From a1991aeac19c3fec1fdd0d184c6760c90c9f9fc9 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Thu, 15 Nov 2012 14:57:52 -0500 Subject: Use secure method to acquire IPA CA certificate Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists then validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warning in absence of a provided CA certificate via --ca-cert-file or through existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce Signed-off-by: Rob Crittenden --- ipapython/ipautil.py | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'ipapython/ipautil.py') 
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index fbb3c26d..9fdd2fd7 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1174,3 +1174,39 @@ def restore_hostname(statestore):
 run(['/bin/hostname', old_hostname])
 except CalledProcessError, e:
 print >>sys.stderr, "Failed to set this machine hostname back to %s: %s" % (old_hostname, str(e))
+
+def convert_ldap_error(exc):
+ """
+ Make LDAP exceptions prettier.
+
+ Some LDAP exceptions have a dict with descriptive information, if
+ this exception has a dict extract useful information from it and
+ format it into something usable and return that. If the LDAP
+ exception does not have an information dict then return the name
+ of the LDAP exception.
+
+ If the exception is not an LDAP exception then convert the
+ exception to a string and return that instead.
+ """
+ if isinstance(exc, ldap.LDAPError):
+ name = exc.__class__.__name__
+
+ if len(exc.args):
+ d = exc.args[0]
+ if isinstance(d, dict):
+ desc = d.get('desc', '').strip()
+ info = d.get('info', '').strip()
+ if desc and info:
+ return '%s %s' % (desc, info)
+ elif desc:
+ return desc
+ elif info:
+ return info
+ else:
+ return name
+ else:
+ return name
+ else:
+ return name
+ else:
+ return str(exc)
--
cgit
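Review bot: The three `return name` branches in the new convert_ldap_error all express the same fallback, so the function reads more clearly as guard clauses with a single join at the end, and `if len(exc.args):` is the non-idiomatic spelling of `if exc.args:`. The rewrite below keeps the exact return values: desc and info joined by one space, either one alone when the other is empty, otherwise the exception class name, and `str(exc)` for anything that is not an LDAPError. The hunk uses `ldap.LDAPError` without adding an import to this file, so it relies on `ldap` already being imported at module level in ipautil.py — worth confirming, since the name is only resolved on the first call, which in this commit happens while fetching the CA certificate. Note also that `desc` and `info` come from the server-supplied error dict and `.strip()` assumes they are strings; python-ldap supplies strings there, but a non-string value would raise inside the error-formatting path rather than produce a message. The context lines above the addition are the tail of restore_hostname, which starts outside this hunk.
```python
def convert_ldap_error(exc):
    # … unchanged: docstring …
    if not isinstance(exc, ldap.LDAPError):
        return str(exc)
    name = exc.__class__.__name__
    info_dict = exc.args[0] if exc.args else None
    if not isinstance(info_dict, dict):
        return name
    desc = info_dict.get('desc', '').strip()
    info = info_dict.get('info', '').strip()
    # "desc info", whichever of the two is present, or the class name when both are empty.
    return ' '.join(part for part in (desc, info) if part) or name
```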