author | Simo Sorce <simo@redhat.com> | 2012-11-12 17:43:05 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-23 14:26:41 -0500 |
commit | 18eea90ebb24a9c22248f0b7e18646cc6e3e3e0f (patch) | |
tree | d254fad8444807639698c491e3382e38a8f75b78 | |
parent | 69c2f077dfdc3b91c3d892556711e0720502f868 (diff) | |
Upload CA cert in the directory on install
This will later allow clients to securely download the CA cert by
performing mutual auth using LDAP with GSSAPI
-rw-r--r-- | install/share/Makefile.am | 3 | ||||
-rw-r--r-- | install/share/upload-cacert.ldif | 7 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 15 |
3 files changed, 24 insertions, 1 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4a5f81a67..f8f9b742d 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -60,7 +60,8 @@ app_DATA = \
 automember.ldif \
 replica-automember.ldif \
 replica-s4u2proxy.ldif \
- copy-schema-to-ca.py \
+ copy-schema-to-ca.py \
+ upload-cacert.ldif \
 $(NULL)

 EXTRA_DIST = \
diff --git a/install/share/upload-cacert.ldif b/install/share/upload-cacert.ldif
new file mode 100644
index 000000000..d2087d8e2
--- /dev/null
+++ b/install/share/upload-cacert.ldif
@@ -0,0 +1,7 @@
+# add CA certificate to LDAP server
+dn: cn=CAcert,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: pkiCA
+cn: CAcert
+cACertificate;binary:: $CADERCERT
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 966eeed5b..76ef68726 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -44,6 +44,7 @@ from ipaserver.install import replication
 from ipalib import util, errors
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
+import base64

 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -261,6 +262,7 @@ class DsInstance(service.Service):
         self.step("adding range check plugin", self.__add_range_check_plugin)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
+        self.step("Upload CA cert to the directory", self.__upload_ca_cert)

         self.__common_post_setup()

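Review bot: The new `upload-cacert.ldif` uses `changetype: add` for `cn=CAcert,cn=ipa,cn=etc,$SUFFIX`, so running the install step a second time, or on a server where the entry already exists (for instance a replica that already received it, if this step also runs there), fails with an already-exists error instead of refreshing the certificate; a `changetype: modify` with `replace: cACertificate;binary` would make the step idempotent. The commit message says clients will fetch this entry as their CA trust anchor, which makes write access to it a trust boundary, and nothing in this hunk sets an ACI for it — confirm that the default ACIs under `cn=etc` deny write to anything but administrators before clients start consuming it. A header comment stating that contract would help the next maintainer: `# Clients fetch this entry as their CA trust anchor; it must be writable only by administrators.`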
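Review bot: `import base64` is appended after the project imports (`from ipaserver.plugins.ldap2 import ldap2`) instead of going into the standard-library group at the top of the module; move it up with the other stdlib imports so the grouping stays consistent. The enclosing import block starts outside the hunk.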
@@ -587,6 +589,19 @@ class DsInstance(service.Service):
         # check for open secure port 636 from now on
         self.open_ports.append(636)

+    def __upload_ca_cert(self):
+        """
+        Upload the CA certificate in DER form in the LDAP directory.
+        """
+
+        dirname = config_dirname(self.serverid)
+        certdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
+
+        dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False)
+        self.sub_dict['CADERCERT'] = base64.b64encode(dercert)
+
+        self._ldap_mod('upload-cacert.ldif', self.sub_dict)
+
     def __add_default_layout(self):
         self._ldap_mod("bootstrap-template.ldif", self.sub_dict)

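Review bot: `__upload_ca_cert` never checks what `certdb.get_cert_from_db(certdb.cacert_name, pem=False)` returned before base64-encoding it, so a missing or empty CA certificate in the NSS database would either raise from `b64encode` with no context or write a `cACertificate;binary::` attribute with an empty value that clients would then treat as their trust anchor; add a guard such as `if not dercert: raise RuntimeError("CA certificate %s not found in %s" % (certdb.cacert_name, dirname))` before filling `self.sub_dict`. `base64.b64encode` returns `str` on Python 2, which is what the `$CADERCERT` substitution needs, but on Python 3 it returns `bytes` and the template would embed `b'...'`; appending `.decode('ascii')` keeps the substitution correct either way. Since the LDIF uses `changetype: add`, a re-run against a directory that already holds `cn=CAcert` will fail unless `_ldap_mod` tolerates an existing entry, which is not visible here. The `DsInstance` class and the caller of this step start outside the hunk.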