From a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Thu, 15 Nov 2012 14:57:52 -0500
Subject: Use secure method to acquire IPA CA certificate

Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
 ipalib/errors.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'ipalib/errors.py')

diff --git a/ipalib/errors.py b/ipalib/errors.py
index a391ada67..0524cad87 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1682,6 +1682,23 @@ class ProtectedEntryError(ExecutionError):
     format = _('%(label)s %(key)s cannot be deleted/modified: %(reason)s')
 
 
+class CertificateInvalidError(CertificateError):
+    """
+    **4310** Raised when a certificate is not valid
+
+    For example:
+
+    >>> raise CertificateInvalidError(name=_(u'CA'))
+    Traceback (most recent call last):
+      ...
+    CertificateInvalidError: CA certificate is not valid
+
+    """
+
+    errno = 4310
+    format = _('%(name)s certificate is not valid')
+
+
 ##############################################################################
 # 5000 - 5999: Generic errors
 
-- 
cgit