authorRob Crittenden <rcritten@redhat.com>2011-03-14 16:27:19 -0400
committerRob Crittenden <rcritten@redhat.com>2011-03-15 14:09:57 -0400
commit861d1bbdca4793fb45fb233d236d3793cc23da36 (patch)
treeccb169d140cd119b07435b675ca11df8f7bff067 /ipaserver/install/service.py
parenta36bc4ee93d13c28f8edf2bb94eb4dbfc25be568 (diff)
Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
This fixes 2 AVCs: * One because we are enabling port 7390, since an SSL port must be defined to use TLS on 7389. * We were symlinking to the main IPA 389-ds NSS certificate database. Instead, generate a separate NSS database and certificate and have certmonger track it separately. I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it. ticket 1085
Diffstat (limited to 'ipaserver/install/service.py')
-rw-r--r--ipaserver/install/service.py19
1 files changed, 19 insertions, 0 deletions
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index e97b7816..253c0f05 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -187,6 +187,25 @@ class Service:
self.admin_conn.addEntry(entry)
return newdn
+ def add_simple_service(self, principal):
+ """
+ Add a very basic IPA service.
+
+ The principal needs to be fully-formed: service/host@REALM
+ """
+ if not self.admin_conn:
+ self.ldap_connect()
+
+ dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, self.suffix)
+ hostdn = "fqdn=%s,cn=computers,cn=accounts,%s" % (self.fqdn, self.suffix)
+ entry = ipaldap.Entry(dn)
+ entry.setValues("objectclass", ["krbprincipal", "krbprincipalaux", "krbticketpolicyaux", "ipaobject", "ipaservice", "pkiuser"])
+ entry.setValue("krbprincipalname", principal)
+ entry.setValue("ipauniqueid", 'autogenerate')
+ entry.setValue("managedby", hostdn)
+ self.admin_conn.addEntry(entry)
+ return dn
+
def add_cert_to_service(self):
"""
Add a certificate to a service
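Review bot: In `add_simple_service`, `principal` and `self.fqdn` are formatted straight into the `dn` and `hostdn` strings with no DN escaping, so a value containing `,`, `+`, `=` or a backslash would change which entry is created or what `managedby` points at. The docstring requires a fully-formed `service/host@REALM`, but nothing in the method checks that before the entry is written with the admin connection. I would escape both values, e.g. `dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (ldap.dn.escape_dn_chars(principal), self.suffix)` and likewise for `self.fqdn` in `hostdn`; this assumes python-ldap's `ldap.dn` can be imported in this module, which the hunk does not show. A short guard that rejects a principal without exactly one `/` and one `@` would make the docstring's precondition explicit. The callers are presumably installer code passing trusted values, but that cannot be confirmed from this hunk.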