authorRob Crittenden <rcritten@redhat.com>2011-03-10 00:06:15 -0500
committerRob Crittenden <rcritten@redhat.com>2011-03-10 09:57:36 -0500
commit9dfb0f05b03176dd8478b56ce684c9a2f4f07b0e (patch)
tree4294d10a6d09fa0dd4c5989c63477c5936d53318 /install/tools/ipa-server-install
parented5cffd026a6528ea47802d16417139dd2734980 (diff)
Use TLS for dogtag replication agreements.
Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance. ticket 1060
Diffstat (limited to 'install/tools/ipa-server-install')
-rwxr-xr-xinstall/tools/ipa-server-install16
1 files changed, 15 insertions, 1 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 29c3f785f..9c0947c83 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -760,6 +760,7 @@ def main():
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=options.subject)
elif external == 1:
+ # stage 2 of external CA installation
options.realm_name = realm_name
options.domain_name = domain_name
options.master_password = master_password
@@ -776,6 +777,7 @@ def main():
# This can happen if someone passes external_ca_file without
# already having done the first stage of the CA install.
sys.exit('CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca.')
+ cs = cainstance.CADSInstance(dm_password=dm_password)
ca.configure_instance(host_name, dm_password, dm_password,
cert_file=options.external_cert_file,
cert_chain_file=options.external_ca_file,
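Review bot: `cs` is bound here only on the external-CA stage-2 path, immediately before the `ca.configure_instance(... cert_file=...)` call, yet the consumer `cs.enable_ssl()` in the third hunk runs on every `not options.selfsign` path, including the fresh-install and self-contained-CA branches that lie outside this hunk; unless those branches also bind `cs` (not visible here), they will raise `NameError` at `cs.enable_ssl()`. If a `CADSInstance` is already constructed once before the `external` dispatch, it should be the one carrying `dm_password=dm_password`, and this line becomes redundant; otherwise hoist `cs = cainstance.CADSInstance(dm_password=dm_password)` above the branch so a single binding serves all paths. Either way a short comment such as `# dm_password is needed later by cs.enable_ssl() to open the NSS database` would make the dependency visible to the next reader. The enclosing `main()` starts before this hunk and continues past it, and the third hunk runs beyond the end of the visible file.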
@@ -810,11 +812,23 @@ def main():
subject_base=options.subject,
hbac_allow=not options.hbac_allow)
- # We ned to ldap_enable the CA now that DS is up and running
+ # We need to ldap_enable the CA now that DS is up and running
if not options.selfsign:
ca.ldap_enable('CA', host_name, dm_password,
util.realm_to_suffix(realm_name))
+ # Symlink the IPA LDAP server NSS database to this one.
+ caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
+ for filename in ['cert8.db', 'key3.db', 'secmod.db']:
+ os.unlink('%s%s' % (caconfigdir, filename))
+ dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
+ for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
+ os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
+
+ # Turn on SSL in the dogtag LDAP instance. This will get restarted
+ # later, we don't need SSL now.
+ cs.enable_ssl()
+
# Create a kerberos instance
if options.pkinit_pin:
[pw_fd, pw_name] = tempfile.mkstemp()