From 9e188574a552e8ece47a181763afa891a4e45bc6 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 24 Mar 2014 15:30:53 +0100 Subject: Add method for setting CA renewal master in LDAP to CAInstance. Allow checking and setting CA renewal master for non-local CA instances. Reviewed-By: Rob Crittenden --- ipaserver/install/cainstance.py | 41 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 38 insertions(+), 3 deletions(-) (limited to 'ipaserver') diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index f0aef7558..7e2572d97 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1609,12 +1609,15 @@ class CAInstance(service.Service): return True return False - def is_renewal_master(self): + def is_renewal_master(self, fqdn=None): + if fqdn is None: + fqdn = api.env.host + if not self.admin_conn: self.ldap_connect() - dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'), - ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) + dn = DN(('cn', 'CA'), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), + ('cn', 'etc'), api.env.basedn) filter = '(ipaConfigString=caRenewalMaster)' try: self.admin_conn.get_entries(base_dn=dn, filter=filter, 
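Review bot: The new `fqdn` parameter on `is_renewal_master` has no docstring, so callers cannot tell that `None` means the local host or what the result means for a remote host. Suggest adding `"""Return True if the CA on fqdn (default: api.env.host) has ipaConfigString=caRenewalMaster."""` directly under the signature. The `try` body and its handler continue outside this hunk. If a missing `cn=CA` entry is mapped to `False` there, the docstring should say that "host has no CA" and "CA is not the renewal master" are indistinguishable, since a caller may use this check to decide whether to promote that host.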
@@ -1624,6 +1627,38 @@ class CAInstance(service.Service): return True + def set_renewal_master(self, fqdn=None): + if fqdn is None: + fqdn = api.env.host + + if not self.admin_conn: + self.ldap_connect() + + base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), + api.env.basedn) + filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))' + try: + entries = self.admin_conn.get_entries( + base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString']) + except errors.NotFound: + entries = [] + + dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn) + master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString']) + + for entry in entries: + if master_entry is not None and entry.dn == master_entry.dn: + master_entry = None + continue + + entry['ipaConfigString'] = [x for x in entry['ipaConfigString'] + if x.lower() != 'carenewalmaster'] + self.admin_conn.update_entry(entry) + + if master_entry is not None: + master_entry['ipaConfigString'].append('caRenewalMaster') + self.admin_conn.update_entry(master_entry) + def replica_ca_install_check(config): if not config.setup_ca: -- cgit
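Review bot: `set_renewal_master` strips `caRenewalMaster` from every other CA entry in the loop before it appends the value to `master_entry`, and the updates are separate LDAP writes. If a later `update_entry` fails (lost connection, ACI denial), the topology is left with no renewal master and CA certificate renewal would presumably stall unnoticed. Promoting the target first and demoting the others afterwards avoids that end state. Two flagged masters for a moment looks less harmful than none, but confirm this against how the renewal helpers select the master. The `get_entry` lookup already runs before any write, so an unknown `fqdn` fails cleanly; a short comment saying that ordering is deliberate would help.

```python
        dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn)
        master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])

        # Promote the target first so a failure part-way through never
        # leaves the topology without a renewal master.
        if not any(x.lower() == 'carenewalmaster'
                   for x in master_entry['ipaConfigString']):
            master_entry['ipaConfigString'].append('caRenewalMaster')
            self.admin_conn.update_entry(master_entry)

        for entry in entries:
            if entry.dn == master_entry.dn:
                continue
            # ... unchanged: strip caRenewalMaster from entry, update_entry(entry) ...
```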