On 05/15/2013 12:29 PM, Petr Viktorin wrote:
> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>> Hello,
>>>
>>> See the commit message for details.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3594
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> +    def regenerate_ca_file(self, ca_file):
>> +        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
>> +        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
>> +
>> +        os.write(dm_pwd_fd, self.dirman_password)
>> +        os.close(dm_pwd_fd)
>> +
>> +        keydb_pwd = ''
>> +        with open('/etc/pki/pki-tomcat/password.conf') as f:
>> +            for line in f.readlines():
>> +                key, value = line.strip().split('=')
>> +                if key == 'internal':
>> +                    keydb_pwd = value
>> +                    break
>> +
>> +        os.write(keydb_pwd_fd, keydb_pwd)
>> +        os.close(keydb_pwd_fd)
>> +
>> +        ipautil.run([
>> +            '/usr/bin/PKCS12Export',
>> +            '-d', '/etc/pki/pki-tomcat/alias/',
>> +            '-p', keydb_pwd_fname,
>> +            '-w', dm_pwd_fname,
>> +            '-o', ca_file
>> +        ])
>> +
>>
>> If the PKCS12Export call fails (returns non-zero code), we raise
>> exception here, and the temporary files are never removed.
>>
>> +        os.remove(dm_pwd_fname)
>> +        os.remove(keydb_pwd_fname)
>>
>> This might not be a big issue since the mkstemp() call creates a temporary
>> file readable and writable only by the given user ID;
>> however, we should not leave files with passwords in plaintext on the
>> disk if it is not necessary.
>>
>> This can be easily prevented by wrapping the call in a
>> try-catch-finally block, or by using the raiseonerr=False option of the run
>> method.
>
> Or by using ipautil.write_tmp_file() – the file it creates is always
> removed after it's closed/garbage collected, and it has a name attribute.
>

Updated patch uses `ipautil.write_tmp_file()`.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From ed1d0e1bfec6f13dd92b24ca01f832e183695068 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Wed, 15 May 2013 11:22:41 +0200
Subject: [PATCH] Make sure replication works after DM password is changed

The replica information file contains the file `cacert.p12`, which is protected by
the Directory Manager (DM) password of the initial IPA server installation. The DM
password of the initial installation is also used as the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
---
 ipaserver/install/ipa_replica_prepare.py | 36 ++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index b6b063332a4ea6b87cddd20a0d53de22d4a0a639..eecced1b70a93de802d13bb3a6a36ebb135dddf8 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ def copy_ds_certificate(self):
             self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
         else:
             if ipautil.file_exists(options.ca_file):
+                # Since it is possible that the Directory Manager password
+                # has changed since ipa-server-install, we need to regenerate
+                # the CA PKCS#12 file and update the pki admin user password
+                self.regenerate_ca_file(options.ca_file)
+                self.update_pki_admin_password()
                 self.copy_info_file(options.ca_file, "cacert.p12")
             else:
                 raise admintool.ScriptError("Root CA PKCS#12 not "
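Review bot: The comment added at the top of this hunk does not say that `self.regenerate_ca_file(options.ca_file)` rewrites the user-supplied `options.ca_file` in place (the new method points `PKCS12Export -o` at that same path), so a reader may assume the original PKCS#12 file is preserved; extend it with `# Note: this overwrites options.ca_file in place with a copy protected by the current DM password`. The enclosing method (`copy_ds_certificate` per the hunk header) starts and ends outside the hunk.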
@@ -504,3 +509,34 @@ def export_ra_pkcs12(self):
                 db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
         finally:
             os.remove(agent_name)
+
+    def update_pki_admin_password(self):
+        ldap = ldap2(shared_instance=False)
+        ldap.connect(
+            bind_dn=DN(('cn', 'directory manager')),
+            bind_pw=self.dirman_password
+        )
+        dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+        ldap.modify_password(dn, self.dirman_password)
+        ldap.disconnect()
+
+    def regenerate_ca_file(self, ca_file):
+        dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+        keydb_pwd = ''
+        with open('/etc/pki/pki-tomcat/password.conf') as f:
+            for line in f.readlines():
+                key, value = line.strip().split('=')
+                if key == 'internal':
+                    keydb_pwd = value
+                    break
+
+        keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
+
+        ipautil.run([
+            '/usr/bin/PKCS12Export',
+            '-d', '/etc/pki/pki-tomcat/alias/',
+            '-p', keydb_pwd_fd.name,
+            '-w', dm_pwd_fd.name,
+            '-o', ca_file
+        ])
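Review bot: In `regenerate_ca_file`, `key, value = line.strip().split('=')` raises ValueError on a blank line or on a value that itself contains `=`, and when no `internal` entry is found the export silently runs with an empty key database password; use `key, sep, value = line.strip().partition('=')` with `if sep and key == 'internal':`, and after the loop `if not keydb_pwd: raise admintool.ScriptError("No 'internal' password found in /etc/pki/pki-tomcat/password.conf")`. In `update_pki_admin_password`, `ldap.disconnect()` is skipped when `modify_password` raises, so the bound Directory Manager connection is leaked on failure; wrap the `modify_password` call in `try:`/`finally: ldap.disconnect()`. Both new methods lack a docstring; a one-line summary for each (which file is re-exported and with which password, and which LDAP entry's password is reset to the DM password) would help the next maintainer. Iterating the file directly with `for line in f:` also avoids the `f.readlines()` list.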
-- 
1.8.1.4

