author | Simo Sorce <simo@redhat.com> | 2015-08-07 15:14:58 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-10-01 16:20:49 -0400 |
commit | bbd4a394f8dddd6f07730a91b6e4583f51473cce (patch) | |
tree | 37f9bed3463c99334f998cea88b96c955ff9bc93 /ipaserver/install/server/replicainstall.py | |
parent | 7142caf4351a025a72051577775e3cf8969562aa (diff) | |
Allow to setup the CA when promoting a replica
This patch makes --setup-ca work to set up a clone CA while creating
a new replica. The standalone ipa-ca-install script is not converted
yet though.
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipaserver/install/server/replicainstall.py')
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 58 |
1 files changed, 24 insertions, 34 deletions
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index dcfaaedc2..363ada675 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -771,9 +771,9 @@ def install(installer):
 def promote_check(installer):
 options = installer
+ installer._top_dir = tempfile.mkdtemp("ipa")
+
 # FIXME: to implement yet
- if options.setup_ca:
- raise NotImplementedError
 if options.setup_kra:
 raise NotImplementedError
@@ -814,8 +814,10 @@ def promote_check(installer):
 config.host_name = api.env.host
 config.domain_name = api.env.domain
 config.master_host_name = api.env.server
+ config.ca_host_name = api.env.ca_host
 config.setup_ca = options.setup_ca
 config.setup_kra = options.setup_kra
+ config.dir = installer._top_dir
 installutils.verify_fqdn(config.host_name, options.no_host_dns)
 installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
@@ -1117,14 +1119,6 @@ def promote(installer):
 config.realm_name)
 custodia.create_replica(config.master_host_name)
- if config.setup_ca:
- options.realm_name = config.realm_name
- options.domain_name = config.domain_name
- options.host_name = config.host_name
- options.dm_password = config.dirman_password
-
- ca.install(False, config, options)
-
 krb = install_krb(config, setup_pkinit=not options.no_pkinit, promote=True)
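Review bot: `tempfile.mkdtemp("ipa")` passes "ipa" as mkdtemp's first positional parameter, which is `suffix`, so the directory is named like `/tmp/tmpXXXXXXipa`; if a recognisable prefix was intended, write `installer._top_dir = tempfile.mkdtemp(prefix="ipa")`. This directory is where the promote() hunk later stores the fetched CA key bundle (`cacert.p12`), so its lifetime is security-relevant, yet nothing in the visible hunks removes it; a why-comment on this line would make the intent explicit, e.g. `# scratch dir for promote(); holds the fetched CA key bundle and must be removed once it is consumed`. Whether `tempfile` is imported by this module cannot be seen from the hunk, and promote_check() continues past it.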
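Review bot: `config.ca_host_name = api.env.ca_host` is stored without the `verify_fqdn` check that `config.host_name` and `config.master_host_name` receive two lines below, although it is the host that `custodia.get_ca_keys` later contacts to fetch the CA keys when `--setup-ca` is used; adding `if options.setup_ca: installutils.verify_fqdn(config.ca_host_name, options.no_host_dns)` next to the existing checks keeps the three names on the same footing. Whether `api.env.ca_host` is always populated at this point cannot be seen from the hunk, so the check may need a None guard; promote_check() continues outside the hunk.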
@@ -1133,37 +1127,33 @@ def promote(installer):
 auto_redirect=not options.no_ui_redirect, promote=True)
- otpd = otpdinstance.OtpdInstance()
- otpd.create_instance('OTPD', config.host_name, config.dirman_password,
- ipautil.realm_to_suffix(config.realm_name))
-
- CA = cainstance.CAInstance(
- config.realm_name, certs.NSS_DIR,
- dogtag_constants=dogtag_constants)
- CA.dm_password = config.dirman_password
- CA.configure_certmonger_renewal()
- CA.fix_ra_perms()
-
 # Apply any LDAP updates. Needs to be done after the replica is synced-up
 service.print_msg("Applying LDAP updates")
 ds.apply_updates()
- if options.setup_kra:
- kra.install(api, config, options)
- else:
- service.print_msg("Restarting the directory server")
- ds.restart()
-
- service.print_msg("Restarting the KDC")
- krb.restart()
+ otpd = otpdinstance.OtpdInstance()
+ otpd.create_instance('OTPD', config.host_name, config.dirman_password,
+ ipautil.realm_to_suffix(config.realm_name))
 if config.setup_ca:
- dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
- dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
+ options.realm_name = config.realm_name
+ options.domain_name = config.domain_name
+ options.host_name = config.host_name
+ options.dm_password = config.dirman_password
+ ca_data = (os.path.join(config.dir, 'cacert.p12'),
+ config.dirman_password)
+ custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
+
+ ca = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
+ dogtag_constants=dogtag.install_constants,
+ host_name=config.host_name,
+ dm_password=config.dirman_password)
+ ca.configure_replica(config.ca_host_name,
+ subject_base=config.subject_base,
+ ca_cert_bundle=ca_data)
-
- # Restart httpd to pick up the new IPA configuration
- service.print_msg("Restarting the web server")
- http.restart()
+ if options.setup_kra:
+ kra.install(api, config, options)
 ds.replica_populate() |
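Review bot: The CA key bundle that `custodia.get_ca_keys` writes to `ca_data[0]` (`cacert.p12` under `config.dir`, protected only by the Directory Manager password) is never deleted in this hunk, and nothing visible removes `config.dir` after `ca.configure_replica` returns, so CA private key material may remain on disk after promotion; wrapping the `get_ca_keys` … `configure_replica` calls in `try:` … `finally:` with `if os.path.exists(ca_data[0]): os.remove(ca_data[0])` closes that, unless the temporary directory is cleaned up later in promote(), which continues past the hunk. Separately, the removed lines restarted the directory server, the KDC, the dogtag instance and httpd after `ds.apply_updates()`, while the new side restarts nothing before `ds.replica_populate()`; if those restarts now happen inside `configure_replica` or later in promote(), a one-line comment at the old restart position saying where they moved would spare the next reader the same question.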