Fix service-disable in CA-less install.

https://fedorahosted.org/freeipa/ticket/3886
author: Jan Cholasta <jcholast@redhat.com> 2013-08-29 08:44:43 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2013-08-29 10:18:50 +0200
commit: fe4a96de52c15eb54d828a4ea0144b392d4a101b (patch)
tree: 4bbc972e2334464a6c8a9c932608f7e032502638
parent: c706859df2ae6a000d33874e4bb6bf79e9e9da52 (diff)
download: freeipa.git-fe4a96de52c15eb54d828a4ea0144b392d4a101b.tar.gz
freeipa.git-fe4a96de52c15eb54d828a4ea0144b392d4a101b.tar.xz
freeipa.git-fe4a96de52c15eb54d828a4ea0144b392d4a101b.zip
1 files changed, 21 insertions, 20 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index b10054f0..0a49d8d3 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -624,27 +624,28 @@ class service_disable(LDAPQuery):
         done_work = False
 
         if 'usercertificate' in entry_attrs:
-            cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
-            try:
-                serial = unicode(x509.get_serial_number(cert, x509.DER))
+            if self.api.env.enable_ra:
+                cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
                 try:
-                    result = api.Command['cert_show'](unicode(serial))['result']
-                    if 'revocation_reason' not in result:
-                        try:
-                            api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
-                        except errors.NotImplementedError:
-                            # some CA's might not implement revoke
-                            pass
-                except errors.NotImplementedError:
-                    # some CA's might not implement revoke
-                    pass
-            except NSPRError, nsprerr:
-                if nsprerr.errno == -8183:
-                    # If we can't decode the cert them proceed with
-                    # disabling the service
-                    self.log.info("Problem decoding certificate %s" % nsprerr.args[1])
-                else:
-                    raise nsprerr
+                    serial = unicode(x509.get_serial_number(cert, x509.DER))
+                    try:
+                        result = api.Command['cert_show'](unicode(serial))['result']
+                        if 'revocation_reason' not in result:
+                            try:
+                                api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+                            except errors.NotImplementedError:
+                                # some CA's might not implement revoke
+                                pass
+                    except errors.NotImplementedError:
+                        # some CA's might not implement revoke
+                        pass
+                except NSPRError, nsprerr:
+                    if nsprerr.errno == -8183:
+                        # If we can't decode the cert them proceed with
+                        # disabling the service
+                        self.log.info("Problem decoding certificate %s" % nsprerr.args[1])
+                    else:
+                        raise nsprerr
 
             # Remove the usercertificate altogether
             ldap.update_entry(dn, {'usercertificate': None})
author	Jan Cholasta <jcholast@redhat.com>	2013-08-29 08:44:43 +0200
committer	Petr Viktorin <pviktori@redhat.com>	2013-08-29 10:18:50 +0200
commit	fe4a96de52c15eb54d828a4ea0144b392d4a101b (patch)
tree	4bbc972e2334464a6c8a9c932608f7e032502638
parent	c706859df2ae6a000d33874e4bb6bf79e9e9da52 (diff)
download	freeipa.git-fe4a96de52c15eb54d828a4ea0144b392d4a101b.tar.gz freeipa.git-fe4a96de52c15eb54d828a4ea0144b392d4a101b.tar.xz freeipa.git-fe4a96de52c15eb54d828a4ea0144b392d4a101b.zip