summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAna Krivokapic <akrivoka@redhat.com>2013-05-15 11:22:41 +0200
committerAlexander Bokovoy <abokovoy@redhat.com>2013-07-11 12:39:29 +0300
commitc1e9b6fa1d3b334e6331c00158bf8e71926cd658 (patch)
treea172bcaacaa3591402dc741c8e3ffbdd44aaee6a
parente4437a3e7ffcb547a00a70614804dc35fefd630e (diff)
downloadfreeipa-c1e9b6fa1d3b334e6331c00158bf8e71926cd658.zip
freeipa-c1e9b6fa1d3b334e6331c00158bf8e71926cd658.tar.gz
freeipa-c1e9b6fa1d3b334e6331c00158bf8e71926cd658.tar.xz
Make sure replication works after DM password is changed
Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594
-rw-r--r--freeipa.spec.in9
-rw-r--r--ipaserver/install/ipa_replica_prepare.py36
2 files changed, 42 insertions, 3 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5a143b6..debc6e5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.1
+BuildRequires: 389-ds-base-devel >= 1.3.1.3
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
@@ -89,7 +89,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.1
+Requires: 389-ds-base >= 1.3.1.3
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
@@ -145,7 +145,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
+Requires(pre): 389-ds-base >= 1.3.1.3
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
@@ -815,6 +815,9 @@ fi
%endif # ! %{ONLY_CLIENT}
%changelog
+* Wed Jul 10 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.2.99-4
+- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
+
* Wed Jun 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.2.99-3
- Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
support.
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f6af28e..a92e9a1 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ class ReplicaPrepare(admintool.AdminTool):
self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
else:
if ipautil.file_exists(options.ca_file):
+ # Since it is possible that the Directory Manager password
+ # has changed since ipa-server-install, we need to regenerate
+ # the CA PKCS#12 file and update the pki admin user password
+ self.regenerate_ca_file(options.ca_file)
+ self.update_pki_admin_password()
self.copy_info_file(options.ca_file, "cacert.p12")
else:
raise admintool.ScriptError("Root CA PKCS#12 not "
@@ -505,3 +510,34 @@ class ReplicaPrepare(admintool.AdminTool):
db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
finally:
os.remove(agent_name)
+
+ def update_pki_admin_password(self):
+ ldap = ldap2(shared_instance=False)
+ ldap.connect(
+ bind_dn=DN(('cn', 'directory manager')),
+ bind_pw=self.dirman_password
+ )
+ dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ ldap.modify_password(dn, self.dirman_password)
+ ldap.disconnect()
+
+ def regenerate_ca_file(self, ca_file):
+ dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+ keydb_pwd = ''
+ with open('/etc/pki/pki-tomcat/password.conf') as f:
+ for line in f.readlines():
+ key, value = line.strip().split('=')
+ if key == 'internal':
+ keydb_pwd = value
+ break
+
+ keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
+
+ ipautil.run([
+ '/usr/bin/PKCS12Export',
+ '-d', '/etc/pki/pki-tomcat/alias/',
+ '-p', keydb_pwd_fd.name,
+ '-w', dm_pwd_fd.name,
+ '-o', ca_file
+ ])