diff options
author | Martin Basti <mbasti@redhat.com> | 2013-11-21 17:01:36 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2013-12-02 13:30:12 +0100 |
commit | efffcfdbc24ad81d48c7b65443a75928b156cc49 (patch) | |
tree | a51cd002a9f18b670238f847de52c300f613b6cd /ipalib/plugins | |
parent | db7dbbb14155883f6df7eb4739a0345073482001 (diff) | |
download | freeipa-efffcfdbc24ad81d48c7b65443a75928b156cc49.tar.gz freeipa-efffcfdbc24ad81d48c7b65443a75928b156cc49.tar.xz freeipa-efffcfdbc24ad81d48c7b65443a75928b156cc49.zip |
migrate-ds added --ca-cert-file=FILE option
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).
Ticket: https://fedorahosted.org/freeipa/ticket/3243
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/migration.py | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 83bf40dbf..a89e944c9 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -20,7 +20,7 @@ import re from ipalib import api, errors, output -from ipalib import Command, Password, Str, Flag, StrEnum, DNParam +from ipalib import Command, Password, Str, Flag, StrEnum, DNParam, File from ipalib.cli import to_cli from ipalib.plugins.user import NO_UPG_MAGIC if api.env.in_server and api.env.context in ['lite', 'server']: @@ -30,6 +30,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']: raise e from ipalib import _ from ipapython.dn import DN +from ipapython.ipautil import write_tmp_file import datetime __doc__ = _(""" @@ -593,6 +594,12 @@ class migrate_ds(Command): doc=_('Allows migration despite the usage of compat plugin'), default=False, ), + File('cacertfile?', + cli_name='ca_cert_file', + label=_('CA certificate'), + doc=_('Load CA certificate of LDAP server from FILE'), + default=None + ), ) has_output = ( @@ -844,7 +851,6 @@ can use their Kerberos accounts.''') def execute(self, ldapuri, bindpw, **options): ldap = self.api.Backend.ldap2 self.normalize_options(options) - config = ldap.get_ipa_config()[1] ds_base_dn = options.get('basedn') @@ -857,7 +863,20 @@ can use their Kerberos accounts.''') # connect to DS ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') - ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) + + cacert = None + if options.get('cacertfile') is not None: + #store CA cert into file + tmp_ca_cert_f = write_tmp_file(options['cacertfile']) + cacert = tmp_ca_cert_f.name + + #start TLS connection + ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw, + tls_cacertfile=cacert) + + tmp_ca_cert_f.close() + else: + ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) #check whether the compat plugin is enabled if not options.get('compat'): |