authorJan Cholasta <jcholast@redhat.com>2014-07-23 19:03:46 +0200
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-09-02 15:28:51 +0200
commit774140196360c727f11c75622ace488d591ddfba (patch)
treee83b96bae933aff446899e2a45a970c4fd06bcce
parenta2eab057d4adfaa8da7fee07410e1a33efb7f95d (diff)
Allow changing CA renewal master in ipa-csreplica-manage.
https://fedorahosted.org/freeipa/ticket/4039 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
-rwxr-xr-xinstall/tools/ipa-csreplica-manage39
-rw-r--r--install/tools/man/ipa-csreplica-manage.13
2 files changed, 33 insertions, 9 deletions
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index cfcb354f2..c534446d7 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -34,15 +34,16 @@ from ipapython.dn import DN
# dict of command name and tuples of min/max num of args needed
commands = {
- "list":(0, 1, "[master fqdn]", ""),
- "connect":(1, 2, "<master fqdn> [other master fqdn]",
- "must provide the name of the servers to connect"),
- "disconnect":(1, 2, "<master fqdn> [other master fqdn]",
- "must provide the name of the server to disconnect"),
- "del":(1, 1, "<master fqdn>",
- "must provide hostname of master to delete"),
- "re-initialize":(0, 0, "", ""),
- "force-sync":(0, 0, "", "")
+ "list": (0, 1, "[master fqdn]", ""),
+ "connect": (1, 2, "<master fqdn> [other master fqdn]",
+ "must provide the name of the servers to connect"),
+ "disconnect": (1, 2, "<master fqdn> [other master fqdn]",
+ "must provide the name of the server to disconnect"),
+ "del": (1, 1, "<master fqdn>",
+ "must provide hostname of master to delete"),
+ "re-initialize": (0, 0, "", ""),
+ "force-sync": (0, 0, "", ""),
+ "set-renewal-master": (0, 1, "[master fqdn]", "")
}
@@ -375,6 +376,21 @@ def force_sync(realm, thishost, fromhost, dirman_passwd):
except Exception, e:
sys.exit(str(e))
+def set_renewal_master(realm, replica):
+ if not replica:
+ replica = installutils.get_fqdn()
+
+ ca = cainstance.CAInstance(realm, certs.NSS_DIR)
+ if ca.is_renewal_master(replica):
+ sys.exit("%s is already the renewal master" % replica)
+
+ try:
+ ca.set_renewal_master(replica)
+ except Exception, e:
+ sys.exit("Failed to set renewal master to %s: %s" % (replica, e))
+
+ print "%s is now the renewal master" % replica
+
def main():
options, args = parse_options()
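Review bot: `set_renewal_master` hands the command-line `replica` value to `ca.set_renewal_master(replica)` with no visible check that the name belongs to a server that actually runs a CA. Unless `CAInstance.set_renewal_master` validates this itself (not visible in this diff), a mistyped FQDN could leave no working host responsible for renewing the CA subsystem certificates, and the problem would only surface when they expire. Consider confirming the host is among the known CA masters before the call and exiting with a clear error otherwise, and add a docstring such as `"""Make replica (default: the local host) the CA renewal master; exit with an error message on failure."""`. The `ca.is_renewal_master(replica)` lookup also sits outside the `try`, so a failure there skips the "Failed to set renewal master" message and is left to whatever handler wraps `main()`.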
@@ -439,6 +455,11 @@ def main():
replica1 = host
replica2 = args[1]
del_link(realm, replica1, replica2, dirman_passwd, options.force)
+ elif args[0] == 'set-renewal-master':
+ replica = None
+ if len(args) > 1:
+ replica = args[1]
+ set_renewal_master(realm, replica)
try:
main()
diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1
index ddb28da41..3164ea60d 100644
--- a/install/tools/man/ipa-csreplica-manage.1
+++ b/install/tools/man/ipa-csreplica-manage.1
@@ -42,6 +42,9 @@ Manages the CA replication agreements of an IPA server.
\fBforce\-sync\fR
\- Immediately flush any data to be replicated from a server specified with the \-\-from option
.TP
+\fBset\-renewal\-master\fR [SERVER]
+\- Set CA server which handles renewal of CA subsystem certificates to SERVER
+.TP
The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas.
.TP
The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.