authorMartin Kosek <mkosek@redhat.com>2014-03-11 16:28:19 +0100
committerMartin Kosek <mkosek@redhat.com>2014-03-11 17:10:28 +0100
commit0be66e9a67e433d36b9e4c00a17b45393d51a888 (patch)
treeed83d5a17979cd764a77e603dc62c950f5bedf81 /ipaserver
parent740298d1208e92c264ef5752ac3fe6adf1240790 (diff)
ipa-replica-install never checks for 7389 port
When creating a replica from a Dogtag 9 based IPA server, port 7389, which is required for the installation, is never checked by ipa-replica-conncheck even though it knows that it is being installed from a Dogtag 9 based FreeIPA server. If port 7389 were blocked by a firewall, the installation would get stuck with no hint to the user. Make sure that the port configuration parsed from the replica info file is used consistently in the installers. https://fedorahosted.org/freeipa/ticket/4240 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py12
-rw-r--r--ipaserver/install/installutils.py16
2 files changed, 21 insertions, 7 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5e7cab8e0..733847c07 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1575,7 +1575,7 @@ class CAInstance(service.Service):
return master == 'New'
-def replica_ca_install_check(config, master_ds_port):
+def replica_ca_install_check(config):
if not config.setup_ca:
return
@@ -1584,8 +1584,6 @@ def replica_ca_install_check(config, master_ds_port):
# Replica of old "self-signed" master - CA won't be installed
return
- master_ds_port = int(master_ds_port)
-
# Exit if we have an old-style (Dogtag 9) CA already installed
ca = CAInstance(config.realm_name, certs.NSS_DIR,
dogtag_constants=dogtag.Dogtag9Constants)
@@ -1593,13 +1591,13 @@ def replica_ca_install_check(config, master_ds_port):
root_logger.info('Dogtag 9 style CA instance found')
sys.exit("A CA is already configured on this system.")
- if master_ds_port != dogtag.Dogtag9Constants.DS_PORT:
+ if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
root_logger.debug(
'Installing CA Replica from master with a merged database')
return
# Check if the master has the necessary schema in its CA instance
- ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port)
+ ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
objectclass = 'ipaObject'
root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
try:
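Review bot: The test `config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT` now depends on `config.ca_ds_port` already being an int, because the `int(master_ds_port)` normalisation was dropped in the previous hunk. Where `ca_ds_port` is assigned is not visible in this diff (the diffstat is limited to ipaserver). If any caller stores it as a string, the comparison is always unequal and the function returns on the "merged database" branch before the schema check on the master is ever run. Either keep the normalisation, `ca_ds_port = int(config.ca_ds_port)`, or state the contract in a comment such as `# config.ca_ds_port must be an int, as returned by read_replica_info_dogtag_port()`. The body of replica_ca_install_check continues outside this hunk.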
@@ -1628,7 +1626,7 @@ def replica_ca_install_check(config, master_ds_port):
exit('IPA schema missing on master CA directory server')
-def install_replica_ca(config, master_ds_port, postinstall=False):
+def install_replica_ca(config, postinstall=False):
"""
Install a CA on a replica.
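Review bot: Removing the second positional parameter from `install_replica_ca` means a caller that was not updated and still passes `(config, port)` will not fail, since the port number binds to `postinstall` and is truthy. The callers are outside the files shown here, so this cannot be confirmed from the diff. It is worth checking that every call site passes `postinstall` by keyword, and the docstring could say so, for example `postinstall must be passed by keyword; the DS port is read from config.ca_ds_port`. `replica_ca_install_check` in the first hunk has no such problem, because a stale two-argument call there raises a TypeError. The function body continues outside this hunk.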
@@ -1677,7 +1675,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
config.dirman_password, config.dirman_password,
pkcs12_info=(cafile,),
master_host=config.master_host_name,
- master_replication_port=master_ds_port,
+ master_replication_port=config.ca_ds_port,
subject_base=config.subject_base)
# Restart httpd since we changed it's config and added ipa-pki-proxy.conf
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 4cc33ac56..daf81e890 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig):
except NoOptionError:
pass
+def read_replica_info_dogtag_port(config_dir):
+ portfile = config_dir + "/dogtag_directory_port.txt"
+ default_port = dogtag.Dogtag9Constants.DS_PORT
+ if not ipautil.file_exists(portfile):
+ dogtag_master_ds_port = default_port
+ else:
+ with open(portfile) as fd:
+ try:
+ dogtag_master_ds_port = int(fd.read())
+ except (ValueError, IOError), e:
+ root_logger.debug('Cannot parse dogtag DS port: %s', e)
+ root_logger.debug('Default to %d', default_port)
+ dogtag_master_ds_port = default_port
+
+ return dogtag_master_ds_port
+
def check_server_configuration():
"""
Check if IPA server is configured on the system.
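Review bot: In `read_replica_info_dogtag_port` the `open(portfile)` call sits outside the `try`, so the `IOError` handler only covers `fd.read()`; a port file that exists but cannot be opened raises instead of falling back to the default. The parsed value is also accepted without a range check, so a non-positive or oversized number from the replica info file flows straight into the LDAP URL and the replication port. The fallback is logged at debug level only, which hides a malformed port file from the person running the installer, the same silent-failure mode this commit sets out to remove. The function also has no docstring; one sentence saying that it returns the Dogtag DS port from the replica info directory, and the Dogtag 9 port when the file is missing or invalid, would do.

```python
def read_replica_info_dogtag_port(config_dir):
    # … unchanged: portfile and default_port assignments …
    if not ipautil.file_exists(portfile):
        return default_port
    try:
        # open() is inside the try so an unreadable file also falls back
        with open(portfile) as fd:
            dogtag_master_ds_port = int(fd.read())
        if not 0 < dogtag_master_ds_port < 65536:
            raise ValueError(
                'port %d out of range' % dogtag_master_ds_port)
    except (ValueError, IOError) as e:
        root_logger.warning('Cannot parse dogtag DS port: %s', e)
        root_logger.warning('Default to %d', default_port)
        dogtag_master_ds_port = default_port

    return dogtag_master_ds_port
```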