authorSimo Sorce <simo@redhat.com>2012-11-12 22:43:05 (GMT)
committerRob Crittenden <rcritten@redhat.com>2013-01-23 19:26:41 (GMT)
commit18eea90ebb24a9c22248f0b7e18646cc6e3e3e0f (patch)
treed254fad8444807639698c491e3382e38a8f75b78
parent69c2f077dfdc3b91c3d892556711e0720502f868 (diff)
Upload CA cert in the directory on install
This will later allow clients to securely download the CA cert by performing mutual auth using LDAP with GSSAPI
-rw-r--r--install/share/Makefile.am3
-rw-r--r--install/share/upload-cacert.ldif7
-rw-r--r--ipaserver/install/dsinstance.py15
3 files changed, 24 insertions, 1 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4a5f81a..f8f9b74 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -60,7 +60,8 @@ app_DATA = \
automember.ldif \
replica-automember.ldif \
replica-s4u2proxy.ldif \
- copy-schema-to-ca.py \
+ copy-schema-to-ca.py \
+ upload-cacert.ldif \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/upload-cacert.ldif b/install/share/upload-cacert.ldif
new file mode 100644
index 0000000..d2087d8
--- /dev/null
+++ b/install/share/upload-cacert.ldif
@@ -0,0 +1,7 @@
+# add CA certificate to LDAP server
+dn: cn=CAcert,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: pkiCA
+cn: CAcert
+cACertificate;binary:: $CADERCERT
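Review bot: The new entry carries no `aci` attribute, so who may read and, more importantly, who may overwrite `cACertificate;binary` on `cn=CAcert,cn=ipa,cn=etc,$SUFFIX` is whatever the `cn=etc` container already grants. The commit description presents this entry as the trust anchor clients will fetch, which only holds if that inherited access control keeps the value writable by administrators alone — worth confirming and recording in the file, e.g. a second comment line `# access control is inherited from cn=etc; the value must not be writable by ordinary clients`. The `changetype: add` also means the template is not re-applicable once the entry exists; if the CA certificate can later change, a separate update path would be needed.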
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 966eeed..76ef687 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -44,6 +44,7 @@ from ipaserver.install import replication
from ipalib import util, errors
from ipapython.dn import DN
from ipaserver.plugins.ldap2 import ldap2
+import base64
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -261,6 +262,7 @@ class DsInstance(service.Service):
self.step("adding range check plugin", self.__add_range_check_plugin)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
+ self.step("Upload CA cert to the directory", self.__upload_ca_cert)
self.__common_post_setup()
@@ -587,6 +589,19 @@ class DsInstance(service.Service):
# check for open secure port 636 from now on
self.open_ports.append(636)
+ def __upload_ca_cert(self):
+ """
+ Upload the CA certificate in DER form in the LDAP directory.
+ """
+
+ dirname = config_dirname(self.serverid)
+ certdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
+
+ dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False)
+ self.sub_dict['CADERCERT'] = base64.b64encode(dercert)
+
+ self._ldap_mod('upload-cacert.ldif', self.sub_dict)
+
def __add_default_layout(self):
self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
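Review bot: The step label added in the second hunk, `self.step("Upload CA cert to the directory", self.__upload_ca_cert)`, breaks the lowercase gerund style of its neighbours (`"adding range check plugin"`, `"creating default HBAC rule allow_all"`); `self.step("uploading CA cert to the directory", self.__upload_ca_cert)` would match. In the third hunk, `__upload_ca_cert` applies `upload-cacert.ldif` with `changetype: add`, so a second run against the same directory would presumably fail with an already-exists error rather than refresh the value — confirm how `_ldap_mod` reports that before relying on this step being re-runnable. The docstring should also state what the code does beyond "upload": it reads the CA cert from the NSS database under `config_dirname(self.serverid)` and leaves the base64 DER in `self.sub_dict['CADERCERT']`, a key that then stays in the shared substitution dict for every later `_ldap_mod` call. In the first hunk `import base64` is placed after the `ipalib`/`ipapython`/`ipaserver` imports; it belongs with the standard-library imports, which are presumably grouped earlier in the file.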