migrate-ds added --ca-cert-file=FILE option

FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).

Ticket: https://fedorahosted.org/freeipa/ticket/3243

API.txt

@@ -2073,11 +2073,12 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('value', <type 'unicode'>, None)
 command: migrate_ds
-args: 2,17,4
+args: 2,18,4
 arg: Str('ldapuri', cli_name='ldap_uri')
 arg: Password('bindpw', cli_name='password', confirm=False)
 option: DNParam('basedn?', cli_name='base_dn')
 option: DNParam('binddn?', autofill=True, cli_name='bind_dn', default=ipapython.dn.DN('cn=directory manager'))
+option: File('cacertfile?', cli_name='ca_cert_file', default=None)
 option: Flag('compat?', autofill=True, cli_name='with_compat', default=False)
 option: Flag('continue?', autofill=True, default=False)
 option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=())

VERSION

@@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=68
+IPA_API_VERSION_MINOR=69

ipalib/plugins/migration.py

@@ -20,7 +20,7 @@
 import re
 
 from ipalib import api, errors, output
-from ipalib import Command, Password, Str, Flag, StrEnum, DNParam
+from ipalib import Command, Password, Str, Flag, StrEnum, DNParam, File
 from ipalib.cli import to_cli
 from ipalib.plugins.user import NO_UPG_MAGIC
 if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -30,6 +30,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']:
         raise e
 from ipalib import _
 from ipapython.dn import DN
+from ipapython.ipautil import write_tmp_file
 import datetime
 
 __doc__ = _("""
@@ -593,6 +594,12 @@ class migrate_ds(Command):
             doc=_('Allows migration despite the usage of compat plugin'),
             default=False,
         ),
+        File('cacertfile?',
+            cli_name='ca_cert_file',
+            label=_('CA certificate'),
+            doc=_('Load CA certificate of LDAP server from FILE'),
+            default=None
+        ),
     )
 
     has_output = (
@@ -844,7 +851,6 @@ can use their Kerberos accounts.''')
     def execute(self, ldapuri, bindpw, **options):
         ldap = self.api.Backend.ldap2
         self.normalize_options(options)
-
         config = ldap.get_ipa_config()[1]
 
         ds_base_dn = options.get('basedn')
@@ -857,7 +863,20 @@ can use their Kerberos accounts.''')
 
         # connect to DS
         ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
-        ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+
+        cacert = None
+        if options.get('cacertfile') is not None:
+            #store CA cert into file
+            tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
+            cacert = tmp_ca_cert_f.name
+
+            #start TLS connection
+            ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
+                tls_cacertfile=cacert)
+
+            tmp_ca_cert_f.close()
+        else:
+            ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
 
         #check whether the compat plugin is enabled
         if not options.get('compat'):