author | Petr Viktorin <pviktori@redhat.com> | 2012-11-01 12:16:25 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-11-23 12:19:19 +0100 |
commit | 5fa3455764cb475078723eebacffefd2baf08016 (patch) | |
tree | 525a40290bba5a9ca0a92498ccf5ee02bdd4b8e2 | |
parent | d1574136754ff7e2190b0cf9a99b211c1bfededa (diff) | |
download | freeipa-5fa3455764cb475078723eebacffefd2baf08016.tar.gz freeipa-5fa3455764cb475078723eebacffefd2baf08016.tar.xz freeipa-5fa3455764cb475078723eebacffefd2baf08016.zip |
Update certmap.conf on IPA upgrades
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.
This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
-rw-r--r-- | install/share/certmap.conf.template | 6 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 17 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 2 |
3 files changed, 22 insertions, 3 deletions
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template index 40b4e6cb1..cff3a669b 100644 --- a/install/share/certmap.conf.template +++ b/install/share/certmap.conf.template @@ -1,4 +1,8 @@ +# VERSION 1 - DO NOT REMOVE THIS LINE # +# This file is managed by IPA and will be overwritten on upgrades. + + # BEGIN COPYRIGHT BLOCK # This Program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free Software @@ -80,6 +84,6 @@ certmap default default #default:InitFn <Init function's name> default:DNComps default:FilterComps uid -certmap ipaca CN=Certificate Authority,O=domain_name +certmap ipaca CN=Certificate Authority,O=$REALM ipaca:CmapLdapAttr seeAlso ipaca:verifycert on diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 14d4e0829..12e96cfb7 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -153,7 +153,11 @@ def find_autoredirect(fqdn): return True def find_version(filename): - """Find the version of a configuration file""" + """Find the version of a configuration file + + If no VERSION entry exists in the file, returns 0. + If the file does not exist, returns -1. + """ if os.path.exists(filename): pattern = "^[\s#]*VERSION\s+([0-9]+)\s+.*" p = re.compile(pattern) @@ -185,6 +189,12 @@ def upgrade(sub_dict, filename, template, add=False): if new < 0: root_logger.error("%s not found." % template) + if old == 0: + # The original file does not have a VERSION entry. This means it's now + # managed by IPA, but previously was not. + root_logger.warning("%s is now managed by IPA. It will be " + "overwritten. A backup of the original will be made.", filename) + if old < new or (add and old == 0): backup_file(filename, new) update_conf(sub_dict, filename, template) 
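Review bot: The warning added in upgrade() fires whenever `old == 0`, but the overwrite and backup it announces happen only in the following `if old < new or (add and old == 0):` branch. When the template is missing or carries no VERSION line (`new <= 0`; the context just above shows that `new < 0` only logs an error), the log says "It will be overwritten" while certmap.conf is left untouched. Moving the `if old == 0:` warning to be the first statement inside that branch keeps the log truthful, which matters because this file decides how client certificates map to directory entries. upgrade() starts above the hunk, so any earlier exit paths are not visible here.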
@@ -626,9 +636,14 @@ def main(): '=') sub_dict['CLONE']='#' if crl.lower() == 'true' else '' + certmap_dir = dsinstance.config_dirname( + dsinstance.realm_to_serverid(api.env.realm)) + upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) + upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"), + os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")) upgrade_pki(ca, fstore) update_dbmodules(api.env.realm) uninstall_ipa_kpasswd() diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index c178a4dab..b963417ec 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -606,7 +606,7 @@ class DsInstance(service.Service): shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template", config_dirname(self.serverid) + "certmap.conf") installutils.update_file(config_dirname(self.serverid) + "certmap.conf", - 'domain_name', self.realm_name) + '$REALM', self.realm_name) def __enable_ldapi(self): self._ldap_mod("ldapi.ldif", self.sub_dict) |
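Review bot: The new `upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"), ...)` call in main() depends on `sub_dict` carrying a `REALM` entry, because the template now spells the issuer as `O=$REALM`. `sub_dict` is built above the hunk, so that is not visible here. If the key were missing or named differently, the `certmap ipaca` line would not match the CA's issuer DN and the ipaca certificate would still fail to map, which is the case this commit sets out to fix. A comment at the call such as `# certmap.conf.template substitutes $REALM from sub_dict` would record the dependency. It is also worth confirming that the directory server is restarted later in main(), presumably needed for the rewritten map to be loaded; main() continues past the hunk.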
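Review bot: The search string passed to `installutils.update_file` in the dsinstance.py hunk is now `'$REALM'`, and `$` is an end-of-line anchor if update_file compiles its argument as a regular expression without escaping it. Its implementation is not part of this diff. In that case fresh installs would keep a literal `O=$REALM` in certmap.conf and the ipaca mapping would never match an issuer. If update_file does not escape its argument, pass an escaped pattern, or render the template through the same substitution path upgrade() uses so that install and upgrade cannot diverge. The enclosing method starts above the hunk.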