author | Petr Viktorin <pviktori@redhat.com> | 2013-02-25 17:15:23 +0100 |
committer | Martin Kosek <mkosek@redhat.com> | 2013-03-08 15:42:20 +0100 |
commit | 6ff20ca2d979f481ce91f013469e53d74a95dd48 (patch) | |
tree | d0a5938e3a02ec2df72c8028d7eda873b96620fa /ipaserver/install | |
parent | 9955ba0714996db7b2b97261d3eb72f281eaa2f6 (diff) | |
Fix installing server with external CA
Reorganize ipa-server-install so that DS (and NTP server) installation
only happens in step one.
Change CAInstance to behave correctly in two-step install.
Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.
https://fedorahosted.org/freeipa/ticket/3459
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/cainstance.py | 18 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 45 |
2 files changed, 32 insertions, 31 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a1107cee8..cba5fc9f6 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -238,8 +238,10 @@ def get_crl_files(path=None):
 def is_step_one_done():
     '''Read CS.cfg and determine if step one of an external CA install is done
     '''
-    test = installutils.get_directive(
-        dogtag.install_constants.CS_CFG_PATH, 'preop.ca.type', '=')
+    path = dogtag.install_constants.CS_CFG_PATH
+    if not os.path.exists(path):
+        return False
+    test = installutils.get_directive(path, 'preop.ca.type', '=')
     if test == "otherca":
         return True
     return False
@@ -736,16 +738,16 @@ class CAInstance(service.Service):
         finally:
             os.remove(cfg_file)
 
-        if not self.clone:
-            shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
-                "/root/ca-agent.p12")
-            shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
-                "/root/cacert.p12")
-
         if self.external == 1:
             print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
             print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
             sys.exit(0)
+        else:
+            if not self.clone:
+                shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
+                    "/root/ca-agent.p12")
+                shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
+                    "/root/cacert.p12")
 
         root_logger.debug("completed creating ca instance")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 77d76a635..25cac6c27 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
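Review bot: The new existence check in is_step_one_done covers only the "CS.cfg not written yet" case; if the file exists but the `preop.ca.type` directive is absent, the result still depends on whatever installutils.get_directive returns for a missing key, which is not visible here, so a docstring line such as `Returns False when CS.cfg does not exist yet (step one has not run).` would make the new contract explicit. As a style point the trailing `if test == "otherca": return True` / `return False` pair can be collapsed to `return test == "otherca"`. Note also that the new branch uses `os.path.exists`, so `os` must already be imported in this module; the import block is outside the hunk.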
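Review bot: The `else:` after the `sys.exit(0)` branch in CAInstance is redundant, since the `if self.external == 1` branch never falls through; flattening it to `if self.external != 1 and not self.clone:` keeps the same behaviour with one less indentation level and makes the intent (skip the moves only in step one of an external-CA install) easier to read. The two files being moved, `ca_admin_cert.p12` and `ca_backup_keys.p12`, are PKCS#12 bundles that presumably carry CA private-key material, and shutil.move keeps whatever mode the source had; nothing in this hunk tightens the permissions of the resulting `/root/*.p12` files, so if the installer expects them to be root-only readable, an explicit chmod after each move would be worth adding — I cannot confirm from this hunk what mode pki writes them with. The enclosing method starts and ends outside the hunk.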
@@ -228,24 +228,31 @@ class DsInstance(service.Service):
         self.step("configuring directory to start on boot", self.__enable)
 
-    def create_instance(self, realm_name, fqdn, domain_name,
-                        dm_password, pkcs12_info=None, self_signed_ca=False,
-                        idstart=1100, idmax=999999, subject_base=None,
-                        hbac_allow=True):
+    def init_info(self, realm_name, fqdn, domain_name, dm_password,
+                  self_signed_ca, subject_base, idstart, idmax, pkcs12_info):
         self.realm_name = realm_name.upper()
         self.serverid = realm_to_serverid(self.realm_name)
         self.suffix = ipautil.realm_to_suffix(self.realm_name)
         self.fqdn = fqdn
         self.dm_password = dm_password
         self.domain = domain_name
-        self.pkcs12_info = pkcs12_info
-        self.self_signed_ca = self_signed_ca
-        self.idstart = idstart
-        self.idmax = idmax
         self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
+        self.self_signed_ca = False
         self.subject_base = subject_base
+        self.idstart = idstart
+        self.idmax = idmax
+        self.pkcs12_info = pkcs12_info
 
         self.__setup_sub_dict()
+
+    def create_instance(self, realm_name, fqdn, domain_name,
+                        dm_password, pkcs12_info=None, self_signed_ca=False,
+                        idstart=1100, idmax=999999, subject_base=None,
+                        hbac_allow=True):
+        self.init_info(
+            realm_name, fqdn, domain_name, dm_password, self_signed_ca,
+            subject_base, idstart, idmax, pkcs12_info)
+
         self.__common_setup()
 
         self.step("adding default layout", self.__add_default_layout)
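Review bot: init_info takes a `self_signed_ca` parameter but then hard-codes `self.self_signed_ca = False`, so the value create_instance forwards from its own `self_signed_ca=False` keyword is silently discarded; before this commit create_instance stored the argument (`self.self_signed_ca = self_signed_ca` on the removed line), so a caller passing `self_signed_ca=True` now behaves differently. If the hard-coded False is intentional the parameter should be dropped from init_info and the call sites; otherwise change the line to `self.self_signed_ca = self_signed_ca`. init_info also deserves a short docstring stating that it only populates the instance attributes and builds the substitution dict without performing any installation step, since it is now the shared entry point for create_instance and create_replica. create_instance continues past the end of the hunk.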
@@ -266,26 +273,18 @@ class DsInstance(service.Service):
 
     def create_replica(self, realm_name, master_fqdn, fqdn, domain_name,
                        dm_password, pkcs12_info=None):
-        self.realm_name = realm_name.upper()
-        self.serverid = realm_to_serverid(self.realm_name)
-        self.suffix = ipautil.realm_to_suffix(self.realm_name)
-        self.master_fqdn = master_fqdn
-        self.fqdn = fqdn
-        self.dm_password = dm_password
-        self.domain = domain_name
-        self.pkcs12_info = pkcs12_info
-        self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
-
-        self.self_signed_ca = False
-        self.subject_base = None
         # idstart and idmax are configured so that the range is seen as
         # depleted by the DNA plugin and the replica will go and get a
         # new range from the master.
         # This way all servers use the initially defined range by default.
-        self.idstart = 1101
-        self.idmax = 1100
+        idstart = 1101
+        idmax = 1100
+
+        self.init_info(
+            realm_name, fqdn, domain_name, dm_password, None, None,
+            idstart, idmax, pkcs12_info)
+        self.master_fqdn = master_fqdn
 
-        self.__setup_sub_dict()
         self.__common_setup(True)
 
         self.step("setting up initial replication", self.__setup_replica)
|
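Review bot: `self.master_fqdn = master_fqdn` is now assigned after `self.init_info(...)`, and init_info ends by calling `self.__setup_sub_dict()`; in the removed code master_fqdn was set before the sub_dict was built, so if the substitution dict reads `self.master_fqdn` (not visible in this hunk) it will now be built without it. Moving the assignment above the init_info call restores the original ordering at no cost. The positional call `self.init_info(realm_name, fqdn, domain_name, dm_password, None, None, idstart, idmax, pkcs12_info)` with two adjacent bare `None`s is also easy to misorder; passing the trailing arguments by keyword, `self_signed_ca=None, subject_base=None, idstart=idstart, idmax=idmax, pkcs12_info=pkcs12_info`, would make it self-describing. create_replica continues past the end of the hunk.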