On 11/01/2012 06:33 PM, Petr Viktorin wrote:
On 10/29/2012 04:48 PM, Petr Viktorin wrote:
On 10/26/2012 02:25 PM, Petr Viktorin wrote:
On 10/26/2012 02:20 PM, Petr Viktorin wrote:
Attached are this thread's patches rebased and squashed into one.
... and here is a patch to address replication problems related to
merging the schemata of the IPA and CA databases. See the commit message
for details.
https://fedorahosted.org/freeipa/ticket/3213
With the previous patch, if an old split-database DT9 CA was inatalled,
ipa-ca-install didn't detect this, started installing another CA, and
then failed a bit later in the process.
I've added a check for this to the patch.
Two more modifications are needed to support installing a CA on an old
replica. See commit messages for details. Here is the first one.
...and the second.
--
PetrĀ³
From 97957f8a958b3e7cb311f1e915cbf4b41d260faf Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 1 Nov 2012 12:16:25 -0400
Subject: [PATCH] Update certmap.conf on IPA upgrades
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.
This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
---
install/share/certmap.conf.template | 6 +++++-
install/tools/ipa-upgradeconfig | 17 ++++++++++++++++-
ipaserver/install/dsinstance.py | 2 +-
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 40b4e6cb1513bed586248e0c214730861b9715cf..cff3a669b8946223b62e4fda00dbfa21d98245cd 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -1,4 +1,8 @@
+# VERSION 1 - DO NOT REMOVE THIS LINE
#
+# This file is managed by IPA and will be overwritten on upgrades.
+
+
# BEGIN COPYRIGHT BLOCK
# This Program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
@@ -80,6 +84,6 @@ certmap default default
#default:InitFn <Init function's name>
default:DNComps
default:FilterComps uid
-certmap ipaca CN=Certificate Authority,O=domain_name
+certmap ipaca CN=Certificate Authority,O=$REALM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 14d4e0829162ab78665f794c582e704b5901ea41..12e96cfb77786a5ff503975d05876f56c8876111 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -153,7 +153,11 @@ def find_autoredirect(fqdn):
return True
def find_version(filename):
- """Find the version of a configuration file"""
+ """Find the version of a configuration file
+
+ If no VERSION entry exists in the file, returns 0.
+ If the file does not exist, returns -1.
+ """
if os.path.exists(filename):
pattern = "^[\s#]*VERSION\s+([0-9]+)\s+.*"
p = re.compile(pattern)
@@ -185,6 +189,12 @@ def upgrade(sub_dict, filename, template, add=False):
if new < 0:
root_logger.error("%s not found." % template)
+ if old == 0:
+ # The original file does not have a VERSION entry. This means it's now
+ # managed by IPA, but previously was not.
+ root_logger.warning("%s is now managed by IPA. It will be "
+ "overwritten. A backup of the original will be made.", filename)
+
if old < new or (add and old == 0):
backup_file(filename, new)
update_conf(sub_dict, filename, template)
@@ -626,9 +636,14 @@ def main():
'=')
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
+ certmap_dir = dsinstance.config_dirname(
+ dsinstance.realm_to_serverid(api.env.realm))
+
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+ upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"),
+ os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))
upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 060490d59c90d62fcdd3d0da89b4f6eb1d0fbf97..3b4db1e7a26a8c9c143be487f93738648ec76813 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -610,7 +610,7 @@ class DsInstance(service.Service):
shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
config_dirname(self.serverid) + "certmap.conf")
installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
- 'domain_name', self.realm_name)
+ '$REALM', self.realm_name)
def __enable_ldapi(self):
self._ldap_mod("ldapi.ldif", self.sub_dict)
--
1.7.7.6
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel