author | Petr Viktorin <pviktori@redhat.com> | 2012-08-23 12:38:45 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-09-17 18:43:59 -0400 |
commit | 4f76c143d2f2036af02677469c542f563a10158d (patch) | |
tree | 8ed4716135c53486710950b453f17bb71f36c658 /install/tools | |
parent | 3dd31a875650c7fe7c67ca6b47f2058c1181dafb (diff) | |
download | freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.gz freeipa-4f76c143d2f2036af02677469c542f563a10158d.tar.xz freeipa-4f76c143d2f2036af02677469c542f563a10158d.zip |
Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.
Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.
This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Diffstat (limited to 'install/tools')
-rwxr-xr-x | install/tools/ipa-ca-install | 6 | ||||
-rwxr-xr-x | install/tools/ipa-csreplica-manage | 3 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 4 | ||||
-rwxr-xr-x | install/tools/ipa-replica-prepare | 5 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 21 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 12 |
6 files changed, 38 insertions, 13 deletions
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index d52832239..1c1b96a91 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -37,6 +37,7 @@ from ipapython import version from ipalib import api, util from ipapython.config import IPAOptionParser from ipapython import sysrestore +from ipapython import dogtag from ipapython.ipa_log_manager import * log_file_name = "/var/log/ipareplica-ca-install.log" @@ -156,10 +157,11 @@ def main(): # We need to restart apache as we drop a new config file in there ipaservices.knownservices.httpd.restart(capture_output=True) - #update dogtag version in config file to denote new instance + #update dogtag version in config file try: fd = open("/etc/ipa/default.conf", "a") - fd.write("dogtag_version=10\n") + fd.write( + "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION) fd.close() except IOError, e: print "Failed to update /etc/ipa/default.conf" diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 884956fd1..39cfa5851 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -29,6 +29,7 @@ from ipapython import ipautil from ipaserver.install import replication, installutils from ipaserver import ipaldap from ipapython import version +from ipapython import dogtag from ipalib import api, errors, util from ipapython.dn import DN @@ -80,7 +81,7 @@ class CSReplicationManager(replication.ReplicationManager): """ dn = None cn = None - instance_name = 'pki-tomcat' + instance_name = dogtag.configured_constants(api).PKI_INSTANCE_NAME # if master is not None we know what dn to return: if master is not None: diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index a7b34cf1b..0378827d5 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install 
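Review bot: The `dogtag_version` line in ipa-ca-install's `main()` is still appended to `/etc/ipa/default.conf` with mode `"a"`, so a re-run, or a host whose file already has a `dogtag_version` entry, ends up with two entries, and which one wins depends on the config parser. With this commit that value appears to decide which instance name and paths the other tools use, so the `except IOError` branch that only prints "Failed to update" should probably count as a failure rather than a warning; what follows the `print` is outside the hunk. Writing through `with open("/etc/ipa/default.conf", "a") as fd:` would also close the descriptor when `fd.write` raises, which the current `fd.close()` inside the `try` does not.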
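Review bot: `dogtag.configured_constants(api)` in `CSReplicationManager` passes `api` explicitly, while the calls added in ipa-replica-prepare, ipa-server-install and ipa-upgradeconfig use `dogtag.configured_constants()` with no argument. If the default argument resolves to the same `ipalib.api` object, drop the argument here so all call sites read alike; if it does not, each no-argument call needs a comment saying which configuration it reads. The enclosing method starts and ends outside the hunk, so whether `api` is already bootstrapped at this point cannot be confirmed from here.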
@@ -42,6 +42,7 @@ from ipapython.config import IPAOptionParser from ipapython import sysrestore from ipapython import services as ipaservices from ipapython.ipa_log_manager import * +from ipapython import dogtag from ipapython.dn import DN log_file_name = "/var/log/ipareplica-install.log" @@ -376,7 +377,8 @@ def main(): if ipautil.file_exists(config.dir + "/cacert.p12"): fd.write("enable_ra=True\n") fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=10\n") + fd.write("dogtag_version=%s\n" % + dogtag.install_constants.DOGTAG_VERSION) fd.write("mode=production\n") fd.close() finally: diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index ce25681f4..56f132a38 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -33,6 +33,7 @@ from ipaserver.install.replication import enable_replication_version_checking from ipaserver.install.installutils import resolve_host, BadHostError, HostLookupError from ipaserver.plugins.ldap2 import ldap2 from ipapython import version +from ipapython import dogtag from ipapython.config import IPAOptionParser from ipalib import api, errors, util from ipapython.dn import DN @@ -304,7 +305,9 @@ def main(): if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, options.ip_address): sys.exit(1) - if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki/pki-tomcat/conf/ca/CS.cfg") and not options.dirsrv_pin: + if (not certs.ipa_self_signed() and + not ipautil.file_exists(dogtag.configured_constants().CS_CFG_PATH) and + not options.dirsrv_pin): sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") check_ipa_configuration(api.env.realm) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 639a72701..201e2fb18 100755 
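Review bot: The primary-server test in ipa-replica-prepare's `main()` now depends on `dogtag.configured_constants().CS_CFG_PATH`, so on a host whose configuration carries no `dogtag_version` (for example one installed before the setting existed) the outcome depends on which constants are used as the fallback, and that choice is not visible in this diff. If the fallback does not match the installed Dogtag, the tool would exit with the "must be created on the primary IPA server" message even though the CA is present. A comment above the condition stating the fallback would make this checkable, e.g. `# CS.cfg path follows the configured dogtag_version; when unset it falls back to <default version>`.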
--- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -58,6 +58,7 @@ from ipaserver.plugins.ldap2 import ldap2 from ipapython import sysrestore from ipapython.ipautil import * from ipapython import ipautil +from ipapython import dogtag from ipalib import api, errors, util from ipapython.config import IPAOptionParser from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file @@ -465,6 +466,9 @@ def uninstall(): except Exception, e: pass + # Need to get dogtag info before /etc/ipa/default.conf is removed + dogtag_constants = dogtag.configured_constants() + print "Removing IPA client configuration" try: (stdout, stderr, rc) = run(["/usr/sbin/ipa-client-install", "--on-master", "--unattended", "--uninstall"], raiseonerr=False) @@ -477,10 +481,13 @@ def uninstall(): print "ipa-client-install returned: " + str(e) ntpinstance.NTPInstance(fstore).uninstall() - if cainstance.CADSInstance().is_configured(): - cainstance.CADSInstance().uninstall() - if cainstance.CAInstance(api.env.realm, certs.NSS_DIR).is_configured(): - cainstance.CAInstance(api.env.realm, certs.NSS_DIR).uninstall() + cads_instance = cainstance.CADSInstance(dogtag_constants=dogtag_constants) + if cads_instance.is_configured(): + cads_instance.uninstall() + ca_instance = cainstance.CAInstance( + api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) + if ca_instance.is_configured(): + ca_instance.uninstall() bindinstance.BindInstance(fstore).uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() @@ -853,7 +860,8 @@ def main(): fd.write("enable_ra=True\n") if not options.selfsign: fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=10\n") + fd.write("dogtag_version=%s\n" % + dogtag.install_constants.DOGTAG_VERSION) fd.write("mode=production\n") fd.close() 
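Review bot: `uninstall()` now relies on `dogtag.configured_constants()` returning the constants of the instance that was actually installed. If `/etc/ipa/default.conf` is already missing or lacks `dogtag_version` (a retried or partial uninstall), both `is_configured()` checks in the next hunk may look at the wrong instance and skip removal without any message, presumably leaving the CA instance and its key material on disk. Printing the selected version or instance name before the CA teardown, and a line when neither `cads_instance` nor `ca_instance` is found configured, would make that case visible. The new call also sits outside any `try`, unlike the steps around it, so it is worth confirming that `configured_constants()` cannot raise on a missing file and abort the uninstall before the client configuration is removed.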
@@ -916,7 +924,8 @@ def main(): cs = cainstance.CADSInstance(host_name, realm_name, domain_name, dm_password) if not cs.is_configured(): cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject) - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, + dogtag_constants=dogtag.install_constants) if external == 0: ca.configure_instance(host_name, dm_password, dm_password, subject_base=options.subject) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3041cb60b..6c0437180 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -29,6 +29,7 @@ try: from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import * from ipapython import certmonger + from ipapython import dogtag from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import httpinstance @@ -458,7 +459,7 @@ def enable_certificate_renewal(realm): ca.configure_agent_renewal() ca.track_servercert() sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True) - ca.restart(cainstance.PKI_INSTANCE_NAME) + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) root_logger.debug('CA subsystem certificate renewal enabled') def main(): @@ -495,7 +496,14 @@ def main(): check_certs() auto_redirect = find_autoredirect(fqdn) - sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'} + configured_constants = dogtag.configured_constants() + sub_dict = dict( + REALM=api.env.realm, + FQDN=fqdn, + AUTOREDIR='' if auto_redirect else '#', + CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH, + DOGTAG_PORT=configured_constants.AJP_PORT, + ) upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") |
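Review bot: In ipa-upgradeconfig's `main()` the template key `DOGTAG_PORT` is filled from `configured_constants.AJP_PORT`, and the key name does not say that it carries the AJP connector port rather than one of Dogtag's HTTP(S) ports. A comment on that line, e.g. `# DOGTAG_PORT is the AJP port, not the Dogtag HTTPS port`, would stop a later edit from substituting a different port into `/etc/httpd/conf.d/ipa.conf`. Since `CRL_PUBLISH_PATH` and this port are written into the httpd configuration by `upgrade()`, it would also help to note in the comment that both come from the fixed constants in dogtag.py and not from free-form values in the config file, if that is indeed the case.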