author | Jan Cholasta <jcholast@redhat.com> | 2014-06-09 14:51:23 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 52f72ec058f11b3ca494c696f7d6a5e16b44cd49 (patch) | |
tree | 1a29ffbc9c2d9891b07f06267aebe4aa3440f4e7 /install/tools/ipa-upgradeconfig | |
parent | 1778f0ebc95bf53c2746ce5461f76458c40560cd (diff) | |
Do not treat the IPA RA cert as CA cert in DS NSS database.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/tools/ipa-upgradeconfig')
-rw-r--r-- | install/tools/ipa-upgradeconfig | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 11ed69b59..c9ad0a67f 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -967,7 +967,7 @@ def uninstall_selfsign(ds, http): http.stop_tracking_certificates() -def fix_schema_file_syntax(ds): +def fix_schema_file_syntax(): """Fix syntax errors in schema files https://fedorahosted.org/freeipa/ticket/3578 @@ -983,9 +983,6 @@ def fix_schema_file_syntax(ds): return serverid = dsinstance.realm_to_serverid(api.env.realm) - - ds.stop(serverid) - ds_dir = dsinstance.config_dirname(serverid) # 1. 60ipadns.ldif: Add parenthesis to idnsRecord @@ -1024,8 +1021,6 @@ def fix_schema_file_syntax(ds): # Done - ds.start(serverid) - sysupgrade.set_upgrade_state('ds', 'fix_schema_syntax', True) @@ -1038,6 +1033,25 @@ def set_sssd_domain_option(option, value): sssdconfig.write(paths.SSSD_CONF) +def remove_ds_ra_cert(subject_base): + root_logger.info('[Removing RA cert from DS NSS database]') + + if sysupgrade.get_upgrade_state('ds', 'remove_ra_cert'): + root_logger.info('RA cert already removed') + return + + dbdir = dsinstance.config_dirname( + dsinstance.realm_to_serverid(api.env.realm)) + dsdb = certs.CertDB(api.env.realm, nssdir=dbdir, subject_base=subject_base) + + nickname = 'CN=IPA RA,%s' % subject_base + cert = dsdb.get_cert_from_db(nickname) + if cert: + dsdb.delete_cert(nickname) + + sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True) + + def main(): """ Get some basics about the system. If getting those basics fail then 
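Review bot: The docstring of `fix_schema_file_syntax()` in the `@@ -967` hunk does not record the precondition that dropping the `ds` parameter creates: the function no longer stops the directory server itself, so the schema files are only safe to rewrite if the caller stopped it first. I would add a line such as `The caller must stop the directory server before calling this function.` to the docstring. The new `remove_ds_ra_cert()` in the `@@ -1038` hunk has no docstring at all and, judging from its call site between `ds.stop()` and `ds.start()` in main(), appears to rely on the same precondition while it edits the DS NSS database; it should get a docstring that says so. The body of fix_schema_file_syntax continues outside this hunk.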
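Review bot: In `remove_ds_ra_cert()` (the `@@ -1038` hunk) the upgrade state is set to done on every path. Nothing is logged when `get_cert_from_db(nickname)` finds no cert, and the outcome of `dsdb.delete_cert(nickname)` is not checked. If `delete_cert` can fail without raising (its implementation is not visible here), the RA cert would remain in the DS NSS database and the step would never be retried. I would log the not-found case, for example `root_logger.debug('RA cert %s not found in %s', nickname, dbdir)`, and confirm the removal with a second `dsdb.get_cert_from_db(nickname)` before calling `sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True)`.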
@@ -1104,8 +1118,8 @@ def main(): '=') sub_dict['CLONE']='#' if crl.lower() == 'true' else '' - certmap_dir = dsinstance.config_dirname( - dsinstance.realm_to_serverid(api.env.realm)) + ds_serverid = dsinstance.realm_to_serverid(api.env.realm) + certmap_dir = dsinstance.config_dirname(ds_serverid) upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + "ipa-rewrite.conf") @@ -1134,7 +1148,10 @@ def main(): ds = dsinstance.DsInstance() ds.configure_dirsrv_ccache() - fix_schema_file_syntax(ds) + ds.stop(ds_serverid) + fix_schema_file_syntax() + remove_ds_ra_cert(subject_base) + ds.start(ds_serverid) uninstall_selfsign(ds, http) |
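Review bot: `ds.start(ds_serverid)` in the `@@ -1134` hunk of main() is reached only if both `fix_schema_file_syntax()` and `remove_ds_ra_cert(subject_base)` return normally, so an exception from either one leaves the directory server stopped after a failed upgrade. Wrapping the two calls in `try:` with `finally: ds.start(ds_serverid)` brings the service back on every path. Moving stop/start to this level also means the server is now stopped and restarted on every run, even when `remove_ds_ra_cert` (and apparently `fix_schema_file_syntax`, which has an early `return`) finds its state already set and does nothing. Checking the two upgrade states before `ds.stop(ds_serverid)` would avoid that needless outage. main() starts and ends outside the hunk.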