authorFraser Tweedale <ftweedal@redhat.com>2015-05-25 08:39:07 -0400
committerJan Cholasta <jcholast@redhat.com>2015-06-11 10:50:31 +0000
commitbc0c60688505968daf6851e3e179aab20e23af7d (patch)
treeea8cb740dfcd50ab46d73a350686502d80a902ec /ipaserver
parentae56ca422d1897569717fa44a5d483b10e490f6a (diff)
Add CA ACL plugin
Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py4
-rw-r--r--ipaserver/install/server/upgrade.py25
2 files changed, 29 insertions, 0 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2acab13f2..9f24189b6 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -307,6 +307,7 @@ class DsInstance(service.Service):
self.step("adding range check plugin", self.__add_range_check_plugin)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
+ self.step("creating default CA ACL rule", self.add_caacl)
self.step("adding entries for topology management", self.__add_topology_entries)
self.__common_post_setup()
@@ -741,6 +742,9 @@ class DsInstance(service.Service):
def add_hbac(self):
self._ldap_mod("default-hbac.ldif", self.sub_dict)
+ def add_caacl(self):
+ self._ldap_mod("default-caacl.ldif", self.sub_dict)
+
def change_admin_password(self, password):
root_logger.debug("Changing admin password")
dirname = config_dirname(self.serverid)
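Review bot: add_caacl has no docstring, and nothing in this hunk shows what default-caacl.ldif contains (the diffstat is limited to ipaserver, so the LDIF presumably lives elsewhere in the commit). A one-line docstring such as `"""Add the default CA ACL from default-caacl.ldif (per the commit message: all hosts and services may use the caIPAserviceCert profile on the top-level CA)."""` would let a reader relate the install step to the LDIF without opening it. This matches add_hbac, which also has none, so it is a style point only. The enclosing class DsInstance starts outside the hunk.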
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c5f4d37cc..306d1d27c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1254,6 +1254,30 @@ def update_mod_nss_protocol(http):
sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
+def add_default_caacl(ca):
+ root_logger.info('[Add default CA ACL]')
+
+ if sysupgrade.get_upgrade_state('caacl', 'add_default_caacl'):
+ root_logger.info('Default CA ACL already added')
+ return
+
+ if ca.is_configured():
+ if not api.Backend.ldap2.isconnected():
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+ return
+
+ if not api.Command.caacl_find()['result']:
+ api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+ hostcategory=u'all', usercategory=u'all')
+ api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+ certprofile=(u'caIPAserviceCert',))
+
+ sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
+
+
def upgrade_configuration():
"""
Execute configuration upgrade of the IPA services
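Review bot: `sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)` at the end of add_default_caacl runs even when `ca.is_configured()` is false, so a server upgraded before its CA is installed records the step as done and never receives the default ACL from this path; unless ipa-ca-install creates it itself (not visible here), that line should move inside the `if ca.is_configured():` block, after the add. A related gap is that `caacl_add` and `caacl_add_profile` are two separate calls: if the second raises, an ACL with hostcategory/usercategory `all` but no profile is left behind, and the next run skips because `caacl_find()['result']` is non-empty, so the check should look for the ACL by name (e.g. `caacl_find(cn=u'hosts_services_caIPAserviceCert')`) or the state should be set only after both calls succeed. Note also that the `except ipalib.errors.PublicError` covers only the connect; a failure in either add command propagates and aborts upgrade_configuration, which may be intended but is worth a comment.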
@@ -1431,6 +1455,7 @@ def upgrade_configuration():
# itself require a restart.
#
ca_import_included_profiles(ca)
+ add_default_caacl(ca)
set_sssd_domain_option('ipa_server_mode', 'True')
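Review bot: The new `add_default_caacl(ca)` call is placed immediately after `ca_import_included_profiles(ca)`, and that ordering looks load-bearing: add_default_caacl attaches the `caIPAserviceCert` profile to the ACL, which presumably must already exist in the CA at that point. A short comment such as `# must follow ca_import_included_profiles: the default ACL references the caIPAserviceCert profile` would keep a later reorder from silently breaking it. upgrade_configuration starts outside the hunk.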