From a6a89e24147d8542fd09cf64e04982599b79e3cc Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Apr 07 2017 16:53:15 +0000 Subject: renew agent, restart scripts: connect to LDAP after kinit Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky --- diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 3389447..7a3d955 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -518,7 +518,6 @@ def main(): api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA) api.finalize() - api.Backend.ldap2.connect() operation = os.environ.get('CERTMONGER_OPERATION') if operation not in ('SUBMIT', 'POLL'): @@ -532,6 +531,8 @@ def main(): os.environ['KRB5CCNAME'] = ccache_filename kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename) + api.Backend.ldap2.connect() + profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): if profile or is_renewal_master(): @@ -547,9 +548,10 @@ def main(): print(item) return res[0] finally: + if api.Backend.ldap2.isconnected(): + api.Backend.ldap2.disconnect() certs.renewal_lock.release() shutil.rmtree(tmpdir) - api.Backend.ldap2.disconnect() try: diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index bbeae1a..7a54b4c 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -42,7 +42,6 @@ def _main(): api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) api.finalize() - api.Backend.ldap2.connect() dogtag_service = services.knownservices['pki_tomcatd'] 
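Review bot: The new `api.Backend.ldap2.connect()` line in the @@ -532 hunk of dogtag-ipa-ca-renew-agent-submit now silently depends on kinit_keytab() having run first, and nothing in the code records that ordering, which is exactly how the original bug was able to slip in. A one-line comment above the call would pin it down: `# ldap2 authenticates with GSSAPI from KRB5CCNAME; connect only after kinit_keytab() has populated the ccache`. main() starts before and ends after this hunk.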
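Review bot: In the @@ -547 hunk of dogtag-ipa-ca-renew-agent-submit the guarded disconnect is placed first in the finally block, ahead of `certs.renewal_lock.release()` and `shutil.rmtree(tmpdir)`, whereas the removed disconnect ran last. If disconnect() raises (for instance because the LDAP server went away mid-renewal), the renewal lock is never released, tmpdir — which appears to hold the kinit ccache — stays on disk, and the exception supplants whatever error was already in flight. Keeping the old order restores those guarantees: `certs.renewal_lock.release()` then `shutil.rmtree(tmpdir)` and only then `if api.Backend.ldap2.isconnected(): api.Backend.ldap2.disconnect()`. main() begins before this hunk; the trailing `try:` context line belongs to module-level code after it.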
@@ -77,6 +76,8 @@ def _main(): kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename) os.environ['KRB5CCNAME'] = ccache_filename + api.Backend.ldap2.connect() + ca = cainstance.CAInstance(host_name=api.env.host) ca.update_cert_config(nickname, cert) if ca.is_renewal_master(): @@ -184,8 +185,9 @@ def _main(): if conn is not None and conn.isconnected(): conn.disconnect() finally: + if api.Backend.ldap2.isconnected(): + api.Backend.ldap2.disconnect() shutil.rmtree(tmpdir) - api.Backend.ldap2.disconnect() # Now we can start the CA. Using the services start should fire # off the servlet to verify that the CA is actually up and responding so diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index 5c71d57..486ee78 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -38,7 +38,6 @@ from ipaplatform.paths import paths def _main(): api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) api.finalize() - api.Backend.ldap2.connect() tmpdir = tempfile.mkdtemp(prefix="tmp-") try: @@ -47,6 +46,8 @@ def _main(): kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename) os.environ['KRB5CCNAME'] = ccache_filename + api.Backend.ldap2.connect() + ca = cainstance.CAInstance(host_name=api.env.host) ra_certpath = paths.RA_AGENT_PEM if ca.is_renewal_master(): @@ -71,8 +72,9 @@ def _main(): # Load it into dogtag cainstance.update_people_entry(dercert) finally: + if api.Backend.ldap2.isconnected(): + api.Backend.ldap2.disconnect() shutil.rmtree(tmpdir) - api.Backend.ldap2.disconnect() def main():
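Review bot: In renew_ca_cert's @@ -184 hunk the new ldap2 disconnect runs before `shutil.rmtree(tmpdir)` in the finally, so an exception from disconnect() skips the removal of tmpdir, which (judging by the ccache_filename handed to kinit_keytab in the @@ -77 hunk) likely contains a credential cache obtained from the host keytab; the removed line ran after rmtree. Swap the two so the ccache is always cleaned up, i.e. `shutil.rmtree(tmpdir)` followed by `if api.Backend.ldap2.isconnected(): api.Backend.ldap2.disconnect()`, or give the disconnect its own try/finally. _main() starts before this hunk and continues after it, since the CA start follows the finally block.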
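Review bot: renew_ra_cert's @@ -71 hunk orders its cleanup so that the guarded `api.Backend.ldap2.disconnect()` precedes `shutil.rmtree(tmpdir)`; a failing disconnect therefore leaves the temporary directory behind (and, if ccache_filename lives under the mkdtemp directory created in the @@ -38 hunk, the Kerberos ccache with it) and replaces the original exception. Prefer `shutil.rmtree(tmpdir)` first and the isconnected()/disconnect() pair last, matching what the removed line did. _main() begins before this hunk; `def main():` is only trailing context.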