Track DS certificate with certmonger on replicas.
https://fedorahosted.org/freeipa/ticket/3975
committed by
Petr Viktorin
parent
5854c47685
commit
e98abdca9b
@@ -184,6 +184,7 @@ def install_replica_ds(config):
|
|||||||
dm_password=config.dirman_password,
|
dm_password=config.dirman_password,
|
||||||
subject_base=config.subject_base,
|
subject_base=config.subject_base,
|
||||||
pkcs12_info=pkcs12_info,
|
pkcs12_info=pkcs12_info,
|
||||||
|
ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"),
|
||||||
ca_file=config.dir + "/ca.crt",
|
ca_file=config.dir + "/ca.crt",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|||||||
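Review bot: Whether the replica has an IPA CA is inferred solely from `ipautil.file_exists(config.dir + "/cacert.p12")`, and a False from that helper (missing file, but presumably also an unreadable directory, depending on how file_exists is implemented) silently disables certmonger tracking of the DS certificate via the guard added in the last hunk. The `pkcs12_info` argument on the line above is presumably built from the same replica file directory earlier in `install_replica_ds`, which starts outside this hunk; deriving both from one check would keep them from disagreeing. A comment on the new keyword would spare the next reader the round trip to dsinstance.py, e.g. `# cacert.p12 in the replica file means the master runs an IPA CA; without it certmonger cannot renew the DS cert`.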
@@ -218,6 +218,7 @@ class DsInstance(service.Service):
|
|||||||
self.domain = domain_name
|
self.domain = domain_name
|
||||||
self.serverid = None
|
self.serverid = None
|
||||||
self.pkcs12_info = None
|
self.pkcs12_info = None
|
||||||
|
self.ca_is_configured = True
|
||||||
self.dercert = None
|
self.dercert = None
|
||||||
self.idstart = None
|
self.idstart = None
|
||||||
self.idmax = None
|
self.idmax = None
|
||||||
@@ -290,6 +291,8 @@ class DsInstance(service.Service):
|
|||||||
self.idstart = idstart
|
self.idstart = idstart
|
||||||
self.idmax = idmax
|
self.idmax = idmax
|
||||||
self.pkcs12_info = pkcs12_info
|
self.pkcs12_info = pkcs12_info
|
||||||
|
if pkcs12_info:
|
||||||
|
self.ca_is_configured = False
|
||||||
self.ca_file = ca_file
|
self.ca_file = ca_file
|
||||||
|
|
||||||
self.__setup_sub_dict()
|
self.__setup_sub_dict()
|
||||||
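Review bot: The new `if pkcs12_info: self.ca_is_configured = False` changes behaviour silently, and neither here nor at the `self.ca_is_configured = True` default in `__init__` (second hunk) is the flag's meaning written down; add `# PKCS#12 input means the DS cert was not issued by IPA's CA, so certmonger cannot renew it and must not track it` above the branch. Note that the branch only ever lowers the flag and never sets it back to True, so the value depends on the instance being fresh from `__init__`; if a `DsInstance` is ever reused for a second `create_instance` call that may matter, though nothing on this page shows such reuse. The enclosing method starts and ends outside the hunk.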
@@ -321,7 +324,7 @@ class DsInstance(service.Service):
|
|||||||
|
|
||||||
def create_replica(self, realm_name, master_fqdn, fqdn,
|
def create_replica(self, realm_name, master_fqdn, fqdn,
|
||||||
domain_name, dm_password, subject_base,
|
domain_name, dm_password, subject_base,
|
||||||
pkcs12_info=None, ca_file=None):
|
pkcs12_info=None, ca_file=None, ca_is_configured=None):
|
||||||
# idstart and idmax are configured so that the range is seen as
|
# idstart and idmax are configured so that the range is seen as
|
||||||
# depleted by the DNA plugin and the replica will go and get a
|
# depleted by the DNA plugin and the replica will go and get a
|
||||||
# new range from the master.
|
# new range from the master.
|
||||||
@@ -341,6 +344,8 @@ class DsInstance(service.Service):
|
|||||||
ca_file=ca_file
|
ca_file=ca_file
|
||||||
)
|
)
|
||||||
self.master_fqdn = master_fqdn
|
self.master_fqdn = master_fqdn
|
||||||
|
if ca_is_configured is not None:
|
||||||
|
self.ca_is_configured = ca_is_configured
|
||||||
|
|
||||||
self.__common_setup(True)
|
self.__common_setup(True)
|
||||||
|
|
||||||
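Review bot: The `ca_is_configured` override runs after the call closed by `ca_file=ca_file)` above — presumably `create_instance`, which the third hunk makes set the flag to False whenever `pkcs12_info` is given — so a caller passing `ca_is_configured=True` together with `pkcs12_info` would have certmonger track a certificate IPA's CA did not issue; the install_replica_ds caller in the first hunk only passes the file-existence result, so this is a latent rather than observed problem. The tri-state semantics of the new parameter (None keeps the value derived from `pkcs12_info`, an explicit bool wins) should be stated in `create_replica`'s docstring or as a comment on the `if`, e.g. `# None: keep the value derived from pkcs12_info; an explicit bool from the caller wins`. `create_replica` starts in the previous hunk.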
@@ -615,10 +620,12 @@ class DsInstance(service.Service):
|
|||||||
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
|
dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
|
||||||
self.dercert = dsdb.create_server_cert(
|
self.dercert = dsdb.create_server_cert(
|
||||||
nickname, self.fqdn, cadb)
|
nickname, self.fqdn, cadb)
|
||||||
|
dsdb.create_pin_file()
|
||||||
|
|
||||||
|
if self.ca_is_configured:
|
||||||
dsdb.track_server_cert(
|
dsdb.track_server_cert(
|
||||||
nickname, self.principal, dsdb.passwd_fname,
|
nickname, self.principal, dsdb.passwd_fname,
|
||||||
'restart_dirsrv %s' % self.serverid)
|
'restart_dirsrv %s' % self.serverid)
|
||||||
dsdb.create_pin_file()
|
|
||||||
|
|
||||||
conn = ipaldap.IPAdmin(self.fqdn)
|
conn = ipaldap.IPAdmin(self.fqdn)
|
||||||
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
|
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
|
||||||
|
|||||||
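Review bot: When `self.ca_is_configured` is False the `track_server_cert` call is skipped with no trace, so a replica installed with third-party certificates has a DS certificate that will expire without renewal and nothing in the install log records that this was deliberate; an `else:` branch that logs through the module's logger, along the lines of "not tracking DS server certificate: no IPA CA configured", would make the state auditable. Moving `dsdb.create_pin_file()` ahead of the tracking call looks intentional, presumably so that `dsdb.passwd_fname` exists before certmonger is pointed at it, and deserves a one-line comment saying so. The enclosing method starts and ends outside the hunk.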