[Freeipa-devel] [PATCHES] 172-196 Refactor certificate renewal code

Petr Spacek pspacek at redhat.com
Thu Mar 20 17:09:06 UTC 2014


On 19.3.2014 14:33, Jan Cholasta wrote:
> freeipa-jcholast-190.2-Store-information-about-which-CA-server-is-master-in.patch
>
>
> From 147ab524032902f29b8c3048cdaf21c5606f2274 Mon Sep 17 00:00:00 2001
> From: Jan Cholasta<jcholast at redhat.com>
> Date: Wed, 16 Oct 2013 08:51:06 +0000
> Subject: [PATCH 17/23] Store information about which CA server is master in
>   LDAP.
>
> ---
>   install/tools/ipa-server-install       |  2 +-
>   ipaserver/install/cainstance.py        | 17 ++++++++++-
>   ipaserver/install/plugins/ca_master.py | 56 ++++++++++++++++++++++++++++++++++
>   ipaserver/install/service.py           |  4 +--
>   4 files changed, 75 insertions(+), 4 deletions(-)
>   create mode 100644 ipaserver/install/plugins/ca_master.py
>
> diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
> index dfe192a..a77ad71 100755
> --- a/install/tools/ipa-server-install
> +++ b/install/tools/ipa-server-install
> @@ -1114,7 +1114,7 @@ def main():
>       if setup_ca:
>           # We need to ldap_enable the CA now that DS is up and running
>           ca.ldap_enable('CA', host_name, dm_password,
> -                       ipautil.realm_to_suffix(realm_name))
> +                       ipautil.realm_to_suffix(realm_name), ['master'])
>
>           # This is done within stopped_service context, which restarts CA
>           ca.enable_client_auth_to_db()
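Review bot: the new trailing argument `['master']` is a bare string literal, and the same word is spelled out again in the cainstance.py lookup filter as `ipaConfigString=master`; make it one named constant that both the ldap_enable() callers and the search use so the two cannot drift, and add a one-line comment here stating that only the CA installed by ipa-server-install gets this flag (the diffstat shows service.py changed as well, but the meaning of the new parameter is not visible in this hunk, so it needs documenting at the call site).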
> diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
> index 227cea0..c7a459d 100644
> --- a/ipaserver/install/cainstance.py
> +++ b/ipaserver/install/cainstance.py
> @@ -1603,8 +1603,23 @@ class CAInstance(service.Service):
>           gone or no longer performing certain duties then it is their
>           responsibility to handle changes on upgrades.
>           """
> +        if not self.admin_conn:
> +            self.ldap_connect()
> +
> +        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
> +                     api.env.basedn)
> +        filter = '(&(cn=CA)(ipaConfigString=master))'
> +        try:
> +            entries = self.admin_conn.get_entries(
> +                base_dn=base_dn, filter=filter, attrs_list=[])
> +        except errors.NotFound:
> +            pass
> +        else:
> +            fqdn = entries[0].dn[1].value
> +            return api.env.host.lower() == fqdn.lower()
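Review bot: `entries[0].dn[1].value` hard-codes the position of the host RDN and silently takes the first match when more than one CA entry carries `ipaConfigString=master`; check `len(entries) == 1` (and log or refuse when it is not) and put the expected DN shape, `cn=CA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<basedn>`, in a comment next to the index so the assumption is visible. Two smaller points in the same hunk: `filter` shadows the Python builtin (e.g. `search_filter` instead), and the `except errors.NotFound: pass` branch falls through to whatever follows the hunk, which is not shown, so the fallback return value deserves an explicit comment. The final `.lower()` comparison is a plain string compare, so `host.example.com.` and `host.example.com` are treated as different hosts.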

Please use python-dns to compare DNS names.

This is fragile as you know :-)

Thanks!

-- 
Petr^2 Spacek
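The string comparison from the quoted hunk set beside the DNS-name comparison Petr asks for, as an added example that is not FreeIPA code and not part of this thread. `naive_same_host` mirrors `api.env.host.lower() == fqdn.lower()` from the patch; `same_dns_name` parses both sides with python-dns (`dns.name.from_text`, which makes a name absolute against the root by default) and compares the resulting `dns.name.Name` objects, so case differences and a trailing dot no longer produce a false mismatch. When dnspython is not importable, a small stand-in with the same two rules is used so the example runs offline; that stand-in is an assumption of this example, not of the project.

```python
"""Host-name comparison: string compare versus DNS-name compare.

Added example (not FreeIPA code).  `naive_same_host` reproduces the
comparison used in the quoted hunk; `same_dns_name` is what the review
asks for: compare dns.name.Name objects built with python-dns.  If
dnspython is absent, `_labels` stands in with the same rules (assumption:
case-insensitive labels, and a trailing dot only marks the name absolute).
"""
try:
    import dns.name
    _HAVE_DNSPYTHON = True
except ImportError:  # keeps the example runnable without the dependency
    _HAVE_DNSPYTHON = False


def naive_same_host(a, b):
    """Plain string comparison as in the patch: a trailing dot breaks it."""
    return a.lower() == b.lower()


def _labels(name):
    """Stand-in for dns.name.from_text(): tuple of lower-cased labels.

    A single trailing dot is the absolute-name marker and is dropped;
    an empty label anywhere else is a malformed name and is rejected.
    """
    if name.endswith("."):
        name = name[:-1]
    if name == "":
        return ()  # the root name
    labels = tuple(label.lower() for label in name.split("."))
    if "" in labels:
        raise ValueError("empty label in DNS name %r" % name)
    return labels


def same_dns_name(a, b):
    """True if a and b name the same DNS node (case and trailing dot ignored)."""
    if _HAVE_DNSPYTHON:
        # from_text() defaults origin to the root, so both become absolute
        # names; Name.__eq__ compares labels case-insensitively.
        return dns.name.from_text(a) == dns.name.from_text(b)
    return _labels(a) == _labels(b)


def is_ca_master(local_host, master_fqdn):
    """The check the hunk performs, using the DNS-aware comparison.

    `local_host` plays the role of api.env.host and `master_fqdn` the
    host RDN read from the cn=masters entry (both constructed inputs).
    """
    return same_dns_name(local_host, master_fqdn)


if __name__ == "__main__":
    # Constructed inputs: the same host as stored in LDAP, once with a
    # trailing dot and mixed case, as it might arrive from DNS or a config.
    pairs = [
        ("Host.Example.COM", "host.example.com"),
        ("host.example.com.", "host.example.com"),
        ("host.example.com", "host.example.org"),
    ]
    for a, b in pairs:
        print("%-20s %-18s naive=%-5s dns=%s"
              % (a, b, naive_same_host(a, b), same_dns_name(a, b)))
```

The second constructed pair is the case that matters for the patch: the naive compare reports two different hosts, so the installer would conclude it is not the CA master, while the DNS-name compare gets it right.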



