author | Simo Sorce <ssorce@redhat.com> | 2008-08-11 16:15:30 -0400 |
committer | Simo Sorce <ssorce@redhat.com> | 2008-08-13 15:36:57 -0400 |
commit | f5177e6b84a44d417e0e37df40fe92f62de9262d (patch) | |
tree | 0f3c76c38cdc45fda14582d29fbc1b500ef6bec8 | |
parent | 0d6b6fa084830c9c93ee2a53707b6697f6cbcfa9 (diff) | |
Install the ca.crt file early on so that we can always enforce SSL-protected
connections to other LDAP servers.
Fix error reporting on replica creation.
-rw-r--r-- | ipa-server/ipa-install/ipa-replica-install | 25 | ||||
-rw-r--r-- | ipa-server/ipaserver/ipaldap.py | 2 | ||||
-rw-r--r-- | ipa-server/ipaserver/replication.py | 22 |
3 files changed, 27 insertions, 22 deletions
diff --git a/ipa-server/ipa-install/ipa-replica-install b/ipa-server/ipa-install/ipa-replica-install
index d1f859179..0b6727e22 100644
--- a/ipa-server/ipa-install/ipa-replica-install
+++ b/ipa-server/ipa-install/ipa-replica-install
@@ -30,6 +30,8 @@ from ipaserver import dsinstance, replication, installutils, krbinstance, servic
 from ipaserver import httpinstance, ntpinstance, certs, ipaldap
 from ipa import version
+CACERT="/usr/share/ipa/html/ca.crt"
+
 class ReplicaConfig:
 def __init__(self):
 self.realm_name = ""
@@ -122,6 +124,15 @@ def install_krb(config):
 config.domain_name, config.dirman_password, ldappwd_filename, kpasswd_filename)
+def install_ca_cert(config):
+ if ipautil.file_exists(config.dir + "/ca.crt"):
+ try:
+ shutil.copy(config.dir + "/ca.crt", CACERT)
+ os.chmod(CACERT, 0444)
+ except Exception, e:
+ print "error copying files: " + str(e)
+ sys.exit(1)
+
 def install_http(config):
 # if we have a pkcs12 file, create the cert db from
 # that. Otherwise the ds setup will create the CA
@@ -139,8 +150,6 @@ def install_http(config):
 try:
 shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
 shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
- shutil.copy(config.dir + "/ca.crt", "/usr/share/ipa/html/ca.crt")
- os.chmod("/usr/share/ipa/html/ca.crt", 0444)
 except Exception, e:
 print "error copying files: " + str(e)
 sys.exit(1)
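Review bot: install_ca_cert silently does nothing when config.dir + "/ca.crt" is absent, yet the file it copies to CACERT is the trust anchor that the later SSL connections in main() depend on, so a missing CA cert only surfaces afterwards as the generic "Unable to connect to LDAP server" from the replication step rather than at its cause. Failing here is clearer for the operator: add `else:` / `print "error: ca.crt not found in " + config.dir` / `sys.exit(1)` after the `if ipautil.file_exists(...)` branch. A one-line docstring would also help, e.g. `"""Install the master's CA cert at CACERT so later LDAP connections can verify the server."""`. The mode 0444 is appropriate for a public CA certificate and needs no change; hunk @@ -139 below only removes the old copy from install_http.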
@@ -234,12 +243,14 @@ def main():
 # Configure dirsrv
 ds = install_ds(config)
- repl = replication.ReplicationManager(config.host_name, config.dirman_password)
- if repl is None:
+ # Install CA cert so that we can do SSL connections with ldap
+ install_ca_cert(config)
+
+ try:
+ repl = replication.ReplicationManager(config.host_name, config.dirman_password)
+ ret = repl.setup_replication(config.master_host_name, config.realm_name)
+ except:
 raise RuntimeError("Unable to connect to LDAP server %s." % config.host_name)
- ret = repl.setup_replication(config.master_host_name, config.realm_name)
- if ret is None:
- raise RuntimeError("Unable to connect to LDAP server %s." % config.master_host_name)
 if ret != 0:
 raise RuntimeError("Failed to start replication")
diff --git a/ipa-server/ipaserver/ipaldap.py b/ipa-server/ipaserver/ipaldap.py
index 04e86680c..3006d479b 100644
--- a/ipa-server/ipaserver/ipaldap.py
+++ b/ipa-server/ipaserver/ipaldap.py
@@ -270,7 +270,9 @@ class IPAdmin(SimpleLDAPObject):
 ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
 if cacert is not None:
 ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,cacert)
+ if bindcert is not None:
 ldap.set_option(ldap.OPT_X_TLS_CERTFILE,bindcert)
+ if bindkey is not None:
 ldap.set_option(ldap.OPT_X_TLS_KEYFILE,bindkey)
 self.__wrapmethods()
diff --git a/ipa-server/ipaserver/replication.py b/ipa-server/ipaserver/replication.py
index d8bb60066..d3b1551c8 100644
--- a/ipa-server/ipaserver/replication.py
+++ b/ipa-server/ipaserver/replication.py
@@ -24,6 +24,7 @@ from ldap import modlist
 from ipa import ipaerror
 DIRMAN_CN = "cn=directory manager"
+CACERT="/usr/share/ipa/html/ca.crt"
 PORT = 636
 TIMEOUT = 120
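Review bot: The bare `except:` in the new try block in main() reports every failure of ReplicationManager() and setup_replication() — a bad Directory Manager password, a TLS verification failure against the freshly installed CACERT, or an error reaching config.master_host_name — as "Unable to connect to LDAP server" naming config.host_name, and discards the original exception, which works against the "fix error reporting" aim of this commit. Catching the LDAP errors the removed replication.py code used to handle and keeping their text, e.g. `except ldap.LDAPError, e:` / `raise RuntimeError("Unable to connect to LDAP server %s: %s" % (config.host_name, e))`, would preserve the cause (assuming the ldap module is importable in this script, which is not visible here). A bare except also swallows KeyboardInterrupt and SystemExit. main() starts and ends outside the hunk.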
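Review bot: The new bindcert/bindkey guards in IPAdmin stop None being handed to set_option, but all three calls are module-level `ldap.set_option`, which as I read python-ldap sets process-wide defaults rather than options on this connection object, so a CA file or client cert set by one IPAdmin() stays in effect for every later instance, and how strictly the server certificate is verified still depends on the library/ldap.conf default for OPT_X_TLS_REQUIRE_CERT. Given the commit's aim of always enforcing SSL-protected connections, making that explicit next to the CACERTFILE line with `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` is worth considering. At minimum a comment on the cacert branch, e.g. `# NOTE: ldap.set_option is process-global, not per connection`, would warn the next maintainer. IPAdmin.__init__ starts and ends outside the hunk.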
@@ -32,13 +33,9 @@ class ReplicationManager:
 def __init__(self, hostname, dirman_passwd):
 self.hostname = hostname
 self.dirman_passwd = dirman_passwd
- try:
- self.conn = ipaldap.IPAdmin(hostname)
- self.conn.do_simple_bind(bindpw=dirman_passwd)
- except ldap.CONNECT_ERROR, e:
- return None
- except ldap.SERVER_DOWN, e:
- return None
+
+ self.conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
+ self.conn.do_simple_bind(bindpw=dirman_passwd)
 self.repl_man_passwd = dirman_passwd
@@ -175,7 +172,7 @@ class ReplicationManager:
 logging.debug("failed to find mappting tree entry for %s" % self.suffix)
 raise e
- return entry
+ return entry
 def enable_chain_on_update(self, bename):
@@ -301,13 +298,8 @@ class ReplicationManager:
 - the directory manager password needs to be the same on both directories.
 """
- try:
- other_conn = ipaldap.IPAdmin(other_hostname)
- other_conn.do_simple_bind(bindpw=self.dirman_passwd)
- except ldap.CONNECT_ERROR, e:
- return None
- except ldap.SERVER_DOWN, e:
- return None
+ other_conn = ipaldap.IPAdmin(other_hostname, port=PORT, cacert=CACERT)
+ other_conn.do_simple_bind(bindpw=self.dirman_passwd)
 self.suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(realm_name))
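Review bot: Removing the try/except in __init__ and in setup_replication (hunk @@ -301) is the right fix — `return None` inside __init__ never made the constructor evaluate to None, so the caller's old `if repl is None` check was dead — but the new contract that ldap errors (SERVER_DOWN, CONNECT_ERROR, a failed bind) now propagate to the caller is undocumented. Add a docstring line to both, e.g. `Raises ldap.LDAPError subclasses if the connection or the Directory Manager bind fails.`. Both connections now go to PORT (636) with cacert=CACERT, but whether IPAdmin actually uses an SSL transport for that port is not visible here and is worth confirming, since otherwise the CA file is set but the Directory Manager password in do_simple_bind still travels in clear. CACERT is now also defined separately in ipa-replica-install (hunk @@ -30); a single definition imported by the script would keep the two paths from drifting. Both __init__ and setup_replication continue outside their hunks.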