Import CA certs from certificate store to DS NSS database on replica install.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

1 files changed, 13 insertions, 0 deletions

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6aaa14891..242e04d99 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -384,6 +384,7 @@ class DsInstance(service.Service):
         # See LDIFs for automember configuration during replica install
         self.step("setting Auto Member configuration", self.__add_replica_automember_config)
         self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
+        self.step("importing CA certificates from LDAP", self.__import_ca_certs)
 
         self.__common_post_setup()
 
@@ -716,6 +717,18 @@ class DsInstance(service.Service):
 
         conn.unbind()
 
+    def __import_ca_certs(self):
+        dirname = config_dirname(self.serverid)
+        dsdb = certs.CertDB(self.realm, nssdir=dirname,
+                            subject_base=self.subject_base)
+
+        conn = ipaldap.IPAdmin(self.fqdn)
+        conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
+
+        self.import_ca_certs(dsdb, self.ca_is_configured, conn)
+
+        conn.unbind()
+
     def __add_default_layout(self):
         self._ldap_mod("bootstrap-template.ldif", self.sub_dict)