IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Handle --subject option in ipa-server-install

Browse Source 
Properly handle --subject option of ipa-server-install, making sure this
value gets passed to certmap.conf. Introduce a new template variable
$SUBJECT_BASE for this purpose.

Also make sure that this value is preserved on upgrades.

https://fedorahosted.org/freeipa/ticket/3783
This commit is contained in:
Ana Krivokapic
2013-07-29 18:33:09 +02:00
committed by Martin Kosek
parent f988e422eb
commit da2605c942
3 changed files with 103 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
install/share/certmap.conf.template
View File

@@ -1,4 +1,4 @@
# VERSION 1 - DO NOT REMOVE THIS LINE
# VERSION 2 - DO NOT REMOVE THIS LINE
#
# This file is managed by IPA and will be overwritten on upgrades.
@@ -84,6 +84,6 @@ certmap default default
#default:InitFn <Init function's name>
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=$REALM
certmap ipaca CN=Certificate Authority,$SUBJECT_BASE
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on

96
install/tools/ipa-upgradeconfig
View File

@@ -760,6 +760,90 @@ def add_ca_dns_records():
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
def find_subject_base():
"""
Try to find the current value of certificate subject base.
1) Look in sysupgrade first
2) If no value is found there, look in DS (start DS if necessary)
3) Last resort, look in the certmap.conf itself
4) If all fails, log loudly and return None
"""
root_logger.debug('Trying to find certificate subject base in sysupgrade')
subject_base = sysupgrade.get_upgrade_state('certmap.conf', 'subject_base')
if subject_base:
root_logger.debug(
'Found certificate subject base in sysupgrade: %s',
subject_base
)
return subject_base
root_logger.debug('Unable to find certificate subject base in sysupgrade')
root_logger.debug('Trying to find certificate subject base in DS')
ds_is_running = services.knownservices.dirsrv.is_running()
if not ds_is_running:
try:
services.knownservices.dirsrv.start()
except ipautil.CalledProcessError as e:
root_logger.error('Cannot start DS to find certificate '
'subject base: %s', e)
else:
ds_is_running = True
if ds_is_running:
try:
api.Backend.ldap2.connect(autobind=True)
except ipalib.errors.PublicError, e:
root_logger.error('Cannot connect to DS to find certificate '
'subject base: %s', e)
else:
ret = api.Command['config_show']()
api.Backend.ldap2.disconnect()
subject_base = str(ret['result']['ipacertificatesubjectbase'][0])
root_logger.debug(
'Found certificate subject base in DS: %s',
subject_base
)
if not subject_base:
root_logger.debug('Unable to find certificate subject base in DS')
root_logger.debug('Trying to find certificate subject base in '
'certmap.conf')
certmap_dir = dsinstance.config_dirname(
dsinstance.realm_to_serverid(api.env.realm)
)
try:
with open(os.path.join(certmap_dir, 'certmap.conf')) as f:
for line in f:
if line.startswith('certmap ipaca'):
subject_base = line.strip().split(',')[-1]
root_logger.debug(
'Found certificate subject base in certmap.conf: '
'%s',
subject_base
)
except IOError as e:
root_logger.error('Cannot open certmap.conf to find certificate '
'subject base: %s', e.strerror)
if subject_base:
sysupgrade.set_upgrade_state(
'certmap.conf',
'subject_base',
subject_base
)
return subject_base
root_logger.debug('Unable to find certificate subject base in '
'certmap.conf')
root_logger.error('Unable to determine certificate subject base. '
'certmap.conf will not be updated.')
def uninstall_selfsign(ds, http):
root_logger.info('[Removing self-signed CA]')
"""Replace self-signed CA by a CA-less install"""
@@ -901,6 +985,10 @@ def main():
CLONE='#'
)
subject_base = find_subject_base()
if subject_base:
sub_dict['SUBJECT_BASE'] = subject_base
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
# migrate CRL publish dir before the location in ipa.conf is updated
@@ -918,8 +1006,12 @@ def main():
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"),
os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))
if subject_base:
upgrade(
sub_dict,
os.path.join(certmap_dir, "certmap.conf"),
os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
)
upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()

8
ipaserver/install/dsinstance.py
View File

@@ -37,6 +37,7 @@ import certs
import ldap
from ipaserver.install import ldapupdate
from ipaserver.install import replication
from ipaserver.install import sysupgrade
from ipalib import errors
from ipapython.dn import DN
@@ -653,7 +654,12 @@ class DsInstance(service.Service):
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.serverid) + "certmap.conf")
installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
'$REALM', self.realm_name)
'$SUBJECT_BASE', str(self.subject_base))
sysupgrade.set_upgrade_state(
'certmap.conf',
'subject_base',
str(self.subject_base)
)
def __enable_ldapi(self):
self._ldap_mod("ldapi.ldif", self.sub_dict)