From 835923750bff4f26d9b90df9870a961d16728488 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Nov 11 2016 11:17:25 +0000
Subject: Take advantage of the ca/kra code cleanup in replica installation

The recent cleanup of ca/kra installation code can be used to greatly reduce the number of differences between DL0 and DL1 in replica installation. This change also allows to move Custodia instance creation after Kerberos and httpd instances installation. https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index e6a64fc..054513d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1407,18 +1407,6 @@ def install(installer):
 # To config certmonger would try to connect to local server
 create_ipa_conf(fstore, config, ca_enabled)
- if promote:
- custodia = custodiainstance.CustodiaInstance(config.host_name,
- config.realm_name)
- custodia.create_replica(config.master_host_name)
- else:
- options.dm_password = config.dirman_password
- if ca_enabled:
- options.realm_name = config.realm_name
- options.domain_name = config.domain_name
- options.host_name = config.host_name
- ca.install_step_0(False, config, options)
-
 krb = install_krb(
 config,
 setup_pkinit=not options.no_pkinit,
@@ -1436,23 +1424,21 @@ def install(installer):
 otpd.create_instance('OTPD', config.host_name,
 ipautil.realm_to_suffix(config.realm_name))
+ custodia = custodiainstance.CustodiaInstance(config.host_name,
+ config.realm_name)
 if promote:
- if ca_enabled:
- options.realm_name = config.realm_name
- options.domain_name = config.domain_name
- options.host_name = config.host_name
- options.dm_password = config.dirman_password
- ca.install(False, config, options)
+ custodia.create_replica(config.master_host_name)
+ custodia.import_dm_password(config.master_host_name)
 else:
- if ca_enabled:
- # Done after install_krb() because lightweight CA key
- # retrieval setup needs to create kerberos principal.
- ca.install_step_1(False, config, options)
-
- custodia = custodiainstance.CustodiaInstance(config.host_name,
- config.realm_name)
 custodia.create_instance()
+ if ca_enabled:
+ options.realm_name = config.realm_name
+ options.domain_name = config.domain_name
+ options.host_name = config.host_name
+ options.dm_password = config.dirman_password
+ ca.install(False, config, options)
+
 # Apply any LDAP updates. Needs to be done after the replica is synced-up
 service.print_msg("Applying LDAP updates")
 ds.apply_updates()
@@ -1464,8 +1450,6 @@ def install(installer):
 krb.restart()
 if promote:
- custodia.import_dm_password(config.master_host_name)
-
 promote_sssd(config.host_name)
 promote_openldap_conf(config.host_name, config.master_host_name)
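Review bot: The ordering constraint that the old non-promote branch documented is lost on the new side of the second hunk: the removed comment `# Done after install_krb() because lightweight CA key` / `# retrieval setup needs to create kerberos principal.` explained why the CA install has to follow install_krb(), and the relocated `if ca_enabled:` block that now calls `ca.install(False, config, options)` for both paths still depends on that order but says nothing about it. Restoring those two comment lines directly above `if ca_enabled:` would stop a later maintainer from hoisting the CA install back before the Kerberos setup. The new code also creates the Custodia instance before ca.install() on both paths, and since the reason is only stated in the commit message, a one-line note there (e.g. `# Custodia must exist before the CA is installed`, assuming that is indeed the dependency) would help. install() begins before and ends after this hunk.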