author | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-06 12:07:29 +1000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-15 07:13:38 +0200 |
commit | 7d8699580d44fc65ca50982107d7037f2a64aa60 (patch) | |
tree | c45eeac404c5000aa28c905261631afee0143f1f /ipaserver | |
parent | 3d4db834caa0688bcefc0092b7978402b783eaf3 (diff) | |
Add IPA CA entry on install / upgrade
In addition to user-created lightweight CAs, CA ACLs need to be able
to refer to the "main" CA. Add an entry for the IPA CA on
installation and upgrade.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/cainstance.py | 37 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3e2576d05..c7f3116f6 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -433,6 +433,7 @@ class CAInstance(DogtagInstance):
 self.step("importing IPA certificate profiles", import_included_profiles)
 self.step("adding default CA ACL", ensure_default_caacl)
+ self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
 self.step("updating IPA configuration", update_ipa_conf)
 self.start_creation(runtime=210)
@@ -1900,6 +1901,42 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite):
 "(it is probably already enabled)")
+def ensure_ipa_authority_entry():
+ """Add the IPA CA ipaCa object if missing."""
+
+ # find out authority id, issuer DN and subject DN of IPA CA
+ #
+ api.Backend.ra_lightweight_ca._read_password()
+ api.Backend.ra_lightweight_ca.override_port = 8443
+ with api.Backend.ra_lightweight_ca as lwca:
+ data = lwca.read_ca('host-authority')
+ attrs = dict(
+ ipacaid=data['id'],
+ ipacaissuerdn=data['issuerDN'],
+ ipacasubjectdn=data['dn'],
+ )
+ api.Backend.ra_lightweight_ca.override_port = None
+
+ is_already_connected = api.Backend.ldap2.isconnected()
+ if not is_already_connected:
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except errors.PublicError as e:
+ root_logger.error("Cannot connect to LDAP to add CA: %s", e)
+ return
+
+ ensure_entry(
+ DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn),
+ objectclass=['top', 'ipaca'],
+ cn=[ipalib.constants.IPA_CA_CN],
+ description=['IPA CA'],
+ **attrs
+ )
+
+ if not is_already_connected:
+ api.Backend.ldap2.disconnect()
+
+
 def ensure_default_caacl():
 """Add the default CA ACL if missing."""
 is_already_connected = api.Backend.ldap2.isconnected()
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 81a49e8af..cd9b7c4a8 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
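Review bot: In the new `ensure_ipa_authority_entry`, `api.Backend.ra_lightweight_ca.override_port = 8443` is only reset to `None` after the `with` block completes normally, so an exception from `_read_password()` or `read_ca('host-authority')` leaves the backend pinned to 8443 for whatever uses it later in the same install or upgrade run (the upgrade.py hunk calls this from `upgrade_configuration`, where other CA steps presumably follow). The LDAP side has the same shape: when this function opened the `ldap2` connection itself, an exception from `ensure_entry` skips the `disconnect()` at the bottom and leaves the connection open. Both resets belong in `finally` blocks, as sketched below. Reaching into the private `_read_password()` from a module-level function is also worth replacing with a public method on that backend, if one exists.
```python
    api.Backend.ra_lightweight_ca.override_port = 8443
    try:
        with api.Backend.ra_lightweight_ca as lwca:
            data = lwca.read_ca('host-authority')
    finally:
        # reset even when the read fails, so later users of the backend are not pinned to 8443
        api.Backend.ra_lightweight_ca.override_port = None
    # … attrs = dict(...) built from data, as before …

    # … unchanged: ldap2 isconnected / connect / early return on PublicError …

    try:
        ensure_entry(
            DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn),
            objectclass=['top', 'ipaca'],
            cn=[ipalib.constants.IPA_CA_CN],
            description=['IPA CA'],
            **attrs
        )
    finally:
        # release the connection this function opened, even if the write fails
        if not is_already_connected:
            api.Backend.ldap2.disconnect()
```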
@@ -1724,6 +1724,7 @@ def upgrade_configuration():
 if ca.is_configured():
 cainstance.repair_profile_caIPAserviceCert()
 ca.setup_lightweight_ca_key_retrieval()
+ cainstance.ensure_ipa_authority_entry()
 set_sssd_domain_option('ipa_server_mode', 'True') |