On 23.7.2013 18:26, Jan Cholasta wrote:
On 22.7.2013 17:40, Simo Sorce wrote:
On Mon, 2013-07-22 at 17:36 +0200, Jan Cholasta wrote:
  if nickname == 'subsystemCert cert-pki-ca':
-    update_people_entry('pkidbuser', cert)
+    update_people_entry(dogtag_uri, 'pkidbuser', cert)


This is probably wrong, there is no pkidbuser in old instances.

My subsystemCert has a subject of "CN=CA Subsystem,O=REALM" and this
cert is associated to an object named:
uid=CA-<server-name>-9443,ou=people,o=ipaca

I think you need to search the db to find the right object(s) to update.

Right. Updated patch attached.

Honza


Rebased on top of current master & ipa-3-1.

--
Jan Cholasta
>From f9a7db524f2b28ddd31c1cd68737032add07dbee Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 23 Jul 2013 10:19:42 +0000
Subject: [PATCH] Fix certificate renewal scripts to work with separate CA DS
 instance.

https://fedorahosted.org/freeipa/ticket/3805
---
 install/restart_scripts/renew_ca_cert |  4 +--
 install/restart_scripts/renew_ra_cert |  2 +-
 ipaserver/install/cainstance.py       | 60 ++++++++++++++++++++++++-----------
 3 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index ab394b9..a2d0e46 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -85,9 +85,7 @@ finally:
 
 # Done withing stopped_service context, CA restarted here
 update_cert_config(nickname, cert)
-
-if nickname == 'subsystemCert cert-pki-ca':
-    update_people_entry('pkidbuser', cert)
+update_people_entry(cert)
 
 if nickname == 'auditSigningCert cert-pki-ca':
     # Fix trust on the audit cert
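Review bot: With the `if nickname == 'subsystemCert cert-pki-ca'` guard removed, `update_people_entry(cert)` now runs for every renewed CA certificate and nothing at the call site says why that is safe, so a reader will assume every nickname has an ou=People entry. The matching is presumably done inside `update_people_entry` by issuer and subject, and a one-line comment would keep that intent visible: `# Updates whichever ou=People entry this certificate belongs to (e.g. pkidbuser for the subsystem cert)`. The return value is still not checked, so a failed update is visible only in syslog. The rebased version of this hunk in the later renew_ca_cert patch has the same gap.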
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index e541e4b..596ca2b 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -41,7 +41,7 @@ db = certs.CertDB(api.env.realm)
 dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-update_people_entry('ipara', dercert)
+update_people_entry(dercert)
 
 attempts = 0
 updated = False
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 15d79fd..4f99b6f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -40,6 +40,7 @@ import ConfigParser
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipapython import certmonger
+from ipalib import api
 from ipalib import pkcs10, x509
 from ipalib import errors
 from ipapython.dn import DN
@@ -1729,58 +1730,81 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
                                     base64.b64encode(cert),
                                     quotes=False, separator='=')
 
-def update_people_entry(uid, dercert):
+def update_people_entry(dercert):
     """
     Update the userCerticate for an entry in the dogtag ou=People. This
     is needed when a certificate is renewed.
 
-    uid: uid of user to update
     dercert: An X509.3 certificate in DER format
 
     Logging is done via syslog
 
     Returns True or False
     """
-    dn = DN(('uid',uid),('ou','People'),('o','ipaca'))
+    base_dn = DN(('ou','People'), ('o','ipaca'))
     serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
     subject = x509.get_subject(dercert, datatype=x509.DER)
     issuer = x509.get_issuer(dercert, datatype=x509.DER)
 
     attempts = 0
-    dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
+    configured_constants = dogtag.configured_constants(api)
+    dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
     updated = False
 
     try:
         dm_password = certmonger.get_pin('internaldb')
     except IOError, e:
-        syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+        syslog.syslog(
+            syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
         return False
 
     while attempts < 10:
         conn = None
         try:
             conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
-            conn.connect(bind_dn=DN(('cn', 'directory manager')),
-                bind_pw=dm_password)
-            (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
-            entry_attrs['usercertificate'].append(dercert)
-            entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
-                subject)
-            conn.update_entry(dn, entry_attrs)
+            conn.connect(
+                bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
+
+            filter = conn.make_filter(
+                {'description': ';%s;%s' % (issuer, subject)},
+                exact=False, trailing_wildcard=False)
+            try:
+                entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, filter)
+            except errors.NotFound:
+                entries = []
+
             updated = True
+
+            for entry in entries:
+                syslog.syslog(
+                    syslog.LOG_NOTICE, 'Updating entry %s' % str(entry.dn))
+
+                try:
+                    entry['usercertificate'].append(dercert)
+                    entry['description'] = '2;%d;%s;%s' % (
+                        serial_number, issuer, subject)
+
+                    conn.update_entry(entry)
+                except errors.EmptyModlist:
+                    pass
+                except Exception, e:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        'Updating entry %s failed: %s' % (str(entry.dn), e))
+                    updated = False
+
             break
         except errors.NetworkError:
-            syslog.syslog(syslog.LOG_ERR, 'Connection to %s failed, sleeping 30s' % dogtag_uri)
+            syslog.syslog(
+                syslog.LOG_ERR,
+                'Connection to %s failed, sleeping 30s' % dogtag_uri)
             time.sleep(30)
             attempts += 1
-        except errors.EmptyModlist:
-            updated = True
-            break
         except Exception, e:
-            syslog.syslog(syslog.LOG_ERR, 'Updating %s entry failed: %s' % (str(dn), e))
+            syslog.syslog(syslog.LOG_ERR, 'Caught unhandled exception: %s' % e)
             break
         finally:
-            if conn.isconnected():
+            if conn is not None and conn.isconnected():
                 conn.disconnect()
 
     if not updated:
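Review bot: `entry['usercertificate'].append(dercert)` inside the per-entry `try` raises KeyError when a matched entry carries no userCertificate value yet, which the inner `except Exception` then reports as a failed update; `entry.setdefault('usercertificate', []).append(dercert)` would add the certificate instead (the rebased patch has the same line as `entry_attrs['usercertificate'].append(dercert)`). Whether the ldap2 entry type supports `setdefault` should be confirmed before relying on it. The local `filter` shadows the builtin; `search_filter` would read better and the same rename applies to the rebased hunk. `update_people_entry` continues past the end of the hunk, so the return path after `if not updated:` is not visible here.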
-- 
1.8.4

>From 20a1fc717b9248c18b1225937068fd6711fda8c8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 29 Aug 2013 16:26:46 +0200
Subject: [PATCH] Fix certificate renewal scripts to work with separate CA DS
 instance.

https://fedorahosted.org/freeipa/ticket/3805
---
 install/restart_scripts/renew_ca_cert |  4 +--
 install/restart_scripts/renew_ra_cert |  2 +-
 ipaserver/install/cainstance.py       | 64 ++++++++++++++++++++++++-----------
 3 files changed, 47 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index b1efd8f..1a505dd 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -84,9 +84,7 @@ finally:
     shutil.rmtree(tmpdir)
 
 update_cert_config(nickname, cert)
-
-if nickname == 'subsystemCert cert-pki-ca':
-    update_people_entry('pkidbuser', cert)
+update_people_entry(cert)
 
 if nickname == 'auditSigningCert cert-pki-ca':
     # Fix trust on the audit cert
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index a70ba5c..6c9a5a8 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -42,7 +42,7 @@ db = certs.CertDB(api.env.realm)
 dercert = db.get_cert_from_db('ipaCert', pem=False)
 
 # Load it into dogtag
-update_people_entry('ipara', dercert)
+update_people_entry(dercert)
 
 attempts = 0
 updated = False
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 666df48..4cd2f03 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -40,6 +40,7 @@ import ConfigParser
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
 from ipapython import certmonger
+from ipalib import api
 from ipalib import pkcs10, x509
 from ipalib import errors
 from ipapython.dn import DN
@@ -1856,59 +1857,84 @@ def update_cert_config(nickname, cert):
                                 base64.b64encode(cert),
                                 quotes=False, separator='=')
 
-def update_people_entry(uid, dercert):
+def update_people_entry(dercert):
     """
     Update the userCerticate for an entry in the dogtag ou=People. This
     is needed when a certificate is renewed.
 
-    uid: uid of user to update
     dercert: An X509.3 certificate in DER format
 
     Logging is done via syslog
 
     Returns True or False
     """
-    dn = DN(('uid',uid),('ou','People'),('o','ipaca'))
+    base_dn = DN(('ou','People'), ('o','ipaca'))
     serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
     subject = x509.get_subject(dercert, datatype=x509.DER)
     issuer = x509.get_issuer(dercert, datatype=x509.DER)
 
     attempts = 0
-    dogtag_uri='ldap://localhost:%d' % DEFAULT_DSPORT
+    configured_constants = dogtag.configured_constants(api)
+    dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
     updated = False
 
     try:
         dm_password = certmonger.get_pin('internaldb')
     except IOError, e:
-        syslog.syslog(syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
+        syslog.syslog(
+            syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
         return False
 
     while attempts < 10:
         conn = None
         try:
             conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
-            conn.connect(bind_dn=DN(('cn', 'directory manager')),
-                bind_pw=dm_password)
-            (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'],
-                normalize=False)
-            entry_attrs['usercertificate'].append(dercert)
-            entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
-                subject)
-            conn.update_entry(dn, entry_attrs, normalize=False)
+            conn.connect(
+                bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
+
+            filter = conn.make_filter(
+                {'description': ';%s;%s' % (issuer, subject)},
+                exact=False, trailing_wildcard=False)
+            try:
+                entries, truncated = conn.find_entries(
+                    base_dn=base_dn, filter=filter)
+                if truncated:
+                    raise errors.LimitsExceeded()
+            except errors.NotFound:
+                entries = []
+
             updated = True
+
+            for (entry_dn, entry_attrs) in entries:
+                syslog.syslog(
+                    syslog.LOG_NOTICE, 'Updating entry %s' % str(entry_dn))
+
+                try:
+                    entry_attrs['usercertificate'].append(dercert)
+                    entry_attrs['description'] = '2;%d;%s;%s' % (
+                        serial_number, issuer, subject)
+
+                    conn.update_entry(entry_dn, entry_attrs)
+                except errors.EmptyModlist:
+                    pass
+                except Exception, e:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        'Updating entry %s failed: %s' % (str(entry_dn), e))
+                    updated = False
+
             break
         except errors.NetworkError:
-            syslog.syslog(syslog.LOG_ERR, 'Connection to %s failed, sleeping 30s' % dogtag_uri)
+            syslog.syslog(
+                syslog.LOG_ERR,
+                'Connection to %s failed, sleeping 30s' % dogtag_uri)
             time.sleep(30)
             attempts += 1
-        except errors.EmptyModlist:
-            updated = True
-            break
         except Exception, e:
-            syslog.syslog(syslog.LOG_ERR, 'Updating %s entry failed: %s' % (str(dn), e))
+            syslog.syslog(syslog.LOG_ERR, 'Caught unhandled exception: %s' % e)
             break
         finally:
-            if conn.isconnected():
+            if conn is not None and conn.isconnected():
                 conn.disconnect()
 
     if not updated:
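Review bot: When the search matches nothing, `entries = []` leaves `updated = True` and the function reports success without logging anything, so a renewal whose certificate never reaches the Dogtag people entry is indistinguishable in syslog from one that did; a notice such as `syslog.syslog(syslog.LOG_NOTICE, 'No entry under %s matched %s' % (base_dn, filter))` before the loop would make that diagnosable, now that both callers invoke the function for every nickname. The `raise errors.LimitsExceeded()` on the truncated path is caught only by the generic `except Exception` and logged as 'Caught unhandled exception'; an explicit `except errors.LimitsExceeded:` that logs that too many entries matched the filter and then `break`s would name the actual condition. `dogtag.configured_constants(api)` presumably reads `api.env`, so the function now depends on the caller having bootstrapped `api` — worth stating in the docstring, which also still misspells 'userCerticate'. The function continues past the hunk; `if not updated:` is its last visible line.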
-- 
1.8.4
