topology: manage ca replication agreements

Configure IPA so that topology plugin will manage also CA replication
agreements.

upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

3 files changed, 17 insertions, 0 deletions

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index d952679e6..7dae55fdb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -27,6 +27,7 @@ app_DATA =				\
 	72domainlevels.ldif			\
 	anonymous-vlv.ldif		\
 	bootstrap-template.ldif		\
+	ca-topology.uldif		\
 	caJarSigningCert.cfg.template	\
 	custodia.conf.template		\
 	default-aci.ldif		\
diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
new file mode 100644
index 000000000..3da9eaee1
--- /dev/null
+++ b/install/share/ca-topology.uldif
@@ -0,0 +1,15 @@
+# add IPA CA managed suffix to master entry
+dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+add: objectclass: ipaReplTopoManagedServer
+add: ipaReplTopoManagedSuffix: o=ipaca
+
+# add IPA CA topology configuration area
+dn: cn=ipaca,cn=topology,cn=ipa,cn=etc,$SUFFIX
+default: objectclass: top
+default: objectclass: iparepltopoconf
+default: ipaReplTopoConfRoot: o=ipaca
+default: cn: ipaca
+
+# Update CA replication settings
+dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
+onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 3df3a4574..2089b3320 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -2,6 +2,7 @@
 
 
 # middle
+plugin: update_ca_topology
 plugin: update_dnszones
 plugin: update_dns_limits
 plugin: update_default_range