Re: [Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled
> On 13.10.2014 at 14:48 Jan Cholasta wrote:
> Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4621.
> Honza

Rebased on top of current ipa-4-1, patches attached.

-- Jan Cholasta

From 02ee569148f9abf45e8188557a13d600323160b2 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 13 Oct 2014 14:10:13 +0200 Subject: [PATCH 1/3] Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfig This fixes upgrade from CA-less to CA-full after IPA upgrade. https://fedorahosted.org/freeipa/ticket/4621 --- install/tools/ipa-upgradeconfig | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index d647eb8..cc66990 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1281,7 +1281,11 @@ def main(): upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + ipa.conf) upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + ipa-rewrite.conf) -upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True) +if ca.is_configured(): +upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True) +else: +if ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF): +os.remove(paths.HTTPD_IPA_PKI_PROXY_CONF) if subject_base: upgrade( sub_dict, -- 1.9.3 From aa7d7bd9a60295086571b671802b6b0232e6c942 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 13 Oct 2014 14:17:19 +0200 Subject: [PATCH 2/3] Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as a source in the upload_cacrt update plugin. https://fedorahosted.org/freeipa/ticket/4621 --- install/tools/ipa-upgradeconfig | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index cc66990..6be5783 100644
--- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1188,8 +1188,8 @@ def remove_ds_ra_cert(subject_base): sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True) -def fix_trust_flags(service, **kwargs): -root_logger.info('[Fixing trust_flags in %s NSS database]' % service) +def fix_trust_flags(): +root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR) if not api.env.enable_ra: root_logger.info(CA is not enabled) @@ -1199,13 +1199,13 @@ def fix_trust_flags(service, **kwargs): root_logger.info(Trust flags already fixed) return -db = certs.CertDB(api.env.realm, **kwargs) +db = certs.CertDB(api.env.realm) nickname = certdb.get_ca_nickname(api.env.realm) cert = db.get_cert_from_db(nickname) if cert: db.trust_root_cert(nickname, 'CT,C,C') -sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True) +sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True) def main(): @@ -1309,7 +1309,7 @@ def main(): http.change_mod_nss_port_from_http() http.stop() -fix_trust_flags('http') +fix_trust_flags() http.start() ds = dsinstance.DsInstance() @@ -1318,7 +1318,6 @@ def main(): ds.stop(ds_serverid) fix_schema_file_syntax() remove_ds_ra_cert(subject_base) -fix_trust_flags('ds', nssdir=ds_dirname) ds.start(ds_serverid) uninstall_selfsign(ds, http) -- 1.9.3 From cbc78bfede407af8ecde41855e9d57d472b0f353 Mon Sep 17 00:00:00 2001 
From: Jan Cholasta jchol...@redhat.com Date: Mon, 13 Oct 2014 14:30:15 +0200 Subject: [PATCH 3/3] Check LDAP instead of local configuration to see if IPA CA is enabled The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 --- API.txt | 6 + VERSION | 4 +-- install/tools/ipa-ca-install| 6 ++--- install/tools/ipa-replica-install | 3 ++- install/tools/ipa-server-install| 6 +++-- install/tools/ipa-upgradeconfig | 27 +--- ipa-client/ipa-install/ipa-client-install | 33 +++-- ipa-client/ipaclient/ipa_certupdate.py | 20 +-- ipalib/plugins/cert.py | 38 ++--- ipalib/plugins/host.py | 6 ++--- ipalib/plugins/service.py | 4 +-- ipalib/x509.py | 2 +- ipaserver/install/httpinstance.py | 12 ++--- ipaserver/install/ipa_replica_prepare.py| 15 ++-- ipaserver/install/ipa_server_certinstall.py | 20 --- ipaserver/install/plugins/upload_cacrt.py | 7 +++--- 16 files changed, 144 insertions(+), 65
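Review bot: In the PATCH 1/3 hunk in ipa-upgradeconfig main(), the `else:` wrapping a lone nested `if` can be collapsed to `elif ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF):`, and the deletion of a previously generated Apache config file happens silently; a `root_logger.info(...)` line before `os.remove(paths.HTTPD_IPA_PKI_PROXY_CONF)` would leave a record in the upgrade log that ipa-pki-proxy.conf was dropped because no CA is configured, which is what an administrator tracing a CA-less to CA-full upgrade will look for. Please also confirm that `ca` and `os` are already imported in this tool, since neither import is visible in the hunk.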
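Review bot: In the last PATCH 2/3 hunk (main(), between `ds.stop(ds_serverid)` and `ds.start(ds_serverid)`), removing `fix_trust_flags('ds', nssdir=ds_dirname)` takes away the only use of `ds_dirname` visible in this series; check whether its assignment earlier in main() is still needed and drop it if not. The removal also leaves any previously recorded `('ds', 'fix_trust_flags')` upgrade state behind; no cleanup is required, but the commit message should state explicitly that the DS NSS DB trust flags are intentionally left untouched because only the HTTP NSS DB is read by the upload_cacrt plugin.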
Re: [Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled
On 10/17/2014 10:15 AM, Jan Cholasta wrote:
> On 13.10.2014 at 14:48 Jan Cholasta wrote:
>> Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4621.
>> Honza
> Rebased on top of current ipa-4-1, patches attached.

Works for me, ACK.

It would be nice to also start tracking certificates when IPA is CA-ful. But it can be done later, ticket: https://fedorahosted.org/freeipa/ticket/4644

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

-- David Kupka
Re: [Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled
On 10/17/2014 12:42 PM, David Kupka wrote:
> On 10/17/2014 10:15 AM, Jan Cholasta wrote:
>> On 13.10.2014 at 14:48 Jan Cholasta wrote:
>>> Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4621.
>>> Honza
>> Rebased on top of current ipa-4-1, patches attached.
> Works for me, ACK.
> It would be nice to also start tracking certificates when IPA is CA-ful. But it can be done later, ticket: https://fedorahosted.org/freeipa/ticket/4644

Pushed to:
master: 608851d3f86a9082b394c30fe0c7a7b33d43f363
ipa-4-1: 5303e6324efb24c7529caaea68c3d985087e2053

Martin
[Freeipa-devel] [PATCHES] 354-356 Check LDAP instead of local configuration to see if IPA CA is enabled
Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4621. Honza -- Jan Cholasta From c4f65820ebf2936139c010d143a1f6a4017d6b58 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 13 Oct 2014 14:10:13 +0200 Subject: [PATCH 1/3] Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfig This fixes upgrade from CA-less to CA-full after IPA upgrade. https://fedorahosted.org/freeipa/ticket/4621 --- install/tools/ipa-upgradeconfig | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index ba4ac93..dd607f3 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1161,7 +1161,11 @@ def main(): upgrade(sub_dict, paths.HTTPD_IPA_CONF, ipautil.SHARE_DIR + ipa.conf) upgrade(sub_dict, paths.HTTPD_IPA_REWRITE_CONF, ipautil.SHARE_DIR + ipa-rewrite.conf) -upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True) +if ca.is_configured(): +upgrade(sub_dict, paths.HTTPD_IPA_PKI_PROXY_CONF, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True) +else: +if ipautil.file_exists(paths.HTTPD_IPA_PKI_PROXY_CONF): +os.remove(paths.HTTPD_IPA_PKI_PROXY_CONF) if subject_base: upgrade( sub_dict, -- 1.9.3 From f9a64d83a00d1d2b15a1643bb4547893155a4d6f Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 13 Oct 2014 14:17:19 +0200 Subject: [PATCH 2/3] Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as a source in the upload_cacrt update plugin. https://fedorahosted.org/freeipa/ticket/4621 --- install/tools/ipa-upgradeconfig | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index dd607f3..63af697 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -1069,8 +1069,8 @@ def remove_ds_ra_cert(subject_base): sysupgrade.set_upgrade_state('ds', 'remove_ra_cert', True) -def fix_trust_flags(service, **kwargs): -root_logger.info('[Fixing trust_flags in %s NSS database]' % service) +def fix_trust_flags(): +root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR) if not api.env.enable_ra: root_logger.info(CA is not enabled) @@ -1080,13 +1080,13 @@ def fix_trust_flags(service, **kwargs): root_logger.info(Trust flags already fixed) return -db = certs.CertDB(api.env.realm, **kwargs) +db = certs.CertDB(api.env.realm) nickname = certdb.get_ca_nickname(api.env.realm) cert = db.get_cert_from_db(nickname) if cert: db.trust_root_cert(nickname, 'CT,C,C') -sysupgrade.set_upgrade_state(service, 'fix_trust_flags', True) +sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True) def main(): @@ -1188,7 +1188,7 @@ def main(): http.change_mod_nss_port_from_http() http.stop() -fix_trust_flags('http') +fix_trust_flags() http.start() ds = dsinstance.DsInstance() @@ -1197,7 +1197,6 @@ def main(): ds.stop(ds_serverid) fix_schema_file_syntax() remove_ds_ra_cert(subject_base) -fix_trust_flags('ds', nssdir=ds_dirname) ds.start(ds_serverid) uninstall_selfsign(ds, http) -- 1.9.3 From bd6a94fa5efb7ff3635ffcfb3c7e9165bcf2cebb Mon Sep 17 00:00:00 2001 
From: Jan Cholasta jchol...@redhat.com Date: Mon, 13 Oct 2014 14:30:15 +0200 Subject: [PATCH 3/3] Check LDAP instead of local configuration to see if IPA CA is enabled The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 --- API.txt | 6 + VERSION | 4 +-- install/tools/ipa-ca-install| 6 ++--- install/tools/ipa-replica-install | 3 ++- install/tools/ipa-server-install| 6 +++-- install/tools/ipa-upgradeconfig | 27 +--- ipa-client/ipa-install/ipa-client-install | 27 ipa-client/ipaclient/ipa_certupdate.py | 20 +-- ipalib/plugins/cert.py | 38 ++--- ipalib/plugins/host.py | 6 ++--- ipalib/plugins/service.py | 4 +-- ipalib/x509.py | 2 +- ipaserver/install/httpinstance.py | 12 ++--- ipaserver/install/ipa_replica_prepare.py| 15 ++-- ipaserver/install/ipa_server_certinstall.py | 20 --- ipaserver/install/plugins/upload_cacrt.py | 7 +++--- 16 files changed, 141 insertions(+), 62 deletions(-) diff --git a/API.txt b/API.txt index 1af7850..df924c0 100644 --- a/API.txt +++ b/API.txt @@ -450,6 +450,12 @@ arg: Any('methods*') option:
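Review bot: In the first PATCH 2/3 hunk (the `fix_trust_flags` definition), the function still gates on `api.env.enable_ra`, a value taken from local configuration, while PATCH 3/3 in this same series is titled "Check LDAP instead of local configuration to see if IPA CA is enabled"; since the PATCH 3/3 diffstat touches install/tools/ipa-upgradeconfig (27 lines), make sure that patch also replaces this `enable_ra` check, otherwise the trust flag fix can still be skipped with "CA is not enabled" on a host whose local configuration is stale. Separately, the upgrade state key is now hard-coded to `'http'` while the log line is built from `paths.HTTPD_ALIAS_DIR`; that is consistent, but a one-line comment on the function saying that only the HTTP NSS DB is handled because upload_cacrt reads from it would keep the next reader from re-adding the DS case.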