-rw-r--r--ipaplatform/base/paths.py2
-rw-r--r--ipaserver/install/cainstance.py49
-rw-r--r--ipaserver/install/krainstance.py113
3 files changed, 72 insertions, 92 deletions
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a407c1273..ff75e0d7a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -344,8 +344,6 @@ class BasePathNamespace(object):
SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
- KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
- KRA_PKCS12_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
LDIF2DB = '/usr/sbin/ldif2db'
DB2LDIF = '/usr/sbin/db2ldif'
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6f565dd14..85ce6cba5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -466,7 +466,7 @@ class CAInstance(DogtagInstance):
self.step("restarting certificate server", self.restart_instance)
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
self.step("issuing RA agent certificate", self.__issue_ra_cert)
- self.step("adding RA agent as a trusted user", self.__configure_ra)
+ self.step("adding RA agent as a trusted user", self.__create_ca_agent)
self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
@@ -905,18 +905,26 @@ class CAInstance(DogtagInstance):
self.configure_agent_renewal()
- def __configure_ra(self):
- # Create an RA user in the CA LDAP server and add that user to
- # the appropriate groups so it can issue certificates without
- # manual intervention.
- conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
- conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+ def __create_ca_agent(self):
+ """
+ Create CA agent, assign a certificate, and add the user to
+ the appropriate groups for accessing CA services.
+ """
- decoded = base64.b64decode(self.ra_cert)
+ # get ipaCert certificate
+ cert_data = base64.b64decode(self.ra_cert)
+ cert = x509.load_certificate(cert_data, x509.DER)
- entry_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+ # connect to CA database
+ server_id = installutils.realm_to_serverid(api.env.realm)
+ dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+ conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+ conn.connect(autobind=True)
+
+ # create ipara user with ipaCert certificate
+ user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
entry = conn.make_entry(
- entry_dn,
+ user_dn,
objectClass=['top', 'person', 'organizationalPerson',
'inetOrgPerson', 'cmsuser'],
uid=["ipara"],
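Review bot: The LDAPI URI built on the `dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id` line re-spells the socket path that paths.py already defines as `SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"` (visible in the first hunk of this diff), so a platform override of that template would not be honoured here. The same four lines (server_id, dogtag_uri, `ldap2.ldap2(api, ldap_uri=dogtag_uri)`, `conn.connect(autobind=True)`) are repeated verbatim in krainstance.py's `__create_kra_agent` later in this diff; a small shared helper that returns a connected ldap2 instance for the Dogtag database would keep them in one place and could derive the URI from the template with the slashes percent-encoded. `__create_ca_agent` continues past the end of this hunk.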
@@ -924,23 +932,24 @@ class CAInstance(DogtagInstance):
cn=["ipara"],
usertype=["agentType"],
userstate=["1"],
- userCertificate=[decoded],
+ userCertificate=[cert_data],
description=['2;%s;%s;%s' % (
- str(self.requestId),
+ cert.serial_number,
DN(('CN', 'Certificate Authority'), self.subject_base),
DN(('CN', 'IPA RA'), self.subject_base))])
-
conn.add_entry(entry)
- dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), self.basedn)
- modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
- conn.modify_s(dn, modlist)
+ # add ipara user to Certificate Manager Agents group
+ group_dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'),
+ self.basedn)
+ conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
- dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), self.basedn)
- modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
- conn.modify_s(dn, modlist)
+ # add ipara user to Registration Manager Agents group
+ group_dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'),
+ self.basedn)
+ conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
- conn.unbind()
+ conn.disconnect()
def __configure_profiles_acl(self):
"""Allow the Certificate Manager Agents group to modify profiles."""
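Review bot: `conn.disconnect()` only runs on the success path; if `conn.add_entry(entry)` or either `conn.add_entry_to_group(...)` call raises (for example because the ipara entry already exists on a re-run), the ldap2 connection opened by `conn.connect(autobind=True)` in the previous hunk is never closed. Wrapping everything after the connect in `try:` / `finally: conn.disconnect()` fixes that. The same shape is repeated in krainstance.py's `__create_kra_agent`, which also ends with a bare `conn.disconnect()`. `__create_ca_agent` starts in the previous hunk.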
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index e5cdbf5e7..958fe6fb0 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -25,17 +25,21 @@ import sys
import tempfile
from ipalib import api
+from ipalib import x509
from ipaplatform import services
from ipaplatform.paths import paths
+from ipapython import certdb
from ipapython import dogtag
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import certs
from ipaserver.install import cainstance
+from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import service
from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
+from ipaserver.plugins import ldap2
from ipapython.ipa_log_manager import log_mgr
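Review bot: `import tempfile`, kept as context on the first line of this hunk, looks like a leftover: the only use visible in this diff, the `tempfile.mkstemp()` call in the old `__add_ra_user_to_agent_group`, is deleted by the hunk below, and the same may hold for `ipautil`, whose visible `ipautil.run(...)` calls all disappear with it. The rest of the module is not in this diff, so if either name is still used elsewhere this does not apply; otherwise the now-unused imports should be dropped in the same commit.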
# When IPA is installed with DNS support, this CNAME should hold all IPA
@@ -111,8 +115,8 @@ class KRAInstance(DogtagInstance):
self.step("configuring KRA instance", self.__spawn_instance)
if not self.clone:
- self.step("add RA user to KRA agent group",
- self.__add_ra_user_to_agent_group)
+ self.step("create KRA agent",
+ self.__create_kra_agent)
self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal)
@@ -267,77 +271,46 @@ class KRAInstance(DogtagInstance):
self.log.debug("completed creating KRA instance")
- def __add_ra_user_to_agent_group(self):
+ def __create_kra_agent(self):
"""
- Add RA agent created for CA to KRA agent group.
+ Create KRA agent, assign a certificate, and add the user to
+ the appropriate groups for accessing KRA services.
"""
- # import CA certificate into temporary security database
- args = ["/usr/bin/pki",
- "-d", self.agent_db,
- "-C", paths.KRA_NSSDB_PASSWORD_FILE,
- "client-cert-import",
- "--pkcs12", paths.KRACERT_P12,
- "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
- ipautil.run(args)
-
- # trust CA certificate
- args = ["/usr/bin/pki",
- "-d", self.agent_db,
- "-C", paths.KRA_NSSDB_PASSWORD_FILE,
- "client-cert-mod", "Certificate Authority - %s" % api.env.realm,
- "--trust", "CT,c,"]
- ipautil.run(args)
-
- # import Dogtag admin certificate into temporary security database
- args = ["/usr/bin/pki",
- "-d", self.agent_db,
- "-C", paths.KRA_NSSDB_PASSWORD_FILE,
- "client-cert-import",
- "--pkcs12", paths.DOGTAG_ADMIN_P12,
- "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
- ipautil.run(args)
-
- # as Dogtag admin, create ipakra user in KRA
- args = ["/usr/bin/pki",
- "-d", self.agent_db,
- "-C", paths.KRA_NSSDB_PASSWORD_FILE,
- "-n", "ipa-ca-agent",
- "kra-user-add", "ipakra",
- "--fullName", "IPA KRA User"]
- ipautil.run(args)
-
- # as Dogtag admin, add ipakra into KRA agents group
- args = ["/usr/bin/pki",
- "-d", self.agent_db,
- "-C", paths.KRA_NSSDB_PASSWORD_FILE,
- "-n", "ipa-ca-agent",
- "kra-user-membership-add", "ipakra", "Data Recovery Manager Agents"]
- ipautil.run(args)
-
- # assign ipaCert to ipakra
- (file, filename) = tempfile.mkstemp()
- os.close(file)
- try:
- # export ipaCert without private key
- args = ["/usr/bin/pki",
- "-d", paths.HTTPD_ALIAS_DIR,
- "-C", paths.ALIAS_PWDFILE_TXT,
- "client-cert-show", "ipaCert",
- "--cert", filename]
- ipautil.run(args)
-
- # as Dogtag admin, upload and assign ipaCert to ipakra
- args = ["/usr/bin/pki",
- "-d", self.agent_db,
- "-C", paths.KRA_NSSDB_PASSWORD_FILE,
- "-n", "ipa-ca-agent",
- "kra-user-cert-add", "ipakra",
- "--input", filename]
- ipautil.run(args)
-
- finally:
- os.remove(filename)
+ # get ipaCert certificate
+ with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb:
+ cert_data = ipa_nssdb.get_cert("ipaCert")
+ cert = x509.load_certificate(cert_data, x509.DER)
+
+ # connect to KRA database
+ server_id = installutils.realm_to_serverid(api.env.realm)
+ dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+ conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+ conn.connect(autobind=True)
+
+ # create ipakra user with ipaCert certificate
+ user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
+ entry = conn.make_entry(
+ user_dn,
+ objectClass=['top', 'person', 'organizationalPerson',
+ 'inetOrgPerson', 'cmsuser'],
+ uid=["ipakra"],
+ sn=["IPA KRA User"],
+ cn=["IPA KRA User"],
+ usertype=["undefined"],
+ userCertificate=[cert_data],
+ description=['2;%s;%s;%s' % (
+ cert.serial_number,
+ DN(('CN', 'Certificate Authority'), self.subject_base),
+ DN(('CN', 'IPA RA'), self.subject_base))])
+ conn.add_entry(entry)
+
+ # add ipakra user to Data Recovery Manager Agents group
+ group_dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'),
+ self.basedn)
+ conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+
+ conn.disconnect()
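Review bot: The new entry is placed under `('ou', 'people')` while the otherwise identical CA entry in cainstance.py uses `('ou', 'People')`; DN matching for `ou` is normally case-insensitive so this likely works, but the two methods should spell the container the same way. `x509.load_certificate(cert_data, x509.DER)` assumes that `ipa_nssdb.get_cert("ipaCert")` returns DER rather than PEM, which this diff does not show — worth confirming against `certdb.NSSDatabase.get_cert`. This method also writes the agent user and its group membership straight into the KRA's LDAP backend over LDAPI instead of going through the `pki kra-user-add` / `kra-user-membership-add` commands it replaces, so the KRA's own authorization and logging of those operations are no longer exercised for this step; a short comment recording why the direct write is preferred here would help the next reader judge that trade-off.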
def __add_vault_container(self):
sub_dict = {