The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257

--
Endi S. Dewata
From 45af6d4f9a8ebc9bbd2856d7bf3af48520996dad Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Thu, 27 Aug 2015 06:44:29 +0200
Subject: [PATCH] Using LDAPI to setup CA and KRA agents.

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257
---
 ipaplatform/base/paths.py        |   2 -
 ipaserver/install/cainstance.py  |  49 ++++++++++-------
 ipaserver/install/krainstance.py | 113 +++++++++++++++------------------------
 3 files changed, 72 insertions(+), 92 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 
5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931..0dd3c7fda3020264a1ace8f2d13557cfddf18c2d
 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -343,8 +343,6 @@ class BasePathNamespace(object):
     SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
     ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
     ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
-    KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
-    KRA_PKCS12_PASSWORD_FILE = 
"/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
     ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
     LDIF2DB = '/usr/sbin/ldif2db'
     DB2LDIF = '/usr/sbin/db2ldif'
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
ecd9300036353426097d929918be974cbbb5c69d..bec39419363f1ade0130465d3b70e1c5540b6006
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -904,17 +904,26 @@ class CAInstance(DogtagInstance):
         self.configure_agent_renewal()
 
     def __configure_ra(self):
-        # Create an RA user in the CA LDAP server and add that user to
-        # the appropriate groups so it can issue certificates without
-        # manual intervention.
-        conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
-        conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+        """
+        Create CA agent, assign a certificate, and add the user to
+        the appropriate groups for accessing CA services.
+        """
 
-        decoded = base64.b64decode(self.ra_cert)
+        # get ipaCert certificate
+        cert_data = base64.b64decode(self.ra_cert)
+        cert = x509.load_certificate(cert_data, x509.DER)
 
-        entry_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
-        entry = conn.make_entry(
-            entry_dn,
+        # connect to CA database
+        server_id = installutils.realm_to_serverid(api.env.realm)
+        dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+        conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+        if not conn.isconnected():
+            conn.connect(autobind=True)
+
+        # create ipara user with ipaCert certificate
+        user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+        conn.create(
+            dn=user_dn,
             objectClass=['top', 'person', 'organizationalPerson',
                          'inetOrgPerson', 'cmsuser'],
             uid=["ipara"],
@@ -922,23 +931,23 @@ class CAInstance(DogtagInstance):
             cn=["ipara"],
             usertype=["agentType"],
             userstate=["1"],
-            userCertificate=[decoded],
+            userCertificate=[cert_data],
             description=['2;%s;%s;%s' % (
-                str(self.requestId),
+                cert.serial_number,
                 DN(('CN', 'Certificate Authority'), self.subject_base),
                 DN(('CN', 'IPA RA'), self.subject_base))])
 
-        conn.add_entry(entry)
+        # add ipara user to Certificate Manager Agents group
+        group_dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'),
+            self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-        dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), 
self.basedn)
-        modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
-        conn.modify_s(dn, modlist)
+        # add ipara user to Registration Manager Agents group
+        group_dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'),
+            self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-        dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), 
self.basedn)
-        modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
-        conn.modify_s(dn, modlist)
-
-        conn.unbind()
+        conn.disconnect()
 
     def __configure_profiles_acl(self):
         """Allow the Certificate Manager Agents group to modify profiles."""
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 
e5cdbf5e7714603041e3f0156e87311994175b18..b57858d51ae7b3ddb629c7e0e519e5d7b54f6a0b
 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -25,17 +25,21 @@ import sys
 import tempfile
 
 from ipalib import api
+from ipalib import x509
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython import certdb
 from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
 from ipaserver.install import certs
 from ipaserver.install import cainstance
+from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import service
 from ipaserver.install.dogtaginstance import DogtagInstance
 from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
+from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import log_mgr
 
 # When IPA is installed with DNS support, this CNAME should hold all IPA
@@ -111,8 +115,8 @@ class KRAInstance(DogtagInstance):
 
         self.step("configuring KRA instance", self.__spawn_instance)
         if not self.clone:
-            self.step("add RA user to KRA agent group",
-                      self.__add_ra_user_to_agent_group)
+            self.step("create KRA agent",
+                      self.__create_kra_agent)
         self.step("restarting KRA", self.restart_instance)
         self.step("configure certmonger for renewals",
                   self.configure_certmonger_renewal)
@@ -267,77 +271,46 @@ class KRAInstance(DogtagInstance):
 
         self.log.debug("completed creating KRA instance")
 
-    def __add_ra_user_to_agent_group(self):
+    def __create_kra_agent(self):
         """
-        Add RA agent created for CA to KRA agent group.
+        Create KRA agent, assign a certificate, and add the user to
+        the appropriate groups for accessing KRA services.
         """
 
-        # import CA certificate into temporary security database
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "client-cert-import",
-            "--pkcs12", paths.KRACERT_P12,
-            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
-        ipautil.run(args)
-
-        # trust CA certificate
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "client-cert-mod", "Certificate Authority - %s" % api.env.realm,
-            "--trust", "CT,c,"]
-        ipautil.run(args)
-
-        # import Dogtag admin certificate into temporary security database
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "client-cert-import",
-            "--pkcs12", paths.DOGTAG_ADMIN_P12,
-            "--pkcs12-password-file", paths.KRA_PKCS12_PASSWORD_FILE]
-        ipautil.run(args)
-
-        # as Dogtag admin, create ipakra user in KRA
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "-n", "ipa-ca-agent",
-            "kra-user-add", "ipakra",
-            "--fullName", "IPA KRA User"]
-        ipautil.run(args)
-
-        # as Dogtag admin, add ipakra into KRA agents group
-        args = ["/usr/bin/pki",
-            "-d", self.agent_db,
-            "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-            "-n", "ipa-ca-agent",
-            "kra-user-membership-add", "ipakra", "Data Recovery Manager 
Agents"]
-        ipautil.run(args)
-
-        # assign ipaCert to ipakra
-        (file, filename) = tempfile.mkstemp()
-        os.close(file)
-        try:
-            # export ipaCert without private key
-            args = ["/usr/bin/pki",
-                "-d", paths.HTTPD_ALIAS_DIR,
-                "-C", paths.ALIAS_PWDFILE_TXT,
-                "client-cert-show", "ipaCert",
-                "--cert", filename]
-            ipautil.run(args)
-
-            # as Dogtag admin, upload and assign ipaCert to ipakra
-            args = ["/usr/bin/pki",
-                "-d", self.agent_db,
-                "-C", paths.KRA_NSSDB_PASSWORD_FILE,
-                "-n", "ipa-ca-agent",
-                "kra-user-cert-add", "ipakra",
-                "--input", filename]
-            ipautil.run(args)
-
-        finally:
-            os.remove(filename)
+        # get ipaCert certificate
+        with certdb.NSSDatabase(paths.HTTPD_ALIAS_DIR) as ipa_nssdb:
+           cert_data = ipa_nssdb.get_cert("ipaCert")
+        cert = x509.load_certificate(cert_data, x509.DER)
+
+        # connect to KRA database
+        server_id = installutils.realm_to_serverid(api.env.realm)
+        dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+        conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+        if not conn.isconnected():
+            conn.connect(autobind=True)
+
+        # create ipakra user with ipaCert certificate
+        user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
+        conn.create(
+            dn=user_dn,
+            objectClass=['top', 'person', 'organizationalPerson',
+                         'inetOrgPerson', 'cmsuser'],
+            uid=["ipakra"],
+            sn=["IPA KRA User"],
+            cn=["IPA KRA User"],
+            usertype=["undefined"],
+            userCertificate=[cert_data],
+            description=['2;%s;%s;%s' % (
+                cert.serial_number,
+                DN(('CN', 'Certificate Authority'), self.subject_base),
+                DN(('CN', 'IPA RA'), self.subject_base))])
+
+        # add ipakra user to Data Recovery Manager Agents group
+        group_dn = DN(('cn', 'Data Recovery Manager Agents'), ('ou', 'groups'),
+                self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+
+        conn.disconnect()
 
     def __add_vault_container(self):
         sub_dict = {
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to