Check LDAP instead of local configuration to see if IPA CA is enabled

The check is done using a new hidden command ca_is_enabled.

https://fedorahosted.org/freeipa/ticket/4621

Reviewed-By: David Kupka <dkupka@redhat.com>
Jan Cholasta
2014-10-13 14:30:15 +02:00
committed by Martin Kosek
parent 6227ebb0cd
commit 608851d3f8
16 changed files with 144 additions and 65 deletions


@@ -1093,11 +1093,11 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
return 0
def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
remote_env):
ca_enabled):
if not options.request_cert:
return
if not remote_env['enable_ra']:
if not ca_enabled:
root_logger.warning(
"An RA is not configured on the server. "
"Not requesting host certificate.")
@@ -1696,11 +1696,11 @@ def print_port_conf_info():
" TCP: 464\n"
" UDP: 464, 123 (if NTP enabled)")
def get_certs_from_ldap(server, base_dn, realm, enable_ra):
def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
conn = ipaldap.IPAdmin(server, sasl_nocanon=True)
try:
conn.do_sasl_gssapi_bind()
certs = certstore.get_ca_certs(conn, base_dn, realm, enable_ra)
certs = certstore.get_ca_certs(conn, base_dn, realm, ca_enabled)
except errors.NotFound:
raise errors.NoCertificateError(entry=server)
except errors.NetworkError, e:
@@ -2640,13 +2640,20 @@ def install(options, env, fstore, statestore):
return CLIENT_INSTALL_ERROR
# Use the RPC directly so older servers are supported
result = api.Backend.rpcclient.forward(
'env',
server=True,
version=u'2.0',
)
remote_env = result['result']
if not remote_env['enable_ra']:
try:
result = api.Backend.rpcclient.forward(
'ca_is_enabled',
version=u'2.0',
)
ca_enabled = result['result']
except errors.CommandError:
result = api.Backend.rpcclient.forward(
'env',
server=True,
version=u'2.0',
)
ca_enabled = result['result']['enable_ra']
if not ca_enabled:
disable_ra()
# Create IPA NSS database
@@ -2658,7 +2665,7 @@ def install(options, env, fstore, statestore):
# Get CA certificates from the certificate store
ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
remote_env['enable_ra'])
ca_enabled)
ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
for (c, n, t, u) in ca_certs]
@@ -2692,7 +2699,7 @@ def install(options, env, fstore, statestore):
if not options.on_master:
client_dns(cli_server[0], hostname, options.dns_updates)
configure_certmonger(fstore, subject_base, cli_realm, hostname,
options, remote_env)
options, ca_enabled)
update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)
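Review bot: The `except errors.CommandError:` fallback in the install() hunk is undocumented and is semantically broader than the comment above it suggests: on a server that lacks `ca_is_enabled` the client silently falls back to the contacted server's `enable_ra` flag, which (per the commit message) answers a different question than the LDAP-wide CA check, so `disable_ra()` can be taken on one server generation and not on another with the same topology. I would add a comment on the except line, `# Pre-4.1 servers have no ca_is_enabled; fall back to the contacted server's env, which only reflects its own RA`, so the next maintainer does not read this as handling an arbitrary command failure. The same five-line try/except block is pasted verbatim into ipa-certupdate in this commit; a single helper in the client library (e.g. `get_ca_enabled(rpcclient)`) would keep the two fallbacks from drifting. The value of `result['result']` is used unvalidated as a truth flag for both `disable_ra()` and `get_certs_from_ldap`; since the client already trusts the server it joins, that is presumably acceptable, but it is worth stating in the comment. The install() body continues outside this hunk.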


@@ -27,7 +27,7 @@ from ipapython import (admintool, ipautil, ipaldap, sysrestore, dogtag,
from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
from ipalib import api, x509, certstore
from ipalib import api, errors, x509, certstore
class CertUpdate(admintool.AdminTool):
@@ -59,10 +59,26 @@ class CertUpdate(admintool.AdminTool):
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
api.Backend.rpcclient.connect()
try:
result = api.Backend.rpcclient.forward(
'ca_is_enabled',
version=u'2.0',
)
ca_enabled = result['result']
except errors.CommandError:
result = api.Backend.rpcclient.forward(
'env',
server=True,
version=u'2.0',
)
ca_enabled = result['result']['enable_ra']
api.Backend.rpcclient.disconnect()
ldap.do_sasl_gssapi_bind()
certs = certstore.get_ca_certs(ldap, api.env.basedn,
api.env.realm, api.env.enable_ra)
api.env.realm, ca_enabled)
finally:
shutil.rmtree(tmpdir)
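Review bot: `api.Backend.rpcclient.disconnect()` is only reached when `forward()` either succeeds or raises `errors.CommandError`; any other error from the RPC calls (a `NetworkError`, for instance) skips the disconnect and leaves the client connection open while the outer `finally` only removes tmpdir. The connect/disconnect pair should bracket the lookup in its own `try`/`finally`, as sketched below. I would also document the except branch with `# Pre-4.1 servers have no ca_is_enabled; ask the contacted server for its own enable_ra instead` since the two checks are not equivalent, and note that `result['result']` is taken on trust from the server. The enclosing method starts before this hunk and the `try` whose `finally` is shown here opens outside it.
```python
api.Backend.rpcclient.connect()
try:
    try:
        result = api.Backend.rpcclient.forward(
            'ca_is_enabled',
            version=u'2.0',
        )
        ca_enabled = result['result']
    except errors.CommandError:
        # … unchanged: fall back to the 'env' command's enable_ra …
finally:
    api.Backend.rpcclient.disconnect()
```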