author | Jan Cholasta <jcholast@redhat.com> | 2014-10-13 14:30:15 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-17 12:53:11 +0200 |
commit | 608851d3f86a9082b394c30fe0c7a7b33d43f363 (patch) | |
tree | 4e1e34c392d56672d22c7d8d00c0794163048119 /ipa-client/ipa-install/ipa-client-install | |
parent | 6227ebb0cd2d8661d9233e26adb5e0bff7fe4c0d (diff) | |
Check LDAP instead of local configuration to see if IPA CA is enabled
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipa-client/ipa-install/ipa-client-install')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 3b6e581c7..7b1e2f8b0 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1093,11 +1093,11 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 return 0
 def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
- remote_env):
+ ca_enabled):
 if not options.request_cert:
 return
- if not remote_env['enable_ra']:
+ if not ca_enabled:
 root_logger.warning(
 "An RA is not configured on the server. "
 "Not requesting host certificate.")
@@ -1696,11 +1696,11 @@ def print_port_conf_info():
 " TCP: 464\n"
 " UDP: 464, 123 (if NTP enabled)")
-def get_certs_from_ldap(server, base_dn, realm, enable_ra):
+def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
 conn = ipaldap.IPAdmin(server, sasl_nocanon=True)
 try:
 conn.do_sasl_gssapi_bind()
- certs = certstore.get_ca_certs(conn, base_dn, realm, enable_ra)
+ certs = certstore.get_ca_certs(conn, base_dn, realm, ca_enabled)
 except errors.NotFound:
 raise errors.NoCertificateError(entry=server)
 except errors.NetworkError, e:
@@ -2640,13 +2640,20 @@ def install(options, env, fstore, statestore):
 return CLIENT_INSTALL_ERROR
 # Use the RPC directly so older servers are supported
- result = api.Backend.rpcclient.forward(
- 'env',
- server=True,
- version=u'2.0',
- )
- remote_env = result['result']
- if not remote_env['enable_ra']:
+ try:
+ result = api.Backend.rpcclient.forward(
+ 'ca_is_enabled',
+ version=u'2.0',
+ )
+ ca_enabled = result['result']
+ except errors.CommandError:
+ result = api.Backend.rpcclient.forward(
+ 'env',
+ server=True,
+ version=u'2.0',
+ )
+ ca_enabled = result['result']['enable_ra']
+ if not ca_enabled:
 disable_ra()
 # Create IPA NSS database
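Review bot: In the install() hunk, the `except errors.CommandError:` branch silently switches the answer from the new `ca_is_enabled` command back to the server's `env` value `enable_ra`, which is the source this commit moves away from, and nothing records which source decided whether `disable_ra()` runs. I would log the fallback, e.g. `root_logger.debug("ca_is_enabled not available on server, falling back to env enable_ra")`, and add a comment on the branch such as `# ca_is_enabled is missing on older servers; fall back to the env command`. The reply in `result['result']` is also used directly as a truth value; presumably the command returns a bool, but that is not visible here, so a one-line comment stating the expected type would help. install() starts and ends outside the hunk.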
@@ -2658,7 +2665,7 @@ def install(options, env, fstore, statestore):
 # Get CA certificates from the certificate store
 ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
- remote_env['enable_ra'])
+ ca_enabled)
 ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
 for (c, n, t, u) in ca_certs]
@@ -2692,7 +2699,7 @@ def install(options, env, fstore, statestore):
 if not options.on_master:
 client_dns(cli_server[0], hostname, options.dns_updates)
 configure_certmonger(fstore, subject_base, cli_realm, hostname,
- options, remote_env)
+ options, ca_enabled)
 update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp) |