author | Martin Babinsky <mbabinsk@redhat.com> | 2017-03-09 12:49:54 -0500 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-03-15 16:39:39 +0100 |
commit | bd18b5f91e3f98fa877def245c54c1cd33bd372e (patch) | |
tree | 9bb362699d194f163e77c3a35eb7342432c0b799 | |
parent | b5b23e073e59930e4dcf14ea8031c2c0441e6344 (diff) | |
Move PKINIT configuration to a later stage of server/replica install
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:
* CA is configured or PKCS#12 file is provided
* LDAP, KDC and Apache are configured and the master role is thus
completed and enabled
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipaserver/install/krbinstance.py | 24 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 3 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 3 |
3 files changed, 23 insertions, 7 deletions
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 5f2a4b1c1..04cf681df 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -69,6 +69,7 @@ class KrbInstance(service.Service): self.sub_dict = None self.pkcs12_info = None self.master_fqdn = None + self.config_pkinit = None suffix = ipautil.dn_attribute_property('_suffix') subject_base = ipautil.dn_attribute_property('_subject_base') @@ -147,6 +148,7 @@ class KrbInstance(service.Service): self.master_password = master_password self.pkcs12_info = pkcs12_info self.subject_base = subject_base + self.config_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) @@ -161,10 +163,6 @@ class KrbInstance(service.Service): self.__common_post_setup() - if setup_pkinit: - self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) - self.start_creation() self.kpasswd = KpasswdInstance() @@ -179,14 +177,12 @@ class KrbInstance(service.Service): self.pkcs12_info = pkcs12_info self.subject_base = subject_base self.master_fqdn = master_fqdn + self.config_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("configuring KDC", self.__configure_instance) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) - if setup_pkinit: - self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) self.__common_post_setup() 
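Review bot: In the `@@ -161` and `@@ -179` hunks the `setup_pkinit` argument of `create_instance` / `create_replica` is now only recorded in `self.config_pkinit` and nothing in either method acts on it any more, so a caller that is not also changed to invoke `enable_ssl()` afterwards ends up with a KDC that silently never receives its PKINIT certificate; this commit updates only `server/install.py` and `server/replicainstall.py`, and I cannot see from here whether other callers exist. That deferred contract should be spelled out on both methods, e.g. a docstring line `PKINIT is not configured here; the caller must run enable_ssl() once the CA (or PKCS#12 file), LDAP, KDC and httpd are in place.` Both enclosing methods start outside these hunks. It is also worth confirming that krb5kdc starts cleanly during the window before `enable_ssl()` runs, since the kdc.conf it is started with presumably already references the not-yet-issued PKINIT identity files.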
@@ -393,6 +389,20 @@ class KrbInstance(service.Service): # have any selinux issues with the file context shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) + try: + self.restart() + except Exception: + root_logger.critical("krb5kdc service failed to restart") + raise + + def enable_ssl(self): + if self.config_pkinit: + self.steps = [] + self.step("installing X509 Certificate for PKINIT", + self.setup_pkinit) + + self.start_creation() + def get_anonymous_principal_name(self): return "%s@%s" % (ANON_USER, self.realm) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index d9710dcab..de6b5b312 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -836,6 +836,9 @@ def install(installer): ca.set_subject_base_in_config(options.subject_base) + # configure PKINIT now that all required services are in place + krb.enable_ssl() + # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. service.print_msg("Applying LDAP updates") diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index d7f0307e1..b4463fd40 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1461,6 +1461,9 @@ def install(installer): options.dm_password = config.dirman_password ca.install(False, config, options) + # configure PKINIT now that all required services are in place + krb.enable_ssl() + # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg("Applying LDAP updates") ds.apply_updates() |
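Review bot: `enable_ssl()` clears `self.steps` only inside the `if self.config_pkinit:` branch, and the collapsed layout of this hunk does not show whether `self.start_creation()` is inside that branch or after it; if it is outside, a call with PKINIT disabled re-runs whatever step list is still queued from `create_instance` / `create_replica` (unless the base `Service.start_creation` empties it, which I cannot see from here), so please confirm the indentation and guard both lines under the `if`. The method name is also misleading — it requests and installs the KDC's PKINIT certificate rather than enabling SSL — so at least give it a docstring such as `"""Request and install the PKINIT certificate; must run after CA/LDAP/KDC/httpd are configured."""` and a comment on the reset, `# steps queued by create_instance()/create_replica() have already run; start a fresh list`. In the restart block, `except Exception:` with `root_logger.critical(...)` and `raise` is acceptable since the error is re-raised, but the message carries no detail; `root_logger.critical("krb5kdc service failed to restart: %s", e)` (binding `as e`) keeps the cause in the log without swallowing it. The method that ends with `shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)` starts outside the hunk.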
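Review bot: The new `krb.enable_ssl()` in `server/install.py` is placed before `ds.apply_updates()`, so the PKINIT certificate request runs against a directory that has not yet received the LDAP updates; if the certificate profile or CA ACL that authorises the KDC's request is provisioned by an updater plugin rather than by `ca.install`, the request would be rejected at this point. I cannot tell from this hunk which component creates them, so either confirm they exist before this line or move the call after the updates. The comment should record the actual prerequisite rather than the vague "all required services", e.g. `# PKINIT needs the CA (or PKCS#12), LDAP, KDC and httpd configured and the KDC cert profile/ACL already present`. The enclosing `install(installer)` function starts and ends outside the hunk.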
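Review bot: In `server/replicainstall.py` the context lines preceding the new `krb.enable_ssl()` (`options.dm_password = config.dirman_password` and `ca.install(False, config, options)`) read like the body of a conditional CA-setup block, and the collapsed layout drops the indentation that decides whether the new call is inside it; if it is, a replica installed without a local CA (the PKCS#12 path the commit message lists as a valid prerequisite) would never configure PKINIT. Please verify the call sits at function level, directly before the `# Apply any LDAP updates` comment, and make that explicit in the comment: `# configure PKINIT now that the CA (if any), LDAP, KDC and httpd are up; runs whether or not a local CA was installed`. The same question as on the server installer applies here about requesting the KDC certificate before `ds.apply_updates()`. The enclosing `install(installer)` function starts and ends outside the hunk.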