authorMartin Kosek <mkosek@redhat.com>2013-05-14 18:36:50 +0200
committerRob Crittenden <rcritten@redhat.com>2013-05-14 17:01:03 -0400
commitba89635679a318102bffbb0a5d00aff61f4e2967 (patch)
treeaba23a8392c0d4ebcb5e0b6323ad24ea1da06262
parent8897b5181458af0f4237fbc0344c1ba9ceb9ddcd (diff)
downloadfreeipa-ba89635679a318102bffbb0a5d00aff61f4e2967.tar.gz
freeipa-ba89635679a318102bffbb0a5d00aff61f4e2967.tar.xz
freeipa-ba89635679a318102bffbb0a5d00aff61f4e2967.zip
Set KRB5CCNAME so that dirsrv can work with newer krb5-server
The DIR ccache format is now the default in krb5-server 1.11.2-4, but nothing creates /run/user/<uid> for Apache, so it has no ccache (and it doesn't have SELinux permissions to write there either). Use KRB5CCNAME in /etc/sysconfig/dirsrv to set a file path instead. https://fedorahosted.org/freeipa/ticket/3628
-rw-r--r--install/tools/ipa-upgradeconfig1
-rw-r--r--ipaserver/install/dsinstance.py18
2 files changed, 19 insertions, 0 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 8fa9b189a..8e9357f20 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -919,6 +919,7 @@ def main():
http.configure_httpd_ccache()
ds = dsinstance.DsInstance()
+ ds.configure_dirsrv_ccache()
fix_schema_file_syntax(ds)
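Review bot: Nothing visible in this hunk restarts dirsrv after `ds.configure_dirsrv_ccache()` rewrites /etc/sysconfig/dirsrv, so on the upgrade path the running server may keep its old environment until the next restart. The install path in dsinstance.py follows the same step with "restarting directory server". main() continues outside the hunk, so a later restart may already exist; if it does not, a comment such as `# KRB5CCNAME takes effect on the next dirsrv restart` would record the expectation. The call is also unconditional, so an exception raised inside the method stops the rest of the upgrade.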
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e6bb054dd..3b841417e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -26,6 +26,7 @@ import re
import time
import tempfile
import base64
+import stat
from ipapython.ipa_log_manager import *
from ipapython import ipautil, sysrestore, dogtag, ipaldap
@@ -213,6 +214,7 @@ class DsInstance(service.Service):
self.step("configuring certmap.conf", self.__certmap_conf)
self.step("configure autobind for root", self.__root_autobind)
self.step("configure new location for managed entries", self.__repoint_managed_entries)
+ self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
self.step("restarting directory server", self.__restart_instance)
def __common_post_setup(self):
@@ -515,6 +517,22 @@ class DsInstance(service.Service):
def __repoint_managed_entries(self):
self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)
+ def configure_dirsrv_ccache(self):
+ pent = pwd.getpwnam("dirsrv")
+ ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+ filepath = '/etc/sysconfig/dirsrv'
+ if not os.path.exists(filepath):
+ # file doesn't exist; create it with correct ownership & mode
+ open(filepath, 'a').close()
+ os.chmod(filepath,
+ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+ os.chown(filepath, 0, 0)
+
+ replacevars = {'KRB5CCNAME': ccache}
+ old_values = ipautil.backup_config_and_replace_variables(
+ self.fstore, filepath, replacevars=replacevars)
+ ipaservices.restore_context(filepath)
+
def __managed_entries(self):
self._ldap_mod("managed-entries.ldif", self.sub_dict)
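Review bot: The cache path built in `ccache = '/tmp/krb5cc_%d' % pent.pw_uid` is a predictable name in world-writable /tmp, so any local account can create that file first, and the directory server's ability to store its tickets then depends on how the Kerberos library treats a file it does not own. A directory writable only by the dirsrv account would remove that dependency. If /tmp has to stay, the method should say why in a docstring, e.g. `"""Point dirsrv at a FILE ccache via KRB5CCNAME; the DIR default under /run/user/<uid> is not usable by the service."""`. `pwd.getpwnam("dirsrv")` raises KeyError when the account is missing, and the upgrade tool now reaches it unconditionally. `old_values` is assigned but never read, and the create-then-`os.chmod` sequence leaves the new file at the umask-derived mode for a moment; `os.open(filepath, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644)` would create it with the intended mode in one step.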