Use Dogtag 10 only when it is available

Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
author: Petr Viktorin <pviktori@redhat.com> 2012-08-23 12:38:45 -0400
committer: Rob Crittenden <rcritten@redhat.com> 2012-09-17 18:43:59 -0400
commit: 4f76c143d2f2036af02677469c542f563a10158d (patch)
tree: 8ed4716135c53486710950b453f17bb71f36c658 /install/tools
parent: 3dd31a875650c7fe7c67ca6b47f2058c1181dafb (diff)
download: freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.gz
freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.xz
freeipa-4f76c143d2f2036af02677469c542f563a10158d.zip
6 files changed, 38 insertions, 13 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index d52832239..1c1b96a91 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -37,6 +37,7 @@ from ipapython import version
 from ipalib import api, util
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
+from ipapython import dogtag
 from ipapython.ipa_log_manager import *
 
 log_file_name = "/var/log/ipareplica-ca-install.log"
@@ -156,10 +157,11 @@ def main():
     # We need to restart apache as we drop a new config file in there
     ipaservices.knownservices.httpd.restart(capture_output=True)
 
-    #update dogtag version in config file to denote new instance
+    #update dogtag version in config file
     try:
         fd = open("/etc/ipa/default.conf", "a")
-        fd.write("dogtag_version=10\n")
+        fd.write(
+            "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
         fd.close()
     except IOError, e:
         print "Failed to update /etc/ipa/default.conf"
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 884956fd1..39cfa5851 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -29,6 +29,7 @@ from ipapython import ipautil
 from ipaserver.install import replication, installutils
 from ipaserver import ipaldap
 from ipapython import version
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.dn import DN
 
@@ -80,7 +81,7 @@ class CSReplicationManager(replication.ReplicationManager):
         """
         dn = None
         cn = None
-        instance_name = 'pki-tomcat'
+        instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME
 
         # if master is not None we know what dn to return:
         if master is not None:
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index a7b34cf1b..0378827d5 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
+from ipapython import dogtag
 from ipapython.dn import DN
 
 log_file_name = "/var/log/ipareplica-install.log"
@@ -376,7 +377,8 @@ def main():
         if ipautil.file_exists(config.dir + "/cacert.p12"):
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
-            fd.write("dogtag_version=10\n")
+            fd.write("dogtag_version=%s\n" %
+                dogtag.install_constants.DOGTAG_VERSION)
         fd.write("mode=production\n")
         fd.close()
     finally:
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index ce25681f4..56f132a38 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -33,6 +33,7 @@ from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError
 from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
+from ipapython import dogtag
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors, util
 from ipapython.dn import DN
@@ -304,7 +305,9 @@ def main():
         if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address):
             sys.exit(1)
 
-    if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin:
+    if (not certs.ipa_self_signed() and
+            not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and
+            not options.dirsrv_pin):
         sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.")
 
     check_ipa_configuration(api.env.realm)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 639a72701..201e2fb18 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,6 +58,7 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipapython import sysrestore
 from ipapython.ipautil import *
 from ipapython import ipautil
+from ipapython import dogtag
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
@@ -465,6 +466,9 @@ def uninstall():
     except Exception, e:
         pass
 
+    # Need to get dogtag info before /etc/ipa/default.conf is removed
+    dogtag_constants = dogtag.configured_constants()
+
     print "Removing IPA client configuration"
     try:
         (stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False)
@@ -477,10 +481,13 @@ def uninstall():
         print "ipa-client-install returned: " + str(e)
 
     ntpinstance.NTPInstance(fstore).uninstall()
-    if cainstance.CADSInstance().is_configured():
-        cainstance.CADSInstance().uninstall()
-    if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured():
-        cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall()
+    cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants)
+    if cads_instance.is_configured():
+        cads_instance.uninstall()
+    ca_instance = cainstance.CAInstance(
+        api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
+    if ca_instance.is_configured():
+        ca_instance.uninstall()
     bindinstance.BindInstance(fstore).uninstall()
     httpinstance.HTTPInstance(fstore).uninstall()
     krbinstance.KrbInstance(fstore).uninstall()
@@ -853,7 +860,8 @@ def main():
     fd.write("enable_ra=True\n")
     if not options.selfsign:
         fd.write("ra_plugin=dogtag\n")
-        fd.write("dogtag_version=10\n")
+        fd.write("dogtag_version=%s\n" %
+            dogtag.install_constants.DOGTAG_VERSION)
     fd.write("mode=production\n")
     fd.close()
 
@@ -916,7 +924,8 @@ def main():
         cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password)
         if not cs.is_configured():
             cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
-        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
+        ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
+            dogtag_constants=dogtag.install_constants)
         if external == 0:
             ca.configure_instance(host_name, dm_password, dm_password,
                                   subject_base=options.subject)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3041cb60b..6c0437180 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -29,6 +29,7 @@ try:
     from ipapython.config import IPAOptionParser
     from ipapython.ipa_log_manager import *
     from ipapython import certmonger
+    from ipapython import dogtag
     from ipaserver.install import installutils
     from ipaserver.install import dsinstance
     from ipaserver.install import httpinstance
@@ -458,7 +459,7 @@ def enable_certificate_renewal(realm):
             ca.configure_agent_renewal()
         ca.track_servercert()
         sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
-        ca.restart(cainstance.PKI_INSTANCE_NAME)
+        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
         root_logger.debug('CA subsystem certificate renewal enabled')
 
 def main():
@@ -495,7 +496,14 @@ def main():
     check_certs()
 
     auto_redirect = find_autoredirect(fqdn)
-    sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'}
+    configured_constants = dogtag.configured_constants()
+    sub_dict = dict(
+        REALM=api.env.realm,
+        FQDN=fqdn,
+        AUTOREDIR='' if auto_redirect else '#',
+        CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
+        DOGTAG_PORT=configured_constants.AJP_PORT,
+    )
 
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
author	Petr Viktorin <pviktori@redhat.com>	2012-08-23 12:38:45 -0400
committer	Rob Crittenden <rcritten@redhat.com>	2012-09-17 18:43:59 -0400
commit	4f76c143d2f2036af02677469c542f563a10158d (patch)
tree	8ed4716135c53486710950b453f17bb71f36c658 /install/tools
parent	3dd31a875650c7fe7c67ca6b47f2058c1181dafb (diff)
download	freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.gz freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.xz freeipa-4f76c143d2f2036af02677469c542f563a10158d.zip