Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-11-23 Thread Petr Viktorin

Since this branch became somewhat unwieldy, here's a quick summary.

Patches are pushed to master (1d3ddef~..bef251a).
Martin's patch was also pushed to 3.0 (83d2822) and 2.2 (18b873c).
This fixes ipa-replica-manage to only manage the IPA agreements, not the 
PKI ones.


There is an outstanding issue: SELinux prevents connecting to the old 
PKI DS port (7389), preventing CA replicas to old masters.

https://bugzilla.redhat.com/show_bug.cgi?id=879516
Please test in permissive mode until it's fixed.

--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-11-23 Thread Martin Kosek
On 11/23/2012 01:44 PM, Petr Viktorin wrote:
 Since this branch became somewhat unwieldy, here's a quick summary.
 
 Patches are pushed to master (1d3ddef~..bef251a).
 Martin's patch was also pushed to 3.0 (83d2822) and 2.2 (18b873c).
 This fixes ipa-replica-manage to only manage the IPA agreements, not the PKI 
 ones.
 
 There is an outstanding issue: SELinux prevents connecting to the old PKI DS
 port (7389), preventing CA replicas to old masters.
 https://bugzilla.redhat.com/show_bug.cgi?id=879516
 Please test in permissive mode until it's fixed.

Small addendum: permissive mode is needed only for replicas with a CA, where the
remote master has a separate LDAP instance for Dogtag. A network of IPA 3.1
replicas should work with SELinux enforcing.

Martin



Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-11-08 Thread Rob Crittenden

Petr Viktorin wrote:

On 11/01/2012 06:34 PM, Petr Viktorin wrote:

On 11/01/2012 06:33 PM, Petr Viktorin wrote:

On 10/29/2012 04:48 PM, Petr Viktorin wrote:

On 10/26/2012 02:25 PM, Petr Viktorin wrote:

On 10/26/2012 02:20 PM, Petr Viktorin wrote:

Attached are this thread's patches rebased and squashed into one.





Dogtag recently changed the defaults it uses for pkispawn: we need to
set pki_admin_name, pki_admin_uid, pki_security_domain_user to
admin to retain current behavior. Attaching updated patch that does this.


This may not be a new problem specific to this, I'm not sure yet, but 
uninstall doesn't untrack all the certificates in the new tomcat 
directory. It also seems to miss the ipaCert alias in httpd (my 
post-install check caught only this one).


It may also be helpful to combine all the required patches up to this 
point into a single post, sort of a "we're ready for broader testing" 
checkpoint. Sifting through this long thread finding all the various 
patches was tedious. I sure wouldn't want to actually push what I culled 
because I'm not 100% sure I got them all.


Otherwise a single master install went well and the CA renewal code 
works. Will continue upgrade and replication testing.


rob



Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-11-07 Thread Petr Viktorin

On 11/01/2012 06:34 PM, Petr Viktorin wrote:

On 11/01/2012 06:33 PM, Petr Viktorin wrote:

On 10/29/2012 04:48 PM, Petr Viktorin wrote:

On 10/26/2012 02:25 PM, Petr Viktorin wrote:

On 10/26/2012 02:20 PM, Petr Viktorin wrote:

Attached are this thread's patches rebased and squashed into one.





Dogtag recently changed the defaults it uses for pkispawn: we need to 
set pki_admin_name, pki_admin_uid, pki_security_domain_user to 
admin to retain current behavior. Attaching updated patch that does this.


--
Petr³
From 4f0f5142ff6f82f5b87cef1f85ec9a9b7548b49e Mon Sep 17 00:00:00 2001
From: Ade Lee a...@redhat.com
Date: Wed, 19 Sep 2012 23:35:42 -0400
Subject: [PATCH] Changes to use a single database for dogtag and IPA

New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
---
 freeipa.spec.in |6 +-
 install/share/certmap.conf.template |   19 ---
 install/tools/ipa-ca-install|   23 ++-
 install/tools/ipa-csreplica-manage  |2 +-
 install/tools/ipa-replica-conncheck |   21 +++
 install/tools/ipa-replica-install   |   29 +++--
 install/tools/ipa-replica-prepare   |8 ++-
 install/tools/ipa-server-install|   91 +-
 install/tools/ipactl|6 ++-
 ipapython/dogtag.py |   12 -
 ipaserver/install/cainstance.py |  108 +-
 ipaserver/install/dsinstance.py |   14 +++-
 ipaserver/install/installutils.py   |7 ++-
 ipaserver/install/replication.py|   18 +++---
 14 files changed, 256 insertions(+), 108 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 90f78905a30ac3b0f0372a5a744d7669020a8df7..bff3711e7ae98d46f470fd815ad41af4e778170b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -149,9 +149,9 @@ Requires: selinux-policy = 3.9.7-27
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.40
-Requires: pki-ca = 9.0.18
-Requires: pki-silent = 9.0.18
-Requires: pki-setup  = 9.0.18
+Requires: pki-ca = 10.0.0-0.34
+Requires: pki-silent = 10.0.0-0.34
+Requires: pki-server = 10.0.0-0.34
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
 %if 0%{?fedora} = 18
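Review bot: the dependency bump replaces pki-setup with pki-server but keeps pki-silent at the same 10.0.0-0.34 floor; since the commit message says new instances are created through pkispawn (provided by pki-server), please confirm that pki-silent is still shipped for Dogtag 10 and still called anywhere in the installer, otherwise drop that Requires line too so the spec does not pin a package the code no longer uses.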
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 676d3ef354c9dae4dce8c4682176e656088991b2..40b4e6cb1513bed586248e0c214730861b9715cf 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -71,12 +71,15 @@
 #	attr names- a comma separated list of attributes to form the filter
 #
 
-certmap default		default
+certmap default default
 #default:DNComps
-#default:FilterComps	e, uid
-#default:verifycert	on
-#default:CmapLdapAttr	certSubjectDN
-#default:library	path_to_shared_lib_or_dll
-#default:InitFn		Init function's name
-default:DNComps		
-default:FilterComps	uid
+#default:FilterCompse, uid
+#default:verifycert on
+#default:CmapLdapAttr   certSubjectDN
+#default:librarypath_to_shared_lib_or_dll
+#default:InitFn Init function's name
+default:DNComps
+default:FilterComps uid
+certmap ipaca   CN=Certificate Authority,O=domain_name
+ipaca:CmapLdapAttr  seeAlso
+ipaca:verifycerton
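Review bot: the functional change here is the three new `ipaca` lines at the bottom, but the hunk also rewrites every existing commented `default:` line (tabs to spaces), which buries the real change; keep the original whitespace or move the reformat into its own commit. On the new mapping itself: `ipaca:verifycert on` is the right choice, because 389 DS will then require the presented client certificate to also be stored in the mapped entry's userCertificate attribute, and `ipaca:CmapLdapAttr seeAlso` means the lookup matches on a `seeAlso` value equal to the certificate subject DN, so the install code must write exactly `CN=Certificate Authority,O=<realm>` into the ipaca user's seeAlso, in the same form the `domain_name` placeholder is substituted with.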
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1c1b96a91fbbef455a68b158cc0191b91f2232f9..df3aebc111069d2d164fee6336182089c09a7195 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -142,17 +142,32 @@ def main():
 config.dir = dir
 config.setup_ca = True
 
+portfile = config.dir + /dogtag_directory_port.txt
+if not ipautil.file_exists(portfile):
+dogtag_master_ds_port = 7389
+else:
+with open(portfile) as fd:
+dogtag_master_ds_port = fd.read()
+
 if not options.skip_conncheck:
-replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password)
+replica_conn_check(
+config.master_host_name, config.host_name, config.realm_name, True,
+dogtag_master_ds_port, options.admin_password)
 
 # Configure the CA if necessary
-(CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
+(CA, cs) = cainstance.install_replica_ca(
+config, dogtag_master_ds_port, postinstall=True)
 
 # We need to ldap_enable the CA now that DS is up and running
 CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
-cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, 
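Review bot: `dogtag_master_ds_port = fd.read()` yields a string (with a trailing newline if the replica file was written with one) while the fallback branch assigns the int 7389, so replica_conn_check and install_replica_ca receive a different type depending on which branch ran; use `int(fd.read().strip())` and let a ValueError on a corrupted replica package fail early with a clear message. The path `config.dir + /dogtag_directory_port.txt` should also go through os.path.join, as the other file references in this tool do.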

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-11-01 Thread Petr Viktorin

On 10/29/2012 04:48 PM, Petr Viktorin wrote:

On 10/26/2012 02:25 PM, Petr Viktorin wrote:

On 10/26/2012 02:20 PM, Petr Viktorin wrote:

Attached are this thread's patches rebased and squashed into one.



... and here is a patch to address replication problems related to
merging the schemata of the IPA and CA databases. See the commit message
for details.

https://fedorahosted.org/freeipa/ticket/3213



With the previous patch, if an old split-database DT9 CA was installed,
ipa-ca-install didn't detect this, started installing another CA, and
then failed a bit later in the process.

I've added a check for this to the patch.




Two more modifications are needed to support installing a CA on an old 
replica. See commit messages for details. Here is the first one.



--
Petr³
From f9afe21a6389a97bc642522f2217a995e1a2ecec Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 31 Oct 2012 10:37:33 -0400
Subject: [PATCH] Use correct Dogtag configuration in get_pin and
 get_ca_certchain

Some install utilities used Dogtag configuration before Dogtag
was configured. Fix by passing the relevant dogtag_constants
where they're needed.
---
 ipapython/certmonger.py |6 --
 ipapython/dogtag.py |6 --
 ipaserver/install/cainstance.py |   26 +-
 3 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 9cc4466c61108a863eb76b1ff67bef559a9228d0..445165dfb9498e7f3ffe682a7489158246bf1514 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -332,13 +332,15 @@ def remove_principal_from_cas():
 fp.close()
 
 # Routines specific to renewing dogtag CA certificates
-def get_pin(token):
+def get_pin(token, dogtag_constants=None):
 
 Dogtag stores its NSS pin in a file formatted as token:PIN.
 
 The caller is expected to handle any exceptions raised.
 
-with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
+if dogtag_constants is None:
+dogtag_constants = dogtag.configured_constants()
+with open(dogtag_constants.PASSWORD_CONF_PATH, 'r') as f:
 for line in f:
 (tok, pin) = line.split('=', 1)
 if token == tok:
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 067a66afbcca805c1a967bc85d2da89f317d4f50..1b428d20e7eb80225470449eece88c6d6fc01989 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -149,15 +149,17 @@ def error_from_xml(doc, message_template):
 return errors.RemoteRetrieveError(reason=message_template % e)
 
 
-def get_ca_certchain(ca_host=None):
+def get_ca_certchain(ca_host=None, dogtag_constants=None):
 
 Retrieve the CA Certificate chain from the configured Dogtag server.
 
 if ca_host is None:
 ca_host = api.env.ca_host
+if dogtag_constants is None:
+dogtag_constants = configured_constants()
 chain = None
 conn = httplib.HTTPConnection(ca_host,
-api.env.ca_install_port or configured_constants().UNSECURE_PORT)
+api.env.ca_install_port or dogtag_constants.UNSECURE_PORT)
 conn.request(GET, /ca/ee/ca/getCertChain)
 res = conn.getresponse()
 doc = None
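Review bot: the new `dogtag_constants` parameter is only used to pick `UNSECURE_PORT`, and the chain is still fetched over a plain `httplib.HTTPConnection`; that is acceptable while the target is the local installer's own CA (ca_host defaults to api.env.ca_host), but the docstring should say that the retrieved chain is not authenticated by the transport, so nobody later reuses this helper to fetch a trust anchor from a remote host.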
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 83752579dab0ad9075b93047b8b9a7699f967405..10c68fb754e7521da3d5632a13f51140c81f510c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1087,7 +1087,8 @@ class CAInstance(service.Service):
 
 def __get_ca_chain(self):
 try:
-return dogtag.get_ca_certchain(ca_host=self.fqdn)
+return dogtag.get_ca_certchain(ca_host=self.fqdn,
+dogtag_constants=self.dogtag_constants)
 except Exception, e:
 raise RuntimeError(Unable to retrieve CA chain: %s % str(e))
 
@@ -1383,11 +1384,16 @@ class CAInstance(service.Service):
 with open(HTTPD_CONFD + ipa-pki-proxy.conf, w) as fd:
 fd.write(template)
 
+def __get_ca_pin(self):
+try:
+return certmonger.get_pin('internal',
+dogtag_constants=self.dogtag_constants)
+except IOError, e:
+raise RuntimeError(
+'Unable to determine PIN for CA instance: %s' % str(e))
+
 def track_servercert(self):
-try:
-pin = certmonger.get_pin('internal')
-except IOError, e:
-raise RuntimeError('Unable to determine PIN for CA instance: %s' % str(e))
+pin = self.__get_ca_pin()
 certmonger.dogtag_start_tracking(
 'dogtag-ipa-renew-agent', 'Server-Cert cert-pki-ca', pin, None,
 self.dogtag_constants.ALIAS_DIR,
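Review bot: `__get_ca_pin` keeps the narrow `except IOError` from the old inline code, but certmonger.get_pin (see the certmonger.py hunk above) unpacks `line.split('=', 1)` into two names, so a malformed or blank line in password.conf raises ValueError, which would now escape both call sites as a bare traceback; catch `(IOError, ValueError)` here so the "Unable to determine PIN" message covers that case too.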
@@ -1399,10 +1405,7 @@ class CAInstance(service.Service):
 ipaservices.knownservices.messagebus.start()
 cmonger.start()
 
-try:
-pin = certmonger.get_pin('internal')
-except IOError, e:
-raise 

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-11-01 Thread Petr Viktorin

On 11/01/2012 06:33 PM, Petr Viktorin wrote:

On 10/29/2012 04:48 PM, Petr Viktorin wrote:

On 10/26/2012 02:25 PM, Petr Viktorin wrote:

On 10/26/2012 02:20 PM, Petr Viktorin wrote:

Attached are this thread's patches rebased and squashed into one.



... and here is a patch to address replication problems related to
merging the schemata of the IPA and CA databases. See the commit message
for details.

https://fedorahosted.org/freeipa/ticket/3213



With the previous patch, if an old split-database DT9 CA was installed,
ipa-ca-install didn't detect this, started installing another CA, and
then failed a bit later in the process.

I've added a check for this to the patch.




Two more modifications are needed to support installing a CA on an old
replica. See commit messages for details. Here is the first one.


...and the second.


--
Petr³
From 97957f8a958b3e7cb311f1e915cbf4b41d260faf Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 1 Nov 2012 12:16:25 -0400
Subject: [PATCH] Update certmap.conf on IPA upgrades

This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.

This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
---
 install/share/certmap.conf.template |6 +-
 install/tools/ipa-upgradeconfig |   17 -
 ipaserver/install/dsinstance.py |2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 40b4e6cb1513bed586248e0c214730861b9715cf..cff3a669b8946223b62e4fda00dbfa21d98245cd 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -1,4 +1,8 @@
+# VERSION 1 - DO NOT REMOVE THIS LINE
 #
+# This file is managed by IPA and will be overwritten on upgrades.
+
+
 # BEGIN COPYRIGHT BLOCK
 # This Program is free software; you can redistribute it and/or modify it under
 # the terms of the GNU General Public License as published by the Free Software
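Review bot: the "managed by IPA" banner is inserted between the first `#` line and the copyright block and followed by two blank lines, which splits the existing header; put it directly under the VERSION line and keep the copyright block contiguous. The VERSION line itself is fine for the `^[\s#]*VERSION\s+([0-9]+)\s+.*` pattern in ipa-upgradeconfig, since the ` - DO NOT REMOVE` suffix supplies the trailing whitespace that pattern requires.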
@@ -80,6 +84,6 @@ certmap default default
 #default:InitFn Init function's name
 default:DNComps
 default:FilterComps uid
-certmap ipaca   CN=Certificate Authority,O=domain_name
+certmap ipaca   CN=Certificate Authority,O=$REALM
 ipaca:CmapLdapAttr  seeAlso
 ipaca:verifycerton
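Review bot: switching the placeholder from `domain_name` to `$REALM` makes the template consistent with the other upgrade()-managed files, but it also changes what the fresh-install path must do: the `installutils.update_file(..., 'domain_name', self.realm_name)` call in the dsinstance.py hunk of this same patch no longer matches anything in the template, so that code has to render the file through the same substitution dictionary (with REALM set) that ipa-upgradeconfig uses; the dsinstance.py hunk is cut off on this page, so please confirm the replacement is complete.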
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 14d4e0829162ab78665f794c582e704b5901ea41..12e96cfb77786a5ff503975d05876f56c8876111 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -153,7 +153,11 @@ def find_autoredirect(fqdn):
 return True
 
 def find_version(filename):
-Find the version of a configuration file
+Find the version of a configuration file
+
+If no VERSION entry exists in the file, returns 0.
+If the file does not exist, returns -1.
+
 if os.path.exists(filename):
 pattern = ^[\s#]*VERSION\s+([0-9]+)\s+.*
 p = re.compile(pattern)
@@ -185,6 +189,12 @@ def upgrade(sub_dict, filename, template, add=False):
 if new  0:
 root_logger.error(%s not found. % template)
 
+if old == 0:
+# The original file does not have a VERSION entry. This means it's now
+# managed by IPA, but previously was not.
+root_logger.warning(%s is now managed by IPA. It will be 
+overwritten. A backup of the original will be made., filename)
+
 if old  new or (add and old == 0):
 backup_file(filename, new)
 update_conf(sub_dict, filename, template)
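Review bot: when the template is missing (`new < 0`) the code logs an error but falls through, so the new `old == 0` branch then warns that the file "will be overwritten" even though `old < new` is false and nothing is changed; return (or raise) right after the "not found" error so the warning, backup and overwrite only run when an upgrade is actually going to happen. Otherwise the warning is accurate, and its promise of a backup is kept by backup_file() in the block below.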
@@ -626,9 +636,14 @@ def main():
  '=')
 sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
 
+certmap_dir = dsinstance.config_dirname(
+dsinstance.realm_to_serverid(api.env.realm))
+
 upgrade(sub_dict, /etc/httpd/conf.d/ipa.conf, ipautil.SHARE_DIR + ipa.conf)
 upgrade(sub_dict, /etc/httpd/conf.d/ipa-rewrite.conf, ipautil.SHARE_DIR + ipa-rewrite.conf)
 upgrade(sub_dict, /etc/httpd/conf.d/ipa-pki-proxy.conf, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True)
+upgrade(sub_dict, os.path.join(certmap_dir, certmap.conf),
+os.path.join(ipautil.SHARE_DIR, certmap.conf.template))
 upgrade_pki(ca, fstore)
 update_dbmodules(api.env.realm)
 uninstall_ipa_kpasswd()
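Review bot: the certmap.conf template now contains `$REALM`, so this upgrade() call only produces a usable file if sub_dict already carries a REALM key; the only key set in the visible context is CLONE, so please confirm REALM is populated earlier in main() or add it next to the certmap_dir computation. Because this is the DS certificate-mapping file, a failed substitution would leave the `ipaca` mapping pointing at a literal `O=$REALM` and silently break certificate-based binds for the CA, so a cheap post-write check that the rendered `certmap ipaca` line contains the realm is worth adding.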
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 060490d59c90d62fcdd3d0da89b4f6eb1d0fbf97..3b4db1e7a26a8c9c143be487f93738648ec76813 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -610,7 +610,7 @@ class DsInstance(service.Service):
 shutil.copyfile(ipautil.SHARE_DIR + certmap.conf.template,
 config_dirname(self.serverid) + certmap.conf)
 installutils.update_file(config_dirname(self.serverid) + certmap.conf,
- 'domain_name', self.realm_name)
+

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-29 Thread Petr Viktorin

On 10/26/2012 02:25 PM, Petr Viktorin wrote:

On 10/26/2012 02:20 PM, Petr Viktorin wrote:

Attached are this thread's patches rebased and squashed into one.



... and here is a patch to address replication problems related to
merging the schemata of the IPA and CA databases. See the commit message
for details.

https://fedorahosted.org/freeipa/ticket/3213



With the previous patch, if an old split-database DT9 CA was installed, 
ipa-ca-install didn't detect this, started installing another CA, and 
then failed a bit later in the process.


I've added a check for this to the patch.


--
Petr³
From b0c5942b7590b0c65d401ee1d79f7bb029a8d81d Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 24 Oct 2012 04:37:16 -0400
Subject: [PATCH] Fix schema replication from old masters

The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
---
 freeipa.spec.in|1 +
 install/share/Makefile.am  |1 +
 install/share/copy-schema-to-ca.py |   84 
 install/tools/ipa-ca-install   |2 +
 install/tools/ipa-replica-install  |2 +
 ipaserver/install/cainstance.py|   34 ++
 6 files changed, 124 insertions(+), 0 deletions(-)
 create mode 100755 install/share/copy-schema-to-ca.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2914ef839d415419c50c6b1d3eb186f5fb9fdf8c..41c478fe8dc302f0fc9fa4b4540adfb5aa1a1751 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -644,6 +644,7 @@ fi
 %attr(755,root,root) %{_libdir}/ipa/certmonger/*
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 7f953bc4261b9158303e166fd5c5f1c1232986e4..4a5f81a67a4a9e7a59647c755db5f6ad9e69ac31 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -60,6 +60,7 @@ app_DATA =\
 	automember.ldif			\
 	replica-automember.ldif		\
 	replica-s4u2proxy.ldif		\
+	copy-schema-to-ca.py\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
new file mode 100755
index ..cc878353717ed34141c99671fba1560d1c58fd72
--- /dev/null
+++ b/install/share/copy-schema-to-ca.py
@@ -0,0 +1,84 @@
+#! /usr/bin/python
+
+Copy the IPA schema to the CA directory server instance
+
+You need to run this script to prepare a 2.2 or 3.0 IPA masters for
+installation of a 3.1 replica.
+
+Once a 3.1 replica is in the domain, every older server will emit schema
+replication errors until this script is run on it.
+
+
+
+import os
+import sys
+import pwd
+import shutil
+
+from ipapython import services, ipautil, dogtag
+from ipapython.ipa_log_manager import root_logger, standard_logging_setup
+from ipaserver.install.dsinstance import DS_USER, schema_dirname
+from ipaserver.install.cainstance import PKI_USER
+from ipalib import api
+
+SERVERID = PKI-IPA
+SCHEMA_FILENAMES = (
+60kerberos.ldif,
+60samba.ldif,
+60ipaconfig.ldif,
+60basev2.ldif,
+60basev3.ldif,
+60ipadns.ldif,
+61kerberos-ipav3.ldif,
+65ipasudo.ldif,
+05rfc2247.ldif,
+)
+
+
+def add_ca_schema():
+Copy IPA schema files into the CA DS instance
+
+pki_pent = pwd.getpwnam(PKI_USER)
+ds_pent = pwd.getpwnam(DS_USER)
+for schema_fname in SCHEMA_FILENAMES:
+source_fname = os.path.join(ipautil.SHARE_DIR, schema_fname)
+target_fname = 
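Review bot: the module docstring reads "prepare a 2.2 or 3.0 IPA masters" (drop the "a" or the plural), and it should state that the script must run as root and is only meaningful on a master that still has the separate PKI-IPA directory instance. SERVERID is hard-coded to PKI-IPA, so a guard that schema_dirname(SERVERID) exists before the copy loop would turn an obscure getpwnam or copy failure into a clear "no separate CA instance on this host" message.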

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-26 Thread Petr Viktorin

Attached are this thread's patches rebased and squashed into one.

--
Petr³
From e88d69814dad88e68cfa8b66e60e58477cecdc04 Mon Sep 17 00:00:00 2001
From: Ade Lee a...@redhat.com
Date: Wed, 19 Sep 2012 23:35:42 -0400
Subject: [PATCH] Changes to use a single database for dogtag and IPA

New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
---
 freeipa.spec.in |6 +-
 install/share/certmap.conf.template |   19 ---
 install/tools/ipa-ca-install|   23 ++-
 install/tools/ipa-csreplica-manage  |2 +-
 install/tools/ipa-replica-conncheck |   21 +++
 install/tools/ipa-replica-install   |   29 +++--
 install/tools/ipa-replica-prepare   |8 ++-
 install/tools/ipa-server-install|   91 +-
 install/tools/ipactl|6 ++-
 ipapython/dogtag.py |   12 -
 ipaserver/install/cainstance.py |  105 +-
 ipaserver/install/dsinstance.py |   14 +++-
 ipaserver/install/installutils.py   |7 ++-
 ipaserver/install/replication.py|   18 +++---
 14 files changed, 253 insertions(+), 108 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index af76118fd0294fa4d8934b747c254b891ae7f2cb..2914ef839d415419c50c6b1d3eb186f5fb9fdf8c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -149,9 +149,9 @@ Requires: selinux-policy = 3.9.7-27
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.40
-Requires: pki-ca = 9.0.18
-Requires: pki-silent = 9.0.18
-Requires: pki-setup  = 9.0.18
+Requires: pki-ca = 10.0.0-0.34
+Requires: pki-silent = 10.0.0-0.34
+Requires: pki-server = 10.0.0-0.34
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
 %if 0%{?fedora} = 18
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 676d3ef354c9dae4dce8c4682176e656088991b2..40b4e6cb1513bed586248e0c214730861b9715cf 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -71,12 +71,15 @@
 #	attr names- a comma separated list of attributes to form the filter
 #
 
-certmap default		default
+certmap default default
 #default:DNComps
-#default:FilterComps	e, uid
-#default:verifycert	on
-#default:CmapLdapAttr	certSubjectDN
-#default:library	path_to_shared_lib_or_dll
-#default:InitFn		Init function's name
-default:DNComps		
-default:FilterComps	uid
+#default:FilterCompse, uid
+#default:verifycert on
+#default:CmapLdapAttr   certSubjectDN
+#default:librarypath_to_shared_lib_or_dll
+#default:InitFn Init function's name
+default:DNComps
+default:FilterComps uid
+certmap ipaca   CN=Certificate Authority,O=domain_name
+ipaca:CmapLdapAttr  seeAlso
+ipaca:verifycerton
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1c1b96a91fbbef455a68b158cc0191b91f2232f9..df3aebc111069d2d164fee6336182089c09a7195 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -142,17 +142,32 @@ def main():
 config.dir = dir
 config.setup_ca = True
 
+portfile = config.dir + /dogtag_directory_port.txt
+if not ipautil.file_exists(portfile):
+dogtag_master_ds_port = 7389
+else:
+with open(portfile) as fd:
+dogtag_master_ds_port = fd.read()
+
 if not options.skip_conncheck:
-replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password)
+replica_conn_check(
+config.master_host_name, config.host_name, config.realm_name, True,
+dogtag_master_ds_port, options.admin_password)
 
 # Configure the CA if necessary
-(CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
+(CA, cs) = cainstance.install_replica_ca(
+config, dogtag_master_ds_port, postinstall=True)
 
 # We need to ldap_enable the CA now that DS is up and running
 CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
-cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
-cs.add_cert_to_service()
+if not dogtag.install_constants.SHARED_DB:
+cs.add_simple_service('dogtagldap/%s@%s' %
+(config.host_name, config.realm_name))
+cs.add_cert_to_service()
+else:
+CA.enable_client_auth_to_db()
+CA.restart()
 
 # We need to restart apache as we drop a new config file in there
 ipaservices.knownservices.httpd.restart(capture_output=True)
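Review bot: as in the port-file block at the top of this hunk, `dogtag_master_ds_port` is an int on one branch and the raw `fd.read()` string on the other, so normalize it with `int(fd.read().strip())` before passing it to replica_conn_check and install_replica_ca. In the new `SHARED_DB` branch the CA's ability to bind to the directory rests entirely on the `ipaca` certmap entry and `enable_client_auth_to_db()`; a bind check after `CA.restart()` would surface a broken mapping at install time instead of at the first CA operation, which is when the legacy branch's explicit `add_simple_service`/`add_cert_to_service` steps would have failed loudly.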
diff 

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-26 Thread Petr Viktorin

On 10/26/2012 02:20 PM, Petr Viktorin wrote:

Attached are this thread's patches rebased and squashed into one.



... and here is a patch to address replication problems related to 
merging the schemata of the IPA and CA databases. See the commit message 
for details.


https://fedorahosted.org/freeipa/ticket/3213

--
Petr³
From 43e6e57db75bb4f37706ceba629707f47b5e018c Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 24 Oct 2012 04:37:16 -0400
Subject: [PATCH] Fix schema replication from old masters

The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213

---
 freeipa.spec.in|1 +
 install/share/Makefile.am  |1 +
 install/share/copy-schema-to-ca.py |   84 
 install/tools/ipa-ca-install   |2 +
 install/tools/ipa-replica-install  |2 +
 ipaserver/install/cainstance.py|   27 +++
 6 files changed, 117 insertions(+), 0 deletions(-)
 create mode 100755 install/share/copy-schema-to-ca.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2914ef839d415419c50c6b1d3eb186f5fb9fdf8c..41c478fe8dc302f0fc9fa4b4540adfb5aa1a1751 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -644,6 +644,7 @@ fi
 %attr(755,root,root) %{_libdir}/ipa/certmonger/*
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 7f953bc4261b9158303e166fd5c5f1c1232986e4..4a5f81a67a4a9e7a59647c755db5f6ad9e69ac31 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -60,6 +60,7 @@ app_DATA =\
 	automember.ldif			\
 	replica-automember.ldif		\
 	replica-s4u2proxy.ldif		\
+	copy-schema-to-ca.py\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
new file mode 100755
index ..cc878353717ed34141c99671fba1560d1c58fd72
--- /dev/null
+++ b/install/share/copy-schema-to-ca.py
@@ -0,0 +1,84 @@
+#! /usr/bin/python
+
+Copy the IPA schema to the CA directory server instance
+
+You need to run this script to prepare a 2.2 or 3.0 IPA masters for
+installation of a 3.1 replica.
+
+Once a 3.1 replica is in the domain, every older server will emit schema
+replication errors until this script is run on it.
+
+
+
+import os
+import sys
+import pwd
+import shutil
+
+from ipapython import services, ipautil, dogtag
+from ipapython.ipa_log_manager import root_logger, standard_logging_setup
+from ipaserver.install.dsinstance import DS_USER, schema_dirname
+from ipaserver.install.cainstance import PKI_USER
+from ipalib import api
+
+SERVERID = PKI-IPA
+SCHEMA_FILENAMES = (
+60kerberos.ldif,
+60samba.ldif,
+60ipaconfig.ldif,
+60basev2.ldif,
+60basev3.ldif,
+60ipadns.ldif,
+61kerberos-ipav3.ldif,
+65ipasudo.ldif,
+05rfc2247.ldif,
+)
+
+
+def add_ca_schema():
+Copy IPA schema files into the CA DS instance
+
+pki_pent = pwd.getpwnam(PKI_USER)
+ds_pent = pwd.getpwnam(DS_USER)
+for schema_fname in SCHEMA_FILENAMES:
+source_fname = os.path.join(ipautil.SHARE_DIR, schema_fname)
+target_fname = os.path.join(schema_dirname(SERVERID), schema_fname)
+if not os.path.exists(source_fname):
+root_logger.debug('File does not exist: %s', source_fname)
+continue
+if os.path.exists(target_fname):
+root_logger.info(
+
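Review bot: the copy loop fetches both the PKI and the DS pwd entries but the hunk is cut off before they are used, so the intended ownership of the copied schema files is not visible; add a comment stating which user the PKI-IPA instance runs as and chown accordingly. Since 389 DS only reads schema files from the instance's schema directory at startup, the script also needs to restart the PKI-IPA instance after copying and log (at info level, not debug) which files were installed, so an operator can see that the step took effect before adding a 3.1 replica.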

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-08 Thread Petr Viktorin

On 10/05/2012 09:24 PM, Ade Lee wrote:

Agreed with your assessment that the --check-ca is not needed, as we
will be checking this into 3.1 (and not 3.0).


Attaching patch that does this. It also removes the unneeded 
--dogtag-master-ds-port option. I'll squash it into the big patch later.



Attached is a patch for the request object issue.  Basically, the
replication was not working because ipa-replica-prepare was passing in
the wrong port when creating the replica package.

Let me know if you have issues - and remember to add the missing link to
the master.  That fix to add that link will be checked in today and
should be in the dogtag developer nightly build as of tomorrow.



We are working on the issues off-list.

--
Petr³

From 63d9b018f065b9447dbc114dd61651cffccf8ba0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 03:51:31 -0400
Subject: [PATCH] Remove unneeded --dogtag-master-ds-port option in
 replica-conncheck, only use check-ca for old installs

---
 install/tools/ipa-replica-conncheck | 29 +
 ipaserver/install/replication.py|  7 +++
 2 files changed, 12 insertions(+), 24 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 879d08d15453803d05ec8930680ece72decdd2d8..f0ca7fcc272536eadce77471ea8326bf966916e7 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -60,6 +60,7 @@ BASE_PORTS = [
 CheckedPort(443, SOCK_STREAM, HTTP Server: Secure port),
  ]
 
+
 def print_info(msg):
 if not QUIET:
 print msg
@@ -94,11 +95,8 @@ def parse_options():
 common_group.add_option(-c, --check-ca, dest=check_ca,
   action=store_true,
   default=False,
-  help=Check also ports for Certificate Authority)
-
-common_group.add_option(-C, --dogtag-master-ds-port,
-  dest=dogtag_master_ds_port,
-  help=Port for Certificate Authority database)
+  help=Check also ports for Certificate Authority 
+(for servers installed before IPA 3.1))
 
 common_group.add_option(, --hostname, dest=hostname,
   help=The hostname of this server (FQDN). 
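Review bot: removing `-C, --dogtag-master-ds-port` outright means any caller that still passes it gets optparse's `no such option: --dogtag-master-ds-port` error (the same message reported earlier in this thread) instead of a clear version-mismatch explanation; either keep the option as accepted-and-ignored for one release, or state in the commit message that running conncheck from an older replica against a 3.1 master is unsupported. The new help text should also name port 7389 as the port that `--check-ca` tests, so an administrator knows what to open.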
@@ -282,13 +280,10 @@ def main():
 
 required_ports = BASE_PORTS
 if options.check_ca:
-port_val = 7389
-if options.dogtag_master_ds_port:
-port_val = int(options.dogtag_master_ds_port)
-
-ca_port = CheckedPort(port_val, SOCK_STREAM,
-  PKI-CA: Directory Service port)
-required_ports.extend([ca_port])
+# Check old Dogtag CA replication port
+# New installs with unified databases use port 389 (checked above)
+required_ports.append(CheckedPort(7389, SOCK_STREAM,
+PKI-CA: Directory Service port))
 
 if options.replica:
 print_info(Check connection from master to remote replica '%s': % options.replica)
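Review bot: `required_ports = BASE_PORTS` (context line) binds a name to the module-level list, so `required_ports.append(CheckedPort(7389, ...))` mutates BASE_PORTS itself (the old `extend` had the same problem); copy it first, e.g. `required_ports = list(BASE_PORTS)`, so any later use of BASE_PORTS in the same process does not inherit the CA port. The comment relies on 389 being "checked above"; since the whole justification for dropping the configurable port rests on that, make it explicit by asserting that a port-389 entry is present in BASE_PORTS.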
@@ -322,6 +317,8 @@ def main():
 responder.start()
 RESPONDERS.append(responder)
 
+remote_check_opts = ['--replica %s' % options.hostname]
+
 if options.auto_master_check:
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
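Review bot: `remote_check_opts = ['--replica %s' % options.hostname]` packs the option and its value into one string; that only works because the list is later space-joined into a command line, and it would become a single bogus argv element if it were ever passed as a list. Use `['--replica', options.hostname]`, and validate that options.hostname is a plain FQDN before it is interpolated into a command that is executed on, or printed for the administrator to run on, the remote master.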
@@ -362,10 +359,6 @@ def main():
 if returncode != 0:
 raise RuntimeError(Could not get ticket for master server: %s % stderr)
 
-remote_check_opts = ['--replica %s' % options.hostname]
-if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
-remote_check_opts.append('--check-ca')
-
 print_info(Execute check on remote master)
 
 stderr = ''
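Review bot: with this block removed, `dogtag.install_constants.DS_PORT` is no longer consulted here, so check whether the `dogtag` import in this file is still used and drop it if not. The removal also means the remote master is never asked for `--check-ca` any more; state in the commit message that the master-to-replica check of port 7389 is intentionally dropped because a 3.1 replica's CA uses the unified instance on port 389.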
@@ -387,10 +380,6 @@ def main():
 print_info()
 print_info(Please run the following command on remote master:)
 
-remote_check_opts = ['--replica %s' % options.hostname]
-if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
-remote_check_opts.append('--check-ca')
-
 print_info(/usr/sbin/ipa-replica-conncheck  +  .join(remote_check_opts))
 time.sleep(3600)
 print_info(Connection check timeout: terminating listening program)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 06466f2995763c07b167a8312ab8bd4d6bf08522..62e33d93f5709422af319bcc6ea680c1c76a3588 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -77,11 +77,10 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
 args.extend([--password, admin_password])
 nolog=(admin_password,)
 
-if check_ca:
+if check_ca and dogtag_master_ds_port == 7389:
 args.append('--check-ca')
-args.extend([--dogtag-master-ds-port, dogtag_master_ds_port])
-(stdin, stderr, returncode) = 
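Review bot: `dogtag_master_ds_port == 7389` compares against an int, but the value was previously handed straight to `args.extend(["--dogtag-master-ds-port", dogtag_master_ds_port])` as a command-line argument, which suggests it arrives as a string read from the replica info file; if so the comparison is always False and `--check-ca` is never passed for an old master. Normalise it first (`int(dogtag_master_ds_port) == 7389`, catching ValueError) or compare the string form.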

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-05 Thread Petr Viktorin

On 10/04/2012 10:04 PM, Ade Lee wrote:

Attached is a patch to handle the ipa-replica-conncheck issue.  It
should be applied on top of your patch.

Essentially, the fix is as follows:
A. If the DS_PORT = 7389, then we pass --check-ca in the
ipa-replica-conncheck to be executed on the master.
a1. If the master is ipa 2.x, this will prompt a check for port 7389.
a2. If the master is ipa 3, this will default to dogtag_ds_port of 7389.

B. Else if DS_PORT = 389, then we pass nothing to the
ipa-replica-conncheck to be executed on the master.  This is because we
will be checking 389 in any case for the IPA DS check.

Ade


The code works, I got past the connection check, and now I'm getting the 
same internal server error with a clone from IPA 2.2 as with a clone 
from 3.0 upgraded from 2.2 (unknown object class request).


However, since with this patch IPA will depend on Dogtag 10, 
install_constants.DS_PORT will always be 389, so case A will never 
happen. I think the two if-blocks that add the --check-ca can be dropped 
entirely.


Assuming that even a clone from an old instance will use the single DB,
conncheck's --dogtag-master-ds-port option is redundant: iff the server 
supports it, it uses port 389 which doesn't need re-checking.




0001-Allow-ipa-replica-conncheck-to-work-with-2.2-instanc.patch


 From a9cd4cb15e6c230e5690f3fa919fda9c5728ee10 Mon Sep 17 00:00:00 2001
From: Ade Leea...@redhat.com
Date: Thu, 4 Oct 2012 15:55:29 -0400
Subject: [PATCH] Allow ipa-replica-conncheck to work with 2.2 instances

---
  install/tools/ipa-replica-conncheck | 15 +++
  1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck 
b/install/tools/ipa-replica-conncheck
index 
c9fb816be43d873a6ca79396e77270fd0d10aa12..498ef49e84e1dc8325b6fc2d850c8bffb9297e69
 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -282,7 +282,11 @@ def main():

  required_ports = BASE_PORTS
  if options.check_ca:
-ca_port = CheckedPort(int(options.dogtag_master_ds_port), SOCK_STREAM,
+port_val = 7389
+if options.dogtag_master_ds_port:
+port_val = int(options.dogtag_master_ds_port)
+
+ca_port = CheckedPort(port_val, SOCK_STREAM,
PKI-CA: Directory Service port)
  required_ports.extend([ca_port])
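Review bot: the `port_val = 7389` fallback makes `--dogtag-master-ds-port` optional for older callers, but `int(options.dogtag_master_ds_port)` still raises an uncaught ValueError on a non-numeric value; route it through parser.error so the user gets a usage message rather than a traceback. `required_ports.extend([ca_port])` with a one-element list is just `append`, and `required_ports = BASE_PORTS` aliases the module-level list, so that append mutates BASE_PORTS; copy the list before extending it.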

@@ -359,11 +363,8 @@ def main():
  raise RuntimeError(Could not get ticket for master server: 
%s % stderr)

  remote_check_opts = ['--replica %s' % options.hostname]
-if options.check_ca:
+if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
  remote_check_opts.append('--check-ca')
-remote_check_opts.extend([--dogtag-master-ds-port,
-str(dogtag.install_constants.DS_PORT)])
-

  print_info(Execute check on remote master)
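Review bot: the decision keys off `dogtag.install_constants.DS_PORT`, a constant of the installed Dogtag package, not the port this host's CA instance actually listens on; if an instance created under Dogtag 9 keeps port 7389 after the package is upgraded to 10, DS_PORT reads 389 and the master is no longer asked to check 7389. Reading the port from the local CA instance configuration would be more robust than a package-level constant, and the same `if` is duplicated in the next hunk, so compute `remote_check_opts` once.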

@@ -387,10 +388,8 @@ def main():
  print_info(Please run the following command on remote master:)

  remote_check_opts = ['--replica %s' % options.hostname]
-if options.check_ca:
+if options.check_ca and dogtag.install_constants.DS_PORT == 7389:
  remote_check_opts.append('--check-ca')
-remote_check_opts.extend([--dogtag-master-ds-port,
-str(dogtag.install_constants.DS_PORT)])

  print_info(/usr/sbin/ipa-replica-conncheck  +  
.join(remote_check_opts))
  time.sleep(3600)
-- 1.7.12




--
Petr³


Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-05 Thread Ade Lee
Agreed with your assessment that the --check-ca is not needed, as we
will be checking this into 3.1 (and not 3.0).

Attached is a patch for the request object issue.  Basically, the
replication was not working because ipa-replica-prepare was passing in
the wrong port when creating the replica package.

Let me know if you have issues - and remember to add the missing link to
the master.  That fix to add that link will be checked in today and
should be in the dogtag developer nightly build as of tomorrow.

Ade

On Fri, 2012-10-05 at 11:57 +0200, Petr Viktorin wrote:
 On 10/04/2012 10:04 PM, Ade Lee wrote:
  Attached is a patch to handle the ipa-replica-conncheck issue.  It
  should be applied on top of your patch.
 
  Essentially, the fix is as follows:
  A. If the DS_PORT = 7389, then we pass --check-ca in the
  ipa-replica-conncheck to be executed on the master.
  a1. If the master is ipa 2.x, this will prompt a check for port 7389.
  a2. If the master is ipa 3, this will default to dogtag_ds_port of 7389.
 
  B. Else if DS_PORT = 389, then we pass nothing to the
  ipa-replica-conncheck to be executed on the master.  This is because we
  will be checking 389 in any case for the IPA DS check.
 
  Ade
 
 The code works, I got past the connection check, and now I'm getting the 
 same internal server error with a clone from IPA 2.2 as with a clone 
 from 3.0 upgraded from 2.2 (unknown object class request).
 
 However, since with this patch IPA will depend on Dogtag 10, 
 install_constants.DS_PORT will always be 389, so case A will never 
 happen. I think the two if-blocks that add the --check-ca can be dropped 
 entirely.
 
 Assuming that even a clone from an old instance will use the single DB,
 conncheck's --dogtag-master-ds-port option is redundant: iff the server 
 supports it, it uses port 389 which doesn't need re-checking.
 
 
  0001-Allow-ipa-replica-conncheck-to-work-with-2.2-instanc.patch
 
 
   From a9cd4cb15e6c230e5690f3fa919fda9c5728ee10 Mon Sep 17 00:00:00 2001
  From: Ade Leea...@redhat.com
  Date: Thu, 4 Oct 2012 15:55:29 -0400
  Subject: [PATCH] Allow ipa-replica-conncheck to work with 2.2 instances
 
  ---
install/tools/ipa-replica-conncheck | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
 
  diff --git a/install/tools/ipa-replica-conncheck 
  b/install/tools/ipa-replica-conncheck
  index 
  c9fb816be43d873a6ca79396e77270fd0d10aa12..498ef49e84e1dc8325b6fc2d850c8bffb9297e69
   100755
  --- a/install/tools/ipa-replica-conncheck
  +++ b/install/tools/ipa-replica-conncheck
  @@ -282,7 +282,11 @@ def main():
 
required_ports = BASE_PORTS
if options.check_ca:
  -ca_port = CheckedPort(int(options.dogtag_master_ds_port), 
  SOCK_STREAM,
  +port_val = 7389
  +if options.dogtag_master_ds_port:
  +port_val = int(options.dogtag_master_ds_port)
  +
  +ca_port = CheckedPort(port_val, SOCK_STREAM,
  PKI-CA: Directory Service port)
required_ports.extend([ca_port])
 
  @@ -359,11 +363,8 @@ def main():
raise RuntimeError(Could not get ticket for master 
  server: %s % stderr)
 
remote_check_opts = ['--replica %s' % options.hostname]
  -if options.check_ca:
  +if options.check_ca and dogtag.install_constants.DS_PORT == 
  7389:
remote_check_opts.append('--check-ca')
  -remote_check_opts.extend([--dogtag-master-ds-port,
  -str(dogtag.install_constants.DS_PORT)])
  -
 
print_info(Execute check on remote master)
 
  @@ -387,10 +388,8 @@ def main():
print_info(Please run the following command on remote 
  master:)
 
remote_check_opts = ['--replica %s' % options.hostname]
  -if options.check_ca:
  +if options.check_ca and dogtag.install_constants.DS_PORT == 
  7389:
remote_check_opts.append('--check-ca')
  -remote_check_opts.extend([--dogtag-master-ds-port,
  -str(dogtag.install_constants.DS_PORT)])
 
print_info(/usr/sbin/ipa-replica-conncheck  +  
  .join(remote_check_opts))
time.sleep(3600)
  -- 1.7.12
 
 
 

From 424288306c6682fc99ef518b1c11a49880988564 Mon Sep 17 00:00:00 2001
From: Ade Lee a...@redhat.com
Date: Fri, 5 Oct 2012 15:18:50 -0400
Subject: [PATCH] Fix ipa-replica-prepare to include correct port

---
 install/tools/ipa-replica-prepare | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 5a566d61df521d3801c41a07753a2af728a7b6e7..80fb8d1de9555ad1ac957560f2d022e7b41adb1d 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -372,7 +372,7 @@ def main():
 print Saving dogtag Directory Server port
 port_fname = dir + /dogtag_directory_port.txt
 with 
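Review bot: `port_fname = dir + /dogtag_directory_port.txt` should use os.path.join(dir, ...), and `dir` shadows a builtin. More importantly, whatever is written here is what the replica side later compares against 7389, so write exactly one decimal integer with no trailing whitespace and have the reader convert it with int(), so a string-versus-int mismatch cannot silently disable the CA port check.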

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-02 Thread Petr Viktorin

On 10/01/2012 05:02 PM, Ade Lee wrote:

On Mon, 2012-10-01 at 16:09 +0200, Martin Kosek wrote:

On 10/01/2012 03:35 PM, Petr Viktorin wrote:

On 09/27/2012 10:26 AM, Petr Viktorin wrote:

On 09/20/2012 05:58 AM, Ade Lee wrote:

Changes to use a single database for dogtag and IPA

  New servers that are installed with dogtag 10 instances will use
  a single database instance for dogtag and IPA, albeit with different
  suffixes.  Dogtag will communicate with the instance through a
  database user with permissions to modify the dogtag suffix only.
  This user will authenticate using client auth using the subsystem cert
  for the instance.

  This patch includes changes to allow the creation of masters and clones
  with single ds instances.

I have tested being able to create a master and a clone using f17 and
dogtag 10.  Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today.  We'll kick
off another official f18 dogtag build in a day or so.

This is a pretty big change - so I expect many issues to come up as
things get tested.  But as this will take a while to get resolved, it's
better to get this out for review as fast as possible.

Happy reviewing.

Ade




Attaching a rebased patch with a couple of style issues fixed.
- PEP8 compliance (remove trailing whitespace, use parentheses rather
than \ for line continuation, wrap touched lines at 80 characters)
- for files, use the with statement instead of the open/close sandwich
- don't mix tabs and spaces in install/share/certmap.conf.template

I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
now obsoletes pki-setup.


I still need selinux in permissive mode to install on f17, and I still
need to exclude *.i686 packages when updating.



Are the following limitations expected?

IPA and Dogtag have to be updated simultaneously; it's not possible to have
current IPA master with Dogtag 10, or IPA with this patch with D9.

It is not possible to create a replica from a machine with a single DS to an
older version without the patch -- the older version will try the wrong ports.


In this case, I think we are covered - we do not support installation of a
replica with a lower version than the master where the replica info file was
created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
this for next version release. For 3.0 I think we will have to settle with a
note in Documentation.



There is currently a dogtag bug where when the master is dogtag 9 (or
dogtag 9 converted to 10), and the clone is dogtag 10, the clone will
fail to get the installation token from the security domain.  This is
because the dogtag 10 code tries the new restful interface call -- which
is not present on a dogtag 9 subsystem.
https://fedorahosted.org/pki/ticket/334


This has been fixed in the latest dogtag 10 nightly builds.  And will be
in the next dogtag 10 official build, which we plan to create and
release today.

Incidentally, to see what's coming up in the new dogtag build, look for
the 10.0.0-0.X.a2 milestone (plus some of what is closed in 9.0.24)



Okay, testing with the dogtag-devel repo, on f17.

The following scenarios don't work:

- Start with a master on D9
- install a replica on D10, without a CA
- run ipa-ca-install on the replica
  ipa-replica-conncheck: error: no such option: --dogtag-master-ds-port


- Start with a master on D9
- install a replica without a CA (either Dogtag version)
- Update all machines
- run ipa-ca-install on the replica
  com.netscape.certsrv.base.PKIException: 
com.netscape.certsrv.base.PKIException: Failed to obtain installation 
token from security domain


I get the following errors in catalina.out on the replica:
08:40:11,149 DEBUG 
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to 
retrieve ServletContext: expandEntityReferences defaults to true
08:40:11,158 DEBUG 
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to 
retrieve ServletContext: expandEntityReferences defaults to true
CMS Warning: FAILURE: Cannot build CA chain. Error 
java.security.cert.CertificateException: Certificate is not a PKCS #11 
certificate|FAILURE: authz instance DirAclAuthz initialization failed 
and skipped, error=Property internaldb.ldapconn.port missing value|



--
Petr³



Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-02 Thread Petr Viktorin

On 10/02/2012 03:02 PM, Petr Viktorin wrote:

On 10/01/2012 05:02 PM, Ade Lee wrote:

On Mon, 2012-10-01 at 16:09 +0200, Martin Kosek wrote:

On 10/01/2012 03:35 PM, Petr Viktorin wrote:

On 09/27/2012 10:26 AM, Petr Viktorin wrote:

On 09/20/2012 05:58 AM, Ade Lee wrote:

Changes to use a single database for dogtag and IPA

  New servers that are installed with dogtag 10 instances will use
  a single database instance for dogtag and IPA, albeit with different
  suffixes.  Dogtag will communicate with the instance through a
  database user with permissions to modify the dogtag suffix only.
  This user will authenticate using client auth using the subsystem cert
  for the instance.

  This patch includes changes to allow the creation of masters and clones
  with single ds instances.

I have tested being able to create a master and a clone using f17 and
dogtag 10.  Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today.  We'll kick
off another official f18 dogtag build in a day or so.

This is a pretty big change - so I expect many issues to come up as
things get tested.  But as this will take a while to get resolved, it's
better to get this out for review as fast as possible.

Happy reviewing.

Ade




Attaching a rebased patch with a couple of style issues fixed.
- PEP8 compliance (remove trailing whitespace, use parentheses rather
than \ for line continuation, wrap touched lines at 80 characters)
- for files, use the with statement instead of the open/close sandwich
- don't mix tabs and spaces in install/share/certmap.conf.template

I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
now obsoletes pki-setup.


I still need selinux in permissive mode to install on f17, and I still
need to exclude *.i686 packages when updating.



Are the following limitations expected?

IPA and Dogtag have to be updated simultaneously; it's not possible to have
current IPA master with Dogtag 10, or IPA with this patch with D9.

It is not possible to create a replica from a machine with a single DS to an
older version without the patch -- the older version will try the wrong ports.


In this case, I think we are covered - we do not support installation of a
replica with a lower version than the master where the replica info file was
created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
this for next version release. For 3.0 I think we will have to settle with a
note in Documentation.



There is currently a dogtag bug where when the master is dogtag 9 (or
dogtag 9 converted to 10), and the clone is dogtag 10, the clone will
fail to get the installation token from the security domain.  This is
because the dogtag 10 code tries the new restful interface call -- which
is not present on a dogtag 9 subsystem.
https://fedorahosted.org/pki/ticket/334


This has been fixed in the latest dogtag 10 nightly builds.  And will be
in the next dogtag 10 official build, which we plan to create and
release today.

Incidentally, to see what's coming up in the new dogtag build, look for
the 10.0.0-0.X.a2 milestone (plus some of what is closed in 9.0.24)



Okay, testing with the dogtag-devel repo, on f17.

The following scenarios don't work:

- Start with a master on D9
- install a replica on D10, without a CA
- run ipa-ca-install on the replica
   ipa-replica-conncheck: error: no such option: --dogtag-master-ds-port


- Start with a master on D9
- install a replica without a CA (either Dogtag version)
- Update all machines
- run ipa-ca-install on the replica
   com.netscape.certsrv.base.PKIException:
com.netscape.certsrv.base.PKIException: Failed to obtain installation
token from security domain

I get the following errors in catalina.out on the replica:
08:40:11,149 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
08:40:11,158 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initialization failed
and skipped, error=Property internaldb.ldapconn.port missing value|




I did the second scenario again and got a slightly different error 
message: White spaces are required between publicId and systemId. See 
attached logs.
I started with IPA 2.2 (from f17 repos) on both machines, then updated 
to patched IPA w/ D10, then ran ipa-ca-install.


--
Petr³



Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-01 Thread Petr Viktorin

On 09/27/2012 10:26 AM, Petr Viktorin wrote:

On 09/20/2012 05:58 AM, Ade Lee wrote:

Changes to use a single database for dogtag and IPA

 New servers that are installed with dogtag 10 instances will use
 a single database instance for dogtag and IPA, albeit with different
 suffixes.  Dogtag will communicate with the instance through a
 database user with permissions to modify the dogtag  suffix only.
 This user will authenticate using client auth using the subsystem cert
 for the instance.

 This patch includes changes to allow the creation of masters and clones
 with single ds instances.

I have tested being able to create a master and a clone using f17 and
dogtag 10.  Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today.  We'll kick
off another official f18 dogtag build in a day or so.

This is a pretty big change - so I expect many issues to come up as
things get tested. But as this will take a while to get resolved, it's
better to get this out for review as fast as possible.

Happy reviewing.

Ade




Attaching a rebased patch with a couple of style issues fixed.
- PEP8 compliance (remove trailing whitespace, use parentheses rather
than \ for line continuation, wrap touched lines at 80 characters)
- for files, use the with statement instead of the open/close sandwich
- don't mix tabs and spaces in install/share/certmap.conf.template

I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
now obsoletes pki-setup.


I still need selinux in permissive mode to install on f17, and I still
need to exclude *.i686 packages when updating.



Are the following limitations expected?

IPA and Dogtag have to be updated simultaneously; it's not possible to 
have current IPA master with Dogtag 10, or IPA with this patch with D9.


It is not possible to create a replica from a machine with a single DS 
to an older version without the patch -- the older version will try the 
wrong ports.




I've tried to run ipa-ca-install on a D10 replica cloned from an 
upgraded (unpatched→patched IPA, D9→D10) master, and I got Failed to 
obtain installation token from security domain (see attached log).


AFAICS pkispawn returns with exit code 0 on error, so our installation 
script fails later, on missing 
/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12. It would be nice if 
pkispawn told us it failed.



--
Petr³

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-01 Thread Martin Kosek
On 10/01/2012 03:35 PM, Petr Viktorin wrote:
 On 09/27/2012 10:26 AM, Petr Viktorin wrote:
 On 09/20/2012 05:58 AM, Ade Lee wrote:
 Changes to use a single database for dogtag and IPA

  New servers that are installed with dogtag 10 instances will use
  a single database instance for dogtag and IPA, albeit with different
  suffixes.  Dogtag will communicate with the instance through a
  database user with permissions to modify the dogtag  suffix only.
  This user will authenticate using client auth using the subsystem cert
  for the instance.

  This patch includes changes to allow the creation of masters and clones
  with single ds instances.

 I have tested being able to create a master and a clone using f17 and
 dogtag 10.  Note that you will need to use the latest builds on the
 dogtag repo to get some changes that were checked in today.  We'll kick
 off another official f18 dogtag build in a day or so.

 This is a pretty big change - so I expect many issues to come up as
 things get tested.  But as this will take a while to get resolved, it's
 better to get this out for review as fast as possible.

 Happy reviewing.

 Ade



 Attaching a rebased patch with a couple of style issues fixed.
 - PEP8 compliance (remove trailing whitespace, use parentheses rather
 than \ for line continuation, wrap touched lines at 80 characters)
 - for files, use the with statement instead of the open/close sandwich
 - don't mix tabs and spaces in install/share/certmap.conf.template

 I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
 now obsoletes pki-setup.


 I still need selinux in permissive mode to install on f17, and I still
 need to exclude *.i686 packages when updating.

 
 Are the following limitations expected?
 
 IPA and Dogtag have to be updated simultaneously; it's not possible to have
 current IPA master with Dogtag 10, or IPA with this patch with D9.
 
 It is not possible to create a replica from a machine with a single DS to an
 older version without the patch -- the older version will try the wrong ports.

In this case, I think we are covered - we do not support installation of a
replica with a lower version than the master where the replica info file was
created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
this for next version release. For 3.0 I think we will have to settle with a
note in Documentation.

We just need to make sure that a 3.0 replica made out of a 2.x master will work.

Martin



Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-01 Thread Ade Lee
On Mon, 2012-10-01 at 16:09 +0200, Martin Kosek wrote:
 On 10/01/2012 03:35 PM, Petr Viktorin wrote:
  On 09/27/2012 10:26 AM, Petr Viktorin wrote:
  On 09/20/2012 05:58 AM, Ade Lee wrote:
  Changes to use a single database for dogtag and IPA
 
   New servers that are installed with dogtag 10 instances will use
   a single database instance for dogtag and IPA, albeit with different
   suffixes.  Dogtag will communicate with the instance through a
   database user with permissions to modify the dogtag  suffix only.
   This user will authenticate using client auth using the subsystem cert
   for the instance.

   This patch includes changes to allow the creation of masters and clones
   with single ds instances.
 
  I have tested being able to create a master and a clone using f17 and
  dogtag 10.  Note that you will need to use the latest builds on the
  dogtag repo to get some changes that were checked in today.  We'll kick
  off another official f18 dogtag build in a day or so.
 
  This is a pretty big change - so I expect many issues to come up as
  things get tested.  But as this will take a while to get resolved, it's
  better to get this out for review as fast as possible.
 
  Happy reviewing.
 
  Ade
 
 
 
  Attaching a rebased patch with a couple of style issues fixed.
  - PEP8 compliance (remove trailing whitespace, use parentheses rather
  than \ for line continuation, wrap touched lines at 80 characters)
  - for files, use the with statement instead of the open/close sandwich
  - don't mix tabs and spaces in install/share/certmap.conf.template
 
  I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
  now obsoletes pki-setup.
 
 
  I still need selinux in permissive mode to install on f17, and I still
  need to exclude *.i686 packages when updating.
 
  
  Are the following limitations expected?
  
  IPA and Dogtag have to be updated simultaneously; it's not possible to have
  current IPA master with Dogtag 10, or IPA with this patch with D9.
  
  It is not possible to create a replica from a machine with a single DS to an
   older version without the patch -- the older version will try the wrong ports.
 
 In this case, I think we are covered - we do not support installation of a
 replica with a lower version than the master where the replica info file was
 created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
  this for the next version release. For 3.0 I think we will have to settle for a
  note in the Documentation.
 

There is currently a dogtag bug where when the master is dogtag 9 (or
dogtag 9 converted to 10), and the clone is dogtag 10, the clone will
fail to get the installation token from the security domain.  This is
because the dogtag 10 code tries the new restful interface call -- which
is not present on a dogtag 9 subsystem.
https://fedorahosted.org/pki/ticket/334


This has been fixed in the latest dogtag 10 nightly builds.  And will be
in the next dogtag 10 official build, which we plan to create and
release today. 

Incidentally, to see what's coming up in the new dogtag build, look for
the 10.0.0-0.X.a2 milestone (plus some of what is closed in 9.0.24)



 
 We just need to make sure, that 3.0 replica made out of 2.x master will work.
 
 Martin
 
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-09-27 Thread Petr Viktorin

On 09/20/2012 05:58 AM, Ade Lee wrote:

Changes to use a single database for dogtag and IPA

 New servers that are installed with dogtag 10 instances will use
 a single database instance for dogtag and IPA, albeit with different
 suffixes.  Dogtag will communicate with the instance through a
 database user with permissions to modify the dogtag  suffix only.
 This user will authenticate using client auth using the subsystem cert
 for the instance.

 This patch includes changes to allow the creation of masters and clones
 with single ds instances.

I have tested being able to create a master and a clone using f17 and
dogtag 10.  Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today.  We'll kick
off another official f18 dogtag build in a day or so.

This is a pretty big change - so I expect many issues to come up as
things get tested.  But as this will take awhile to get resolved, its
better to get this out for review as fast as possible.

Happy reviewing.

Ade




Attaching a rebased patch with a couple of style issues fixed.
- PEP8 compliance (remove trailing whitespace, use parentheses rather 
than \ for line continuation, wrap touched lines at 80 characters)

- for files, use the with statement instead of the open/close sandwich
- don't mix tabs and spaces in install/share/certmap.conf.template

I've also adjusted the spec file, as we need dogtag 10.0 and pki-server 
now obsoletes pki-setup.



I still need selinux in permissive mode to install on f17, and I still 
need to exclude *.i686 packages when updating.


--
Petr³
From 70197be93ad2b9c27d48fe5e0aa1af5a93ff487e Mon Sep 17 00:00:00 2001
From: Ade Lee a...@redhat.com
Date: Wed, 19 Sep 2012 23:35:42 -0400
Subject: [PATCH] Changes to use a single database for dogtag and IPA

New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
---
 freeipa.spec.in |   6 +-
 install/share/certmap.conf.template |  19 ---
 install/tools/ipa-ca-install|  23 ++--
 install/tools/ipa-csreplica-manage  |   2 +-
 install/tools/ipa-replica-conncheck |  19 +--
 install/tools/ipa-replica-install   |  29 +++---
 install/tools/ipa-replica-prepare   |   8 ++-
 install/tools/ipa-server-install|  91 +-
 install/tools/ipactl|   6 +-
 ipapython/dogtag.py |  12 +++-
 ipaserver/install/cainstance.py | 107 ++--
 ipaserver/install/dsinstance.py |  14 +++--
 ipaserver/install/installutils.py   |   7 ++-
 ipaserver/install/replication.py|  13 +++--
 14 files changed, 257 insertions(+), 99 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ef9678ec25d5ab8ed064657904c17a4f52e85eac..dde19d45ff75364c01c287de6ac1ae6e6f5e4963 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -142,9 +142,9 @@ Requires: selinux-policy = 3.9.7-27
 %endif
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.40
-Requires: pki-ca = 9.0.18
-Requires: pki-silent = 9.0.18
-Requires: pki-setup  = 9.0.18
+Requires: pki-ca = 10.0.0-0.34
+Requires: pki-silent = 10.0.0-0.34
+Requires: pki-server = 10.0.0-0.34
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
 %if 0%{?fedora} = 18
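Review bot: the bumped `Requires: pki-ca`, `pki-silent` and `pki-server` lines pin every IPA server to a pre-release Dogtag build (10.0.0-0.34) that, per the cover note, currently only exists in the dogtag nightly repo, so please record in the spec changelog which official Fedora 18 build first satisfies these versions; this bump is also what makes the IPA/Dogtag upgrade lock-step that Petr asks about above, which deserves a sentence in the commit message. Separately, since `pki-server` now replaces `pki-setup`, confirm that `pki-silent` is still actually used by the installer and drop the requirement if it is not.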
diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 676d3ef354c9dae4dce8c4682176e656088991b2..40b4e6cb1513bed586248e0c214730861b9715cf 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -71,12 +71,15 @@
 #	attr names- a comma separated list of attributes to form the filter
 #
 
-certmap default		default
+certmap default default
 #default:DNComps
-#default:FilterComps	e, uid
-#default:verifycert	on
-#default:CmapLdapAttr	certSubjectDN
-#default:library	path_to_shared_lib_or_dll
-#default:InitFn		Init function's name
-default:DNComps		
-default:FilterComps	uid
+#default:FilterCompse, uid
+#default:verifycert on
+#default:CmapLdapAttr   certSubjectDN
+#default:librarypath_to_shared_lib_or_dll
+#default:InitFn Init function's name
+default:DNComps
+default:FilterComps uid
+certmap ipaca   CN=Certificate Authority,O=domain_name
+ipaca:CmapLdapAttr  seeAlso
+ipaca:verifycerton
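Review bot: `certmap ipaca   CN=Certificate Authority,O=domain_name` reads as a literal placeholder rather than a value substituted at install time; certmap selects the rule by exact issuer DN match, so if `domain_name` is not replaced with the real O= component of the IPA CA's issuer DN, the subsystem cert silently falls through to the `default` rule, which maps on `uid` via `default:FilterComps uid` and has `verifycert` left commented out. Please point to where the template is filled in, and consider moving the whitespace-only rewrite of the `#default:` comment lines into a separate cleanup commit so the three substantive lines stand out in the diff.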
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1c1b96a91fbbef455a68b158cc0191b91f2232f9..df3aebc111069d2d164fee6336182089c09a7195 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -142,17 +142,32 @@ def 

[Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-09-19 Thread Ade Lee
Changes to use a single database for dogtag and IPA

New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.

I have tested being able to create a master and a clone using f17 and
dogtag 10.  Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today.  We'll kick
off another official f18 dogtag build in a day or so.

This is a pretty big change - so I expect many issues to come up as
things get tested.  But as this will take awhile to get resolved, its
better to get this out for review as fast as possible.

Happy reviewing.

Ade 
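The client-auth mapping this patch configures (an `ipaca` certmap rule keyed on the IPA CA's issuer DN, `CmapLdapAttr seeAlso`, `verifycert on`) is worth seeing end to end. The following is an added, self-contained model of how a 389-ds certmap.conf rule resolves a presented client certificate to a directory entry; it is illustration code written for this page, not FreeIPA or 389-ds code and not part of the thread. It parses the certmap syntax the patch uses, picks the rule by issuer, resolves the entry either through the `seeAlso` attribute or through `uid` filter components, and enforces `verifycert`. The realm `EXAMPLE.COM`, the DS user DN `uid=pkidbuser,ou=people,o=ipaca`, the subject `CN=CA Subsystem,O=EXAMPLE.COM`, the second CA and the byte-string stand-ins for DER certificates are all assumptions made for the example (the patch writes `O=domain_name`). In the real server the TLS layer has already validated the chain to a trusted CA before certmap runs; the model only covers the mapping step.

```python
# Added example: a small model of the 389-ds certmap.conf mechanism used by
# the "ipaca" rule in the patch.  Illustration code, not FreeIPA or 389-ds
# code.  Certificates are plain dicts (issuer, subject, der); the directory
# is a dict of DN -> {lowercase attribute: [values]}.  Realm, DNs and DER
# byte strings below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertmapRule:
    name: str
    issuer: str                              # issuer DN the rule is keyed on; "default" = any
    cmap_ldap_attr: Optional[str] = None     # attribute searched for the cert subject DN
    filter_comps: List[str] = field(default_factory=list)  # subject RDNs ANDed into a filter
    verifycert: bool = False                 # entry must hold the presented certificate


def normalize_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def subject_components(dn: str) -> Dict[str, str]:
    comps: Dict[str, str] = {}
    for rdn in dn.split(","):
        k, _, v = rdn.partition("=")
        comps.setdefault(k.strip().lower(), v.strip())   # first occurrence wins
    return comps


def parse_certmap(text: str) -> Dict[str, CertmapRule]:
    """Parse the subset of certmap.conf syntax the patch relies on."""
    rules: Dict[str, CertmapRule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            rules[name] = CertmapRule(name=name, issuer=issuer)
            continue
        key, _, value = line.partition(" ")
        name, _, prop = key.partition(":")
        rule, prop, value = rules[name], prop.lower(), value.strip()
        if prop == "cmapldapattr":
            rule.cmap_ldap_attr = value.lower()
        elif prop == "filtercomps":
            rule.filter_comps = [c.strip().lower() for c in value.split(",") if c.strip()]
        elif prop == "verifycert":
            rule.verifycert = value.lower() == "on"
        # DNComps is empty in the patch: search the whole tree, nothing to record
    return rules


def select_rule(rules: Dict[str, CertmapRule], issuer_dn: str) -> Optional[CertmapRule]:
    for rule in rules.values():
        if rule.issuer != "default" and normalize_dn(rule.issuer) == normalize_dn(issuer_dn):
            return rule
    return rules.get("default")


def map_cert_to_entry(rules, cert, directory) -> Optional[str]:
    """Return the DN the certificate is mapped to, or None to reject the bind."""
    rule = select_rule(rules, cert["issuer"])
    if rule is None:
        return None
    if rule.cmap_ldap_attr:
        # CmapLdapAttr: entries whose attribute (seeAlso here) equals the cert subject DN
        wanted = normalize_dn(cert["subject"])
        hits = [dn for dn, attrs in directory.items()
                if any(normalize_dn(v) == wanted for v in attrs.get(rule.cmap_ldap_attr, []))]
    else:
        # FilterComps: AND of subject components, e.g. (uid=<uid taken from the subject>)
        comps = subject_components(cert["subject"])
        hits = [dn for dn, attrs in directory.items()
                if rule.filter_comps and all(comps.get(c) in attrs.get(c, []) for c in rule.filter_comps)]
    if len(hits) != 1:
        return None                          # no match or ambiguity is a failure, never a guess
    dn = hits[0]
    if rule.verifycert and cert["der"] not in directory[dn].get("usercertificate", []):
        return None                          # verifycert on: the entry must hold this very cert
    return dn


def hardened_rules(text: str) -> Dict[str, CertmapRule]:
    """Same rules with verifycert forced on for every rule, including default."""
    rules = parse_certmap(text)
    for rule in rules.values():
        rule.verifycert = True
    return rules


# --- constructed sample data (assumed names, not taken from the thread) ---
CERTMAP = """
certmap default default
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=EXAMPLE.COM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
"""
PKI_DB_USER = "uid=pkidbuser,ou=people,o=ipaca"
ADMIN_USER = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
DIRECTORY = {
    PKI_DB_USER: {"seealso": ["CN=CA Subsystem,O=EXAMPLE.COM"],
                  "usercertificate": [b"der:subsystem-cert"]},
    ADMIN_USER: {"uid": ["admin"], "usercertificate": [b"der:admin-cert"]},
}
IPA_CA = "CN=Certificate Authority,O=EXAMPLE.COM"
SUBSYSTEM_CERT = {"issuer": IPA_CA, "subject": "CN=CA Subsystem,O=EXAMPLE.COM", "der": b"der:subsystem-cert"}
# same subject and issuer but a different certificate: verifycert must refuse it
REISSUED_CERT = dict(SUBSYSTEM_CERT, der=b"der:another-subsystem-cert")
# issued by some other CA the server trusts: falls through to the default rule
OTHER_CA_CERT = {"issuer": "CN=Corp Intranet CA,O=Corp", "subject": ADMIN_USER, "der": b"der:unknown"}

if __name__ == "__main__":
    rules = parse_certmap(CERTMAP)
    print(map_cert_to_entry(rules, SUBSYSTEM_CERT, DIRECTORY))   # the pkidbuser DN
    print(map_cert_to_entry(rules, REISSUED_CERT, DIRECTORY))    # None
    print(map_cert_to_entry(rules, OTHER_CA_CERT, DIRECTORY))    # admin DN: default rule, verifycert off
    print(map_cert_to_entry(hardened_rules(CERTMAP), OTHER_CA_CERT, DIRECTORY))  # None
```

The third case is the caveat: the patch turns `verifycert` on only for the `ipaca` rule, so a certificate from any other issuer the server trusts is mapped purely on its `uid` component. `hardened_rules` shows the effect of switching it on for the default rule as well, at the price of requiring every mapped entry to carry its `userCertificate`.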


From f827c0d744086a65c574de06ee3ff85083429f87 Mon Sep 17 00:00:00 2001
From: Ade Lee a...@redhat.com
Date: Wed, 19 Sep 2012 23:35:42 -0400
Subject: [PATCH] Changes to use a single database for dogtag and IPA

New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
---
 install/share/certmap.conf.template |3 ++
 install/tools/ipa-ca-install|   22 +++--
 install/tools/ipa-csreplica-manage  |2 +-
 install/tools/ipa-replica-conncheck |   19 ++--
 install/tools/ipa-replica-install   |   27 ---
 install/tools/ipa-replica-prepare   |5 ++
 install/tools/ipa-server-install|   88 +++---
 install/tools/ipactl|6 ++-
 ipapython/dogtag.py |   11 -
 ipaserver/install/cainstance.py |   89 +--
 ipaserver/install/dsinstance.py |   14 --
 ipaserver/install/installutils.py   |6 ++-
 ipaserver/install/replication.py|7 ++-
 13 files changed, 218 insertions(+), 81 deletions(-)

diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index 676d3ef354c9dae4dce8c4682176e656088991b2..d83b28c05cf9364e4ebb25a98aa8db6a98524bb7 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -80,3 +80,6 @@ certmap default		default
 #default:InitFn		Init function's name
 default:DNComps		
 default:FilterComps	uid
+certmap ipaca   CN=Certificate Authority,O=domain_name
+ipaca:CmapLdapAttr  seeAlso
+ipaca:verifycerton
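Review bot: the `ipaca` rule needs a matching directory entry to work, one that carries `seeAlso` equal to the subsystem cert's subject DN and, because of `ipaca:verifycert on`, the certificate itself in `userCertificate`, yet nothing in the hunks visible here creates or updates that entry; please point to where the Dogtag database user is set up (the diffstat lists `ipaserver/install/cainstance.py`) and say in the commit message that the entry must be re-published whenever the subsystem cert is renewed, otherwise `verifycert on` will refuse the new certificate and Dogtag loses its database connection.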
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1c1b96a91fbbef455a68b158cc0191b91f2232f9..95a64a135e6634046ca55091968f371903511771 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -142,17 +142,31 @@ def main():
 config.dir = dir
 config.setup_ca = True
 
+portfile = config.dir + /dogtag_directory_port.txt
+if not ipautil.file_exists(portfile):
+dogtag_master_ds_port = 7389
+else:
+fd = open(portfile)
+dogtag_master_ds_port = fd.read()
+fd.close()
+
 if not options.skip_conncheck:
-replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, options.admin_password)
+replica_conn_check(config.master_host_name, config.host_name, config.realm_name, True, 
+   dogtag_master_ds_port, options.admin_password)
 
 # Configure the CA if necessary
-(CA, cs) = cainstance.install_replica_ca(config, postinstall=True)
+(CA, cs) = cainstance.install_replica_ca(config,
+   dogtag_master_ds_port, postinstall=True)
 
 # We need to ldap_enable the CA now that DS is up and running
 CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
-cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
-cs.add_cert_to_service()
+if not dogtag.install_constants.SHARED_DB:
+cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
+cs.add_cert_to_service()
+else:
+CA.enable_client_auth_to_db()
+CA.restart()
 
 # We need to restart apache as we drop a new config file in there
 ipaservices.knownservices.httpd.restart(capture_output=True)
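Review bot: `dogtag_master_ds_port = fd.read()` hands back the raw file contents as a string including the trailing newline, while the fallback branch assigns the integer `7389`, so `replica_conn_check` and `install_replica_ca` receive a different type depending on whether `dogtag_directory_port.txt` exists in the replica file; convert with `int(fd.read().strip())` and, as the rebase note says for the rest of the patch, use `with open(portfile) as fd:` rather than the open/read/close sandwich. Inserting `dogtag_master_ds_port` as a positional argument ahead of `options.admin_password` also changes the `replica_conn_check` signature, so every other caller must be updated in the same patch (that change is not visible in this hunk).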
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 39cfa58511ae552cae64798c7559303fda27866a..272daacfedbb45db4307b04201954ad0a96b0614 100755
---