dsinstance: extract function for writing certmap.conf

For full customisability of the IPA CA subject DN, we will need the ability to update DS `certmap.conf' when upgrading a deployment from CA-less to CA-ful. Extract the existing behaviour, which is private to DsInstance, to the `write_certmap_conf' top-level function. Also update `certmap.conf.template' for substition of the whole CA subject DN (not just the subject base). Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-12-14 13:23:11 +10:00 · 2016-12-14 13:23:11 +10:00 · f54df62aba
commit f54df62aba
parent 46bf0e89ae
2 changed files with 14 additions and 6 deletions
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@ -41,6 +41,6 @@ certmap default         default
 #default:InitFn         <Init function's name>
 default:DNComps
 default:FilterComps     uid
-certmap ipaca           CN=Certificate Authority,$SUBJECT_BASE
+certmap ipaca           $ISSUER_DN
 ipaca:CmapLdapAttr      seeAlso
 ipaca:verifycert        on
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -920,11 +920,8 @@ class DsInstance(service.Service):
        self._ldap_mod("indices.ldif")

    def __certmap_conf(self):
-        shutil.copyfile(
-            os.path.join(paths.USR_SHARE_IPA_DIR, "certmap.conf.template"),
-            os.path.join(config_dirname(self.serverid), "certmap.conf"))
-        installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
-                                 '$SUBJECT_BASE', str(self.subject_base))
+        ca_subject = 'CN=Certificate Authority,' + str(self.subject_base)
+        write_certmap_conf(self.realm, ca_subject)
        sysupgrade.set_upgrade_state(
            'certmap.conf',
            'subject_base',
@ -1286,3 +1283,14 @@ class DsInstance(service.Service):

        # check for open secure port 636 from now on
        self.open_ports.append(636)
+
+
+def write_certmap_conf(realm, ca_subject):
+    """(Re)write certmap.conf with given CA subject DN."""
+    serverid = installutils.realm_to_serverid(realm)
+    ds_dirname = config_dirname(serverid)
+    certmap_filename = os.path.join(ds_dirname, "certmap.conf")
+    shutil.copyfile(
+        os.path.join(paths.USR_SHARE_IPA_DIR, "certmap.conf.template"),
+        certmap_filename)
+    installutils.update_file(certmap_filename, '$ISSUER_DN', str(ca_subject))