URL: https://github.com/freeipa/freeipa/pull/2294 Author: Tiboris Title: #2294: [Backport][ipa-4-6] Do not set ca_host when --setup-ca is used. Action: opened
PR body: """ This PR was opened automatically because PR #2185 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2294/head:pr2294 git checkout pr2294
From 0e76d9430fdb7c17c342d3110cd4820ecd9b1c57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdud...@redhat.com>
Date: Thu, 26 Jul 2018 11:46:55 +0200
Subject: [PATCH] Do not set ca_host when --setup-ca is used

Setting ca_host caused replication failures on DL0 because it was trying to connect to wrong CA host. Trying to avoid corner-case in ipaserver/plugins/dogtag.py when api.env.host nor api.env.ca_host had not CA configured and there was ca_host set to api.env.ca_host variable.

See: https://pagure.io/freeipa/issue/7566
Resolves: https://pagure.io/freeipa/issue/7629
---
 ipaserver/install/cainstance.py            | 24 ++++++++++++++++++++++
 ipaserver/install/server/replicainstall.py |  7 +++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 30f70932b3..2aea524f02 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -452,6 +452,11 @@ def configure_instance(self, host_name, dm_password, admin_password,
         self.step("updating IPA configuration", update_ipa_conf)
         self.step("enabling CA instance", self.__enable_instance)
         if not promote:
+            if self.clone:
+                # DL0 workaround; see docstring of __expose_ca_in_ldap
+                self.step("exposing CA instance on LDAP",
+                          self.__expose_ca_in_ldap)
+
             self.step("migrating certificate profiles to LDAP",
                       migrate_profiles_to_ldap)
             self.step("importing IPA certificate profiles",
@@ -1269,6 +1274,25 @@ def __enable_instance(self):
             config = []
         self.ldap_configure('CA', self.fqdn, None, basedn, config)
 
+    def __expose_ca_in_ldap(self):
+        """
+        In a case when replica is created on DL0 we need to make
+        sure that query for CA service record of this replica in
+        ldap will succeed in time of installation.
+        This method is needed for sucessfull replica installation
+        on DL0 and should be removed alongside with code for DL0.
+
+        To suppress deprecation warning message this method is
+        not invoking ldap_enable() but _ldap_enable() method.
+        """
+
+        basedn = ipautil.realm_to_suffix(self.realm)
+        if not self.clone:
+            config = ['caRenewalMaster']
+        else:
+            config = []
+        self._ldap_enable(u'enabledService', "CA", self.fqdn, basedn, config)
+
     def setup_lightweight_ca_key_retrieval(self):
         if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'):
             return
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8aba0b816e..c009c7f2f2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -241,9 +241,12 @@ def create_ipa_conf(fstore, config, ca_enabled, master=None):
         gopts.extend([
             ipaconf.setOption('enable_ra', 'True'),
             ipaconf.setOption('ra_plugin', 'dogtag'),
-            ipaconf.setOption('dogtag_version', '10'),
-            ipaconf.setOption('ca_host', config.ca_host_name)
+            ipaconf.setOption('dogtag_version', '10')
         ])
+
+        if not config.setup_ca:
+            gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))
+
     else:
         gopts.extend([
             ipaconf.setOption('enable_ra', 'False'),
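Review bot: The `if not self.clone: config = ['caRenewalMaster']` branch in __expose_ca_in_ldap is unreachable from the only call site this patch adds (it is guarded by `if self.clone:`), and if some future caller did reach it, the method would silently write the caRenewalMaster role for this host into LDAP — a privileged role that the context lines above suggest is meant to be assigned only by __enable_instance. Since the docstring describes this as a replica-only DL0 workaround, I would make that explicit and drop the duplicated role logic: `if not self.clone:`, `    raise RuntimeError("__expose_ca_in_ldap is only valid for CA clones")`, `self._ldap_enable(u'enabledService', "CA", self.fqdn, basedn, [])`. The docstring also has a typo, "sucessfull" should read "successful", and it should name the DL0 removal explicitly, e.g. "TODO: remove together with domain level 0 support". The __enable_instance method this hunk starts in begins outside the hunk.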
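Review bot: The new `if not config.setup_ca:` block in create_ipa_conf omits ca_host for a replica that installs its own CA, but nothing in the code records why; the reasoning lives only in the commit message, and the next person touching this will not know that pinning ca_host to another master is what broke DL0 replica installs. I would add a comment above the branch: `# Only pin ca_host when this replica has no CA of its own; with --setup-ca the RA must talk to the local CA, and a pinned remote ca_host broke DL0 replica install (pagure #7629).` Separately, the branch writes `config.ca_host_name` unconditionally; I cannot see where that attribute is populated, so if it can be unset here the resulting `ca_host = None` entry would be worse than omitting the option, and a guard such as `if not config.setup_ca and config.ca_host_name:` may be warranted. The body of create_ipa_conf continues outside this hunk.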