authorAna Krivokapic <akrivoka@redhat.com>2013-07-11 12:50:01 +0200
committerAlexander Bokovoy <abokovoy@redhat.com>2013-07-11 13:53:41 +0300
commit7b402b3bc30af1e57b0451bd2ecfb121ee1739e5 (patch)
tree2c1af306cfcd0a9975ec1b1954d560c655eb1c1e
parent1fbbb2c44522e80697f62c1711fc5958195d2d43 (diff)
Make sure replication works after DM password is changed
The replica information file contains `cacert.p12`, which is protected by the Directory Manager (DM) password of the initial IPA server installation. The DM password of the initial installation is also used as the PKI admin user password. If the DM password is changed after the IPA server installation, replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password. 2. Update the password of the PKI admin user to the current DM password. https://fedorahosted.org/freeipa/ticket/3594
-rw-r--r--freeipa.spec.in9
-rw-r--r--ipaserver/install/ipa_replica_prepare.py36
2 files changed, 42 insertions, 3 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1f9242ea8..11365bebe 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.1
+BuildRequires: 389-ds-base-devel >= 1.3.1.3
BuildRequires: svrcore-devel
BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
@@ -91,7 +91,7 @@ Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.1
+Requires: 389-ds-base >= 1.3.1.3
Requires: openldap-clients > 2.4.35-4
%if 0%{?fedora} == 18
Requires: nss >= 3.14.3-2
@@ -147,7 +147,7 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
+Requires(pre): 389-ds-base >= 1.3.1.3
# We have a soft-requires on bind. It is an optional part of
# IPA but if it is configured we need a way to require versions
@@ -844,6 +844,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Wed Jul 10 2013 Ana Krivokapic <akrivoka@redhat.com> - 3.2.99-4
+- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
+
* Wed Jun 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.2.1-1
- Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
support.
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f6af28e3a..a92e9a111 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ class ReplicaPrepare(admintool.AdminTool):
self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
else:
if ipautil.file_exists(options.ca_file):
+ # Since it is possible that the Directory Manager password
+ # has changed since ipa-server-install, we need to regenerate
+ # the CA PKCS#12 file and update the pki admin user password
+ self.regenerate_ca_file(options.ca_file)
+ self.update_pki_admin_password()
self.copy_info_file(options.ca_file, "cacert.p12")
else:
raise admintool.ScriptError("Root CA PKCS#12 not "
@@ -505,3 +510,34 @@ class ReplicaPrepare(admintool.AdminTool):
db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
finally:
os.remove(agent_name)
+
+ def update_pki_admin_password(self):
+ ldap = ldap2(shared_instance=False)
+ ldap.connect(
+ bind_dn=DN(('cn', 'directory manager')),
+ bind_pw=self.dirman_password
+ )
+ dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ ldap.modify_password(dn, self.dirman_password)
+ ldap.disconnect()
+
+ def regenerate_ca_file(self, ca_file):
+ dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+ keydb_pwd = ''
+ with open('/etc/pki/pki-tomcat/password.conf') as f:
+ for line in f.readlines():
+ key, value = line.strip().split('=')
+ if key == 'internal':
+ keydb_pwd = value
+ break
+
+ keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
+
+ ipautil.run([
+ '/usr/bin/PKCS12Export',
+ '-d', '/etc/pki/pki-tomcat/alias/',
+ '-p', keydb_pwd_fd.name,
+ '-w', dm_pwd_fd.name,
+ '-o', ca_file
+ ])