From 861d1bbdca4793fb45fb233d236d3793cc23da36 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 14 Mar 2011 16:27:19 -0400
Subject: Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.

This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae. Instead generate a separate NSS database and certificate and have certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.
ticket 1085
---
 install/tools/ipa-server-install | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
(limited to 'install/tools/ipa-server-install')
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 9c0947c83..f3a01e892 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -754,7 +754,7 @@ def main():
 if options.external_cert_file is None:
 cs = cainstance.CADSInstance()
- cs.create_instance(realm_name, host_name, domain_name, dm_password)
+ cs.create_instance(realm_name, host_name, domain_name, dm_password, subject_base=options.subject)
 ca = cainstance.CAInstance(realm_name, certs.NSS_DIR)
 if external == 0:
 ca.configure_instance(host_name, dm_password, dm_password,
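Review bot: The added `cs.create_instance(...)` line runs well past the line length used elsewhere in this file; wrap the new keyword argument onto its own line, `cs.create_instance(realm_name, host_name, domain_name, dm_password,` followed by `                   subject_base=options.subject)`. Whether `options.subject` has been validated as a DN before it reaches this call is not visible in the hunk; if the option parser does not check it, `create_instance` is the place that should, since the value ends up in the CA directory server's configuration. main() continues outside the hunk.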
@@ -817,17 +817,13 @@ def main():
 ca.ldap_enable('CA', host_name, dm_password, util.realm_to_suffix(realm_name))
- # Symlink the IPA LDAP server NSS database to this one.
- caconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid('PKI-IPA'))
- for filename in ['cert8.db', 'key3.db', 'secmod.db']:
- os.unlink('%s%s' % (caconfigdir, filename))
- dsconfigdir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
- for filename in ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt']:
- os.symlink('%s%s' % (dsconfigdir, filename), '%s%s' % (caconfigdir, filename))
-
 # Turn on SSL in the dogtag LDAP instance. This will get restarted
 # later, we don't need SSL now.
+ cs.create_certdb()
 cs.enable_ssl()
+ # Add the IPA service for storing the PKI-IPA server certificate.
+ cs.add_simple_service('dogtagldap/%s@%s' % (host_name, realm_name))
+ cs.add_cert_to_service()
 # Create a kerberos instance
 if options.pkinit_pin:
-- 
cgit
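Review bot: The new `cs.create_certdb()` / `cs.enable_ssl()` sequence carries no comment recording why the PKI-IPA instance now gets its own NSS database instead of the symlinked copy of the main 389-ds database (cert8.db, key3.db, secmod.db, pin.txt) that this hunk removes, so the reason lives only in the commit message and a later cleanup could reintroduce the share. Add above `cs.create_certdb()` a comment such as `# Give the PKI-IPA instance its own NSS database rather than symlinking the main 389-ds one: the shared database triggers SELinux denials and ties the two instances' key material together.` The existing `# Turn on SSL in the dogtag LDAP instance.` comment now sits over `cs.create_certdb()` rather than `cs.enable_ssl()`; move it down one line or fold it into the new comment. `cs.add_cert_to_service()` presumably relies on the `dogtagldap/...` service having been created by `cs.add_simple_service(...)` immediately before it, which deserves a one-line comment, and as far as this hunk shows neither call is guarded against the service already existing on a re-run of the installer. main() continues outside the hunk.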