On 02.12.2015 14:52, Martin Babinsky wrote:
On 11/30/2015 06:29 PM, Martin Basti wrote:


On 30.11.2015 14:16, Martin Babinsky wrote:
On 11/27/2015 05:02 PM, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5460

I tested just master, I will test ipa-4-2 later.
patch attached.



ACK for the master branch.

Thanks, additional patch improves error message when ipa-replica-install
--setup-ca --setup-kra is executed and KRA is not installed anywhere yet.

I'm working on patches for ipa-4-2 branch

Martin

ACK for patch 367.

Pushed to master: bbbe411f357b7fbad533b5211a90bb0558b1abbe

IPA 4.2 patches attached.
From 9166a7ad5243bff7681f1b8591536e45da2d6669 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 23 Nov 2015 13:43:53 +0100
Subject: [PATCH 1/2] ipa-kra-install: allow to install first KRA on replica

https://fedorahosted.org/freeipa/ticket/5460
---
 ipaserver/install/krainstance.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index a2514debae600bdc46afb92e426a5f616529fde2..625d84ab3129708cfdaf759cee6c2953b585a822 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -225,17 +225,13 @@ class KRAInstance(DogtagInstance):
             str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'))))
 
         _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
+
         if self.clone:
             krafile = self.pkcs12_info[0]
             shutil.copy(krafile, p12_tmpfile_name)
             pent = pwd.getpwnam(PKI_USER)
             os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)
 
-            # create admin cert file if it does not exist
-            cert = DogtagInstance.get_admin_cert(self)
-            with open(paths.ADMIN_CERT_PATH, "w") as admin_path:
-                admin_path.write(cert)
-
             # Security domain registration
             config.set("KRA", "pki_security_domain_hostname", self.master_host)
             config.set("KRA", "pki_security_domain_https_port", "443")
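Review bot: the removal of the admin cert write from the `if self.clone:` branch is not explained in the commit message, which carries only the ticket link. Add a sentence there saying the write moves out of the clone branch so that it also runs when no clone is being set up. The blank line added after the `tempfile.mkstemp(dir=paths.TMP)` call is an unrelated whitespace change and can be dropped from the backport. While in this area, `_p12_tmpfile_handle` is not closed in the lines shown, so it is worth confirming the descriptor is closed elsewhere.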
@@ -252,6 +248,11 @@ class KRAInstance(DogtagInstance):
                 "KRA", "pki_clone_uri",
                 "https://%s"; % ipautil.format_netloc(self.master_host, 443))
 
+        # the admin cert file is needed for the KRA
+        cert = DogtagInstance.get_admin_cert(self)
+        with open(paths.ADMIN_CERT_PATH, "w") as admin_path:
+            admin_path.write(cert)
+
         # Generate configuration file
         with open(cfg_file, "wb") as f:
             config.write(f)
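Review bot: the write at `open(paths.ADMIN_CERT_PATH, "w")` now runs on every path rather than only under `if self.clone:`, and it truncates whatever is already at that path without checking the value returned by `DogtagInstance.get_admin_cert(self)`. Check that `cert` is non-empty before opening the file, so that a lookup returning nothing does not leave an empty admin cert file behind. The new comment could also name the case that needs this (per the subject, the first KRA on a replica), since the removed comment's "if it does not exist" wording is gone and nothing states that the unconditional overwrite is intended.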
-- 
2.5.0

From e81fa00593541df6e8990b102c4b5a0c0829adbe Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 30 Nov 2015 18:18:38 +0100
Subject: [PATCH 2/2] Modify error message to install first instance of KRA

First instance of KRA should be installed by ipa-kra-install.

https://fedorahosted.org/freeipa/ticket/5460
---
 ipaserver/install/kra.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f317e7aa0f5d9bec01ec743fb42f06cdff83d03c..e506f10a39234e1537a3233cd68abee262524f7b 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -34,7 +34,9 @@ def install_check(api, replica_config, options):
 
     if replica_config is not None:
         if not api.Command.kra_is_enabled()['result']:
-            raise RuntimeError("KRA is not installed on the master system")
+            raise RuntimeError(
+                "KRA is not installed on the master system. Please use "
+                "'ipa-kra-install' command to install the first instance.")
 
         with certdb.NSSDatabase() as tmpdb:
             pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
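Review bot: the new message raised under `if replica_config is not None:` does not say on which host `ipa-kra-install` should be run. It still opens with "KRA is not installed on the master system", so someone who hits it during a replica install cannot tell whether the command belongs on the master or on the host being installed. Name the host explicitly in the message, and add the missing article: "Please use the 'ipa-kra-install' command to install the first instance."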
-- 
2.5.0
