library/ipaapi.py: Add call to api to get subject base form server

The subject base generated in discovery is only a guess and might have been changed by the admin at installation process. Therefore it is needed to get this from the server. subject_base has been added as a new return value. Use subject base form ipaapi in roles/ipaclient/tasks/install.yml instead of guessed value from ipadiscovery.
2026-05-06 13:23:14 +00:00 · 2017-09-25 15:52:27 +02:00
parent 860794232e
commit 6dc469fdb8
2 changed files with 17 additions and 2 deletions
--- a/library/ipaapi.py
+++ b/library/ipaapi.py
@@ -63,6 +63,11 @@ ca_enabled:
  description: Wheter the Certificate Authority is enabled or not.
  returned: always
  type: bool
+subject_base:
+  description: The subject base, needed for certmonger
+  returned: always
+  type: string
+  sample: O=EXAMPLE.COM
 '''

 import os
@@ -88,6 +93,7 @@ from ipalib.rpc import delete_persistent_client_session_data
 from ipapython import certdb
 from ipapython.ipautil import CalledProcessError, write_tmp_file, \
    ipa_generate_password
+from ipapython.dn import DN
 ipa_client_install = None
 try:
    from ipaclient.install.client import SECURE_PATH, disable_ra
@@ -236,7 +242,16 @@ def main():
    if not ca_enabled:
        disable_ra()

-    module.exit_json(changed=True, ca_enabled=ca_enabled)
+    # Get subject base from ipa server
+    try:
+        config = api.Command['config_show']()['result']
+        subject_base = str(DN(config['ipacertificatesubjectbase'][0]))
+    except errors.PublicError as e:
+        module.fail_json(msg="Cannot get subject base from server: %s" % e)
+
+    module.exit_json(changed=True,
+                     ca_enabled=ca_enabled,
+                     subject_base=subject_base)

 if __name__ == '__main__':
    main()
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -174,7 +174,7 @@
    realm: "{{ ipadiscovery.realm }}"
    basedn: "{{ ipadiscovery.basedn }}"
    hostname: "{{ ipadiscovery.hostname }}"
-    subject_base: "{{ ipadiscovery.subject_base }}"
+    subject_base: "{{ ipaapi.subject_base }}"
    principal: "{{ ipaadmin_principal | default(omit) }}"
    mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
    ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"