From 294fc3dc5645eeb7942908c3e351c06aa0af329e Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 27 Oct 2016 13:35:10 +0200 Subject: [PATCH] ipa-getkeytab: expose CA cert path as option get rid of hardcoded CA cert path and allow the caller to use supplied custom paths instead https://fedorahosted.org/freeipa/ticket/6409 Reviewed-By: Simo Sorce --- client/ipa-getkeytab.c | 25 +++++++++++++++++++------ client/man/ipa-getkeytab.1 | 6 +++++- 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c index 0f549a5cf..e32e9e426 100644 --- a/client/ipa-getkeytab.c +++ b/client/ipa-getkeytab.c @@ -44,6 +44,8 @@ #include "ipa_asn1.h" #include "ipa-client-common.h" +#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt" + static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit) { sasl_interact_t *in = NULL; @@ -152,10 +154,9 @@ static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servernam return rc; } -const char *ca_cert_file = "/etc/ipa/ca.crt"; - static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ, - const char *bind_dn, const char *bind_pw, LDAP **_ld) + const char *bind_dn, const char *bind_pw, + const char *ca_cert_file, LDAP **_ld) { char *msg = NULL; struct berval bv; @@ -343,6 +344,7 @@ static int ldap_set_keytab(krb5_context krbctx, krb5_principal princ, const char *binddn, const char *bindpw, + const char *ca_cert_file, struct keys_container *keys) { LDAP *ld = NULL; @@ -369,7 +371,7 @@ static int ldap_set_keytab(krb5_context krbctx, goto error_out; } - ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld); + ret = ipa_ldap_bind(servername, princ, binddn, bindpw, ca_cert_file, &ld); if (ret != LDAP_SUCCESS) { fprintf(stderr, _("Failed to bind to server!\n")); goto error_out; @@ -500,6 +502,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password, const char *enctypes, const char *bind_server, const char *svc_princ, krb5_principal bind_princ, const char *bind_dn, const char *bind_pw, + const char *ca_cert_file, struct keys_container *keys, int *kvno, char **err_msg) { @@ -529,7 +532,8 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password, goto done; } - ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld); + ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, + ca_cert_file, &ld); if (ret != LDAP_SUCCESS) { *err_msg = _("Failed to bind to server!\n"); goto done; @@ -684,6 +688,7 @@ int main(int argc, const char *argv[]) static const char *enctypes_string = NULL; static const char *binddn = NULL; static const char *bindpw = NULL; + static const char *ca_cert_file = NULL; int quiet = 0; int askpass = 0; int permitted_enctypes = 0; @@ -712,6 +717,8 @@ int main(int argc, const char *argv[]) _("LDAP DN"), _("DN to bind as if not using kerberos") }, { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, _("LDAP password"), _("password to use if not using kerberos") }, + { "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0, + _("Path to the IPA CA certificate"), _("IPA CA certificate")}, { "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0, _("Retrieve current keys without changing them"), NULL }, POPT_AUTOHELP @@ -798,6 +805,10 @@ int main(int argc, const char *argv[]) } } + if (!ca_cert_file) { + ca_cert_file = DEFAULT_CA_CERT_FILE; + } + if (askpass && retrieve) { fprintf(stderr, _("Incompatible options provided (-r and -P)\n")); exit(2); @@ -853,6 +864,7 @@ int main(int argc, const char *argv[]) kvno = -1; ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string, server, principal, uprinc, binddn, bindpw, + ca_cert_file, &keys, &kvno, &err_msg); if (ret) { if (!quiet && err_msg != NULL) { @@ -877,7 +889,8 @@ int main(int argc, const char *argv[]) exit(8); } - kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, bindpw, &keys); + kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, + bindpw, ca_cert_file, &keys); } if (kvno == -1) { diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 index 1c270729e..997a5955e 100644 --- a/client/man/ipa-getkeytab.1 +++ b/client/man/ipa-getkeytab.1 @@ -21,7 +21,7 @@ .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ] +ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-r\fR ] .SH "DESCRIPTION" Retrieves a Kerberos \fIkeytab\fR. @@ -98,6 +98,10 @@ The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Ge \fB\-w, \-\-bindpw\fR The LDAP password to use when not binding with Kerberos. .TP +\fB\-\-cacert\fR +The path to the IPA CA certificate used to validate LDAPS connections. Defaults to +/etc/ipa/ca.crt +.TP \fB\-r\fR Retrieve mode. Retrieve an existing key from the server instead of generating a new one. This is incompatibile with the \-\-password option, and will work only