Use LDAP API to upload CA certificate instead of ldapmodify command.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>

install/share/Makefile.am

@@ -68,7 +68,6 @@ app_DATA =				\
 	replica-automember.ldif		\
 	replica-s4u2proxy.ldif		\
 	copy-schema-to-ca.py		\
-	upload-cacert.ldif		\
 	sasl-mapping-fallback.ldif	\
 	schema-update.ldif		\
 	$(NULL)

install/share/upload-cacert.ldif

@@ -1,7 +0,0 @@
-# add CA certificate to LDAP server
-dn: cn=CAcert,cn=ipa,cn=etc,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: pkiCA
-cn: CAcert
-cACertificate;binary:: $CADERCERT

ipaserver/install/dsinstance.py

@@ -688,12 +688,25 @@ class DsInstance(service.Service):
     def upload_ca_dercert(self, dercert):
         """Upload the CA DER certificate to the LDAP directory
         """
-        # Note: Don't try to optimize if base64 data is already available.
+        conn = ipaldap.IPAdmin(self.fqdn)
-        # We want to re-encode using Python's b64encode to ensure the
+        conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
-        # data is normalized (no extra newlines in the ldif)
-        self.sub_dict['CADERCERT'] = base64.b64encode(dercert)
 
-        self._ldap_mod('upload-cacert.ldif', self.sub_dict)
+        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), self.suffix)
+        try:
+            entry = conn.get_entry(dn, attrs_list=['cACertificate;binary'])
+            entry['cACertificate;binary'] = [dercert]
+            conn.update_entry(entry)
+        except errors.NotFound:
+            entry = conn.make_entry(
+                dn,
+                {'objectClass': ['nsContainer', 'pkiCA'],
+                 'cn': ['CAcert'],
+                 'cACertificate;binary': [dercert]})
+            conn.add_entry(entry)
+        except errors.EmptyModlist:
+            pass
+
+        conn.unbind()
 
     def __add_default_layout(self):
         self._ldap_mod("bootstrap-template.ldif", self.sub_dict)