author | Rob Crittenden <rcritten@redhat.com> | 2011-03-14 16:27:19 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-03-15 14:09:57 -0400 |
commit | 861d1bbdca4793fb45fb233d236d3793cc23da36 (patch) | |
tree | ccb169d140cd119b07435b675ca11df8f7bff067 /install/tools/ipa-server-install | |
parent | a36bc4ee93d13c28f8edf2bb94eb4dbfc25be568 (diff) | |
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
This fixes 2 AVCs:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS on 7389.
* We were symlinking to the main IPA 389-ds NSS certificate database.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
Diffstat (limited to 'install/tools/ipa-server-install')
-rwxr-xr-x | install/tools/ipa-server-install | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 9c0947c83..f3a01e892 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -754,7 +754,7 @@ def main():
     if options.external_cert_file is None:
         cs = cainstance.CADSInstance()
-        cs.create_instance(realm_name, host_name, domain_name, dm_password)
+        cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
         ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
         if external == 0:
             ca.configure_instance(host_name, dm_password, dm_password,
@@ -817,17 +817,13 @@ def main():
         ca.ldap_enable('CA', host_name, dm_password, util.realm_to_suffix(realm_name))
-        # Symlink the IPA LDAP server NSS database to this one.
-        caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
-        for filename in ['cert8.db', 'key3.db', 'secmod.db']:
-            os.unlink('%s%s' % (caconfigdir, filename))
-        dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
-        for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
-            os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
-
         # Turn on SSL in the dogtag LDAP instance. This will get restarted
         # later, we don't need SSL now.
+        cs.create_certdb()
         cs.enable_ssl()
+        # Add the IPA service for storing the PKI-IPA server certificate.
+        cs.add_simple_service('dogtagldap/%s@%s' % (host_name, realm_name))
+        cs.add_cert_to_service()
         # Create a kerberos instance
         if options.pkinit_pin:
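Review bot: The new `cs.create_instance(...)` call in the first hunk runs well past the line length the surrounding code keeps to; the neighbouring `ca.configure_instance(host_name, dm_password, dm_password,` wraps its arguments, so this call should be written the same way: `cs.create_instance(realm_name, host_name, domain_name, dm_password,` followed by `subject_base=options.subject)` aligned under the first argument. Whether `options.subject` has already been checked to be a well-formed DN before it reaches `create_instance` is not visible in this hunk; if the option parser does not do that, it is worth confirming that `CADSInstance.create_instance` rejects a malformed subject base before writing it into the PKI-IPA 389-ds configuration. `main()` starts and ends outside this hunk.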
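Review bot: In the second hunk the `# Turn on SSL in the dogtag LDAP instance ...` comment now sits directly above the new `cs.create_certdb()` call, and nothing in the code records why the PKI-IPA instance gets a database of its own instead of the symlinks the hunk removes; that reasoning lives only in the commit message. I would add above `cs.create_certdb()`: `# PKI-IPA gets its own NSS database and its own certmonger-tracked cert; symlinking the main IPA 389-ds database triggered SELinux AVCs.` The appended `cs.add_simple_service('dogtagldap/%s@%s' % (host_name, realm_name))` and `cs.add_cert_to_service()` calls have no handling for a `dogtagldap/...` service entry that already exists, which matters if the installer is re-run after a partial failure; whether `add_simple_service` tolerates that case cannot be seen from this hunk, so it is worth confirming in cainstance.py. `main()` starts and ends outside this hunk.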