authorAde Lee <alee@redhat.com>2014-04-16 11:20:29 -0400
committerAde Lee <alee@redhat.com>2014-05-27 14:51:50 -0400
commit462629bab3163be47b2fc6d79b88781f82fdaf15 (patch)
tree759df0069974df031577338dafc658ab3c2a5556
parent2139db9cb9c05ed84b4c39c50091462fdaff4b6c (diff)
Added nolog to pkispawn and some additional fixes from review.
-rw-r--r--install/tools/ipa-drm-install2
-rwxr-xr-xinstall/tools/ipa-server-install2
-rw-r--r--ipaserver/install/cainstance.py26
-rw-r--r--ipaserver/install/dogtaginstance.py32
-rw-r--r--ipaserver/install/drminstance.py22
-rw-r--r--ipaserver/install/dsinstance.py20
6 files changed, 66 insertions, 38 deletions
diff --git a/install/tools/ipa-drm-install b/install/tools/ipa-drm-install
index 7af39a3..2a2b2a7 100644
--- a/install/tools/ipa-drm-install
+++ b/install/tools/ipa-drm-install
@@ -137,7 +137,7 @@ def main():
if options.uninstall:
if enable_drm is None:
sys.exit("There is no DRM installed on this system")
- uninstall(realm_name)
+ return uninstall(realm_name)
if enable_drm is not None and enable_drm == 'True':
sys.exit("DRM is already installed.")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 440d108..2ab4e68 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -503,6 +503,7 @@ def uninstall():
ca_instance = cainstance.CAInstance(
api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
ca_instance.stop_tracking_certificates(dogtag_constants)
+ ca_instance.stop_tracking_agent_certificate(dogtag_constants)
if ca_instance.is_configured():
ca_instance.uninstall()
@@ -762,6 +763,7 @@ def main():
# We only set up the CA if the PKCS#12 options are not given.
if options.dirsrv_pkcs12:
setup_ca = False
+ setup_drm = False
else:
setup_ca = True
setup_drm = True
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6bbb6f5..5768e29 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -285,7 +285,7 @@ class CADSInstance(service.Service):
_user_exists = self.restore_state("user_exists")
# At one time we removed this user on uninstall. That can potentially
- # orphan files, or worse, if another useradd runs in the intermim,
+ # orphan files, or worse, if another useradd runs in the interim,
# cause files to have a new owner.
@@ -325,6 +325,10 @@ class CAInstance(DogtagInstance):
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
self.ra_cert = None
self.requestId = None
+ self.tracking_nicknames = ['Server-Cert cert-pki-ca',
+ 'auditSigningCert cert-pki-ca',
+ 'ocspSigningCert cert-pki-ca',
+ 'subsystemCert cert-pki-ca']
def configure_instance(self, host_name, domain, dm_password,
admin_password, ds_port=DEFAULT_DSPORT,
@@ -713,7 +717,7 @@ class CAInstance(DogtagInstance):
os.write(admin_fd, self.admin_password)
os.close(admin_fd)
- # Look thru the cert chain to get all the certs we need to add
+ # Look through the cert chain to get all the certs we need to add
# trust for
p = subprocess.Popen(["/usr/bin/certutil", "-d", self.agent_db,
"-O", "-n", "ipa-ca-agent"], stdout=subprocess.PIPE)
@@ -899,7 +903,7 @@ class CAInstance(DogtagInstance):
try:
ipautil.run(["/usr/bin/pk12util",
"-n", "ipa-ca-agent",
- "-o", "/root/ca-agent.p12",
+ "-o", DogtagInstance.AGENT_P12_PATH,
"-d", self.agent_db,
"-k", pwd_name,
"-w", pwd_name])
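Review bot: The PKCS#12 exported here carries the ipa-ca-agent private key into /root via DogtagInstance.AGENT_P12_PATH, and nothing in the hunk restricts the file mode, so it is created with whatever the installer's umask allows. Because drminstance.py now consumes the same path as pki_client_admin_cert_p12, the file is evidently meant to persist between the CA and KRA steps, which deserves a comment so nobody "tidies" it away or leaves it behind indefinitely, e.g. `# Exports the agent key+cert to AGENT_P12_PATH for the KRA install; tighten the mode and remove it once no longer needed`. If the surrounding code does not already narrow the umask around this call, doing so (or chmod 0600 right after) is the cheap fix. The enclosing try block begins before the hunk and its except clause lies outside it.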
@@ -925,7 +929,7 @@ class CAInstance(DogtagInstance):
"-print_certs",
], stdin=data)
- # Ok, now we have all the certificates in certs, walk thru it
+ # Ok, now we have all the certificates in certs, walk through it
# and pull out each certificate and add it to our database
st = 1
@@ -1201,7 +1205,7 @@ class CAInstance(DogtagInstance):
root_logger.critical("failed to uninstall CA instance %s" % e)
# At one time we removed this user on uninstall. That can potentially
- # orphan files, or worse, if another useradd runs in the intermim,
+ # orphan files, or worse, if another useradd runs in the interim,
# cause files to have a new owner.
_user_exists = self.restore_state("user_exists")
@@ -1316,16 +1320,10 @@ class CAInstance(DogtagInstance):
root_logger.error(
"certmonger failed to start tracking certificate: %s" % e)
- def stop_tracking_system_certificates(self, dogtag_constants):
- """Stop tracking our certificates. Called on uninstall.
+ @staticmethod
+ def stop_tracking_agent_certificate(dogtag_constants):
+ """Stop tracking agent certificate. Called on uninstall.
"""
- nicknames = ['Server-Cert cert-pki-ca',
- 'auditSigningCert cert-pki-ca',
- 'ocspSigningCert cert-pki-ca',
- 'subsystemCert cert-pki-ca']
- DogtagInstance.stop_tracking_certificates(
- self, dogtag_constants, nicknames)
-
cmonger = ipaservices.knownservices.certmonger
ipaservices.knownservices.messagebus.start()
cmonger.start()
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 14b96ba..66a76c7 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -25,6 +25,7 @@ import traceback
from ipapython import certmonger
from ipapython import dogtag
+from ipapython import ipaldap
from ipapython import ipautil
from ipapython import services as ipaservices
from ipapython.dn import DN
@@ -66,6 +67,9 @@ class DogtagInstance(service.Service):
CA, KRA, and eventually TKS and TPS.
"""
+ ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+ AGENT_P12_PATH = '/root/ca-agent.p12'
+
def __init__(self, realm, subsystem, service_desc, dogtag_constants=None):
if dogtag_constants is None:
dogtag_constants = dogtag.configured_constants()
@@ -84,6 +88,7 @@ class DogtagInstance(service.Service):
self.clone = False
self.basedn = DN(('o', 'ipa%s' % subsystem.lower()))
+ self.admin_user = DN(('uid', 'admin'), ('ou', 'people'), ('o', 'ipaca'))
self.agent_db = tempfile.mkdtemp(prefix="tmp-")
self.ds_port = DEFAULT_DSPORT
self.server_root = dogtag_constants.SERVER_ROOT
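Review bot: self.admin_user is pinned to o=ipaca while self.basedn two lines above is derived from the subsystem name, so for a KRA instance the two attributes refer to different suffixes. If that is deliberate because get_admin_cert() must always fetch the CA's admin entry, say so in a comment, e.g. `# Always the CA admin entry: the KRA imports the CA admin certificate (see get_admin_cert)`; if not, derive it as `DN(('uid', 'admin'), ('ou', 'people'), self.basedn)`. As written the hard-coded suffix reads like a copy-paste slip.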
@@ -109,7 +114,7 @@ class DogtagInstance(service.Service):
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME,
self.subsystem.lower()))
- def spawn_instance(self, cfg_file):
+ def spawn_instance(self, cfg_file, nolog_list=None):
"""
Create and configure a new Dogtag instance using pkispawn.
Passes in a configuration file with IPA-specific
@@ -118,7 +123,10 @@ class DogtagInstance(service.Service):
subsystem = self.subsystem
# Define the things we don't want logged
- nolog = (self.admin_password, self.dm_password,)
+ if nolog_list is None:
+ nolog_list = []
+ nolog_list.extend([self.admin_password, self.dm_password])
+ nolog = tuple(nolog_list)
args = ["/usr/sbin/pkispawn",
"-s", subsystem,
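Review bot: `nolog_list.extend([...])` on the new line 164 mutates the caller's list, so a caller that keeps its nolog_list sees the admin and DM passwords appended to it after the call, and appended again on every repeated call. Build the tuple without touching the argument: `nolog = tuple(nolog_list or ()) + (self.admin_password, self.dm_password)`, which also removes the None check. spawn_instance continues past the end of the hunk.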
@@ -330,3 +338,23 @@ class DogtagInstance(service.Service):
base64.b64encode(cert),
quotes=False,
separator='=')
+
+ def get_admin_cert(self):
+ """
+ Get the certificate for the admin user by checking the ldap entry
+ for the user
+ """
+ root_logger.debug('Trying to find the certificate for the admin user')
+ conn = None
+
+ try:
+ conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
+ conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+
+ entry_attrs = conn.get_entry(self.admin_user, ['usercertificate'])
+ admin_cert = entry_attrs.get('usercertificate')[0]
+ finally:
+ if conn is not None:
+ conn.unbind()
+
+ return base64.b64encode(admin_cert) \ No newline at end of file
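Review bot: `entry_attrs.get('usercertificate')[0]` raises a bare TypeError when the admin entry has no usercertificate attribute, which is the likeliest failure on a half-configured CA; use `certs = entry_attrs.get('usercertificate') or []` followed by `if not certs: raise RuntimeError('no usercertificate on %s' % self.admin_user)` (or the project's own error type) so the log says what is actually missing. The method also performs a simple bind as Directory Manager against self.fqdn:self.ds_port; whether ipaldap.IPAdmin protects that connection with TLS or StartTLS is not visible here and should be confirmed, since otherwise the DM password crosses the network in clear. The docstring should state the return value (base64 of the first certificate's DER bytes) and the file is missing its trailing newline.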
diff --git a/ipaserver/install/drminstance.py b/ipaserver/install/drminstance.py
index c4edd2c..a251e39 100644
--- a/ipaserver/install/drminstance.py
+++ b/ipaserver/install/drminstance.py
@@ -111,18 +111,6 @@ class DRMInstance(DogtagInstance):
self.start_creation(runtime=210)
- def start_instance(self):
- DogtagInstance.start_instance(self)
-
- def stop_instance(self):
- DogtagInstance.stop_instance(self)
-
- def restart_instance(self):
- DogtagInstance.restart_instance(self)
-
- def http_proxy(self):
- DogtagInstance.http_proxy(self)
-
def __spawn_instance(self):
"""
Create and configure a new DRM instance using pkispawn.
@@ -172,8 +160,9 @@ class DRMInstance(DogtagInstance):
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
config.set("KRA", "pki_import_admin_cert", "True")
config.set("KRA", "pki_admin_cert_file",
- "/root/.dogtag/pki-tomcat/ca_admin.cert")
- config.set("KRA", "pki_client_admin_cert_p12", "/root/ca-agent.p12")
+ DogtagInstance.ADMIN_CERT_PATH)
+ config.set("KRA", "pki_client_admin_cert_p12",
+ DogtagInstance.AGENT_P12_PATH)
# Directory server
config.set("KRA", "pki_ds_ldap_port", str(self.ds_port))
@@ -222,6 +211,11 @@ class DRMInstance(DogtagInstance):
pent = pwd.getpwnam(PKI_USER)
os.chown("/tmp/drm.p12", pent.pw_uid, pent.pw_gid)
+ # create admin cert file if it does not exist
+ cert = DogtagInstance.get_admin_cert(self)
+ with open(DogtagInstance.ADMIN_CERT_PATH, "w") as admin_path:
+ admin_path.write(cert)
+
# Security domain registration
config.set("KRA", "pki_security_domain_hostname", self.master_host)
config.set("KRA", "pki_security_domain_https_port", "443")
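Review bot: The comment `# create admin cert file if it does not exist` does not match the code below it: `open(DogtagInstance.ADMIN_CERT_PATH, "w")` overwrites unconditionally and raises IOError if /root/.dogtag/pki-tomcat does not exist, and nothing in the hunk creates that directory. Either guard the write with `if not os.path.exists(DogtagInstance.ADMIN_CERT_PATH):` so the comment becomes true, or drop the "if it does not exist" wording and create the parent directory first (`os.makedirs` on `os.path.dirname(DogtagInstance.ADMIN_CERT_PATH)` behind an existence check). This appears to sit inside __spawn_instance, which begins before the hunk.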
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5c20860..96881fa 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -942,6 +942,10 @@ class DsInstance(service.Service):
2) If no value is found there, look in DS (start DS if necessary)
3) Last resort, look in the certmap.conf itself
4) If all fails, log loudly and return None
+
+ Note that this method can only be executed AFTER the ipa server
+ is configured, the api is initialized elsewhere and
+ that a ticket already have been acquired.
"""
root_logger.debug(
'Trying to find certificate subject base in sysupgrade')
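Review bot: The added docstring note has a grammar slip, `that a ticket already have been acquired`, which should read `that a ticket has already been acquired`; `the api is initialized elsewhere` is also clearer as `the api must already be initialized`. Naming which ticket is meant (presumably the credentials the autobind LDAP connect later in this method relies on) would make the precondition actionable for a caller.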
@@ -963,25 +967,27 @@ class DsInstance(service.Service):
if not ds_is_running:
try:
self.start()
+ ds_is_running = True
except ipautil.CalledProcessError as e:
root_logger.error('Cannot start DS to find certificate '
'subject base: %s', e)
- else:
- ds_is_running = True
if ds_is_running:
try:
api.Backend.ldap2.connect(autobind=True)
- except errors.PublicError, e:
- root_logger.error('Cannot connect to DS to find certificate '
- 'subject base: %s', e)
- else:
ret = api.Command['config_show']()
- api.Backend.ldap2.disconnect()
subject_base = str(
ret['result']['ipacertificatesubjectbase'][0])
root_logger.debug(
'Found certificate subject base in DS: %s', subject_base)
+ except errors.PublicError, e:
+ root_logger.error('Cannot connect to DS to find certificate '
+ 'subject base: %s', e)
+ finally:
+ try:
+ api.Backend.ldap2.disconnect()
+ except:
+ pass
if not subject_base:
root_logger.debug('Unable to find certificate subject base in DS')
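Review bot: The bare `except: pass` around `api.Backend.ldap2.disconnect()` in the finally clause swallows KeyboardInterrupt and SystemExit along with everything else; use `except Exception:` at minimum, and since this is best-effort cleanup a `root_logger.debug('Cannot disconnect from DS: %s', e)` is cheap. Separately, the single `except errors.PublicError` now covers config_show() and the `ret['result'][...]` indexing as well as the connect, but the message still says 'Cannot connect to DS'; `'Cannot read certificate subject base from DS: %s'` matches what is caught, and a missing ipacertificatesubjectbase attribute would surface as a KeyError/IndexError that this handler does not catch. The enclosing method continues beyond the hunk.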