pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone
Source Code
GIT

Blame SOURCES/0029-Fix-KRA-replica-installation-from-CA-master.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client
  1.   21de49fa266fe57ed8e4e49cb95352d0c40ca096
  2.   SOURCES
  3.   0029-Fix-KRA-replica-installation-from-CA-master.patch
Blob History Raw
95ea96 
From 609ccb601843b97b25f2fde3c4981839822af503 Mon Sep 17 00:00:00 2001
2737e7 
From: Christian Heimes <cheimes@redhat.com>
2737e7 
Date: Tue, 17 Jul 2018 08:53:39 +0200
2737e7 
Subject: [PATCH] Fix KRA replica installation from CA master
2737e7
2737e7 
ipa-replica-install --kra-install can fail when the topology already has
2737e7 
a KRA, but replica is installed from a master with just CA. In that
2737e7 
case, Custodia may pick a machine that doesn't have the KRA auditing and
2737e7 
signing certs in its NSSDB.
2737e7
2737e7 
Example:
2737e7 
 * master with CA
2737e7 
 * replica1 with CA and KRA
2737e7 
 * new replica gets installed from master
2737e7
2737e7 
The replica installer now always picks a KRA peer.
2737e7
2737e7 
The change fixes test scenario TestInstallWithCA1::()::test_replica2_ipa_dns_install
2737e7
2737e7 
Fixes: https://pagure.io/freeipa/issue/7518
2737e7 
See: https://pagure.io/freeipa/issue/7008
2737e7 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
2737e7 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2737e7 
---
2737e7 
 ipaserver/install/server/replicainstall.py | 5 ++++-
2737e7 
 1 file changed, 4 insertions(+), 1 deletion(-)
2737e7
2737e7 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
95ea96 
index 8826da232a90380084b0e4f3dca783125a5500da..e78a2b992fbd44b8ee3ccd8183ebd6e13dfd1749 100644
2737e7 
--- a/ipaserver/install/server/replicainstall.py
2737e7 
+++ b/ipaserver/install/server/replicainstall.py
95ea96 
@@ -1486,7 +1486,10 @@ def install(installer):
2737e7 
     otpd.create_instance('OTPD', config.host_name,
2737e7 
                          ipautil.realm_to_suffix(config.realm_name))
2737e7
2737e7 
-    if ca_enabled:
2737e7 
+    if kra_enabled:
2737e7 
+        # A KRA peer always provides a CA, too.
2737e7 
+        mode = custodiainstance.CustodiaModes.KRA_PEER
2737e7 
+    elif ca_enabled:
2737e7 
         mode = custodiainstance.CustodiaModes.CA_PEER
2737e7 
     else:
2737e7 
         mode = custodiainstance.CustodiaModes.MASTER_PEER
2737e7 
--
2737e7 
2.17.1
2737e7

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation