summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2012-10-09 10:40:20 -0400
committerRob Crittenden <rcritten@redhat.com>2012-10-09 19:24:43 -0400
commit392097f20673708a684da168aec302da7ccda9a6 (patch)
tree94406708a2008a6f0367ff0038372a2c1bda23de /ipaserver
parent1dd103bc8c445a1fe4f5ab59a1e6a343a8984305 (diff)
downloadfreeipa-392097f20673708a684da168aec302da7ccda9a6.tar.gz
freeipa-392097f20673708a684da168aec302da7ccda9a6.tar.xz
freeipa-392097f20673708a684da168aec302da7ccda9a6.zip
Configure the initial CA as the CRL generator.
Any installed clones will have CRL generation explicitly disabled. It is a manual process to make a different CA the CRL generator. There should be only one. https://fedorahosted.org/freeipa/ticket/3051
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py19
1 files changed, 18 insertions, 1 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a64fe6f03..aabbba39d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1239,6 +1239,19 @@ class CAInstance(service.Service):
'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
quotes=False, separator='=')
+ # If we are the initial master then we are the CRL generator, otherwise
+ # we point to that master for CRLs.
+ if not self.clone:
+ # These next two are defaults, but I want to be explicit that the
+ # initial master is the CRL generator.
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
+ else:
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
+ installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
+
def __set_subject_in_config(self):
# dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject
@@ -1291,7 +1304,11 @@ class CAInstance(service.Service):
def __http_proxy(self):
template_filename = ipautil.SHARE_DIR + "ipa-pki-proxy.conf"
- sub_dict = dict(DOGTAG_PORT=self.dogtag_constants.AJP_PORT)
+ sub_dict = dict(
+ DOGTAG_PORT=self.dogtag_constants.AJP_PORT,
+ CLONE='' if self.clone else '#',
+ FQDN=self.fqdn,
+ )
template = ipautil.template_file(template_filename, sub_dict)
with open(HTTPD_CONFD + "ipa-pki-proxy.conf", "w") as fd:
fd.write(template)