mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
69bda6b440
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin finds all CA certificates in /etc/httpd/alias and uploads them in LDAP below cn=certificates,cn=ipa,cn=etc,$BASEDN. The issue happens because there is already an entry in LDAP for IPA CA, but with a different DN. The nickname in /etc/httpd/alias can differ from $DOMAIN IPA CA. To avoid the issue: 1/ during upgrade, run a new plugin that removes duplicates and restarts ldap (to make sure that uniqueness attr plugin is working after the new plugin) 2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA. https://pagure.io/freeipa/issue/7125 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
36 lines
1022 B
Plaintext
36 lines
1022 B
Plaintext
# first
|
|
|
|
|
|
# middle
|
|
plugin: update_ca_topology
|
|
plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion
|
|
plugin: update_dnszones
|
|
plugin: update_dns_limits
|
|
plugin: update_sigden_extdom_broken_config
|
|
plugin: update_sids
|
|
plugin: update_default_range
|
|
plugin: update_default_trust_view
|
|
plugin: update_tdo_gidnumber
|
|
plugin: update_ca_renewal_master
|
|
plugin: update_idrange_type
|
|
plugin: update_pacs
|
|
plugin: update_service_principalalias
|
|
plugin: update_fix_duplicate_cacrt_in_ldap
|
|
plugin: update_upload_cacrt
|
|
# update_ra_cert_store has to be executed after update_ca_renewal_master
|
|
plugin: update_ra_cert_store
|
|
|
|
# last
|
|
# DNS version 1
|
|
plugin: update_master_to_dnsforwardzones
|
|
# DNS version 2
|
|
plugin: update_dnsforward_emptyzones
|
|
plugin: update_managed_post
|
|
plugin: update_managed_permissions
|
|
plugin: update_read_replication_agreements_permission
|
|
plugin: update_idrange_baserid
|
|
plugin: update_passync_privilege_update
|
|
plugin: update_dnsserver_configuration_into_ldap
|
|
plugin: update_ldap_server_list
|
|
plugin: update_dna_shared_config
|