mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
ipa-getkeytab: expose CA cert path as option
get rid of hardcoded CA cert path and allow the caller to use supplied custom paths instead https://fedorahosted.org/freeipa/ticket/6409 Reviewed-By: Simo Sorce <ssorce@redhat.com>
This commit is contained in:
parent
7a183bad66
commit
294fc3dc56
@ -44,6 +44,8 @@
|
|||||||
#include "ipa_asn1.h"
|
#include "ipa_asn1.h"
|
||||||
#include "ipa-client-common.h"
|
#include "ipa-client-common.h"
|
||||||
|
|
||||||
|
#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
|
||||||
|
|
||||||
static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
|
static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
|
||||||
{
|
{
|
||||||
sasl_interact_t *in = NULL;
|
sasl_interact_t *in = NULL;
|
||||||
@ -152,10 +154,9 @@ static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servernam
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
const char *ca_cert_file = "/etc/ipa/ca.crt";
|
|
||||||
|
|
||||||
static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
|
static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
|
||||||
const char *bind_dn, const char *bind_pw, LDAP **_ld)
|
const char *bind_dn, const char *bind_pw,
|
||||||
|
const char *ca_cert_file, LDAP **_ld)
|
||||||
{
|
{
|
||||||
char *msg = NULL;
|
char *msg = NULL;
|
||||||
struct berval bv;
|
struct berval bv;
|
||||||
@ -343,6 +344,7 @@ static int ldap_set_keytab(krb5_context krbctx,
|
|||||||
krb5_principal princ,
|
krb5_principal princ,
|
||||||
const char *binddn,
|
const char *binddn,
|
||||||
const char *bindpw,
|
const char *bindpw,
|
||||||
|
const char *ca_cert_file,
|
||||||
struct keys_container *keys)
|
struct keys_container *keys)
|
||||||
{
|
{
|
||||||
LDAP *ld = NULL;
|
LDAP *ld = NULL;
|
||||||
@ -369,7 +371,7 @@ static int ldap_set_keytab(krb5_context krbctx,
|
|||||||
goto error_out;
|
goto error_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld);
|
ret = ipa_ldap_bind(servername, princ, binddn, bindpw, ca_cert_file, &ld);
|
||||||
if (ret != LDAP_SUCCESS) {
|
if (ret != LDAP_SUCCESS) {
|
||||||
fprintf(stderr, _("Failed to bind to server!\n"));
|
fprintf(stderr, _("Failed to bind to server!\n"));
|
||||||
goto error_out;
|
goto error_out;
|
||||||
@ -500,6 +502,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
|
|||||||
const char *enctypes, const char *bind_server,
|
const char *enctypes, const char *bind_server,
|
||||||
const char *svc_princ, krb5_principal bind_princ,
|
const char *svc_princ, krb5_principal bind_princ,
|
||||||
const char *bind_dn, const char *bind_pw,
|
const char *bind_dn, const char *bind_pw,
|
||||||
|
const char *ca_cert_file,
|
||||||
struct keys_container *keys, int *kvno,
|
struct keys_container *keys, int *kvno,
|
||||||
char **err_msg)
|
char **err_msg)
|
||||||
{
|
{
|
||||||
@ -529,7 +532,8 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld);
|
ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw,
|
||||||
|
ca_cert_file, &ld);
|
||||||
if (ret != LDAP_SUCCESS) {
|
if (ret != LDAP_SUCCESS) {
|
||||||
*err_msg = _("Failed to bind to server!\n");
|
*err_msg = _("Failed to bind to server!\n");
|
||||||
goto done;
|
goto done;
|
||||||
@ -684,6 +688,7 @@ int main(int argc, const char *argv[])
|
|||||||
static const char *enctypes_string = NULL;
|
static const char *enctypes_string = NULL;
|
||||||
static const char *binddn = NULL;
|
static const char *binddn = NULL;
|
||||||
static const char *bindpw = NULL;
|
static const char *bindpw = NULL;
|
||||||
|
static const char *ca_cert_file = NULL;
|
||||||
int quiet = 0;
|
int quiet = 0;
|
||||||
int askpass = 0;
|
int askpass = 0;
|
||||||
int permitted_enctypes = 0;
|
int permitted_enctypes = 0;
|
||||||
@ -712,6 +717,8 @@ int main(int argc, const char *argv[])
|
|||||||
_("LDAP DN"), _("DN to bind as if not using kerberos") },
|
_("LDAP DN"), _("DN to bind as if not using kerberos") },
|
||||||
{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
|
{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
|
||||||
_("LDAP password"), _("password to use if not using kerberos") },
|
_("LDAP password"), _("password to use if not using kerberos") },
|
||||||
|
{ "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0,
|
||||||
|
_("Path to the IPA CA certificate"), _("IPA CA certificate")},
|
||||||
{ "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0,
|
{ "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0,
|
||||||
_("Retrieve current keys without changing them"), NULL },
|
_("Retrieve current keys without changing them"), NULL },
|
||||||
POPT_AUTOHELP
|
POPT_AUTOHELP
|
||||||
@ -798,6 +805,10 @@ int main(int argc, const char *argv[])
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!ca_cert_file) {
|
||||||
|
ca_cert_file = DEFAULT_CA_CERT_FILE;
|
||||||
|
}
|
||||||
|
|
||||||
if (askpass && retrieve) {
|
if (askpass && retrieve) {
|
||||||
fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
|
fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
|
||||||
exit(2);
|
exit(2);
|
||||||
@ -853,6 +864,7 @@ int main(int argc, const char *argv[])
|
|||||||
kvno = -1;
|
kvno = -1;
|
||||||
ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string,
|
ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string,
|
||||||
server, principal, uprinc, binddn, bindpw,
|
server, principal, uprinc, binddn, bindpw,
|
||||||
|
ca_cert_file,
|
||||||
&keys, &kvno, &err_msg);
|
&keys, &kvno, &err_msg);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
if (!quiet && err_msg != NULL) {
|
if (!quiet && err_msg != NULL) {
|
||||||
@ -877,7 +889,8 @@ int main(int argc, const char *argv[])
|
|||||||
exit(8);
|
exit(8);
|
||||||
}
|
}
|
||||||
|
|
||||||
kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, bindpw, &keys);
|
kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn,
|
||||||
|
bindpw, ca_cert_file, &keys);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (kvno == -1) {
|
if (kvno == -1) {
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
ipa\-getkeytab \- Get a keytab for a Kerberos principal
|
ipa\-getkeytab \- Get a keytab for a Kerberos principal
|
||||||
.SH "SYNOPSIS"
|
.SH "SYNOPSIS"
|
||||||
ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ]
|
ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-r\fR ]
|
||||||
|
|
||||||
.SH "DESCRIPTION"
|
.SH "DESCRIPTION"
|
||||||
Retrieves a Kerberos \fIkeytab\fR.
|
Retrieves a Kerberos \fIkeytab\fR.
|
||||||
@ -98,6 +98,10 @@ The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Ge
|
|||||||
\fB\-w, \-\-bindpw\fR
|
\fB\-w, \-\-bindpw\fR
|
||||||
The LDAP password to use when not binding with Kerberos.
|
The LDAP password to use when not binding with Kerberos.
|
||||||
.TP
|
.TP
|
||||||
|
\fB\-\-cacert\fR
|
||||||
|
The path to the IPA CA certificate used to validate LDAPS connections. Defaults to
|
||||||
|
/etc/ipa/ca.crt
|
||||||
|
.TP
|
||||||
\fB\-r\fR
|
\fB\-r\fR
|
||||||
Retrieve mode. Retrieve an existing key from the server instead of generating a
|
Retrieve mode. Retrieve an existing key from the server instead of generating a
|
||||||
new one. This is incompatibile with the \-\-password option, and will work only
|
new one. This is incompatibile with the \-\-password option, and will work only
|
||||||
|
Loading…
Reference in New Issue
Block a user