From aa745b31d3762121bb0df1432cb2a48d1d15fd2a Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Thu, 26 Feb 2015 04:44:26 -0500
Subject: Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.

ipa-client-automount is run after ipa-client-install so the CA certificate should be available. If the certificate is not available and ipadiscovery.ipacheckldap returns NO_TLS_LDAP warn user and try to continue.

https://fedorahosted.org/freeipa/ticket/4902

Reviewed-By: Martin Basti
Reviewed-By: Rob Crittenden
---
 ipa-client/ipa-install/ipa-client-automount | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'ipa-client')

diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
index 7b9e701de..ca56f9783 100755
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -374,6 +374,10 @@ def main():
     api.bootstrap(**cfg)
     api.finalize()
 
+    ca_cert_path = None
+    if os.path.exists(paths.IPA_CA_CRT):
+        ca_cert_path = paths.IPA_CA_CRT
+
     if options.uninstall:
         return uninstall(fstore, statestore)
 
@@ -385,7 +389,7 @@ def main():
     ds = ipadiscovery.IPADiscovery()
     if not options.server:
         print "Searching for IPA server..."
-        ret = ds.search()
+        ret = ds.search(ca_cert_path=ca_cert_path)
         root_logger.debug('Executing DNS discovery')
         if ret == ipadiscovery.NO_LDAP_SERVER:
             root_logger.debug('Autodiscovery did not find LDAP server')
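Review bot: The CA-certificate lookup at the top of the -374 hunk reports nothing when `paths.IPA_CA_CRT` is absent, so a later warning about unencrypted LDAP cannot be traced back to the missing certificate in the client log. An else branch with `root_logger.debug('%s not found, LDAP server verification will proceed without TLS', paths.IPA_CA_CRT)` would make that link visible. `os.path.exists` also accepts an unreadable or empty file; if ipadiscovery does not fail loudly on an unusable certificate (its code is not visible here), `os.path.isfile` plus an `os.access(..., os.R_OK)` check would be the stricter guard. main() starts and ends outside the hunk.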
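Review bot: `ret = ds.search(ca_cert_path=ca_cert_path)` in the -385 hunk passes the certificate by keyword while `ds.ipacheckldap(server, api.env.realm, ca_cert_path)` in the -401 hunk passes it positionally; one form should be used in both places, and the keyword form is the safer choice if ipacheckldap's parameter order is not guaranteed. The hunk shows only the `NO_LDAP_SERVER` outcome of discovery being handled; whether a NO_TLS_LDAP result on the discovery path gets the same warning the explicit-server path receives is outside the visible lines and worth confirming. main() continues outside the hunk.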
@@ -401,11 +405,13 @@ def main():
     else:
         server = options.server
     root_logger.debug("Verifying that %s is an IPA server" % server)
-    ldapret = ds.ipacheckldap(server, api.env.realm)
+    ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
     if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
         print "Anonymous access to the LDAP server is disabled."
         print "Proceeding without strict verification."
         print "Note: This is not an error if anonymous access has been explicitly restricted."
+    elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
+        root_logger.warning("Unencrypted access to LDAP is not supported.")
     elif ldapret[0] != 0:
         sys.exit('Unable to confirm that %s is an IPA server' % server)
 
-- 
cgit
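Review bot: The new `elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:` branch tolerates an unencrypted LDAP result whether or not a CA certificate was found, but the commit message says NO_TLS_LDAP should be ignored only when the certificate is unavailable. When `ca_cert_path` is set the client had the means to verify the server, so a plaintext-only answer is more likely a misconfigured server or a downgraded connection and should fall through to the `sys.exit` below: `elif ldapret[0] == ipadiscovery.NO_TLS_LDAP and ca_cert_path is None:`. The message could also state what actually happened, as the NO_ACCESS_TO_LDAP branch does, e.g. `root_logger.warning("Unable to verify %s over TLS (no CA certificate available); proceeding without strict verification." % server)` — and since it goes through root_logger rather than print, an interactive user may not see it depending on logger configuration. Whether ipacheckldap can return NO_TLS_LDAP at all when a CA path is supplied is not visible here. main() continues outside the hunk.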