Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3975>.

Honza

--
Jan Cholasta
>From e032ea6c7c348c02247c571694eba49b876bbdd0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 17 Oct 2013 12:52:07 +0000
Subject: [PATCH] Track DS certificate with certmonger on replicas.

https://fedorahosted.org/freeipa/ticket/3975
---
 install/tools/ipa-replica-install |  1 +
 ipaserver/install/dsinstance.py   | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 5e69414..41f41a1 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -184,6 +184,7 @@ def install_replica_ds(config):
         dm_password=config.dirman_password,
         subject_base=config.subject_base,
         pkcs12_info=pkcs12_info,
+        ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"),
         ca_file=config.dir + "/ca.crt",
     )
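Review bot: The new `ca_is_configured=` keyword turns the presence of a file, `cacert.p12` under `config.dir`, into a security-relevant decision (whether the DS certificate is put under certmonger renewal tracking), and nothing at the call site says why that file is the signal; install_replica_ds starts before this hunk, so a reader here also cannot see that DsInstance.create_instance would otherwise clear the flag because `pkcs12_info` is always supplied on a replica. Suggest a comment above the added line such as `# A replica file prepared on a CA-less master carries no cacert.p12; in that case the DS cert cannot be renewed by the IPA CA, so it is not tracked.` That cacert.p12 is only produced by CA-ful masters is inferred from this patch rather than visible here, so confirm it before adopting the wording. A path built with `+` also bypasses the normalisation a `os.path.join` would give, which matters if `config.dir` can end in a separator.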
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3cb2ffd..285159e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -218,6 +218,7 @@ class DsInstance(service.Service):
         self.domain = domain_name
         self.serverid = None
         self.pkcs12_info = None
+        self.ca_is_configured = True
         self.dercert = None
         self.idstart = None
         self.idmax = None
@@ -290,6 +291,8 @@ class DsInstance(service.Service):
         self.idstart = idstart
         self.idmax = idmax
         self.pkcs12_info = pkcs12_info
+        if pkcs12_info:
+            self.ca_is_configured = False
         self.ca_file = ca_file
 
         self.__setup_sub_dict()
@@ -321,7 +324,7 @@ class DsInstance(service.Service):
 
     def create_replica(self, realm_name, master_fqdn, fqdn,
                        domain_name, dm_password, subject_base,
-                       pkcs12_info=None, ca_file=None):
+                       pkcs12_info=None, ca_file=None, ca_is_configured=None):
         # idstart and idmax are configured so that the range is seen as
         # depleted by the DNA plugin and the replica will go and get a
         # new range from the master.
@@ -341,6 +344,8 @@ class DsInstance(service.Service):
             ca_file=ca_file
         )
         self.master_fqdn = master_fqdn
+        if ca_is_configured is not None:
+            self.ca_is_configured = ca_is_configured
 
         self.__common_setup(True)
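Review bot: The new `ca_is_configured` parameter of create_replica is tri-state but undocumented: `None` means "keep whatever create_instance decided", which in the previous hunk is `False` whenever `pkcs12_info` is given, and the override is placed after the create_instance call so that it wins. A comment on the added `if` would save the next reader from reconstructing that, e.g. `# None: keep the value create_instance derived from pkcs12_info; replicas pass an explicit value because pkcs12_info is always set for them.` The same parameter appears in the signature change in the hunk above (`pkcs12_info=None, ca_file=None, ca_is_configured=None`), which is where a docstring line describing it would belong; create_replica's body runs past the end of this hunk.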
 
@@ -615,10 +620,12 @@ class DsInstance(service.Service):
             dsdb.create_from_cacert(cadb.cacert_fname, passwd=None)
             self.dercert = dsdb.create_server_cert(
                 nickname, self.fqdn, cadb)
+            dsdb.create_pin_file()
+
+        if self.ca_is_configured:
             dsdb.track_server_cert(
                 nickname, self.principal, dsdb.passwd_fname,
                 'restart_dirsrv %s' % self.serverid)
-            dsdb.create_pin_file()
 
         conn = ipaldap.IPAdmin(self.fqdn)
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
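Review bot: When `self.ca_is_configured` is false the DS certificate is now installed with no certmonger tracking at all, and nothing tells the administrator that renewal is now their responsibility; an `else:` branch logging something like `"Not tracking DS certificate with certmonger: no IPA CA is configured"` through the module's existing logger would make the silent change visible in the install log. The moved `dsdb.track_server_cert(...)` call also now sits outside the `if`/`else` whose first branch starts before this hunk, so it relies on `nickname` (and `dsdb.passwd_fname`) being bound on every path; if the `pkcs12_info` branch already registers the cert with certmonger, this ordering tracks it twice, and if it does not, the new call only works when that branch binds `nickname` too — worth confirming against the part of the function outside the hunk. Moving `dsdb.create_pin_file()` ahead of the tracking call is the right order, since `dsdb.passwd_fname` is handed to certmonger; a one-line comment `# pin file must exist before certmonger is told to use it` would preserve that intent. The enclosing method both starts and ends outside this hunk.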
-- 
1.8.3.1
