authorJan Cholasta <jcholast@redhat.com>2016-05-23 16:18:02 +0200
committerJan Cholasta <jcholast@redhat.com>2016-05-24 14:54:01 +0200
commitdea924ac8a04c923d96e04c4c40e253ae1ee857c (patch)
tree93aa731780d611d6e2caaad4491ce80af10530b3
parentd71de186cc4d942b2a1bb7fcd9677bfcedd86b26 (diff)
replica install: do not set CA renewal master flag
The CA renewal master flag was unconditionally set on every replica during replica install. This causes the Dogtag certificates initially shared among all replicas to differ after renewal. Do not set the CA renewal master flag in replica install anymore. On upgrade, remove the flag from all but one of the IPA masters. https://fedorahosted.org/freeipa/ticket/5902 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipaserver/install/ca.py6
-rw-r--r--ipaserver/install/cainstance.py2
-rw-r--r--ipaserver/install/plugins/ca_renewal_master.py24
3 files changed, 28 insertions, 4 deletions
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index acc54334e..3a827aee8 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -188,7 +188,11 @@ def install_step_1(standalone, replica_config, options):
ca.stop('pki-tomcat')
# We need to ldap_enable the CA now that DS is up and running
- ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
+ if replica_config is None:
+ config = ['caRenewalMaster']
+ else:
+ config = []
+ ca.ldap_enable('CA', host_name, dm_password, basedn, config)
# This is done within stopped_service context, which restarts CA
ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH)
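Review bot: The four-line if/else that selects `config` would read more directly as one conditional expression next to the call it feeds, `config = ['caRenewalMaster'] if replica_config is None else []`. The existing comment above only explains the ldap_enable call, so a one-line why-comment stating the new rule would help the next reader, e.g. `# Only a fresh master install claims caRenewalMaster; replicas must not, or the shared Dogtag certificates diverge after renewal`. install_step_1 starts and ends outside this hunk.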
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 337a07797..475e74d7f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1288,7 +1288,7 @@ class CAInstance(DogtagInstance):
def __enable_instance(self):
basedn = ipautil.realm_to_suffix(self.realm)
- self.ldap_enable('CA', self.fqdn, None, basedn, ['caRenewalMaster'])
+ self.ldap_enable('CA', self.fqdn, None, basedn)
def configure_replica(self, master_host, subject_base=None,
ca_cert_bundle=None, ca_signing_algorithm=None,
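Review bot: The changed call drops the config-string argument and relies on the default of `ldap_enable`, whose value is not visible in this diff, while the parallel change in ca.py passes an explicit (possibly empty) list. Passing the empty list explicitly, `self.ldap_enable('CA', self.fqdn, None, basedn, [])`, would keep the two call sites consistent and make it clear that no config string is intended rather than whatever the default happens to provide. __enable_instance is fully shown, but the enclosing CAInstance class continues outside the hunk.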
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index e83cf3b02..a92caf9c4 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
ldap = self.api.Backend.ldap2
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
+ dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
try:
entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
pass
else:
self.debug("found CA renewal master %s", entries[0].dn[1].value)
- return False, []
+
+ master = False
+ updates = []
+
+ for entry in entries:
+ if entry.dn == dn:
+ master = True
+ continue
+
+ updates.append({
+ 'dn': entry.dn,
+ 'updates': [
+ dict(action='remove', attr='ipaConfigString',
+ value='caRenewalMaster')
+ ],
+ })
+
+ if master:
+ return False, updates
+ else:
+ return False, []
criteria = {
'cert-database': paths.HTTPD_ALIAS_DIR,
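Review bot: The new loop only strips `caRenewalMaster` from the other flagged entries when the local host is itself among them, so it looks like two hosts that both carry the flag and run this updater concurrently could each remove the other's flag and leave no renewal master at all; please confirm how upgrades on different masters are sequenced, or consider keeping the first flagged entry (the one already logged on the `self.debug` line) regardless of which host runs the updater. The trailing `if master: ... else: ...` pair can collapse to `return False, updates if master else []`. The `self.debug` message still reports only `entries[0]`, which may be misleading once several entries are found; logging `len(entries)` as well would make the upgrade log useful for diagnosing this case. The enclosing execute method of update_ca_renewal_master starts before this hunk and continues after it.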
@@ -95,7 +116,6 @@ class update_ca_renewal_master(Updater):
"assuming local CA is renewal slave", config)
return (False, False, [])
- dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
update = {
'dn': dn,
'updates': [