author | Stanislav Laznicka <slaznick@redhat.com> | 2016-11-07 12:09:28 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-11-11 12:17:25 +0100 |
commit | e40d6a2a53a931b4d2be3e45c84da99950e60a84 (patch) | |
tree | 6e90eba1c660576960f22f8b4cdae9559c7e3a03 /ipaserver/install/server/replicainstall.py | |
parent | 2de43e7aca7d4d4873ad3e5053ad75311e81dc68 (diff) | |
Use host keytab to connect to remote server on DL0
Since host enrollment was implemented in DL0, use
the host keytab to connect to the remote API and perform
certain actions, in order to merge the DL1 and DL0 replica
install workflows.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/server/replicainstall.py')
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index d0360e79b..853e8af4a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -821,6 +821,10 @@ def install_check(installer):
         broadcast_ip_address_warning(config.ips)
         enroll_dl0_replica(installer, fstore, remote_api)
+        ccache = os.environ['KRB5CCNAME']
+        ipautil.kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env),
+                             paths.KRB5_KEYTAB,
+                             ccache)
     except errors.ACIError:
         raise ScriptError("\nThe password provided is incorrect for LDAP server "
@@ -841,10 +845,14 @@ def install_check(installer):
     # check connection
     if not options.skip_conncheck:
-        replica_conn_check(
-            config.master_host_name, config.host_name, config.realm_name,
-            options.setup_ca, config.ca_ds_port, options.admin_password,
-            ca_cert_file=cafile)
+        try:
+            del os.environ['KRB5CCNAME']
+            replica_conn_check(
+                config.master_host_name, config.host_name, config.realm_name,
+                options.setup_ca, config.ca_ds_port, options.admin_password,
+                ca_cert_file=cafile)
+        finally:
+            os.environ['KRB5CCNAME'] = ccache
     installer._ca_enabled = ca_enabled
     installer._kra_enabled = kra_enabled
@@ -1337,9 +1345,9 @@ def install(installer):
     remote_api = installer._remote_api
     conn = remote_api.Backend.ldap2
+    ccache = os.environ['KRB5CCNAME']
     if promote:
-        ccache = os.environ['KRB5CCNAME']
         if installer._add_to_ipaservers:
             try:
                 conn.connect(ccache=installer._ccache)
@@ -1372,12 +1380,8 @@ def install(installer):
         http_instance.create_cert_db()
         try:
-            if promote:
-                conn.connect(ccache=ccache)
-            else:
-                conn.connect(bind_dn=ipaldap.DIRMAN_DN,
-                             bind_pw=config.dirman_password,
-                             tls_cacertfile=cafile)
+            conn.connect(ccache=ccache)
+            if not promote:
                 # Install CA cert so that we can do SSL connections with ldap
                 install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
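Review bot: `ccache = os.environ['KRB5CCNAME']` in the first hunk (and `del os.environ['KRB5CCNAME']` in the second) assume the caller exported KRB5CCNAME; when it is absent the first hunk raises a bare KeyError from inside a `try` whose only visible handler is `except errors.ACIError`, so the operator gets a traceback rather than a ScriptError, and a failing `ipautil.kinit_keytab` (keytab missing or unreadable) surfaces the same way — the enclosing try/except of install_check starts and continues outside the hunk, so further handlers may exist. A guard such as `ccache = os.environ.get('KRB5CCNAME')` followed by `if ccache is None: raise ScriptError("KRB5CCNAME must point to a credentials cache")` before the kinit would keep that failure mode explicit. The `del` in the second hunk deserves a why-comment, since the `finally` restores the variable but nothing states the intent, e.g. `# conncheck kinits with the admin password; unset KRB5CCNAME so it does not overwrite the host keytab credentials obtained above` (intent inferred from the surrounding code). The third hunk moves the same lookup outside `if promote:`, so the non-promote path of install() now depends on KRB5CCNAME as well and the same guard applies there.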