summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJr Aquino <jr.aquino@citrix.com>2011-02-21 12:32:21 -0800
committerRob Crittenden <rcritten@redhat.com>2011-02-21 16:09:37 -0500
commit32e4914584b3dd6c62ebeeea8f6b5b657e5c6bdb (patch)
treed0cd25e9854cca3c97ec607802997b3622e3d33b
parent88870b1abedb22c3a1d77928c35ed1b1ab87f79e (diff)
downloadfreeipa-32e4914584b3dd6c62ebeeea8f6b5b657e5c6bdb.zip
freeipa-32e4914584b3dd6c62ebeeea8f6b5b657e5c6bdb.tar.gz
freeipa-32e4914584b3dd6c62ebeeea8f6b5b657e5c6bdb.tar.xz
18 Use TLS for ipadiscovery during ipa-client-install https://fedorahosted.org/freeipa/ticket/974
-rw-r--r--ipa-client/ipaclient/ipadiscovery.py24
1 files changed, 24 insertions, 0 deletions
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 68b5791..e7c5830 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -18,10 +18,13 @@
#
import socket
+import os
import logging
import ipapython.dnsclient
+import tempfile
import ldap
from ldap import LDAPError
+from ipapython.ipautil import run, CalledProcessError
class IPADiscovery:
@@ -172,10 +175,27 @@ class IPADiscovery:
i = 0
+ # Get the CA certificate
+ try:
+ # Create TempDir
+ temp_ca_dir = tempfile.mkdtemp()
+ except OSError, e:
+ raise RuntimeError("Creating temporary directory failed: %s" % str(e))
+
+ try:
+ run(["/usr/bin/wget", "-O", "%s/ca.crt" % temp_ca_dir, "http://%s/ipa/config/ca.crt" % thost])
+ except CalledProcessError, e:
+ raise RuntimeError('Retrieving CA from %s failed.\n%s' % (thost, str(e)))
+
#now verify the server is really an IPA server
try:
logging.debug("Init ldap with: ldap://"+thost+":389")
lh = ldap.initialize("ldap://"+thost+":389")
+ ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "%s/ca.crt" % temp_ca_dir)
+ lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+ lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
+ lh.start_tls_s()
lh.simple_bind_s("","")
logging.debug("Search rootdse")
@@ -236,6 +256,10 @@ class IPADiscovery:
logging.error("LDAP Error: timeout")
return []
+ finally:
+ os.remove("%s/ca.crt" % temp_ca_dir)
+ os.removedirs(temp_ca_dir)
+
def ipadnssearchldap(self, tdomain):
servers = ""