diff options
author | Rob Crittenden <rcritten@redhat.com> | 2009-12-07 23:17:00 -0500 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-12-11 23:06:08 -0700 |
commit | 766b534da0c3a1ed09fe187323eaae0440eb7784 (patch) | |
tree | 8eebfdf577f4d64da9fbaa2fea3d5c955514bca7 /install/tools | |
parent | 7105a0c0d62583384c6a2d20bc508e35bd227347 (diff) | |
download | freeipa-766b534da0c3a1ed09fe187323eaae0440eb7784.tar.gz freeipa-766b534da0c3a1ed09fe187323eaae0440eb7784.tar.xz freeipa-766b534da0c3a1ed09fe187323eaae0440eb7784.zip |
Make the IPA server host and its services "real" IPA entries
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).
Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
Diffstat (limited to 'install/tools')
-rwxr-xr-x | install/tools/ipa-replica-install | 6 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 8 |
2 files changed, 11 insertions, 3 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 33d3726c2..766957862 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -200,7 +200,7 @@ def install_http(config): config.dir + "/http_pin.txt") http = httpinstance.HTTPInstance() - http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info, self_signed_ca=True) + http.create_instance(config.realm_name, config.host_name, config.domain_name, config.dirman_password, False, pkcs12_info, self_signed_ca=True) # Now copy the autoconfiguration files if ipautil.file_exists(config.dir + "/preferences.html"): @@ -347,6 +347,10 @@ def main(): CA.fix_ra_perms() service.restart("httpd") + # The DS instance is created before the keytab, add the SSL cert we + # generated + ds.add_cert_to_service() + # Create the management framework config file fd = open("/etc/ipa/default.conf", "w") fd.write("[global]\n") diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 0694d6ed5..c92989a47 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -729,6 +729,10 @@ def main(): krb = krbinstance.KrbInstance(fstore) krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password) + # The DS instance is created before the keytab, add the SSL cert we + # generated + ds.add_cert_to_service() + # Render webui assets: ipautil.run(["/sbin/restorecon", ASSETS_DIR]) render_assets() @@ -743,10 +747,10 @@ def main(): http = httpinstance.HTTPInstance(fstore) if options.http_pkcs12: pkcs12_info = (options.http_pkcs12, pw_name) - http.create_instance(realm_name, host_name, domain_name, autoconfig=False, pkcs12_info=pkcs12_info) + http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info) os.remove(pw_name) else: - http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca) + http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=not options.ca) ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"]) # Create the management framework config file |