-rw-r--r-- | freeipa.spec.in | 1 | ||||
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/vault.update (renamed from install/updates/40-vault.update) | 13 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 | ||||
-rw-r--r-- | ipa-client/man/default.conf.5 | 2 | ||||
-rw-r--r-- | ipalib/constants.py | 2 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 1 | ||||
-rw-r--r-- | ipaserver/install/kra.py | 4 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 21 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_vault_plugin.py | 24 |
10 files changed, 45 insertions, 25 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 23c3d1a80..64b24c808 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -716,6 +716,7 @@ fi
 %{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.update
 %{_usr}/share/ipa/*.template
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 31f391be2..5d8397bb1 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -82,6 +82,7 @@ app_DATA = \
 	copy-schema-to-ca.py \
 	sasl-mapping-fallback.ldif \
 	schema-update.ldif \
+	vault.update \
 	$(NULL)
 
 EXTRA_DIST = \
diff --git a/install/updates/40-vault.update b/install/share/vault.update
index 5a6b8c6a0..dcd1e2a15 100644
--- a/install/updates/40-vault.update
+++ b/install/share/vault.update
@@ -1,19 +1,24 @@
-dn: cn=vaults,$SUFFIX
+dn: cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: kra
+
+dn: cn=vaults,cn=kra,$SUFFIX
 default: objectClass: top
 default: objectClass: nsContainer
 default: cn: vaults
 
-dn: cn=services,cn=vaults,$SUFFIX
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
 default: objectClass: top
 default: objectClass: nsContainer
 default: cn: services
 
-dn: cn=shared,cn=vaults,$SUFFIX
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
 default: objectClass: top
 default: objectClass: nsContainer
 default: cn: shared
 
-dn: cn=users,cn=vaults,$SUFFIX
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
 default: objectClass: top
 default: objectClass: nsContainer
 default: cn: users
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index fc6bd624e..1c7da35b2 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -34,7 +34,6 @@ app_DATA = \
 	40-automember.update \
 	40-certprofile.update \
 	40-otp.update \
-	40-vault.update \
 	45-roles.update \
 	50-7_bit_check.update \
 	50-dogtag10-migration.update \
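Review bot: Moving this file out of install/updates/ means ipa-server-upgrade no longer applies it, and nothing in the diff removes or migrates the old `cn=vaults,$SUFFIX` tree that the previous 40-vault.update created, so a server that already ran it keeps an orphaned container while `container_vault` now points at `cn=vaults,cn=kra,$SUFFIX`, which only appears once the KRA installer runs. If any shipped release carried 40-vault.update, a small entry left in install/updates/ that deletes the stale subtree, or at least a header comment in this file stating that it is applied only at KRA install time and never by the upgrader, would close that gap. The containers are also created with no ACI in this file; presumably vault access control lives elsewhere, but a one-line comment naming where would help the next reader.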
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 0973f1a07..e345e9300 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -221,7 +221,7 @@ The following define the containers for the IPA server. Containers define where
 container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
 container_sudorule: cn=sudorules,cn=sudo
 container_user: cn=users,cn=accounts
-container_vault: cn=vaults
+container_vault: cn=vaults,cn=kra
 container_virtual: cn=virtual operations,cn=etc
 
 .SH "FILES"
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 93d7aaa7b..0ffdcbfc7 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -99,7 +99,7 @@ DEFAULT_CONFIG = (
     ('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
     ('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))),
     ('container_dns', DN(('cn', 'dns'))),
-    ('container_vault', DN(('cn', 'vaults'))),
+    ('container_vault', DN(('cn', 'vaults'), ('cn', 'kra'))),
     ('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))),
     ('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))),
     ('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))),
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9ba87523b..b83e9482a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -247,6 +247,7 @@ class BasePathNamespace(object):
     SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
     IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
     UPDATES_DIR = "/usr/share/ipa/updates/"
+    VAULT_UPDATE = "/usr/share/ipa/vault.update"
     PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
     CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
     VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 2ff8df5a1..8083c7427 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -46,8 +46,8 @@ def install(replica_config, options, dm_password): dogtag_constants=dogtag.install_constants) kra.configure_instance( - api.env.host, api.env.domain, dm_password, - dm_password, subject_base=subject) + api.env.realm, api.env.host, api.env.domain, options.dm_password, + options.dm_password, subject_base=subject) else: kra = krainstance.install_replica_kra(replica_config) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 7c1bded41..50ab424b0 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -28,11 +28,11 @@ from ipalib import api from ipaplatform import services from ipaplatform.paths import paths from ipapython import dogtag -from ipapython import ipaldap from ipapython import ipautil from ipapython.dn import DN from ipaserver.install import certs from ipaserver.install import cainstance +from ipaserver.install import ldapupdate from ipaserver.install import service from ipaserver.install.dogtaginstance import DogtagInstance from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER @@ -70,7 +70,7 @@ class KRAInstance(DogtagInstance): self.basedn = DN(('o', 'kra'), ('o', 'ipaca')) self.log = log_mgr.get_logger(self) - def configure_instance(self, host_name, domain, dm_password, + def configure_instance(self, realm_name, host_name, domain, dm_password, admin_password, ds_port=DEFAULT_DSPORT, pkcs12_info=None, master_host=None, master_replication_port=None, @@ -93,6 +93,8 @@ class KRAInstance(DogtagInstance): self.subject_base = DN(('O', self.realm)) else: self.subject_base = subject_base + self.realm = realm_name + self.suffix = ipautil.realm_to_suffix(realm_name) # Confirm that a KRA does not already exist if self.is_installed(): 
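Review bot: The `dm_password` parameter of `install()` (visible in the hunk header and, per the diffstat, untouched by this commit) is no longer what reaches `configure_instance`; the new code reads `options.dm_password` instead, so a caller that passes an explicit `dm_password` has it silently ignored on the master path, while the replica path still takes the password from `replica_config` in `install_replica_kra`. Either keep using the parameter, `api.env.realm, api.env.host, api.env.domain, dm_password,` / `dm_password, subject_base=subject)`, or drop it from the signature so the two sources cannot diverge. The body of `install()` continues outside the hunk, so it may still use the parameter elsewhere; if not, the dead parameter is the thing to remove.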
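Review bot: `self.realm = realm_name` is assigned after the `subject_base is None` fallback on the first context line has already evaluated `DN(('O', self.realm))`, so the default subject base is built from whatever `self.realm` held before the call (presumably set in `__init__`) rather than from the realm the caller just passed, and `self.suffix` is derived from a different source than the subject base. Move the two added assignments above the `subject_base` branch, whose `if` line is outside the hunk, or build the fallback from the parameter, `self.subject_base = DN(('O', realm_name))`, so the two cannot disagree. A docstring line stating that `realm_name` now drives both `self.realm` and the LDAP suffix used later in the install belongs on `configure_instance` as well, since both the master and replica paths go through it.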
@@ -115,8 +117,9 @@ class KRAInstance(DogtagInstance): self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) - self.step("Configure HTTP to proxy connections", + self.step("configure HTTP to proxy connections", self.http_proxy) + self.step("add vault container", self.__add_vault_container) self.start_creation(runtime=126) @@ -335,6 +338,15 @@ class KRAInstance(DogtagInstance): "--client-cert", paths.KRA_AGENT_PEM] ipautil.run(args) + def __add_vault_container(self): + sub_dict = { + 'SUFFIX': self.suffix, + } + + ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, + sub_dict=sub_dict) + ld.update([paths.VAULT_UPDATE]) + @staticmethod def update_cert_config(nickname, cert, dogtag_constants=None): """ @@ -391,7 +403,8 @@ def install_replica_kra(config, postinstall=False): if _kra.is_installed(): sys.exit("A KRA is already configured on this system.") - _kra.configure_instance(config.host_name, config.domain_name, + _kra.configure_instance(config.realm_name, + config.host_name, config.domain_name, config.dirman_password, config.dirman_password, pkcs12_info=(krafile,), master_host=config.master_host_name, diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 4b18672c1..9a40547b1 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py @@ -57,7 +57,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': 'Added vault "%s"' % vault_name, 'result': { - 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 
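Review bot: `__add_vault_container` has no docstring, and nothing in the hunk tells the reader that this step creates LDAP entries directly as Directory Manager (via `self.dm_password`) rather than through the pki instance like the surrounding steps, or whether running it on a replica, where `install_replica_kra` also calls `configure_instance` and the entries have normally already arrived by replication, is intended to be a no-op. Add a docstring along the lines of `"""Create cn=kra,$SUFFIX and the vault containers from paths.VAULT_UPDATE, binding as Directory Manager; the file uses only 'default:' directives, so re-running on a replica that already has the entries is expected to be harmless."""`, hedging the last clause if LDAPUpdate's add-if-missing semantics are not what you rely on. `sub_dict` deliberately carries only `SUFFIX`; a comment saying the update file substitutes nothing else would stop someone "completing" it with the other variables the updater usually receives.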
@@ -78,7 +78,7 @@ class test_vault_plugin(Declarative): 'summary': u'1 vault matched', 'result': [ { - 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], }, @@ -97,7 +97,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': None, 'result': { - 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s' + 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], }, @@ -152,7 +152,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': u'Added vault "%s"' % vault_name, 'result': { - 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' + 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s' % (vault_name, service_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], @@ -175,7 +175,7 @@ class test_vault_plugin(Declarative): 'summary': u'1 vault matched', 'result': [ { - 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' + 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s' % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], }, @@ -196,7 +196,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': None, 'result': { - 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s' + 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s' % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], }, @@ -254,7 +254,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': u'Added vault "%s"' % vault_name, 'result': { - 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], @@ -277,7 +277,7 @@ class test_vault_plugin(Declarative): 'summary': u'1 vault matched', 'result': [ { - 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], }, 
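Review bot: Every expected `dn` hard-codes `cn=vaults,cn=kra` even though the same commit makes the container configurable through `container_vault` in `DEFAULT_CONFIG`, and `api.env.basedn` is already read on the next line; nine expectations had to change for this move and the next one will be the same. Building the suffix from the configured value, `'dn': u'cn=%s,cn=admin,cn=users,%s,%s' % (vault_name, api.env.container_vault, api.env.basedn),`, keeps the tests tied to what the plugin actually uses. This is a style point only; the literal values are correct for the default configuration.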
@@ -298,7 +298,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': None, 'result': { - 'dn': u'cn=%s,cn=shared,cn=vaults,%s' + 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s' % (vault_name, api.env.basedn), 'cn': [vault_name], }, @@ -356,7 +356,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': u'Added vault "%s"' % vault_name, 'result': { - 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' + 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s' % (vault_name, user_name, api.env.basedn), 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], @@ -379,7 +379,7 @@ class test_vault_plugin(Declarative): 'summary': u'1 vault matched', 'result': [ { - 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' + 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s' % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], }, @@ -400,7 +400,7 @@ class test_vault_plugin(Declarative): 'value': vault_name, 'summary': None, 'result': { - 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s' + 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s' % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], }, |