author | Jan Cholasta <jcholast@redhat.com> | 2013-04-15 12:19:11 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-04-15 21:12:36 +0200 |
commit | f684c6d6f8f8cde5689a92cf2b06914c3e3da34c (patch) | |
tree | 807412f94d71a20b279fcdb02835fb0d2f46f654 /install | |
parent | ddeb1cea5564093799a6352b2c25bda68d971ce3 (diff) | |
Use A/AAAA records instead of CNAME records in ipa-ca.
https://fedorahosted.org/freeipa/ticket/3547
Diffstat (limited to 'install')
-rw-r--r-- | install/share/bind.zone.db.template | 2 | ||||
-rwxr-xr-x | install/tools/ipa-ca-install | 2 | ||||
-rwxr-xr-x | install/tools/ipa-replica-manage | 1 | ||||
-rw-r--r-- | install/tools/ipa-upgradeconfig | 54 |
4 files changed, 32 insertions, 27 deletions
diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
index 5ee71d688..6795bb01a 100644
--- a/install/share/bind.zone.db.template
+++ b/install/share/bind.zone.db.template
@@ -26,4 +26,4 @@ _kpasswd._udp IN SRV 0 100 464 $HOST
 $OPTIONAL_NTP
 ; CNAME for IPA CA replicas (used for CRL, OCSP)
-$IPA_CA_CNAME IN CNAME $HOST
+$IPA_CA_RECORD
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index f8f7e1d5d..2ebce60c2 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -85,7 +85,7 @@ def install_dns_records(config, options):
 try:
 api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
 bind_pw=config.dirman_password)
- bind.add_ipa_ca_cname(config.host_name, config.domain_name)
+ bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
 finally:
 if api.Backend.ldap2.isconnected():
 api.Backend.ldap2.disconnect()
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 956fb2f14..8ab4dc547 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -718,6 +718,7 @@ def del_master(realm, hostname, options):
 api.Backend.ldap2.connect(ccache=ccache)
 bind = bindinstance.BindInstance()
 bind.remove_master_dns_records(hostname, realm, realm.lower())
+ bind.remove_ipa_ca_dns_records(hostname, realm.lower())
 except Exception, e:
 print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
 print "You may need to manually remove them from the tree"
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c690544fa..dbbffe321 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
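Review bot: The context line `; CNAME for IPA CA replicas (used for CRL, OCSP)` is now a stale comment: the record that follows it is no longer a CNAME alias but whatever `$IPA_CA_RECORD` expands to, which per the commit title is a set of A/AAAA records. Change it to `; A/AAAA records for IPA CA replicas (used for CRL, OCSP)` so a reader of the generated zone does not expect a single alias to one host. Because an address set is a copy of each CA master's addresses rather than a pointer to its name, a second comment line should warn that these records must be updated whenever a CA master changes address or is decommissioned, otherwise ipa-ca keeps steering CRL/OCSP clients at an address that may no longer belong to IPA; presumably the bindinstance helpers introduced elsewhere in this commit are what keep them current.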
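Review bot: The added `bind.remove_ipa_ca_dns_records(hostname, realm.lower())` only executes if `bind.remove_master_dns_records(...)` on the line above returns normally; when that call raises, the shared `except Exception` prints one generic message and the ipa-ca address records of the removed master are never attempted. With A/AAAA records instead of a CNAME that is a worse failure mode than before, since a stale ipa-ca entry keeps directing CRL/OCSP clients at an IP that is no longer an IPA CA and may later be reassigned. Give the CA-record cleanup its own try/except so one failure cannot skip the other, and name the ipa-ca records in the message so an operator knows which entries to remove by hand. `del_master` and the enclosing `try` begin before this hunk, so the `connect(ccache=ccache)` line stays under the outer handler.
```python
    bind = bindinstance.BindInstance()
    try:
        bind.remove_master_dns_records(hostname, realm, realm.lower())
    except Exception, e:
        print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
        print "You may need to manually remove them from the tree"
    try:
        bind.remove_ipa_ca_dns_records(hostname, realm.lower())
    except Exception, e:
        print "Failed to cleanup ipa-ca DNS records for %s: %s" % (hostname, e)
        print "You may need to manually remove them from the tree"
```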
@@ -727,31 +727,35 @@ def migrate_crl_publish_dir(ca):
 'request pki-ca restart')
 return True
-def add_server_cname_records():
- root_logger.info('[Add missing server CNAME records]')
+def add_ca_dns_records():
+ root_logger.info('[Add missing CA DNS records]')
- if not sysupgrade.get_upgrade_state('dns', 'ipa_ca_cname'):
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError, e:
- root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
- else:
- ret = api.Command['dns_is_enabled']()
- if not ret['result']:
- root_logger.info('DNS is not configured')
- sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
- return
-
- bind = bindinstance.BindInstance()
- # DNS is enabled, so let bindinstance find out if CA is enabled
- # and let it add the CNAME in that case
- bind.add_ipa_ca_cname(api.env.host, api.env.domain, ca_configured=None)
- sysupgrade.set_upgrade_state('dns', 'ipa_ca_cname', True)
- finally:
- if api.Backend.ldap2.isconnected():
- api.Backend.ldap2.disconnect()
- else:
- root_logger.info('IPA CA CNAME already processed')
+ if sysupgrade.get_upgrade_state('dns', 'ipa_ca_records'):
+ root_logger.info('IPA CA DNS records already processed')
+ return
+
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError, e:
+ root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
+ return
+
+ ret = api.Command['dns_is_enabled']()
+ if not ret['result']:
+ root_logger.info('DNS is not configured')
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
+ return
+
+ bind = bindinstance.BindInstance()
+
+ bind.convert_ipa_ca_cnames(api.env.domain)
+
+ # DNS is enabled, so let bindinstance find out if CA is enabled
+ # and let it add the record in that case
+ bind.add_ipa_ca_dns_records(api.env.host, api.env.domain,
+ ca_configured=None)
+
+ sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
 def main():
 """
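Review bot: The rewritten `add_ca_dns_records` drops the `finally:` / `api.Backend.ldap2.disconnect()` that the removed `add_server_cname_records` had, and nothing on the new side closes the connection opened by `api.Backend.ldap2.connect(autobind=True)`, whether the function returns early at `DNS is not configured`, finishes normally, or `convert_ipa_ca_cnames` / `add_ipa_ca_dns_records` raise. Unless a later upgrade step is known to tear the backend down, that leaves a Directory-Manager-level autobind session open for the rest of the run, and an exception from the two bind calls propagates to `main()` with the connection still up. Restore the `try`/`finally` around everything after the connect, as below; the early-return branches can stay inside it since `finally` runs on `return` too. The hunk also covers the tail of `migrate_crl_publish_dir` and the head of `main`, which are unchanged.
```python
    try:
        ret = api.Command['dns_is_enabled']()
        if not ret['result']:
            root_logger.info('DNS is not configured')
            sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
            return

        bind = bindinstance.BindInstance()
        # … unchanged: convert_ipa_ca_cnames / add_ipa_ca_dns_records …
        sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
    finally:
        if api.Backend.ldap2.isconnected():
            api.Backend.ldap2.disconnect()
```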
@@ -845,7 +849,7 @@ def main():
 cleanup_kdc(fstore)
 setup_firefox_extension(fstore)
- add_server_cname_records()
+ add_ca_dns_records()
 changed_psearch = named_enable_psearch()
 changed_autoincrement = named_enable_serial_autoincrement()
 changed_gssapi_conf = named_update_gssapi_configuration() |