From fea7163e87ef7b2e46fa18dc77836ec9ee92ce02 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 11 Sep 2013 08:27:34 +0000
Subject: [PATCH] Move CACERT definition to a single place.
Reviewed-By: Petr Viktorin
---
 install/tools/ipa-csreplica-manage | 3 +--
 install/tools/ipa-managed-entries | 3 +--
 install/tools/ipa-replica-install | 2 +-
 install/tools/ipa-replica-manage | 3 +--
 install/tools/ipa-server-install | 5 +++--
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipa-client/ipaclient/ipadiscovery.py | 2 --
 ipalib/constants.py | 3 +++
 ipaserver/install/bindinstance.py | 3 ++-
 ipaserver/install/dsinstance.py | 2 +-
 ipaserver/install/httpinstance.py | 1 +
 ipaserver/install/ipa_backup.py | 3 ++-
 ipaserver/install/ipa_replica_prepare.py | 5 +++--
 ipaserver/install/ipa_server_certinstall.py | 3 +--
 ipaserver/install/krbinstance.py | 3 ++-
 ipaserver/install/replication.py | 2 +-
 ipaserver/install/service.py | 2 --
 17 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 276eec964..eb589f3f9 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -27,11 +27,10 @@ from ipapython.ipa_log_manager import *
 from ipaserver.install import replication, installutils, bindinstance
 from ipalib import api, errors, util
+from ipalib.constants import CACERT
 from ipapython import ipautil, ipaldap, version, dogtag
 from ipapython.dn import DN
-CACERT = "/etc/ipa/ca.crt"
-
 # dict of command name and tuples of min/max num of args needed
 commands = {
 "list":(0, 1, "[master fqdn]", ""),
diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index 458339e92..85ef597ca 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -25,11 +25,10 @@ from optparse import OptionParser
 from ipapython import ipautil, config, ipaldap
 from ipaserver.install import installutils
 from ipalib import api, errors
+from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
-CACERT = "/etc/ipa/ca.crt"
-
 def parse_options():
 usage = "%prog [options] \n"
 usage += "%prog [options]\n"
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 9f420aef6..f5e7197b5 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -42,6 +42,7 @@ from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
 from ipalib import api, errors, util
+from ipalib.constants import CACERT
 from ipapython import version
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
@@ -52,7 +53,6 @@ from ipapython.dn import DN
 import ipaclient.ntpconf
 log_file_name = "/var/log/ipareplica-install.log"
-CACERT = "/etc/ipa/ca.crt"
 REPLICA_INFO_TOP_DIR = None
 DIRMAN_DN = DN(('cn', 'directory manager'))
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 684000599..ee7aef881 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -32,14 +32,13 @@ from ipaserver.install import bindinstance
 from ipaserver.plugins import ldap2
 from ipapython import version, ipaldap
 from ipalib import api, errors, util
+from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
 from ipaclient import ipadiscovery
 from xmlrpclib import MAXINT
-CACERT = "/etc/ipa/ca.crt"
-
 # dict of command name and tuples of min/max num of args needed
 commands = {
 "list":(0, 1, "[master fqdn]", ""),
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 7ca34e2cf..fa1396b49 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -72,6 +72,7 @@ from ipalib import api, errors, util, x509
 from ipapython.config import IPAOptionParser
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
 from ipalib.util import validate_domain_name
+from ipalib.constants import CACERT
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@@ -1101,7 +1102,7 @@ def main():
 subject_base=options.subject)
 # Now put the CA cert where other instances exepct it
- ca.publish_ca_cert("/etc/ipa/ca.crt")
+ ca.publish_ca_cert(CACERT)
 # we now need to enable ssl on the ds
 ds.enable_ssl()
@@ -1129,7 +1130,7 @@ def main():
 'External CA cert', 'CT,,', options.root_ca_file)
 # Put a CA cert where other instances expect it
- with open('/etc/ipa/ca.crt', 'wb') as f:
+ with open(CACERT, 'wb') as f:
 f.write(pem_cert)
 # Install the CA cert for the HTTP server
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 22bf2a183..c376ff27a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -36,7 +36,6 @@ try:
 from ipapython.ipa_log_manager import standard_logging_setup, root_logger
 from ipaclient import ipadiscovery
- from ipaclient.ipadiscovery import CACERT
 import ipaclient.ipachangeconf
 import ipaclient.ntpconf
 from ipapython.ipautil import (
@@ -48,6 +47,7 @@ try:
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors
 from ipalib import x509
+ from ipalib.constants import CACERT
 from ipapython.dn import DN
 from ipapython.ssh import SSHPublicKey
 from ipalib.rpc import delete_persistent_client_session_data
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 88445eb1e..d5004c6bf 100644
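Review bot: In the second hunk of this file the external-CA branch writes the CA certificate with a bare `open(CACERT, 'wb')`, so the file ends up with whatever mode the installer's umask yields, whereas the self-signed branch in the preceding hunk goes through `ca.publish_ca_cert(CACERT)`; if that helper sets ownership or mode (not visible here), the two branches leave the same path with different permissions. The file is read by other services and by clients, so an inherited restrictive umask would make it unreadable to them. Consider routing both branches through the same helper, or adding an explicit mode after the write, e.g. `os.chmod(CACERT, 0o644)`; the comment `# Put a CA cert where other instances expect it` could then also state that the file is expected to be world-readable. main() starts and ends outside these hunks.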
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -29,8 +29,6 @@ from ipapython import ipaldap
 from ipapython.ipautil import valid_ip, get_ipa_basedn, realm_to_suffix
 from ipapython.dn import DN
-CACERT = '/etc/ipa/ca.crt'
-
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
 REALM_NOT_FOUND = -3
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 5a304daeb..8fc04afcd 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -32,6 +32,9 @@ except:
 except:
 FQDN = None
+# Path to CA certificate bundle
+CACERT = '/etc/ipa/ca.crt'
+
 # regular expression NameSpace member names must match:
 NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 908807a1c..613af5c91 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -38,6 +38,7 @@ from ipalib import api, errors
 from ipalib.util import (validate_zonemgr, normalize_zonemgr, get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy, normalize_zone, get_reverse_zone_default, zone_is_reverse)
+from ipalib.constants import CACERT
 NAMED_CONF = '/etc/named.conf'
 RESOLV_CONF = '/etc/resolv.conf'
@@ -206,7 +207,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None
 if ldapi:
 conn = ipaldap.IPAdmin(host=fqdn, ldapi=True, realm=realm)
 else:
- conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=service.CACERT)
+ conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=CACERT)
 if dm_password:
 conn.do_simple_bind(bindpw=dm_password)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 8fa900f8d..835589d88 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
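Review bot: This hunk deletes the module-level `CACERT` from ipadiscovery.py without adding a replacement import, and the last hunk of the patch does the same in service.py; per the diffstat both files are pure deletions (`2 --`). Both names were consumed from other modules — this patch itself rewrites `from ipaclient.ipadiscovery import CACERT` in ipa-client-install and `service.CACERT` in bindinstance.py — so any remaining use of the bare name inside these two files, or any out-of-tree importer of `ipadiscovery.CACERT` / `service.CACERT`, now fails at runtime with NameError or ImportError. If the old attribute should keep working, a re-export `from ipalib.constants import CACERT  # kept for importers of the old location` in each file preserves it at no cost; otherwise a tree-wide search for the two dotted names is worth confirming before merge. The remainder of both modules is outside the hunks.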
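Review bot: The comment added above the new constant, `# Path to CA certificate bundle`, does not say what the file is for, and "bundle" is not supported by the visible writers (the external-CA branch of ipa-server-install writes a single `pem_cert`). The rest of this patch shows the path being passed as `cacert=` to a port-636 LDAP connection (bindinstance.py), as `ca_file=` for PKCS#12 validation (ipa_replica_prepare.py) and copied into the KDC directory (krbinstance.py), i.e. it is the trust anchor that clients and installers verify IPA servers against. A comment to that effect, e.g. `# Path to the IPA CA certificate (PEM). Used as the trust anchor when verifying TLS connections to IPA servers and imported PKCS#12 files; written by the server installer.`, would make the purpose clear to readers who only see this module.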
@@ -40,11 +40,11 @@ from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from ipalib import errors
+from ipalib.constants import CACERT
 from ipapython.dn import DN
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
-CACERT="/etc/ipa/ca.crt"
 DS_USER = 'dirsrv'
 DS_GROUP = 'dirsrv'
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 34e58fbb8..28a83ff04 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -35,6 +35,7 @@ from ipapython import dogtag
 from ipapython.ipa_log_manager import *
 from ipaserver.install import sysupgrade
 from ipalib import api
+from ipalib.constants import CACERT
 HTTPD_DIR = "/etc/httpd"
 SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 32272794a..302a5bd90 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -38,6 +38,7 @@ from ipaserver.install import installutils
 from ipapython import services as ipaservices
 from ipapython import ipaldap
 from ipalib.session import ISO8601_DATETIME_FMT
+from ipalib.constants import CACERT
 from ConfigParser import SafeConfigParser
 """
@@ -149,7 +150,7 @@ class Backup(admintool.AdminTool):
 '/etc/krb5.conf',
 '/etc/group',
 '/etc/passwd',
- '/etc/ipa/ca.crt',
+ CACERT,
 '/etc/ipa/default.conf',
 '/etc/dirsrv/ds.keytab',
 '/etc/ntp.conf',
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index c786569e2..e71dd22e4 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -34,6 +34,7 @@ from ipapython.dn import DN
 from ipapython import version
 from ipalib import api
 from ipalib import errors
+from ipalib.constants import CACERT
 class ReplicaPrepare(admintool.AdminTool):
@@ -139,7 +140,7 @@ class ReplicaPrepare(admintool.AdminTool):
 def check_pkcs12(self, pkcs12_file, pkcs12_pin):
 installutils.check_pkcs12(
 pkcs12_info=(pkcs12_file, pkcs12_pin),
- ca_file='/etc/ipa/ca.crt',
+ ca_file=CACERT,
 hostname=self.replica_fqdn)
 def ask_for_options(self):
@@ -356,7 +357,7 @@ class ReplicaPrepare(admintool.AdminTool):
 def copy_misc_files(self):
 self.log.info("Copying additional files")
- self.copy_info_file("/etc/ipa/ca.crt", "ca.crt")
+ self.copy_info_file(CACERT, "ca.crt")
 preferences_filename = "/usr/share/ipa/html/preferences.html"
 if ipautil.file_exists(preferences_filename):
 self.copy_info_file(preferences_filename, "preferences.html")
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 08b27e38a..a1c7c8e91 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -28,11 +28,10 @@ from ipapython import admintool
 from ipapython.dn import DN
 from ipapython.ipautil import user_input, write_tmp_file
 from ipalib import api, errors
+from ipalib.constants import CACERT
 from ipaserver.install import certs, dsinstance, httpinstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
-CACERT = "/etc/ipa/ca.crt"
-
 class ServerCertInstall(admintool.AdminTool):
 command_name = 'ipa-server-certinstall'
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 80d1addb4..caa70a447 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -33,6 +33,7 @@ from ipapython import ipautil
 from ipapython import services as ipaservices
 from ipapython import kernel_keyring
 from ipalib import errors
+from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@@ -435,7 +436,7 @@ class KrbInstance(service.Service):
 # Finally copy the cacert in the krb directory so we don't
 # have any selinux issues with the file context
- shutil.copyfile("/etc/ipa/ca.crt", "/var/kerberos/krb5kdc/cacert.pem")
+ shutil.copyfile(CACERT, "/var/kerberos/krb5kdc/cacert.pem")
 def __add_anonymous_pkinit_principal(self):
 princ = "WELLKNOWN/ANONYMOUS"
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 4fa8cb8aa..f295fb305 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -25,12 +25,12 @@ import os
 import ldap
 from ipalib import api, errors
+from ipalib.constants import CACERT
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
 from ipapython import ipautil, dogtag, ipaldap
 from ipapython.dn import DN
-CACERT = "/etc/ipa/ca.crt"
 # the default container used by AD for user entries
 WIN_USER_CONTAINER = DN(('cn', 'Users'))
 # the default container used by IPA for user entries
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 5d5db966f..ba6bc35ce 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -30,8 +30,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
 from ipalib import errors
-CACERT = "/etc/ipa/ca.crt"
-
 # Autobind modes
 AUTO = 1
 ENABLED = 2