From 74ba0cc7c1bdb9c560324a68c16593755bcda5d8 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 1 Nov 2010 13:51:14 -0400
Subject: Use Realm as certs subject base name

Also use the realm name as nickname for the CA certificate
---
 install/tools/ipa-replica-install | 2 +-
 install/tools/ipa-replica-prepare | 6 +++---
 install/tools/ipa-server-certinstall | 2 +-
 install/tools/ipa-server-install | 14 ++++++++------
 install/tools/man/ipa-server-install.1 | 2 +-
 5 files changed, 14 insertions(+), 12 deletions(-)
(limited to 'install')

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index e4aae4aa..2beadae8 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -48,7 +48,7 @@ class ReplicaConfig:
 self.host_name = ""
 self.repl_password = ""
 self.dir = ""
- self.subject_base = "O=IPA"
+ self.subject_base = ""

 def parse_options():
 usage = "%prog [options] REPLICA_FILE"
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 6e9d649a..059b011f 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -103,14 +103,14 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname, subjec
 try:
 self_signed = certs.ipa_self_signed()
- db = certs.CertDB(dir, subject_base=subject_base)
+ db = certs.CertDB(dir, realm_name, subject_base=subject_base)
 db.create_passwd_file()
 # if self_signed:
 # ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)))
 # db.create_from_cacert(ca_db.cacert_fname)
 # else:
 # ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
- ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host, subject_base=subject_base)
+ ca_db = certs.CertDB(httpinstance.NSS_DIR, realm_name, host_name=api.env.host, subject_base=subject_base)
 db.create_from_cacert(ca_db.cacert_fname)
 db.create_server_cert("Server-Cert", hostname, ca_db)
 except Exception, e:
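Review bot: `self.subject_base = ""` means a replica file that carries no subject-base entry now yields an empty subject base instead of the old `O=IPA`, and the NSS databases would be created with it; the code that fills `config.subject_base` from the replica file is not in this hunk. If that path cannot guarantee a value, it should fail with a clear error or fall back to `"O=%s" % config.realm_name`, the same default ipa-server-install now derives, rather than proceed with an empty string. `ReplicaConfig.__init__` starts outside the hunk.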
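Review bot: The five commented-out lines above the changed `ca_db = certs.CertDB(...)` call are dead code that this change also makes stale, since they build `certs.CertDB` without the `realm_name` argument the live calls now pass; delete the `# if self_signed:` … `# else:` block instead of leaving an out-of-date variant next to the real one. Both new calls also insert `realm_name` positionally, so they depend on `CertDB`'s parameter order, which is not visible here; passing it as a keyword would be more robust to future signature changes. `export_certdb` starts before the hunk and its `except Exception, e:` handler continues after it.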
@@ -148,7 +148,7 @@ def export_ra_pkcs12(dir, dm_password):
 try:
 try:
- db = certs.CertDB(httpinstance.NSS_DIR, host_name=api.env.host)
+ db = certs.CertDB(httpinstance.NSS_DIR, api.env.realm, host_name=api.env.host)
 if db.has_nickname("ipaCert"):
 pkcs12_fname = "%s/ra.p12" % dir
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index d853f718..9d69853e 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -89,7 +89,7 @@ def choose_server_cert(server_certs):
 return server_certs[num - 1]

 def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
- cdb = certs.CertDB(dirname)
+ cdb = certs.CertDB(dirname, api.env.realm)
 cdb.create_passwd_file(db_password)
 cdb.create_certdbs()
 [pw_fd, pw_name] = tempfile.mkstemp()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c8a17c99..569079d5 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -122,8 +122,8 @@ def parse_options():
 help="The starting uid value (default random)")
 parser.add_option("--gidstart", dest="gidstart", default=namespace, type=int,
 help="The starting gid value (default random)")
- parser.add_option("--subject", dest="subject", default="O=IPA",
- help="The certificate subject base (default O=IPA)")
+ parser.add_option("--subject", dest="subject",
+ help="The certificate subject base (default O=)")
 parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
 action="store_true", help="Don't install allow_all HBAC rule")
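Review bot: The new `certs.CertDB(httpinstance.NSS_DIR, api.env.realm, ...)` call in export_ra_pkcs12 takes the realm from `api.env.realm`, while export_certdb in the same file receives `realm_name` as a parameter and passes that; if the two ever differ, the RA database and the server databases are opened under different CA nicknames. Pick one source for both, for example by threading `realm_name` into `export_ra_pkcs12` from its caller. The nested `try:` blocks begin and end outside the hunk.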
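Review bot: `cdb = certs.CertDB(dirname, api.env.realm)` relies on `api` being imported and bootstrapped from the server configuration before import_cert runs, and nothing in this hunk shows that for ipa-server-certinstall; if it is not, this raises NameError or reads an unset env attribute mid-install. Confirm the import and bootstrap at module or main level, or pass the realm explicitly (`def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password, realm):`) so the function does not depend on global API state. The rest of `import_cert` is outside the hunk.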
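Review bot: The new help string `help="The certificate subject base (default O=)"` tells the user the default is the literal `O=`; the real default, computed later in main() from the realm, is `O=<REALM>`, which is what the man page change in this same commit says (`default O=REALM.NAME`). Make the option help match: `help="The certificate subject base (default O=<REALM>)"`. `parse_options` continues on both sides of the hunk.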
@@ -402,8 +402,8 @@ def uninstall():
 ntpinstance.NTPInstance(fstore).uninstall()
 if cainstance.CADSInstance().is_configured():
 cainstance.CADSInstance().uninstall()
- if cainstance.CAInstance().is_configured():
- cainstance.CAInstance().uninstall()
+ if cainstance.CAInstance(api.env.realm).is_configured():
+ cainstance.CAInstance(api.env.realm).uninstall()
 bindinstance.BindInstance(fstore).uninstall()
 httpinstance.HTTPInstance(fstore).uninstall()
 krbinstance.KrbInstance(fstore).uninstall()
@@ -465,7 +465,6 @@ def main():
 global fstore
 fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')

-
 # Configuration for ipalib, we will bootstrap and finalize later, after
 # we are sure we have the configuration file ready.
 cfg = dict(
@@ -610,6 +609,9 @@ def main():
 else:
 realm_name = options.realm_name.upper()

+ if not options.subject:
+ options.subject = "O=%s" % realm_name
+
 if not options.dm_password:
 dm_password = read_dm_password()
 else:
@@ -689,7 +691,7 @@ def main():
 if options.external_cert_file is None:
 cs = cainstance.CADSInstance()
 cs.create_instance("pkisrv", realm_name, host_name, domain_name, dm_password)
- ca = cainstance.CAInstance()
+ ca = cainstance.CAInstance(realm_name)
 if external == 0:
 ca.configure_instance("pkiuser", host_name, dm_password, dm_password, subject_base=options.subject)
 elif external == 1:
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 943a4201..0d4d8c52 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
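Review bot: The uninstall path builds `cainstance.CAInstance(api.env.realm)` twice, once for `is_configured()` and once for `uninstall()`; construct it once (`ca = cainstance.CAInstance(api.env.realm)` followed by `if ca.is_configured(): ca.uninstall()`) so both calls operate on the same instance and realm. It is also worth confirming, outside this hunk, that `api.env.realm` is populated when uninstall() runs after a failed or partial install: if the configuration file was never written, the realm may be empty and the CA nickname this now derives would not match the installed database, leaving the CA behind. `uninstall()` continues past the hunk.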
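Review bot: `options.subject = "O=%s" % realm_name` turns the realm into an RDN value with no escaping or validation, and the result, or a user-supplied `--subject`, is passed straight through as `subject_base=options.subject` in the later hunk; any character special in an RFC 4514 DN (`,`, `+`, `=`, `"`, `\`, `;`, `<`, `>`, `#`) in either would yield a malformed or differently-parsed subject base for every certificate the CA issues. Unless the realm is validated elsewhere to be a plain domain-style name, which this hunk does not show, validate the final subject base as a DN before it reaches the CA and reject bad input rather than quietly mangle it. `main()` continues on both sides of the hunk.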
@@ -102,7 +102,7 @@ The starting user id number (default random)
 The starting group id number (default random)
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
- The certificate subject base (default O=IPA)
+ The certificate subject base (default O=REALM.NAME)
 .TP
 \fB\-\-no_hbac_allow\fR
 Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
--
cgit