authorPetr Viktorin <pviktori@redhat.com>2012-11-01 12:16:25 -0400
committerMartin Kosek <mkosek@redhat.com>2012-11-23 12:19:19 +0100
commit5fa3455764cb475078723eebacffefd2baf08016 (patch)
tree525a40290bba5a9ca0a92498ccf5ee02bdd4b8e2
parentd1574136754ff7e2190b0cf9a99b211c1bfededa (diff)
Update certmap.conf on IPA upgrades
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control. The file is overwritten on upgrades. This ensures that the cert for the ipaca user is recognized when ipa-ca-install is run on older masters.
-rw-r--r--install/share/certmap.conf.template6
-rw-r--r--install/tools/ipa-upgradeconfig17
-rw-r--r--ipaserver/install/dsinstance.py2
3 files changed, 22 insertions, 3 deletions
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 40b4e6cb1..cff3a669b 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -1,4 +1,8 @@
+# VERSION 1 - DO NOT REMOVE THIS LINE
#
+# This file is managed by IPA and will be overwritten on upgrades.
+
+
# BEGIN COPYRIGHT BLOCK
# This Program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
@@ -80,6 +84,6 @@ certmap default default
#default:InitFn <Init function's name>
default:DNComps
default:FilterComps uid
-certmap ipaca CN=Certificate Authority,O=domain_name
+certmap ipaca CN=Certificate Authority,O=$REALM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 14d4e0829..12e96cfb7 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -153,7 +153,11 @@ def find_autoredirect(fqdn):
return True
def find_version(filename):
- """Find the version of a configuration file"""
+ """Find the version of a configuration file
+
+ If no VERSION entry exists in the file, returns 0.
+ If the file does not exist, returns -1.
+ """
if os.path.exists(filename):
pattern = "^[\s#]*VERSION\s+([0-9]+)\s+.*"
p = re.compile(pattern)
@@ -185,6 +189,12 @@ def upgrade(sub_dict, filename, template, add=False):
if new < 0:
root_logger.error("%s not found." % template)
+ if old == 0:
+ # The original file does not have a VERSION entry. This means it's now
+ # managed by IPA, but previously was not.
+ root_logger.warning("%s is now managed by IPA. It will be "
+ "overwritten. A backup of the original will be made.", filename)
+
if old < new or (add and old == 0):
backup_file(filename, new)
update_conf(sub_dict, filename, template)
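Review bot: The new warning in the `if old == 0:` block is emitted before the overwrite decision is made, so it also fires when the template was not found (`new < 0` only logs an error and does not return): the admin is told the file "will be overwritten" although the `if old < new or (add and old == 0)` test right below is then false and nothing is touched. Guarding the warning on the same outcome, `if old == 0 and (new > 0 or add):`, keeps the message truthful, since for `old == 0` that is exactly the overwrite condition. The enclosing `upgrade()` continues outside the hunk, so a later early return is not visible here.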
@@ -626,9 +636,14 @@ def main():
'=')
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+ certmap_dir = dsinstance.config_dirname(
+ dsinstance.realm_to_serverid(api.env.realm))
+
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))
upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
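Review bot: The template now carries `$REALM`, so the `sub_dict` handed to the new `upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"), ...)` call must contain a `REALM` key; `sub_dict` is assembled above this hunk (only the `sub_dict['CLONE']=...` assignment is visible), so confirm it is set — otherwise the placeholder is either left unsubstituted in certmap.conf or the substitution raises, depending on how `update_conf` performs it. Because certmap.conf lives inside the directory server instance directory, it is also worth confirming that `update_conf`/`backup_file` preserve the ownership and mode of the existing file, so the dirsrv process can still read it after the rewrite. Minor style point: the neighbouring calls build paths with `ipautil.SHARE_DIR + "..."` while the new call uses `os.path.join`; either works, but the function should pick one.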
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c178a4dab..b963417ec 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -606,7 +606,7 @@ class DsInstance(service.Service):
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.serverid) + "certmap.conf")
installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
- 'domain_name', self.realm_name)
+ '$REALM', self.realm_name)
def __enable_ldapi(self):
self._ldap_mod("ldapi.ldif", self.sub_dict)
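Review bot: `installutils.update_file(..., '$REALM', self.realm_name)` only substitutes the placeholder if `update_file` escapes its `orig` argument before compiling it as a pattern; if `orig` is used as a raw regex, `$` is an end-of-line anchor, the placeholder is never matched and `O=$REALM` survives into the deployed certmap.conf. That helper is not visible here, so confirm it. The install path (copy plus text replacement) and the upgrade path in ipa-upgradeconfig (`upgrade(sub_dict, ...)`) now fill the same placeholder by two different mechanisms; running the template through the same substitution with `self.sub_dict` here would keep both paths in step for any further `$VAR` the template gains. The enclosing method starts outside the hunk.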