-rw-r--r-- | freeipa.spec.in | 4 | ||||
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/ca-topology.uldif | 15 | ||||
-rw-r--r-- | install/updates/20-replication.update | 5 | ||||
-rw-r--r-- | install/updates/90-post_upgrade_plugins.update | 1 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 1 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 10 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_ca_topology.py | 34 |
8 files changed, 69 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index dc4e4bfbd..29eb07cf1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,8 +139,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= 0.54.2-1
-Requires: pki-ca >= 10.2.6
-Requires: pki-kra >= 10.2.6
+Requires: pki-ca >= 10.2.7
+Requires: pki-kra >= 10.2.7
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index d952679e6..7dae55fdb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -27,6 +27,7 @@ app_DATA = \
 	72domainlevels.ldif \
 	anonymous-vlv.ldif \
 	bootstrap-template.ldif \
+	ca-topology.uldif \
 	caJarSigningCert.cfg.template \
 	custodia.conf.template \
 	default-aci.ldif \
diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
new file mode 100644
index 000000000..3da9eaee1
--- /dev/null
+++ b/install/share/ca-topology.uldif
@@ -0,0 +1,15 @@
+# add IPA CA managed suffix to master entry
+dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+add: objectclass: ipaReplTopoManagedServer
+add: ipaReplTopoManagedSuffix: o=ipaca
+
+# add IPA CA topology configuration area
+dn: cn=ipaca,cn=topology,cn=ipa,cn=etc,$SUFFIX
+default: objectclass: top
+default: objectclass: iparepltopoconf
+default: ipaReplTopoConfRoot: o=ipaca
+default: cn: ipaca
+
+# Update CA replication settings
+dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
+onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index 83d5d1f0c..43f4edc0d 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
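Review bot: The `onlyifexist:` directive on the last entry of ca-topology.uldif sets the replication bind-DN group on `cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config` only where that entry already exists, and nothing else in the file creates or revisits it; whether a CA whose replica entry appears later ends up restricted to `cn=replication managers` therefore depends on the file being applied again (the upgrade plugin added in this commit does so) or on replication setup code outside this diff. A comment above the directive would record that dependency, e.g. `# applied only where the CA replica entry already exists; re-applied on every upgrade by update_ca_topology`. Since both callers in this commit supply the same `$FQDN`/`$SUFFIX` substitutions, the header comment could also name the sub_dict keys the file expects.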
@@ -28,6 +28,11 @@ default: objectclass: iparepltopoconf
 default: ipaReplTopoConfRoot: $SUFFIX
 default: cn: realm
 
+# add IPA realm managed suffix to master entry
+dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+add: objectclass: ipaReplTopoManagedServer
+add: ipaReplTopoManagedSuffix: $SUFFIX
+
 # Set replication changelog limit (#5086)
 dn: cn=changelog5,cn=config
 addifnew: nsslapd-changelogmaxage: 7d
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 3df3a4574..2089b3320 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -2,6 +2,7 @@ # middle +plugin: update_ca_topology plugin: update_dnszones plugin: update_dns_limits plugin: update_default_range
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 98aa5f9b7..644e94e78 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -236,6 +236,7 @@ class BasePathNamespace(object):
     SMBD = "/usr/sbin/smbd"
     USERADD = "/usr/sbin/useradd"
     USR_SHARE_IPA_DIR = "/usr/share/ipa/"
+    CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
     FFEXTENSION = "/usr/share/ipa/ffextension"
     IPA_HTML_DIR = "/usr/share/ipa/html"
     CA_CRT = "/usr/share/ipa/html/ca.crt"
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ebf9a7ea5..fefcb8e76 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -63,6 +63,7 @@ from ipapython.ipa_log_manager import log_mgr,\
 from ipaserver.install import certs
 from ipaserver.install import dsinstance
 from ipaserver.install import installutils
+from ipaserver.install import ldapupdate
 from ipaserver.install import service
 from ipaserver.install.dogtaginstance import DogtagInstance
 from ipaserver.install.dogtaginstance import PKI_USER, DEFAULT_DSPORT
@@ -797,6 +798,15 @@ class CAInstance(DogtagInstance):
         except Exception as e:
             root_logger.warning("Failed to backup CS.cfg: %s", e)
 
+    def __update_topology(self):
+        ld = ldapupdate.LDAPUpdate(ldapi=True, sub_dict={
+            'SUFFIX': api.env.basedn,
+            'FQDN': self.fqdn,
+        })
+        rv = ld.update([paths.CA_TOPOLOGY_ULDIF])
+        if not rv:
+            raise RuntimeError("Failed to update CA topology configuration")
+
     def __disable_nonce(self):
         # Turn off Nonces
         update_result = installutils.update_file(
diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
new file mode 100644
index 000000000..ce4b5bc9a
--- /dev/null
+++ b/ipaserver/install/plugins/update_ca_topology.py
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipalib import Updater
+from ipaserver.install import certs, cainstance
+from ipaserver.install import ldapupdate
+from ipaplatform.paths import paths
+
+
+class update_ca_topology(Updater):
+    """
+    Updates CA topology configuration entries
+    """
+
+    def execute(self, **options):
+
+        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+        if not ca.is_configured():
+            self.log.debug("CA is not configured on this host")
+            return False, []
+
+        ld = ldapupdate.LDAPUpdate(ldapi=True, sub_dict={
+            'SUFFIX': self.api.env.basedn,
+            'FQDN': self.api.env.host,
+        })
+        rv = ld.update([paths.CA_TOPOLOGY_ULDIF])
+        if not rv:
+            self.log.error("Failed to update CA topology configuration")
+
+        return False, []
+
+api.register(update_ca_topology)
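Review bot: `__update_topology` is added without a caller: the diffstat credits cainstance.py with 10 changed lines, which the import hunk (1) and this method (9) account for in full, so within this commit the CA topology entries are created only by the `update_ca_topology` upgrade plugin. If the method is meant to run at install time it needs a `self.step(...)` entry in the instance's configure sequence, which lies outside this hunk; if not, it should be dropped rather than left as unreachable private code. It also repeats the plugin's `LDAPUpdate(ldapi=True, sub_dict={...})` call on the same file with a different failure policy; one shared helper taking the suffix and FQDN would keep the two in step. `CAInstance` begins and ends outside the hunk.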
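Review bot: At `if not rv:` a failed update is logged and execution then falls through to the same `return False, []` as the success path, so an upgrade that fails to restrict CA replication binds to `cn=replication managers` finishes looking identical to one that applied the change, while the install-time counterpart `__update_topology` raises RuntimeError for the same condition. Raising here as well, or at least `self.log.error("Failed to update CA topology configuration from %s", paths.CA_TOPOLOGY_ULDIF)`, would make the failure and its source visible in the upgrade log. The class docstring could also state what the file applies (the managed-suffix marker on the master entry, the `cn=ipaca` topology area, and the replica bind-DN group), which the present one-liner leaves out.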