authorPetr Vobornik <pvoborni@redhat.com>2015-07-15 11:17:14 +0200
committerSimo Sorce <simo@redhat.com>2015-10-01 16:20:49 -0400
commitd23e817d5ff797a8c19bba8a393f77b3ff544f31 (patch)
tree156cf30518c9650064e22ee3773dbd7fa8ba9b24
parent77e7728ba6e85cd08e8a8244c1bd95757ab731a8 (diff)
topology: manage ca replication agreements
Configure IPA so that the topology plugin will also manage CA replication agreements. On upgrade, if a CA is configured: - the ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX - ipaReplTopoManagedSuffix: o=ipaca is added to the master entry - binddngroup is added to the o=ipaca replica entry Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--freeipa.spec.in4
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/ca-topology.uldif15
-rw-r--r--install/updates/20-replication.update5
-rw-r--r--install/updates/90-post_upgrade_plugins.update1
-rw-r--r--ipaplatform/base/paths.py1
-rw-r--r--ipaserver/install/cainstance.py10
-rw-r--r--ipaserver/install/plugins/update_ca_topology.py34
8 files changed, 69 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index dc4e4bfbd..29eb07cf1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,8 +139,8 @@ Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= 0.54.2-1
-Requires: pki-ca >= 10.2.6
-Requires: pki-kra >= 10.2.6
+Requires: pki-ca >= 10.2.7
+Requires: pki-kra >= 10.2.7
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: python-dns >= 1.11.1
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index d952679e6..7dae55fdb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -27,6 +27,7 @@ app_DATA = \
72domainlevels.ldif \
anonymous-vlv.ldif \
bootstrap-template.ldif \
+ ca-topology.uldif \
caJarSigningCert.cfg.template \
custodia.conf.template \
default-aci.ldif \
diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
new file mode 100644
index 000000000..3da9eaee1
--- /dev/null
+++ b/install/share/ca-topology.uldif
@@ -0,0 +1,15 @@
+# add IPA CA managed suffix to master entry
+dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+add: objectclass: ipaReplTopoManagedServer
+add: ipaReplTopoManagedSuffix: o=ipaca
+
+# add IPA CA topology configuration area
+dn: cn=ipaca,cn=topology,cn=ipa,cn=etc,$SUFFIX
+default: objectclass: top
+default: objectclass: iparepltopoconf
+default: ipaReplTopoConfRoot: o=ipaca
+default: cn: ipaca
+
+# Update CA replication settings
+dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
+onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
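Review bot: The final `onlyifexist:` stanza sets `nsds5replicabinddngroup` on the o=ipaca replica entry but not `nsds5replicabinddngroupcheckinterval`; if the interval is left at the directory server's default, the group is (to my recollection) expanded only when the replica configuration is loaded, so a host added to `cn=replication managers` after this runs may be unable to bind as a CA supplier until the next restart — confirm whether the realm replica entry receives the interval elsewhere and, if so, mirror it here with `onlyifexist: nsds5replicabinddngroupcheckinterval: 60`. The header comment above the stanza should also state the trust consequence, since membership in that group now grants supplier-level write access to the CA suffix, e.g. `# members of the replication managers group may now act as replication suppliers for o=ipaca`.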
diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index 83d5d1f0c..43f4edc0d 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
@@ -28,6 +28,11 @@ default: objectclass: iparepltopoconf
default: ipaReplTopoConfRoot: $SUFFIX
default: cn: realm
+# add IPA realm managed suffix to master entry
+dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+add: objectclass: ipaReplTopoManagedServer
+add: ipaReplTopoManagedSuffix: $SUFFIX
+
# Set replication changelog limit (#5086)
dn: cn=changelog5,cn=config
addifnew: nsslapd-changelogmaxage: 7d
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 3df3a4574..2089b3320 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -2,6 +2,7 @@
# middle
+plugin: update_ca_topology
plugin: update_dnszones
plugin: update_dns_limits
plugin: update_default_range
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 98aa5f9b7..644e94e78 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -236,6 +236,7 @@ class BasePathNamespace(object):
SMBD = "/usr/sbin/smbd"
USERADD = "/usr/sbin/useradd"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+ CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
FFEXTENSION = "/usr/share/ipa/ffextension"
IPA_HTML_DIR = "/usr/share/ipa/html"
CA_CRT = "/usr/share/ipa/html/ca.crt"
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ebf9a7ea5..fefcb8e76 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -63,6 +63,7 @@ from ipapython.ipa_log_manager import log_mgr,\
from ipaserver.install import certs
from ipaserver.install import dsinstance
from ipaserver.install import installutils
+from ipaserver.install import ldapupdate
from ipaserver.install import service
from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.dogtaginstance import PKI_USER, DEFAULT_DSPORT
@@ -797,6 +798,15 @@ class CAInstance(DogtagInstance):
except Exception as e:
root_logger.warning("Failed to backup CS.cfg: %s", e)
+ def __update_topology(self):
+ ld = ldapupdate.LDAPUpdate(ldapi=True, sub_dict={
+ 'SUFFIX': api.env.basedn,
+ 'FQDN': self.fqdn,
+ })
+ rv = ld.update([paths.CA_TOPOLOGY_ULDIF])
+ if not rv:
+ raise RuntimeError("Failed to update CA topology configuration")
+
def __disable_nonce(self):
# Turn off Nonces
update_result = installutils.update_file(
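Review bot: `__update_topology` treats a falsy return from `ld.update()` as failure, but my recollection is that `LDAPUpdate.update()` returns a "something was modified" flag rather than a success flag — please confirm; if so, re-running the installer against a directory where the entries already exist would raise `RuntimeError("Failed to update CA topology configuration")` for no reason. If `update()` raises on real LDAP errors, drop the `rv` check and let the exception propagate; otherwise test the specific failure signal it provides. The method's registration as an install step is not in this hunk and the enclosing class is outside it, so I could not check that it runs after the o=ipaca replica entry exists. A docstring such as `"""Register o=ipaca as a topology-managed suffix for this master and set the CA replica bind DN group."""` would help readers.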
diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
new file mode 100644
index 000000000..ce4b5bc9a
--- /dev/null
+++ b/ipaserver/install/plugins/update_ca_topology.py
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipalib import Updater
+from ipaserver.install import certs, cainstance
+from ipaserver.install import ldapupdate
+from ipaplatform.paths import paths
+
+
+class update_ca_topology(Updater):
+ """
+ Updates CA topology configuration entries
+ """
+
+ def execute(self, **options):
+
+ ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+ if not ca.is_configured():
+ self.log.debug("CA is not configured on this host")
+ return False, []
+
+ ld = ldapupdate.LDAPUpdate(ldapi=True, sub_dict={
+ 'SUFFIX': self.api.env.basedn,
+ 'FQDN': self.api.env.host,
+ })
+ rv = ld.update([paths.CA_TOPOLOGY_ULDIF])
+ if not rv:
+ self.log.error("Failed to update CA topology configuration")
+
+ return False, []
+
+api.register(update_ca_topology)
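Review bot: A failed CA topology update in `execute` is only logged at error level and the method still returns `(False, [])`, so an upgrade finishes "successfully" while the CA replication agreements are left outside the topology plugin's control — consider raising, as `cainstance.__update_topology` in this same commit does, or otherwise propagating an upgrade failure. The same `rv` concern applies here: if `ld.update()` reports whether anything was modified rather than success (verify), a second upgrade run logs a spurious error. The `is_configured()` guard is good; the class docstring could note it, e.g. `"""Updates CA topology configuration entries; no-op on hosts without a configured CA."""`.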