[Freeipa-devel] [PATCH] 6 - Dogtag DRM -IPA plugin

Ade Lee alee at redhat.com
Tue May 27 21:57:40 UTC 2014


There have been a couple of changes in the Dogtag interface, that
require some changes in the IPA patches.  Also, I had to add back a
function in order to rebase to the latest IPA code.

Most of the patches are as before, attached to this email by default.

The latest Dogtag 10.2 build with the relevant changes needed to work
with these patches is at: 
http://copr.fedoraproject.org/coprs/vakwetu/dogtag/

Ade

On Fri, 2014-05-09 at 23:38 -0400, Ade Lee wrote:
> Attached is patch 6-1, which addresses the issues listed below.
> In addition, there are two additional patches which:
> 
> 7. disable the automatic install of the DRM in ipa-server-install as
> decided until Dogtag 10.2 is available.
> 
> 8. Add the ability to install a DRM replica using ipa-drm-install.
> 
> The install procedure is now as follows:
> 
> On Master:
> 1. ipa-server-install (installs ipa and dogtag CA)
> 2. ipa-drm-install  (installs drm)
> 3. ipa-replica-prepare <clone_hostname>
> 
> On clone:
> 1. ipa-replica-install <replica_file> (installs ipa replica)
> 2. ipa-ca-install <replica_file> (installs replica ca)
> 3. ipa-drm-install <replica file>
> 
> On the clone, if you fail to add a replica_file, the install scripts
> will detect that a DRM has been installed in the security domain, and
> prompt for a replica file.
> 
> For this all to work, you will need the newest version of Dogtag 10.2 -
> which contains fixes that are not yet checked into Dogtag.  A build can
> be found at:
> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/repo/fedora-20-x86_64/vakwetu-dogtag-fedora-20-x86_64.repo
> 
> Ade
> 
> Note: For convenience, all the DRM patches have been appended to this
> email.
>  
> On Thu, 2014-05-01 at 14:55 -0400, Rob Crittenden wrote:
> > Ade Lee wrote:
> > > I have attached a patch that contains code for the new dogtag DRM plugin
> > > vault functionality.  This patch should be applied on top of the ones
> > > used to install a DRM.
> > >
> > > Forthcoming is a patch to actually start using this plugin.
> > 
> > All the imports should be at the top of the file.
> > 
> done.
> 
> > In _create_pem_file there is a ipaserver.install.certs.export_pkcs12() 
> > that you can re-use. Similarly install_pem_from_p12() probably does the 
> > same thing, and your copy doesn't take the PKCS#12 password as input AFAICT.
> > 
> done.
> > In _transport_cert_present you can use:
> > 
> > from ipaserver.install import certs
> > 
> > db = certs.CertDB(self.realm, nssdir=self.sec_dir)
> > return db.has_nickname(self.transport_nick)
> > 
> done.
> > Should there be error handling around keyclient calls or will that be 
> > handled at a different level?
> > 
> I think the keyclient calls should throw exceptions and the error
> handling should be performed at a higher level. We can revisit this when
> we write the code that calls this plugin.
>  
> > Incidentally, installing a replica on F-20 with pki-ca-10.2.0-0.1 
> > against an F-20 master with pki-ca-10.1.1-1 fails with this traceback in 
> > pkispawn:
> > 
> >    File "/usr/sbin/pkispawn", line 514, in <module>
> >      main(sys.argv)
> >    File "/usr/sbin/pkispawn", line 423, in main
> >      info = parser.sd_get_info()
> >    File 
> > "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", 
> > line 463, in sd_get_info
> >      info = sd.getSecurityDomainInfo()
> >    File "/usr/lib/python2.7/site-packages/pki/system.py", line 44, in 
> > getSecurityDomainInfo
> >      info.name = response.json()['id']
> > KeyError: 'id'
> > 
> I'll have to look into this.  Will fix in another patch.  This will be a
> dogtag patch though.
> 
> > rob
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

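The clone-side behaviour described in Ade's message (if a DRM is already present in the security domain, a replica file is required, otherwise the DRM is installed as the first one) and the failure Rob hit (`KeyError: 'id'` from `getSecurityDomainInfo()` when the master runs an older Dogtag) can be shown as one small decision routine. This is an added example written for this page, not IPA or Dogtag code: the JSON shape of the security-domain response, the subsystem name `KRA`, and the function names are assumptions, and the three sample responses are constructed.

```python
"""Decide how an ipa-drm-install run should proceed from the CA's
security-domain information (added illustration, not project code)."""
import json

# Constructed sample responses. The document layout (top-level "id",
# "subsystems" mapping a subsystem type to host entries) is an assumption,
# not the real Dogtag wire format.
MASTER_ONLY_DOMAIN = json.dumps({
    "id": "EXAMPLE.TEST",
    "subsystems": {
        "CA": [{"hostname": "master.example.test", "port": "443", "clone": "FALSE"}],
    },
})

DOMAIN_WITH_DRM = json.dumps({
    "id": "EXAMPLE.TEST",
    "subsystems": {
        "CA": [{"hostname": "master.example.test", "port": "443", "clone": "FALSE"},
               {"hostname": "clone.example.test", "port": "443", "clone": "TRUE"}],
        "KRA": [{"hostname": "master.example.test", "port": "443", "clone": "FALSE"}],
    },
})

# What an older master might return: a document without the "id" key.
# Constructed to reproduce the KeyError from the thread; the real shape
# of the older response is not known from the page.
OLD_MASTER_RESPONSE = json.dumps({"DomainInfo": {"name": "EXAMPLE.TEST"}})


class SecurityDomainError(Exception):
    """Raised when the security-domain document cannot be interpreted."""


def parse_security_domain(raw):
    """Return (domain_name, [(subsystem, hostname, is_clone), ...]).

    Missing 'id' is turned into a descriptive error instead of a bare
    KeyError so the installer can tell the user the master is too old.
    """
    data = json.loads(raw)
    if "id" not in data:
        raise SecurityDomainError(
            "security-domain response has no 'id' field; the master CA "
            "probably runs a Dogtag release whose security-domain API "
            "differs from the one this installer expects")
    hosts = []
    for subsystem, entries in data.get("subsystems", {}).items():
        for entry in entries:
            hosts.append((subsystem, entry["hostname"],
                          str(entry.get("clone", "FALSE")).upper() == "TRUE"))
    return data["id"], hosts


def check_master_compatible(raw):
    """True if the security-domain document is one we can parse."""
    try:
        parse_security_domain(raw)
    except SecurityDomainError:
        return False
    return True


def drm_install_mode(raw, replica_file=None):
    """Return 'master', 'clone' or 'need-replica-file'.

    'master': no DRM in the domain, install the first one.
    'clone': a DRM exists and a replica file was supplied.
    'need-replica-file': a DRM exists, prompt for the replica file.
    """
    _, hosts = parse_security_domain(raw)
    drm_present = any(subsystem == "KRA" for subsystem, _, _ in hosts)
    if not drm_present:
        return "master"
    if replica_file:
        return "clone"
    return "need-replica-file"


if __name__ == "__main__":
    print(drm_install_mode(MASTER_ONLY_DOMAIN))
    print(drm_install_mode(DOMAIN_WITH_DRM))
    print(drm_install_mode(DOMAIN_WITH_DRM, replica_file="/tmp/replica-info.gpg"))
    print(check_master_compatible(OLD_MASTER_RESPONSE))
```

The point of the explicit `SecurityDomainError` is that a version mismatch between clone and master surfaces as a clear message before any `pkispawn` work starts, rather than as a traceback from deep inside the Dogtag client library.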
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-a-DRM-to-IPA.patch
Type: text/x-patch
Size: 73390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Added-ipa-drm-install.patch
Type: text/x-patch
Size: 22704 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Added-nolog-to-pkispawn-and-some-additional-fixes-fr.patch
Type: text/x-patch
Size: 13199 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Fix-various-pep-8-issues-and-comments-from-review.patch
Type: text/x-patch
Size: 31467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-1-Added-dogtag-plugin-for-DRM.patch
Type: text/x-patch
Size: 23333 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-Allow-ipa-replica-install-to-be-used-for-installing-.patch
Type: text/x-patch
Size: 19638 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-set-drm-to-not-install-by-default-with-ipa-server-in.patch
Type: text/x-patch
Size: 1082 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0009-Formatting-fixes-and-change-in-security-domain-api.patch
Type: text/x-patch
Size: 10208 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140527/27439091/attachment-0007.bin>

