From da2605c942b6119b69e14ab5bec53ddda4393808 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Aug 08 2013 14:52:48 +0000
Subject: Handle --subject option in ipa-server-install

Properly handle --subject option of ipa-server-install, making sure this value gets passed to certmap.conf. Introduce a new template variable $SUBJECT_BASE for this purpose. Also make sure that this value is preserved on upgrades. https://fedorahosted.org/freeipa/ticket/3783

---

diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index cff3a66..7beb507 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -1,4 +1,4 @@
-# VERSION 1 - DO NOT REMOVE THIS LINE
+# VERSION 2 - DO NOT REMOVE THIS LINE
 #
 # This file is managed by IPA and will be overwritten on upgrades.
@@ -84,6 +84,6 @@ certmap default default
 #default:InitFn
 default:DNComps
 default:FilterComps uid
-certmap ipaca CN=Certificate Authority,O=$REALM
+certmap ipaca CN=Certificate Authority,$SUBJECT_BASE
 ipaca:CmapLdapAttr seeAlso
 ipaca:verifycert on
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index de17c5b..ca1dcc7 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -760,6 +760,90 @@ def add_ca_dns_records():
     sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
 
+
+def find_subject_base():
+    """
+    Try to find the current value of certificate subject base.
+    1) Look in sysupgrade first
+    2) If no value is found there, look in DS (start DS if necessary)
+    3) Last resort, look in the certmap.conf itself
+    4) If all fails, log loudly and return None
+    """
+    root_logger.debug('Trying to find certificate subject base in sysupgrade')
+    subject_base = sysupgrade.get_upgrade_state('certmap.conf', 'subject_base')
+
+    if subject_base:
+        root_logger.debug(
+            'Found certificate subject base in sysupgrade: %s',
+            subject_base
+        )
+        return subject_base
+
+    root_logger.debug('Unable to find certificate subject base in sysupgrade')
+    root_logger.debug('Trying to find certificate subject base in DS')
+
+    ds_is_running = services.knownservices.dirsrv.is_running()
+    if not ds_is_running:
+        try:
+            services.knownservices.dirsrv.start()
+        except ipautil.CalledProcessError as e:
+            root_logger.error('Cannot start DS to find certificate '
+                              'subject base: %s', e)
+        else:
+            ds_is_running = True
+
+    if ds_is_running:
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except ipalib.errors.PublicError, e:
+            root_logger.error('Cannot connect to DS to find certificate '
+                              'subject base: %s', e)
+        else:
+            ret = api.Command['config_show']()
+            api.Backend.ldap2.disconnect()
+            subject_base = str(ret['result']['ipacertificatesubjectbase'][0])
+            root_logger.debug(
+                'Found certificate subject base in DS: %s',
+                subject_base
+            )
+
+    if not subject_base:
+        root_logger.debug('Unable to find certificate subject base in DS')
+        root_logger.debug('Trying to find certificate subject base in '
+                          'certmap.conf')
+
+        certmap_dir = dsinstance.config_dirname(
+            dsinstance.realm_to_serverid(api.env.realm)
+        )
+        try:
+            with open(os.path.join(certmap_dir, 'certmap.conf')) as f:
+                for line in f:
+                    if line.startswith('certmap ipaca'):
+                        subject_base = line.strip().split(',')[-1]
+                        root_logger.debug(
+                            'Found certificate subject base in certmap.conf: '
+                            '%s',
+                            subject_base
+                        )
+
+        except IOError as e:
+            root_logger.error('Cannot open certmap.conf to find certificate '
+                              'subject base: %s', e.strerror)
+
+    if subject_base:
+        sysupgrade.set_upgrade_state(
+            'certmap.conf',
+            'subject_base',
+            subject_base
+        )
+        return subject_base
+
+    root_logger.debug('Unable to find certificate subject base in '
+                      'certmap.conf')
+    root_logger.error('Unable to determine certificate subject base. '
+                      'certmap.conf will not be updated.')
+
+
 def uninstall_selfsign(ds, http):
     root_logger.info('[Removing self-signed CA]')
     """Replace self-signed CA by a CA-less install"""
@@ -901,6 +985,10 @@ def main():
         CLONE='#'
     )
 
+    subject_base = find_subject_base()
+    if subject_base:
+        sub_dict['SUBJECT_BASE'] = subject_base
+
     ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
 
     # migrate CRL publish dir before the location in ipa.conf is updated
@@ -918,8 +1006,12 @@ def main():
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
     upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
-    upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"),
-            os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))
+    if subject_base:
+        upgrade(
+            sub_dict,
+            os.path.join(certmap_dir, "certmap.conf"),
+            os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
+        )
     upgrade_pki(ca, fstore)
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e48ced4..8815757 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
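Review bot: The certmap.conf fallback in find_subject_base keeps only the last RDN, `subject_base = line.strip().split(',')[-1]`, so a multi-RDN base supplied via --subject (a constructed example: `O=Example,C=US`) is truncated to `C=US`, cached into the sysupgrade state, and then substituted into the regenerated `certmap ipaca` rule, which would no longer match the CA certificate's subject. Because the leading RDN on that line is the fixed `CN=Certificate Authority`, a single split is enough: `subject_base = line.strip().split(',', 1)[-1]`; round-tripping the recovered string through the DN class before persisting it (if ipapython.dn is imported in this tool) would additionally reject a garbled value read from a hand-edited file. Two smaller points in the DS branch: `api.Backend.ldap2.disconnect()` is skipped if `config_show` raises, and a directory server that this function started is never stopped again — if leaving it running is intended because the rest of the upgrade needs it, a one-line comment saying so would help the next reader.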
@@ -37,6 +37,7 @@ import certs
 import ldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import replication
+from ipaserver.install import sysupgrade
 from ipalib import errors
 from ipapython.dn import DN
 
@@ -653,7 +654,12 @@ class DsInstance(service.Service):
         shutil.copyfile(ipautil.SHARE_DIR + "certmap.conf.template",
                         config_dirname(self.serverid) + "certmap.conf")
         installutils.update_file(config_dirname(self.serverid) + "certmap.conf",
-                                 '$SUBJECT_BASE', str(self.subject_base))
+                                 '$SUBJECT_BASE', str(self.subject_base))
+        sysupgrade.set_upgrade_state(
+            'certmap.conf',
+            'subject_base',
+            str(self.subject_base)
+        )
 
     def __enable_ldapi(self):
         self._ldap_mod("ldapi.ldif", self.sub_dict)
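Review bot: `str(self.subject_base)` is written into certmap.conf and into the sysupgrade state without checking that a subject base was actually set on the instance; if any construction path leaves `self.subject_base` as None (not visible in this hunk), the mapping rule gets the literal suffix `None` and the cached value would later be accepted as valid by the upgrade tool, since it only tests truthiness. Computing the string once, `subject_base = str(self.subject_base)`, and failing early with `if self.subject_base is None: raise ValueError("subject_base is required to write certmap.conf")` keeps the file and the cached state consistent and turns a silent mis-mapping into a visible install error. The enclosing method begins before this hunk.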