diff options
Diffstat (limited to 'install')
-rw-r--r-- | install/Makefile.am | 1 | ||||
-rw-r--r-- | install/certmonger/Makefile.am | 14 | ||||
-rw-r--r-- | install/certmonger/dogtag-ipa-retrieve-agent-submit | 80 | ||||
-rw-r--r-- | install/conf/Makefile.am | 3 | ||||
-rw-r--r-- | install/conf/ca_renewal | 6 | ||||
-rw-r--r-- | install/configure.ac | 1 | ||||
-rw-r--r-- | install/restart_scripts/Makefile.am | 3 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 93 | ||||
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 96 | ||||
-rw-r--r-- | install/restart_scripts/restart_dirsrv | 25 | ||||
-rw-r--r-- | install/restart_scripts/restart_httpd | 25 | ||||
-rw-r--r-- | install/restart_scripts/restart_pkicad | 50 | ||||
-rw-r--r-- | install/share/bootstrap-template.ldif | 6 | ||||
-rw-r--r-- | install/share/default-aci.ldif | 10 | ||||
-rwxr-xr-x | install/tools/ipa-replica-install | 1 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 52 | ||||
-rw-r--r-- | install/updates/21-ca_renewal_container.update | 8 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 4 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 |
19 files changed, 466 insertions, 13 deletions
diff --git a/install/Makefile.am b/install/Makefile.am index 5670f9bd9..54c456a97 100644 --- a/install/Makefile.am +++ b/install/Makefile.am @@ -5,6 +5,7 @@ AUTOMAKE_OPTIONS = 1.7 NULL = SUBDIRS = \ + certmonger \ conf \ html \ migration \ diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am new file mode 100644 index 000000000..2023a2aec --- /dev/null +++ b/install/certmonger/Makefile.am @@ -0,0 +1,14 @@ +NULL = + +appdir = $(libexecdir)/certmonger/ +app_SCRIPTS = \ + dogtag-ipa-retrieve-agent-submit \ + $(NULL) + +EXTRA_DIST = \ + $(app_SCRIPTS) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit new file mode 100644 index 000000000..24e1844a5 --- /dev/null +++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit @@ -0,0 +1,80 @@ +#!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# The certificate rewewal is done on only one dogtag CA. The others +# retrieve the updated certificate from IPA. + +import os +import sys +import shutil +import tempfile +import krbV +import syslog +from ipalib import api +from ipalib.dn import DN +from ipalib import errors +from ipalib import x509 +from ipapython import services as ipaservices +from ipapython import ipautil +from ipaserver.install import certs +from ipaserver.plugins.ldap2 import ldap2 +import base64 + +# We cheat and pass in the nickname as the CA profile to execute against. +# Some way is needed to determine which entry to retrieve from LDAP +operation = os.environ.get('CERTMONGER_OPERATION') +nickname = os.environ.get('CERTMONGER_CA_PROFILE') + +if operation not in ['SUBMIT', 'POLL']: + sys.exit(6) # unsupported operation + +api.bootstrap(context='renew') +api.finalize() + +# Update or add it +tmpdir = tempfile.mkdtemp(prefix = "tmp-") +try: + dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn))) + principal = str('host/%s@%s' % (api.env.host, api.env.realm)) + ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) + conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) + conn.connect(ccache=ccache) + try: + syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname) + (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) + cert = entry_attrs['usercertificate'][0] + cert = base64.b64encode(cert) + print x509.make_pem(cert) + except errors.NotFound: + syslog.syslog(syslog.LOG_INFO, "Updated certificate for %s not available" % nickname) + # No cert available yet, tell certmonger to wait another 8 hours + print 8 * 60 * 60 + sys.exit(5) + finally: + conn.disconnect() +except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Exception trying to retrieve %s: %s" % (nickname, e)) + # Unhandled error + sys.exit(3) +finally: + shutil.rmtree(tmpdir) + +sys.exit(0) diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am index 5ee3eddb5..06b3b32df 100644 --- a/install/conf/Makefile.am +++ b/install/conf/Makefile.am @@ -2,8 +2,9 @@ NULL = appdir = $(IPA_DATA_DIR) app_DATA = \ + ca_renewal \ ipa.conf \ - ipa-pki-proxy.conf \ + ipa-pki-proxy.conf \ ipa-rewrite.conf \ $(NULL) diff --git a/install/conf/ca_renewal b/install/conf/ca_renewal new file mode 100644 index 000000000..57a9e9c24 --- /dev/null +++ b/install/conf/ca_renewal @@ -0,0 +1,6 @@ +# A separate helper for fetching dogtag certificates that are renewed on +# another system. +id=dogtag-ipa-retrieve-agent-submit +ca_is_default=0 +ca_type=EXTERNAL +ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit diff --git a/install/configure.ac b/install/configure.ac index 9e781a684..c5934d93d 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -75,6 +75,7 @@ AC_SUBST(IPA_SYSCONF_DIR) AC_CONFIG_FILES([ Makefile + certmonger/Makefile conf/Makefile html/Makefile migration/Makefile diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am index abc066b30..210c4863e 100644 --- a/install/restart_scripts/Makefile.am +++ b/install/restart_scripts/Makefile.am @@ -4,6 +4,9 @@ appdir = $(libdir)/ipa/certmonger app_DATA = \ restart_dirsrv \ restart_httpd \ + restart_pkicad \ + renew_ca_cert \ + renew_ra_cert \ $(NULL) EXTRA_DIST = \ diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert new file mode 100644 index 000000000..d3b756042 --- /dev/null +++ b/install/restart_scripts/renew_ca_cert @@ -0,0 +1,93 @@ +#!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import sys +import shutil +import tempfile +import krbV +import syslog +from ipalib import api +from ipalib.dn import DN +from ipalib import errors +from ipapython import services as ipaservices +from ipapython import ipautil +from ipaserver.install import certs +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install.cainstance import update_cert_config + +nickname = sys.argv[1] + +api.bootstrap(context='restart') +api.finalize() + +# Fetch the new certificate +db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') +cert = db.get_cert_from_db(nickname, pem=False) + +if not cert: + syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname) + sys.exit(1) + +# Update or add it +tmpdir = tempfile.mkdtemp(prefix = "tmp-") +try: + dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn))) + principal = str('host/%s@%s' % (api.env.host, api.env.realm)) + ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) + conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) + conn.connect(ccache=ccache) + try: + (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) + entry_attrs['usercertificate'] = cert + conn.update_entry(dn, entry_attrs, normalize=False) + except errors.NotFound: + entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'], + usercertificate=cert) + conn.add_entry(dn, entry_attrs, normalize=False) + except errors.EmptyModlist: + pass + conn.disconnect() +except Exception, e: + syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e) +finally: + shutil.rmtree(tmpdir) + +# Fix permissions on the audit cert if we're updating it +if nickname == 'auditSigningCert cert-pki-ca': + db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') + args = ['-M', + '-n', nickname, + '-t', 'u,u,Pu', + ] + try: + db.run_certutil(args) + except ipautil.CalledProcessError: + syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir)) + +update_cert_config(nickname, cert) + +syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted pki-cad instance pki-ca') + +try: + ipaservices.knownservices.pki_cad.restart('pki-ca') +except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e)) diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert new file mode 100644 index 000000000..2fcf1a79b --- /dev/null +++ b/install/restart_scripts/renew_ra_cert @@ -0,0 +1,96 @@ +#!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import sys +import shutil +import tempfile +import syslog +from ipapython import services as ipaservices +from ipapython.certmonger import get_pin +from ipapython import ipautil +from ipaserver.install import certs +from ipaserver.install.cainstance import DEFAULT_DSPORT +from ipalib import api +from ipalib.dn import DN +from ipalib import x509 +from ipalib import errors +from ipaserver.plugins.ldap2 import ldap2 + +api.bootstrap(context='restart') +api.finalize() + +# Fetch the new certificate +db = certs.CertDB(api.env.realm) +cert = db.get_cert_from_db('ipaCert', pem=False) +serial_number = x509.get_serial_number(cert, datatype=x509.DER) +subject = x509.get_subject(cert, datatype=x509.DER) +issuer = x509.get_issuer(cert, datatype=x509.DER) + +# Load it into dogtag +dn = str(DN(('uid','ipara'),('ou','People'),('o','ipaca'))) + +try: + dm_password = get_pin('internaldb') +except IOError, e: + syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e) + sys.exit(1) + +try: + conn = ldap2(shared_instance=False, ldap_uri='ldap://localhost:%d' % DEFAULT_DSPORT) + conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) + (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], normalize=False) + entry_attrs['usercertificate'].append(cert) + entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject) + conn.update_entry(dn, entry_attrs, normalize=False) + conn.disconnect() +except Exception, e: + syslog.syslog(syslog.LOG_ERR, 'Updating agent entry failed: %s' % e) + sys.exit(1) + +# Store it in the IPA LDAP server +tmpdir = tempfile.mkdtemp(prefix = "tmp-") +try: + dn = str(DN(('cn','ipaCert'),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn))) + principal = str('host/%s@%s' % (api.env.host, api.env.realm)) + ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal) + conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri) + conn.connect(ccache=ccache) + try: + (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) + entry_attrs['usercertificate'] = cert + conn.update_entry(dn, entry_attrs, normalize=False) + except errors.NotFound: + entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'], + usercertificate=cert) + conn.add_entry(dn, entry_attrs, normalize=False) + except errors.EmptyModlist: + pass + conn.disconnect() +except Exception, e: + syslog.syslog(syslog.LOG_ERR, 'Updating renewal certificate failed: %s' % e) +finally: + shutil.rmtree(tmpdir) + +# Now restart Apache so the new certificate is available +try: + ipaservices.knownservices.httpd.restart() +except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e)) diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv index e243583f9..d6bbbbc3f 100644 --- a/install/restart_scripts/restart_dirsrv +++ b/install/restart_scripts/restart_dirsrv @@ -1,5 +1,26 @@ #!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + import sys +import syslog from ipapython import services as ipaservices try: @@ -7,7 +28,9 @@ try: except IndexError: instance = "" +syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance) + try: ipaservices.knownservices.dirsrv.restart(instance) except Exception, e: - print "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)) + syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e))) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index a53ab6e62..96f80bd8e 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -1,7 +1,30 @@ #!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import syslog from ipapython import services as ipaservices +syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') + try: ipaservices.knownservices.httpd.restart() except Exception, e: - print "Cannot restart httpd: %s" % str(e) + syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e)) diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad new file mode 100644 index 000000000..070760b16 --- /dev/null +++ b/install/restart_scripts/restart_pkicad @@ -0,0 +1,50 @@ +#!/usr/bin/python -E +# +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2012 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import sys +import syslog +from ipapython import services as ipaservices +from ipaserver.install import certs +from ipalib import api + +nickname = sys.argv[1] + +api.bootstrap(context='restart') +api.finalize() + +syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted pki-cad, nickname '%s'" % nickname) + +# Fix permissions on the audit cert if we're updating it +if nickname == 'auditSigningCert cert-pki-ca': + db = certs.CertDB(api.env.realm, nssdir='/var/lib/pki-ca/alias') + args = ['-M', + '-n', nickname, + '-t', 'u,u,Pu', + ] + db.run_certutil(args) + +try: + # I've seen times where systemd restart does not actually restart + # the process. A full stop/start is required. This works around that + ipaservices.knownservices.pki_cad.stop('pki-ca') + ipaservices.knownservices.pki_cad.start('pki-ca') +except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Cannot restart pki-cad: %s" % str(e)) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 23510c953..aac3f059a 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -161,6 +161,12 @@ objectClass: nsContainer objectClass: top cn: posix-ids +dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: ca_renewal + dn: cn=s4u2proxy,cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 870ac12e9..f3ed39599 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -86,3 +86,13 @@ changetype: modify add: aci aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(search) userdn = "ldap:///all";) +# Let host add and update CA renewal certificates +dn: cn=ipa,cn=etc,$SUFFIX +changetype: modify +add: aci +aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";) + +dn: cn=ipa,cn=etc,$SUFFIX +changetype: modify +add: aci +aci: (target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 063eea023..c322cb62e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -461,6 +461,7 @@ def main(): krb = install_krb(config, setup_pkinit=options.setup_pkinit) http = install_http(config, auto_redirect=options.ui_redirect) if CA: + CA.configure_certmonger_renewal() CA.import_ra_cert(dir + "/ra.p12") CA.fix_ra_perms() ipaservices.knownservices.httpd.restart() diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index cfb9a19e3..951bd4854 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -28,6 +28,7 @@ try: from ipapython import ipautil, sysrestore, version from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import * + from ipapython import certmonger from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import httpinstance @@ -43,6 +44,7 @@ try: import os import shutil import fileinput + from ipalib import api import ipalib.errors except ImportError: print >> sys.stderr, """\ @@ -430,6 +432,35 @@ def named_enable_serial_autoincrement(): return changed +def enable_certificate_renewal(realm): + """ + If the CA subsystem certificates are not being tracked for renewal then + tell certmonger to start tracking them. + """ + ca = cainstance.CAInstance(realm, certs.NSS_DIR) + if not ca.is_configured(): + root_logger.debug('dogtag not configured') + return + + # Using the nickname find the certmonger request_id + criteria = (('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),('cert_nickname', 'ipaCert', None)) + request_id = certmonger.get_request_id(criteria) + if request_id is not None: + root_logger.debug('Certificate renewal already configured') + return + + if not sysupgrade.get_upgrade_state('dogtag', 'renewal_configured'): + if ca.is_master(): + ca.configure_renewal() + else: + ca.configure_certmonger_renewal() + ca.configure_clone_renewal() + ca.configure_agent_renewal() + ca.track_servercert() + sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True) + ca.restart(cainstance.PKI_INSTANCE_NAME) + root_logger.debug('CA subsystem certificate renewal enabled') + def main(): """ Get some basics about the system. If getting those basics fail then @@ -440,6 +471,9 @@ def main(): if not os.geteuid()==0: sys.exit("\nYou must be root to run this script.\n") + if not installutils.is_ipa_configured(): + sys.exit(0) + safe_options, options = parse_options() standard_logging_setup('/var/log/ipaupgrade.log', verbose=True, @@ -448,11 +482,8 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - try: - krbctx = krbV.default_context() - except krbV.Krb5Error, e: - # Unable to get default kerberos realm - sys.exit(0) + api.bootstrap(context='restart') + api.finalize() fqdn = find_hostname() if fqdn is None: @@ -464,13 +495,13 @@ def main(): check_certs() auto_redirect = find_autoredirect(fqdn) - sub_dict = { "REALM" : krbctx.default_realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'} + sub_dict = { "REALM" : api.env.realm, "FQDN": fqdn, "AUTOREDIR": '' if auto_redirect else '#'} upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) upgrade_pki(fstore) - update_dbmodules(krbctx.default_realm) + update_dbmodules(api.env.realm) uninstall_ipa_kpasswd() http = httpinstance.HTTPInstance(fstore) @@ -479,25 +510,26 @@ def main(): memcache = memcacheinstance.MemcacheInstance() memcache.ldapi = True - memcache.realm = krbctx.default_realm + memcache.realm = api.env.realm try: if not memcache.is_configured(): # 389-ds needs to be running to create the memcache instance # because we record the new service in cn=masters. ds = dsinstance.DsInstance() ds.start() - memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(krbctx.default_realm)) + memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm)) except (ldap.ALREADY_EXISTS, ipalib.errors.DuplicateEntry): pass cleanup_kdc(fstore) - upgrade_ipa_profile(krbctx.default_realm) + upgrade_ipa_profile(api.env.realm) changed_psearch = named_enable_psearch() changed_autoincrement = named_enable_serial_autoincrement() if changed_psearch or changed_autoincrement: # configuration has changed, restart the name server root_logger.info('Changes to named.conf have been made, restart named') bindinstance.BindInstance(fstore).restart() + enable_certificate_renewal(api.env.realm) if __name__ == '__main__': installutils.run_script(main, operation_name='ipa-upgradeconfig') diff --git a/install/updates/21-ca_renewal_container.update b/install/updates/21-ca_renewal_container.update new file mode 100644 index 000000000..50b92d73d --- /dev/null +++ b/install/updates/21-ca_renewal_container.update @@ -0,0 +1,8 @@ +# +# Add CA renewal container if not available +# + +dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX +add:objectClass: top +add:objectClass: nsContainer +add:cn: ca_renewal diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index de112d99d..1e512d0f7 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -356,3 +356,7 @@ replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr # Don't allow the default 'manage group membership' to be able to manage the # admins group replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)' + +dn: cn=ipa,cn=etc,$SUFFIX +add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "Add CA Certificates for renewals"; allow(add) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)' +add:aci:'(target = "ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX")(targetattr = "userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";)' diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index e45690f14..bc7945d7a 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -22,6 +22,7 @@ app_DATA = \ 20-user_private_groups.update \ 20-winsync_index.update \ 21-replicas_container.update \ + 21-ca_renewal_container.update \ 30-s4u2proxy.update \ 40-delegation.update \ 40-dns.update \ |