Allow insecure binds for migration

Commit 5be9341fba disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.

Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>

ipaserver/plugins/migration.py

@@ -901,20 +901,19 @@ migration process might be incomplete\n''')
             return dict(result={}, failed={}, enabled=False, compat=True)
 
         # connect to DS
-        cacert = None
         if options.get('cacertfile') is not None:
             # store CA cert into file
             tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
             cacert = tmp_ca_cert_f.name
 
-            # start TLS connection
-            ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+            # start TLS connection or STARTTLS
+            ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
             ds_ldap.simple_bind(options['binddn'], bindpw)
 
             tmp_ca_cert_f.close()
         else:
-            ds_ldap = LDAPClient(ldapuri, cacert=cacert)
-            ds_ldap.simple_bind(options['binddn'], bindpw)
+            ds_ldap = LDAPClient(ldapuri)
+            ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
 
         # check whether the compat plugin is enabled
         if not options.get('compat'):