OpenLDAP has made it explicit to use default CA store as provided by OpenSSL in 2016: branches 2.5 and later: commit 4962dd6083ae0fe722eb23a618ad39e47611429b Author: Howard Guo <hguo@suse.com> Date: Thu Nov 10 15:39:03 2016 +0100 branch 2.4: commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8 Author: Howard Guo <hguo@suse.com> Date: Thu Nov 10 15:39:03 2016 +0100 This means starting with OpenLDAP 2.4.45 we can drop the explicit CA configuration in ldap.conf. There are several use cases where an explicit IPA CA should be specified in the configuration. These mostly concern situations where a higher security level must be maintained. For these configurations an administrator would need to add an explicit CA configuration to ldap.conf if we wouldn't add it during the ipa-client-install setup. RN: FreeIPA client installer does not add explicit TLS CA configuration RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA RN: configuration is not required as OpenLDAP uses the default CA store RN: provided by OpenSSL and IPA CA is installed in the default store RN: by the installer already. Fixes: https://pagure.io/freeipa/issue/9258 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
import os
import shutil
import tempfile
import pytest
from ipaplatform.paths import paths
import ipatests.util
# Gate for the ipaclient-only unit test run (presumably skips or aborts the
# module otherwise -- see ipatests.util).  It deliberately runs before
# ipaclient.install.client is imported below; that import therefore follows
# code, which is what the E402 suppression is about.
ipatests.util.check_ipaclient_unittests() # noqa: E402
from ipaclient.install.client import configure_openldap_conf
# with single URI and space-separated directives: a pre-existing ldap.conf
# that configure_openldap_conf() is expected to leave as it is apart from
# appending SASL_MECH (see test_openldap_conf_spaces).  Note the plain
# ldap:// URI is kept, not rewritten to the IPA server.
LDAP_CONF_1 = """
#
# LDAP Defaults
#

BASE dc=example,dc=com
URI ldap://ldap.example.com

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
"""
# URI with two entries and tab-separated directives (the \t escapes below
# produce real tab characters, which OpenLDAP accepts as keyword/value
# separators).  Used by the xfail'ed test_openldap_conf_mixed, which expects
# the whole two-URI value to survive untouched.
LDAP_CONF_2 = """
#
# LDAP Defaults
#

BASE\tdc=example,dc=com
URI\tldap://ldap.example.com ldap://ldap-master.example.com:666

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
"""
# Inputs handed to configure_openldap_conf().  When the file has no such
# directives, BASEDN is written verbatim as BASE and SERVER is turned into an
# ldaps:// URI (see test_openldap_conf_empty); an existing BASE/URI is kept.
BASEDN = 'cn=ipa,cn=example'
SERVER = 'ldap.ipa.example'
class DummyFStore:
    """Stand-in for the file store configure_openldap_conf() receives.

    Only the ``backup_file`` method is provided and it intentionally does
    nothing: the ldap.conf under test lives in a scratch directory, so there
    is nothing worth preserving and no backup should be written anywhere on
    the host running the tests.
    """

    def backup_file(self, fname):
        """Accept a backup request for *fname* and discard it."""
        return None
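def parse_ldap_conf(text):
    """Parse ldap.conf text into ``{keyword: [value, ...]}``.

    Blank lines and ``#`` comments are skipped.  Every other line is split
    once on whitespace (space or tab) into keyword and value; repeated
    keywords accumulate in file order so a test can spot a directive that
    the installer duplicated instead of updating.  A keyword without a
    value is recorded as ``''`` rather than raising, so a malformed line
    shows up in the assertion diff instead of as a ValueError traceback.

    :param text: full contents of an ldap.conf
    :returns: dict mapping each keyword to the list of its values
    """
    settings = {}
    for raw in text.split('\n'):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        value = parts[1] if len(parts) > 1 else ''
        settings.setdefault(parts[0], []).append(value)
    return settings


def ldap_conf(content):
    """Run configure_openldap_conf() against a scratch ldap.conf.

    :param content: initial text of the ldap.conf to present to the
        installer, or None to start with no file at all
    :returns: ``(text, settings)`` -- the resulting file contents and the
        parsed ``{keyword: [value, ...]}`` view from ``parse_ldap_conf``

    ``paths.OPENLDAP_LDAP_CONF`` is pointed at a file in a fresh temporary
    directory for the duration of the call and restored in ``finally`` (and
    the directory removed), so a failing test neither leaves the installer
    aimed at a scratch path nor leaves files behind.  The backup step is a
    no-op via ``DummyFStore``, so nothing is written outside that directory.
    """
    # fixture tmp_path is pytest >= 3.9, so create the scratch dir by hand
    tmp_path = tempfile.mkdtemp()
    cfgfile = os.path.join(tmp_path, 'ldap.conf')
    if content is not None:
        with open(cfgfile, 'w') as f:
            f.write(content)
    orig_ldap_conf = paths.OPENLDAP_LDAP_CONF
    try:
        paths.OPENLDAP_LDAP_CONF = cfgfile
        configure_openldap_conf(DummyFStore(), BASEDN, [SERVER])

        with open(cfgfile) as f:
            text = f.read()
        settings = parse_ldap_conf(text)
    finally:
        paths.OPENLDAP_LDAP_CONF = orig_ldap_conf
        shutil.rmtree(tmp_path)
    return text, settings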
def test_openldap_conf_empty():
    """An empty ldap.conf gains BASE, an ldaps:// URI and SASL_MECH only.

    The settings comparison is exact, so any additional directive the
    installer might emit (for example a TLS_CACERT line) fails the test.
    """
    text, settings = ldap_conf("")
    expected = {
        'BASE': [BASEDN],
        'URI': ['ldaps://%s' % SERVER],
        'SASL_MECH': ['GSSAPI'],
    }
    assert '# File modified by ipa-client-install' in text
    assert settings == expected
def test_openldap_conf_spaces():
    """A space-separated single-URI ldap.conf keeps its own BASE and URI.

    The pre-existing directives -- including the plain ldap:// URI -- are
    left as they were and only SASL_MECH is appended.  The comparison is
    exact, so the installer must neither duplicate an existing directive
    nor add an unexpected one such as TLS_CACERT.
    """
    text, settings = ldap_conf(LDAP_CONF_1)
    assert '# File modified by ipa-client-install' in text
    expected = {
        'BASE': ['dc=example,dc=com'],
        'URI': ['ldap://ldap.example.com'],
        'SASL_NOCANON': ['on'],
        'SASL_MECH': ['GSSAPI'],
    }
    assert settings == expected
@pytest.mark.xfail(reason="freeipa ticket 7838", strict=True)
def test_openldap_conf_mixed():
    """A tab-separated ldap.conf with two URIs should survive untouched.

    Desired outcome: BASE and the complete two-entry URI value are kept
    and only SASL_MECH is added.  The test is xfail'ed while freeipa
    ticket 7838 is open, which presumably means the installer does not yet
    produce this result; with strict=True an unexpected pass is reported as
    a failure, so the marker has to go once the ticket is fixed.
    """
    text, settings = ldap_conf(LDAP_CONF_2)
    assert '# File modified by ipa-client-install' in text
    expected = {
        'BASE': ['dc=example,dc=com'],
        'URI': ['ldap://ldap.example.com ldap://ldap-master.example.com:666'],
        'SASL_NOCANON': ['on'],
        'SASL_MECH': ['GSSAPI'],
    }
    assert settings == expected