[Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin

Ade Lee alee at redhat.com
Sat May 10 03:38:09 UTC 2014


Attached is patch 6-1, which addresses the issues listed below.
In addition, there are two additional patches which:

7. Disable the automatic install of the DRM in ipa-server-install as
decided until Dogtag 10.2 is available.

8. Add the ability to install a DRM replica using ipa-drm-install.

The install procedure is now as follows:

On Master:
1. ipa-server-install (installs ipa and dogtag CA)
2. ipa-drm-install (installs drm)
3. ipa-replica-prepare <clone_hostname>

On clone:
1. ipa-replica-install <replica_file> (installs ipa replica)
2. ipa-ca-install <replica_file> (installs replica ca)
3. ipa-drm-install <replica_file>

On the clone, if you fail to add a replica_file, the install scripts
will detect that a DRM has been installed in the security domain, and
prompt for a replica file.

For this all to work, you will need the newest version of Dogtag 10.2 -
which contains fixes that are not yet checked into Dogtag.  A build can
be found at:
http://copr.fedoraproject.org/coprs/vakwetu/dogtag/repo/fedora-20-x86_64/vakwetu-dogtag-fedora-20-x86_64.repo

Ade

Note: For convenience, all the DRM patches have been appended to this
email.
 
On Thu, 2014-05-01 at 14:55 -0400, Rob Crittenden wrote:
> Ade Lee wrote:
> > I have attached a patch that contains code for the new dogtag DRM plugin
> > vault functionality.  This patch should be applied on top of the ones
> > used to install a DRM.
> >
> > Forthcoming is a patch to actually start using this plugin.
> 
> All the imports should be at the top of the file.
> 
done.

> In _create_pem_file there is an ipaserver.install.certs.export_pkcs12() 
> that you can re-use. Similarly install_pem_from_p12() probably does the 
> same thing, and your copy doesn't take the PKCS#12 password as input AFAICT.
> 
done.

> In _transport_cert_present you can use:
> 
> from ipaserver.install import certs
> 
> db = certs.CertDB(self.realm, nssdir=self.sec_dir)
> return db.has_nickname(self.transport_nick)
> 
done.

> Should there be error handling around keyclient calls or will that be 
> handled at a different level?
> 
I think the keyclient calls should throw exceptions and the error
handling should be performed at a higher level. We can revisit this when
we write the code that calls this plugin.
 
> Incidentally, installing a replica on F-20 with pki-ca-10.2.0-0.1 
> against an F-20 master with pki-ca-10.1.1-1 fails with this traceback in 
> pkispawn:
> 
>    File "/usr/sbin/pkispawn", line 514, in <module>
>      main(sys.argv)
>    File "/usr/sbin/pkispawn", line 423, in main
>      info = parser.sd_get_info()
>    File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 463, in sd_get_info
>      info = sd.getSecurityDomainInfo()
>    File "/usr/lib/python2.7/site-packages/pki/system.py", line 44, in getSecurityDomainInfo
>      info.name = response.json()['id']
> KeyError: 'id'
> 
I'll have to look into this.  Will fix in another patch.  This will be a
dogtag patch though.

> rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-a-DRM-to-IPA.patch
Type: text/x-patch
Size: 40124 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-a-DRM-to-IPA.patch
Type: text/x-patch
Size: 73390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Added-ipa-drm-install.patch
Type: text/x-patch
Size: 22704 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Added-nolog-to-pkispawn-and-some-additional-fixes-fr.patch
Type: text/x-patch
Size: 13199 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Fix-various-pep-8-issues-and-comments-from-review.patch
Type: text/x-patch
Size: 31467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-1-Added-dogtag-plugin-for-DRM.patch
Type: text/x-patch
Size: 23333 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-Allow-ipa-replica-install-to-be-used-for-installing-.patch
Type: text/x-patch
Size: 19638 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-set-drm-to-not-install-by-default-with-ipa-server-in.patch
Type: text/x-patch
Size: 1082 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140509/d45f0837/attachment-0007.bin>
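Worked example of the nickname check Rob suggests for _transport_cert_present. This is an added illustration, not IPA's or Dogtag's code and not part of any patch in this thread. IPA's own check is certs.CertDB(self.realm, nssdir=self.sec_dir).has_nickname(self.transport_nick); the standalone version below reaches the same yes/no answer by running certutil -L -d <nssdir> and parsing the listing, so it can be pointed at any NSS database. The sample listing, the directory /tmp/nssdb and the nickname "KRA Transport Certificate" are constructed for the example; the real transport certificate nickname is whatever self.transport_nick holds.

```python
import subprocess
from typing import Callable, List, Optional

# Constructed sample of `certutil -L -d <nssdir>` output (not captured from a
# real IPA install). Nicknames may contain spaces; the trust flags are the
# last whitespace-separated column and may be empty (",,").
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
KRA Transport Certificate                                    ,,
"""


def nicknames_from_certutil_output(output: str) -> List[str]:
    """Return the certificate nicknames listed by `certutil -L`.

    The listing is two header lines, a blank line, then one line per
    certificate: the nickname (possibly multi-word) padded with spaces,
    followed by a trust column such as ``u,u,u`` or ``,,``. Splitting on the
    last run of whitespace keeps multi-word nicknames intact.
    """
    lines = output.splitlines()
    # Everything up to and including the first blank line is the header.
    try:
        start = lines.index("") + 1
    except ValueError:
        start = 0

    nicknames = []
    for line in lines[start:]:
        if not line.strip():
            continue
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            # No separate trust column: not a certificate entry.
            continue
        nickname, trust = parts
        if "," not in trust:
            # The trust column always carries the two separating commas.
            continue
        nicknames.append(nickname.rstrip())
    return nicknames


def _run_certutil(cmd: List[str]) -> str:
    """Run certutil and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def has_nickname(nssdir: str, nickname: str,
                 run: Optional[Callable[[List[str]], str]] = None) -> bool:
    """Check whether `nickname` exists in the NSS database at `nssdir`.

    `run` executes a command line and returns its stdout. It defaults to
    invoking certutil, so the function works against a real database; the
    test injects a function returning the constructed listing instead.
    """
    run = run or _run_certutil
    output = run(["certutil", "-L", "-d", nssdir])
    return nickname in nicknames_from_certutil_output(output)


if __name__ == "__main__":
    # Hypothetical values standing in for self.sec_dir and self.transport_nick.
    present = has_nickname("/tmp/nssdb", "KRA Transport Certificate",
                           run=lambda cmd: SAMPLE_CERTUTIL_OUTPUT)
    print("transport cert present:", present)
```

Injecting `run` lets the parser be exercised against the constructed listing without an NSS database on the machine; only the last whitespace-separated field is treated as the trust column, which is what keeps nicknames with spaces (common for CA and transport certificates) from being split apart.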
