On 07/30/2013 06:24 PM, Petr Viktorin wrote: > On 07/30/2013 10:27 AM, Ana Krivokapic wrote: >> Hello, >> >> This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3783. >> > > Thanks for the patch, I have a concern below: > >> freeipa-akrivoka-0051-Handle-subject-option-in-ipa-server-install.patch >> diff --git a/install/tools/ipa-upgradeconfig >> b/install/tools/ipa-upgradeconfig >> index >> de17c5b23d79f31e8571a3400d44397630cadada..a2625e6198bcff0811c482e479c8af10716dcea1 >> 100644 >> --- a/install/tools/ipa-upgradeconfig >> +++ b/install/tools/ipa-upgradeconfig >> @@ -894,6 +895,7 @@ def main(): >> configured_constants = dogtag.configured_constants() >> sub_dict = dict( >> REALM=api.env.realm, >> + SUBJECT_BASE=str(DN(('O', api.env.realm))), > > When certmap.conf.template's version changes again, this will rewrite the > subject to the default. Don't we want to use the subject base also here? > > >
You are right. The updated patch uses the current value of subject base from LDAP to update certmap.conf during upgrades. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.
From dcf162e4eef3b0e0384a9d9be6d40584694663d2 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic <akriv...@redhat.com> Date: Mon, 29 Jul 2013 18:33:09 +0200 Subject: [PATCH] Handle --subject option in ipa-server-install Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose. https://fedorahosted.org/freeipa/ticket/3783 --- install/share/certmap.conf.template | 4 ++-- install/tools/ipa-upgradeconfig | 16 ++++++++++++++++ ipaserver/install/dsinstance.py | 2 +- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template index cff3a669b8946223b62e4fda00dbfa21d98245cd..7beb5070fbff2f7fe614eba8669d48578d52059c 100644 --- a/install/share/certmap.conf.template +++ b/install/share/certmap.conf.template @@ -1,4 +1,4 @@ -# VERSION 1 - DO NOT REMOVE THIS LINE +# VERSION 2 - DO NOT REMOVE THIS LINE # # This file is managed by IPA and will be overwritten on upgrades. @@ -84,6 +84,6 @@ certmap default default #default:InitFn <Init function's name> default:DNComps default:FilterComps uid -certmap ipaca CN=Certificate Authority,O=$REALM +certmap ipaca CN=Certificate Authority,$SUBJECT_BASE ipaca:CmapLdapAttr seeAlso ipaca:verifycert on diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index de17c5b23d79f31e8571a3400d44397630cadada..7958c16d00fe16faf470ad26dda074dafa553aaf 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -760,6 +760,21 @@ def add_ca_dns_records(): sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) + +def find_subject_base(): + try: + api.Backend.ldap2.connect(autobind=True) + except ipalib.errors.PublicError, e: + root_logger.error("Cannot connect to LDAP to find certificate" + "subject base: %s", e) + return + + ret = api.Command['config_show']() + api.Backend.ldap2.disconnect() + + return str(ret['result']['ipacertificatesubjectbase'][0]) + + def uninstall_selfsign(ds, http): root_logger.info('[Removing self-signed CA]') """Replace self-signed CA by a CA-less install""" @@ -894,6 +909,7 @@ def main(): configured_constants = dogtag.configured_constants() sub_dict = dict( REALM=api.env.realm, + SUBJECT_BASE=find_subject_base(), FQDN=fqdn, AUTOREDIR='' if auto_redirect else '#', CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH, diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index e48ced4b8653863f377debe206594e304a80d11e..95106e01938843805108079d8eeb2aafd38d2702 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -653,7 +653,7 @@ def __certmap_conf(self): shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template", config_dirname(self.serverid) + "certmap.conf") installutils.update_file(config_dirname(self.serverid) + "certmap.conf", - '$REALM', self.realm_name) + '$SUBJECT_BASE', str(self.subject_base)) def __enable_ldapi(self): self._ldap_mod("ldapi.ldif", self.sub_dict) -- 1.8.1.4
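Review bot: `find_subject_base()` turns a failed LDAP connect into a bare `return`, i.e. `None`, and the caller in `main()` drops that straight into `sub_dict` as `SUBJECT_BASE`, so an upgrade run without a working LDAP bind would presumably write the literal text `None` into the `certmap ipaca` issuer DN of certmap.conf rather than leaving the file alone. A second gap is that `api.Backend.ldap2.disconnect()` is only reached when `config_show` succeeds; if it raises, the connection is left open, so the call belongs in a `finally`. The two adjacent string literals in the log message also lack a separating space and print as "certificatesubject base", and `ret['result']['ipacertificatesubjectbase']` will raise `KeyError` rather than report a config entry without that attribute. A rewrite that returns `None` explicitly, disconnects in `finally`, and checks for the attribute before indexing is below; the caller still has to handle `None` (see the `main()` hunk).
```python
def find_subject_base():
    try:
        api.Backend.ldap2.connect(autobind=True)
    except ipalib.errors.PublicError, e:
        root_logger.error("Cannot connect to LDAP to find certificate "
                          "subject base: %s", e)
        return None

    try:
        ret = api.Command['config_show']()
    finally:
        api.Backend.ldap2.disconnect()

    subject_base = ret['result'].get('ipacertificatesubjectbase')
    if not subject_base:
        root_logger.error("ipacertificatesubjectbase is not set in the IPA "
                          "config entry; not updating certmap.conf")
        return None
    return str(subject_base[0])
```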
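Review bot: `SUBJECT_BASE=find_subject_base()` in the `sub_dict` literal has no guard for the `None` that helper returns on LDAP failure, and since the template version was bumped to 2 in this same patch, certmap.conf will be regenerated on this very upgrade, so a failed lookup ends up as `CN=Certificate Authority,None` in the ipaca mapping instead of the current value. Because that line is what 389-ds uses to map client certificates issued by the IPA CA to entries (with `verifycert on`), a corrupted issuer DN would presumably break certificate-based binds until someone fixes the file by hand. I would fetch the value before building the dict — `subject_base = find_subject_base()` — and if it is `None`, log and skip the certmap.conf rewrite (or keep the existing file's value) rather than substituting; how the template is actually written is outside this hunk, so the exact skip point needs checking there. `main()` starts and ends outside the hunk.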