From 32e4914584b3dd6c62ebeeea8f6b5b657e5c6bdb Mon Sep 17 00:00:00 2001
From: Jr Aquino
Date: Mon, 21 Feb 2011 12:32:21 -0800
Subject: 18 Use TLS for ipadiscovery during ipa-client-install

https://fedorahosted.org/freeipa/ticket/974
---
 ipa-client/ipaclient/ipadiscovery.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 68b579116..e7c5830da 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -18,10 +18,13 @@
 #
 import socket
+import os
 import logging
 import ipapython.dnsclient
+import tempfile
 import ldap
 from ldap import LDAPError
+from ipapython.ipautil import run, CalledProcessError
 class IPADiscovery:
@@ -172,10 +175,27 @@ class IPADiscovery:
         i = 0
+        # Get the CA certificate
+        try:
+            # Create TempDir
+            temp_ca_dir = tempfile.mkdtemp()
+        except OSError, e:
+            raise RuntimeError("Creating temporary directory failed: %s" % str(e))
+
+        try:
+            run(["/usr/bin/wget", "-O", "%s/ca.crt" % temp_ca_dir, "http://%s/ipa/config/ca.crt" % thost])
+        except CalledProcessError, e:
+            raise RuntimeError('Retrieving CA from %s failed.\n%s' % (thost, str(e)))
+
         #now verify the server is really an IPA server
         try:
             logging.debug("Init ldap with: ldap://"+thost+":389")
             lh = ldap.initialize("ldap://"+thost+":389")
+            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
+            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "%s/ca.crt" % temp_ca_dir)
+            lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+            lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
+            lh.start_tls_s()
             lh.simple_bind_s("","")
             logging.debug("Search rootdse")
@@ -236,6 +256,10 @@ class IPADiscovery:
             logging.error("LDAP Error: timeout")
             return []
+        finally:
+            os.remove("%s/ca.crt" % temp_ca_dir)
+            os.removedirs(temp_ca_dir)
+
     def ipadnssearchldap(self, tdomain):
         servers = ""
--
cgit
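Review bot: The trust anchor used to verify the LDAP server is downloaded over plain HTTP from the very host being verified (`"http://%s/ipa/config/ca.crt" % thost`), and thost presumably comes from unauthenticated DNS discovery elsewhere in this module, so an attacker who answers the SRV lookup or sits on the port-80 path serves both a CA and a matching server certificate and `OPT_X_TLS_REQUIRE_CERT` passes; this buys confidentiality against a passive observer but no server authentication, which the commit message should state, and the probe should prefer an administrator-supplied CA file or fingerprint when one is available. Separately, `lh.set_option(ldap.OPT_X_TLS_DEMAND, True)` passes a value constant as the option key — `OPT_X_TLS_DEMAND` is one of the values of `OPT_X_TLS_REQUIRE_CERT`, not an option — so it sets whatever option shares that number rather than tightening certificate checking; the intended line is `lh.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`, which should also replace the bare `True` in the module-level call. The two `ldap.set_option(...)` calls are process-global and will apply to every connection the installer opens afterwards; setting them on `lh` (followed by `lh.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` on python-ldap versions that require it for per-connection TLS options) keeps them scoped to this probe. The enclosing method starts before this hunk.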
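Review bot: The `finally` cleanup is attached to the LDAP `try` statement, but `temp_ca_dir` is created and the wget fetch runs before that statement (previous hunk), so a failed fetch raises `RuntimeError` before any cleanup and leaks the temporary directory and whatever wget wrote into it. `os.removedirs` also walks upward removing empty parent directories, which is never wanted for a `mkdtemp()` directory; `os.rmdir(temp_ca_dir)` is the intended call, and as written a failing `os.remove` skips the directory removal entirely. Wrapping everything after `mkdtemp()` in an outer try/finally that tolerates a missing file closes the gap. The enclosing method starts before this hunk, and the try statement this `finally` belongs to also begins outside it.
```python
        temp_ca_dir = tempfile.mkdtemp()
        try:
            try:
                run(["/usr/bin/wget", "-O", "%s/ca.crt" % temp_ca_dir, "http://%s/ipa/config/ca.crt" % thost])
            except CalledProcessError, e:
                raise RuntimeError('Retrieving CA from %s failed.\n%s' % (thost, str(e)))
            # ... unchanged: LDAP probe (try / except LDAPError ... / return []) ...
        finally:
            try:
                os.remove("%s/ca.crt" % temp_ca_dir)
            except OSError:
                pass
            os.rmdir(temp_ca_dir)
```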