[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

martbab commented:
"""
Superseded by https://github.com/freeipa/freeipa/pull/584
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286765122
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

martbab commented:
"""
@simo5 thank you
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286392161
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Sure no prob
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286391140
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

martbab commented:
"""
@simo5 yes the whole PKINIT setup logic on replica is flawed and will probably need to be moved into a later point in master/replica install. Can I re-use your PR and prepare a new one that will fix it properly? I will keep you the author of this commit if you wish.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286389719
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Can you figure out exactly why certmonger is doing this?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286366985
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

martbab commented:
"""
@simo5 actually I found multiple issues during review and concluded that setting up PKINIT on DL1 replica never worked correctly actually. Will open respective blocker tickets ASAP.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286355471
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Should have addressed all concerns in this push
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285660566
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed martbab commented: """ I think we can avoid the copy-pasta by actually moving PKINIT requesting code into `__common_post_setup` like this: ```diff --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -142,10 +142,15 @@ class KrbInstance(service.Service): self.step("starting the KDC", self.__start_instance) self.step("configuring KDC to start on boot", self.__enable) +if self.setup_pkinit: +self.step("installing X509 Certificate for PKINIT", + self.setup_pkinit) + def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None): self.master_password = master_password self.pkcs12_info = pkcs12_info self.subject_base = subject_base +self.setup_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) @@ -160,10 +165,6 @@ class KrbInstance(service.Service): self.__common_post_setup() -if setup_pkinit: -self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) - self.start_creation(runtime=30) self.kpasswd = KpasswdInstance() 
@@ -178,14 +179,12 @@ class KrbInstance(service.Service): self.pkcs12_info = pkcs12_info self.subject_base = subject_base self.master_fqdn = master_fqdn +self.setup_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("configuring KDC", self.__configure_instance) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) -if setup_pkinit: -self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) self.__common_post_setup() ``` Yes we have now duplicated member assignment but still better that duplicate logic. Also I have some inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285599143 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
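Review bot: The added `self.setup_pkinit = setup_pkinit` in the second and third hunks stores the boolean flag under the same name that the step registration uses as its callable, `self.step("installing X509 Certificate for PKINIT", self.setup_pkinit)`. Once the flag is assigned, the instance attribute shadows whatever `self.setup_pkinit` referred to before, so the new `if self.setup_pkinit:` block in the first hunk would pass the boolean itself to `self.step` instead of the routine that installs the certificate. Store the flag under a separate attribute (for example `self.pkinit_enabled`, a name used here only for illustration) and keep `self.setup_pkinit` as the callable.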
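Review bot: The step ordering changes on the path touched by the third hunk and nothing documents it: there the PKINIT step was queued before `self.__common_post_setup()`, and after the move it is queued at the end of `__common_post_setup`, behind "starting the KDC" and "configuring KDC to start on boot". The `create_instance` path already queued it after `__common_post_setup()`, so only the third-hunk path changes behaviour. Add a comment in `__common_post_setup` stating that the certificate step is meant to run after the KDC has been started, and note in the commit message whether anything has to happen afterwards for the running KDC to use the certificate.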
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Still testing but this should be the way to go to fix the bug reported in #564
"""

See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285493679