Block camellia in krbenctypes update in FIPS

Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

install/updates/50-krbenctypes.update

@@ -1,8 +1,8 @@
 dn: cn=$REALM,cn=kerberos,$SUFFIX
-add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
-add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special
-add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
-add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special
+${FIPS}add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
+${FIPS}add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special
+${FIPS}add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
+${FIPS}add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special
 add: krbSupportedEncSaltTypes: aes128-sha2:normal
 add: krbSupportedEncSaltTypes: aes128-sha2:special
 add: krbSupportedEncSaltTypes: aes256-sha2:normal

ipaserver/install/ldapupdate.py

@@ -42,6 +42,7 @@ from ipalib import api, create_api
 from ipalib import constants
 from ipaplatform.constants import constants as platformconstants
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
 from ipapython.dn import DN
 
 if six.PY3:
@@ -325,6 +326,8 @@ class LDAPUpdate:
         if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):
             self.sub_dict["SELINUX_USERMAP_ORDER"] = \
                 platformconstants.SELINUX_USERMAP_ORDER
+        if "FIPS" not in self.sub_dict:
+            self.sub_dict["FIPS"] = '#' if tasks.is_fips_enabled() else ''
         self.api = create_api(mode=None)
         self.api.bootstrap(in_server=True,
                            context='updates',