From aae78480220203b1c64c8b3c6b8297868c849110 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Sep 02 2014 13:28:51 +0000 Subject: Allow changing CA renewal master in ipa-csreplica-manage. https://fedorahosted.org/freeipa/ticket/4039 Reviewed-By: Petr Viktorin --- diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index cfcb354..c534446 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -34,15 +34,16 @@ from ipapython.dn import DN # dict of command name and tuples of min/max num of args needed commands = { - "list":(0, 1, "[master fqdn]", ""), - "connect":(1, 2, " [other master fqdn]", - "must provide the name of the servers to connect"), - "disconnect":(1, 2, " [other master fqdn]", - "must provide the name of the server to disconnect"), - "del":(1, 1, "", - "must provide hostname of master to delete"), - "re-initialize":(0, 0, "", ""), - "force-sync":(0, 0, "", "") + "list": (0, 1, "[master fqdn]", ""), + "connect": (1, 2, " [other master fqdn]", + "must provide the name of the servers to connect"), + "disconnect": (1, 2, " [other master fqdn]", + "must provide the name of the server to disconnect"), + "del": (1, 1, "", + "must provide hostname of master to delete"), + "re-initialize": (0, 0, "", ""), + "force-sync": (0, 0, "", ""), + "set-renewal-master": (0, 1, "[master fqdn]", "") } @@ -375,6 +376,21 @@ def force_sync(realm, thishost, fromhost, dirman_passwd): except Exception, e: sys.exit(str(e)) +def set_renewal_master(realm, replica): + if not replica: + replica = installutils.get_fqdn() + + ca = cainstance.CAInstance(realm, certs.NSS_DIR) + if ca.is_renewal_master(replica): + sys.exit("%s is already the renewal master" % replica) + + try: + ca.set_renewal_master(replica) + except Exception, e: + sys.exit("Failed to set renewal master to %s: %s" % (replica, e)) + + print "%s is now the renewal master" % replica + def main(): options, args = parse_options() 
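Review bot: `set_renewal_master` takes whatever hostname was given on the command line and hands it straight to `ca.set_renewal_master(replica)` without confirming that the host is a CA master in this topology; whether `CAInstance.set_renewal_master` validates that itself is not visible here, and if it does not, a mistyped or non-CA hostname would point subsystem-certificate renewal at a host that cannot perform it, with nothing failing until the certificates expire. A membership check against the CA masters this tool already enumerates for `list` (or at least a clear error for an unknown host) before the call would make the command fail safely. The function also has no docstring; `"""Make replica (default: this host) the CA renewal master for realm; exits on failure."""` would cover it. The broad `except Exception, e:` mirrors `force_sync` just above, so it is consistent with the file, though a narrower exception type would keep unexpected errors from being reduced to a one-line exit message.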
@@ -439,6 +455,11 @@ def main(): replica1 = host replica2 = args[1] del_link(realm, replica1, replica2, dirman_passwd, options.force) + elif args[0] == 'set-renewal-master': + replica = None + if len(args) > 1: + replica = args[1] + set_renewal_master(realm, replica) try: main() diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1 index ddb28da..3164ea6 100644 --- a/install/tools/man/ipa-csreplica-manage.1 +++ b/install/tools/man/ipa-csreplica-manage.1 @@ -42,6 +42,9 @@ Manages the CA replication agreements of an IPA server. \fBforce\-sync\fR \- Immediately flush any data to be replicated from a server specified with the \-\-from option .TP +\fBset\-renewal\-master\fR [SERVER] +\- Set CA server which handles renewal of CA subsystem certificates to SERVER +.TP The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas. .TP The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.
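Review bot: The new `set-renewal-master` branch in `main()` (whose body starts and ends outside this hunk) calls `set_renewal_master(realm, replica)` without the `dirman_passwd` that the neighbouring `del_link(...)` call passes, so it presumably relies on whatever local credentials `CAInstance` uses; a one-line comment stating why no Directory Manager password is required here, if that is the intent, would stop the next reader from assuming an argument was forgotten. The three-line `replica` setup can be collapsed to `replica = args[1] if len(args) > 1 else None`, matching the single-line assignments in the branch above it.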