Hello, See the commit message for details.
https://fedorahosted.org/freeipa/ticket/3594 -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.
From 1354ddec918dd0de235c9a35e2155483c6c1d97a Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Wed, 15 May 2013 11:22:41 +0200
Subject: [PATCH] Make sure replication works after DM password is changed
Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails.
To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password
https://fedorahosted.org/freeipa/ticket/3594
---
 ipaserver/install/ipa_replica_prepare.py | 44 ++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index b6b063332a4ea6b87cddd20a0d53de22d4a0a639..6f5e511ad7b3c83e2195832846fc1c9553ed276d 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ def copy_ds_certificate(self):
             self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
         else:
             if ipautil.file_exists(options.ca_file):
+                # Since it is possible that the Directory Manager password
+                # has changed since ipa-server-install, we need to regenerate
+                # the CA PKCS#12 file and update the pki admin user password
+                self.regenerate_ca_file(options.ca_file)
+                self.update_pki_admin_password()
                 self.copy_info_file(options.ca_file, "cacert.p12")
             else:
                 raise admintool.ScriptError("Root CA PKCS#12 not "
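Review bot: `regenerate_ca_file` writes its output directly to `options.ca_file` (the `-o ca_file` argument), so the existing Root CA PKCS#12 is overwritten in place before `copy_info_file` copies it; whether `PKCS12Export` truncates the output before it can fail is not visible here, but if it does, a failed run leaves the server without the original file. Export to a temporary path in the same directory and rename it over `ca_file` only after `ipautil.run` returns successfully. The new comment should also say that the second call is a persistent change to the server, not just preparation of the replica file, e.g. `# NOTE: this resets the PKI admin (uid=admin,ou=people,o=ipaca) password on this server to the current DM password`. The body of `copy_ds_certificate` continues outside the hunk.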
@@ -504,3 +509,42 @@ def export_ra_pkcs12(self):
             db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
         finally:
             os.remove(agent_name)
+
+    def update_pki_admin_password(self):
+        ldap = ldap2(shared_instance=False)
+        ldap.connect(
+            bind_dn=DN(('cn', 'directory manager')),
+            bind_pw=self.dirman_password
+        )
+        dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+        ldap.modify_password(dn, self.dirman_password)
+        ldap.disconnect()
+
+    def regenerate_ca_file(self, ca_file):
+        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+        os.write(dm_pwd_fd, self.dirman_password)
+        os.close(dm_pwd_fd)
+
+        keydb_pwd = ''
+        with open('/etc/pki/pki-tomcat/password.conf') as f:
+            for line in f.readlines():
+                key, value = line.strip().split('=')
+                if key == 'internal':
+                    keydb_pwd = value
+                    break
+
+        os.write(keydb_pwd_fd, keydb_pwd)
+        os.close(keydb_pwd_fd)
+
+        ipautil.run([
+            '/usr/bin/PKCS12Export',
+            '-d', '/etc/pki/pki-tomcat/alias/',
+            '-p', keydb_pwd_fname,
+            '-w', dm_pwd_fname,
+            '-o', ca_file
+        ])
+
+        os.remove(dm_pwd_fname)
+        os.remove(keydb_pwd_fname)
-- 
1.8.1.4
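Review bot: In `regenerate_ca_file` the two temporary files holding the Directory Manager password and the NSS key database password are removed only on the success path; if opening `password.conf`, the parse loop, or `ipautil.run` raises, both secrets remain on disk under the temp directory. The cleanup belongs in a `finally`. The parse loop is also fragile: `line.strip().split('=')` raises `ValueError` on any line of `password.conf` without exactly one `=` (a blank or comment line is enough), and when no `internal` entry is found an empty password is silently written and handed to `PKCS12Export`; use `partition('=')` and fail explicitly when the entry is missing. `update_pki_admin_password` has the same shape problem, so `ldap.disconnect()` should likewise sit in a `finally` after `ldap.connect(...)`.
```python
    def regenerate_ca_file(self, ca_file):
        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
        try:
            os.write(dm_pwd_fd, self.dirman_password)
            os.close(dm_pwd_fd)

            keydb_pwd = ''
            with open('/etc/pki/pki-tomcat/password.conf') as f:
                for line in f:
                    key, sep, value = line.strip().partition('=')
                    if sep and key == 'internal':
                        keydb_pwd = value
                        break
            if not keydb_pwd:
                raise admintool.ScriptError(
                    "Could not find the internal NSS database password "
                    "in /etc/pki/pki-tomcat/password.conf")

            os.write(keydb_pwd_fd, keydb_pwd)
            os.close(keydb_pwd_fd)

            # … unchanged: ipautil.run([...PKCS12Export...]) …
        finally:
            # secrets must not survive a failed export
            os.remove(dm_pwd_fname)
            os.remove(keydb_pwd_fname)
```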