author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 08:51:06 +0000 |
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:55 +0100 |
commit | c3169add3be4fdb4572d6e159766a1d3cbb7e3d8 (patch) | |
tree | 826b97548aba5405e8edc689f083b1d2e20c25a0 /ipaserver/install | |
parent | 6a19738a4560ffbfe5a70699d787c4a44a9518c5 (diff) | |
Store information about which CA server is master for renewals in LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/cainstance.py | 15 | ||||
-rw-r--r-- | ipaserver/install/plugins/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/plugins/ca_renewal_master.py | 79 | ||||
-rw-r--r-- | ipaserver/install/service.py | 4 |
4 files changed, 97 insertions, 2 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 227cea00e..99c008a67 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1608,6 +1608,21 @@ class CAInstance(service.Service):
         return master == 'New'
 
+    def is_renewal_master(self):
+        if not self.admin_conn:
+            self.ldap_connect()
+
+        dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
+                ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+        filter = '(ipaConfigString=caRenewalMaster)'
+        try:
+            self.admin_conn.get_entries(base_dn=dn, filter=filter,
+                                        attrs_list=[])
+        except errors.NotFound:
+            return False
+
+        return True
+
 
 def replica_ca_install_check(config):
     if not config.setup_ca:
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index 624e82687..7cf049513 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -11,6 +11,7 @@ app_PYTHON = \
 	update_services.py \
 	update_anonymous_aci.py \
 	update_pacs.py \
+	ca_renewal_master.py \
 	$(NULL)
 
 EXTRA_DIST = \
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
new file mode 100644
index 000000000..2481fa70d
--- /dev/null
+++ b/ipaserver/install/plugins/ca_renewal_master.py
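Review bot: The new `is_renewal_master` has no docstring and its local `filter` shadows the builtin, which matters because the method's answer decides whether this server acts as the CA renewal master. The lookup is rooted at cn=CA,cn=&lt;api.env.host&gt;,cn=masters, so it only ever answers for the local host; a docstring should say so, e.g. `"""Return True if this host's CA entry under cn=masters carries ipaConfigString=caRenewalMaster."""`. Renaming the local to `search_filter` in `filter = '(ipaConfigString=caRenewalMaster)'` and the `get_entries(..., filter=search_filter, ...)` call avoids the shadowing. Only `errors.NotFound` is caught, so any other LDAP failure propagates to the caller; that looks intentional but is worth stating in the docstring. `api` and `errors` are not imported in this hunk, so they are presumably module-level imports in cainstance.py.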
@@ -0,0 +1,79 @@
+# Authors:
+#   Jan Cholasta <jcholast@redhat.com>
+#
+# Copyright (C) 2014  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipalib import errors
+from ipalib.plugable import Registry
+from ipapython import certmonger
+from ipapython.dn import DN
+
+register = Registry()
+
+@register()
+class update_ca_renewal_master(PostUpdate):
+    """
+    Set CA renewal master in LDAP.
+    """
+
+    def execute(self, **options):
+        ldap = self.obj.backend
+        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+                     self.api.env.basedn)
+        filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
+        try:
+            entries = ldap.get_entries(base_dn=base_dn, filter=filter,
+                                       attrs_list=[])
+        except errors.NotFound:
+            pass
+        else:
+            self.debug("found CA renewal master %s", entries[0].dn[1].value)
+            return (False, False, [])
+
+        criteria = (
+            ('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),
+            ('cert_nickname', 'ipaCert', None),
+        )
+        request_id = certmonger.get_request_id(criteria)
+        if request_id is None:
+            self.error("certmonger request for ipaCert not found")
+            return (False, False, [])
+        ca_name = certmonger.get_request_value(request_id, 'ca_name')
+        if ca_name is None:
+            self.error("certmonger request for ipaCert is missing ca_name")
+            return (False, False, [])
+        ca_name = ca_name.strip()
+
+        if ca_name == 'dogtag-ipa-renew-agent':
+            dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+            update = {
+                dn: {
+                    'dn': dn,
+                    'updates': ['add:ipaConfigString: caRenewalMaster'],
+                },
+            }
+            return (False, True, [update])
+        elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
+            return (False, False, [])
+        elif ca_name == 'dogtag-ipa-ca-renew-agent':
+            return (False, False, [])
+        else:
+            self.warning(
+                "certmonger request for ipaCert has unknown ca_name \"%s\", "
+                "assuming local CA is renewal slave", ca_name)
+            return (False, False, [])
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index ba6bc35ce..387cb1cf4 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -373,7 +373,7 @@ class Service(object):
         self.steps = []
 
-    def ldap_enable(self, name, fqdn, dm_password, ldap_suffix):
+    def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=[]):
         assert isinstance(ldap_suffix, DN)
         self.disable()
         if not self.admin_conn:
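Review bot: In `execute`, the `else:` branch after the `(&(cn=CA)(ipaConfigString=caRenewalMaster))` search logs only `entries[0]` and returns without changes, so a state where two or more server entries under cn=masters carry the marker is silently accepted even though only one server is supposed to drive renewal of the shared certificates. Adding `if len(entries) > 1: self.warning("found %d CA renewal masters", len(entries))` before the `return (False, False, [])` would at least surface the conflict in the update log. The local `filter` shadows the builtin; `search_filter` reads better. `execute` also lacks a docstring: it should state that the marker is only ever added, never moved, and that the decision is based on the `ca_name` of the local certmonger request for `ipaCert`, with unknown names treated as a non-master.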
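Review bot: `config=[]` in the changed `ldap_enable` signature is a mutable default argument; the second hunk of service.py only reads it via `+ config`, so nothing mutates it today, but the pattern invites a shared-state bug the first time someone appends to it. `def ldap_enable(self, name, fqdn, dm_password, ldap_suffix, config=None):` followed by `config = list(config or [])` as the first statement keeps every existing caller working and the list-concatenation in the second hunk unchanged. The new parameter should also be documented as extra `ipaConfigString` values to store on the service entry, which is what the second hunk does with it. `ldap_enable`'s body continues outside this hunk.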
@@ -386,7 +386,7 @@ class Service(object):
             objectclass=["nsContainer", "ipaConfigObject"],
             cn=[name],
             ipaconfigstring=[
-                "enabledService", "startOrder " + str(order)],
+                "enabledService", "startOrder " + str(order)] + config,
         )
 
         try:
|