECT_BASE'] = subject_base
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
# migrate CRL publish dir before the location in ipa.conf is updated
@ -918,8 +1006,12 @@ def main():
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"),
os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))
if subject_base:
upgrade(
sub_dict,
os.path.join(certmap_dir, "certmap.conf"),
os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
)
upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
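Review bot: The certmap.conf fallback in find_subject_base, `subject_base = line.strip().split(',')[-1]`, keeps only the last RDN, so a multi-RDN base such as `O=Example,C=US` (which a --subject value may well contain) is truncated to `C=US`, and that truncated value is then cached in sysupgrade and substituted into the `certmap ipaca` issuer DN, where it will never match the CA's certificates. Match the fixed prefix and keep everything after it instead: `prefix = 'certmap ipaca CN=Certificate Authority,'` / `if line.startswith(prefix):` / `subject_base = line[len(prefix):].strip()`. The value found in DS is never written to sysupgrade state, unlike the certmap.conf result, so the DS start/connect dance is repeated on every upgrade until the file fallback runs; calling `sysupgrade.set_upgrade_state('certmap.conf', 'subject_base', subject_base)` in that branch too would make the three lookup paths consistent. Also `ret['result']['ipacertificatesubjectbase'][0]` is unguarded and `api.Backend.ldap2.disconnect()` is skipped if it raises, so a try/finally around the config_show lookup would avoid leaving the connection open on a missing attribute. main() starts and ends outside the hunks.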


@ -37,6 +37,7 @@ import certs
import ldap
from ipaserver.install import ldapupdate
from ipaserver.install import replication
from ipaserver.install import sysupgrade
from ipalib import errors
from ipapython.dn import DN
@ -653,7 +654,12 @@ class DsInstance(service.Service):
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.serverid) + "certmap.conf")
installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
'$REALM', self.realm_name)
'$SUBJECT_BASE', str(self.subject_base))
sysupgrade.set_upgrade_state(
'certmap.conf',
'subject_base',
str(self.subject_base)
)
def __enable_ldapi(self):
self._ldap_mod("ldapi.ldif", self.sub_dict)
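Review bot: `str(self.subject_base)` is substituted into the `certmap ipaca` issuer DN and persisted to sysupgrade state with no check that the attribute is populated; if it can still be None at this point (not visible from the hunk), the literal string `None` lands in both places and the ipaca mapping silently never matches instead of failing the install. A one-line guard before the update_file call, e.g. `if not self.subject_base: raise RuntimeError('subject_base must be set before writing certmap.conf')`, would make that loud. The enclosing method starts outside the hunk.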