From 82d682fa6413fc2532e9f3f9dd4abb1c70c40f8a Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 12 Jun 2014 10:23:19 +0200
Subject: Import CA certs from certificate store to DS NSS database on replica install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden
---
ipaserver/install/dsinstance.py | 13 +++++++++++++
ipaserver/install/service.py | 17 ++++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6aaa14891..242e04d99 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -384,6 +384,7 @@ class DsInstance(service.Service):
# See LDIFs for automember configuration during replica install
self.step("setting Auto Member configuration", self.__add_replica_automember_config)
self.step("enabling S4U2Proxy delegation", self.__setup_s4u2proxy)
+ self.step("importing CA certificates from LDAP", self.__import_ca_certs)
self.__common_post_setup()
@@ -716,6 +717,18 @@ class DsInstance(service.Service):
conn.unbind()
+ def __import_ca_certs(self):
+ dirname = config_dirname(self.serverid)
+ dsdb = certs.CertDB(self.realm, nssdir=dirname,
+ subject_base=self.subject_base)
+
+ conn = ipaldap.IPAdmin(self.fqdn)
+ conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
+
+ self.import_ca_certs(dsdb, self.ca_is_configured, conn)
+
+ conn.unbind()
+
def __add_default_layout(self):
self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 9e4ea3700..585c903bd 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
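Review bot: In `__import_ca_certs` (second hunk of dsinstance.py) the directory-manager bind on `conn` is only released on the success path, so if `self.import_ca_certs` raises (for instance from `db.add_cert`) the authenticated connection is left open while the installer aborts; the same pattern is visible in the context line `conn.unbind()` of the preceding method, but the new code should close it unconditionally with `try:` / `    self.import_ca_certs(dsdb, self.ca_is_configured, conn)` / `finally:` / `    conn.unbind()`. The method also has no docstring; a one-liner such as `"""Import the CA certs stored in LDAP into the DS NSS database (replica install step)."""` would tie it to the step registered in the first hunk, which is the one named "importing CA certificates from LDAP" under the replica-install comment. The enclosing class `DsInstance` begins outside both hunks.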
@@ -27,7 +27,7 @@ import datetime
from ipapython import sysrestore, ipautil, dogtag, ipaldap
from ipapython.dn import DN
from ipapython.ipa_log_manager import *
-from ipalib import errors
+from ipalib import errors, certstore
from ipaplatform import services
from ipaplatform.paths import paths
@@ -269,6 +269,21 @@ class Service(object):
except Exception, e:
root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
+ def import_ca_certs(self, db, ca_is_configured, conn=None):
+ if conn is None:
+ if not self.admin_conn:
+ self.ldap_connect()
+ conn = self.admin_conn
+
+ try:
+ ca_certs = certstore.get_ca_certs_nss(
+ conn, self.suffix, self.realm, ca_is_configured)
+ except errors.NotFound:
+ pass
+ else:
+ for cert, nickname, trust_flags in ca_certs:
+ db.add_cert(cert, nickname, trust_flags)
+
def is_configured(self):
return self.sstore.has_state(self.service_name)
-- cgit
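Review bot: `import_ca_certs` (second hunk of service.py) turns `errors.NotFound` into a silent `pass`, so a replica whose LDAP cert store holds no CA entries gets an NSS database with no CA certs and nothing in the install log explains it; the branch should at least record that, e.g. `except errors.NotFound:` / `    root_logger.warning("No CA certificates found in the LDAP cert store under %s", self.suffix)`, which presumably works here since `root_logger` is what the context line above already calls and it comes from the `ipa_log_manager` star import visible in the first hunk. The method also needs a docstring stating that every certificate is added to `db` with the nickname and trust flags exactly as stored in LDAP, so the set of CAs the service trusts is whatever is written under `self.suffix`; that `ca_is_configured` is passed straight through to `certstore.get_ca_certs_nss`; and that when `conn` is None the shared `self.admin_conn` is opened if needed and deliberately left open for the caller, whereas a caller-supplied `conn` is neither bound nor unbound here. The first hunk only extends the `ipalib` import and needs no change; the enclosing class `Service` begins outside the hunk.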