Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/dsinstance.py | 4 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 25 |
2 files changed, 29 insertions, 0 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2acab13f2..9f24189b6 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -307,6 +307,7 @@ class DsInstance(service.Service):
self.step("adding range check plugin", self.__add_range_check_plugin)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
+ self.step("creating default CA ACL rule", self.add_caacl)
self.step("adding entries for topology management", self.__add_topology_entries)
self.__common_post_setup()
@@ -741,6 +742,9 @@ class DsInstance(service.Service):
def add_hbac(self):
self._ldap_mod("default-hbac.ldif", self.sub_dict)
+ def add_caacl(self):
self._ldap_mod("default-caacl.ldif", self.sub_dict)
+
def change_admin_password(self, password):
root_logger.debug("Changing admin password")
dirname = config_dirname(self.serverid)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c5f4d37cc..306d1d27c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
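Review bot: The new `self.step("creating default CA ACL rule", self.add_caacl)` runs on every install, unlike the default HBAC rule directly above it, which is gated by `hbac_allow`, and unlike the upgrade path added in this same commit, which creates the ACL only when `ca.is_configured()`. What it loads is a permissive default (the upgrade code in this commit spells it as all hosts plus a second principal category for the `caIPAserviceCert` profile; the LDIF itself is not in the diff), so an operator who wants a locked-down certificate policy has no switch comparable to the one behind `hbac_allow`. If running it unconditionally is deliberate — presumably so the entry already exists when a CA is added later — record that at the step: `# Always load the default CA ACL, also on CA-less installs, so a later CA install finds it; no opt-out yet`.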
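Review bot: `add_caacl` has no docstring, and the policy it loads from `default-caacl.ldif` (not in this diff) is now defined a second time, as API calls, by `add_default_caacl` in server/upgrade.py; nothing in either place points at the other, so the two can drift and leave fresh and upgraded servers with different CA ACLs under the same rule name. Suggested docstring: `"""Load the default CA ACL from default-caacl.ldif; keep its categories and profile in sync with add_default_caacl() in server/upgrade.py."""`. `add_hbac` above has the same gap but is not touched by this change.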
@@ -1254,6 +1254,30 @@ def update_mod_nss_protocol(http):
sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
+def add_default_caacl(ca):
+ root_logger.info('[Add default CA ACL]')
+
+ if sysupgrade.get_upgrade_state('caacl', 'add_default_caacl'):
+ root_logger.info('Default CA ACL already added')
+ return
+
+ if ca.is_configured():
+ if not api.Backend.ldap2.isconnected():
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError as e:
+ root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+ return
+
+ if not api.Command.caacl_find()['result']:
+ api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+ hostcategory=u'all', usercategory=u'all')
+ api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+ certprofile=(u'caIPAserviceCert',))
+
+ sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
+
+
def upgrade_configuration():
"""
Execute configuration upgrade of the IPA services
@@ -1431,6 +1455,7 @@ def upgrade_configuration():
# itself require a restart.
#
ca_import_included_profiles(ca)
+ add_default_caacl(ca)
set_sssd_domain_option('ipa_server_mode', 'True') |
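Review bot: The ACL created by the `caacl_add` call grants `hostcategory=u'all', usercategory=u'all'`, yet its name `hosts_services_caIPAserviceCert` says hosts and services, and the installer loads the same rule from `default-caacl.ldif` (not in this diff) via `add_caacl`; if that LDIF uses `servicecategory`, upgraded and freshly installed servers enforce different authorization policy under one rule name, with service principals denied `caIPAserviceCert` on upgraded servers and user principals granted it. Please check against the LDIF; if hosts and services are intended the line becomes `hostcategory=u'all', servicecategory=u'all')`. Separately, `caacl_find()` followed by `caacl_add` is not atomic: two replicas upgraded at the same time can both see an empty result, and the second `caacl_add` would raise `DuplicateEntry`, which is not caught here and so aborts the whole upgrade, whereas the connect failure above is logged and left for a retry. Wrapping the add in `try: ... except ipalib.errors.DuplicateEntry: pass` before `caacl_add_profile` keeps the function idempotent. Note also that the state flag is set even on the CA-less branch, so a CA configured later never comes back through this function; that is fine only if installing a CA afterwards creates the rule by another route.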
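Review bot: The new `add_default_caacl(ca)` call relies on its position after `ca_import_included_profiles(ca)`, because the ACL it creates references the `caIPAserviceCert` profile through `caacl_add_profile` and that profile is presumably among the ones the preceding call imports; nothing at the call site records this, so a later reordering of `upgrade_configuration` would break it silently. Add `# after ca_import_included_profiles(): the default ACL references the caIPAserviceCert profile` above the call. `upgrade_configuration` begins outside this hunk.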