diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2015-11-23 12:09:32 +1100 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2015-11-24 10:12:24 +0100 |
| commit | 620036d26e98fdcefff00168e9e5463a8257d49c (patch) | |
| tree | 5f06b9eb125370d9dcdee938e18c31d1d8a3fe5d /ipaserver | |
| parent | 6fe0a898077a74924b6ccaf6dfbaf2d166175722 (diff) | |
| download | freeipa-620036d26e98fdcefff00168e9e5463a8257d49c.tar.gz freeipa-620036d26e98fdcefff00168e9e5463a8257d49c.tar.xz freeipa-620036d26e98fdcefff00168e9e5463a8257d49c.zip | |
Add profiles and default CA ACL on migration
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers. Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.
Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/install/ca.py | 5 | ||||
| -rw-r--r-- | ipaserver/install/cainstance.py | 100 | ||||
| -rw-r--r-- | ipaserver/install/dsinstance.py | 4 | ||||
| -rw-r--r-- | ipaserver/install/server/replicainstall.py | 3 | ||||
| -rw-r--r-- | ipaserver/install/server/upgrade.py | 13 |
5 files changed, 81 insertions, 44 deletions
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 8d0252cbb..51871f2dc 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -138,9 +138,10 @@ def install_step_0(standalone, replica_config, options): if standalone: api.Backend.ldap2.disconnect() - cainstance.install_replica_ca(replica_config, postinstall) + cainstance.install_replica_ca(replica_config, postinstall, + ra_p12=getattr(options, 'ra_p12', None)) - if standalone: + if standalone and not api.Backend.ldap2.isconnected(): api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 448e42e2b..90edb362f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -410,7 +410,7 @@ class CAInstance(DogtagInstance): cert_file=None, cert_chain_file=None, master_replication_port=None, subject_base=None, ca_signing_algorithm=None, - ca_type=None): + ca_type=None, ra_p12=None): """Create a CA instance. For Dogtag 9, this may involve creating the pki-ca instance. @@ -484,7 +484,10 @@ class CAInstance(DogtagInstance): self.step("requesting RA certificate from CA", self.__request_ra_certificate) self.step("issuing RA agent certificate", self.__issue_ra_cert) self.step("adding RA agent as a trusted user", self.__create_ca_agent) - self.step("authorizing RA to modify profiles", self.__configure_profiles_acl) + elif ra_p12 is not None: + self.step("importing RA certificate from PKCS #12 file", + lambda: self.import_ra_cert(ra_p12, configure_renewal=False)) + self.step("authorizing RA to modify profiles", configure_profiles_acl) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) if not self.clone: @@ -492,9 +495,12 @@ class CAInstance(DogtagInstance): self.step("configure Server-Cert certificate renewal", self.track_servercert) self.step("Configure HTTP to proxy connections", self.http_proxy) - if not self.clone: - self.step("restarting certificate server", self.restart_instance) - self.step("Importing IPA certificate profiles", import_included_profiles) + self.step("restarting certificate server", self.restart_instance) + self.step("migrating certificate profiles to LDAP", + migrate_profiles_to_ldap) + self.step("importing IPA certificate profiles", + import_included_profiles) + self.step("adding default CA ACL", ensure_default_caacl) self.start_creation(runtime=210) @@ -921,7 +927,7 @@ class CAInstance(DogtagInstance): export_kra_agent_pem() - def import_ra_cert(self, rafile): + def import_ra_cert(self, rafile, configure_renewal=True): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. @@ -937,7 +943,8 @@ class CAInstance(DogtagInstance): finally: os.remove(agent_name) - self.configure_agent_renewal() + if configure_renewal: + self.configure_agent_renewal() export_kra_agent_pem() @@ -987,10 +994,6 @@ class CAInstance(DogtagInstance): conn.disconnect() - def __configure_profiles_acl(self): - """Allow the Certificate Manager Agents group to modify profiles.""" - configure_profiles_acl() - def __run_certutil(self, args, database=None, pwd_file=None, stdin=None): if not database: database = self.ra_agent_db @@ -1654,7 +1657,7 @@ def replica_ca_install_check(config): exit('IPA schema missing on master CA directory server') -def install_replica_ca(config, postinstall=False): +def install_replica_ca(config, postinstall=False, ra_p12=None): """ Install a CA on a replica. @@ -1691,7 +1694,7 @@ def install_replica_ca(config, postinstall=False): ca.create_ra_agent_db = False ca.configure_instance(config.host_name, config.dirman_password, config.dirman_password, - pkcs12_info=(cafile,), + pkcs12_info=(cafile,), ra_p12=ra_p12, master_host=config.master_host_name, master_replication_port=config.ca_ds_port, subject_base=config.subject_base) @@ -1816,6 +1819,14 @@ def update_people_entry(dercert): return True def ensure_ldap_profiles_container(): + ensure_entry( + DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')), + objectclass=['top', 'organizationalUnit'], + ou=['certificateProfiles'], + ) + + +def ensure_entry(dn, **attrs): server_id = installutils.realm_to_serverid(api.env.realm) dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id @@ -1823,40 +1834,39 @@ def ensure_ldap_profiles_container(): if not conn.isconnected(): conn.connect(autobind=True) - dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')) try: conn.get_entry(dn) except errors.NotFound: # entry doesn't exist; add it - entry = conn.make_entry( - dn, - objectclass=['top', 'organizationalUnit'], - ou=['certificateProfiles'], - ) + entry = conn.make_entry(dn, **attrs) conn.add_entry(entry) conn.disconnect() def configure_profiles_acl(): + """Allow the Certificate Manager Agents group to modify profiles.""" server_id = installutils.realm_to_serverid(api.env.realm) dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id updated = False dn = DN(('cn', 'aclResources'), ('o', 'ipaca')) - rule = ( + new_rules = [ 'certServer.profile.configuration:read,modify:allow (read,modify) ' 'group="Certificate Manager Agents":' - 'Certificate Manager agents may modify (create/update/delete) and read profiles' - ) - modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])] + 'Certificate Manager agents may modify (create/update/delete) and read profiles', + + 'certServer.ca.account:login,logout:allow (login,logout) ' + 'user="anybody":Anybody can login and logout', + ] conn = ldap2.ldap2(api, ldap_uri=dogtag_uri) if not conn.isconnected(): conn.connect(autobind=True) - rules = conn.get_entry(dn).get('resourceACLS', []) - if rule not in rules: - conn.conn.modify_s(str(dn), modlist) + cur_rules = conn.get_entry(dn).get('resourceACLS', []) + add_rules = [rule for rule in new_rules if rule not in cur_rules] + if add_rules: + conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)]) updated = True conn.disconnect() @@ -1876,6 +1886,17 @@ def import_included_profiles(): if not conn.isconnected(): conn.connect(autobind=True) + ensure_entry( + DN(('cn', 'ca'), api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['ca'], + ) + ensure_entry( + DN(api.env.container_certprofile, api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['certprofiles'], + ) + api.Backend.ra_certprofile._read_password() api.Backend.ra_certprofile.override_port = 8443 @@ -1981,6 +2002,33 @@ def _create_dogtag_profile(profile_id, profile_data): "(it is probably already enabled)") +def ensure_default_caacl(): + """Add the default CA ACL if missing.""" + if not api.Backend.ldap2.isconnected(): + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e) + return + + ensure_entry( + DN(('cn', 'ca'), api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['ca'], + ) + ensure_entry( + DN(api.env.container_caacl, api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['certprofiles'], + ) + + if not api.Command.caacl_find()['result']: + api.Command.caacl_add(u'hosts_services_caIPAserviceCert', + hostcategory=u'all', servicecategory=u'all') + api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', + certprofile=(u'caIPAserviceCert',)) + + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 7bdcaea31..c980ebf4e 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -332,7 +332,6 @@ class DsInstance(service.Service): self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) - self.step("creating default CA ACL rule", self.add_caacl) self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) self.step("adding entries for topology management", self.__add_topology_entries) @@ -874,9 +873,6 @@ class DsInstance(service.Service): def add_hbac(self): self._ldap_mod("default-hbac.ldif", self.sub_dict) - def add_caacl(self): - self._ldap_mod("default-caacl.ldif", self.sub_dict) - def change_admin_password(self, password): root_logger.debug("Changing admin password") dirname = config_dirname(self.serverid) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 5ce9eb709..492ea72d8 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -672,6 +672,9 @@ def install(installer): options.domain_name = config.domain_name options.host_name = config.host_name + if ipautil.file_exists(config.dir + "/cacert.p12"): + options.ra_p12 = config.dir + "/ra.p12" + ca.install(False, config, options) krb = install_krb(config, setup_pkinit=not options.no_pkinit) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index b9621a39d..84339b0a2 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1328,18 +1328,7 @@ def add_default_caacl(ca): return if ca.is_configured(): - if not api.Backend.ldap2.isconnected(): - try: - api.Backend.ldap2.connect(autobind=True) - except ipalib.errors.PublicError as e: - root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e) - return - - if not api.Command.caacl_find()['result']: - api.Command.caacl_add(u'hosts_services_caIPAserviceCert', - hostcategory=u'all', servicecategory=u'all') - api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', - certprofile=(u'caIPAserviceCert',)) + cainstance.ensure_default_caacl() sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True) |