Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5902>.

Honza

--
Jan Cholasta
From 6daef1e8e7fa55fd2be3a3ab1fff32ff10b88298 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 23 May 2016 16:18:02 +0200
Subject: [PATCH] replica install: do not set CA renewal master flag

The CA renewal master flag was unconditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.

Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA master.

https://fedorahosted.org/freeipa/ticket/5902
---
 ipaserver/install/ca.py                        |  6 +++++-
 ipaserver/install/cainstance.py                |  2 +-
 ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index acc5433..3a827ae 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -188,7 +188,11 @@ def install_step_1(standalone, replica_config, options):
         ca.stop('pki-tomcat')
 
     # We need to ldap_enable the CA now that DS is up and running
-    ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
+    if replica_config is None:
+        config = ['caRenewalMaster']
+    else:
+        config = []
+    ca.ldap_enable('CA', host_name, dm_password, basedn, config)
 
     # This is done within stopped_service context, which restarts CA
     ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH)
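Review bot: The two call sites now express "no renewal-master flag" differently: this hunk passes an explicit `[]` via the `if replica_config is None:` branch, while the cainstance.py hunk in the same patch drops the argument from `self.ldap_enable('CA', self.fqdn, None, basedn)` and relies on the parameter's default, which is not visible here and which I have not confirmed is an empty list. Passing `[]` explicitly in both places, or a one-line comment at each call such as `# only the first master becomes CA renewal master; replicas get no flag`, would make the intent the same and grep-able. The branch itself reduces to `config = ['caRenewalMaster'] if replica_config is None else []`. install_step_1 continues outside the hunk, and the identical hunk appears again in the second copy of this patch for the other branch.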
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 337a077..475e74d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1288,7 +1288,7 @@ class CAInstance(DogtagInstance):
 
     def __enable_instance(self):
         basedn = ipautil.realm_to_suffix(self.realm)
-        self.ldap_enable('CA', self.fqdn, None, basedn, ['caRenewalMaster'])
+        self.ldap_enable('CA', self.fqdn, None, basedn)
 
     def configure_replica(self, master_host, subject_base=None,
                           ca_cert_bundle=None, ca_signing_algorithm=None,
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index e83cf3b..a92caf9 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
         ldap = self.api.Backend.ldap2
         base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                      self.api.env.basedn)
+        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
         filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
         try:
             entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
             pass
         else:
             self.debug("found CA renewal master %s", entries[0].dn[1].value)
-            return False, []
+
+            master = False
+            updates = []
+
+            for entry in entries:
+                if entry.dn == dn:
+                    master = True
+                    continue
+
+                updates.append({
+                    'dn': entry.dn,
+                    'updates': [
+                        dict(action='remove', attr='ipaConfigString',
+                             value='caRenewalMaster')
+                    ],
+                })
+
+            if master:
+                return False, updates
+            else:
+                return False, []
 
         criteria = {
             'cert-database': paths.HTTPD_ALIAS_DIR,
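Review bot: When several entries carry `caRenewalMaster`, the debug line kept before the loop (`self.debug("found CA renewal master %s", entries[0].dn[1].value)`) reports only the first one, and the removals the loop queues against the other hosts are never logged; since clearing the flag changes which host renews the shared Dogtag certificates, each queued removal should be recorded, e.g. `self.debug("removing caRenewalMaster from %s", entry.dn)` next to `updates.append({`. The path where the local host is not among the flagged entries returns `False, []` and leaves the duplicates in place, which looks intended (only a host that holds the flag prunes the others), but a short comment stating that, plus a debug message when `len(entries) > 1` on such a host, would make the stale state visible where it cannot be fixed. The closing `if master:` / `else:` pair collapses to `return False, updates if master else []`. The enclosing method continues past the hunk, and the same hunk appears in the second copy of this patch.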
@@ -95,7 +116,6 @@ class update_ca_renewal_master(Updater):
                     "assuming local CA is renewal slave", config)
                 return (False, False, [])
 
-        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
         update = {
                 'dn': dn,
                 'updates': [
-- 
2.5.5

From 242e85bb040dcf1d4c0f979421ea7b37716aa81a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Mon, 23 May 2016 16:18:02 +0200
Subject: [PATCH] replica install: do not set CA renewal master flag

The CA renewal master flag was unconditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.

Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA master.

https://fedorahosted.org/freeipa/ticket/5902
---
 ipaserver/install/ca.py                        |  6 +++++-
 ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index d2fb5fe..1fc0b7a 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -192,7 +192,11 @@ def install_step_1(standalone, replica_config, options):
         ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
 
     # We need to ldap_enable the CA now that DS is up and running
-    ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
+    if replica_config is None:
+        config = ['caRenewalMaster']
+    else:
+        config = []
+    ca.ldap_enable('CA', host_name, dm_password, basedn, config)
 
     # This is done within stopped_service context, which restarts CA
     ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index dae976f..c0c655c 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
         ldap = self.api.Backend.ldap2
         base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                      self.api.env.basedn)
+        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
         filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
         try:
             entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
             pass
         else:
             self.debug("found CA renewal master %s", entries[0].dn[1].value)
-            return False, []
+
+            master = False
+            updates = []
+
+            for entry in entries:
+                if entry.dn == dn:
+                    master = True
+                    continue
+
+                updates.append({
+                    'dn': entry.dn,
+                    'updates': [
+                        dict(action='remove', attr='ipaConfigString',
+                             value='caRenewalMaster')
+                    ],
+                })
+
+            if master:
+                return False, updates
+            else:
+                return False, []
 
         criteria = {
             'cert-database': paths.HTTPD_ALIAS_DIR,
@@ -96,7 +117,6 @@ class update_ca_renewal_master(Updater):
                     "assuming local CA is renewal slave", config)
                 return (False, False, [])
 
-        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
         update = {
                 'dn': dn,
                 'updates': [
-- 
2.5.5
