author | Martin Basti <mbasti@redhat.com> | 2013-11-21 17:01:36 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2013-12-02 13:30:12 +0100 |
commit | efffcfdbc24ad81d48c7b65443a75928b156cc49 (patch) | |
tree | a51cd002a9f18b670238f847de52c300f613b6cd | |
parent | db7dbbb14155883f6df7eb4739a0345073482001 (diff) | |
migrate-ds added --ca-cert-file=FILE option
FILE is used to specify CA certificate for DS connection when TLS is
required (ldaps://...).
Ticket: https://fedorahosted.org/freeipa/ticket/3243
-rw-r--r-- | API.txt | 3 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | ipalib/plugins/migration.py | 25 |
3 files changed, 25 insertions, 5 deletions
@@ -2073,11 +2073,12 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('value', <type 'unicode'>, None) command: migrate_ds -args: 2,17,4 +args: 2,18,4 arg: Str('ldapuri', cli_name='ldap_uri') arg: Password('bindpw', cli_name='password', confirm=False) option: DNParam('basedn?', cli_name='base_dn') option: DNParam('binddn?', autofill=True, cli_name='bind_dn', default=ipapython.dn.DN('cn=directory manager')) +option: File('cacertfile?', cli_name='ca_cert_file', default=None) option: Flag('compat?', autofill=True, cli_name='with_compat', default=False) option: Flag('continue?', autofill=True, default=False) option: Str('exclude_groups*', autofill=True, cli_name='exclude_groups', csv=True, default=()) @@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=68 +IPA_API_VERSION_MINOR=69 diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 83bf40dbf..a89e944c9 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -20,7 +20,7 @@ import re from ipalib import api, errors, output -from ipalib import Command, Password, Str, Flag, StrEnum, DNParam +from ipalib import Command, Password, Str, Flag, StrEnum, DNParam, File from ipalib.cli import to_cli from ipalib.plugins.user import NO_UPG_MAGIC if api.env.in_server and api.env.context in ['lite', 'server']: @@ -30,6 +30,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']: raise e from ipalib import _ from ipapython.dn import DN +from ipapython.ipautil import write_tmp_file import datetime __doc__ = _(""" 
@@ -593,6 +594,12 @@ class migrate_ds(Command): doc=_('Allows migration despite the usage of compat plugin'), default=False, ), + File('cacertfile?', + cli_name='ca_cert_file', + label=_('CA certificate'), + doc=_('Load CA certificate of LDAP server from FILE'), + default=None + ), ) has_output = ( @@ -844,7 +851,6 @@ can use their Kerberos accounts.''') def execute(self, ldapuri, bindpw, **options): ldap = self.api.Backend.ldap2 self.normalize_options(options) - config = ldap.get_ipa_config()[1] ds_base_dn = options.get('basedn') @@ -857,7 +863,20 @@ can use their Kerberos accounts.''') # connect to DS ds_ldap = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') - ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) + + cacert = None + if options.get('cacertfile') is not None: + #store CA cert into file + tmp_ca_cert_f = write_tmp_file(options['cacertfile']) + cacert = tmp_ca_cert_f.name + + #start TLS connection + ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw, + tls_cacertfile=cacert) + + tmp_ca_cert_f.close() + else: + ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) #check whether the compat plugin is enabled if not options.get('compat'): |
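Review bot: In the `cacertfile` branch of `execute`, `tmp_ca_cert_f.close()` is reached only when `ds_ldap.connect(...)` returns, so a failed bind or a certificate verification error skips it and the temporary CA file is left to whatever cleanup `write_tmp_file` provides (not visible here); wrapping the call as `try:` … `finally: tmp_ca_cert_f.close()` makes the cleanup explicit. The branch is also taken for any `ldapuri`, while the commit message ties the option to `ldaps://`: if `ldap2.connect` does not negotiate TLS for a plain `ldap://` URI (not visible in this hunk), the bind password would still travel unprotected even though a CA certificate was supplied, so checking the scheme and raising a validation error before connecting would be safer. The `#start TLS connection` comment should state which of the two actually happens, e.g. `# connect over ldaps://, verifying the server against the supplied CA`. `execute` begins in the previous hunk and continues past the end of this one.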