Hi,

the attached patches fix several shortcomings in ipa-kra-install; see the commit messages for details.


<https://fedorahosted.org/freeipa/ticket/3872>

(Patch 434 was introduced in <https://www.redhat.com/archives/freeipa-devel/2015-June/msg00035.html>.)

Honza

--
Jan Cholasta
>From 7a668e773b9c7a600e8ab9581aa70ab5629123fc Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 10 Jun 2015 10:35:43 +0000
Subject: [PATCH 1/3] vault: Move vaults to cn=vaults,cn=kra

https://fedorahosted.org/freeipa/ticket/3872
---
 freeipa.spec.in                           |  1 +
 install/share/Makefile.am                 |  1 +
 install/share/vault.update                | 24 ++++++++++++++++++++++++
 install/updates/40-vault.update           | 19 -------------------
 install/updates/Makefile.am               |  1 -
 ipa-client/man/default.conf.5             |  2 +-
 ipalib/constants.py                       |  2 +-
 ipaplatform/base/paths.py                 |  1 +
 ipaserver/install/kra.py                  |  4 ++--
 ipaserver/install/krainstance.py          | 21 +++++++++++++++++----
 ipatests/test_xmlrpc/test_vault_plugin.py | 24 ++++++++++++------------
 11 files changed, 60 insertions(+), 40 deletions(-)
 create mode 100644 install/share/vault.update
 delete mode 100644 install/updates/40-vault.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 23c3d1a..64b24c8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -716,6 +716,7 @@ fi
 %{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.update
 %{_usr}/share/ipa/*.template
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 31f391b..5d8397b 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -82,6 +82,7 @@ app_DATA =				\
 	copy-schema-to-ca.py		\
 	sasl-mapping-fallback.ldif	\
 	schema-update.ldif		\
+	vault.update			\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/vault.update b/install/share/vault.update
new file mode 100644
index 0000000..dcd1e2a
--- /dev/null
+++ b/install/share/vault.update
@@ -0,0 +1,24 @@
+dn: cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: kra
+
+dn: cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: vaults
+
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: services
+
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: shared
+
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: users
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
deleted file mode 100644
index 5a6b8c6..0000000
--- a/install/updates/40-vault.update
+++ /dev/null
@@ -1,19 +0,0 @@
-dn: cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: vaults
-
-dn: cn=services,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: services
-
-dn: cn=shared,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: shared
-
-dn: cn=users,cn=vaults,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: users
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index fc6bd62..1c7da35 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -34,7 +34,6 @@ app_DATA =				\
 	40-automember.update		\
 	40-certprofile.update		\
 	40-otp.update			\
-	40-vault.update			\
 	45-roles.update			\
 	50-7_bit_check.update	        \
 	50-dogtag10-migration.update	\
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 0973f1a..e345e93 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -221,7 +221,7 @@ The following define the containers for the IPA server. Containers define where
   container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
   container_sudorule: cn=sudorules,cn=sudo
   container_user: cn=users,cn=accounts
-  container_vault: cn=vaults
+  container_vault: cn=vaults,cn=kra
   container_virtual: cn=virtual operations,cn=etc
 
 .SH "FILES"
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 93d7aaa..0ffdcbf 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -99,7 +99,7 @@ DEFAULT_CONFIG = (
     ('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
     ('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))),
     ('container_dns', DN(('cn', 'dns'))),
-    ('container_vault', DN(('cn', 'vaults'))),
+    ('container_vault', DN(('cn', 'vaults'), ('cn', 'kra'))),
     ('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))),
     ('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))),
     ('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))),
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9ba8752..b83e948 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -247,6 +247,7 @@ class BasePathNamespace(object):
     SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
     IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
     UPDATES_DIR = "/usr/share/ipa/updates/"
+    VAULT_UPDATE = "/usr/share/ipa/vault.update"
     PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
     CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
     VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 2ff8df5..8083c74 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -46,8 +46,8 @@ def install(replica_config, options, dm_password):
             dogtag_constants=dogtag.install_constants)
 
         kra.configure_instance(
-            api.env.host, api.env.domain, dm_password,
-            dm_password, subject_base=subject)
+            api.env.realm, api.env.host, api.env.domain, options.dm_password,
+            options.dm_password, subject_base=subject)
     else:
         kra = krainstance.install_replica_kra(replica_config)
 
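Review bot: The call now reads `options.dm_password` while `install()` still receives a separate `dm_password` argument (visible in the hunk header), so the two values can diverge and the parameter looks unused at this call site. If `options.dm_password` is meant to be the single source, drop the parameter at the definition and its callers; otherwise keep passing `dm_password` here. The rest of `install()` is outside the hunk, so the parameter may still be read elsewhere in the function.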
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 7c1bded..50ab424 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -28,11 +28,11 @@ from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import dogtag
-from ipapython import ipaldap
 from ipapython import ipautil
 from ipapython.dn import DN
 from ipaserver.install import certs
 from ipaserver.install import cainstance
+from ipaserver.install import ldapupdate
 from ipaserver.install import service
 from ipaserver.install.dogtaginstance import DogtagInstance
 from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
@@ -70,7 +70,7 @@ class KRAInstance(DogtagInstance):
         self.basedn = DN(('o', 'kra'), ('o', 'ipaca'))
         self.log = log_mgr.get_logger(self)
 
-    def configure_instance(self, host_name, domain, dm_password,
+    def configure_instance(self, realm_name, host_name, domain, dm_password,
                            admin_password, ds_port=DEFAULT_DSPORT,
                            pkcs12_info=None, master_host=None,
                            master_replication_port=None,
@@ -93,6 +93,8 @@ class KRAInstance(DogtagInstance):
             self.subject_base = DN(('O', self.realm))
         else:
             self.subject_base = subject_base
+        self.realm = realm_name
+        self.suffix = ipautil.realm_to_suffix(realm_name)
 
         # Confirm that a KRA does not already exist
         if self.is_installed():
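Review bot: `self.realm` is assigned on the new line only after it has already been read two lines above it: when `subject_base` is None the default `DN(('O', self.realm))` is built from whatever `self.realm` held before `realm_name` is stored, and nothing visible in this patch sets it earlier. Move the two new assignments above the `if subject_base is None:` branch (its `if` line is just outside the hunk): `self.realm = realm_name` and `self.suffix = ipautil.realm_to_suffix(realm_name)` first, then derive `subject_base`. `configure_instance` continues on both sides of the hunk.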
@@ -115,8 +117,9 @@ class KRAInstance(DogtagInstance):
         self.step("configure certmonger for renewals",
                   self.configure_certmonger_renewal)
         self.step("configure certificate renewals", self.configure_renewal)
-        self.step("Configure HTTP to proxy connections",
+        self.step("configure HTTP to proxy connections",
                   self.http_proxy)
+        self.step("add vault container", self.__add_vault_container)
 
         self.start_creation(runtime=126)
 
@@ -335,6 +338,15 @@ class KRAInstance(DogtagInstance):
             "--client-cert", paths.KRA_AGENT_PEM]
         ipautil.run(args)
 
+    def __add_vault_container(self):
+        sub_dict = {
+            'SUFFIX': self.suffix,
+        }
+
+        ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
+                                   sub_dict=sub_dict)
+        ld.update([paths.VAULT_UPDATE])
+
     @staticmethod
     def update_cert_config(nickname, cert, dogtag_constants=None):
         """
@@ -391,7 +403,8 @@ def install_replica_kra(config, postinstall=False):
     if _kra.is_installed():
         sys.exit("A KRA is already configured on this system.")
 
-    _kra.configure_instance(config.host_name, config.domain_name,
+    _kra.configure_instance(config.realm_name,
+                            config.host_name, config.domain_name,
                             config.dirman_password, config.dirman_password,
                             pkcs12_info=(krafile,),
                             master_host=config.master_host_name,
diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py
index 4b18672..9a40547 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -57,7 +57,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': 'Added vault "%s"' % vault_name,
                 'result': {
-                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                           % (vault_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
@@ -78,7 +78,7 @@ class test_vault_plugin(Declarative):
                 'summary': u'1 vault matched',
                 'result': [
                     {
-                        'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+                        'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                               % (vault_name, api.env.basedn),
                         'cn': [vault_name],
                     },
@@ -97,7 +97,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': None,
                 'result': {
-                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
                           % (vault_name, api.env.basedn),
                     'cn': [vault_name],
                 },
@@ -152,7 +152,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': u'Added vault "%s"' % vault_name,
                 'result': {
-                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
                           % (vault_name, service_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
@@ -175,7 +175,7 @@ class test_vault_plugin(Declarative):
                 'summary': u'1 vault matched',
                 'result': [
                     {
-                        'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+                        'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
                               % (vault_name, service_name, api.env.basedn),
                         'cn': [vault_name],
                     },
@@ -196,7 +196,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': None,
                 'result': {
-                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
                           % (vault_name, service_name, api.env.basedn),
                     'cn': [vault_name],
                 },
@@ -254,7 +254,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': u'Added vault "%s"' % vault_name,
                 'result': {
-                    'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
                           % (vault_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
@@ -277,7 +277,7 @@ class test_vault_plugin(Declarative):
                 'summary': u'1 vault matched',
                 'result': [
                     {
-                        'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+                        'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
                               % (vault_name, api.env.basedn),
                         'cn': [vault_name],
                     },
@@ -298,7 +298,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': None,
                 'result': {
-                    'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
                           % (vault_name, api.env.basedn),
                     'cn': [vault_name],
                 },
@@ -356,7 +356,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': u'Added vault "%s"' % vault_name,
                 'result': {
-                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
                           % (vault_name, user_name, api.env.basedn),
                     'objectclass': [u'top', u'ipaVault'],
                     'cn': [vault_name],
@@ -379,7 +379,7 @@ class test_vault_plugin(Declarative):
                 'summary': u'1 vault matched',
                 'result': [
                     {
-                        'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+                        'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
                               % (vault_name, user_name, api.env.basedn),
                         'cn': [vault_name],
                     },
@@ -400,7 +400,7 @@ class test_vault_plugin(Declarative):
                 'value': vault_name,
                 'summary': None,
                 'result': {
-                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
                           % (vault_name, user_name, api.env.basedn),
                     'cn': [vault_name],
                 },
-- 
2.1.0

>From 6e8bfe13fe6b5592bef76b80947506a3f5987be9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 10 Jun 2015 08:22:30 +0000
Subject: [PATCH 2/3] install: Initialize API early in server and replica
 install

https://fedorahosted.org/freeipa/ticket/4468
---
 ipaserver/install/server/install.py        |  90 +++++-----
 ipaserver/install/server/replicainstall.py | 278 +++++++++++++++--------------
 2 files changed, 191 insertions(+), 177 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 59a9d1e..89473dc 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -301,6 +301,8 @@ def install_check(installer):
     external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
+    dogtag_constants = dogtag.install_constants
+
     tasks.check_selinux_status()
 
     if options.master_password:
@@ -550,6 +552,51 @@ def install_check(installer):
     else:
         admin_password = options.admin_password
 
+    # Configuration for ipalib, we will bootstrap and finalize later, after
+    # we are sure we have the configuration file ready.
+    cfg = dict(
+        context='installer',
+        in_server=True,
+    )
+
+    # Create the management framework config file and finalize api
+    target_fname = paths.IPA_DEFAULT_CONF
+    fd = open(target_fname, "w")
+    fd.write("[global]\n")
+    fd.write("host=%s\n" % host_name)
+    fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
+    fd.write("realm=%s\n" % realm_name)
+    fd.write("domain=%s\n" % domain_name)
+    fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % format_netloc(host_name))
+    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+             installutils.realm_to_serverid(realm_name))
+    if setup_ca:
+        fd.write("enable_ra=True\n")
+        fd.write("ra_plugin=dogtag\n")
+        fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
+    else:
+        fd.write("enable_ra=False\n")
+        fd.write("ra_plugin=none\n")
+    fd.write("mode=production\n")
+    fd.close()
+
+    # Must be readable for everyone
+    os.chmod(target_fname, 0644)
+
+    system_hostname = get_fqdn()
+    if host_name != system_hostname:
+        root_logger.debug("Chosen hostname (%s) differs from system hostname "
+                          "(%s) - change it" % (host_name, system_hostname))
+        # update `api.env.ca_host` to correct hostname
+        # https://fedorahosted.org/freeipa/ticket/4936
+        api.env.ca_host = host_name
+
+    api.bootstrap(**cfg)
+    if setup_ca:
+        # ensure profile backend is available
+        import ipaserver.plugins.dogtag
+    api.finalize()
+
     if setup_ca:
         ca.install_check(False, None, options)
 
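Review bot: The moved config-file block no longer writes the `enable_kra=` line that the block removed from `install()` later in this diff wrote (`fd.write("enable_kra=%s\n" % setup_kra)`), while the replica counterpart in this same commit still writes it; either the line was dropped by accident or the drop belongs in a separate, explained commit. `install_check()` now also creates `paths.IPA_DEFAULT_CONF` and mutates `api.env.ca_host` before the remaining checks run, so a later check failure leaves the file behind. The `open`/`close` pair would be safer as `with open(target_fname, "w") as fd:` so an exception during the writes does not leak the handle.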
@@ -656,38 +703,6 @@ def install(installer):
     # failure to enable root cause investigation
     installer._installation_cleanup = False
 
-    # Configuration for ipalib, we will bootstrap and finalize later, after
-    # we are sure we have the configuration file ready.
-    cfg = dict(
-        context='installer',
-        in_server=True,
-    )
-
-    # Create the management framework config file and finalize api
-    target_fname = paths.IPA_DEFAULT_CONF
-    fd = open(target_fname, "w")
-    fd.write("[global]\n")
-    fd.write("host=%s\n" % host_name)
-    fd.write("basedn=%s\n" % ipautil.realm_to_suffix(realm_name))
-    fd.write("realm=%s\n" % realm_name)
-    fd.write("domain=%s\n" % domain_name)
-    fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % format_netloc(host_name))
-    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
-             installutils.realm_to_serverid(realm_name))
-    if setup_ca:
-        fd.write("enable_ra=True\n")
-        fd.write("ra_plugin=dogtag\n")
-        fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
-    else:
-        fd.write("enable_ra=False\n")
-        fd.write("ra_plugin=none\n")
-    fd.write("enable_kra=%s\n" % setup_kra)
-    fd.write("mode=production\n")
-    fd.close()
-
-    # Must be readable for everyone
-    os.chmod(target_fname, 0644)
-
     if installer.interactive:
         print ""
         print "The following operations may take some minutes to complete."
@@ -696,19 +711,8 @@ def install(installer):
 
     system_hostname = get_fqdn()
     if host_name != system_hostname:
-        root_logger.debug("Chosen hostname (%s) differs from system hostname "
-                          "(%s) - change it" % (host_name, system_hostname))
         # configure /etc/sysconfig/network to contain the custom hostname
         tasks.backup_and_replace_hostname(fstore, sstore, host_name)
-        # update `api.env.ca_host` to correct hostname
-        # https://fedorahosted.org/freeipa/ticket/4936
-        api.env.ca_host = host_name
-
-    api.bootstrap(**cfg)
-    if setup_ca:
-        # ensure profile backend is available
-        import ipaserver.plugins.dogtag
-    api.finalize()
 
     # Create DS user/group if it doesn't exist yet
     dsinstance.create_ds_user()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 9455117..0429a40 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -355,6 +355,143 @@ def install_check(installer):
     config.setup_ca = options.setup_ca
     config.setup_kra = options.setup_kra
 
+    # Create the management framework config file
+    # Note: We must do this before bootstraping and finalizing ipalib.api
+    old_umask = os.umask(022)   # must be readable for httpd
+    try:
+        fd = open(paths.IPA_DEFAULT_CONF, "w")
+        fd.write("[global]\n")
+        fd.write("host=%s\n" % config.host_name)
+        fd.write("basedn=%s\n" %
+                 str(ipautil.realm_to_suffix(config.realm_name)))
+        fd.write("realm=%s\n" % config.realm_name)
+        fd.write("domain=%s\n" % config.domain_name)
+        fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; %
+                 ipautil.format_netloc(config.host_name))
+        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
+                 installutils.realm_to_serverid(config.realm_name))
+        if ipautil.file_exists(config.dir + "/cacert.p12"):
+            fd.write("enable_ra=True\n")
+            fd.write("ra_plugin=dogtag\n")
+            fd.write("dogtag_version=%s\n" %
+                     dogtag.install_constants.DOGTAG_VERSION)
+        else:
+            fd.write("enable_ra=False\n")
+            fd.write("ra_plugin=none\n")
+
+        fd.write("enable_kra=%s\n" % config.setup_kra)
+
+        fd.write("mode=production\n")
+        fd.close()
+    finally:
+        os.umask(old_umask)
+
+    api.bootstrap(in_server=True, context='installer')
+    api.finalize()
+
+    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
+
+    cafile = config.dir + "/ca.crt"
+
+    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
+    remote_api = create_api(mode=None)
+    remote_api.bootstrap(in_server=True, context='installer',
+                         ldap_uri=ldapuri)
+    remote_api.finalize()
+    conn = remote_api.Backend.ldap2
+    replman = None
+    try:
+        # Try out the password
+        conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
+                     tls_cacertfile=cafile)
+        replman = ReplicationManager(config.realm_name,
+                                     config.master_host_name,
+                                     config.dirman_password)
+
+        # Check that we don't already have a replication agreement
+        try:
+            (agreement_cn, agreement_dn) = replman.agreement_dn(
+                config.host_name)
+            entry = conn.get_entry(agreement_dn, ['*'])
+        except errors.NotFound:
+            pass
+        else:
+            root_logger.info('Error: A replication agreement for this '
+                             'host already exists.')
+            print('A replication agreement for this host already exists. '
+                  'It needs to be removed.')
+            print "Run this on the master that generated the info file:"
+            print("    %% ipa-replica-manage del %s --force" %
+                  config.host_name)
+            sys.exit(3)
+
+        # Detect the current domain level
+        try:
+            current = remote_api.Command['domainlevel_get']()['result']
+        except errors.NotFound:
+            # If we're joining an older master, domain entry is not
+            # available
+            current = 0
+
+        # Detect if current level is out of supported range
+        # for this IPA version
+        under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
+        above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
+
+        if under_lower_bound or above_upper_bound:
+            message = ("This version of FreeIPA does not support "
+                       "the Domain Level which is currently set for "
+                       "this domain. The Domain Level needs to be "
+                       "raised before installing a replica with "
+                       "this version is allowed to be installed "
+                       "within this domain.")
+            root_logger.error(message)
+            print(message)
+            sys.exit(3)
+
+        # Check pre-existing host entry
+        try:
+            entry = conn.find_entries(u'fqdn=%s' % config.host_name,
+                                      ['fqdn'], DN(api.env.container_host,
+                                                   api.env.basedn))
+        except errors.NotFound:
+            pass
+        else:
+            root_logger.info('Error: Host %s already exists on the master '
+                             'server.' % config.host_name)
+            print('The host %s already exists on the master server.' %
+                  config.host_name)
+            print "You should remove it before proceeding:"
+            print "    %% ipa host-del %s" % config.host_name
+            sys.exit(3)
+
+        dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
+        if dns_masters:
+            if not options.no_host_dns:
+                master = config.master_host_name
+                root_logger.debug('Check forward/reverse DNS resolution')
+                resolution_ok = (
+                    check_dns_resolution(master, dns_masters) and
+                    check_dns_resolution(config.host_name, dns_masters))
+                if not resolution_ok and installer.interactive:
+                    if not ipautil.user_input("Continue?", False):
+                        sys.exit(0)
+        else:
+            root_logger.debug('No IPA DNS servers, '
+                              'skipping forward/reverse resolution check')
+
+    except errors.ACIError:
+        sys.exit("\nThe password provided is incorrect for LDAP server "
+                 "%s" % config.master_host_name)
+    except errors.LDAPError:
+        sys.exit("\nUnable to connect to LDAP server %s" %
+                 config.master_host_name)
+    finally:
+        if replman and replman.conn:
+            replman.conn.unbind()
+        if conn.isconnected():
+            conn.disconnect()
+
     if options.setup_ca:
         options.realm_name = config.realm_name
         options.host_name = config.host_name
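Review bot: `conn.connect(..., tls_cacertfile=cafile)` now runs in `install_check()` before the `ipautil.file_exists(cafile)` guard that stays later in the function (the hunk at `cafile = config.dir + "/ca.crt"`), so a missing CA file surfaces as the generic "Unable to connect to LDAP server" exit instead of the intended "CA cert file is not available" RuntimeError. Move the existence check up to directly after `cafile = config.dir + "/ca.crt"` in this hunk. The reordering also means the check phase now writes `paths.IPA_DEFAULT_CONF` and performs a Directory Manager bind to the master as a side effect, even when a later check fails; that appears to be the commit's intent, but it is worth stating in the message.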
@@ -369,8 +506,6 @@ def install_check(installer):
             print str(e)
             sys.exit(1)
 
-    installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
-
     if options.setup_dns:
         dns.install_check(False, True, options, config.host_name)
     else:
@@ -384,11 +519,11 @@ def install_check(installer):
             config.master_host_name, config.host_name, config.realm_name,
             options.setup_ca, config.ca_ds_port, options.admin_password)
 
-    cafile = config.dir + "/ca.crt"
     if not ipautil.file_exists(cafile):
         raise RuntimeError("CA cert file is not available. Please run "
                            "ipa-replica-prepare to create a new replica file.")
 
+    installer._remote_api = remote_api
     installer._fstore = fstore
     installer._sstore = sstore
     installer._config = config
@@ -403,144 +538,19 @@ def install(installer):
 
     dogtag_constants = dogtag.install_constants
 
-    # Create the management framework config file
-    # Note: We must do this before bootstraping and finalizing ipalib.api
-    old_umask = os.umask(022)   # must be readable for httpd
-    try:
-        fd = open(paths.IPA_DEFAULT_CONF, "w")
-        fd.write("[global]\n")
-        fd.write("host=%s\n" % config.host_name)
-        fd.write("basedn=%s\n" %
-                 str(ipautil.realm_to_suffix(config.realm_name)))
-        fd.write("realm=%s\n" % config.realm_name)
-        fd.write("domain=%s\n" % config.domain_name)
-        fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; %
-                 ipautil.format_netloc(config.host_name))
-        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
-                 installutils.realm_to_serverid(config.realm_name))
-        if ipautil.file_exists(config.dir + "/cacert.p12"):
-            fd.write("enable_ra=True\n")
-            fd.write("ra_plugin=dogtag\n")
-            fd.write("dogtag_version=%s\n" % dogtag_constants.DOGTAG_VERSION)
-        else:
-            fd.write("enable_ra=False\n")
-            fd.write("ra_plugin=none\n")
-
-        fd.write("enable_kra=%s\n" % config.setup_kra)
-
-        fd.write("mode=production\n")
-        fd.close()
-    finally:
-        os.umask(old_umask)
-
-    api.bootstrap(in_server=True, context='installer')
-    api.finalize()
-
     # Create DS user/group if it doesn't exist yet
     dsinstance.create_ds_user()
 
     cafile = config.dir + "/ca.crt"
 
-    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
-    remote_api = create_api(mode=None)
-    remote_api.bootstrap(in_server=True, context='installer',
-                         ldap_uri=ldapuri, basedn=DN())
-    remote_api.finalize()
+    remote_api = installer._remote_api
     conn = remote_api.Backend.ldap2
-    replman = None
     try:
-        try:
-            # Try out the password
-            conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
-                         tls_cacertfile=cafile)
-            replman = ReplicationManager(config.realm_name,
-                                         config.master_host_name,
-                                         config.dirman_password)
-
-            # Check that we don't already have a replication agreement
-            try:
-                (agreement_cn, agreement_dn) = replman.agreement_dn(
-                    config.host_name)
-                entry = conn.get_entry(agreement_dn, ['*'])
-            except errors.NotFound:
-                pass
-            else:
-                root_logger.info('Error: A replication agreement for this '
-                                 'host already exists.')
-                print('A replication agreement for this host already exists. '
-                      'It needs to be removed.')
-                print "Run this on the master that generated the info file:"
-                print("    %% ipa-replica-manage del %s --force" %
-                      config.host_name)
-                sys.exit(3)
-
-            # Detect the current domain level
-            try:
-                current = remote_api.Command['domainlevel_get']()['result']
-            except errors.NotFound:
-                # If we're joining an older master, domain entry is not
-                # available
-                current = 0
-
-            # Detect if current level is out of supported range
-            # for this IPA version
-            under_lower_bound = current < constants.MIN_DOMAIN_LEVEL
-            above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
-
-            if under_lower_bound or above_upper_bound:
-                message = ("This version of FreeIPA does not support "
-                           "the Domain Level which is currently set for "
-                           "this domain. The Domain Level needs to be "
-                           "raised before installing a replica with "
-                           "this version is allowed to be installed "
-                           "within this domain.")
-                root_logger.error(message)
-                print(message)
-                sys.exit(3)
-
-            # Check pre-existing host entry
-            try:
-                entry = conn.find_entries(u'fqdn=%s' % config.host_name,
-                                          ['fqdn'], DN(api.env.container_host,
-                                                       api.env.basedn))
-            except errors.NotFound:
-                pass
-            else:
-                root_logger.info('Error: Host %s already exists on the master '
-                                 'server.' % config.host_name)
-                print('The host %s already exists on the master server.' %
-                      config.host_name)
-                print "You should remove it before proceeding:"
-                print "    %% ipa host-del %s" % config.host_name
-                sys.exit(3)
-
-            # Install CA cert so that we can do SSL connections with ldap
-            install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
-
-            dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
-            if dns_masters:
-                if not options.no_host_dns:
-                    master = config.master_host_name
-                    root_logger.debug('Check forward/reverse DNS resolution')
-                    resolution_ok = (
-                        check_dns_resolution(master, dns_masters) and
-                        check_dns_resolution(config.host_name, dns_masters))
-                    if not resolution_ok and installer.interactive:
-                        if not ipautil.user_input("Continue?", False):
-                            sys.exit(0)
-            else:
-                root_logger.debug('No IPA DNS servers, '
-                                  'skipping forward/reverse resolution check')
-
-        except errors.ACIError:
-            sys.exit("\nThe password provided is incorrect for LDAP server "
-                     "%s" % config.master_host_name)
-        except errors.LDAPError:
-            sys.exit("\nUnable to connect to LDAP server %s" %
-                     config.master_host_name)
-        finally:
-            if replman and replman.conn:
-                replman.conn.unbind()
+        conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
+                     tls_cacertfile=cafile)
+
+        # Install CA cert so that we can do SSL connections with ldap
+        install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
 
         # Configure ntpd
         if not options.no_ntp:
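Review bot: The removed `remote_api.bootstrap(...)` passed `basedn=DN()`, but the replacement bootstrap in `install_check()` earlier in this diff passes only `ldap_uri=ldapuri`, so `remote_api.env.basedn` now comes from the default configuration rather than an empty DN; if that is deliberate, say so in the commit message, otherwise restore `basedn=DN()`. The new outer `try:` around `conn.connect` has its `except`/`finally` outside the hunk, so it is not visible whether the `ACIError`/`LDAPError` handling the removed inner `try` provided still covers the connect in `install()`. `install()` continues past the end of the hunk.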
-- 
2.1.0

>From 35a1032ee5e3095e0177a0f0cf19834ac5ef699d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 10 Jun 2015 08:50:42 +0000
Subject: [PATCH 3/3] vault: Fix ipa-kra-install

Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt                                    |  6 +++
 VERSION                                    |  4 +-
 ipalib/plugins/vault.py                    | 38 ++++++++++++-----
 ipaplatform/base/paths.py                  |  4 +-
 ipaserver/install/installutils.py          | 16 --------
 ipaserver/install/ipa_kra_install.py       | 22 ++++++----
 ipaserver/install/kra.py                   | 65 +++++++++++++-----------------
 ipaserver/install/server/install.py        |  7 ++--
 ipaserver/install/server/replicainstall.py | 41 +++++++++----------
 ipaserver/install/service.py               |  1 +
 ipaserver/plugins/dogtag.py                |  2 +-
 11 files changed, 106 insertions(+), 100 deletions(-)

diff --git a/API.txt b/API.txt
index 9e3f223..9e41ece 100644
--- a/API.txt
+++ b/API.txt
@@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
 output: Output('commands', <type 'dict'>, None)
 output: Output('methods', <type 'dict'>, None)
 output: Output('objects', <type 'dict'>, None)
+command: kra_is_enabled
+args: 0,1,3
+option: Str('version?', exclude='webui')
+output: Output('result', <type 'bool'>, None)
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
 command: krbtpolicy_mod
 args: 1,9,3
 arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)
diff --git a/VERSION b/VERSION
index 535b3e2..a8d484c 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
-# Last change: edewata - added vault-archive and vault-retrieve
+IPA_API_VERSION_MINOR=127
+# Last change: jcholast - add kra_is_enabled
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index e1e64aa..f80ecfd 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -33,7 +33,7 @@ from ipalib import output
 from ipalib.crud import PKQuery, Retrieve, Update
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
-    LDAPSearch, LDAPUpdate, LDAPRetrieve
+    LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib import _, ngettext
@@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
                      **options):
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
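Review bot: The new `if not self.api.Command.kra_is_enabled()['result']:` replaces a local env lookup with an LDAP search against cn=masters on every vault_add call, and the same substitution is made in the vault_del, vault_find, vault_mod, vault_show, vaultconfig_show, vault_archive_encrypted and vault_retrieve_encrypted hunks and in the ipaserver/plugins/dogtag.py hunk. Since `context` is already imported in this file, the result could be memoized on the request context so that one command does not repeat the search, and a one-line comment such as `# KRA presence is recorded in cn=masters,cn=ipa,cn=etc; see kra_is_enabled` would tell readers where the state now lives. The enclosing pre_callback starts before this hunk.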
@@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
                      **options):
         assert isinstance(base_dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
 
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve):
     def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -486,7 +486,7 @@ class vaultconfig_show(Retrieve):
 
     def execute(self, *args, **options):
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -624,7 +624,7 @@ class vault_archive_encrypted(Update):
 
     def execute(self, *args, **options):
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -774,7 +774,7 @@ class vault_retrieve_encrypted(Retrieve):
 
     def execute(self, *args, **options):
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -813,3 +813,23 @@ class vault_retrieve_encrypted(Retrieve):
         kra_account.logout()
 
         return result
+
+
+@register()
+class kra_is_enabled(Command):
+    NO_CLI = True
+
+    has_output = output.standard_value
+
+    def execute(self, *args, **options):
+        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+                     self.api.env.basedn)
+        filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
+        try:
+            self.api.Backend.ldap2.find_entries(
+                base_dn=base_dn, filter=filter, attrs_list=[])
+        except errors.NotFound:
+            result = False
+        else:
+            result = True
+        return dict(result=result, value=pkey_to_value(None, options))
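Review bot: The `except errors.NotFound` in execute treats an empty search result the same as a KRA that is not configured, so if the bound user lacks read access to cn=masters,cn=ipa,cn=etc the callers in this patch will report 'KRA service is not enabled' instead of a permission problem; I would confirm that every principal allowed to use vaults can read that subtree and record the assumption with `# Assumes the caller can read cn=masters; a NotFound caused by an ACI is indistinguishable from "no KRA"`. `filter` shadows the builtin — `search_filter` reads better. A short class docstring stating that this is a server-side probe (hence NO_CLI) returning a plain boolean would also help.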
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index b83e948..174c7d1 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -309,6 +309,8 @@ class BasePathNamespace(object):
     IPARESTORE_LOG = "/var/log/iparestore.log"
     IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
     IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
+    IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
+    IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
     IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
     IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
     KADMIND_LOG = "/var/log/kadmind.log"
@@ -316,8 +318,6 @@ class BasePathNamespace(object):
     PKI_CA_LOG_DIR = "/var/log/pki-ca"
     PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
     PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
-    PKI_KRA_INSTALL_LOG = "/var/log/pki-kra-install.log"
-    PKI_KRA_UNINSTALL_LOG = "/var/log/pki-kra-uninstall.log"
     VAR_LOG_PKI_DIR = "/var/log/pki/"
     TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
     TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9d0998f..5fb2bb2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir):
 
     return dogtag_master_ds_port
 
-def read_replica_info_kra_enabled(config_dir):
-    """
-    Check the replica info to determine if a KRA has been installed
-    on the master
-    """
-    default_file = config_dir + "/default.conf"
-    if not ipautil.file_exists(default_file):
-        return False
-    else:
-        with open(default_file) as fd:
-            config = SafeConfigParser()
-            config.readfp(fd)
-
-            enable_kra = config.getboolean("global", "enable_kra")
-            return enable_kra
-
 
 def create_replica_config(dirman_password, filename, options):
     top_dir = None
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index edb6225..d75a242 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -23,7 +23,10 @@ from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import admintool
+from ipapython import dogtag
 from ipapython import ipautil
+from ipapython.dn import DN
+from ipaserver.install import krainstance
 from ipaserver.install import installutils
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install import dogtaginstance
@@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool):
 
 
 class KRAUninstaller(KRAInstall):
-    log_file_name = paths.PKI_KRA_UNINSTALL_LOG
+    log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
 
     def validate_options(self, needs_root=True):
         super(KRAUninstaller, self).validate_options(needs_root=True)
@@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall):
         if self.args:
             self.option_parser.error("Too many parameters provided.")
 
-        if not api.env.enable_kra:
+        dogtag_constants = dogtag.configured_constants(api)
+        _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
+        if not _kra.is_installed():
             self.option_parser.error(
                 "Cannot uninstall.  There is no KRA installed on this system."
             )
 
     def run(self):
         super(KRAUninstaller, self).run()
-        kra.uninstall()
+        kra.uninstall(True)
 
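Review bot: `krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)` passes the api object as the first positional argument, while the kra.py hunks in the same patch construct the instance with `api.env.realm` (in both install_check and uninstall), so unless KRAInstance accepts either, `_kra.is_installed()` here runs with the wrong first argument; I would change it to `_kra = krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)`. The `kra.uninstall(True)` call would read better as `kra.uninstall(standalone=True)`, matching the new parameter name.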
 
 class KRAInstaller(KRAInstall):
-    log_file_name = paths.PKI_KRA_INSTALL_LOG
+    log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
 
     INSTALLER_START_MESSAGE = '''
         ===================================================================
@@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall):
                 self.replica_file,
                 self.options)
 
+        self.options.dm_password = self.options.password
         self.options.setup_ca = False
 
+        api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
+                                  bind_pw=self.options.dm_password)
+
         try:
-            kra.install_check(replica_config, self.options, api.env.enable_kra,
-                              int(api.env.dogtag_version))
+            kra.install_check(api, replica_config, self.options)
         except RuntimeError as e:
             raise admintool.ScriptError(str(e))
 
-        kra.install(replica_config, self.options, self.options.password)
+        kra.install(api, replica_config, self.options)
 
         # Restart apache for new proxy config file
         services.knownservices.httpd.restart(capture_output=True)
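Review bot: The new `api.Backend.ldap2.connect(...)` call sits outside the try block, so an incorrect Directory Manager password surfaces as an uncaught errors.ACIError traceback rather than the ScriptError the rest of run() produces, and the connection is never disconnected (the replicainstall hunk in this patch closes its `conn` in a finally). I would wrap the connect the same way the install_check call is wrapped and convert the bind failure into a ScriptError; `errors` would need to be imported from ipalib alongside `api`. run() starts before this hunk.
```python
        try:
            api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
                                      bind_pw=self.options.dm_password)
        except errors.ACIError:
            raise admintool.ScriptError(
                "The password provided is incorrect for Directory Manager")

        # … unchanged: install_check / install calls …
```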
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 8083c74..b55dfb7 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -2,25 +2,25 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import os
-from ConfigParser import RawConfigParser
-from ipalib import api
-from ipaplatform.paths import paths
+from ipalib import api, errors
 from ipapython import dogtag
+from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import krainstance
 from ipaserver.install import dsinstance
 from ipaserver.install import service
-from ipaserver.install.installutils import read_replica_info_kra_enabled
 
 
-def install_check(replica_config, options, enable_kra, dogtag_version):
-    if enable_kra:
+def install_check(api, replica_config, options):
+    dogtag_constants = dogtag.configured_constants(api=api)
+    kra = krainstance.KRAInstance(api.env.realm,
+                                  dogtag_constants=dogtag_constants)
+    if kra.is_installed():
         raise RuntimeError("KRA is already installed.")
 
     if not options.setup_ca:
         if cainstance.is_ca_installed_locally():
-            if dogtag_version >= 10:
+            if api.env.dogtag_version >= 10:
                 # correct dogtag version of CA installed
                 pass
             else:
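Review bot: `if api.env.dogtag_version >= 10:` drops the `int()` coercion the removed call site applied (`int(api.env.dogtag_version)` in the ipa_kra_install hunk); if the env value can be a string, a Python 2 comparison of str with int never raises and the str always compares greater, so the version check would silently pass on an old Dogtag (this code base is Python 2 — see `print str(e)` elsewhere in the patch). I would keep the coercion: `if int(api.env.dogtag_version) >= 10:`. The new `api` parameter also shadows the module-level `from ipalib import api` in the same hunk, which makes it easy to misread which object a line uses; a docstring on install_check saying that the passed api is used for both env and Command lookups would make that explicit. install_check continues past the end of this hunk.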
@@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version):
                 "Dogtag CA is not installed.  Please install the CA first")
 
     if replica_config is not None:
-        if not read_replica_info_kra_enabled(replica_config.dir):
-            raise RuntimeError(
-                "Either KRA is not installed on the master system or "
-                "your replica file is out of date"
-            )
+        if not api.Command.kra_is_enabled()['result']:
+            raise RuntimeError("KRA is not installed on the master system")
 
 
-def install(replica_config, options, dm_password):
+def install(api, replica_config, options):
     subject = dsinstance.DsInstance().find_subject_base()
     if replica_config is None:
         kra = krainstance.KRAInstance(
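Review bot: `api.Command.kra_is_enabled()` requires `api.Backend.ldap2` to already be connected, a precondition the callers satisfy differently (ipa_kra_install connects ldap2 as Directory Manager just before the call; replicainstall passes `remote_api`), but nothing in install_check states it; a docstring such as `"""Check KRA prerequisites; api.Backend.ldap2 must be connected when replica_config is given."""` would document it. The same applies to install, which now reads `options.dm_password` instead of receiving the password explicitly. Both functions extend beyond this hunk.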
@@ -55,31 +52,25 @@ def install(replica_config, options, dm_password):
     ds = dsinstance.DsInstance()
     ds.restart()
 
-    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
-
-    # Update config file
-    parser = RawConfigParser()
-    parser.read(paths.IPA_DEFAULT_CONF)
-    parser.set('global', 'enable_kra', 'True')
-
-    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-        parser.write(f)
+    kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
 
+    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
 
-def uninstall():
-    dogtag_constants = dogtag.configured_constants(api=api)
 
-    kra_instance = krainstance.KRAInstance(
-        api.env.realm, dogtag_constants=dogtag_constants)
-    kra_instance.stop_tracking_certificates()
-    if kra_instance.is_installed():
-        kra_instance.uninstall()
+def uninstall(standalone):
+    dogtag_constants = dogtag.configured_constants(api)
+    kra = krainstance.KRAInstance(api.env.realm,
+                                  dogtag_constants=dogtag_constants)
 
-    # Check if config file exists, then update it
-    if os.path.exists(paths.IPA_DEFAULT_CONF):
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'False')
+    if standalone:
+        kra.ldap_connect()
+        try:
+            kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
+                                           ('cn', 'masters'), ('cn', 'ipa'),
+                                           ('cn', 'etc'), api.env.basedn))
+        except errors.NotFound:
+            pass
 
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
+    kra.stop_tracking_certificates()
+    if kra.is_installed():
+        kra.uninstall()
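Review bot: In the `if standalone:` branch only errors.NotFound is caught, so if `kra.ldap_connect()` or `delete_entry` fails for any other reason (directory server stopped or unreachable during the uninstall) the function raises before `kra.stop_tracking_certificates()` and `kra.uninstall()` run, leaving certmonger tracking and the local instance behind. I would catch the LDAP failure around the master-entry cleanup, report it with `service.print_msg` (service is imported here), and still fall through to the local teardown; the connection opened by `ldap_connect()` is also never closed. The `standalone` flag would read better at the call sites as a keyword argument.
```python
    if standalone:
        try:
            kra.ldap_connect()
            kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
                                           ('cn', 'masters'), ('cn', 'ipa'),
                                           ('cn', 'etc'), api.env.basedn))
        except errors.NotFound:
            pass
        except errors.LDAPError as e:
            # Removing the master entry is best-effort; the local instance
            # must still be torn down even if the directory is unavailable.
            service.print_msg("Failed to remove KRA master entry: %s" % e)

    # … unchanged: stop_tracking_certificates / uninstall …
```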
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 89473dc..bde3485 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -602,8 +602,7 @@ def install_check(installer):
 
     if setup_kra:
         try:
-            kra.install_check(None, options, False,
-                              dogtag.install_constants.DOGTAG_VERSION)
+            kra.install_check(api, None, options)
         except RuntimeError as e:
             print str(e)
             sys.exit(1)
@@ -865,7 +864,7 @@ def install(installer):
     http.restart()
 
     if setup_kra:
-        kra.install(None, options, dm_password)
+        kra.install(api, None, options)
 
     # Set the admin user kerberos password
     ds.change_admin_password(admin_password)
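Review bot: `kra.install(api, None, options)` now relies on `options.dm_password`, which the kra.py hunk reads in `kra.ldap_enable(...)`, whereas the removed call passed the local `dm_password` explicitly; the replicainstall and ipa_kra_install hunks in this patch assign `options.dm_password` before calling, but no hunk in this file does, so please confirm install.py sets it or add `options.dm_password = dm_password` before the call. install() extends beyond this hunk.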
@@ -1060,7 +1059,7 @@ def uninstall(installer):
 
     ntpinstance.NTPInstance(fstore).uninstall()
 
-    kra.uninstall()
+    kra.uninstall(False)
 
     ca.uninstall(dogtag_constants)
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0429a40..011669c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -379,8 +379,6 @@ def install_check(installer):
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
 
-        fd.write("enable_kra=%s\n" % config.setup_kra)
-
         fd.write("mode=production\n")
         fd.close()
     finally:
@@ -480,6 +478,18 @@ def install_check(installer):
             root_logger.debug('No IPA DNS servers, '
                               'skipping forward/reverse resolution check')
 
+        if options.setup_ca:
+            options.realm_name = config.realm_name
+            options.host_name = config.host_name
+            options.subject = config.subject_base
+            ca.install_check(False, config, options)
+
+        if config.setup_kra:
+            try:
+                kra.install_check(remote_api, config, options)
+            except RuntimeError as e:
+                print str(e)
+                sys.exit(1)
     except errors.ACIError:
         sys.exit("\nThe password provided is incorrect for LDAP server "
                  "%s" % config.master_host_name)
@@ -492,20 +502,6 @@ def install_check(installer):
         if conn.isconnected():
             conn.disconnect()
 
-    if options.setup_ca:
-        options.realm_name = config.realm_name
-        options.host_name = config.host_name
-        options.subject = config.subject_base
-        ca.install_check(False, config, options)
-
-    if config.setup_kra:
-        try:
-            kra.install_check(config, options, False,
-                              dogtag.install_constants.DOGTAG_VERSION)
-        except RuntimeError as e:
-            print str(e)
-            sys.exit(1)
-
     if options.setup_dns:
         dns.install_check(False, True, options, config.host_name)
     else:
@@ -567,14 +563,18 @@ def install(installer):
         if conn.isconnected():
             conn.disconnect()
 
+    options.dm_password = config.dirman_password
+
     if config.setup_ca:
         options.realm_name = config.realm_name
         options.domain_name = config.domain_name
-        options.dm_password = config.dirman_password
         options.host_name = config.host_name
 
         ca.install(False, config, options)
 
+    if options.setup_kra:
+        kra.install(api, config, options)
+
     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
     http = install_http(config, auto_redirect=not options.no_ui_redirect)
 
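Review bot: The guard here is `if options.setup_kra:` while the install_check hunk in this same file tests `config.setup_kra`; unless the two attributes are kept in sync elsewhere, one of them should be used in both places. The KRA install also moves from after `ds.apply_updates()` (removed in the next hunk) to before install_krb and install_http, so LDAP updates that the KRA setup previously ran after are now applied afterwards; a comment stating why the earlier ordering is safe would help, since that reasoning is not visible in this patch. install() extends beyond this hunk.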
@@ -590,11 +590,8 @@ def install(installer):
     service.print_msg("Applying LDAP updates")
     ds.apply_updates()
 
-    if options.setup_kra:
-        kra.install(config, options, config.dirman_password)
-    else:
-        service.print_msg("Restarting the directory server")
-        ds.restart()
+    service.print_msg("Restarting the directory server")
+    ds.restart()
 
     service.print_msg("Restarting the KDC")
     krb.restart()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index e4e5dd3..88307a0 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -41,6 +41,7 @@ SERVICE_LIST = {
     'MEMCACHE': ('ipa_memcached', 39),
     'HTTP': ('httpd', 40),
     'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
+    'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
     'ADTRUST': ('smb', 60),
     'EXTID': ('winbind', 70),
     'OTPD': ('ipa-otpd', 80),
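Review bot: The new `'KRA'` entry resolves to the same unit as `'CA'` (`'%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME`), so anything that walks SERVICE_LIST to start, stop or restart services will act on that unit twice in succession (order 50 then 51). A comment such as `# CA and KRA run in the same Dogtag instance, so both map to one unit` would mark the duplication as intentional. The dict continues before and after this hunk.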
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e60cced..a5b7d23 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1909,7 +1909,7 @@ class kra(Backend):
         Raises a generic exception if KRA is not enabled.
         """
 
-        if not api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             # TODO: replace this with a more specific exception
             raise RuntimeError('KRA service is not enabled')
 
-- 
2.1.0
