mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent
This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used before Kerberos is configured. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit is contained in:
parent
2775042787
commit
7462adec13
@ -113,7 +113,7 @@ def ldap_connect():
|
||||
conn = None
|
||||
try:
|
||||
conn = ldap2(api)
|
||||
conn.connect(ccache=os.environ['KRB5CCNAME'])
|
||||
conn.connect(autobind=True)
|
||||
yield conn
|
||||
finally:
|
||||
if conn is not None and conn.isconnected():
|
||||
@ -505,11 +505,6 @@ def main():
|
||||
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
||||
certs.renewal_lock.acquire()
|
||||
try:
|
||||
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
|
||||
ccache_filename = os.path.join(tmpdir, 'ccache')
|
||||
os.environ['KRB5CCNAME'] = ccache_filename
|
||||
ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
||||
|
||||
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
||||
if profile:
|
||||
handler = handlers.get(profile, request_and_store_cert)
|
||||
|
Loading…
Reference in New Issue
Block a user