3 files changed, 26 insertions, 4 deletions

diff --git a/API.txt b/API.txt
index 5a5e20b3b..68ce3560d 100644
--- a/API.txt
+++ b/API.txt
@@ -789,9 +789,10 @@ args: 0,1,1
 option: Str('version?')
 output: Output('result')
 command: config_mod
-args: 0,25,3
+args: 0,26,3
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('ca_renewal_master_server?', autofill=False)
 option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'])
 option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
diff --git a/VERSION b/VERSION
index c28fd1929..7c3e46a98 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=179
-# Last change: mbabinsk - Server Roles: make server-{show,find} utilize role information
+IPA_API_VERSION_MINOR=180
+# Last change: mbabink - Server Roles: provide an API for setting CA renewal master
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index 95d1d6409..94a48a27d 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -243,7 +243,7 @@ class config(LDAPObject):
             'ca_renewal_master_server?',
             label=_('IPA CA renewal master'),
             doc=_('Renewal master for IPA certificate authority'),
-            flags={'virtual_attribute', 'no_create', 'no_update'}
+            flags={'virtual_attribute', 'no_create'}
         )
     )
 
@@ -377,8 +377,29 @@ class config_mod(LDAPUpdate):
                 raise errors.ValidationError(name=failedattr,
                     error=_('SELinux user map default user not in order list'))
 
+        if 'ca_renewal_master_server' in options:
+            new_master = options['ca_renewal_master_server']
+
+            try:
+                self.api.Object.server.get_dn_if_exists(new_master)
+            except errors.NotFound:
+                self.api.Object.server.handle_not_found(new_master)
+
+            backend = self.api.Backend.serverroles
+            backend.config_update(ca_renewal_master_server=new_master)
+
         return dn
 
+    def exc_callback(self, keys, options, exc, call_func,
+                     *call_args, **call_kwargs):
+        if (isinstance(exc, errors.EmptyModlist) and
+                call_func.__name__ == 'update_entry' and
+                'ca_renewal_master_server' in options):
+            return
+
+        super(config_mod, self).exc_callback(
+            keys, options, exc, call_func, *call_args, **call_kwargs)
+
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         self.obj.show_servroles_attributes(entry_attrs, **options)
         return dn