diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2015-05-25 08:39:07 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-06-11 10:50:31 +0000 |
commit | bc0c60688505968daf6851e3e179aab20e23af7d (patch) | |
tree | ea8cb740dfcd50ab46d73a350686502d80a902ec /ipaserver/install/server | |
parent | ae56ca422d1897569717fa44a5d483b10e490f6a (diff) | |
download | freeipa-bc0c60688505968daf6851e3e179aab20e23af7d.tar.gz freeipa-bc0c60688505968daf6851e3e179aab20e23af7d.tar.xz freeipa-bc0c60688505968daf6851e3e179aab20e23af7d.zip |
Add CA ACL plugin
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/server')
-rw-r--r-- | ipaserver/install/server/upgrade.py | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index c5f4d37cc..306d1d27c 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1254,6 +1254,30 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def add_default_caacl(ca): + root_logger.info('[Add default CA ACL]') + + if sysupgrade.get_upgrade_state('caacl', 'add_default_caacl'): + root_logger.info('Default CA ACL already added') + return + + if ca.is_configured(): + if not api.Backend.ldap2.isconnected(): + try: + api.Backend.ldap2.connect(autobind=True) + except ipalib.errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e) + return + + if not api.Command.caacl_find()['result']: + api.Command.caacl_add(u'hosts_services_caIPAserviceCert', + hostcategory=u'all', usercategory=u'all') + api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', + certprofile=(u'caIPAserviceCert',)) + + sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True) + + def upgrade_configuration(): """ Execute configuration upgrade of the IPA services @@ -1431,6 +1455,7 @@ def upgrade_configuration(): # itself require a restart. # ca_import_included_profiles(ca) + add_default_caacl(ca) set_sssd_domain_option('ipa_server_mode', 'True') |