diff options
author | John Dennis <jdennis@redhat.com> | 2012-11-15 14:57:52 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-23 14:26:42 -0500 |
commit | a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 (patch) | |
tree | 1832274281bcb92cd933b2262b2be221efd031f5 /ipa-client/config.c | |
parent | 91f4af7e6af53e1c6bf17ed36cb2161863eddae4 (diff) | |
download | freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.gz freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.xz freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.zip |
Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warninbg in absebce of a provided CA certificate via
--ca-cert-file or though existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipa-client/config.c')
0 files changed, 0 insertions, 0 deletions