authorFraser Tweedale <frase@frase.id.au>2015-06-16 07:40:36 -0400
committerTomas Babej <tbabej@redhat.com>2015-07-01 12:28:12 +0200
commit6e641e8d184f799817c5c830b33aff40b576640e (patch)
tree16ebf20527aa50acd7a3149312cd23755629f69e
parentfe6819eb9d7d9f84616daadb5f07072a3dfa02b1 (diff)
Upgrade CA schema during upgrade
New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag. Also update the pki dependencies to 10.2.5, which provides the schema update file. Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--freeipa.spec.in6
-rw-r--r--ipaserver/install/server/upgrade.py23
2 files changed, 26 insertions, 3 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4f08db9f6..de250d884 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -96,7 +96,7 @@ BuildRequires: python-backports-ssl_match_hostname
BuildRequires: softhsm-devel >= 2.0.0rc1-1
BuildRequires: openssl-devel
BuildRequires: p11-kit-devel
-BuildRequires: pki-base >= 10.2.4-1
+BuildRequires: pki-base >= 10.2.5
BuildRequires: python-pytest-multihost >= 0.5
BuildRequires: python-pytest-sourceorder
BuildRequires: python-kdcproxy >= 0.3
@@ -141,8 +141,8 @@ Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.54.2-1
-Requires: pki-ca >= 10.2.4-1
-Requires: pki-kra >= 10.2.4-1
+Requires: pki-ca >= 10.2.5
+Requires: pki-kra >= 10.2.5
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: python-dns >= 1.11.1
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 822f74622..4a9f0128a 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -31,6 +31,7 @@ from ipaserver.install import service
from ipaserver.install import cainstance
from ipaserver.install import certs
from ipaserver.install import otpdinstance
+from ipaserver.install import schemaupdate
from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
from ipaserver.install.upgradeinstance import IPAUpgrade
@@ -1254,6 +1255,27 @@ def update_mod_nss_protocol(http):
sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
+def ca_upgrade_schema(ca):
+ root_logger.info('[Upgrading CA schema]')
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif']
+ try:
+ modified = schemaupdate.update_schema(schema_files, ldapi=True)
+ except Exception as e:
+ root_logger.error("%s", e)
+ raise RuntimeError('CA schema upgrade failed.', 1)
+ else:
+ if modified:
+ root_logger.info('CA schema update complete')
+ return True
+ else:
+ root_logger.info('CA schema update complete (no changes)')
+ return False
+
+
def add_default_caacl(ca):
root_logger.info('[Add default CA ACL]')
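Review bot: ca_upgrade_schema has no docstring and the `schema_files=` line hard-codes `/usr/share/pki/server/conf/schema-certProfile.ldif` rather than taking it from the installer's platform path table (ipaplatform.paths, which the rest of the install code uses for file locations and which lets distributions relocate Dogtag's data); if a constant is added there the line becomes `schema_files = [paths.PLACEHOLDER_CA_SCHEMA_LDIF]` (placeholder name), and at minimum it should read `schema_files = [...]` per PEP 8. The docstring should say that the function hands Dogtag's LDAP-profile schema LDIF to FreeIPA's schema updater over LDAPI, returns True only when the directory schema was actually modified (the caller folds that into ca_restart) and False when the CA is unconfigured or nothing changed, and raises RuntimeError when update_schema fails. Re-raising a broad `except Exception` as RuntimeError discards the original traceback; `root_logger.error("%s", e)` could be paired with `root_logger.debug('', exc_info=True)` so a failed upgrade leaves the cause in the log. The second positional argument in `raise RuntimeError('CA schema upgrade failed.', 1)` makes str() of the exception render as a tuple; keep it only if it mirrors the convention of the neighbouring upgrade helpers, which are outside this hunk.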
@@ -1452,6 +1474,7 @@ def upgrade_configuration():
ca_restart = any([
ca_restart,
+ ca_upgrade_schema(ca),
upgrade_ca_audit_cert_validity(ca),
certificate_renewal_update(ca),
ca_enable_pkix(ca),