author | Jan Cholasta <jcholast@redhat.com> | 2016-05-23 16:18:02 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-05-24 14:54:01 +0200 |
commit | dea924ac8a04c923d96e04c4c40e253ae1ee857c (patch) | |
tree | 93aa731780d611d6e2caaad4491ce80af10530b3 | |
parent | d71de186cc4d942b2a1bb7fcd9677bfcedd86b26 (diff) | |
replica install: do not set CA renewal master flag
The CA renewal master flag was unconditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.
Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA masters.
https://fedorahosted.org/freeipa/ticket/5902
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | ipaserver/install/ca.py | 6 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 2 | ||||
-rw-r--r-- | ipaserver/install/plugins/ca_renewal_master.py | 24 |
3 files changed, 28 insertions, 4 deletions
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index acc54334e..3a827aee8 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -188,7 +188,11 @@ def install_step_1(standalone, replica_config, options): ca.stop('pki-tomcat') # We need to ldap_enable the CA now that DS is up and running - ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster']) + if replica_config is None: + config = ['caRenewalMaster'] + else: + config = [] + ca.ldap_enable('CA', host_name, dm_password, basedn, config) # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 337a07797..475e74d7f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1288,7 +1288,7 @@ class CAInstance(DogtagInstance): def __enable_instance(self): basedn = ipautil.realm_to_suffix(self.realm) - self.ldap_enable('CA', self.fqdn, None, basedn, ['caRenewalMaster']) + self.ldap_enable('CA', self.fqdn, None, basedn) def configure_replica(self, master_host, subject_base=None, ca_cert_bundle=None, ca_signing_algorithm=None, diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index e83cf3b02..a92caf9c4 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater): ldap = self.api.Backend.ldap2 base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.api.env.basedn) + dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))' try: entries = ldap.get_entries(base_dn=base_dn, filter=filter, 
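Review bot: The four-line if/else that picks `config` in install_step_1 reduces to a single expression, `config = ['caRenewalMaster'] if replica_config is None else []`, and the reason replicas are excluded deserves a comment since it is the whole point of the fix: `# Only the first master holds the CA renewal master flag; a replica claiming it makes the shared Dogtag certificates diverge on renewal.` The cainstance.py hunk expresses the same "no flags" intent differently, by dropping the argument to `self.ldap_enable(...)` altogether rather than passing `[]`; using one form at both call sites would make the intent easier to follow. The body of install_step_1 continues outside the hunk.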
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater): pass else: self.debug("found CA renewal master %s", entries[0].dn[1].value) - return False, [] + + master = False + updates = [] + + for entry in entries: + if entry.dn == dn: + master = True + continue + + updates.append({ + 'dn': entry.dn, + 'updates': [ + dict(action='remove', attr='ipaConfigString', + value='caRenewalMaster') + ], + }) + + if master: + return False, updates + else: + return False, [] criteria = { 'cert-database': paths.HTTPD_ALIAS_DIR, @@ -95,7 +116,6 @@ class update_ca_renewal_master(Updater): "assuming local CA is renewal slave", config) return (False, False, []) - dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) update = { 'dn': dn, 'updates': [ |
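Review bot: The removals scheduled in the new `for entry in entries:` loop are silent, yet taking `caRenewalMaster` away from another host changes which server renews the shared CA certificates, so each one should be logged before the `updates.append({...})` call, e.g. `self.debug("removing CA renewal master flag from %s", entry.dn)` (or the info-level sibling if the Updater base exposes one — only `self.debug` is visible here). Relatedly, the pre-existing debug line still reports only `entries[0]`, while the new code now handles any number of renewal masters. The trailing branch collapses to `return False, updates if master else []`. One hedged concern: if two hosts that both hold the flag run this updater before either set of updates is applied, each would schedule removal of the other's flag and no renewal master would remain; a comment on the loop stating that the upgrade is expected to run on one master at a time would make that assumption explicit. The enclosing method of update_ca_renewal_master continues outside the hunk.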