author | Fraser Tweedale <ftweedal@redhat.com> | 2015-05-11 21:17:48 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-06-04 08:27:33 +0000 |
commit | b24fe0eb733c68af4042cdd78fca6f609efe843b (patch) | |
tree | 3bf04bdc6db9f0f6f3a70beee7f5563d9c4866ad /ipaserver/install/server | |
parent | ba075b195c5c6a78416f15fb06c765858a0b2069 (diff) | |
Import included profiles during install or upgrade
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.
Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.
Fixes https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
-rw-r--r-- | ipaserver/install/server/install.py | 6 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 42 |
2 files changed, 28 insertions, 20 deletions
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index aea1f9915..955e4cc11 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -748,6 +748,9 @@ def install(options):
 api.env.ca_host = host_name
 api.bootstrap(**cfg)
+ if setup_ca:
+ # ensure profile backend is available
+ import ipaserver.plugins.dogtag
 api.finalize()
 # Create DS user/group if it doesn't exist yet
@@ -903,6 +906,9 @@ def install(options):
 service.print_msg("Restarting the certificate server")
 ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+ service.print_msg("Importing certificate profiles")
+ cainstance.import_included_profiles()
+
 if options.setup_dns:
 api.Backend.ldap2.connect(autobind=True)
 dns.install(False, False, options)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 820533d6f..c5f4d37cc 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
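Review bot: The `import ipaserver.plugins.dogtag` added inside `install()` is a side-effect import, and the comment `# ensure profile backend is available` neither says what the side effect is nor why it has to happen before `api.finalize()` on the following line; the imported name is never used afterwards, so linters will flag it. I would make both explicit, e.g. `# side-effect import: registers the dogtag profile backend with api before finalize()` together with a `noqa` marker on the import line, assuming plugin registration is indeed what the import does. `install()` starts and ends outside the hunk.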
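Review bot: `cainstance.import_included_profiles()` is called with its return value dropped and without any error handling immediately after the CA restart, so a transient failure to reach the freshly restarted CA would abort the installer here rather than surface as a profile-import problem; whether the call sits inside the `setup_ca` branch cannot be seen from the hunk because indentation is lost, and if it does not, a CA-less install would hit it too. The upgrade side of this commit documents that the import must follow the CA restart; I would carry that over as a comment, `# must run after the CA restart above so the profile subsystem is active`, and at least log a non-success result from the call. `install()` starts and ends outside the hunk.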
@@ -338,32 +338,28 @@ def ca_enable_ldap_profile_subsystem(ca):
 return needs_update
-def upgrade_ipa_profile(ca, domain, fqdn):
+def ca_import_included_profiles(ca):
+ root_logger.info('[Ensuring presence of included profiles]')
+
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ return cainstance.import_included_profiles()
+
+
+def upgrade_ca_audit_cert_validity(ca):
 """
- Update the IPA Profile provided by dogtag
+ Update the Dogtag audit signing certificate.
 Returns True if restart is needed, False otherwise.
 """
- root_logger.info('[Verifying that CA service certificate profile is updated]')
+ root_logger.info('[Verifying that CA audit signing cert has 2 year validity]')
 if ca.is_configured():
- ski = ca.enable_subject_key_identifier()
- if ski:
- root_logger.debug('Subject Key Identifier updated.')
- else:
- root_logger.debug('Subject Key Identifier already set.')
- san = ca.enable_subject_alternative_name()
- if san:
- root_logger.debug('Subject Alternative Name updated.')
- else:
- root_logger.debug('Subject Alternative Name already set.')
- audit = ca.set_audit_renewal()
- uri = ca.set_crl_ocsp_extensions(domain, fqdn)
- if audit or ski or san or uri:
- return True
+ return ca.set_audit_renewal()
 else:
 root_logger.info('CA is not configured')
-
- return False
+ return False
 def named_remove_deprecated_options():
@@ -1416,7 +1412,7 @@ def upgrade_configuration():
 ca_restart = any([
 ca_restart,
- upgrade_ipa_profile(ca, api.env.domain, fqdn),
+ upgrade_ca_audit_cert_validity(ca),
 certificate_renewal_update(ca),
 ca_enable_pkix(ca),
 ca_configure_profiles_acl(ca),
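Review bot: `ca_import_included_profiles` has no docstring, while the neighbouring `upgrade_ca_audit_cert_validity` and the other `ca_*` helpers fed to `any([...])` in `upgrade_configuration` document a "True if restart is needed" return contract; this function returns `False` when the CA is not configured and otherwise whatever `cainstance.import_included_profiles()` returns, which is a different meaning. I would state that explicitly, e.g. `"""Import the profiles shipped with FreeIPA into the CA.` / `Returns False if the CA is not configured, otherwise the result of` / `cainstance.import_included_profiles(); a True value does not mean a restart is needed."""`, so the function is not later folded into the restart list by analogy with its siblings.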
@@ -1430,6 +1426,12 @@ def upgrade_configuration():
 except ipautil.CalledProcessError as e:
 root_logger.error("Failed to restart %s: %s", ca.service_name, e)
+ # This step MUST be done after ca_enable_ldap_profile_subsystem and
+ # ca_configure_profiles_acl, and the consequent restart, but does not
+ # itself require a restart.
+ #
+ ca_import_included_profiles(ca)
+
 set_sssd_domain_option('ipa_server_mode', 'True') |
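Review bot: `ca_import_included_profiles(ca)` runs even when the restart just above it failed, because the `except ipautil.CalledProcessError` branch only logs the error and falls through; the new comment says the import MUST follow the restart that activates the LDAP profile subsystem and the profiles ACL, so on that path the import would talk to a CA that has not picked up those changes, and any exception it raises would abort the remainder of `upgrade_configuration` instead of leaving a resumable upgrade. I would record the restart outcome and skip the import with a warning when the restart failed; the flag has to be initialised to `False` before the `try`, which begins above the hunk. `upgrade_configuration` continues on both sides of the hunk.
```python
    except ipautil.CalledProcessError as e:
        root_logger.error("Failed to restart %s: %s", ca.service_name, e)
        ca_restart_failed = True

    # … unchanged: comment explaining the ordering requirement …
    if ca_restart_failed:
        root_logger.warning(
            "Skipping import of included profiles: %s did not restart",
            ca.service_name)
    else:
        ca_import_included_profiles(ca)
```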