From c7c126fb51c5b2c92622f493d1c7efbadb899e49 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Mar 01 2016 12:45:40 +0000
Subject: use LDAPS during standalone CA/KRA subsystem deployment

The deployment descriptor used during CA/KRA install was modified to use LDAPS to communicate with DS backend. This will enable standalone CA/KRA installation on top of hardened directory server configuration.

https://fedorahosted.org/freeipa/ticket/5570

Reviewed-By: Tomas Babej
---
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1a98c43..3ca4fa8 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -533,6 +533,9 @@ class CAInstance(DogtagInstance):
         config.set("CA", "pki_ds_base_dn", self.basedn)
         config.set("CA", "pki_ds_database", "ipaca")
 
+        if not self.create_ra_agent_db and not self.clone:
+            self._use_ldaps_during_spawn(config)
+
         # Certificate subject DN's
         config.set("CA", "pki_subsystem_subject_dn",
                    str(DN(('cn', 'CA Subsystem'), self.subject_base)))
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 940b3ea..fa93b50 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -463,3 +463,9 @@ class DogtagInstance(service.Service):
             self.log.critical(" %s" % log)
         raise RuntimeError("%s configuration failed." % self.subsystem)
 
+
+    def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
+        config.set(self.subsystem, "pki_ds_ldaps_port", "636")
+        config.set(self.subsystem, "pki_ds_secure_connection", "True")
+        config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
+                   ds_cacert)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 625d84a..be2727f 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
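Review bot: The LDAPS switch behind the added `if not self.create_ra_agent_db and not self.clone:` in cainstance.py only covers the standalone CA case, whereas the krainstance.py hunk calls `self._use_ldaps_during_spawn(config)` unconditionally, so a CA clone or an install that creates the RA agent DB presumably still lets pkispawn bind to DS over the plain LDAP port — exactly the path a hardened DS that refuses cleartext binds (the motivation in the commit message) would reject. If the restriction is deliberate because those paths handle DS differently outside this hunk, a one-line comment above the guard would keep the next reader from "fixing" it, e.g. `# Only standalone CA installs use LDAPS here; clone and RA-agent-DB installs keep the plain-LDAP descriptor` — otherwise the guard may want to match the KRA behaviour. The enclosing method starts before and ends after this hunk, so I cannot see whether the other branches set `pki_ds_ldaps_port` elsewhere.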
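Review bot: `_use_ldaps_during_spawn` in dogtaginstance.py has no docstring and hard-codes the port as the literal `"636"`, while the trust anchor is already parameterised via `ds_cacert`; a keyword parameter such as `ldaps_port="636"` would keep the two consistent. A short docstring would also help, e.g. `"""Point the pkispawn descriptor at DS over LDAPS, verifying the server cert against ds_cacert."""`. The default `ds_cacert=paths.IPA_CA_CRT` presumably means pkispawn only accepts a DS certificate that chains to the IPA CA, so a deployment whose DS certificate was issued by another CA would need to pass its own PEM bundle — worth stating in the docstring, since both call sites (the cainstance.py and krainstance.py hunks) rely on the default.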
@@ -188,6 +188,8 @@ class KRAInstance(DogtagInstance):
         config.set("KRA", "pki_ds_database", "ipaca")
         config.set("KRA", "pki_ds_create_new_db", "False")
 
+        self._use_ldaps_during_spawn(config)
+
         # Certificate subject DNs
         config.set("KRA", "pki_subsystem_subject_dn",
                    str(DN(('cn', 'CA Subsystem'), self.subject_base)))