Re: [Freeipa-devel] [PATCH 0108] replica install: improvements in the handling of CA-related IPA config entries

2015-12-04 Thread Martin Basti



On 03.12.2015 17:05, Martin Babinsky wrote:
This patch fixes https://fedorahosted.org/freeipa/ticket/5506 and also 
reorganizes the way CA installer updates IPA default.conf.


Maybe a simpler patch would suffice, but I had a need to improve 
things a bit.


This one is for master branch only. IIRC the situation described in 
#5506 does not occur in domain level 0, however the root cause 
(incorrect forwarding of certmonger requests by CA-less replicas) 
manifests when enrolling a client against CA-less replica and 
requesting host certificate.


Should I open a separate ticket for that?




ACK
Pushed to master: a497288b3eafe00ab9c819dd4a51d0b421824b36


[Freeipa-devel] [PATCH 0108] replica install: improvements in the handling of CA-related IPA config entries

2015-12-03 Thread Martin Babinsky
This patch fixes https://fedorahosted.org/freeipa/ticket/5506 and also 
reorganizes the way CA installer updates IPA default.conf.


Maybe a simpler patch would suffice, but I had a need to improve things 
a bit.


This one is for master branch only. IIRC the situation described in 
#5506 does not occur in domain level 0, however the root cause 
(incorrect forwarding of certmonger requests by CA-less replicas) 
manifests when enrolling a client against CA-less replica and requesting 
host certificate.


Should I open a separate ticket for that?

--
Martin^3 Babinsky
From c67a6c03a4f2ed82aea7e0da03c9e2270eea2d42 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related
 IPA config entries

When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to the nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of the CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by the freshly installed local CA.

https://fedorahosted.org/freeipa/ticket/5506
---
 ipaserver/install/ca.py| 16 
 ipaserver/install/cainstance.py| 19 ++-
 ipaserver/install/server/replicainstall.py |  7 +++
 3 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index fcead1891583c2e495951fbeb733e6eec3b07ccf..1a51ebc8cf994eae70323ee0642bebd746080de2 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -7,8 +7,6 @@ from __future__ import print_function
 import sys
 import os.path
 
-from six.moves.configparser import RawConfigParser
-
 from ipaserver.install import cainstance, dsinstance, bindinstance
 from ipapython import ipautil, certdb
 from ipaplatform import services
@@ -236,20 +234,6 @@ def install_step_1(standalone, replica_config, options):
 if standalone:
 ca.start('pki-tomcat')
 
-# Update config file
-try:
-parser = RawConfigParser()
-parser.read(paths.IPA_DEFAULT_CONF)
-parser.set('global', 'enable_ra', 'True')
-parser.set('global', 'ra_plugin', 'dogtag')
-parser.set('global', 'dogtag_version', '10')
-with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-parser.write(f)
-except IOError as e:
-print("Failed to update /etc/ipa/default.conf")
-root_logger.error(str(e))
-sys.exit(1)
-
 # We need to restart apache as we drop a new config file in there
 services.knownservices.httpd.restart(capture_output=True)
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 65f9e463d39ca1ecf4c42ca22620cf1f2de06880..2ca718a7b6799b7daf825918517a54852746a84f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -41,7 +41,7 @@ import shlex
 import pipes
 
 from six.moves import urllib
-from six.moves.configparser import ConfigParser
+from six.moves.configparser import ConfigParser, RawConfigParser
 
 from ipalib import api
 from ipalib import pkcs10, x509
@@ -429,6 +429,7 @@ class CAInstance(DogtagInstance):
 self.step("importing IPA certificate profiles",
   import_included_profiles)
 self.step("adding default CA ACL", ensure_default_caacl)
+self.step("updating IPA configuration", update_ipa_conf)
 
 self.start_creation(runtime=210)
 
@@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance):
   self.track_servercert)
 self.step("Configure HTTP to proxy connections",
   self.http_proxy)
+self.step("updating IPA configuration", update_ipa_conf)
 self.step("Restart HTTP server to pick up changes",
   self.__restart_http_instance)
 
@@ -1768,6 +1770,21 @@ def ensure_default_caacl():
 api.Backend.ldap2.disconnect()
 
 
+def update_ipa_conf():
+"""
+Update IPA configuration file to ensure that RA plugins are enabled and
+that CA host points to localhost
+"""
+parser = RawConfigParser()
+parser.read(paths.IPA_DEFAULT_CONF)
+parser.set('global', 'enable_ra', 'True')
+parser.set('global', 'ra_plugin', 'dogtag')
+parser.set('global', 'dogtag_version', '10')
+parser.remove_option('global', 'ca_host')
+with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+parser.write(f)
+
+
 if __name__ == "__main__":
 standard_logging_setup("install.log")
 ds = dsinstance.DsInstance()
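Review bot: update_ipa_conf loses the failure handling that the block removed from ca.py had: RawConfigParser.read() silently skips a missing or unreadable paths.IPA_DEFAULT_CONF, so the following parser.set() fails with a NoSectionError that names neither the file nor the cause, and an IOError from the open()/write() now escapes the step without the "Failed to update /etc/ipa/default.conf" diagnostic the old code printed. The rewrite also truncates the live default.conf with open(..., 'w') before parser.write() runs, so an interruption between the two leaves an empty config that every IPA command and the certmonger forwarding this ticket is about will then read; writing to a temporary file in the same directory and renaming it over the original keeps the file consistent at every instant. A rewrite along the lines below does both (it assumes tempfile and shutil are imported in this module next to os; add them if not), and the pkcs10/x509/paths names it uses are the ones already in scope here. The same step is registered in the two hunks above (configure_instance and the replica configuration path), so both benefit from the one fix.

```python
def update_ipa_conf():
    """
    Update IPA configuration file to ensure that RA plugins are enabled and
    that CA host points to localhost.

    The file is replaced atomically via a temporary file in the same
    directory so that an interrupted write never leaves a truncated
    default.conf behind.
    """
    parser = RawConfigParser()
    # read() returns the list of files it could parse; an empty list means
    # the config is missing or unreadable, which must not be silently ignored
    if not parser.read(paths.IPA_DEFAULT_CONF):
        raise RuntimeError("Cannot read %s" % paths.IPA_DEFAULT_CONF)
    # … unchanged: parser.set() calls and remove_option('global', 'ca_host') …
    conf_dir = os.path.dirname(paths.IPA_DEFAULT_CONF)
    with tempfile.NamedTemporaryFile('w', dir=conf_dir, delete=False) as f:
        parser.write(f)
        f.flush()
        os.fsync(f.fileno())
    # keep the original mode bits, then swap the new file into place
    shutil.copymode(paths.IPA_DEFAULT_CONF, f.name)
    os.rename(f.name, paths.IPA_DEFAULT_CONF)
```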
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ec77ab21b1e4969bdcd8d9e588eed7b97e3a9079..d2b03431ee68c41b750fac33c3cf954d4bb5892e 100644
--- a/ipaserver/install/server/replicainstall.py
+++