authorSimo Sorce <ssorce@redhat.com>2008-08-11 16:15:30 -0400
committerSimo Sorce <ssorce@redhat.com>2008-08-13 15:36:57 -0400
commitf5177e6b84a44d417e0e37df40fe92f62de9262d (patch)
tree0f3c76c38cdc45fda14582d29fbc1b500ef6bec8 /ipa-server/ipaserver
parent0d6b6fa084830c9c93ee2a53707b6697f6cbcfa9 (diff)
Install the ca.crt file early on so that we can always enforce SSL-protected
connections to other LDAP servers. Fix error reporting on replica creation.
Diffstat (limited to 'ipa-server/ipaserver')
-rw-r--r--ipa-server/ipaserver/ipaldap.py2
-rw-r--r--ipa-server/ipaserver/replication.py22
2 files changed, 9 insertions, 15 deletions
diff --git a/ipa-server/ipaserver/ipaldap.py b/ipa-server/ipaserver/ipaldap.py
index 04e86680c..3006d479b 100644
--- a/ipa-server/ipaserver/ipaldap.py
+++ b/ipa-server/ipaserver/ipaldap.py
@@ -270,7 +270,9 @@ class IPAdmin(SimpleLDAPObject):
ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
if cacert is not None:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,cacert)
+ if bindcert is not None:
ldap.set_option(ldap.OPT_X_TLS_CERTFILE,bindcert)
+ if bindkey is not None:
ldap.set_option(ldap.OPT_X_TLS_KEYFILE,bindkey)
self.__wrapmethods()
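Review bot: Supplying `cacert` sets only the trust file; nothing in this hunk sets the verification policy, so whether a bad server certificate is rejected is left to the library default or a local ldap.conf. If the goal is to always enforce verified connections, pin the policy next to the CA file, e.g. `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` under the `cacert` branch. The new `bindcert` and `bindkey` guards are independent, so a caller passing only one of them ends up with a half-configured client identity; a single `if bindcert is not None and bindkey is not None:` (or an explicit error on a mismatch) would surface that. These are module-level `ldap.set_option` calls, so they presumably apply to every connection in the process; the enclosing method starts and ends outside the hunk.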
diff --git a/ipa-server/ipaserver/replication.py b/ipa-server/ipaserver/replication.py
index d8bb60066..d3b1551c8 100644
--- a/ipa-server/ipaserver/replication.py
+++ b/ipa-server/ipaserver/replication.py
@@ -24,6 +24,7 @@ from ldap import modlist
from ipa import ipaerror
DIRMAN_CN = "cn=directory manager"
+CACERT="/usr/share/ipa/html/ca.crt"
PORT = 636
TIMEOUT = 120
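Review bot: `CACERT` becomes the trust anchor for every replication connection but carries no comment, and its `CACERT="..."` spacing differs from the neighbouring `PORT = 636`. I would write `CACERT = "/usr/share/ipa/html/ca.crt"` preceded by `# CA certificate used to verify peer LDAP servers; must be installed before ReplicationManager is used`. The path sits under an `html` directory, which suggests the file is also published over HTTP; that is fine for a public certificate, but the file should then be writable only by root, since whoever can replace it decides which servers are trusted.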
@@ -32,13 +33,9 @@ class ReplicationManager:
def __init__(self, hostname, dirman_passwd):
self.hostname = hostname
self.dirman_passwd = dirman_passwd
- try:
- self.conn = ipaldap.IPAdmin(hostname)
- self.conn.do_simple_bind(bindpw=dirman_passwd)
- except ldap.CONNECT_ERROR, e:
- return None
- except ldap.SERVER_DOWN, e:
- return None
+
+ self.conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
+ self.conn.do_simple_bind(bindpw=dirman_passwd)
self.repl_man_passwd = dirman_passwd
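Review bot: A missing `CACERT` file or a certificate mismatch will most likely reach the caller as the same `ldap.SERVER_DOWN` as an unreachable host, because `__init__` lets every error from `IPAdmin(...)` and `do_simple_bind(...)` propagate unannotated. A pre-check such as `if not os.path.isfile(CACERT): raise RuntimeError("CA certificate %s not found" % CACERT)` (it needs `import os`, which is not visible here) would separate a broken install from a network or TLS failure. The constructor also deserves a docstring saying that it connects over LDAPS on `PORT`, verifies against `CACERT` and raises `ldap.LDAPError` on failure. The same applies to the `other_conn` lines in the `-301,13 +298,8` hunk, where the directory manager password is sent to `other_hostname`. Whether `IPAdmin` actually switches to `ldaps://` and checks the peer name when `cacert` is given is not visible on this page and is worth confirming.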
@@ -175,7 +172,7 @@ class ReplicationManager:
logging.debug("failed to find mappting tree entry for %s" % self.suffix)
raise e
- return entry
+ return entry
def enable_chain_on_update(self, bename):
@@ -301,13 +298,8 @@ class ReplicationManager:
- the directory manager password needs to be the same on
both directories.
"""
- try:
- other_conn = ipaldap.IPAdmin(other_hostname)
- other_conn.do_simple_bind(bindpw=self.dirman_passwd)
- except ldap.CONNECT_ERROR, e:
- return None
- except ldap.SERVER_DOWN, e:
- return None
+ other_conn = ipaldap.IPAdmin(other_hostname, port=PORT, cacert=CACERT)
+ other_conn.do_simple_bind(bindpw=self.dirman_passwd)
self.suffix = ipaldap.IPAdmin.normalizeDN(dsinstance.realm_to_suffix(realm_name))