From 4562b41f0d9dcfc07e7fc0ab3b0b253d609a459f Mon Sep 17 00:00:00 2001
From: Thorsten Scherf
Date: Mon, 11 Dec 2017 11:04:17 +0100
Subject: [ipa] use correct PKI directories for tomcat version
The PKI subsystem uses different folders in IPA v3 and v4 for the NSS DB and the configuration files. The plugin needs to take this into account.
Closes: #1163
Signed-off-by: Thorsten Scherf
Signed-off-by: Bryn M. Reeves
---
 sos/plugins/ipa.py | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/sos/plugins/ipa.py b/sos/plugins/ipa.py
index 683f8254..fe6ddf08 100644
--- a/sos/plugins/ipa.py
+++ b/sos/plugins/ipa.py
@@ -83,6 +83,9 @@ class Ipa(Plugin, RedHatPlugin):
 self.pki_tomcat_dir_v4 = "/var/lib/pki/pki-tomcat"
 self.pki_tomcat_dir_v3 = "/var/lib/pki-ca"
+ self.pki_tomcat_conf_dir_v4 = "/etc/pki/pki-tomcat/ca"
+ self.pki_tomcat_conf_dir_v3 = "/etc/pki-ca"
+
 if self.ipa_server_installed():
 self._log_debug("IPA server install detected")
@@ -111,7 +114,6 @@ class Ipa(Plugin, RedHatPlugin):
 "/etc/dirsrv/slapd-*/schema/99user.ldif",
 "/etc/hosts",
 "/etc/named.*",
- "/etc/pki-ca/CS.cfg",
 "/etc/ipa/ca.crt",
 "/etc/ipa/default.conf",
 "/var/lib/certmonger/requests/[0-9]*",
@@ -119,22 +121,33 @@ class Ipa(Plugin, RedHatPlugin):
 ])
 self.add_forbidden_path("/etc/pki/nssdb/key*")
- self.add_forbidden_path("/etc/pki-ca/flatfile.txt")
- self.add_forbidden_path("/etc/pki-ca/password.conf")
- self.add_forbidden_path("/var/lib/pki-ca/alias/key*")
 self.add_forbidden_path("/etc/dirsrv/slapd-*/key*")
 self.add_forbidden_path("/etc/dirsrv/slapd-*/pin.txt")
 self.add_forbidden_path("/etc/dirsrv/slapd-*/pwdfile.txt")
 self.add_forbidden_path("/etc/named.keytab")
+ # Make sure to use the right PKI config and NSS DB folders
+ if ipa_version == "v4":
+ self.pki_tomcat_dir = self.pki_tomcat_dir_v4
+ self.pki_tomcat_conf_dir = self.pki_tomcat_conf_dir_v4
+ else:
+ self.pki_tomcat_dir = self.pki_tomcat_dir_v3
+ self.pki_tomcat_conf_dir = self.pki_tomcat_conf_dir_v3
+
+ self.add_cmd_output("certutil -L -d %s/alias" % self.pki_tomcat_dir)
+ self.add_copy_spec("%s/CS.cfg" % self.pki_tomcat_conf_dir)
+ self.add_forbidden_path("%s/alias/key*" % self.pki_tomcat_dir)
+ self.add_forbidden_path("%s/flatfile.txt" % self.pki_tomcat_conf_dir)
+ self.add_forbidden_path("%s/password.conf" % self.pki_tomcat_conf_dir)
+
 self.add_cmd_output([
 "ls -la /etc/dirsrv/slapd-*/schema/",
 "getcert list",
- "certutil -L -d /var/lib/pki-ca/alias",
 "certutil -L -d /etc/httpd/alias/",
 "klist -ket /etc/dirsrv/ds.keytab",
 "klist -ket /etc/httpd/conf/ipa.keytab"
 ])
+
 for certdb_directory in glob("/etc/dirsrv/slapd-*/"):
 self.add_cmd_output(["certutil -L -d %s" % certdb_directory])
 return
-- cgit
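Review bot: The three `add_forbidden_path` calls at the end of the added block now exclude key and password material only under the layout selected by `ipa_version`, whereas the removed lines excluded the v3 paths unconditionally. A deny list for secrets should not depend on version detection: on an upgraded host where both trees exist, or if `ipa_version` (assigned outside this hunk) is unset and the `else` branch is taken, `alias/key*`, `flatfile.txt` and `password.conf` under the other layout are no longer forbidden. Keep the version switch for the `certutil` command and the `CS.cfg` copy spec, but forbid both layouts, e.g. `for d in (self.pki_tomcat_dir_v3, self.pki_tomcat_dir_v4): self.add_forbidden_path("%s/alias/key*" % d)`, with the same loop over the two `pki_tomcat_conf_dir_*` values for `flatfile.txt` and `password.conf`. It is also worth confirming that v4 keeps `password.conf` under the `ca/` subdirectory rather than one level up, since a forbidden path that matches nothing protects nothing. The enclosing method starts outside the hunk, so copy specs elsewhere in it that might reach these directories could not be checked.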