author | Alexander Bokovoy <abokovoy@redhat.com> | 2017-02-15 10:14:58 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-02-16 09:51:38 +0100 |
commit | 14d84daf29543978c6383da10f4f2d913346f013 (patch) | |
tree | 308d1dbfb174db41e407a2206a26a85b2e6bc7d9 /ipaserver/install | |
parent | 0b9b6b52d7f2e64a52ef8fd570839711311fa254 (diff) | |
pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
When running the PKINIT upgrade we need to make sure the full substitution
dictionary is in place; otherwise executing LDAP updates will fail to
find the proper objects because $SUFFIX, $DOMAIN, and other variables
will not be substituted.
Fixes https://fedorahosted.org/freeipa/ticket/6670
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/server/upgrade.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 509f19647..41da723fa 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1753,6 +1753,18 @@ def upgrade_configuration():
 krb.realm = api.env.realm
 krb.suffix = ipautil.realm_to_suffix(krb.realm)
 krb.subject_base = subject_base
+ krb.sub_dict = dict(FQDN=krb.fqdn,
+ SUFFIX=krb.suffix,
+ DOMAIN=api.env.domain,
+ HOST=api.env.host,
+ SERVER_ID=installutils.realm_to_serverid(krb.realm),
+ REALM=krb.realm,
+ KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
+ DICT_WORDS=paths.DICT_WORDS,
+ KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+ KDC_CERT=paths.KDC_CERT,
+ KDC_KEY=paths.KDC_KEY,
+ CACERT_PEM=paths.CACERT_PEM)
 if not os.path.exists(paths.KDC_CERT):
 krb.setup_pkinit()
 replacevars = dict() |
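Review bot: The `krb.sub_dict` literal added in `upgrade_configuration()` lists the substitution keys by hand, so it can drift from whatever dictionary the Kerberos instance builds for itself at install time (that code is not visible in this hunk). A key added there later and missed here would leave its `$VAR` unsubstituted in the PKINIT LDAP updates, which is the same failure this commit fixes. Consider building the dictionary through one helper on the instance that both the install and upgrade paths call, or at minimum add a comment above the assignment such as `# keep in sync with the sub_dict the Kerberos instance builds at install time`. Also note that `FQDN` is taken from `krb.fqdn` while `HOST` is taken from `api.env.host`; if the two are expected to be identical, using a single source for both would make that explicit. The function starts and ends outside the hunk.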