authorMartin Babinsky <mbabinsk@redhat.com>2015-12-02 12:22:45 +0100
committerMartin Basti <mbasti@redhat.com>2015-12-04 19:37:37 +0100
commita497288b3eafe00ab9c819dd4a51d0b421824b36 (patch)
tree24bbe03d22635ae9d3977b6ddc7cef5d27c044bb /ipaserver/install/cainstance.py
parent95d659b634b2ea13d18d26cacbd73e19972145f2 (diff)
replica install: improvements in the handling of CA-related IPA config entries
When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to the nearest CA master and all certificate requests are forwarded to it. A subsequent installation of the CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by the freshly installed local CA. https://fedorahosted.org/freeipa/ticket/5506 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r--ipaserver/install/cainstance.py19
1 files changed, 18 insertions, 1 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 65f9e463d..2ca718a7b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -41,7 +41,7 @@ import shlex
import pipes
from six.moves import urllib
-from six.moves.configparser import ConfigParser
+from six.moves.configparser import ConfigParser, RawConfigParser
from ipalib import api
from ipalib import pkcs10, x509
@@ -429,6 +429,7 @@ class CAInstance(DogtagInstance):
self.step("importing IPA certificate profiles",
import_included_profiles)
self.step("adding default CA ACL", ensure_default_caacl)
+ self.step("updating IPA configuration", update_ipa_conf)
self.start_creation(runtime=210)
@@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance):
self.track_servercert)
self.step("Configure HTTP to proxy connections",
self.http_proxy)
+ self.step("updating IPA configuration", update_ipa_conf)
self.step("Restart HTTP server to pick up changes",
self.__restart_http_instance)
@@ -1768,6 +1770,21 @@ def ensure_default_caacl():
api.Backend.ldap2.disconnect()
+def update_ipa_conf():
+ """
+ Update IPA configuration file to ensure that RA plugins are enabled and
+ that CA host points to localhost
+ """
+ parser = RawConfigParser()
+ parser.read(paths.IPA_DEFAULT_CONF)
+ parser.set('global', 'enable_ra', 'True')
+ parser.set('global', 'ra_plugin', 'dogtag')
+ parser.set('global', 'dogtag_version', '10')
+ parser.remove_option('global', 'ca_host')
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+ parser.write(f)
+
+
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
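Review bot: The new update_ipa_conf() rewrites paths.IPA_DEFAULT_CONF in place with `open(paths.IPA_DEFAULT_CONF, 'w')`, which truncates the file before `parser.write(f)` runs, so a failure mid-write (full disk, interrupted installer) leaves the host with an empty or partial IPA configuration. `parser.read()` also skips an unreadable file without raising, so a missing `[global]` section only surfaces as a NoSectionError from the first `parser.set()`. Checking the return value of `read()` and writing to a temporary file in the same directory that is then renamed over the original avoids both. The sketch below assumes `os`, `tempfile` and `shutil` are in scope, which the hunks do not show, and the mode and SELinux label of the replaced file should be confirmed on a test host. The docstring says the CA host "points to localhost" while the code removes the `ca_host` option, so `that any ca_host override is removed` would describe it more accurately.

```python
def update_ipa_conf():
    # … unchanged: docstring …
    parser = RawConfigParser()
    # read() returns the list of files it parsed; empty means nothing was read
    if not parser.read(paths.IPA_DEFAULT_CONF):
        raise RuntimeError("cannot read %s" % paths.IPA_DEFAULT_CONF)
    # … unchanged: parser.set() / parser.remove_option() calls …
    conf_dir = os.path.dirname(paths.IPA_DEFAULT_CONF)
    fd, tmp_path = tempfile.mkstemp(dir=conf_dir)
    try:
        with os.fdopen(fd, 'w') as f:
            parser.write(f)
        # mkstemp creates the file 0600; keep the original file's mode
        shutil.copymode(paths.IPA_DEFAULT_CONF, tmp_path)
        os.rename(tmp_path, paths.IPA_DEFAULT_CONF)
    except Exception:
        os.unlink(tmp_path)
        raise
```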