f19c883a04
Add upstream fixes - Fix memory leak in Kerberos KDC driver - Fix possible crash in IPA command line tool when accessing Kerberos credentials - Compatibility fix for Python Cryptography 42.0.0 - Fix CA affinity when installing replica Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
From 5dbb3101cee7a96ec8eef40be8e802d456c0d06c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 22 Jan 2024 08:36:27 -0500
Subject: [PATCH] Server affinity: call ca.install() if there is a CA in the
topology
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ca.py | 7 ++++---
ipaserver/install/server/replicainstall.py | 7 +++++--
2 files changed, 9 insertions(+), 5 deletions(-)
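diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index c93ae1fce..187f8032b 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia):
 promote = False
 else:
 cafile = os.path.join(replica_config.dir, 'cacert.p12')
- custodia.get_ca_keys(
- cafile,
- replica_config.dirman_password)
+ if replica_config.setup_ca:
+ custodia.get_ca_keys(
+ cafile,
+ replica_config.dirman_password)
 
 ca_signing_algorithm = None
 ca_type = None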
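Review bot: The new `if replica_config.setup_ca:` guard around `custodia.get_ca_keys()` has no comment saying why key retrieval is conditional, and `cafile` is still assigned on the path where `cacert.p12` is never fetched. Any later use of `cafile` in `install_step_0` would then need the same guard; the function body continues outside this hunk, so that cannot be checked from here. I would add above the guard `# Only a replica that will host a CA needs the CA key material; RA-agent-only installs skip the transfer.` so the next maintainer does not remove the check as redundant. It is also worth confirming that `replica_config.setup_ca` is always set by the caller, since replicainstall.py previously gated on `options.setup_ca` rather than on the config object.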
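diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 191913ddb..b3fd27e6a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1382,11 +1382,13 @@ def install(installer):
 custodia = custodiainstance.get_custodia_instance(config, mode)
 custodia.create_instance()
 
- if options.setup_ca and ca_enabled:
+ if ca_enabled:
 options.realm_name = config.realm_name
 options.domain_name = config.domain_name
 options.host_name = config.host_name
 options.dm_password = config.dirman_password
+ # Always call ca.install() if there is a CA in the topology
+ # to ensure the RA agent is present.
 ca.install(False, config, options, custodia=custodia)
 
 # configure PKINIT now that all required services are in place
@@ -1398,7 +1400,8 @@ def install(installer):
 service.print_msg("Finalize replication settings")
 ds.finalize_replica_config()
 
- if options.setup_kra and kra_enabled:
+ if kra_enabled:
+ # The KRA installer checks for itself the status of setup_kra
 kra.install(api, config, options, custodia=custodia)
 
 service.print_msg("Restarting the KDC")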
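Review bot: With `if ca_enabled:` the call to `ca.install()` now also runs on replicas that did not request a CA, so whether such a replica ends up with only the RA agent depends on checks inside `ca.install()` that this section does not show. The only such check visible in the patch is the `replica_config.setup_ca` guard around `custodia.get_ca_keys()` in ca.py. The added comment explains why the call is unconditional but not what keeps it safe; I would extend it with `# ca.install() itself checks setup_ca and must not configure a full CA or fetch CA keys when it is unset.` The `if kra_enabled:` hunk already documents the equivalent assumption for `kra.install()`, though that check is likewise outside the visible lines. `install()` begins and ends outside both hunks, and a regression test for a replica install without a CA in a topology that has one would pin the intended behaviour.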
--
2.43.0