| author | Fraser Tweedale <ftweedal@redhat.com> | 2015-05-14 01:46:06 -0400 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-15 07:13:38 +0200 |
| commit | 3d4db834caa0688bcefc0092b7978402b783eaf3 (patch) | |
| tree | e9fddc70bdff260ce738dc9458938851453d86c0 /ipaserver/install | |
| parent | 8135651abb857fbe489a1de8aacad3747d7d5cc9 (diff) | |
Add 'ca' plugin
This commit adds the 'ca' plugin for creating and managing
lightweight CAs. The initial implementation supports a single level
of sub-CAs underneath the IPA CA.
This commit also:
- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag
lightweight CAs REST API.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/install')
| -rw-r--r-- | ipaserver/install/cainstance.py | 7 | ||||
| -rw-r--r-- | ipaserver/install/server/upgrade.py | 16 |
2 files changed, 22 insertions, 1 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index becb0b172..3e2576d05 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1629,6 +1629,13 @@ def ensure_ldap_profiles_container():
         ou=['certificateProfiles'],
     )
 
+def ensure_lightweight_cas_container():
+    ensure_entry(
+        DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')),
+        objectclass=['top', 'organizationalUnit'],
+        ou=['authorities'],
+    )
+
 
 def ensure_entry(dn, **attrs):
     server_id = installutils.realm_to_serverid(api.env.realm)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index cd2ad2e11..81a49e8af 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -345,6 +345,16 @@ def ca_import_included_profiles(ca):
     return cainstance.import_included_profiles()
 
 
+def ca_ensure_lightweight_cas_container(ca):
+    root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]')
+
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    return cainstance.ensure_lightweight_cas_container()
+
+
 def upgrade_ca_audit_cert_validity(ca):
     """
     Update the Dogtag audit signing certificate.
@@ -1438,7 +1448,10 @@ def ca_upgrade_schema(ca):
         root_logger.info('CA is not configured')
         return False
 
-    schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif']
+    schema_files=[
+        '/usr/share/pki/server/conf/schema-certProfile.ldif',
+        '/usr/share/pki/server/conf/schema-authority.ldif',
+    ]
     try:
         modified = schemaupdate.update_schema(schema_files, ldapi=True)
     except Exception as e:
@@ -1698,6 +1711,7 @@ def upgrade_configuration():
         except ipautil.CalledProcessError as e:
             root_logger.error("Failed to restart %s: %s",
                               ca.service_name, e)
+    ca_ensure_lightweight_cas_container(ca)
     ca_enable_ldap_profile_subsystem(ca)
 
     # This step MUST be done after ca_enable_ldap_profile_subsystem and
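Review bot: `ensure_lightweight_cas_container` in the cainstance.py hunk is added without a docstring, and the same applies to `ca_ensure_lightweight_cas_container` in the first upgrade.py hunk, whose neighbour `upgrade_ca_audit_cert_validity` does carry one. For the former I would add `"""Ensure the ou=authorities,ou=ca,o=ipaca container for Dogtag lightweight CA entries exists."""`, and for the upgrade step a docstring stating that it returns False when the CA is not configured and otherwise passes through the result of `cainstance.ensure_lightweight_cas_container()`. What that result is cannot be stated from here, because `ensure_entry` is cut off after its first line at the end of the hunk.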
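Review bot: The rewritten `schema_files=[` line in the `ca_upgrade_schema` hunk keeps the missing spaces around `=` from the line it replaces; since the statement is being rewritten anyway, `schema_files = [` would match PEP 8 and the surrounding code. The second absolute path is added with no explanation, and a Dogtag package that does not ship it will only surface through the `except Exception` branch visible at the bottom of the hunk, so a comment such as `# schema-authority.ldif: Dogtag schema for lightweight CA (authority) entries` on that element would tell a later reader why it is required. The rest of `ca_upgrade_schema` lies outside the hunk.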
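Review bot: In the `upgrade_configuration` hunk, `ca_ensure_lightweight_cas_container(ca)` is called unconditionally and its result is discarded, including the `False` it returns when the CA is not configured, so a failed container creation is only noticed if `ensure_entry` raises. That matches how the neighbouring `ca_enable_ldap_profile_subsystem(ca)` is treated, but the new call sits directly after the `except ipautil.CalledProcessError` branch that merely logs a failed CA restart, so it can run against a CA service that did not come back up. Whether that matters depends on which backend `ensure_entry` talks to, which is not visible here (only `installutils.realm_to_serverid(api.env.realm)` is shown); once confirmed, a one-line comment above the call such as `# NOTE: container is created via the directory server, not the CA REST API - confirm` would settle it for readers. `upgrade_configuration` starts and ends outside the hunk.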
