From f32bea5415d9d789e40a26eaf82a1154e02f21f1 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 15 May 2020 15:25:38 -0400
Subject: [PATCH] Add missing FreeIPA install steps

We need a couple of additional steps for the IPA setup.

Change-Id: I8038a6ca4ad6ea02184195a4052a22d84a658fa2
---
 .../source/features/tls-introduction.rst | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/deploy-guide/source/features/tls-introduction.rst b/deploy-guide/source/features/tls-introduction.rst
index ee0717de..baba7835 100644
--- a/deploy-guide/source/features/tls-introduction.rst
+++ b/deploy-guide/source/features/tls-introduction.rst
@@ -84,6 +84,26 @@ Configure FreeIPA::
 --auto-reverse / --unattended
+By default, FreeIPA does not public it's Certificate Revocation List (CRL)
+on startup. As the CRL is retrieved when the overcloud nodes retrieve
+certificates from FreeIPA, we should configure it to do so and restart
+FreeIPA.::
+
+ sed -i -e \
+ 's/ca.crl.MasterCRL.publishOnStart=.*/ca.crl.MasterCRL.publishOnStart=true/' \
+ /etc/pki/pki-tomcat/ca/CS.cfg
+ systemctl restart ipa
+
+Finally, if your IPA server is not at 4.8.5 or higher, you will need to add an
+ACL to allow for the proper generation of certificates with a IP SAN.::
+
+ cat << EOF | ldapmodify -x -D "cn=Directory Manager" -w $DIRECTORY_MANAGER_PASSWORD
+ dn: cn=dns,dc=example,dc=com
+ changetype: modify
+ add: aci
+ aci: (targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=*)(arecord=*)(cnamerecord=*)(ptrrecord=*)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com";)
+ EOF
+
 Please refer to ``ipa-server-install --help`` for specifics on each argument or reference the `FreeIPA documentation`_. The directions above are only a guide. You may need to adjust certain values and configuration options to use FreeIPA,