URL: https://github.com/freeipa/freeipa/pull/466
Author: abbra
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
Action: opened

PR body:
"""

When running PKINIT upgrade we need to make sure full substitution
dictionary is in place or otherwise executing LDAP updates will fail to
find proper objects because $SUFFIX, $DOMAIN, and other variables
will not be substituted.

Fixes https://fedorahosted.org/freeipa/ticket/6670
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/466/head:pr466
git checkout pr466
From 1dc4cea37c4efa74d3c8505abaeb569af87ef269 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 15 Feb 2017 10:14:58 +0200
Subject: [PATCH] pkinit: make sure to have proper dictionary for Kerberos
 instance on upgrade

When running PKINIT upgrade we need to make sure full substitution
dictionary is in place or otherwise executing LDAP updates will fail to
find proper objects because $SUFFIX, $DOMAIN, and other variables
will not be substituted.

Fixes https://fedorahosted.org/freeipa/ticket/6670
---
 ipaserver/install/server/upgrade.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 509f196..41da723 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1753,6 +1753,18 @@ def upgrade_configuration():
     krb.realm = api.env.realm
     krb.suffix = ipautil.realm_to_suffix(krb.realm)
     krb.subject_base = subject_base
+    krb.sub_dict = dict(FQDN=krb.fqdn,
+                        SUFFIX=krb.suffix,
+                        DOMAIN=api.env.domain,
+                        HOST=api.env.host,
+                        SERVER_ID=installutils.realm_to_serverid(krb.realm),
+                        REALM=krb.realm,
+                        KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
+                        DICT_WORDS=paths.DICT_WORDS,
+                        KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+                        KDC_CERT=paths.KDC_CERT,
+                        KDC_KEY=paths.KDC_KEY,
+                        CACERT_PEM=paths.CACERT_PEM)
     if not os.path.exists(paths.KDC_CERT):
         krb.setup_pkinit()
         replacevars = dict()
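Review bot: The twelve-key krb.sub_dict is assembled by hand inside upgrade_configuration(), so the upgrade path carries its own list of substitution keys. If an LDAP update file later uses a variable that is not listed here, the upgrade will hit the same unsubstituted-variable failure the commit message describes. If the install path builds the same dictionary, move the construction into one method on the krb object that both paths call. Otherwise add a comment above the krb.sub_dict assignment saying which update files' variables it has to cover. Separately, FQDN is taken from krb.fqdn while HOST is taken from api.env.host. If both are meant to be the same host name, use one source for both so they cannot diverge.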