URL: https://github.com/freeipa/freeipa/pull/801 Author: HonzaCholasta Title: #801: httpinstance: wait until the service entry is replicated Action: opened
PR body: """ Wait until the local HTTP service entry is replicated to the remote master before requesting the server certificate. This prevents a replication conflict between the service entry added locally and the service entry added remotely when requesting the certificate. https://pagure.io/freeipa/issue/6867 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/801/head:pr801 git checkout pr801
From 40bcbd3e3589fdc0c0c021e1055c1fc8e5e2d0b9 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 22 May 2017 08:15:14 +0000 Subject: [PATCH] httpinstance: wait until the service entry is replicated Wait until the local HTTP service entry is replicated to the remote master before requesting the server certificate. This prevents a replication conflict between the service entry added locally and service entry added remotely when requesting the certificate. https://pagure.io/freeipa/issue/6867 --- ipaserver/install/httpinstance.py | 20 +++++++++++++++++++- ipaserver/install/server/replicainstall.py | 2 +- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index c76a1a4e48..9c72db97c3 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -32,9 +32,11 @@ from augeas import Augeas from ipalib.install import certmonger +from ipapython import ipaldap from ipapython.certdb import (IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS) +from ipaserver.install import replication from ipaserver.install import service from ipaserver.install import certs from ipaserver.install import installutils @@ -129,7 +131,8 @@ def __init__(self, fstore=None, cert_nickname='Server-Cert', def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, subject_base=None, auto_redirect=True, ca_file=None, - ca_is_configured=None, promote=False): + ca_is_configured=None, promote=False, + master_fqdn=None): self.fqdn = fqdn self.realm = realm self.domain = domain_name @@ -148,6 +151,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, if ca_is_configured is not None: self.ca_is_configured = ca_is_configured self.promote = promote + self.master_fqdn = master_fqdn self.step("stopping httpd", self.__stop) self.step("setting mod_nss port to 443", self.__set_mod_nss_port) 
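Review bot: The new `master_fqdn=None` keyword added to the `create_instance` signature in the -129 hunk is undocumented, and its only consumer is the remote wait added to `request_service_keytab`, so a reader of the signature cannot tell which host is expected or what passing `None` means. Add a short comment at the parameter, e.g. `# master_fqdn: master whose LDAP is polled for the replicated HTTP service entry after the keytab request; None skips the wait`. The same note applies to the assignment hunk at -148 (`self.master_fqdn = master_fqdn`). The body of `create_instance` continues outside these hunks.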
@@ -577,3 +581,17 @@ def start_tracking_certificates(self): db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR) db.track_server_cert(self.cert_nickname, self.principal, db.passwd_fname, 'restart_httpd') + + def request_service_keytab(self): + super(HTTPInstance, self).request_service_keytab() + + if self.master_fqdn is not None: + service_dn = DN(('krbprincipalname', self.principal), + ('cn', 'services'), + ('cn', 'accounts'), + self.suffix) + + ldap_uri = ipaldap.get_ldap_uri(self.master_fqdn) + with ipaldap.LDAPClient(ldap_uri) as remote_ldap: + remote_ldap.gssapi_bind() + replication.wait_for_entry(remote_ldap, service_dn, timeout=60) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index b30133ffa2..8e4152f2ef 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -165,7 +165,7 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file, config.realm_name, config.host_name, config.domain_name, pkcs12_info, auto_redirect=auto_redirect, ca_file=ca_file, ca_is_configured=ca_is_configured, promote=promote, - subject_base=config.subject_base) + subject_base=config.subject_base, master_fqdn=config.master_host_name) return http
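Review bot: The new `request_service_keytab` override carries no docstring, so the reason for contacting `master_fqdn` at all — the replication conflict described only in the commit message — is invisible to the next reader of httpinstance.py; add one such as `"""Request the keytab, then block until the local HTTP service entry is visible on master_fqdn so the certificate request there does not race a not-yet-replicated entry."""`. The behaviour on a failed wait is also worth stating: `replication.wait_for_entry` is called with `timeout=60` and, if it raises once the deadline passes (its signature suggests so — confirm against replication.py), the replica install aborts at this step instead of proceeding into the conflicting request, which looks intended. Errors from `gssapi_bind()` or an unreachable `master_fqdn` propagate from here as raw LDAP errors; consider wrapping them so the installer reports which master it could not reach and why. Whether `DN` is already imported in this module is not visible in the hunk.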