diff options
author | Ana Krivokapic <akrivoka@redhat.com> | 2013-05-15 11:22:41 +0200 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2013-07-11 12:39:29 +0300 |
commit | c1e9b6fa1d3b334e6331c00158bf8e71926cd658 (patch) | |
tree | a172bcaacaa3591402dc741c8e3ffbdd44aaee6a | |
parent | e4437a3e7ffcb547a00a70614804dc35fefd630e (diff) | |
download | freeipa-c1e9b6fa1d3b334e6331c00158bf8e71926cd658.tar.gz freeipa-c1e9b6fa1d3b334e6331c00158bf8e71926cd658.tar.xz freeipa-c1e9b6fa1d3b334e6331c00158bf8e71926cd658.zip |
Make sure replication works after DM password is changed
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.
If the DM password is changed after the IPA server installation, the replication
fails.
To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password
https://fedorahosted.org/freeipa/ticket/3594
-rw-r--r-- | freeipa.spec.in | 9 | ||||
-rw-r--r-- | ipaserver/install/ipa_replica_prepare.py | 36 |
2 files changed, 42 insertions, 3 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 5a143b643..debc6e587 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -17,7 +17,7 @@ Source0: freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.1.1 +BuildRequires: 389-ds-base-devel >= 1.3.1.3 BuildRequires: svrcore-devel BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: systemd-units @@ -89,7 +89,7 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base >= 1.3.1.1 +Requires: 389-ds-base >= 1.3.1.3 Requires: openldap-clients > 2.4.35-4 %if 0%{?fedora} == 18 Requires: nss >= 3.14.3-2 @@ -145,7 +145,7 @@ Requires: zip Requires: policycoreutils >= %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger >= 0.65 -Requires(pre): 389-ds-base >= 1.3.0.5 +Requires(pre): 389-ds-base >= 1.3.1.3 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the # entire SELinux policy is stored in the system policy @@ -815,6 +815,9 @@ fi %endif # ! %{ONLY_CLIENT} %changelog +* Wed Jul 10 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.2.99-4 +- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix. + * Wed Jun 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.2.99-3 - Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority support. diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index f6af28e3a..a92e9a111 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -274,6 +274,11 @@ class ReplicaPrepare(admintool.AdminTool): self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12") else: if ipautil.file_exists(options.ca_file): + # Since it is possible that the Directory Manager password + # has changed since ipa-server-install, we need to regenerate + # the CA PKCS#12 file and update the pki admin user password + self.regenerate_ca_file(options.ca_file) + self.update_pki_admin_password() self.copy_info_file(options.ca_file, "cacert.p12") else: raise admintool.ScriptError("Root CA PKCS#12 not " @@ -505,3 +510,34 @@ class ReplicaPrepare(admintool.AdminTool): db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert") finally: os.remove(agent_name) + + def update_pki_admin_password(self): + ldap = ldap2(shared_instance=False) + ldap.connect( + bind_dn=DN(('cn', 'directory manager')), + bind_pw=self.dirman_password + ) + dn = DN('uid=admin', 'ou=people', 'o=ipaca') + ldap.modify_password(dn, self.dirman_password) + ldap.disconnect() + + def regenerate_ca_file(self, ca_file): + dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password) + + keydb_pwd = '' + with open('/etc/pki/pki-tomcat/password.conf') as f: + for line in f.readlines(): + key, value = line.strip().split('=') + if key == 'internal': + keydb_pwd = value + break + + keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd) + + ipautil.run([ + '/usr/bin/PKCS12Export', + '-d', '/etc/pki/pki-tomcat/alias/', + '-p', keydb_pwd_fd.name, + '-w', dm_pwd_fd.name, + '-o', ca_file + ]) |