From a497288b3eafe00ab9c819dd4a51d0b421824b36 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 2 Dec 2015 12:22:45 +0100 Subject: replica install: improvements in the handling of CA-related IPA config entries When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to nearest CA master and all certificate requests are forwarded to it. A subsequent installation of CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by freshly installed local CA. https://fedorahosted.org/freeipa/ticket/5506 Reviewed-By: Martin Basti --- ipaserver/install/cainstance.py | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'ipaserver/install/cainstance.py') diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 65f9e463d..2ca718a7b 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -41,7 +41,7 @@ import shlex import pipes from six.moves import urllib -from six.moves.configparser import ConfigParser +from six.moves.configparser import ConfigParser, RawConfigParser from ipalib import api from ipalib import pkcs10, x509 @@ -429,6 +429,7 @@ class CAInstance(DogtagInstance): self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) + self.step("updating IPA configuration", update_ipa_conf) self.start_creation(runtime=210) @@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance): self.track_servercert) self.step("Configure HTTP to proxy connections", self.http_proxy) + self.step("updating IPA configuration", update_ipa_conf) self.step("Restart HTTP server to pick up changes", self.__restart_http_instance) 
@@ -1768,6 +1770,21 @@ def ensure_default_caacl():
 api.Backend.ldap2.disconnect()
+def update_ipa_conf():
+ """
+ Update IPA configuration file to ensure that RA plugins are enabled and
+ that CA host points to localhost
+ """
+ parser = RawConfigParser()
+ parser.read(paths.IPA_DEFAULT_CONF)
+ parser.set('global', 'enable_ra', 'True')
+ parser.set('global', 'ra_plugin', 'dogtag')
+ parser.set('global', 'dogtag_version', '10')
+ parser.remove_option('global', 'ca_host')
+ with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+ parser.write(f)
+
+
 if __name__ == "__main__":
 standard_logging_setup("install.log")
 ds = dsinstance.DsInstance()
-- cgit
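Review bot: `update_ipa_conf()` rewrites `paths.IPA_DEFAULT_CONF` in place with `open(paths.IPA_DEFAULT_CONF, 'w')`, so an interruption between the truncation and `parser.write(f)` leaves the host with an empty or partial IPA configuration. Writing to a temporary file in the same directory and renaming it over the original, with mode and ownership carried over, would make the update all-or-nothing. The result of `parser.read()` is also unchecked: it silently skips a file it cannot open, so a missing or unreadable config only surfaces as `NoSectionError` from the first `parser.set('global', ...)`. A check such as `if not parser.read(paths.IPA_DEFAULT_CONF): raise RuntimeError(...)` would name the real cause. The docstring says the CA host "points to localhost", but the code removes `ca_host` rather than setting it; wording like `and that any ca_host override is removed so requests are handled by the local CA` would match the visible lines.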