This patch fixes https://fedorahosted.org/freeipa/ticket/5570 and also enables CA installation on a CA-less master with a hardened dirsrv configuration.

When testing I ran into the issue with Dogtag restart during KRA installation [1] which I will try to troubleshoot with Dogtag guys. You are welcome to troubleshoot it also during the review, maybe I did some misconfiguration on my part.

[1] https://www.redhat.com/archives/pki-devel/2016-February/msg00100.html
--
Martin^3 Babinsky
From 911d3d54a4a1fb1914cc2a727e7c01fb065d8b69 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 25 Feb 2016 09:09:35 +0100
Subject: [PATCH] use LDAPS during standalone CA/KRA subsystem deployment

The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.

https://fedorahosted.org/freeipa/ticket/5570
---
 ipaserver/install/cainstance.py     | 3 +++
 ipaserver/install/dogtaginstance.py | 6 ++++++
 ipaserver/install/krainstance.py    | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1a98c438786ae7dad208212fff23e3a760c95b3c..3ca4fa8d373ebc3375a9fc75b59969292f0198f0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -533,6 +533,9 @@ class CAInstance(DogtagInstance):
         config.set("CA", "pki_ds_base_dn", self.basedn)
         config.set("CA", "pki_ds_database", "ipaca")
 
+        if not self.create_ra_agent_db and not self.clone:
+            self._use_ldaps_during_spawn(config)
+
         # Certificate subject DN's
         config.set("CA", "pki_subsystem_subject_dn",
             str(DN(('cn', 'CA Subsystem'), self.subject_base)))
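Review bot: The guard `if not self.create_ra_agent_db and not self.clone:` encodes a non-obvious rule (LDAPS only when a standalone CA is added to an existing master, not for a fresh server install or a clone) without saying so, and nothing ties the name `create_ra_agent_db` to that meaning for a reader. Add a comment above it such as `# Standalone CA on an existing master: DS may already require TLS, so talk to it over LDAPS during spawn (not needed for a new master or a CA clone)`; if `create_ra_agent_db` is indeed being used as a proxy for "initial server install", say so explicitly. The enclosing method begins outside the hunk. The identical hunk in the second copy of the patch (cainstance.py around @@ -480) has the same gap.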
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 940b3ea9b13897d7e9e2878a47a8c66ce5ce9f0a..fa93b5069574b5fad824cee764460afb32dbc13e 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -463,3 +463,9 @@ class DogtagInstance(service.Service):
             self.log.critical("  %s" % log)
 
         raise RuntimeError("%s configuration failed." % self.subsystem)
+
+    def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
+        config.set(self.subsystem, "pki_ds_ldaps_port", "636")
+        config.set(self.subsystem, "pki_ds_secure_connection", "True")
+        config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
+                   ds_cacert)
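Review bot: `_use_ldaps_during_spawn` has no docstring, and the three settings it writes are security-relevant: `pki_ds_secure_connection_ca_pem_file` is the trust anchor pkispawn uses for the DS server certificate, so `ds_cacert` must contain the CA that issued the DS certificate (presumably the external chain in paths.IPA_CA_CRT on a CA-less master — worth confirming). A short docstring stating that contract would help, e.g. "Configure the pkispawn descriptor to reach DS over LDAPS; ds_cacert must be the PEM chain that issued the DS server certificate, otherwise spawn fails verification." The port is hardcoded as `"636"` while the CA file is a parameter; consider `def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT, ldaps_port="636"):` so a non-default DS LDAPS port is not silently ignored. The same method is added in the second copy (dogtaginstance.py around @@ -500).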
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 625d84ab3129708cfdaf759cee6c2953b585a822..be2727fb6ed66648c35f9db59ee8729d37e9dc02 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -188,6 +188,8 @@ class KRAInstance(DogtagInstance):
         config.set("KRA", "pki_ds_database", "ipaca")
         config.set("KRA", "pki_ds_create_new_db", "False")
 
+        self._use_ldaps_during_spawn(config)
+
         # Certificate subject DNs
         config.set("KRA", "pki_subsystem_subject_dn",
                    str(DN(('cn', 'CA Subsystem'), self.subject_base)))
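Review bot: The KRA call `self._use_ldaps_during_spawn(config)` is unconditional, whereas the CA hunk enables LDAPS only when `not self.create_ra_agent_db and not self.clone`, so KRA clones take the LDAPS path while CA clones do not. If the asymmetry is intended (KRA is always deployed against an already-running DS, clones included), a comment such as `# KRA is always installed against a running DS, so LDAPS can be used unconditionally (clones included)` would keep a later "consistency fix" from reintroducing the plaintext connection; if it is not intended, mirror the CA guard for the clone case. The cover letter mentions a Dogtag restart failure during KRA installation, which may or may not be related to this path. The enclosing method starts outside the hunk; the same applies to the second copy (krainstance.py around @@ -182).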
-- 
2.5.0

From f4bc04be5cf3c577acb0a3091d70455580550f51 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 25 Feb 2016 09:09:35 +0100
Subject: [PATCH] use LDAPS during standalone CA/KRA subsystem deployment

The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.

https://fedorahosted.org/freeipa/ticket/5570
---
 ipaserver/install/cainstance.py     | 3 +++
 ipaserver/install/dogtaginstance.py | 6 ++++++
 ipaserver/install/krainstance.py    | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b72255f1ad2f95c5265a40eddfb1fe413826dba4..d9452016670241f200fa646c8cab1e777291d089 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -480,6 +480,9 @@ class CAInstance(DogtagInstance):
         config.set("CA", "pki_ds_base_dn", self.basedn)
         config.set("CA", "pki_ds_database", "ipaca")
 
+        if not self.create_ra_agent_db and not self.clone:
+            self._use_ldaps_during_spawn(config)
+
         # Certificate subject DN's
         config.set("CA", "pki_subsystem_subject_dn",
             str(DN(('cn', 'CA Subsystem'), self.subject_base)))
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 5c2b28202329240e264e0b0a6149308ee208e8fa..f5e5649f9a7b80ab25c9789b62ea7efcd5662bb6 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -500,3 +500,9 @@ class DogtagInstance(service.Service):
         for group in self.admin_groups:
             self.__remove_admin_from_group(group)
         self.admin_conn.delete_entry(self.admin_dn)
+
+    def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
+        config.set(self.subsystem, "pki_ds_ldaps_port", "636")
+        config.set(self.subsystem, "pki_ds_secure_connection", "True")
+        config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
+                   ds_cacert)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 6589bb54eadf9bc5017ef99cdfbf3c46dabc27c6..a354d3748d14519f460cb0e5dce3c4170d26a6b9 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -182,6 +182,8 @@ class KRAInstance(DogtagInstance):
         config.set("KRA", "pki_ds_database", "ipaca")
         config.set("KRA", "pki_ds_create_new_db", "False")
 
+        self._use_ldaps_during_spawn(config)
+
         # Certificate subject DNs
         config.set("KRA", "pki_subsystem_subject_dn",
                    str(DN(('cn', 'CA Subsystem'), self.subject_base)))
-- 
2.5.0
