freeipa

Clone
Source Code
GIT

69bda6b Fix ipa-server-upgrade: This entry already exists

4 files Authored by frenaud 6 years ago, Committed by stlaz 6 years ago,
raw patch tree parent
4 files changed. 118 lines added. 2 lines removed.
install/updates/90-post_upgrade_plugins.update
file modified
+1 -0
ipalib/install/certstore.py
file modified
+19 -0
ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py
file added
+84
ipaserver/install/plugins/upload_cacrt.py
file modified
+14 -2 
    Fix ipa-server-upgrade: This entry already exists
    
    ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
    finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
    below cn=certificates,cn=ipa,cn=etc,$BASEDN.
    The issue happens because there is already an entry in LDAP for IPA CA, but
    with a different DN. The nickname in /etc/httpd/alias can differ from
    $DOMAIN IPA CA.
    
    To avoid the issue:
    1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
    (to make sure that uniqueness attr plugin is working after the new plugin)
    2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
    cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.
    
    https://pagure.io/freeipa/issue/7125
    
    Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
file modified
+1 -0
file modified
+19 -0
file added
+84
file modified
+14 -2
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.