patch attached.

https://fedorahosted.org/freeipa/ticket/5966


From 78be21f8eedd2de79bddf6653363e2466485a19f Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 22 Jun 2016 12:20:09 +0200
Subject: [PATCH] CA replica promotion: add proper CA DNS records

Update 'ipa-ca' records with A/AAAA records of the newly added replica

https://fedorahosted.org/freeipa/ticket/5966
---
 ipalib/constants.py               |  1 +
 ipaserver/install/bindinstance.py |  2 +-
 ipaserver/install/cainstance.py   | 16 +++++++++++-----
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 1ff9ccc7efe0c3be0fc3cf2f21352e89ef94ad6e..ed6e4aa59503c9dc9b7499e39fbc89aa45e2666f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -261,3 +261,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName',
 
 DOMAIN_SUFFIX_NAME = 'domain'
 CA_SUFFIX_NAME = 'ca'
+IPA_CA_RECORD = "ipa-ca"
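Review bot: The explanatory comment that accompanied IPA_CA_RECORD in cainstance.py ("When IPA is installed with DNS support, this CNAME should hold all IPA replicas with CA configured") is dropped by the move and does not reappear here, so the constant lands in constants.py with no indication of what it names or who consumes it. Carry the comment over, and since the commit message says the name holds the A/AAAA records of each CA replica rather than a CNAME, correct the wording while moving it: `# Relative DNS name under which the A/AAAA records of every IPA replica with a CA configured are published (only when IPA manages DNS)`. The same applies to the second patch's constants.py hunk (@@ -268,3 +268,4 @@).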
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index cbf52ba14d9f342a4139941d2367fef984e7d1e5..3e6e26ccdd7bbfb25a19f210307d6597be901a37 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -33,13 +33,13 @@ import six
 from ipaserver.install import installutils
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipaserver.install.cainstance import IPA_CA_RECORD
 from ipapython import sysrestore, ipautil, ipaldap
 from ipapython.ipa_log_manager import *
 from ipapython import dnsutil
 from ipapython.dn import DN
 import ipalib
 from ipalib import api, errors
+from ipalib.constants import IPA_CA_RECORD
 from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f67e7733fe867f859cae90a85e9ffe6ae188b41b..278514d06265455b49be8fb4dc5634592572efe8 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -62,6 +62,7 @@ from ipapython.ipa_log_manager import log_mgr,\
     standard_logging_setup, root_logger
 
 from ipaserver.install import certs
+from ipaserver.install import bindinstance
 from ipaserver.install import dsinstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
@@ -79,10 +80,6 @@ except ImportError:
     import http.client as httplib
 
 
-# When IPA is installed with DNS support, this CNAME should hold all IPA
-# replicas with CA configured
-IPA_CA_RECORD = "ipa-ca"
-
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@@ -1291,6 +1288,14 @@ class CAInstance(DogtagInstance):
         basedn = ipautil.realm_to_suffix(self.realm)
         self.ldap_enable('CA', self.fqdn, None, basedn)
 
+    def __update_ca_records(self):
+        # Install CA DNS records
+        if bindinstance.dns_container_exists(
+            api.env.host, api.env.basedn, ldapi=True, realm=api.env.realm
+        ):
+            bind = bindinstance.BindInstance(ldapi=True)
+            bind.add_ipa_ca_dns_records(api.env.host, api.env.domain)
+
     def configure_replica(self, master_host, subject_base=None,
                           ca_cert_bundle=None, ca_signing_algorithm=None,
                           ca_type=None):
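Review bot: `__update_ca_records` carries only the one-line comment `# Install CA DNS records`, which explains neither the guard nor what the records are for; a short docstring would help the next reader, e.g. `"""Publish this replica's CA DNS records when IPA manages DNS. Does nothing when no DNS container exists in LDAP."""` (the A/AAAA-under-ipa-ca detail comes from the commit message, so confirm it against add_ipa_ca_dns_records before stating it there). The method also reads the host and realm from `api.env` while the neighbouring code (`self.realm`, `self.fqdn` two lines above) uses the instance; presumably these hold the same values, but using `self.realm`/`self.fqdn` would keep the class consistent and honour whatever the caller configured. The same applies to the second patch's hunk at @@ -1296,6 +1293,14 @@.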
@@ -1359,6 +1364,7 @@ class CAInstance(DogtagInstance):
                   self.__restart_http_instance)
 
         self.step("enabling CA instance", self.__enable_instance)
+        self.step("Updating DNS CA records", self.__update_ca_records)
 
         self.start_creation(runtime=210)
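Review bot: The new step label `"Updating DNS CA records"` starts with a capital letter, while the step directly above it (`"enabling CA instance"`) and the other labels in this list are lowercase; these labels are presumably shown to the user as the numbered step output, so the inconsistency is visible. Suggest `self.step("updating DNS CA records", self.__update_ca_records)`. The same applies to the second patch's hunk at @@ -1366,6 +1371,7 @@. configure_replica starts before this hunk.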
 
@@ -1623,7 +1629,7 @@ def configure_profiles_acl():
 def __get_profile_config(profile_id):
     sub_dict = dict(
         DOMAIN=ipautil.format_netloc(api.env.domain),
-        IPA_CA_RECORD=IPA_CA_RECORD,
+        IPA_CA_RECORD=ipalib.constants.IPA_CA_RECORD,
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
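Review bot: The replacement reads the constant as `ipalib.constants.IPA_CA_RECORD`, which needs the bare name `ipalib` to be bound in cainstance.py; none of the import hunks in this patch add it, so the line relies on an existing `import ipalib` above that is not visible here — if the module only has `from ipalib import api, ...`, this raises NameError the first time a profile is configured. bindinstance.py in the same patch imports the name directly (`from ipalib.constants import IPA_CA_RECORD`); doing the same here keeps the two modules consistent and lets the line stay `IPA_CA_RECORD=IPA_CA_RECORD,`. Because the earlier hunk removes the module-level definition, any other bare reference to IPA_CA_RECORD elsewhere in cainstance.py would now fail at runtime as well, which is worth a grep before merging. The same applies to the second patch's hunk at @@ -1722,7 +1728,7 @@; __get_profile_config continues past this hunk.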
-- 
2.5.5

From 213ceefd6185006e0a5a15369ab963c94f93ef48 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 22 Jun 2016 12:20:09 +0200
Subject: [PATCH] CA replica promotion: add proper CA DNS records

Update 'ipa-ca' records with A/AAAA records of the newly added replica

https://fedorahosted.org/freeipa/ticket/5966
---
 ipalib/constants.py               |  1 +
 ipaserver/install/bindinstance.py |  2 +-
 ipaserver/install/cainstance.py   | 16 +++++++++++-----
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index bcddb5b97225a924400dbcb049b02fa71d039d61..45f633f72c747e1fc6c996d89204f09342bbcf8f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -268,3 +268,4 @@ DOMAIN_SUFFIX_NAME = 'domain'
 CA_SUFFIX_NAME = 'ca'
 PKI_GSSAPI_SERVICE_NAME = 'dogtag'
 IPA_CA_CN = u'ipa'
+IPA_CA_RECORD = "ipa-ca"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 08c32f4837a5b4f72b78a52002a58c888db6cc91..1c71e049538cccac84558dfe073a77d9e4658096 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -37,7 +37,6 @@ from ipaserver.dns_data_management import (
 from ipaserver.install import installutils
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipaserver.install.cainstance import IPA_CA_RECORD
 from ipapython import sysrestore, ipautil, ipaldap
 from ipapython import dnsutil
 from ipapython.dnsutil import DNSName
@@ -45,6 +44,7 @@ from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 import ipalib
 from ipalib import api, errors
+from ipalib.constants import IPA_CA_RECORD
 from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8dfb71528d2dc020e05ccd7ff42199218a1c0839..c741a7ef6e303d08cef961b68da5384549b8b263 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -63,6 +63,7 @@ from ipapython.ipa_log_manager import log_mgr,\
 from ipapython.secrets.kem import IPAKEMKeys
 
 from ipaserver.install import certs
+from ipaserver.install import bindinstance
 from ipaserver.install import dsinstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
@@ -81,10 +82,6 @@ except ImportError:
     import http.client as httplib
 
 
-# When IPA is installed with DNS support, this CNAME should hold all IPA
-# replicas with CA configured
-IPA_CA_RECORD = "ipa-ca"
-
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@@ -1296,6 +1293,14 @@ class CAInstance(DogtagInstance):
         basedn = ipautil.realm_to_suffix(self.realm)
         self.ldap_enable('CA', self.fqdn, None, basedn)
 
+    def __update_ca_records(self):
+        # Install CA DNS records
+        if bindinstance.dns_container_exists(
+            api.env.host, api.env.basedn, ldapi=True, realm=api.env.realm
+        ):
+            bind = bindinstance.BindInstance(ldapi=True)
+            bind.update_system_records()
+
     def configure_replica(self, master_host, subject_base=None,
                           ca_cert_bundle=None, ca_signing_algorithm=None,
                           ca_type=None):
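Review bot: This revision calls `bind.update_system_records()` where the first patch called `add_ipa_ca_dns_records(api.env.host, api.env.domain)`, yet the comment `# Install CA DNS records`, the step label and the commit message still describe only the ipa-ca records. If update_system_records refreshes all IPA system DNS records (its name suggests so, but the method is not shown), say that where the reader will look: `# Refresh the IPA system DNS records (incl. ipa-ca) now that this replica has a CA`, and note the broader effect in the commit message. If it really touches only the CA records, the narrower comment is fine but the commit message should still say which call does the work.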
@@ -1366,6 +1371,7 @@ class CAInstance(DogtagInstance):
                   self.__restart_http_instance)
 
         self.step("enabling CA instance", self.__enable_instance)
+        self.step("Updating DNS CA records", self.__update_ca_records)
 
         self.start_creation(runtime=210)
 
@@ -1722,7 +1728,7 @@ def __add_acls(new_rules):
 def __get_profile_config(profile_id):
     sub_dict = dict(
         DOMAIN=ipautil.format_netloc(api.env.domain),
-        IPA_CA_RECORD=IPA_CA_RECORD,
+        IPA_CA_RECORD=ipalib.constants.IPA_CA_RECORD,
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
-- 
2.5.5
