On 11/01/2012 06:33 PM, Petr Viktorin wrote:
On 10/29/2012 04:48 PM, Petr Viktorin wrote:
On 10/26/2012 02:25 PM, Petr Viktorin wrote:
On 10/26/2012 02:20 PM, Petr Viktorin wrote:
Attached are this thread's patches rebased and squashed into one.


... and here is a patch to address replication problems related to
merging the schemata of the IPA and CA databases. See the commit message
for details.

https://fedorahosted.org/freeipa/ticket/3213


With the previous patch, if an old split-database DT9 CA was installed,
ipa-ca-install didn't detect this, started installing another CA, and
then failed a bit later in the process.

I've added a check for this to the patch.



Two more modifications are needed to support installing a CA on an old
replica. See commit messages for details. Here is the first one.

...and the second.


--
Petr³
From 97957f8a958b3e7cb311f1e915cbf4b41d260faf Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 1 Nov 2012 12:16:25 -0400
Subject: [PATCH] Update certmap.conf on IPA upgrades

This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.

This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
---
 install/share/certmap.conf.template |    6 +++++-
 install/tools/ipa-upgradeconfig     |   17 ++++++++++++++++-
 ipaserver/install/dsinstance.py     |    2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 40b4e6cb1513bed586248e0c214730861b9715cf..cff3a669b8946223b62e4fda00dbfa21d98245cd 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -1,4 +1,8 @@
+# VERSION 1 - DO NOT REMOVE THIS LINE
 #
+# This file is managed by IPA and will be overwritten on upgrades.
+
+
 # BEGIN COPYRIGHT BLOCK
 # This Program is free software; you can redistribute it and/or modify it under
 # the terms of the GNU General Public License as published by the Free Software
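Review bot: The two added blank lines after the "managed by IPA" comment leave a double blank line before the copyright block; one is enough, and the `#` comment marker on the line between them would keep the header a single comment block. Since this file is now overwritten on upgrade, the commit message should also say that any local edits administrators made to certmap.conf will be lost (the backup is only noted in the log).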
@@ -80,6 +84,6 @@ certmap default         default
 #default:InitFn         <Init function's name>
 default:DNComps
 default:FilterComps     uid
-certmap ipaca           CN=Certificate Authority,O=domain_name
+certmap ipaca           CN=Certificate Authority,O=$REALM
 ipaca:CmapLdapAttr      seeAlso
 ipaca:verifycert        on
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 14d4e0829162ab78665f794c582e704b5901ea41..12e96cfb77786a5ff503975d05876f56c8876111 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -153,7 +153,11 @@ def find_autoredirect(fqdn):
     return True
 
 def find_version(filename):
-    """Find the version of a configuration file"""
+    """Find the version of a configuration file
+
+    If no VERSION entry exists in the file, returns 0.
+    If the file does not exist, returns -1.
+    """
     if os.path.exists(filename):
         pattern = "^[\s#]*VERSION\s+([0-9]+)\s+.*"
         p = re.compile(pattern)
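Review bot: The docstring now promises 0 when no VERSION entry exists, but the pattern `"^[\s#]*VERSION\s+([0-9]+)\s+.*"` requires at least one whitespace character after the number, so a line reading exactly `# VERSION 1` with nothing after it would not be detected and the file would be treated as unmanaged (0) and overwritten with a backup. The template's "# VERSION 1 - DO NOT REMOVE THIS LINE" matches, but consider relaxing the trailing `\s+.*` to `\s*.*` (or `\b`) so the check does not depend on trailing text; a raw string for the pattern would also avoid the `\s` escape ambiguity.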
@@ -185,6 +189,12 @@ def upgrade(sub_dict, filename, template, add=False):
     if new < 0:
         root_logger.error("%s not found." % template)
 
+    if old == 0:
+        # The original file does not have a VERSION entry. This means it's now
+        # managed by IPA, but previously was not.
+        root_logger.warning("%s is now managed by IPA. It will be "
+            "overwritten. A backup of the original will be made.", filename)
+
     if old < new or (add and old == 0):
         backup_file(filename, new)
         update_conf(sub_dict, filename, template)
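Review bot: The warning "is now managed by IPA. It will be overwritten." is logged whenever `old == 0`, but the overwrite below only happens when `old < new or (add and old == 0)`. If the template was not found (`new < 0`, error logged just above) the warning still claims the file will be overwritten although nothing is written. Either guard the warning with `new > 0` or move it into the `if old < new or ...` branch so the log matches what actually happens.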
@@ -626,9 +636,14 @@ def main():
                                          '=')
         sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
 
+    certmap_dir = dsinstance.config_dirname(
+        dsinstance.realm_to_serverid(api.env.realm))
+
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
+    upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"),
+        os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))
     upgrade_pki(ca, fstore)
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
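Review bot: The new upgrade() call relies on `sub_dict` containing a `REALM` key for the template's `O=$REALM` entry, but nothing in this hunk adds it; if `sub_dict` lacks it the substitution leaves the literal `$REALM` in certmap.conf and the ipaca cert mapping breaks. Please confirm where `REALM` is set, and for consistency with the neighbouring calls either use `ipautil.SHARE_DIR + "certmap.conf.template"` or switch those to `os.path.join` as well. Note also that because `find_version` returns -1 for a missing file, `old < new` is true and the call will create certmap.conf from scratch when it is absent; that is probably intended, but worth a comment.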
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 060490d59c90d62fcdd3d0da89b4f6eb1d0fbf97..3b4db1e7a26a8c9c143be487f93738648ec76813 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -610,7 +610,7 @@ class DsInstance(service.Service):
         shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
                         config_dirname(self.serverid) + "certmap.conf")
         installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
-                                 'domain_name', self.realm_name)
+                                 '$REALM', self.realm_name)
 
     def __enable_ldapi(self):
         self._ldap_mod("ldapi.ldif", self.sub_dict)
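Review bot: The search string passed to `installutils.update_file` is now `'$REALM'`, and `$` is a regex metacharacter. If update_file compiles its search argument into a regular expression without escaping it, `$REALM` will never match and the freshly copied certmap.conf keeps the literal `$REALM` in the ipaca mapping, so the CA cert would not map to the ipaca user. Please verify that update_file escapes the pattern (re.escape) or replace it with a plain string replacement here.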
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
