Use host keytab to connect to remote server on DL0

Since host enrollment was implemented in DL0, use
the host keytab to connect to the remote API and perform
certain actions in order to merge the DL1 and DL0 replica
install workflows.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Stanislav Laznicka 2016-11-07 12:09:28 +01:00 committed by Jan Cholasta
parent 2de43e7aca
commit e40d6a2a53


@ -821,6 +821,10 @@ def install_check(installer):
broadcast_ip_address_warning(config.ips) broadcast_ip_address_warning(config.ips)
enroll_dl0_replica(installer, fstore, remote_api) enroll_dl0_replica(installer, fstore, remote_api)
ccache = os.environ['KRB5CCNAME']
ipautil.kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env),
paths.KRB5_KEYTAB,
ccache)
except errors.ACIError: except errors.ACIError:
raise ScriptError("\nThe password provided is incorrect for LDAP server " raise ScriptError("\nThe password provided is incorrect for LDAP server "
@ -841,10 +845,14 @@ def install_check(installer):
# check connection # check connection
if not options.skip_conncheck: if not options.skip_conncheck:
try:
del os.environ['KRB5CCNAME']
replica_conn_check( replica_conn_check(
config.master_host_name, config.host_name, config.realm_name, config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, config.ca_ds_port, options.admin_password, options.setup_ca, config.ca_ds_port, options.admin_password,
ca_cert_file=cafile) ca_cert_file=cafile)
finally:
os.environ['KRB5CCNAME'] = ccache
installer._ca_enabled = ca_enabled installer._ca_enabled = ca_enabled
installer._kra_enabled = kra_enabled installer._kra_enabled = kra_enabled
@ -1337,9 +1345,9 @@ def install(installer):
remote_api = installer._remote_api remote_api = installer._remote_api
conn = remote_api.Backend.ldap2 conn = remote_api.Backend.ldap2
ccache = os.environ['KRB5CCNAME']
if promote: if promote:
ccache = os.environ['KRB5CCNAME']
if installer._add_to_ipaservers: if installer._add_to_ipaservers:
try: try:
conn.connect(ccache=installer._ccache) conn.connect(ccache=installer._ccache)
@ -1372,12 +1380,8 @@ def install(installer):
http_instance.create_cert_db() http_instance.create_cert_db()
try: try:
if promote:
conn.connect(ccache=ccache) conn.connect(ccache=ccache)
else: if not promote:
conn.connect(bind_dn=ipaldap.DIRMAN_DN,
bind_pw=config.dirman_password,
tls_cacertfile=cafile)
# Install CA cert so that we can do SSL connections with ldap # Install CA cert so that we can do SSL connections with ldap
install_ca_cert(conn, api.env.basedn, api.env.realm, cafile) install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)