Re: [Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled

2014-10-17 Thread Jan Cholasta

On 13.10.2014 at 14:48 Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4621.

Honza


Rebased on top of current ipa-4-1, patches attached.

--
Jan Cholasta
From 02ee569148f9abf45e8188557a13d600323160b2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 13 Oct 2014 14:10:13 +0200
Subject: [PATCH 1/3] Do not create ipa-pki-proxy.conf if CA is not configured
 in ipa-upgradeconfig

This fixes upgrade from CA-less to CA-full after IPA upgrade.

https://fedorahosted.org/freeipa/ticket/4621
---
 install/tools/ipa-upgradeconfig | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index d647eb8..cc66990 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1281,7 +1281,11 @@ def main():
 
 upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + ipa.conf)
 upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + ipa-rewrite.conf)
-upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True)
+if ca.is_configured():
+upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True)
+else:
+if ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF):
+os.remove(paths.HTTPD_IPA_PKI_PROXY_CONF)
 if subject_base:
 upgrade(
 sub_dict,
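Review bot: the `else:` followed by a nested `if ipautil.file_exists(...)` at the end of this hunk reads more naturally as a single `elif ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF):` over the `os.remove(...)` call; behaviour is unchanged. Also, `ca` and `os` are used here without being introduced in the hunk, so confirm both are already bound in main() before this point, since the visible context does not show where `ca` comes from.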
-- 
1.9.3

From aa7d7bd9a60295086571b671802b6b0232e6c942 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 13 Oct 2014 14:17:19 +0200
Subject: [PATCH 2/3] Do not fix trust flags in the DS NSS DB in
 ipa-upgradeconfig

It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as
a source in the upload_cacrt update plugin.

https://fedorahosted.org/freeipa/ticket/4621
---
 install/tools/ipa-upgradeconfig | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index cc66990..6be5783 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1188,8 +1188,8 @@ def remove_ds_ra_cert(subject_base):
 sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True)
 
 
-def fix_trust_flags(service, **kwargs):
-root_logger.info('[Fixing trust_flags in %s NSS database]' % service)
+def fix_trust_flags():
+root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
 
 if not api.env.enable_ra:
 root_logger.info(CA is not enabled)
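Review bot: the gate `if not api.env.enable_ra:` kept in this hunk still decides from the local configuration whether the CA is enabled, which is the very thing patch 3/3 of this series replaces with an LDAP-side check. Make sure patch 3 also touches this function; otherwise an upgrade from CA-less to CA-full logs "CA is not enabled" here and the trust flag fix is skipped.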
@@ -1199,13 +1199,13 @@ def fix_trust_flags(service, **kwargs):
 root_logger.info(Trust flags already fixed)
 return
 
-db = certs.CertDB(api.env.realm, **kwargs)
+db = certs.CertDB(api.env.realm)
 nickname = certdb.get_ca_nickname(api.env.realm)
 cert = db.get_cert_from_db(nickname)
 if cert:
 db.trust_root_cert(nickname, 'CT,C,C')
 
-sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True)
+sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
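Review bot: `sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)` now hardcodes the key, but the matching `get_upgrade_state` check that precedes "Trust flags already fixed" sits just above this hunk and is not in the diff; confirm it reads the same ('http', 'fix_trust_flags') key, since a `service`-based lookup would no longer resolve after the signature change in the previous hunk. Setting the state only after `db.trust_root_cert(nickname, 'CT,C,C')` has run is the right ordering: a failure there leaves the step to be retried on the next upgrade.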
 def main():
@@ -1309,7 +1309,7 @@ def main():
 http.change_mod_nss_port_from_http()
 
 http.stop()
-fix_trust_flags('http')
+fix_trust_flags()
 http.start()
 
 ds = dsinstance.DsInstance()
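Review bot: `fix_trust_flags()` is bracketed by `http.stop()` and `http.start()`, yet its two early returns ("CA is not enabled", "Trust flags already fixed") are the common outcomes on a steady-state upgrade and touch no NSS database; hoisting those checks in front of `http.stop()` would avoid an unnecessary httpd restart on every run.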
@@ -1318,7 +1318,6 @@ def main():
 ds.stop(ds_serverid)
 fix_schema_file_syntax()
 remove_ds_ra_cert(subject_base)
-fix_trust_flags('ds', nssdir=ds_dirname)
 ds.start(ds_serverid)
 
 uninstall_selfsign(ds, http)
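Review bot: with `fix_trust_flags('ds', nssdir=ds_dirname)` removed, check whether `ds_dirname` still has a consumer in main(); if this call was its only use, drop the assignment too so no dead variable is left behind. Leaving the DS NSS database untouched matches the commit message, as `upload_cacrt` reads only from the HTTP database.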
-- 
1.9.3

From cbc78bfede407af8ecde41855e9d57d472b0f353 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 13 Oct 2014 14:30:15 +0200
Subject: [PATCH 3/3] Check LDAP instead of local configuration to see if IPA
 CA is enabled

The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621
---
 API.txt |  6 +
 VERSION |  4 +--
 install/tools/ipa-ca-install|  6 ++---
 install/tools/ipa-replica-install   |  3 ++-
 install/tools/ipa-server-install|  6 +++--
 install/tools/ipa-upgradeconfig | 27 +---
 ipa-client/ipa-install/ipa-client-install   | 33 +++--
 ipa-client/ipaclient/ipa_certupdate.py  | 20 +--
 ipalib/plugins/cert.py  | 38 ++---
 ipalib/plugins/host.py  |  6 ++---
 ipalib/plugins/service.py   |  4 +--
 ipalib/x509.py  |  2 +-
 ipaserver/install/httpinstance.py   | 12 ++---
 ipaserver/install/ipa_replica_prepare.py| 15 ++--
 ipaserver/install/ipa_server_certinstall.py | 20 ---
 ipaserver/install/plugins/upload_cacrt.py   |  7 +++---
 16 files changed, 144 insertions(+), 65 

Re: [Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled

2014-10-17 Thread David Kupka

On 10/17/2014 10:15 AM, Jan Cholasta wrote:

On 13.10.2014 at 14:48 Jan Cholasta wrote:

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4621.

Honza


Rebased on top of current ipa-4-1, patches attached.


Works for me, ACK.
It would be nice to also start tracking certificates when IPA is CA-ful. 
But it can be done later, ticket: 
https://fedorahosted.org/freeipa/ticket/4644




___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



--
David Kupka



Re: [Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled

2014-10-17 Thread Martin Kosek
On 10/17/2014 12:42 PM, David Kupka wrote:
 On 10/17/2014 10:15 AM, Jan Cholasta wrote:
 On 13.10.2014 at 14:48 Jan Cholasta wrote:
 Hi,

 the attached patches fix https://fedorahosted.org/freeipa/ticket/4621.

 Honza

 Rebased on top of current ipa-4-1, patches attached.
 
 Works for me, ACK.
 It would be nice to also start tracking certificates when IPA is CA-ful. But it can be done later, ticket: https://fedorahosted.org/freeipa/ticket/4644

Pushed to:
master: 608851d3f86a9082b394c30fe0c7a7b33d43f363
ipa-4-1: 5303e6324efb24c7529caaea68c3d985087e2053

Martin



[Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled

2014-10-13 Thread Jan Cholasta

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4621.

Honza

--
Jan Cholasta
From c4f65820ebf2936139c010d143a1f6a4017d6b58 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 13 Oct 2014 14:10:13 +0200
Subject: [PATCH 1/3] Do not create ipa-pki-proxy.conf if CA is not configured
 in ipa-upgradeconfig

This fixes upgrade from CA-less to CA-full after IPA upgrade.

https://fedorahosted.org/freeipa/ticket/4621
---
 install/tools/ipa-upgradeconfig | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ba4ac93..dd607f3 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1161,7 +1161,11 @@ def main():
 
 upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + ipa.conf)
 upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + ipa-rewrite.conf)
-upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True)
+if ca.is_configured():
+upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True)
+else:
+if ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF):
+os.remove(paths.HTTPD_IPA_PKI_PROXY_CONF)
 if subject_base:
 upgrade(
 sub_dict,
-- 
1.9.3

From f9a64d83a00d1d2b15a1643bb4547893155a4d6f Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 13 Oct 2014 14:17:19 +0200
Subject: [PATCH 2/3] Do not fix trust flags in the DS NSS DB in
 ipa-upgradeconfig

It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as
a source in the upload_cacrt update plugin.

https://fedorahosted.org/freeipa/ticket/4621
---
 install/tools/ipa-upgradeconfig | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index dd607f3..63af697 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1069,8 +1069,8 @@ def remove_ds_ra_cert(subject_base):
 sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True)
 
 
-def fix_trust_flags(service, **kwargs):
-root_logger.info('[Fixing trust_flags in %s NSS database]' % service)
+def fix_trust_flags():
+root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
 
 if not api.env.enable_ra:
 root_logger.info(CA is not enabled)
@@ -1080,13 +1080,13 @@ def fix_trust_flags(service, **kwargs):
 root_logger.info(Trust flags already fixed)
 return
 
-db = certs.CertDB(api.env.realm, **kwargs)
+db = certs.CertDB(api.env.realm)
 nickname = certdb.get_ca_nickname(api.env.realm)
 cert = db.get_cert_from_db(nickname)
 if cert:
 db.trust_root_cert(nickname, 'CT,C,C')
 
-sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True)
+sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
 def main():
@@ -1188,7 +1188,7 @@ def main():
 http.change_mod_nss_port_from_http()
 
 http.stop()
-fix_trust_flags('http')
+fix_trust_flags()
 http.start()
 
 ds = dsinstance.DsInstance()
@@ -1197,7 +1197,6 @@ def main():
 ds.stop(ds_serverid)
 fix_schema_file_syntax()
 remove_ds_ra_cert(subject_base)
-fix_trust_flags('ds', nssdir=ds_dirname)
 ds.start(ds_serverid)
 
 uninstall_selfsign(ds, http)
-- 
1.9.3

From bd6a94fa5efb7ff3635ffcfb3c7e9165bcf2cebb Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 13 Oct 2014 14:30:15 +0200
Subject: [PATCH 3/3] Check LDAP instead of local configuration to see if IPA
 CA is enabled

The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621
---
 API.txt |  6 +
 VERSION |  4 +--
 install/tools/ipa-ca-install|  6 ++---
 install/tools/ipa-replica-install   |  3 ++-
 install/tools/ipa-server-install|  6 +++--
 install/tools/ipa-upgradeconfig | 27 +---
 ipa-client/ipa-install/ipa-client-install   | 27 
 ipa-client/ipaclient/ipa_certupdate.py  | 20 +--
 ipalib/plugins/cert.py  | 38 ++---
 ipalib/plugins/host.py  |  6 ++---
 ipalib/plugins/service.py   |  4 +--
 ipalib/x509.py  |  2 +-
 ipaserver/install/httpinstance.py   | 12 ++---
 ipaserver/install/ipa_replica_prepare.py| 15 ++--
 ipaserver/install/ipa_server_certinstall.py | 20 ---
 ipaserver/install/plugins/upload_cacrt.py   |  7 +++---
 16 files changed, 141 insertions(+), 62 deletions(-)

diff --git a/API.txt b/API.txt
index 1af7850..df924c0 100644
--- a/API.txt
+++ b/API.txt
@@ -450,6 +450,12 @@ arg: Any('methods*')
 option: