[Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin
Ade Lee
alee at redhat.com
Sat May 10 03:38:09 UTC 2014
Attached is patch 6-1, which addresses the issues listed below.
In addition, there are two additional patches which:
7. disable the automatic install of the DRM in ipa-server-install as
decided until Dogtag 10.2 is available.
8. Add the ability to install a DRM replica using ipa-drm-install.
The install procedure is now as follows:
On Master:
1. ipa-server-install (installs ipa and dogtag CA)
2. ipa-drm-install (installs drm)
3. ipa-replica-prepare <clone_hostname>
On clone:
1. ipa-replica-install <replica_file> (installs ipa replica)
2. ipa-ca-install <replica_file> (installs replica ca)
3. ipa-drm-install <replica_file>
On the clone, if you fail to add a replica_file, the install scripts
will detect that a DRM has been installed in the security domain, and
prompt for a replica file.
For this all to work, you will need the newest version of Dogtag 10.2 -
which contains fixes that are not yet checked into Dogtag. A build can
be found at:
http://copr.fedoraproject.org/coprs/vakwetu/dogtag/repo/fedora-20-x86_64/vakwetu-dogtag-fedora-20-x86_64.repo
Ade
Note: For convenience, all the DRM patches have been appended to this
email.
On Thu, 2014-05-01 at 14:55 -0400, Rob Crittenden wrote:
> Ade Lee wrote:
> > I have attached a patch that contains code for the new dogtag DRM plugin
> > vault functionality. This patch should be applied on top of the ones
> > used to install a DRM.
> >
> > Forthcoming is a patch to actually start using this plugin.
>
> All the imports should be at the top of the file.
>
done.
> In _create_pem_file there is a ipaserver.install.certs.export_pkcs12()
> that you can re-use. Similarly install_pem_from_p12() probably does the
> same thing, and your copy doesn't take the PKCS#12 password as input AFAICT.
>
done.
> In _transport_cert_present you can use:
>
> from ipaserver.install import certs
>
> db = certs.CertDB(self.realm, nssdir=self.sec_dir)
> return db.has_nickname(self.transport_nick)
>
done.
> Should there be error handling around keyclient calls or will that be
> handled at a different level?
>
I think the keyclient calls should throw exceptions and the error
handling should be performed at a higher level. We can revisit this when
we write the code that calls this plugin.
> Incidentally, installing a replica on F-20 with pki-ca-10.2.0-0.1
> against an F-20 master with pki-ca-10.1.1-1 fails with this traceback in
> pkispawn:
>
> File "/usr/sbin/pkispawn", line 514, in <module>
> main(sys.argv)
> File "/usr/sbin/pkispawn", line 423, in main
> info = parser.sd_get_info()
> File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 463, in sd_get_info
> info = sd.getSecurityDomainInfo()
> File "/usr/lib/python2.7/site-packages/pki/system.py", line 44, in getSecurityDomainInfo
> info.name = response.json()['id']
> KeyError: 'id'
>
I'll have to look into this. Will fix in another patch. This will be a
dogtag patch though.
> rob
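The review above suggests implementing the plugin's `_transport_cert_present` check with `certs.CertDB(...).has_nickname(...)`. As an added example (not code from this patch series or from FreeIPA), the block below shows the same kind of check done stand-alone: it parses the listing produced by `certutil -L -d <nssdir>` (the NSS tool FreeIPA's CertDB wraps) and looks the transport certificate up by nickname. The sample listing is constructed for the example, and the nickname `transportCert cert-pki-kra` is assumed for illustration; a real deployment's nickname comes from its own configuration.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d <nssdir>` output for this example;
# it is not captured from any IPA or Dogtag installation. The KRA transport
# certificate nickname used here is an assumption.
SAMPLE_CERTUTIL_OUTPUT = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
transportCert cert-pki-kra                                   u,u,u
"""

# certutil trust strings are three comma-separated groups of flag letters
# (e.g. "CTu,Cu,Cu", or ",," for a certificate with no trust flags).
TRUST_RE = re.compile(r"^[CTcPpuw,]*$")


def parse_certutil_listing(text):
    """Return {nickname: trust_attributes} parsed from `certutil -L` output.

    Nicknames may contain spaces, so the line is split on its LAST space:
    everything after it is the trust string, everything before is the nickname.
    """
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        # Skip the two header lines certutil prints before the certificates.
        if line.startswith("Certificate Nickname") or \
                line.lstrip().startswith("SSL,S/MIME"):
            continue
        nick, _, trust = line.rpartition(" ")
        nick = nick.rstrip()
        if not nick or not TRUST_RE.match(trust):
            # Surface an unexpected layout instead of silently dropping it.
            raise ValueError("unparseable certutil line: %r" % line)
        certs[nick] = trust
    return certs


def has_nickname(listing, nickname):
    """True if a certificate with exactly this nickname is in the listing."""
    return nickname in parse_certutil_listing(listing)


def list_nss_certs(nssdir):
    """Run certutil against a real NSS database directory (needs nss-tools).

    Errors (missing database, certutil not installed) propagate to the caller,
    matching the thread's view that failures should be handled at a higher level.
    """
    out = subprocess.check_output(["certutil", "-L", "-d", nssdir])
    return parse_certutil_listing(out.decode())


def transport_cert_present(nssdir, nickname="transportCert cert-pki-kra"):
    """Stand-alone equivalent of the `_transport_cert_present` check."""
    return nickname in list_nss_certs(nssdir)


if __name__ == "__main__":
    print(has_nickname(SAMPLE_CERTUTIL_OUTPUT, "transportCert cert-pki-kra"))
```

Matching is on the full nickname rather than a substring so that, for example, a CA-side certificate with a similar prefix is not mistaken for the KRA transport certificate.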
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-a-DRM-to-IPA.patch
Type: text/x-patch
Size: 40124 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-a-DRM-to-IPA.patch
Type: text/x-patch
Size: 73390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Added-ipa-drm-install.patch
Type: text/x-patch
Size: 22704 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Added-nolog-to-pkispawn-and-some-additional-fixes-fr.patch
Type: text/x-patch
Size: 13199 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Fix-various-pep-8-issues-and-comments-from-review.patch
Type: text/x-patch
Size: 31467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-1-Added-dogtag-plugin-for-DRM.patch
Type: text/x-patch
Size: 23333 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-Allow-ipa-replica-install-to-be-used-for-installing-.patch
Type: text/x-patch
Size: 19638 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-set-drm-to-not-install-by-default-with-ipa-server-in.patch
Type: text/x-patch
Size: 1082 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0007.bin>