e57a97aa67
- Resolves: RHEL-12589 ipa: Invalid CSRF protection - Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit - Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca' - Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT - Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix - Resolves: RHEL-21810 ipa-client-install --automount-location does not work - Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0 - Resolves: RHEL-21812 Backport latest test fixes in ipa - Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa - Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing - Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From d2ffa10df62bba45aa63232d3ad9a5ebf7158eea Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Tue, 5 Dec 2023 14:34:31 -0500
|
|
Subject: [PATCH] Server affinity: Retain user-requested remote server
|
|
|
|
We want to avoid splitting a replica server installation between
|
|
two hosts where possible so if a CA or KRA is requested then
|
|
we only try to install against a remote server that also provides
|
|
those capabilities. This avoids race conditions.
|
|
|
|
If a CA or KRA is not requested and the user has provided a
|
|
server to install against then use that instead of overriding it.
|
|
|
|
Extend the logic of picking the remote Custodia mode
|
|
(KRA, CA, *MASTER*) to include considering whether the
|
|
CA and KRA services are requested. If the service(s) are
|
|
not requested then the associated hostname may not be
|
|
reliable.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9491
|
|
Related: https://pagure.io/freeipa/issue/9289
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
ipaserver/install/server/replicainstall.py | 19 +++++++++----------
|
|
1 file changed, 9 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
index 27fbdef8ec9aa5ae343352ebf3c61d74d65c8958..8096b6accb4c94fefdfcc06f19584c63c24d7baf 100644
|
|
--- a/ipaserver/install/server/replicainstall.py
|
|
+++ b/ipaserver/install/server/replicainstall.py
|
|
@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
|
|
|
|
|
|
def remote_connection(config):
|
|
+ logger.debug("Creating LDAP connection to %s", config.master_host_name)
|
|
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
|
|
xmlrpc_uri = 'https://{}/ipa/xml'.format(
|
|
ipautil.format_netloc(config.master_host_name))
|
|
@@ -1087,7 +1088,7 @@ def promote_check(installer):
|
|
'CA', conn, preferred_cas
|
|
)
|
|
if ca_host is not None:
|
|
- if config.master_host_name != ca_host:
|
|
+ if options.setup_ca and config.master_host_name != ca_host:
|
|
conn.disconnect()
|
|
del remote_api
|
|
config.master_host_name = ca_host
|
|
@@ -1096,8 +1097,7 @@ def promote_check(installer):
|
|
conn = remote_api.Backend.ldap2
|
|
conn.connect(ccache=installer._ccache)
|
|
config.ca_host_name = ca_host
|
|
- config.master_host_name = ca_host
|
|
- ca_enabled = True
|
|
+ ca_enabled = True # There is a CA somewhere in the topology
|
|
if options.dirsrv_cert_files:
|
|
logger.error("Certificates could not be provided when "
|
|
"CA is present on some master.")
|
|
@@ -1135,7 +1135,7 @@ def promote_check(installer):
|
|
'KRA', conn, preferred_kras
|
|
)
|
|
if kra_host is not None:
|
|
- if config.master_host_name != kra_host:
|
|
+ if options.setup_kra and config.master_host_name != kra_host:
|
|
conn.disconnect()
|
|
del remote_api
|
|
config.master_host_name = kra_host
|
|
@@ -1143,10 +1143,9 @@ def promote_check(installer):
|
|
installer._remote_api = remote_api
|
|
conn = remote_api.Backend.ldap2
|
|
conn.connect(ccache=installer._ccache)
|
|
- config.kra_host_name = kra_host
|
|
- config.ca_host_name = kra_host
|
|
- config.master_host_name = kra_host
|
|
- kra_enabled = True
|
|
+ config.kra_host_name = kra_host
|
|
+ config.ca_host_name = kra_host
|
|
+ kra_enabled = True # There is a KRA somewhere in the topology
|
|
if options.setup_kra and options.server and \
|
|
kra_host != options.server:
|
|
# Installer was provided with a specific master
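Review bot: `config.ca_host_name = kra_host` in this hunk still runs whenever a KRA is found, while `config.master_host_name` is now only switched to kra_host when `options.setup_kra` is set; the `-`/`+` pairs here differ only in whitespace in this rendering, so I read the re-added lines as sitting at the `if kra_host is not None:` level rather than inside the guarded block. If that reading is right, a replica requested with `--setup-ca` but without `--setup-kra` leaves master_host_name at ca_host (from the CA hunk above) while ca_host_name is overwritten with kra_host, and if CA_PEER mode in install() derives its Custodia peer from ca_host_name as its name suggests, the CA bootstrap talks to a different host than the LDAP connection — the split across two hosts the commit sets out to avoid. Consider keeping the value chosen in the CA block unless the KRA host is also the install target, e.g. `if options.setup_kra: config.ca_host_name = kra_host`, and note that the same unconditional overwrite pattern is not present in the CA hunk, so the two blocks would then agree. promote_check continues outside the hunk, so any later consumer of ca_host_name is not visible here.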
|
|
@@ -1372,10 +1371,10 @@ def install(installer):
|
|
otpd.create_instance('OTPD', config.host_name,
|
|
ipautil.realm_to_suffix(config.realm_name))
|
|
|
|
- if kra_enabled:
|
|
+ if options.setup_kra and kra_enabled:
|
|
# A KRA peer always provides a CA, too.
|
|
mode = custodiainstance.CustodiaModes.KRA_PEER
|
|
- elif ca_enabled:
|
|
+ elif options.setup_ca and ca_enabled:
|
|
mode = custodiainstance.CustodiaModes.CA_PEER
|
|
else:
|
|
mode = custodiainstance.CustodiaModes.MASTER_PEER
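Review bot: The new `options.setup_kra and` / `options.setup_ca and` conditions change what the mode selection means without a comment saying so: a topology that has a CA now yields MASTER_PEER whenever this replica does not itself install a CA, which a reader of `elif options.setup_ca and ca_enabled:` could easily take for a bug. A comment above `if options.setup_kra and kra_enabled:` would make the intent explicit, e.g. `# Pick the Custodia peer by what this replica installs, not by what the topology offers: without --setup-ca/--setup-kra, master_host_name may not be the CA/KRA host (see promote_check).` install() starts outside the hunk, so where ca_enabled and kra_enabled come from is not visible here.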
|
|
--
|
|
2.43.0
|
|
|