Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-09-07 Thread Jan Cholasta

On 7.9.2015 07:32, Jan Cholasta wrote:

On 4.9.2015 16:53, Petr Vobornik wrote:

On 09/04/2015 04:03 PM, Endi Sukma Dewata wrote:

On 9/4/2015 6:35 AM, Martin Basti wrote:



On 09/02/2015 06:42 AM, Endi Sukma Dewata wrote:

On 9/1/2015 1:52 AM, Martin Basti wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of
ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the
connection check is not necessary (it is a new instance of ldap2, so
.isconnected() will always return False).



It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a
conflict?

Sorry, my bad.

Martin^2



3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'),
self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.


New patch attached.


ACK, but IMO that comment is not necessary and I would like to push the
patch without it.

Martin^2


It is necessary if we don't want people to use it. Otherwise someone
could make the same mistake. Or better yet, just remove the method.



+
+NOTE: Do not use this method.

I agree that the comment should not be in this patch - it is not
relevant to vaults.

The comment or a removal of the method (if it is really useless) should
be in a different patch. If a comment is the way, then please also add why
it should not be used.


The method was intended to be used with frontend objects, but they never
happened in IPA, so it was left unused (instead we have no clean
interface between frontend and backend and call backend-specific methods
ad-hoc, what a great design /sarcasm). I personally would like to revive
the concept, so I would not remove the methods. I don't think a comment
is necessary either, because up until now, nobody tried to use the method.



Pushed to:
master: 72cfcfa0bd1e867537fcc788512e5fca20708b83
ipa-4-2: 3973da56d334040d9fee88d52c38265066debd56

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-09-06 Thread Jan Cholasta

On 4.9.2015 16:53, Petr Vobornik wrote:

On 09/04/2015 04:03 PM, Endi Sukma Dewata wrote:

On 9/4/2015 6:35 AM, Martin Basti wrote:



On 09/02/2015 06:42 AM, Endi Sukma Dewata wrote:

On 9/1/2015 1:52 AM, Martin Basti wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of
ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the
connection check is not necessary (it is a new instance of ldap2, so
.isconnected() will always return False).



It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a
conflict?

Sorry, my bad.

Martin^2



3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'),
self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.


New patch attached.


ACK, but IMO that comment is not necessary and I would like to push the
patch without it.

Martin^2


It is necessary if we don't want people to use it. Otherwise someone
could make the same mistake. Or better yet, just remove the method.



+
+NOTE: Do not use this method.

I agree that the comment should not be in this patch - it is not
relevant to vaults.

The comment or a removal of the method (if it is really useless) should
be in a different patch. If a comment is the way, then please also add why
it should not be used.


The method was intended to be used with frontend objects, but they never 
happened in IPA, so it was left unused (instead we have no clean 
interface between frontend and backend and call backend-specific methods 
ad-hoc, what a great design /sarcasm). I personally would like to revive 
the concept, so I would not remove the methods. I don't think a comment 
is necessary either, because up until now, nobody tried to use the method.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-09-04 Thread Petr Vobornik

On 09/04/2015 04:03 PM, Endi Sukma Dewata wrote:

On 9/4/2015 6:35 AM, Martin Basti wrote:



On 09/02/2015 06:42 AM, Endi Sukma Dewata wrote:

On 9/1/2015 1:52 AM, Martin Basti wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of
ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the
connection check is not necessary (it is a new instance of ldap2, so
.isconnected() will always return False).



It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a
conflict?

Sorry, my bad.

Martin^2



3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'),
self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.


New patch attached.


ACK, but IMO that comment is not necessary and I would like to push the
patch without it.

Martin^2


It is necessary if we don't want people to use it. Otherwise someone
could make the same mistake. Or better yet, just remove the method.



+
+NOTE: Do not use this method.

I agree that the comment should not be in this patch - it is not 
relevant to vaults.


The comment or a removal of the method (if it is really useless) should
be in a different patch. If a comment is the way, then please also add why
it should not be used.

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-09-04 Thread Endi Sukma Dewata

On 9/4/2015 6:35 AM, Martin Basti wrote:



On 09/02/2015 06:42 AM, Endi Sukma Dewata wrote:

On 9/1/2015 1:52 AM, Martin Basti wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of
ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the
connection check is not necessary (it is a new instance of ldap2, so
.isconnected() will always return False).



It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a
conflict?

Sorry, my bad.

Martin^2



3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'),
self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.


New patch attached.


ACK, but IMO that comment is not necessary and I would like to push the
patch without it.

Martin^2


It is necessary if we don't want people to use it. Otherwise someone 
could make the same mistake. Or better yet, just remove the method.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-09-04 Thread Martin Basti



On 09/02/2015 06:42 AM, Endi Sukma Dewata wrote:

On 9/1/2015 1:52 AM, Martin Basti wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of
ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the
connection check is not necessary (it is a new instance of ldap2, so
.isconnected() will always return False).



It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a 
conflict?

Sorry, my bad.

Martin^2



3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'), 
self.basedn)

+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.


New patch attached.

ACK, but IMO that comment is not necessary and I would like to push the
patch without it.


Martin^2



Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-09-01 Thread Endi Sukma Dewata

On 9/1/2015 1:52 AM, Martin Basti wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the
connection check is not necessary (it is a new instance of ldap2, so
.isconnected() will always return False).



It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a conflict?

Sorry, my bad.

Martin^2



3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.


New patch attached.

--
Endi S. Dewata
From e03882e89d2acdb23fe289d59dd2db04662bf051 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 27 Aug 2015 06:44:29 +0200
Subject: [PATCH] Using LDAPI to setup CA and KRA agents.

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257
---
 ipaplatform/base/paths.py|   2 -
 ipaserver/install/cainstance.py  |  49 ++---
 ipaserver/install/krainstance.py | 113 +++
 ipaserver/plugins/ldap2.py   |   2 +
 4 files changed, 74 insertions(+), 92 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 
5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931..0dd3c7fda3020264a1ace8f2d13557cfddf18c2d
 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -343,8 +343,6 @@ class BasePathNamespace(object):
 SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
 ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
 ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
-KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
-KRA_PKCS12_PASSWORD_FILE = 
"/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
 ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
 LDIF2DB = '/usr/sbin/ldif2db'
 DB2LDIF = '/usr/sbin/db2ldif'
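Review bot: the commit message says the CA admin certificate is no longer needed, yet `ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'` stays in this hunk while only the two KRA password-file constants are dropped; either it is still referenced elsewhere (then say so in the commit message) or it should be removed together with them. Please also confirm that nothing outside the files in the diffstat still reads `paths.KRA_NSSDB_PASSWORD_FILE` or `paths.KRA_PKCS12_PASSWORD_FILE`, since a removed namespace attribute only fails at runtime with an AttributeError.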
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
6f565dd14a1ce3f22bf1d033eed364dc4b87281b..85ce6cba59442fe934cc96f4983b21c16d9ea8de
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -466,7 +466,7 @@ class CAInstance(DogtagInstance):
 self.step("restarting certificate server", 
self.restart_instance)
 self.step("requesting RA certificate from CA", 
self.__request_ra_certificate)
 self.step("issuing RA agent certificate", self.__issue_ra_cert)
-self.step("adding RA agent as a trusted user", 
self.__configure_ra)
+self.step("adding RA agent as a trusted user", 
self.__create_ca_agent)
 self.step("authorizing RA to modify profiles", 
self.__configure_profiles_acl)
 self.step("configure certmonger for renewals", 
self.configure_certmonger_renewal)
 self.step("configure certificate renewals", self.configure_renewal)
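Review bot: the method is renamed from `__configure_ra` to `__create_ca_agent`, but the step label "adding RA agent as a trusted user" is unchanged; keep the label in step with the new name and docstring (e.g. "creating CA agent") so the install log matches the code. Since `__configure_ra` is a name-mangled private method, please check that this step registration was its only caller; any other reference would have to be updated in the same patch.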
@@ -905,18 +905,26 @@ class CAInstance(DogtagInstance):
 
 self.configure_agent_renewal()
 
-def __configure_ra(self):
-# Create an RA user in the CA LDAP server and add that user to
-# the appropriate groups so it can issue certificates without
-# manual intervention.
-conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
-conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+def __create_ca_agent(self):
+"""
+Create CA agent, assign a certificate, and add the user to
+the appropriate groups for accessing CA services.
+"""
 
-decoded = base64.b64decode(self.ra_cert)
+# get ipaCert certificate
+cert_data = base64.b64decode(self.ra_cert)
+cert = x509.load_certif
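Review bot: the removed comment explained why the entry is created (an RA user that can issue certificates without manual intervention); the new docstring in `__create_ca_agent` says what is created but not why, so carry that sentence over into the docstring. Only the lines visible above are reviewed here, as this copy of the hunk is cut off after `cert = x509.load_certif`.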

Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-08-31 Thread Martin Basti



On 09/01/2015 07:06 AM, Jan Cholasta wrote:

On 31.8.2015 22:15, Endi Sukma Dewata wrote:

On 8/31/2015 6:18 AM, Martin Basti wrote:



On 08/27/2015 09:41 PM, Endi Sukma Dewata wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the 
connection check is not necessary (it is a new instance of ldap2, so 
.isconnected() will always return False).




It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a conflict?

Sorry, my bad.

Martin^2



3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.








Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-08-31 Thread Jan Cholasta

On 31.8.2015 22:15, Endi Sukma Dewata wrote:

On 8/31/2015 6:18 AM, Martin Basti wrote:



On 08/27/2015 09:41 PM, Endi Sukma Dewata wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


Why would you want to do that? The original code is fine, except the 
connection check is not necessary (it is a new instance of ldap2, so 
.isconnected() will always return False).




It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable


2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a conflict?


3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in
ipaserver/plugins/ldap2.py, which calls add_entry().


NACK. We don't use ldap2.create(). Use add_entry().



So my original patch still stands.




--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-08-31 Thread Endi Sukma Dewata

On 8/31/2015 6:18 AM, Martin Basti wrote:



On 08/27/2015 09:41 PM, Endi Sukma Dewata wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


It's actually isconnected() instead of is_connected(), but even so, the
proposed code doesn't work:

ipa.ipapython.install.cli.install_tool(Server): DEBUG The
ipa-server-install command failed, exception: TypeError: 'ldap2' object
is not callable
ipa.ipapython.install.cli.install_tool(Server): ERROR 'ldap2' object
is not callable



2) Patch needs rebase to master branch.


The original patch does apply cleanly to master. Did you see a conflict?


3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.


It's actually calling the ldap2.create() defined in 
ipaserver/plugins/ldap2.py, which calls add_entry().


So my original patch still stands.

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-08-31 Thread Martin Basti



On 08/27/2015 09:41 PM, Endi Sukma Dewata wrote:

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257





Thank you.

1) Can you use the following code instead of a direct call of ldap2.ldap2()?

if not api.Backend.ldap2.is_connected():
    api.Backend.ldap2.connect(autobind=True)

conn = api.Backend.ldap2


2) Patch needs rebase to master branch.


3)
+user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+conn.create(
+dn=user_dn,

Can you use add_entry() instead of create()? We don't use native
python-ldap, but rather ipaldap methods.




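The patch attached to the original post below reaches the CA's 389-ds instance over its UNIX socket with an `ldapi://` URI in which the socket path is percent-encoded (`ldapi://%2fvar%2frun%2fslapd-<serverid>.socket`). The following Python example was added for this page and is not FreeIPA code; it shows how such a URI is built from the socket path template visible in the paths.py hunk, why the patch's format string writes `%%`, and how to decode the URI back to the socket path so the two spellings can be compared. The realm-to-server-id mapping, `is_ldapi_uri` and `socket_path_from_ldapi_uri` are assumptions made here for illustration, not FreeIPA APIs.

```python
"""LDAPI URI construction and decoding for a 389-ds instance socket.

Added example for this thread, not FreeIPA code. Assumption (labelled):
realm_to_serverid() mirrors the FreeIPA convention of replacing each '.'
in the realm with '-' (EXAMPLE.COM -> EXAMPLE-COM).
"""
from urllib.parse import quote, unquote, urlsplit

# Socket path template as it appears in ipaplatform/base/paths.py in the diff.
SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"


def realm_to_serverid(realm):
    """Assumed mapping of a Kerberos realm to the 389-ds instance name."""
    return "-".join(realm.split("."))


def ldapi_uri_for_socket(socket_path):
    """Encode a UNIX socket path as an LDAPI URI.

    The path occupies the authority part of the URI, so every '/' has to be
    percent-encoded; an unencoded path would be parsed as an empty host
    followed by a URL path, which is not a socket.
    """
    return "ldapi://" + quote(socket_path, safe="")


def ldapi_uri_for_realm(realm):
    """Socket template + server id -> percent-encoded LDAPI URI."""
    socket_path = SLAPD_INSTANCE_SOCKET_TEMPLATE % realm_to_serverid(realm)
    return ldapi_uri_for_socket(socket_path)


def patch_style_uri(server_id):
    """The exact expression used in the patch.

    '%%' survives %-formatting as a single '%', so the result carries the
    lowercase '%2f' escapes literally; only the server id is substituted.
    """
    return 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id


def socket_path_from_ldapi_uri(uri):
    """Decode an LDAPI URI back to its socket path.

    Rejects other schemes and URIs whose path was not percent-encoded
    (those parse with an empty authority and a non-empty path).
    """
    parts = urlsplit(uri)
    if parts.scheme != "ldapi" or parts.path or not parts.netloc:
        raise ValueError("not a well-formed LDAPI URI: %r" % uri)
    return unquote(parts.netloc)


def is_ldapi_uri(uri):
    """True if socket_path_from_ldapi_uri() accepts the URI."""
    try:
        socket_path_from_ldapi_uri(uri)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample realm, not taken from the page.
    realm = "EXAMPLE.COM"
    built = ldapi_uri_for_realm(realm)
    from_patch = patch_style_uri(realm_to_serverid(realm))
    print(built)
    print(from_patch)
    # Different escape case, same socket once decoded.
    print(socket_path_from_ldapi_uri(built) == socket_path_from_ldapi_uri(from_patch))
```

The check in `socket_path_from_ldapi_uri` is the one worth keeping in mind when reviewing code that builds such URIs: `ldapi:///var/run/slapd-X.socket` (forgotten encoding) looks plausible but has an empty authority, and a client handed that string will not reach the instance the installer meant.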

[Freeipa-devel] [PATCH] 377 Using LDAPI to setup CA and KRA agents.

2015-08-27 Thread Endi Sukma Dewata

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257

--
Endi S. Dewata
From 45af6d4f9a8ebc9bbd2856d7bf3af48520996dad Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 27 Aug 2015 06:44:29 +0200
Subject: [PATCH] Using LDAPI to setup CA and KRA agents.

The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257
---
 ipaplatform/base/paths.py|   2 -
 ipaserver/install/cainstance.py  |  49 ++---
 ipaserver/install/krainstance.py | 113 +++
 3 files changed, 72 insertions(+), 92 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 
5c8f25d6ef85fab2b9b30a660cd1c0360dbe9931..0dd3c7fda3020264a1ace8f2d13557cfddf18c2d
 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -343,8 +343,6 @@ class BasePathNamespace(object):
 SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
 ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
 ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
-KRA_NSSDB_PASSWORD_FILE = "/root/.dogtag/pki-tomcat/kra/password.conf"
-KRA_PKCS12_PASSWORD_FILE = 
"/root/.dogtag/pki-tomcat/kra/pkcs12_password.conf"
 ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
 LDIF2DB = '/usr/sbin/ldif2db'
 DB2LDIF = '/usr/sbin/db2ldif'
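Review bot: dropping `KRA_NSSDB_PASSWORD_FILE` and `KRA_PKCS12_PASSWORD_FILE` here is only safe if the krainstance.py change (listed in the diffstat but not shown above) removes every use of these two paths; a leftover `paths.KRA_NSSDB_PASSWORD_FILE` reference would fail only at runtime with an AttributeError, so please grep for both names. `ADMIN_CERT_PATH` is kept although the commit message says the CA admin certificate is no longer required; if it is still used elsewhere, a line in the commit message saying so would avoid the question.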
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
ecd9300036353426097d929918be974cbbb5c69d..bec39419363f1ade0130465d3b70e1c5540b6006
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -904,17 +904,26 @@ class CAInstance(DogtagInstance):
 self.configure_agent_renewal()
 
 def __configure_ra(self):
-# Create an RA user in the CA LDAP server and add that user to
-# the appropriate groups so it can issue certificates without
-# manual intervention.
-conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
-conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+"""
+Create CA agent, assign a certificate, and add the user to
+the appropriate groups for accessing CA services.
+"""
 
-decoded = base64.b64decode(self.ra_cert)
+# get ipaCert certificate
+cert_data = base64.b64decode(self.ra_cert)
+cert = x509.load_certificate(cert_data, x509.DER)
 
-entry_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
-entry = conn.make_entry(
-entry_dn,
+# connect to CA database
+server_id = installutils.realm_to_serverid(api.env.realm)
+dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+if not conn.isconnected():
+conn.connect(autobind=True)
+
+# create ipara user with ipaCert certificate
+user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+conn.create(
+dn=user_dn,
 objectClass=['top', 'person', 'organizationalPerson',
  'inetOrgPerson', 'cmsuser'],
 uid=["ipara"],
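Review bot: `conn.create(dn=user_dn, ...)` at the end of this hunk should be replaced by the `conn.make_entry(...)` / `conn.add_entry(entry)` pair that the removed lines used; as discussed in the thread, `ldap2.create()` is not the interface installer code is meant to call. Two smaller points in the same hunk: `if not conn.isconnected():` is always true for the `ldap2` instance constructed on the line above, so the guard can go and `conn.connect(autobind=True)` can be called directly; and `'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id` hardcodes the socket path that `SLAPD_INSTANCE_SOCKET_TEMPLATE` in the paths.py hunk above already defines, so build the URI from that constant to keep a single source of truth. The direction of the change is right from a credential-handling standpoint: with `autobind=True` over the UNIX socket the server identifies the root caller itself, so the installer no longer has to hold or pass the Directory Manager password that the removed `do_simple_bind` line required.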
@@ -922,23 +931,23 @@ class CAInstance(DogtagInstance):
 cn=["ipara"],
 usertype=["agentType"],
 userstate=["1"],
-userCertificate=[decoded],
+userCertificate=[cert_data],
 description=['2;%s;%s;%s' % (
-str(self.requestId),
+cert.serial_number,
 DN(('CN', 'Certificate Authority'), self.subject_base),
 DN(('CN', 'IPA RA'), self.subject_base))])
 
-conn.add_entry(entry)
+# add ipara user to Certificate Manager Agents group
+group_dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'),
+self.basedn)
+conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), 
self.basedn)
-modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
-conn.modify_s(dn, modlist)
+# add ipara user to Registration Manager Agents group
+group_dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'),
+self.basedn)
+conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), 
self.basedn)
-modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
-conn.modify_s(dn, modlist)
-
-conn.unbind()
+conn.disconnect()
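Review bot: `conn.disconnect()` on the last line runs only on the success path; if either `add_entry_to_group` call raises, the LDAPI connection is left open. Put the entry creation and both group additions in a `try:` block with `finally: conn.disconnect()`. Also, the description attribute changes from `str(self.requestId)` to `cert.serial_number`, so the value stored in the agent entry moves from the request ID to the certificate serial; that is a behaviour change worth one line in the commit message.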