Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent

This commit makes sure that the dogtag-ipa-ca-renew-agent CA helper can be used
before Kerberos is configured.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Florence Blanc-Renaud 2016-11-08 09:02:57 +01:00 committed by David Kupka
parent 2775042787
commit 7462adec13


@ -113,7 +113,7 @@ def ldap_connect():
conn = None
try:
conn = ldap2(api)
conn.connect(ccache=os.environ['KRB5CCNAME'])
conn.connect(autobind=True)
yield conn
finally:
if conn is not None and conn.isconnected():
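Review bot: The `conn.connect(autobind=True)` line changes which directory identity the helper binds as, and nothing in the hunk records that. With autobind the server derives the bind identity from the calling process's OS credentials over the local socket, not from the host principal's ticket. If the autobind mapping for the account running this helper resolves to a more privileged entry than the host principal (not visible here), every operation on this connection runs with that wider access, so it is worth confirming the helper performs only the reads and writes it needs. I would add a comment above the call, e.g. `# autobind: identity comes from the local process credentials, not Kerberos; usable before the host keytab exists`. The body of ldap_connect starts and ends outside the hunk, so how a failed bind is reported cannot be checked from here.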
@ -505,11 +505,6 @@ def main():
tmpdir = tempfile.mkdtemp(prefix="tmp-")
certs.renewal_lock.acquire()
try:
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
ccache_filename = os.path.join(tmpdir, 'ccache')
os.environ['KRB5CCNAME'] = ccache_filename
ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
profile = os.environ.get('CERTMONGER_CA_PROFILE')
if profile:
handler = handlers.get(profile, request_and_store_cert)