CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA

Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.

RHEL 6 clients rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.

The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Florence Blanc-Renaud 2019-05-21 21:19:29 +02:00
parent 5263c36c1b
commit 9cd88587e4

@ -92,7 +92,7 @@ class update_upload_cacrt(Updater):
config = entry.setdefault('ipaConfigString', [])
if ca_enabled:
config.append('ipaCa')
config.append('ipaCa')
config.append('compatCA')
try:
ldap.add_entry(entry)
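
Review bot: the visible context ends at ldap.add_entry(entry), so this hunk only shows 'compatCA' being placed on an entry that is about to be added. Servers that already ran the upgrade after fa50068 hold cn=DOMAIN IPA CA without that value, so please confirm that the path taken when the entry already exists also writes ipaConfigString; otherwise cn=CAcert stays out of date on those servers. The line being replaced appears to be a duplicated config.append('ipaCa'), which went unnoticed until client installs failed. A regression test that runs update_upload_cacrt and asserts that 'compatCA' is present in ipaConfigString of the resulting entry would catch a repeat.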