Make ipa-join work against an LDAP server that disallows anon binds

We determine the realm in the client installer so we can deduce
the base dn, pass that into ipa-join so we don't have to hunt for
it.

Re-order the bind so when doing an OTP enrollment so we can use the host
entry to authenticate before we retrieve the subject base, then initiate
the enrollment.

If ipa-join is called without a basedn it will still attempt to
determine it, but it will fail if anonymous binds are not allowed.

https://fedorahosted.org/freeipa/ticket/1935

1 files changed, 2 insertions, 2 deletions

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 1b9c48845..a1d3d6577 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -31,7 +31,7 @@ try:
     from ipaclient import ipadiscovery
     import ipaclient.ipachangeconf
     import ipaclient.ntpconf
-    from ipapython.ipautil import run, user_input, CalledProcessError, file_exists
+    from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, realm_to_suffix
     import ipapython.services as ipaservices
     from ipapython import ipautil
     from ipapython import dnsclient
@@ -942,7 +942,7 @@ def install(options, env, fstore, statestore):
                 print "Test kerberos configuration failed"
                 return CLIENT_INSTALL_ERROR
             env['KRB5_CONFIG'] = krb_name
-            join_args = ["/usr/sbin/ipa-join", "-s", cli_server]
+            join_args = ["/usr/sbin/ipa-join", "-s", cli_server, "-b", realm_to_suffix(cli_realm)]
             if options.debug:
                 join_args.append("-d")
             if options.hostname: