diff options
| author | David Kupka <dkupka@redhat.com> | 2015-02-26 04:44:26 -0500 |
|---|---|---|
| committer | Petr Vobornik <pvoborni@redhat.com> | 2015-03-05 10:59:01 +0100 |
| commit | aa745b31d3762121bb0df1432cb2a48d1d15fd2a (patch) | |
| tree | ae0b7a9068e512eaf86dfc4a6c5ad03294e261ae /ipa-client | |
| parent | ae4ee6b53376bb7f3d1b4707c4e105c91b5cd8ab (diff) | |
| download | freeipa-aa745b31d3762121bb0df1432cb2a48d1d15fd2a.tar.gz freeipa-aa745b31d3762121bb0df1432cb2a48d1d15fd2a.tar.xz freeipa-aa745b31d3762121bb0df1432cb2a48d1d15fd2a.zip | |
Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
ipa-client-automount is run after ipa-client-install so the CA certificate
should be available. If the certificate is not available and ipadiscovery.ipacheckldap
returns NO_TLS_LDAP warn user and try to continue.
https://fedorahosted.org/freeipa/ticket/4902
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipa-client')
| -rwxr-xr-x | ipa-client/ipa-install/ipa-client-automount | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount index 7b9e701de..ca56f9783 100755 --- a/ipa-client/ipa-install/ipa-client-automount +++ b/ipa-client/ipa-install/ipa-client-automount @@ -374,6 +374,10 @@ def main(): api.bootstrap(**cfg) api.finalize() + ca_cert_path = None + if os.path.exists(paths.IPA_CA_CRT): + ca_cert_path = paths.IPA_CA_CRT + if options.uninstall: return uninstall(fstore, statestore) @@ -385,7 +389,7 @@ def main(): ds = ipadiscovery.IPADiscovery() if not options.server: print "Searching for IPA server..." - ret = ds.search() + ret = ds.search(ca_cert_path=ca_cert_path) root_logger.debug('Executing DNS discovery') if ret == ipadiscovery.NO_LDAP_SERVER: root_logger.debug('Autodiscovery did not find LDAP server') @@ -401,11 +405,13 @@ def main(): else: server = options.server root_logger.debug("Verifying that %s is an IPA server" % server) - ldapret = ds.ipacheckldap(server, api.env.realm) + ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path) if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP: print "Anonymous access to the LDAP server is disabled." print "Proceeding without strict verification." print "Note: This is not an error if anonymous access has been explicitly restricted." + elif ldapret[0] == ipadiscovery.NO_TLS_LDAP: + root_logger.warning("Unencrypted access to LDAP is not supported.") elif ldapret[0] != 0: sys.exit('Unable to confirm that %s is an IPA server' % server) |