From 766b534da0c3a1ed09fe187323eaae0440eb7784 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 7 Dec 2009 23:17:00 -0500
Subject: Make the IPA server host and its services "real" IPA entries

We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
---
 ipaserver/install/cainstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'ipaserver/install/cainstance.py')

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 198b0c64..46a337cb 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -810,7 +810,7 @@ class CAInstance(service.Service):
         os.close(f)
         os.chmod(self.ra_agent_pwd, stat.S_IRUSR)
 
-        stdout, stderr = self.__run_certutil(["-N"])
+        (stdout, stderr, returncode)  = self.__run_certutil(["-N"])
 
     def __get_ca_chain(self):
         try:
@@ -886,7 +886,7 @@ class CAInstance(service.Service):
 
         # Generate our CSR. The result gets put into stdout
         try:
-            (stdout, stderr) = self.__run_certutil(["-R", "-k", "rsa", "-g", "2048", "-s", "CN=RA Subsystem Certificate,OU=pki-ipa,O=%s" % self.domain_name, "-z", noise_name, "-a"])
+            (stdout, stderr, returncode) = self.__run_certutil(["-R", "-k", "rsa", "-g", "2048", "-s", "CN=RA Subsystem Certificate,OU=pki-ipa,O=%s" % self.domain_name, "-z", noise_name, "-a"])
         finally:
             os.remove(noise_name)
 
-- 
cgit