This patch fixes https://fedorahosted.org/freeipa/ticket/5570 and also
enables CA installation on CA-less master with hardened dirsrv
configuration.
While testing I ran into an issue with the Dogtag restart during KRA
installation [1], which I will try to troubleshoot with the Dogtag developers. You
are welcome to look into it during the review as well; it may be a
misconfiguration on my part.
[1] https://www.redhat.com/archives/pki-devel/2016-February/msg00100.html
--
Martin^3 Babinsky
From 911d3d54a4a1fb1914cc2a727e7c01fb065d8b69 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Thu, 25 Feb 2016 09:09:35 +0100
Subject: [PATCH] use LDAPS during standalone CA/KRA subsystem deployment
The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.
https://fedorahosted.org/freeipa/ticket/5570
---
ipaserver/install/cainstance.py | 3 +++
ipaserver/install/dogtaginstance.py | 6 ++
ipaserver/install/krainstance.py| 2 ++
3 files changed, 11 insertions(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1a98c438786ae7dad208212fff23e3a760c95b3c..3ca4fa8d373ebc3375a9fc75b59969292f0198f0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -533,6 +533,9 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_ds_base_dn", self.basedn)
config.set("CA", "pki_ds_database", "ipaca")
+if not self.create_ra_agent_db and not self.clone:
+self._use_ldaps_during_spawn(config)
+
# Certificate subject DN's
config.set("CA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
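Review bot: The gate `if not self.create_ra_agent_db and not self.clone:` decides when pkispawn talks to DS over LDAPS but carries no comment saying why first-master installs and clones are excluded, and the enclosing method starts before the hunk. Presumably the point is that on a standalone CA install DS already exists with a TLS certificate that can be verified against `paths.IPA_CA_CRT`, whereas on a first master that file does not exist yet and on a replica DS may not be TLS-enabled at this stage — if so, say it: `# Standalone CA on an existing master: DS already has a TLS cert we can verify against the IPA CA, so pin it and use LDAPS; first-master and clone installs keep the plain LDAP port.` Without such a comment the next maintainer cannot tell whether clones are excluded deliberately or by oversight, especially since the KRA path in the same series calls the helper unconditionally.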
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 940b3ea9b13897d7e9e2878a47a8c66ce5ce9f0a..fa93b5069574b5fad824cee764460afb32dbc13e 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -463,3 +463,9 @@ class DogtagInstance(service.Service):
self.log.critical(" %s" % log)
raise RuntimeError("%s configuration failed." % self.subsystem)
+
+def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
+config.set(self.subsystem, "pki_ds_ldaps_port", "636")
+config.set(self.subsystem, "pki_ds_secure_connection", "True")
+config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
+ ds_cacert)
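Review bot: `_use_ldaps_during_spawn` has no docstring, and it is the one place where the trust anchor for the DS TLS connection is set, so its contract should be spelled out: `"""Point the pkispawn descriptor at DS over LDAPS (port 636), verifying the server certificate against *ds_cacert*, which must be the issuer of DS's TLS cert."""`. The port `"636"` is hard-coded while the CA file is a parameter; a `ds_port="636"` keyword alongside `ds_cacert` keeps the two knobs symmetric and lets a caller on a non-default LDAPS port reuse the helper. A caller passing a CA file that did not issue the DS certificate will only fail the TLS handshake inside pkispawn rather than here, which is why the precondition belongs in the docstring. The leading indentation on the added lines appears to have been lost in this copy of the patch; the method must sit inside `DogtagInstance`.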
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 625d84ab3129708cfdaf759cee6c2953b585a822..be2727fb6ed66648c35f9db59ee8729d37e9dc02 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -188,6 +188,8 @@ class KRAInstance(DogtagInstance):
config.set("KRA", "pki_ds_database", "ipaca")
config.set("KRA", "pki_ds_create_new_db", "False")
+self._use_ldaps_during_spawn(config)
+
# Certificate subject DNs
config.set("KRA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
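Review bot: The KRA call `self._use_ldaps_during_spawn(config)` is unconditional, whereas the matching CA change gates it on `not self.create_ra_agent_db and not self.clone`; nothing in the hunk says why the KRA never needs the plain-LDAP fallback, and the enclosing method starts before the hunk. If the reasoning is that a KRA is always deployed after a CA, so `paths.IPA_CA_CRT` exists and DS is already TLS-enabled on every install path including replicas, write it down: `# KRA is always installed after the CA, so the IPA CA cert exists and DS is already TLS-enabled on every path; LDAPS is safe unconditionally.` If that does not hold for the KRA clone path, the install would fail inside pkispawn with a TLS error rather than a clear message, and the same gate as the CA should apply here.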
--
2.5.0
From f4bc04be5cf3c577acb0a3091d70455580550f51 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Thu, 25 Feb 2016 09:09:35 +0100
Subject: [PATCH] use LDAPS during standalone CA/KRA subsystem deployment
The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.
https://fedorahosted.org/freeipa/ticket/5570
---
ipaserver/install/cainstance.py | 3 +++
ipaserver/install/dogtaginstance.py | 6 ++
ipaserver/install/krainstance.py| 2 ++
3 files changed, 11 insertions(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b72255f1ad2f95c5265a40eddfb1fe413826dba4..d9452016670241f200fa646c8cab1e777291d089 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -480,6 +480,9 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_ds_base_dn", self.basedn)
config.set("CA", "pki_ds_database", "ipaca")
+if not self.create_ra_agent_db and not self.clone:
+self._use_ldaps_during_spawn(config)
+
# Certificate subject DN's
config.set("CA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
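Review bot: This second copy of the patch carries the same subject and timestamp as the first but different blob ids and a hunk at `@@ -480` instead of `@@ -533`, so it looks like a rebase of the same change onto another branch; the series does not say which branch each copy targets, and a reviewer cannot tell whether the two are meant to be applied together or alternatively. The gate `if not self.create_ra_agent_db and not self.clone:` is as undocumented here as in the first copy, and the same why-comment belongs on this line, e.g. `# Standalone CA on an existing master: DS already has a TLS cert issued under the IPA CA, so use LDAPS; first-master and clone installs keep plain LDAP.` The enclosing method starts before the hunk.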
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 5c2b28202329240e264e0b0a6149308ee208e8fa..f5e5649f9a7b80ab25c9789b62ea7efcd5662bb6 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -500,3 +500,9 @@ class DogtagInstance(service.Service):
for group in self.admin_groups: