Diffstat (limited to 'ipaserver/install/drminstance.py')
-rw-r--r--ipaserver/install/drminstance.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/ipaserver/install/drminstance.py b/ipaserver/install/drminstance.py
index a251e39a3..de98276e8 100644
--- a/ipaserver/install/drminstance.py
+++ b/ipaserver/install/drminstance.py
@@ -26,6 +26,7 @@ import tempfile
from ipalib import api
from ipapython import dogtag
+from ipapython import ipaldap
from ipapython import ipautil
from ipapython import services as ipaservices
from ipapython.dn import DN
@@ -104,6 +105,8 @@ class DRMInstance(DogtagInstance):
"A Dogtag CA must be installed first")
self.step("configuring DRM instance", self.__spawn_instance)
+ if not self.clone:
+ self.step("add RA user to DRM agent group", self.__add_ra_user_to_agent_group)
self.step("restarting DRM", self.restart_instance)
self.step("configure certificate renewals", self.configure_renewal)
self.step("Configure HTTP to proxy connections",
@@ -250,6 +253,20 @@ class DRMInstance(DogtagInstance):
root_logger.debug("completed creating DRM instance")
+ def __add_ra_user_to_agent_group(self):
+ """
+ Add RA agent created for CA to DRM agent group.
+ """
+ conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
+ conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+
+ entry_dn = DN(('uid', "ipara"), ('ou', 'People'), ('o', 'ipaca'))
+ dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'), self.basedn)
+ modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
+ conn.modify_s(dn, modlist)
+
+ conn.unbind()
+
@staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None):
"""