path: root/init/systemd/freeipa-systemd-upgrade
blob: 7e7c202cf50da85115ad987121f031307892cfb0 (plain)
#! /usr/bin/python -E
import os, platform
import sys

from ipapython import ipautil, config
from ipapython import services as ipaservices
from ipaserver.install.krbinstance import update_key_val_in_file

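def convert_java_link(foo, topdir, filepaths):
    """Repoint dangling jss symlinks to /usr/lib64 (os.path.walk visitor).

    os.path.walk() calls this once per directory under the PKI-CA lib
    tree.  Each entry that is a symlink whose target is missing, and whose
    resolved path is a jss library below /usr/lib/, is re-created with the
    same file name below /usr/lib<bitness>/jss/ -- but only on a 64-bit
    platform.  Every other entry is reported and left untouched.

    Args:
        foo: the user argument passed through os.path.walk(); unused.
        topdir: the directory being visited.  Names in ``filepaths`` are
            relative to it, so the process cwd is switched there for the
            duration of the call and restored afterwards.
        filepaths: names of the entries in ``topdir``.
    """
    cwd = os.getcwd()
    os.chdir(topdir)
    # Restore the caller's cwd even if an os.* call raises; otherwise the
    # rest of the upgrade script would keep running inside the PKI tree.
    try:
        for filepath in filepaths:
            # All this shouldn't happen because java system upgrade should
            # properly move files and symlinks, but if this is a broken link ..
            if not os.path.islink(filepath):
                continue
            print "    Checking %s ... " % (filepath),
            if os.path.exists(filepath):
                print "Ok"
                continue
            rpath = os.path.realpath(filepath)
            bitness = platform.architecture()[0][:2]
            # .. and it points to jss in /usr/lib, rewrite it to /usr/lib64
            # on the x86_64 platform.  Only links whose resolved target is
            # already a jss path are touched; the new target is derived
            # from that path and is not checked for existence here.
            if '/usr/lib/' in rpath and 'jss' in rpath and bitness == '64':
                npath = "/usr/lib%s/jss/%s" % (bitness, os.path.basename(rpath))
                os.unlink(filepath)
                os.symlink(npath, filepath)
                print "%s -> %s" % (filepath, npath)
            else:
                # A dangling link that is not a jss one (or not on a 64-bit
                # host) is reported as before and left as it is.
                print "Ok"
    finally:
        os.chdir(cwd)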

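# 0. Init config
try:
    config.init_config()
except config.IPAConfigError:
    # No configured IPA install, no need to upgrade anything
    sys.exit(0)

# 1. Convert broken symlinks, if any, in /var/lib/pki-ca
if os.path.exists('/var/lib/pki-ca/common/lib'):
    print "Analyzing symlinks in PKI-CA install"
    os.path.walk('/var/lib/pki-ca/common/lib', convert_java_link, None)

# The remaining steps are best effort: a failure must not abort the package
# upgrade that runs this script, but it is reported on stderr instead of
# being swallowed silently, so an incomplete upgrade is visible in the
# transaction log.
try:
    print "Found IPA server for domain %s" % (config.config.default_realm)
    # 1. Make sure Dogtag instance (if exists) has proper OIDs for IPA CA
    ipa_ca_cfg = "/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg"
    if os.path.exists(ipa_ca_cfg):
        print "Make sure PKI-CA has Extended Key Usage OIDs for the certificates (Server and Client Authentication)",
        # Extended Key Usage: id-kp-serverAuth and id-kp-clientAuth
        key = 'policyset.serverCertSet.7.default.params.exKeyUsageOIDs'
        value = '1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'
        replacevars = {key: value}
        appendvars = {}
        old_values = ipautil.config_replace_variables(ipa_ca_cfg, replacevars=replacevars, appendvars=appendvars)
        # the profile was rewritten; put its SELinux label back
        ipaservices.restore_context(ipa_ca_cfg)
        if key in old_values and old_values[key] != value:
            print
            print "    WARNING: Previously issued certificate didn't have both Server and Client Authentication usage"
            # old_values[key] is the previous value string.  Formatting it
            # with a %(name)s placeholder raised TypeError ("format requires
            # a mapping"), which the former bare except hid -- skipping the
            # pki-cad restart and every systemd step below.
            print "             Old usage OID(s): %s" % (old_values[key],)
            print "    Please make sure to revoke old certificates and re-issue them again to add both usages when needed"
            ipaservices.service('pki-cad').restart()
        else:
            print "... ok"
    print "Converting services setup to systemd"
    # 2. Upgrade /etc/sysconfig/dirsrv for systemd
    print "    Upgrade /etc/sysconfig/dirsrv"
    update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
    # 3. Upgrade /etc/sysconfig/krb5kdc for systemd
    print "    Upgrade /etc/sysconfig/krb5kdc"
    replacevars = {'KRB5REALM': config.config.default_realm}
    appendvars = {}
    ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
       replacevars=replacevars, appendvars=appendvars)
    ipaservices.restore_context("/etc/sysconfig/krb5kdc")
    # 4. Enable DS instances:
    # when enabling DS instances we'll also do configure /etc/sysconfig/dirsrv.systemd
    # which comes with 389-ds-base-1.2.10-0.8.a7 on F-16 and later. This is handled in
    # fedora16 platform code
    realm = config.config.default_realm.upper().replace('.', '-') #pylint: disable=E1103
    print "    Re-enable Directory server instances PKI-IPA and %s " % (realm)
    # a stale locally-installed unit template would shadow the packaged one
    if os.path.exists('/etc/systemd/system/dirsrv@.service'):
        os.unlink('/etc/systemd/system/dirsrv@.service')
    ipaservices.knownservices.dirsrv.enable(realm)
    ipaservices.knownservices.dirsrv.enable("PKI-IPA")
    # 4. Enable FreeIPA
    print "    Re-enable IPA service"
    ipaservices.knownservices.ipa.enable()
except Exception, e:
    # Deliberately not re-raised (see above); narrowed from a bare except
    # so SystemExit/KeyboardInterrupt are no longer swallowed.
    print >> sys.stderr, "Error during systemd upgrade: %s" % (e,)

finally:
    print "Finished."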