Re: [Freeipa-devel] [PATCH 00136] use LDAPS during standalone CA/KRA subsystem deployment

2016-03-01 Thread Tomas Babej


On 02/26/2016 06:03 PM, Martin Babinsky wrote:
> This patch fixes https://fedorahosted.org/freeipa/ticket/5570 and also
> enables CA installation on CA-less master with hardened dirsrv
> configuration.
> 
> When testing I ran into the issue with Dogtag restart during KRA
> installation [1] which I will try to troubleshoot with Dogtag guys. You
> are welcome to troubleshoot it also during the review, maybe I did some
> misconfiguration on my part.
> 
> [1] https://www.redhat.com/archives/pki-devel/2016-February/msg00100.html
> 
> 

Works fine, ACK!

Pushed to:
master: 276d16775a4ce8af5d39ca8a7bf5bcd638df343f
ipa-4-3: 8de860cc081dd0e5e8b0ae3a97fbb89d6d1386c4
ipa-4-2: c7c126fb51c5b2c92622f493d1c7efbadb899e49

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 00136] use LDAPS during standalone CA/KRA subsystem deployment

2016-02-26 Thread Martin Babinsky
This patch fixes https://fedorahosted.org/freeipa/ticket/5570 and also 
enables CA installation on CA-less master with hardened dirsrv 
configuration.


When testing I ran into the issue with Dogtag restart during KRA 
installation [1] which I will try to troubleshoot with Dogtag guys. You 
are welcome to troubleshoot it also during the review, maybe I did some 
misconfiguration on my part.


[1] https://www.redhat.com/archives/pki-devel/2016-February/msg00100.html
--
Martin^3 Babinsky
From 911d3d54a4a1fb1914cc2a727e7c01fb065d8b69 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 25 Feb 2016 09:09:35 +0100
Subject: [PATCH] use LDAPS during standalone CA/KRA subsystem deployment

The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.

https://fedorahosted.org/freeipa/ticket/5570
---
 ipaserver/install/cainstance.py | 3 +++
 ipaserver/install/dogtaginstance.py | 6 ++
 ipaserver/install/krainstance.py| 2 ++
 3 files changed, 11 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1a98c438786ae7dad208212fff23e3a760c95b3c..3ca4fa8d373ebc3375a9fc75b59969292f0198f0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -533,6 +533,9 @@ class CAInstance(DogtagInstance):
 config.set("CA", "pki_ds_base_dn", self.basedn)
 config.set("CA", "pki_ds_database", "ipaca")
 
+if not self.create_ra_agent_db and not self.clone:
+self._use_ldaps_during_spawn(config)
+
 # Certificate subject DN's
 config.set("CA", "pki_subsystem_subject_dn",
 str(DN(('cn', 'CA Subsystem'), self.subject_base)))
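Review bot: the guard `if not self.create_ra_agent_db and not self.clone:` expresses "standalone CA added to an existing master" only indirectly, and nothing in the hunk says why the first-server install and the clone path are deliberately left on the default DS connection while the standalone case switches to LDAPS; add a one-line comment above the condition stating that intent, so the next person touching `cainstance.py` does not "fix" the asymmetry by removing the guard.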
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 940b3ea9b13897d7e9e2878a47a8c66ce5ce9f0a..fa93b5069574b5fad824cee764460afb32dbc13e 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -463,3 +463,9 @@ class DogtagInstance(service.Service):
 self.log.critical("  %s" % log)
 
 raise RuntimeError("%s configuration failed." % self.subsystem)
+
+def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
+config.set(self.subsystem, "pki_ds_ldaps_port", "636")
+config.set(self.subsystem, "pki_ds_secure_connection", "True")
+config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
+   ds_cacert)
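Review bot: `_use_ldaps_during_spawn` has no docstring and hardcodes the port as the string `"636"`; add a docstring saying that it rewrites the pkispawn deployment descriptor so the subsystem reaches DS over LDAPS and validates the server certificate against `ds_cacert`, and consider a named constant for the port. Also confirm that `paths` is already imported in `dogtaginstance.py`: the new default `ds_cacert=paths.IPA_CA_CRT` relies on it, and the diffstat (`dogtaginstance.py | 6 ++`) shows that all six added lines are in this hunk, so no import was added with this change.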
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 625d84ab3129708cfdaf759cee6c2953b585a822..be2727fb6ed66648c35f9db59ee8729d37e9dc02 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -188,6 +188,8 @@ class KRAInstance(DogtagInstance):
 config.set("KRA", "pki_ds_database", "ipaca")
 config.set("KRA", "pki_ds_create_new_db", "False")
 
+self._use_ldaps_during_spawn(config)
+
 # Certificate subject DNs
 config.set("KRA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
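Review bot: the KRA path calls `self._use_ldaps_during_spawn(config)` unconditionally, whereas the CA hunk guards the same call with `if not self.create_ra_agent_db and not self.clone:`; if the difference is intended (the KRA is only ever deployed on a master whose DS already serves the IPA CA certificate, so the clone case needs no exception), state that in a comment next to the call, otherwise the KRA clone case should get the same guard as the CA.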
-- 
2.5.0

From f4bc04be5cf3c577acb0a3091d70455580550f51 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 25 Feb 2016 09:09:35 +0100
Subject: [PATCH] use LDAPS during standalone CA/KRA subsystem deployment

The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.

https://fedorahosted.org/freeipa/ticket/5570
---
 ipaserver/install/cainstance.py | 3 +++
 ipaserver/install/dogtaginstance.py | 6 ++
 ipaserver/install/krainstance.py| 2 ++
 3 files changed, 11 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b72255f1ad2f95c5265a40eddfb1fe413826dba4..d9452016670241f200fa646c8cab1e777291d089 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -480,6 +480,9 @@ class CAInstance(DogtagInstance):
 config.set("CA", "pki_ds_base_dn", self.basedn)
 config.set("CA", "pki_ds_database", "ipaca")
 
+if not self.create_ra_agent_db and not self.clone:
+self._use_ldaps_during_spawn(config)
+
 # Certificate subject DN's
 config.set("CA", "pki_subsystem_subject_dn",
 str(DN(('cn', 'CA Subsystem'), self.subject_base)))
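Review bot: this second patch carries the same `cainstance.py` change as the first, rebased on a different base (the `index` line and the hunk offset `@@ -480,6 +480,9 @@` differ from `@@ -533,6 +533,9 @@` above), so the comment on the first hunk applies here unchanged; since the two submissions are otherwise byte-identical in their commit message, the subject of each should name its target branch so a reviewer can tell which one is meant for which branch.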
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 5c2b28202329240e264e0b0a6149308ee208e8fa..f5e5649f9a7b80ab25c9789b62ea7efcd5662bb6 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -500,3 +500,9 @@ class DogtagInstance(service.Service):
 for group in self.admin_groups: