rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity
13b7686650
ipa/0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch
Florence Blanc-Renaud e57a97aa67 ipa-4.11.0-5 
- Resolves: RHEL-12589 ipa: Invalid CSRF protection
- Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit
- Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca'
- Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
- Resolves: RHEL-21810 ipa-client-install --automount-location does not work
- Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0
- Resolves: RHEL-21812 Backport latest test fixes in ipa
- Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa
- Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing
- Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2024-01-18 17:08:12 +01:00

55 lines
2.2 KiB
Diff
Raw Blame History

From 851ce93ac07044172a7db56d54ab9e1d7c7ec79f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 15 Jan 2024 09:05:58 -0500
Subject: [PATCH] Server affinity: Don't rely just on [ca|kra]_enabled for
installs
ca_enable and kra_enabled are intended to be used to identify that
a CA or KRA is available in the topology. It was also being used
to determine whether a CA or KRA service is desired on a replica
install, rather than options.setup_[ca|kra]
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/server/replicainstall.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8096b6accb4c94fefdfcc06f19584c63c24d7baf..191913ddb973b94bcd8ad920570edcee27349ffd 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1143,7 +1143,8 @@ def promote_check(installer):
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
+ config.kra_host_name = kra_host
+ if options.setup_kra: # only reset ca_host if KRA is requested
config.ca_host_name = kra_host
kra_enabled = True # There is a KRA somewhere in the topology
if options.setup_kra and options.server and \
@@ -1381,7 +1382,7 @@ def install(installer):
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
- if ca_enabled:
+ if options.setup_ca and ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
@@ -1397,7 +1398,7 @@ def install(installer):
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
--
2.43.0
Reference in New Issue View Git Blame Copy Permalink