author Fraser Tweedale <ftweedal@redhat.com> 2015-11-23 12:09:32 +1100
committer Jan Cholasta <jcholast@redhat.com> 2015-11-24 10:12:24 +0100
commit 620036d26e98fdcefff00168e9e5463a8257d49c
tree 5f06b9eb125370d9dcdee938e18c31d1d8a3fe5d /install/share
parent 6fe0a898077a74924b6ccaf6dfbaf2d166175722
Add profiles and default CA ACL on migration

Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply the RA certificate as part of the instance configuration. Certmonger renewal setup is avoided at this point because the NSSDB gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

Diffstat (limited to 'install/share')
-rw-r--r-- install/share/Makefile.am 1
-rw-r--r-- install/share/default-caacl.ldif 11
2 files changed, 0 insertions, 12 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 92508a9ba..42f3972e1 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -31,7 +31,6 @@ app_DATA = \
caJarSigningCert.cfg.template \
custodia.conf.template \
default-aci.ldif \
- default-caacl.ldif \
default-hbac.ldif \
default-smb-group.ldif \
default-trust-view.ldif \
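Review bot: dropping `default-caacl.ldif` from `app_DATA` is only safe if nothing still expects the installed file. This view is limited to install/share, so the dsinstance step that used to load the LDIF is not visible here. Please confirm in the full commit that the loader and any packaging file list that names `default-caacl.ldif` are removed together with this line, otherwise a fresh install fails at the point where the file is looked up.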
diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif
deleted file mode 100644
index f3cd5b4d4..000000000
--- a/install/share/default-caacl.ldif
+++ /dev/null
@@ -1,11 +0,0 @@
-# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services
-dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX
-changetype: add
-objectclass: ipaassociation
-objectclass: ipacaacl
-ipauniqueid: autogenerate
-cn: hosts_services_caIPAserviceCert
-ipaenabledflag: TRUE
-ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX
-hostcategory: all
-servicecategory: all
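Review bot: the deleted LDIF was the only declarative record of what the default CA ACL grants, and the leading comment at the top of the file is lost with it. The code in cainstance that now creates the ACL should carry that comment and reproduce exactly these attributes: `cn: hosts_services_caIPAserviceCert`, `ipaenabledflag: TRUE`, `hostcategory: all`, `servicecategory: all`, and the single profile `caIPAserviceCert`. No user category is set here, so the replacement must not widen the grant to users. The `cn` also needs to match the name the caacl plugin now protects from deletion, and the creation step has to be a no-op when the entry already exists, since the commit message says it is added only if missing on replica install.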