From a44ccf872262b1289cd2577a6ba55071066a5209 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Fri, 13 Mar 2015 16:53:52 -0600
Subject: Allow use of secure LDAPS connection - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
---
 .../deployment/scriptlets/security_databases.py | 26 ++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
(limited to 'base/server/python/pki/server/deployment/scriptlets/security_databases.py')
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index 8adb3c4e3..546050725 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -95,8 +95,30 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             # Delete the temporary 'noise' file
             deployer.file.delete(
                 deployer.mdict['pki_self_signed_noise_file'])
-            # Delete the temporary 'pfile'
-            deployer.file.delete(deployer.mdict['pki_shared_pfile'])
+
+            # Check to see if a secure connection is being used for the DS
+            if config.str2bool(deployer.mdict['pki_ds_secure_connection']):
+                # Check to see if a directory server CA certificate
+                # using the same nickname already exists
+                rv = deployer.certutil.verify_certificate_exists(
+                    deployer.mdict['pki_database_path'],
+                    deployer.mdict['pki_cert_database'],
+                    deployer.mdict['pki_key_database'],
+                    deployer.mdict['pki_secmod_database'],
+                    deployer.mdict['pki_self_signed_token'],
+                    deployer.mdict['pki_ds_secure_connection_ca_nickname'],
+                    password_file=deployer.mdict['pki_shared_pfile'])
+                if not rv:
+                    # Import the directory server CA certificate
+                    rv = deployer.certutil.import_cert(
+                        deployer.mdict['pki_ds_secure_connection_ca_nickname'],
+                        deployer.mdict['pki_ds_secure_connection_ca_trustargs'],
+                        deployer.mdict['pki_ds_secure_connection_ca_pem_file'],
+                        password_file=deployer.mdict['pki_shared_pfile'],
+                        path=deployer.mdict['pki_database_path'])
+
+            # Always delete the temporary 'pfile'
+            deployer.file.delete(deployer.mdict['pki_shared_pfile'])
             return self.rv
 
     def destroy(self, deployer):
-- 
cgit
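Review bot: The result of `deployer.certutil.import_cert(...)` is stored in `rv` but never examined, so a failed import of the directory-server CA (missing or unreadable `pki_ds_secure_connection_ca_pem_file`, wrong password, bad trust args) lets the scriptlet delete the pfile and still return `self.rv` unchanged, and the first sign of trouble is a later LDAPS failure far from its cause. Right after the `import_cert` call I would add `if not rv:` followed by a log line naming the nickname and PEM path and then whatever failure signalling this scriptlet's other steps use (raising, or setting `self.rv` to the error code), so pkispawn stops here rather than proceeding without a trust anchor. A second, smaller point: `verify_certificate_exists` matches only on `pki_ds_secure_connection_ca_nickname`, so a stale certificate already stored under that nickname is silently kept in preference to the configured PEM file; a comment such as `# An existing cert under this nickname wins; the PEM file is not compared against it` would at least make that visible, and logging which branch was taken would help operators. Whether `config` is imported in this module is not visible in the hunk, and the enclosing `spawn` method begins and ends outside it.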