-rw-r--r--freeipa.spec.in9
-rw-r--r--ipaserver/install/ipa_replica_prepare.py36
2 files changed, 42 insertions, 3 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5a143b643..debc6e587 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.1
+BuildRequires: 389-ds-base-devel >= 1.3.1.3
BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
@@ -89,7 +89,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.1
+Requires: 389-ds-base >= 1.3.1.3
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
@@ -145,7 +145,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
+Requires(pre): 389-ds-base >= 1.3.1.3
# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
@@ -815,6 +815,9 @@ fi
%endif # ! %{ONLY_CLIENT}
%changelog
+* Wed Jul 10 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.2.99-4
+- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
+
* Wed Jun 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.2.99-3
- Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
support.
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f6af28e3a..a92e9a111 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ class ReplicaPrepare(admintool.AdminTool):
self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
else:
if ipautil.file_exists(options.ca_file):
+ # Since it is possible that the Directory Manager password
+ # has changed since ipa-server-install, we need to regenerate
+ # the CA PKCS#12 file and update the pki admin user password
+ self.regenerate_ca_file(options.ca_file)
+ self.update_pki_admin_password()
self.copy_info_file(options.ca_file, "cacert.p12")
else:
raise admintool.ScriptError("Root CA PKCS#12 not "
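Review bot: The two calls added before `self.copy_info_file(options.ca_file, "cacert.p12")` make replica preparation change state on the master on every run, and the comment does not say so: the file at options.ca_file is overwritten in place and the password of `uid=admin,ou=people,o=ipaca` is reset to the Directory Manager password. If the password update fails after the export has succeeded, the regenerated file and the admin credential are left out of step, and no rollback is visible in the hunk. I would extend the comment, e.g. `# NOTE: overwrites options.ca_file in place and resets the o=ipaca admin password on every run`, and log the password reset so it shows up in an audit trail. The enclosing method starts and ends outside the hunk, so any earlier validation of self.dirman_password is not visible here.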
@@ -505,3 +510,34 @@ class ReplicaPrepare(admintool.AdminTool):
db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
finally:
os.remove(agent_name)
+
+ def update_pki_admin_password(self):
+ ldap = ldap2(shared_instance=False)
+ ldap.connect(
+ bind_dn=DN(('cn', 'directory manager')),
+ bind_pw=self.dirman_password
+ )
+ dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ ldap.modify_password(dn, self.dirman_password)
+ ldap.disconnect()
+
+ def regenerate_ca_file(self, ca_file):
+ dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+ keydb_pwd = ''
+ with open('/etc/pki/pki-tomcat/password.conf') as f:
+ for line in f.readlines():
+ key, value = line.strip().split('=')
+ if key == 'internal':
+ keydb_pwd = value
+ break
+
+ keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
+
+ ipautil.run([
+ '/usr/bin/PKCS12Export',
+ '-d', '/etc/pki/pki-tomcat/alias/',
+ '-p', keydb_pwd_fd.name,
+ '-w', dm_pwd_fd.name,
+ '-o', ca_file
+ ])
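Review bot: The password.conf parsing in regenerate_ca_file unpacks `line.strip().split('=')` into two names, so a blank line, a comment line, or a value that itself contains `=` raises ValueError. When no `internal` key is found, keydb_pwd stays empty and PKCS12Export is still run with an empty NSS password file instead of failing with a clear error. In update_pki_admin_password, `ldap.disconnect()` is skipped if modify_password raises, which leaves a Directory Manager bind open; it belongs in a `finally`. Passing both secrets through temporary files rather than on the command line is the right choice and should stay; the class itself starts outside the hunk.

```python
    def update_pki_admin_password(self):
        # … unchanged: ldap2 instance and connect as Directory Manager …
        try:
            dn = DN('uid=admin', 'ou=people', 'o=ipaca')
            ldap.modify_password(dn, self.dirman_password)
        finally:
            # always drop the privileged bind, even when the modify fails
            ldap.disconnect()

    def regenerate_ca_file(self, ca_file):
        dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)

        keydb_pwd = None
        with open('/etc/pki/pki-tomcat/password.conf') as f:
            for line in f:
                # split on the first '=' only: the value may contain '='
                key, sep, value = line.strip().partition('=')
                if sep and key == 'internal':
                    keydb_pwd = value
                    break
        if not keydb_pwd:
            raise admintool.ScriptError(
                "internal token password not found in password.conf")

        # … unchanged: write keydb_pwd to a temp file and run PKCS12Export …
```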