authorJan Cholasta <jcholast@redhat.com>2014-09-02 11:28:16 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-09-09 10:36:00 +0200
commitbe4d5bf86336825aed2a9038ebc5caff713d6b0a (patch)
tree3f9d74967566807363c7be8e5ce28db80d199f38
parent712cb047e457e94174901043560f6da83f6b5a34 (diff)
Use autobind when updating CA people entries during certificate renewal
Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump selinux-policy in the spec file. https://fedorahosted.org/freeipa/ticket/4005 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
-rw-r--r--freeipa.spec.in2
-rw-r--r--ipaserver/install/cainstance.py14
2 files changed, 4 insertions, 12 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0c1ea20d6..c6c5d87fc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -109,7 +109,7 @@ Requires: dbus-python
Requires: systemd-units >= 38
Requires(pre): systemd-units
Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-176
+Requires: selinux-policy >= 3.12.1-179
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.47.7
Requires: pki-ca >= 10.1.1
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c237c7464..8c1b139b7 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1890,23 +1890,15 @@ def update_people_entry(dercert):
issuer = x509.get_issuer(dercert, datatype=x509.DER)
attempts = 0
- configured_constants = dogtag.configured_constants(api)
- dogtag_uri = 'ldap://localhost:%d' % configured_constants.DS_PORT
+ server_id = dsinstance.realm_to_serverid(api.env.realm)
+ dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
updated = False
- try:
- dm_password = certmonger.get_pin('internaldb')
- except IOError, e:
- syslog.syslog(
- syslog.LOG_ERR, 'Unable to determine PIN for CA instance: %s' % e)
- return False
-
while attempts < 10:
conn = None
try:
conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
- conn.connect(
- bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
+ conn.connect(autobind=True)
filter = conn.make_filter(
{'description': ';%s;%s' % (issuer, subject)},