Re: [Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage

2014-09-02 Thread Petr Viktorin

On 09/02/2014 04:07 PM, Jan Cholasta wrote:

On 2.9.2014 at 15:31, Petr Viktorin wrote:

On 09/01/2014 03:56 PM, Jan Cholasta wrote:

On 4.8.2014 at 10:39, Jan Cholasta wrote:

On 24.7.2014 at 16:10, Jan Cholasta wrote:

Hi,

the attached patch fixes
.

Requires my patches 246 and 262 (current versions attached).

Honza


Forgot to update the man page. Updated patch attached.


Could someone please review this?


I ran into some trouble installing Dogtag, but it wasn't caused by this
patch.

ACK, pushed to:
master: 774140196360c727f11c75622ace488d591ddfba
ipa-4-1: aae78480220203b1c64c8b3c6b8297868c849110
ipa-4-0: 8999300894326d104ddf22a97d74d78fdab0984c


Thanks. Please also push the required patches (246 and 262) to ipa-4-0
(they already are in ipa-4-1 and master).


I knew I forgot something.

Pushed to ipa-4-0: 113b033ae5290425aa41c07835b4f24068514473


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage

2014-09-02 Thread Jan Cholasta

On 2.9.2014 at 15:31, Petr Viktorin wrote:

On 09/01/2014 03:56 PM, Jan Cholasta wrote:

On 4.8.2014 at 10:39, Jan Cholasta wrote:

On 24.7.2014 at 16:10, Jan Cholasta wrote:

Hi,

the attached patch fixes
.

Requires my patches 246 and 262 (current versions attached).

Honza


Forgot to update the man page. Updated patch attached.


Could someone please review this?


I ran into some trouble installing Dogtag, but it wasn't caused by this
patch.

ACK, pushed to:
master: 774140196360c727f11c75622ace488d591ddfba
ipa-4-1: aae78480220203b1c64c8b3c6b8297868c849110
ipa-4-0: 8999300894326d104ddf22a97d74d78fdab0984c


Thanks. Please also push the required patches (246 and 262) to ipa-4-0 
(they already are in ipa-4-1 and master).


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage

2014-09-02 Thread Petr Viktorin

On 09/01/2014 03:56 PM, Jan Cholasta wrote:

On 4.8.2014 at 10:39, Jan Cholasta wrote:

On 24.7.2014 at 16:10, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Requires my patches 246 and 262 (current versions attached).

Honza


Forgot to update the man page. Updated patch attached.


Could someone please review this?


I ran into some trouble installing Dogtag, but it wasn't caused by this 
patch.


ACK, pushed to:
master: 774140196360c727f11c75622ace488d591ddfba
ipa-4-1: aae78480220203b1c64c8b3c6b8297868c849110
ipa-4-0: 8999300894326d104ddf22a97d74d78fdab0984c


--
Petr³



Re: [Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage

2014-09-01 Thread Jan Cholasta

On 4.8.2014 at 10:39, Jan Cholasta wrote:

On 24.7.2014 at 16:10, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Requires my patches 246 and 262 (current versions attached).

Honza


Forgot to update the man page. Updated patch attached.


Could someone please review this?

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage

2014-08-04 Thread Jan Cholasta

On 24.7.2014 at 16:10, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Requires my patches 246 and 262 (current versions attached).

Honza


Forgot to update the man page. Updated patch attached.

--
Jan Cholasta
From 37deddbb4c80697460ef4af204e3a2e36dcbbe4e Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 24 Mar 2014 15:30:53 +0100
Subject: [PATCH 06/56] Add method for setting CA renewal master in LDAP to
 CAInstance.

Allow checking and setting CA renewal master for non-local CA instances.
---
 ipaserver/install/cainstance.py | 41 ++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f0aef75..7e2572d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1609,12 +1609,15 @@ class CAInstance(service.Service):
 return True
 return False
 
-def is_renewal_master(self):
+def is_renewal_master(self, fqdn=None):
+if fqdn is None:
+fqdn = api.env.host
+
 if not self.admin_conn:
 self.ldap_connect()
 
-dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
-('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+dn = DN(('cn', 'CA'), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
+('cn', 'etc'), api.env.basedn)
 filter = '(ipaConfigString=caRenewalMaster)'
 try:
 self.admin_conn.get_entries(base_dn=dn, filter=filter,
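Review bot: is_renewal_master() gains an fqdn argument but no docstring, so the fqdn=None fallback to api.env.host can only be learned by reading the body. Add a short docstring saying that the check reads cn=CA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc under api.env.basedn, that None means the local host, and what the caller gets back when that host has no CA entry, since del_master in ipa-csreplica-manage now calls this with a remote hostname.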
@@ -1624,6 +1627,38 @@ class CAInstance(service.Service):
 
 return True
 
+def set_renewal_master(self, fqdn=None):
+if fqdn is None:
+fqdn = api.env.host
+
+if not self.admin_conn:
+self.ldap_connect()
+
+base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ api.env.basedn)
+filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
+try:
+entries = self.admin_conn.get_entries(
+base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString'])
+except errors.NotFound:
+entries = []
+
+dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn)
+master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
+
+for entry in entries:
+if master_entry is not None and entry.dn == master_entry.dn:
+master_entry = None
+continue
+
+entry['ipaConfigString'] = [x for x in entry['ipaConfigString']
+if x.lower() != 'carenewalmaster']
+self.admin_conn.update_entry(entry)
+
+if master_entry is not None:
+master_entry['ipaConfigString'].append('caRenewalMaster')
+self.admin_conn.update_entry(master_entry)
+
 
 def replica_ca_install_check(config):
 if not config.setup_ca:
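Review bot: In set_renewal_master() the loop removes caRenewalMaster from every current holder and calls update_entry() on each one before the final block appends the value to master_entry, so if that last update_entry() fails, or the run is interrupted between the two writes, no server is left marked as renewal master. Write the new master's entry first and strip the value from the other entries afterwards; two holders for a moment is the safer failure state, because certificate renewal still has an owner.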
-- 
1.9.3

From 8d9e84e14472d842d1b67452c9208131b76b2652 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 10 Apr 2014 14:14:10 +0200
Subject: [PATCH 14/56] Pick new CA renewal master when deleting a replica.

---
 install/tools/ipa-csreplica-manage | 10 --
 install/tools/ipa-replica-manage   | 13 -
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index eb589f3..cfcb354 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -25,7 +25,8 @@ import os
 import krbV
 from ipapython.ipa_log_manager import *
 
-from ipaserver.install import replication, installutils, bindinstance
+from ipaserver.install import (replication, installutils, bindinstance,
+cainstance, certs)
 from ipalib import api, errors, util
 from ipalib.constants import CACERT
 from ipapython import ipautil, ipaldap, version, dogtag
@@ -272,7 +273,12 @@ def del_master(realm, hostname, options):
 except Exception, e:
 sys.exit("There were issues removing a connection: %s" % e)
 
-# 6. And clean up the removed replica DNS entries if any.
+# 6. Pick CA renewal master
+ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+if ca.is_renewal_master(hostname):
+ca.set_renewal_master(options.host)
+
+# 7. And clean up the removed replica DNS entries if any.
 try:
 if bindinstance.dns_container_exists(options.host, api.env.basedn,
  dm_password=options.dirman_passwd):
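Review bot: The new step 6 in del_master() has no error handling, unlike its neighbours: the code just above exits with a message on failure and step 7 opens its own try, but an exception from ca.is_renewal_master(hostname) or ca.set_renewal_master(options.host) would surface as a traceback after the connection removal above has already happened, and the DNS cleanup in step 7 would be skipped. Catch the error, report that the renewal master could not be moved to options.host, and carry on to step 7 so the operator knows to fix it by hand.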
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index d468850..aa71095 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -28,7 +28,7 @@ import socket
 
 from ipapython import ipautil
 from ipaserver.install import replication, dsinstance, installutils
-from ipaserver.install import bindinstance
+from ipaserver.install import bindinstance, cainst

[Freeipa-devel] [PATCH] 308 Allow changing CA renewal master in ipa-csreplica-manage

2014-07-24 Thread Jan Cholasta

Hi,

the attached patch fixes .

Requires my patches 246 and 262 (current versions attached).

Honza

--
Jan Cholasta
From 37deddbb4c80697460ef4af204e3a2e36dcbbe4e Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 24 Mar 2014 15:30:53 +0100
Subject: [PATCH 06/56] Add method for setting CA renewal master in LDAP to
 CAInstance.

Allow checking and setting CA renewal master for non-local CA instances.
---
 ipaserver/install/cainstance.py | 41 ++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f0aef75..7e2572d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1609,12 +1609,15 @@ class CAInstance(service.Service):
 return True
 return False
 
-def is_renewal_master(self):
+def is_renewal_master(self, fqdn=None):
+if fqdn is None:
+fqdn = api.env.host
+
 if not self.admin_conn:
 self.ldap_connect()
 
-dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
-('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+dn = DN(('cn', 'CA'), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
+('cn', 'etc'), api.env.basedn)
 filter = '(ipaConfigString=caRenewalMaster)'
 try:
 self.admin_conn.get_entries(base_dn=dn, filter=filter,
@@ -1624,6 +1627,38 @@ class CAInstance(service.Service):
 
 return True
 
+def set_renewal_master(self, fqdn=None):
+if fqdn is None:
+fqdn = api.env.host
+
+if not self.admin_conn:
+self.ldap_connect()
+
+base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ api.env.basedn)
+filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
+try:
+entries = self.admin_conn.get_entries(
+base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString'])
+except errors.NotFound:
+entries = []
+
+dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn)
+master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
+
+for entry in entries:
+if master_entry is not None and entry.dn == master_entry.dn:
+master_entry = None
+continue
+
+entry['ipaConfigString'] = [x for x in entry['ipaConfigString']
+if x.lower() != 'carenewalmaster']
+self.admin_conn.update_entry(entry)
+
+if master_entry is not None:
+master_entry['ipaConfigString'].append('caRenewalMaster')
+self.admin_conn.update_entry(master_entry)
+
 
 def replica_ca_install_check(config):
 if not config.setup_ca:
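Review bot: In set_renewal_master() the get_entry(dn, ['ipaConfigString']) call for cn=CA,cn=<fqdn> sits outside the try/except errors.NotFound that guards get_entries() just above it, while the code that follows tests master_entry is not None. If get_entry() raises for a host that has no CA entry, the caller gets a raw LDAP error rather than a message naming the fqdn; catch it here and raise a clear error. The lookup does happen before any entry is modified, which is the right order and worth a comment so a later refactor keeps it.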
-- 
1.9.3

From 8d9e84e14472d842d1b67452c9208131b76b2652 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 10 Apr 2014 14:14:10 +0200
Subject: [PATCH 14/56] Pick new CA renewal master when deleting a replica.

---
 install/tools/ipa-csreplica-manage | 10 --
 install/tools/ipa-replica-manage   | 13 -
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index eb589f3..cfcb354 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -25,7 +25,8 @@ import os
 import krbV
 from ipapython.ipa_log_manager import *
 
-from ipaserver.install import replication, installutils, bindinstance
+from ipaserver.install import (replication, installutils, bindinstance,
+cainstance, certs)
 from ipalib import api, errors, util
 from ipalib.constants import CACERT
 from ipapython import ipautil, ipaldap, version, dogtag
@@ -272,7 +273,12 @@ def del_master(realm, hostname, options):
 except Exception, e:
 sys.exit("There were issues removing a connection: %s" % e)
 
-# 6. And clean up the removed replica DNS entries if any.
+# 6. Pick CA renewal master
+ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+if ca.is_renewal_master(hostname):
+ca.set_renewal_master(options.host)
+
+# 7. And clean up the removed replica DNS entries if any.
 try:
 if bindinstance.dns_container_exists(options.host, api.env.basedn,
  dm_password=options.dirman_passwd):
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index d468850..aa71095 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -28,7 +28,7 @@ import socket
 
 from ipapython import ipautil
 from ipaserver.install import replication, dsinstance, installutils
-from ipaserver.install import bindinstance
+from ipaserver.install import bindinstance, cainstance, certs
 from ipaserver.plugins import ldap2
 from ipapython import version, ipaldap
 from ipalib im