From 459d6cff4efc529f2a9031e817c80a0377bf19a4 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 12 Jun 2014 12:04:59 +0200
Subject: [PATCH] Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden
---
 ipa-client/ipa-install/ipa-client-install | 36 +++++++----------------
 1 file changed, 10 insertions(+), 26 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index c9d99f079..b0ce521ef 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -48,7 +48,7 @@ try:
     from ipapython import kernel_keyring
     from ipapython.config import IPAOptionParser
     from ipalib import api, errors
-    from ipalib import x509
+    from ipalib import x509, certstore
     from ipalib.constants import CACERT
     from ipapython.dn import DN
     from ipapython.ssh import SSHPublicKey
@@ -1729,7 +1729,7 @@ def get_ca_certs_from_http(url, warn=True):
     return certs
 
 
-def get_ca_certs_from_ldap(server, basedn):
+def get_ca_certs_from_ldap(server, basedn, realm):
     '''
     Retrieve th CA cert from the LDAP server by binding to the server with GSSAPI using the current Kerberos credentials.
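Review bot: The new `realm` parameter of `get_ca_certs_from_ldap` is not described in the docstring that opens right under the changed signature, and that docstring still speaks of "th CA cert" in the singular although the function now gathers certificates from the certificate store; the rest of the docstring and the body lie outside this hunk. I would add a parameter line such as `realm: Kerberos realm used by certstore.get_ca_certs to select the CA certificates under basedn` and fix the first sentence to `Retrieve the CA certs from the LDAP server by binding to the server with GSSAPI using the current Kerberos credentials.` while here.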
@@ -1742,21 +1742,12 @@ def get_ca_certs_from_ldap(server, basedn):
     Raises errors.FileError if unable to write cert.
     '''
 
-    ca_cert_attr = 'cAcertificate;binary'
-    dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
-
-    root_logger.debug("trying to retrieve CA cert via LDAP from %s", server)
 
     conn = ipaldap.IPAdmin(server, sasl_nocanon=True)
     try:
         conn.do_sasl_gssapi_bind()
-        result, truncated = conn.find_entries(
-            base_dn=dn,
-            scope=conn.SCOPE_BASE,
-            filter='(objectclass=pkiCA)',
-            attrs_list=[ca_cert_attr],
-            time_limit=10)
+        certs = certstore.get_ca_certs(conn, basedn, realm, False)
     except errors.NotFound, e:
         root_logger.debug("get_ca_certs_from_ldap() error: %s", e)
         raise errors.NoCertificateError(entry=server)
@@ -1768,18 +1759,10 @@ def get_ca_certs_from_ldap(server, basedn):
         root_logger.debug("get_ca_certs_from_ldap() error: %s", e)
         raise errors.LDAPError(str(e))
 
-    if len(result) != 1:
-        raise errors.OnlyOneValueAllowed(attr=ca_cert_attr)
+    certs = [x509.load_certificate(c[0], x509.DER) for c in certs
+             if c[2] is not False]
 
-    attrs = result[0]
-    try:
-        der_cert = attrs[ca_cert_attr][0]
-    except KeyError:
-        raise errors.NoCertificateError(entry=ca_cert_attr)
-
-    cert = x509.load_certificate(der_cert, x509.DER)
-
-    return [cert]
+    return certs
 
 
 def validate_new_ca_certs(existing_ca_certs, new_ca_certs, ask, override=False):
@@ -1808,7 +1791,7 @@ def validate_new_ca_certs(existing_ca_certs, new_ca_certs, ask,
         root_logger.debug(
             "Existing CA cert and Retrieved CA cert are identical")
 
-def get_ca_certs(fstore, options, server, basedn):
+def get_ca_certs(fstore, options, server, basedn, realm):
     '''
     Examine the different options and determine a method for obtaining the CA cert.
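Review bot: `certs = certstore.get_ca_certs(conn, basedn, realm, False)` passes a bare `False` as the fourth positional argument, so a reader of this file cannot tell which behaviour of the lookup is being switched off; I would pass it by keyword (the parameter name has to be taken from ipalib.certstore, which is not shown here) or put a one-line comment above the call stating what the flag controls. The new code also no longer logs which server it is about to bind to, since the only trace line in this function was removed without a replacement; I would keep `root_logger.debug("trying to retrieve CA certs via LDAP from %s", server)` just before `conn = ipaldap.IPAdmin(server, sasl_nocanon=True)` so a failed or unexpected bind can be correlated with the server in the install log. The remaining except clauses and the return of this function are in the next hunk.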
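Review bot: `return certs` can now hand back an empty list: the replaced code raised `errors.OnlyOneValueAllowed` or `errors.NoCertificateError` when no certificate came back, but after the comprehension a store with no entries, or with only entries whose third tuple element is `False`, falls straight through to the return (only an LDAP `NotFound` from the bind/search is turned into `NoCertificateError`, in the previous hunk). The caller in `get_ca_certs` hands the list to `validate_new_ca_certs` and, presumably, on to the /etc/ipa/ca.crt writer that is outside this diff, so I would add `if not certs: raise errors.NoCertificateError(entry=server)` before `return certs` to make an empty trust-anchor set an error rather than a silent outcome. The `c[0]` and `c[2]` indexing also leaves the tuple layout implicit; if the third element can be `None` as well as `True`/`False`, `is not False` admits entries of unknown trust status, so a comment naming the fields — or `if c[2]` if only explicitly trusted CAs belong in ca.crt — would make the intent checkable against certstore.get_ca_certs.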
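Review bot: `get_ca_certs` gains a `realm` parameter, but the opening of its docstring visible here does not mention it; the rest of the docstring and the body, which forwards `realm` to `get_ca_certs_from_ldap` in a later hunk, lie outside this hunk. I would add a line such as `realm: Kerberos realm of the client, forwarded to get_ca_certs_from_ldap when the CA certs are fetched over LDAP` to the parameter description so the three call sites that now have to supply it know what is expected.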
@@ -1907,7 +1890,7 @@ def get_ca_certs(fstore, options, server, basedn):
         # Auth with user credentials
         try:
             url = ldap_url()
-            ca_certs = get_ca_certs_from_ldap(server, basedn)
+            ca_certs = get_ca_certs_from_ldap(server, basedn, realm)
             validate_new_ca_certs(existing_ca_certs, ca_certs, interactive)
         except errors.FileError, e:
             root_logger.debug(e)
@@ -2451,7 +2434,8 @@ def install(options, env, fstore, statestore):
     # Get the CA certificate
     try:
         os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG']
-        get_ca_certs(fstore, options, cli_server[0], cli_basedn)
+        get_ca_certs(fstore, options, cli_server[0], cli_basedn,
+                     cli_realm)
         del os.environ['KRB5_CONFIG']
     except errors.FileError, e:
         root_logger.error(e)