Get the certificate from freeIPA #81
Automatic reply from Jenkins: Can I test this?
@@ -112,6 +112,16 @@ yum -c /tmp/aii/yum/yum.conf -y install ipa-client | |||
--realm=$tree->{realm} \\ | |||
--server=$tree->{server} \\ | |||
|| fail "ipa-client-install failed" | |||
|
|||
mkdir -p /etc/ipa/quattor/certs |
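Review bot: `mkdir -p /etc/ipa/quattor/certs` at the end of this hunk hard-codes the target directory and creates it with the default umask and no error handling. The PR description says the host key is extracted along with the certificates, so consider creating the directory with a restrictive mode (for example `mkdir -m 0700 -p`), adding a `|| fail "..."` as is done for `ipa-client-install` just above, and taking the path from configuration rather than a literal.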
fetch the location of the key and cert from the ccm configuration.
@StephaneGerardVUB wrote in his documentation (http://mon.iihe.ac.be/trac/t2b/wiki/QuattorFreeIPA) :
test this please
test this please
test this please
test this please
Merged build finished. Test PASSed.
Test PASSed.
retest this please
Test PASSed.
retest this please
Test PASSed.
@samary, but the goal is to put these certificates where CCM can use them. So the right location is given by
@samary we are 2 weeks from 14.10, will you have time to address the remarks?
Hi, I'm currently on holiday, but I think I will have time to see with @StephaneGerardVUB how we can improve this next week. If I don't, I suggest to slip this to the next milestone. Sorry for the delay. Keep you updated.
- Added 'use_ssl' in the CCM schemas
- If use_ssl is true, extract certificates from IPA
Hi,
--realm=$tree->{realm} \\ | ||
--server=$tree->{server} \\ | ||
|| fail "ipa-client-install failed" | ||
--domain=$tree->{domain} \\ |
why did you change the indentation?
Sorry for that, I'll revert this.
@samary i realised that this is sort of a hack and probably doesn't deserve an entry under the CCM schema.
If you think support for NSS in CCM makes sense, have a look at
Looks interesting. Is it worth the effort of integrating it into CCM?
yeah, and then redo it for
Should we remove the code at this point and let ccm handle the key validity check and key extraction on profile download ?
@samary no, i think the hook can do this. but would stay away from ccm wrt the key extraction and use the aii schema. but ccm should work with nss, so the key extraction is not needed in the first place (but that requires a lot more code and testing)
- add "extract_x509" boolean (default : false) to run the extraction in the hook schema
- use a function to extract certificates
Following your recommendations, @StephaneGerardVUB have updated the code. Let me know if it looks good to you. Cheers
@@ -66,5 +66,7 @@ type structure_aii_freeipa = { | |||
|
|||
"dns" : boolean = false # DNS is controlled by FreeIPA (to register the host ip) | |||
"disable" : boolean = true # disable the host on AII removal | |||
|
remove empty newline
@samary minor programming style remarks. otherwise good to go imho nice work!
Updated following code style requirement
LGTM
Get the certificate from freeIPA
These commands extract the host certificate and key and the IPA CA certificate from nssdb. This is required when using ccm-fetch over SSL with a non-kerberos apache webserver.