Hi,

The attached patches fix <https://fedorahosted.org/freeipa/ticket/5253>.

Honza

--
Jan Cholasta
From 5600a357d3dbed0524acd766a2ce19b20e58235e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 27 Aug 2015 07:23:39 +0200
Subject: [PATCH 1/2] cert renewal: Include KRA users in Dogtag LDAP update

https://fedorahosted.org/freeipa/ticket/5253
---
 ipaserver/install/cainstance.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 60c41b6..c8b834f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1575,7 +1575,7 @@ def update_people_entry(dercert):
 
     Returns True or False
     """
-    base_dn = DN(('ou','People'), ('o','ipaca'))
+    base_dn = DN(('o', 'ipaca'))
     serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
     subject = x509.get_subject(dercert, datatype=x509.DER)
     issuer = x509.get_issuer(dercert, datatype=x509.DER)
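Review bot: The docstring visible at the top of this hunk still only says `Returns True or False`, while the changed `base_dn` line widens the search from `ou=People,o=ipaca` to all of `o=ipaca`, so the function's scope has grown without the documentation saying so. I would extend the docstring with a line such as `Update userCertificate on every matching person entry under o=ipaca (CA and KRA agent users).` and state what a False return means, if the rest of the function makes that clear. update_people_entry's `def` line and the start of its docstring are before this hunk, so the name and opening sentence are outside view.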
@@ -1591,9 +1591,14 @@ def update_people_entry(dercert):
             conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
             conn.connect(autobind=True)
 
-            db_filter = conn.make_filter(
-                {'description': ';%s;%s' % (issuer, subject)},
-                exact=False, trailing_wildcard=False)
+            db_filter = conn.combine_filters(
+                [
+                    conn.make_filter({'objectClass': 'inetOrgPerson'}),
+                    conn.make_filter(
+                        {'description': ';%s;%s' % (issuer, subject)},
+                        exact=False, trailing_wildcard=False),
+                ],
+                conn.MATCH_ALL)
             try:
                 entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter)
             except errors.NotFound:
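Review bot: The combined filter on the changed lines interpolates the issuer and subject DN strings into a trailing-substring match (`(description=*;<issuer>;<subject>)`), so correctness now depends on `make_filter` escaping LDAP filter metacharacters (`*`, `(`, `)`, `\`) that a DN component can legally contain; ipaldap's make_filter is presumed to do that, but it is worth confirming now that the search is a subtree search over all of `o=ipaca` rather than one `ou`. A short comment on the description term would make the assumption explicit: `# make_filter escapes filter metacharacters in issuer/subject`. Because the match is by suffix, every inetOrgPerson whose description ends with the same issuer;subject pair is selected, which is the intent for the KRA agent entries, but the loop that applies the update to those entries is past the end of this hunk. update_people_entry continues outside the hunk.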
-- 
2.4.3

From 8aacd2e5e318d53b9db3d28ab615f49e57dc7cf2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 27 Aug 2015 07:37:24 +0200
Subject: [PATCH 2/2] cert renewal: Automatically update KRA agent PEM file

https://fedorahosted.org/freeipa/ticket/5253
---
 install/restart_scripts/renew_ra_cert | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 24b8ba4..4337e7a 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -29,7 +29,7 @@ import traceback
 
 from ipapython import ipautil
 from ipalib import api
-from ipaserver.install import certs, cainstance
+from ipaserver.install import certs, cainstance, krainstance
 from ipaplatform import services
 from ipaplatform.paths import paths
 
@@ -60,6 +60,16 @@ def _main():
 
             # Load it into dogtag
             cainstance.update_people_entry(dercert)
+
+        kra = krainstance.KRAInstance(api.env.realm)
+        if kra.is_installed():
+            # export ipaCert with private key for client authentication
+            args = ["/usr/bin/pki",
+                    "-d", paths.HTTPD_ALIAS_DIR,
+                    "-C", paths.ALIAS_PWDFILE_TXT,
+                    "client-cert-show", "ipaCert",
+                    "--client-cert", paths.KRA_AGENT_PEM]
+            ipautil.run(args)
     finally:
         shutil.rmtree(tmpdir)
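Review bot: The `pki client-cert-show --client-cert` call on the added lines writes the agent certificate together with its private key to `paths.KRA_AGENT_PEM`, but nothing afterwards checks or sets the file's mode and owner, so if the tool recreates the file it will get the process umask rather than whatever restrictive mode the installer gave it. I would confirm how pki creates the output file and, if it does not preserve permissions, follow the run with an explicit `os.chmod(paths.KRA_AGENT_PEM, 0o600)` plus a chown to the owner the installer uses (`os` would need to be imported if it is not already; only part of the import block is visible in the first hunk). `ipautil.run` presumably raises on a non-zero exit, so a failed export would propagate out of the `try` while the `finally` still removes `tmpdir`, which is fine. The export also runs whenever the KRA is installed, independent of the `if` branch above that loads the renewed cert into Dogtag; whether that is intended depends on that condition, which is outside the hunk. _main starts before this hunk.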
 
-- 
2.4.3
