Re-sending this patch as it should go into Work towards next release.


Since we depend on Dogtag 10 now, there is no need to keep code
that installs a Dogtag 9 CA.

Support for upgraded Dogtag-9-style instances is left in.

https://fedorahosted.org/freeipa/ticket/3529

--
PetrĀ³
From 484ce47a858af38fe0e0ab4ab6fecd3a49d059d4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 15 Nov 2012 09:38:24 -0500
Subject: [PATCH] Remove code to install Dogtag 9

Since we depend on Dogtag 10 now, there is no need to keep code
that installs a Dogtag 9 CA.

Support for upgraded Dogtag-9-style instances is left in.

https://fedorahosted.org/freeipa/ticket/3529
---
 install/tools/ipa-ca-install           |  12 +--
 install/tools/ipa-replica-install      |  11 +-
 install/tools/ipa-server-install       |  20 +---
 install/tools/ipactl                   |   6 +-
 ipapython/platform/fedora16/service.py |   4 -
 ipaserver/install/cainstance.py        | 183 ++-------------------------------
 ipaserver/install/dsinstance.py        |   2 +-
 ipaserver/install/installutils.py      |   2 -
 8 files changed, 22 insertions(+), 218 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 2046b5fb8818fad5ded42e22c46a304c33f1ec06..81c11834547c37b01c4749079284affd13bb10d7 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -178,19 +178,15 @@ def main():
         cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
 
     # Configure the CA if necessary
-    (CA, cs) = cainstance.install_replica_ca(
+    CA = cainstance.install_replica_ca(
         config, dogtag_master_ds_port, postinstall=True)
 
     # We need to ldap_enable the CA now that DS is up and running
     CA.ldap_enable('CA', config.host_name, config.dirman_password,
                    ipautil.realm_to_suffix(config.realm_name))
-    if not dogtag.install_constants.SHARED_DB:
-        cs.add_simple_service('dogtagldap/%s@%s' %
-            (config.host_name, config.realm_name))
-        cs.add_cert_to_service()
-    else:
-        CA.enable_client_auth_to_db()
-        CA.restart()
+
+    CA.enable_client_auth_to_db()
+    CA.restart()
 
     # Install CA DNS records
     install_dns_records(config, options)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 2c28f37ce92b33b31121723667747dc6a0977173..b194b85a201c2d842938d3251fa9179c57d0bd68 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -653,22 +653,17 @@ def main():
     ds = install_replica_ds(config)
 
     # Configure the CA if necessary
-    (CA, cs) = cainstance.install_replica_ca(config, dogtag_master_ds_port)
+    CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
 
     # Always try to install DNS records
     install_dns_records(config, options)
 
     # We need to ldap_enable the CA now that DS is up and running
     if CA and config.setup_ca:
         CA.ldap_enable('CA', config.host_name, config.dirman_password,
                        ipautil.realm_to_suffix(config.realm_name))
-        if not dogtag.install_constants.SHARED_DB:
-            cs.add_simple_service('dogtagldap/%s@%s' %
-                (config.host_name, config.realm_name))
-            cs.add_cert_to_service()
-        else:
-            CA.enable_client_auth_to_db()
-            CA.restart()
+        CA.enable_client_auth_to_db()
+        CA.restart()
 
     krb = install_krb(config, setup_pkinit=options.setup_pkinit)
     http = install_http(config, auto_redirect=options.ui_redirect)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 992da90c142149597c0f7625fd14ec2613186c01..62adbd5bc5183793f3371e46e276b9ad20077b84 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1009,13 +1009,6 @@ def main():
 
 
     if setup_ca:
-        if not dogtag.install_constants.SHARED_DB:
-            cs = cainstance.CADSInstance(
-                host_name, realm_name, domain_name, dm_password)
-            if not cs.is_configured():
-                cs.create_instance(realm_name, host_name, domain_name,
-                    dm_password, subject_base=options.subject)
-
         ca = cainstance.CAInstance(realm_name, certs.NSS_DIR,
             dogtag_constants=dogtag.install_constants)
         if external == 0:
@@ -1055,17 +1048,8 @@ def main():
         # We need to ldap_enable the CA now that DS is up and running
         ca.ldap_enable('CA', host_name, dm_password,
                        ipautil.realm_to_suffix(realm_name))
-        if not dogtag.install_constants.SHARED_DB:
-            # Turn on SSL in the dogtag LDAP instance. This will get restarted
-            # later, we don't need SSL now.
-            cs.create_certdb()
-            cs.enable_ssl()
-            # Add the IPA service for storing the PKI-IPA server certificate.
-            cs.add_simple_service(cs.principal)
-            cs.add_cert_to_service()
-        else:
-            ca.enable_client_auth_to_db()
-            ca.restart()
+        ca.enable_client_auth_to_db()
+        ca.restart()
 
         # Upload the CA cert to the directory
         ds.upload_ca_cert()
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 2d699880ccf818cc33802994aa10bbd10e4c8851..df0d6f57e5a862006f7266a04d36ccdb02bc17b7 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -45,16 +45,14 @@ def check_IPA_configuration():
 
 def is_dirsrv_debugging_enabled():
     """
-    Check the IPA and PKI-CA 389-ds instances to see if debugging is
-    enabled. If so we suppress that in our output.
+    Check the 389-ds instance to see if debugging is enabled.
+    If so we suppress that in our output.
 
     returns True or False
     """
     debugging = False
     serverid = realm_to_serverid(api.env.realm)
     dselist = [config_dirname(serverid)]
-    if not dogtag.install_constants.SHARED_DB:
-        dselist.append('/etc/dirsrv/slapd-PKI-IPA/')
     for dse in dselist:
         try:
             fd = open(dse + 'dse.ldif', 'r')
diff --git a/ipapython/platform/fedora16/service.py b/ipapython/platform/fedora16/service.py
index dac8c0049b835d6be9bf05d817c7aae1b2a350c4..f8026b9f2bae9a70cc67ce56d7ae6915f1424a47 100644
--- a/ipapython/platform/fedora16/service.py
+++ b/ipapython/platform/fedora16/service.py
@@ -128,10 +128,6 @@ def __wait_until_running(self):
             root_logger.debug(
                 'The httpd proxy is not installed, skipping wait for CA')
             return
-        if dogtag.install_constants.DOGTAG_VERSION < 10:
-            # The server status information isn't available on DT 9
-            root_logger.debug('Using Dogtag 9, skipping wait for CA')
-            return
         root_logger.debug('Waiting until the CA is running')
         timeout = api.env.startup_timeout
         op_timeout = time.time() + timeout
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5669ebecb810ae0ff4f264725de3d67d54584e49..d83fd7a1d4c45ed06c61c1d96ca9eb6b27341ccc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -247,6 +247,11 @@ def is_step_one_done():
 
 
 class CADSInstance(service.Service):
+    """Certificate Authority DS instance
+
+    The CA DS was used with Dogtag 9. Only upgraded installations still use it.
+    Thus this class only does uninstallation.
+    """
     def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
         service.Service.__init__(self, "pkids",
             service_desc="directory server for the CA",
@@ -265,153 +270,6 @@ def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_passwor
         self.master_host = None
         self.nickname = 'Server-Cert'
         self.subject_base = None
-        if host_name and realm_name:
-            self.principal = "dogtagldap/%s@%s" % (self.fqdn, self.realm_name)
-        if realm_name:
-            self.suffix = ipautil.realm_to_suffix(self.realm_name)
-            self.__setup_sub_dict()
-        else:
-            self.suffix = DN()
-
-        if dogtag_constants is None:
-            dogtag_constants = dogtag.configured_constants()
-        self.dogtag_constants = dogtag_constants
-
-    subject_base = ipautil.dn_attribute_property('_subject_base')
-
-    def create_instance(self, realm_name, host_name, domain_name,
-                        dm_password, pkcs12_info=None, ds_port=DEFAULT_DSPORT,
-                        subject_base=None):
-        self.ds_port = ds_port
-        self.realm_name = realm_name.upper()
-        self.suffix = ipautil.realm_to_suffix(self.realm_name)
-        self.fqdn = host_name
-        self.dm_password = dm_password
-        self.domain = domain_name
-        self.pkcs12_info = pkcs12_info
-        self.subject_base = subject_base
-        self.principal = "dogtagldap/%s@%s" % (self.fqdn, self.realm_name)
-        self.__setup_sub_dict()
-
-        self.step("creating directory server user", self.__create_ds_user)
-        self.step("creating directory server instance", self.__create_instance)
-        self.step("restarting directory server", self.restart_instance)
-
-        self.start_creation(runtime=30)
-
-    def __setup_sub_dict(self):
-        server_root = dsinstance.find_server_root()
-        self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
-                             PASSWORD=self.dm_password, SUFFIX=self.suffix,
-                             REALM=self.realm_name, USER=PKI_DS_USER,
-                             SERVER_ROOT=server_root, DOMAIN=self.domain,
-                             TIME=int(time.time()), DSPORT=self.ds_port,
-                             GROUP=dsinstance.DS_GROUP)
-
-    def __create_ds_user(self):
-        try:
-            pwd.getpwnam(PKI_DS_USER)
-            root_logger.debug("ds user %s exists" % PKI_DS_USER)
-        except KeyError:
-            root_logger.debug("adding ds user %s" % PKI_DS_USER)
-            args = ["/usr/sbin/useradd", "-g", dsinstance.DS_GROUP,
-                                         "-c", "PKI DS System User",
-                                         "-d", "/var/lib/dirsrv",
-                                         "-s", "/sbin/nologin",
-                                         "-M", "-r", PKI_DS_USER]
-            try:
-                ipautil.run(args)
-                root_logger.debug("done adding user")
-            except ipautil.CalledProcessError, e:
-                root_logger.critical("failed to add user %s" % e)
-
-    def __create_instance(self):
-        self.backup_state("serverid", self.serverid)
-
-        inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
-        root_logger.debug("writing inf template")
-        inf_fd = ipautil.write_tmp_file(inf_txt)
-        inf_txt = re.sub(r"RootDNPwd=.*\n", "", inf_txt)
-        root_logger.debug(inf_txt)
-        if ipautil.file_exists("/usr/sbin/setup-ds.pl"):
-            args = ["/usr/sbin/setup-ds.pl", "--silent", "--logfile", "-", "-f", inf_fd.name]
-            root_logger.debug("calling setup-ds.pl")
-        else:
-            args = ["/usr/bin/ds_newinst.pl", inf_fd.name]
-            root_logger.debug("calling ds_newinst.pl")
-        try:
-            ipautil.run(args)
-            root_logger.debug("completed creating ds instance")
-        except ipautil.CalledProcessError, e:
-            root_logger.critical("failed to create ds instance %s" % e)
-        inf_fd.close()
-
-    def load_pkcs12(self):
-        dirname = dsinstance.config_dirname(self.serverid)
-        dsdb = certs.CertDB(self.realm_name, nssdir=dirname)
-        if self.pkcs12_info:
-            dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
-            server_certs = dsdb.find_server_certs()
-            if len(server_certs) == 0:
-                raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
-
-            # We only handle one server cert
-            self.nickname = server_certs[0][0]
-            self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
-            dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
-
-    def create_certdb(self):
-        """
-        Create the dogtag 389-ds instance NSS certificate database. This needs
-        to be done after dogtag is installed and configured.
-        """
-        dirname = dsinstance.config_dirname(self.serverid)
-        dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
-        cadb = certs.CertDB(self.realm_name, host_name=self.fqdn, subject_base=self.subject_base)
-        cadb.export_ca_cert('ipaCert', False)
-        dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
-        self.dercert = dsdb.create_server_cert("Server-Cert", self.fqdn, cadb)
-        dsdb.track_server_cert("Server-Cert", self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid)
-        dsdb.create_pin_file()
-
-    def enable_ssl(self):
-        conn = ipaldap.IPAdmin(self.fqdn, port=DEFAULT_DSPORT)
-        conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
-
-        mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers",
-                "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha")]
-        conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
-
-        mod = [(ldap.MOD_ADD, "nsslapd-security", "on"),
-               (ldap.MOD_ADD, "nsslapd-secureport", str(DEFAULT_DSPORT+1))]
-        conn.modify_s(DN(('cn', 'config')), mod)
-
-        entry = conn.make_entry(
-            DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
-            objectclass=["top", "nsEncryptionModule"],
-            cn=["RSA"],
-            nsSSLPersonalitySSL=[self.nickname],
-            nsSSLToken=["internal (software)"],
-            nsSSLActivation=["on"],
-        )
-        conn.add_entry(entry)
-
-        conn.unbind()
-
-    def restart_instance(self):
-        try:
-            ipaservices.knownservices.dirsrv.restart(self.serverid)
-            if not dsinstance.is_ds_running(self.serverid):
-                root_logger.critical("Failed to restart the directory server. See the installation log for details.")
-                sys.exit(1)
-        except Exception:
-            # TODO: roll back here?
-            root_logger.debug(traceback.format_exc())
-            root_logger.critical("Failed to restart the directory server. See the installation log for details.")
 
     def uninstall(self):
         if self.is_configured():
@@ -1757,16 +1615,16 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
 
     if not ipautil.file_exists(cafile):
         # Replica of old "self-signed" master - skip installing CA
-        return (None, None)
+        return None
 
     if not config.setup_ca:
         # We aren't configuring the CA in this step but we still need
         # a minimum amount of information on the CA for this IPA install.
         ca = CAInstance(config.realm_name, certs.NSS_DIR,
             dogtag_constants=dogtag.install_constants)
         ca.dm_password = config.dirman_password
         ca.subject_base = config.subject_base
-        return (ca, None)
+        return ca
 
     ca = CAInstance(config.realm_name, certs.NSS_DIR,
         dogtag_constants=dogtag.install_constants)
@@ -1780,17 +1638,6 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
         pkcs12_info = (config.dir + "/dogtagcert.p12",
                        config.dir + "/dirsrv_pin.txt")
 
-    if not dogtag.install_constants.SHARED_DB:
-        cs = CADSInstance(dogtag_constants=dogtag.install_constants)
-        cs.create_instance(config.realm_name, config.host_name,
-                           config.domain_name, config.dirman_password,
-                           pkcs12_info)
-        cs.load_pkcs12()
-        cs.enable_ssl()
-        cs.restart_instance()
-    else:
-        cs = None
-
     ca = CAInstance(config.realm_name, certs.NSS_DIR,
             dogtag_constants=dogtag.install_constants)
     if postinstall:
@@ -1821,16 +1668,11 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
     service.print_msg("Restarting the directory and certificate servers")
     ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
 
-    if not dogtag.install_constants.SHARED_DB:
-        ds_name = dogtag.install_constants.DS_NAME
-        ipaservices.knownservices.dirsrv.stop(ds_name)
-        ipaservices.knownservices.dirsrv.start(ds_name)
-    else:
-        ipaservices.knownservices.dirsrv.restart()
+    ipaservices.knownservices.dirsrv.restart()
 
     ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
 
-    return (ca, cs)
+    return ca
 
 def update_cert_config(nickname, cert):
     """
@@ -1914,12 +1756,7 @@ def update_people_entry(uid, dercert):
 
 if __name__ == "__main__":
     standard_logging_setup("install.log")
-    if not dogtag.install_constants.SHARED_DB:
-        cs = CADSInstance()
-        cs.create_instance(
-            "EXAMPLE.COM", "catest.example.com", "example.com", "password")
-    else:
-        ds = dsinstance.DsInstance()
+    ds = dsinstance.DsInstance()
 
     ca = CAInstance("EXAMPLE.COM", "/etc/httpd/alias")
     ca.configure_instance("catest.example.com", "example.com", "password", "password")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e6bb054ddad4a0d91d76d4c79eb477913e8776aa..5980b4018d6cffa2ee14cd97da55180a0a6c7475 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -208,7 +208,7 @@ def __common_setup(self, enable_ssl=False):
         self.step("configuring lockout plugin", self.__config_lockout_module)
         self.step("creating indices", self.__create_indices)
         self.step("enabling referential integrity plugin", self.__add_referint_module)
-        if not dogtag.install_constants.SHARED_DB or enable_ssl:
+        if enable_ssl:
             self.step("configuring ssl for ds instance", self.enable_ssl)
         self.step("configuring certmap.conf", self.__certmap_conf)
         self.step("configure autobind for root", self.__root_autobind)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index bc28dec43ce1561bf06d244bc98244ead84b8c12..5ed2689d75ab5b372a40031f03bab5000302752c 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -46,8 +46,6 @@
 IPA_MODULES = [
     'httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pki-tomcatd', 'install',
     'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
-if not dogtag.install_constants.SHARED_DB:
-    IPA_MODULES.append('pkids')
 
 
 class BadHostError(Exception):
-- 
1.8.1.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to