authorDavid Kupka <dkupka@redhat.com>2015-02-26 04:44:26 -0500
committerPetr Vobornik <pvoborni@redhat.com>2015-03-05 10:59:01 +0100
commitaa745b31d3762121bb0df1432cb2a48d1d15fd2a (patch)
treeae0b7a9068e512eaf86dfc4a6c5ad03294e261ae
parentae4ee6b53376bb7f3d1b4707c4e105c91b5cd8ab (diff)
Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
ipa-client-automount is run after ipa-client-install, so the CA certificate should be available. If the certificate is not available and ipadiscovery.ipacheckldap returns NO_TLS_LDAP, warn the user and try to continue. https://fedorahosted.org/freeipa/ticket/4902 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rwxr-xr-xipa-client/ipa-install/ipa-client-automount10
1 files changed, 8 insertions, 2 deletions
diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
index 7b9e701de..ca56f9783 100755
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -374,6 +374,10 @@ def main():
api.bootstrap(**cfg)
api.finalize()
+ ca_cert_path = None
+ if os.path.exists(paths.IPA_CA_CRT):
+ ca_cert_path = paths.IPA_CA_CRT
+
if options.uninstall:
return uninstall(fstore, statestore)
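Review bot: The fallback to `ca_cert_path = None` when `paths.IPA_CA_CRT` is absent is silent, so a run that goes on to verify the IPA server without the CA certificate leaves no trace in the log unless ipacheckldap later happens to return NO_TLS_LDAP (third hunk); what discovery does with a `None` path is not visible here. Log the downgrade where it is decided, e.g. an `else:` branch with `root_logger.warning('%s not found, IPA server verification will proceed without the IPA CA certificate' % paths.IPA_CA_CRT)`. As a matter of style the three-line check can also collapse to `ca_cert_path = paths.IPA_CA_CRT if os.path.exists(paths.IPA_CA_CRT) else None`. main() begins before and continues after this hunk.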
@@ -385,7 +389,7 @@ def main():
ds = ipadiscovery.IPADiscovery()
if not options.server:
print "Searching for IPA server..."
- ret = ds.search()
+ ret = ds.search(ca_cert_path=ca_cert_path)
root_logger.debug('Executing DNS discovery')
if ret == ipadiscovery.NO_LDAP_SERVER:
root_logger.debug('Autodiscovery did not find LDAP server')
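Review bot: The autodiscovery branch gets no counterpart to the NO_TLS_LDAP handling that the third hunk adds for the explicit-server path: after `ret = ds.search(ca_cert_path=ca_cert_path)` only NO_LDAP_SERVER is examined in the visible lines. If search() can report NO_TLS_LDAP through its return value, the same `root_logger.warning("Unencrypted access to LDAP is not supported.")` belongs on this path too; if it cannot, a one-line comment next to the call saying so would spare the next reader the question. The remainder of this branch and main() itself continue outside the hunk.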
@@ -401,11 +405,13 @@ def main():
else:
server = options.server
root_logger.debug("Verifying that %s is an IPA server" % server)
- ldapret = ds.ipacheckldap(server, api.env.realm)
+ ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
print "Anonymous access to the LDAP server is disabled."
print "Proceeding without strict verification."
print "Note: This is not an error if anonymous access has been explicitly restricted."
+ elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
+ root_logger.warning("Unencrypted access to LDAP is not supported.")
elif ldapret[0] != 0:
sys.exit('Unable to confirm that %s is an IPA server' % server)