diff options
| author | John Dennis <jdennis@redhat.com> | 2012-11-15 14:57:52 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-23 14:26:42 -0500 |
| commit | a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 (patch) | |
| tree | 1832274281bcb92cd933b2262b2be221efd031f5 /ipalib/errors.py | |
| parent | 91f4af7e6af53e1c6bf17ed36cb2161863eddae4 (diff) | |
| download | freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.gz freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.xz freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.zip | |
Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warninbg in absebce of a provided CA certificate via
--ca-cert-file or though existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipalib/errors.py')
| -rw-r--r-- | ipalib/errors.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py index a391ada67..0524cad87 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1682,6 +1682,23 @@ class ProtectedEntryError(ExecutionError): format = _('%(label)s %(key)s cannot be deleted/modified: %(reason)s') +class CertificateInvalidError(CertificateError): + """ + **4310** Raised when a certificate is not valid + + For example: + + >>> raise CertificateInvalidError(name=_(u'CA')) + Traceback (most recent call last): + ... + CertificateInvalidError: CA certificate is not valid + + """ + + errno = 4310 + format = _('%(name)s certificate is not valid') + + ############################################################################## # 5000 - 5999: Generic errors |