diff options
author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 08:51:06 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:55 +0100 |
commit | c3169add3be4fdb4572d6e159766a1d3cbb7e3d8 (patch) | |
tree | 826b97548aba5405e8edc689f083b1d2e20c25a0 /ipaserver/install/plugins | |
parent | 6a19738a4560ffbfe5a70699d787c4a44a9518c5 (diff) | |
download | freeipa-c3169add3be4fdb4572d6e159766a1d3cbb7e3d8.tar.gz freeipa-c3169add3be4fdb4572d6e159766a1d3cbb7e3d8.tar.xz freeipa-c3169add3be4fdb4572d6e159766a1d3cbb7e3d8.zip |
Store information about which CA server is master for renewals in LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r-- | ipaserver/install/plugins/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/plugins/ca_renewal_master.py | 79 |
2 files changed, 80 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am index 624e82687..7cf049513 100644 --- a/ipaserver/install/plugins/Makefile.am +++ b/ipaserver/install/plugins/Makefile.am @@ -11,6 +11,7 @@ app_PYTHON = \ update_services.py \ update_anonymous_aci.py \ update_pacs.py \ + ca_renewal_master.py \ $(NULL) EXTRA_DIST = \ diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py new file mode 100644 index 000000000..2481fa70d --- /dev/null +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -0,0 +1,79 @@ +# Authors: +# Jan Cholasta <jcholast@redhat.com> +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipaserver.install.plugins.baseupdate import PostUpdate +from ipalib import errors +from ipalib.plugable import Registry +from ipapython import certmonger +from ipapython.dn import DN + +register = Registry() + +@register() +class update_ca_renewal_master(PostUpdate): + """ + Set CA renewal master in LDAP. + """ + + def execute(self, **options): + ldap = self.obj.backend + base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), + self.api.env.basedn) + filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))' + try: + entries = ldap.get_entries(base_dn=base_dn, filter=filter, + attrs_list=[]) + except errors.NotFound: + pass + else: + self.debug("found CA renewal master %s", entries[0].dn[1].value) + return (False, False, []) + + criteria = ( + ('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH), + ('cert_nickname', 'ipaCert', None), + ) + request_id = certmonger.get_request_id(criteria) + if request_id is None: + self.error("certmonger request for ipaCert not found") + return (False, False, []) + ca_name = certmonger.get_request_value(request_id, 'ca_name') + if ca_name is None: + self.error("certmonger request for ipaCert is missing ca_name") + return (False, False, []) + ca_name = ca_name.strip() + + if ca_name == 'dogtag-ipa-renew-agent': + dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) + update = { + dn: { + 'dn': dn, + 'updates': ['add:ipaConfigString: caRenewalMaster'], + }, + } + return (False, True, [update]) + elif ca_name == 'dogtag-ipa-retrieve-agent-submit': + return (False, False, []) + elif ca_name == 'dogtag-ipa-ca-renew-agent': + return (False, False, []) + else: + self.warning( + "certmonger request for ipaCert has unknown ca_name \"%s\", " + "assuming local CA is renewal slave", ca_name) + return (False, False, []) |