authorJan Cholasta <jcholast@redhat.com>2016-05-23 16:18:02 +0200
committerJan Cholasta <jcholast@redhat.com>2016-05-24 14:54:01 +0200
commitdea924ac8a04c923d96e04c4c40e253ae1ee857c (patch)
tree93aa731780d611d6e2caaad4491ce80af10530b3 /ipaserver/install/plugins
parentd71de186cc4d942b2a1bb7fcd9677bfcedd86b26 (diff)
downloadfreeipa-dea924ac8a04c923d96e04c4c40e253ae1ee857c.tar.gz
freeipa-dea924ac8a04c923d96e04c4c40e253ae1ee857c.tar.xz
freeipa-dea924ac8a04c923d96e04c4c40e253ae1ee857c.zip
replica install: do not set CA renewal master flag
The CA renewal master flag was unconditionally set on every replica during replica install. This causes the Dogtag certificates initially shared among all replicas to diverge after renewal. Do not set the CA renewal master flag in replica install anymore. On upgrade, remove the flag from all but one of the IPA masters. https://fedorahosted.org/freeipa/ticket/5902 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r--ipaserver/install/plugins/ca_renewal_master.py24
1 files changed, 22 insertions, 2 deletions
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index e83cf3b02..a92caf9c4 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
ldap = self.api.Backend.ldap2
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
+ dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
try:
entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
pass
else:
self.debug("found CA renewal master %s", entries[0].dn[1].value)
- return False, []
+
+ master = False
+ updates = []
+
+ for entry in entries:
+ if entry.dn == dn:
+ master = True
+ continue
+
+ updates.append({
+ 'dn': entry.dn,
+ 'updates': [
+ dict(action='remove', attr='ipaConfigString',
+ value='caRenewalMaster')
+ ],
+ })
+
+ if master:
+ return False, updates
+ else:
+ return False, []
criteria = {
'cert-database': paths.HTTPD_ALIAS_DIR,
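Review bot: The cleanup in the new `else:` branch keeps whichever flagged master happens to run the upgrade first and strips the flag from the rest, so the surviving renewal master is chosen by upgrade order rather than by any property of the hosts, and if two flagged masters are upgraded at the same time each can remove the other's `caRenewalMaster` value and leave none set. That state is presumably repaired on the next run by falling through to the certificate-tracking checks that follow, but the contract deserves a comment above the `for` loop, e.g. `# Keep the local master's flag and strip it from every other flagged master; a concurrent upgrade on another flagged master can race with this and leave no flag set, which the next run re-elects`. The `self.debug("found CA renewal master %s", entries[0].dn[1].value)` line still reports only the first entry even though the loop now handles several, so it should say how many were found, e.g. `self.debug("found %d CA renewal master entries", len(entries))`. The enclosing method continues past the hunk on both sides.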
@@ -95,7 +116,6 @@ class update_ca_renewal_master(Updater):
"assuming local CA is renewal slave", config)
return (False, False, [])
- dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
update = {
'dn': dn,
'updates': [