diff options
author | John Dennis <jdennis@redhat.com> | 2012-11-15 14:57:52 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2013-01-23 14:26:42 -0500 |
commit | a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 (patch) | |
tree | 1832274281bcb92cd933b2262b2be221efd031f5 /ipapython | |
parent | 91f4af7e6af53e1c6bf17ed36cb2161863eddae4 (diff) | |
download | freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.gz freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.tar.xz freeipa-a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9.zip |
Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:
* Use GSSAPI connection to LDAP server to download CA cert (now
the default method)
* Add --ca-cert-file option to load the CA cert from a disk file.
Validate the file. If this option is used the supplied CA cert
is considered definitive.
* The insecure HTTP retrieval method is still supported but it must be
explicitly forced and a warning will be emitted.
* Remain backward compatible with unattended case (except for aberrant
condition when preexisting /etc/ipa/ca.crt differs from securely
obtained CA cert, see below)
* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
securely acquired CA cert, if not:
- If --unattended and not --force abort with error
- If interactive query user to accept new CA cert, if not abort
In either case warn user.
* If interactive and LDAP retrieval fails prompt user if they want to
proceed with insecure HTTP method
* If not interactive and LDAP retrieval fails abort unless --force
* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
if ipa-client-install fails it will be restored.
Other changes:
* Add new exception class CertificateInvalidError
* Add utility convert_ldap_error() to ipalib.ipautil
* Replace all hardcoded instances of /etc/ipa/ca.crt in
ipa-client-install with CACERT constant (matches existing practice
elsewhere).
* ipadiscovery no longer retrieves CA cert via HTTP.
* Handle LDAP minssf failures during discovery, treat failure to check
ldap server as a warninbg in absebce of a provided CA certificate via
--ca-cert-file or though existing /etc/ipa/ca.crt file.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/ipautil.py | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index fbb3c26d8..9fdd2fd76 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1174,3 +1174,39 @@ def restore_hostname(statestore): run(['/bin/hostname', old_hostname]) except CalledProcessError, e: print >>sys.stderr, "Failed to set this machine hostname back to %s: %s" % (old_hostname, str(e)) + +def convert_ldap_error(exc): + """ + Make LDAP exceptions prettier. + + Some LDAP exceptions have a dict with descriptive information, if + this exception has a dict extract useful information from it and + format it into something usable and return that. If the LDAP + exception does not have an information dict then return the name + of the LDAP exception. + + If the exception is not an LDAP exception then convert the + exception to a string and return that instead. + """ + if isinstance(exc, ldap.LDAPError): + name = exc.__class__.__name__ + + if len(exc.args): + d = exc.args[0] + if isinstance(d, dict): + desc = d.get('desc', '').strip() + info = d.get('info', '').strip() + if desc and info: + return '%s %s' % (desc, info) + elif desc: + return desc + elif info: + return info + else: + return name + else: + return name + else: + return name + else: + return str(exc) |