Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
ipa-client-automount is run after ipa-client-install, so the CA certificate should be available. If the certificate is not available and ipadiscovery.ipacheckldap returns NO_TLS_LDAP, warn the user and try to continue. https://fedorahosted.org/freeipa/ticket/4902 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
ddd7fb6a68
commit
0344f246c2
@ -379,6 +379,10 @@ def main():
|
||||
api.bootstrap(**cfg)
|
||||
api.finalize()
|
||||
|
||||
ca_cert_path = None
|
||||
if os.path.exists(paths.IPA_CA_CRT):
|
||||
ca_cert_path = paths.IPA_CA_CRT
|
||||
|
||||
if options.uninstall:
|
||||
return uninstall(fstore, statestore)
|
||||
|
||||
@ -390,7 +394,7 @@ def main():
|
||||
ds = ipadiscovery.IPADiscovery()
|
||||
if not options.server:
|
||||
print "Searching for IPA server..."
|
||||
ret = ds.search()
|
||||
ret = ds.search(ca_cert_path=ca_cert_path)
|
||||
root_logger.debug('Executing DNS discovery')
|
||||
if ret == ipadiscovery.NO_LDAP_SERVER:
|
||||
root_logger.debug('Autodiscovery did not find LDAP server')
|
||||
@ -406,11 +410,13 @@ def main():
|
||||
else:
|
||||
server = options.server
|
||||
root_logger.debug("Verifying that %s is an IPA server" % server)
|
||||
ldapret = ds.ipacheckldap(server, api.env.realm)
|
||||
ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
|
||||
if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
|
||||
print "Anonymous access to the LDAP server is disabled."
|
||||
print "Proceeding without strict verification."
|
||||
print "Note: This is not an error if anonymous access has been explicitly restricted."
|
||||
elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
|
||||
root_logger.warning("Unencrypted access to LDAP is not supported.")
|
||||
elif ldapret[0] != 0:
|
||||
sys.exit('Unable to confirm that %s is an IPA server' % server)
|
||||
|
||||
|
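Review bot: The new `elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:` branch in the third hunk only logs a generic warning and then falls through, so when paths.IPA_CA_CRT is absent the "is an IPA server" check for `server` was presumably made without TLS and the operator is never told which server was accepted unverified or why (the missing CA file); the message should name both, e.g. `root_logger.warning("Unencrypted access to LDAP is not supported. Unable to verify %s over TLS because %s is missing, proceeding without strict verification." % (server, paths.IPA_CA_CRT))`. The same branch also reports through `root_logger.warning` while the adjacent NO_ACCESS_TO_LDAP branch reports the equivalent "proceeding without strict verification" situation with bare `print` statements, so the two fallbacks reach the user through different channels. The first hunk silently leaves `ca_cert_path = None` when the file is missing; a `root_logger.debug("%s not found, TLS verification of the LDAP server will not be possible" % paths.IPA_CA_CRT)` in an `else:` there would make the later warning traceable in the log. main() starts before the first hunk and continues after the third.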