When using a selfsign CA, you can't run ipa-ca-install at all, and you can only run ipa-replica-prepare on the initial master.

rob
>From cb2a4fd8c52602d8da8821348a5334ad7201bd57 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 8 Sep 2011 17:21:32 -0400
Subject: [PATCH] Detect CA installation type in ipa-replica-prepare and ipa-ca-install.

ipa-ca-install can only add a dogtag CA to an IPA install.

With a selfsign backend, ipa-replica-prepare can only be run on the
initial master.

https://fedorahosted.org/freeipa/ticket/1756
https://fedorahosted.org/freeipa/ticket/1757
---
 install/tools/ipa-ca-install      |   13 ++++++-------
 install/tools/ipa-replica-prepare |    3 +++
 ipaserver/install/certs.py        |   13 +++++++++++++
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 05a05dce9bf00102aa9781997f9d7f52fd5e8ba2..7ff457c96a5ccdef42f32b5fcf52807cd3f382bf 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -83,6 +83,12 @@ def main():
     if not dsinstance.DsInstance().is_configured():
         sys.exit("IPA server is not configured on this system.\n")
 
+    api.bootstrap(in_server=True)
+    api.finalize()
+
+    if certs.ipa_self_signed():
+        sys.exit('A selfsign CA can not be added')
+
     # get the directory manager password
     dirman_password = options.password
     if not dirman_password:
@@ -129,16 +135,9 @@ def main():
     if not options.skip_conncheck:
         replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password)
 
-    api.bootstrap(in_server=True)
-    api.finalize()
-
     # Configure the CA if necessary
     (CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
 
-    if not CA:
-        # not a dogtag CA replica
-        sys.exit("Not a dogtag CA installation!")
-
     # We need to ldap_enable the CA now that DS is up and running
     CA.ldap_enable('CA', config.host_name, config.dirman_password,
                    util.realm_to_suffix(config.realm_name))
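Review bot: Removing the `if not CA:` guard leaves the `CA.ldap_enable(...)` call two lines below with no protection against a falsy return from `cainstance.install_replica_ca`; the selfsign case is now rejected earlier in the file, but if that helper can still return `(None, ...)` for any other reason (its body is not in this patch, so this is inferred) the clear exit message becomes an AttributeError traceback. Keeping a minimal guard costs two lines: `if not CA:` / `    sys.exit("Not a dogtag CA installation!")`, or a message naming the actual failure if the selfsign wording is now misleading. main() continues outside the hunk.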
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 0c88244b33f46aa87f4f619a0b7053ec14fd7603..5755153e3a7ba0931abf5e020d735d9d944d7927 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -247,6 +247,9 @@ def main():
     if not options.pkinit_pkcs12 and not certs.ipa_self_signed():
         options.setup_pkinit = False
 
+    if certs.ipa_self_signed_master() == False:
+        sys.exit('A selfsign CA backend can only prepare on the original master')
+
     try:
         installutils.verify_fqdn(replica_fqdn)
     except RuntimeError, e:
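Review bot: The new check compares against the `False` singleton with `==` so that the `None` return ("not a self-signed server") is not treated as a failure; the identity form states that intent directly and avoids surprises if the helper ever returns a non-bool, so `if certs.ipa_self_signed_master() is False:` is preferable. A one-line comment above it, `# None means dogtag backend, which may prepare replicas on any master`, would spare the next reader a trip to certs.py to learn why a plain `not` would be wrong here. main() continues outside the hunk.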
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index ead9c815936a882784144122c6722c59478a5156..1657c75c959bab73e2d6ddbdf871ddf0d1a51b9c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -65,6 +65,19 @@ def ipa_self_signed():
     else:
         return False
 
+def ipa_self_signed_master():
+    """
+    The selfsign backend is enabled only one a single master.
+
+    Return True/False whether this is that master.
+
+    Returns None if not a self-signed server.
+    """
+    if ipa_self_signed():
+        return api.env.enable_ra
+    else:
+        return None
+
 def find_cert_from_txt(cert, start=0):
     """
     Given a cert blob (str) which may or may not contian leading and
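Review bot: The docstring of the new `ipa_self_signed_master()` has a typo in its first line; it should read `The selfsign backend is enabled only on a single master.`, and since callers distinguish `False` from `None` it is worth stating explicitly that the function is tri-state, e.g. `Returns True on the selfsign master, False on any other selfsign server, None when the CA is not self-signed.`. The function returns `api.env.enable_ra` directly; the caller in ipa-replica-prepare compares the result with `== False`, so this relies on `enable_ra` already being a real bool in the environment (not visible in this patch); `return bool(api.env.enable_ra)` would make the contract hold regardless. It also presumes `api` is imported in certs.py, which this hunk does not show.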
-- 
1.7.4
