authorMartin Babinsky <mbabinsk@redhat.com>2017-03-15 14:00:49 +0100
committerMartin Basti <mbasti@redhat.com>2017-03-15 16:39:39 +0100
commit8f4abf7bc1607fc44f528b8a443b69cb82269e69 (patch)
tree80ecceae540a54ef2c412fdb896ea15a84f9ece0
parent069948466e81d99a0dd48ffffa32af50351d0189 (diff)
check that the master requesting PKINIT cert has KDC enabled
https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipaserver/plugins/cert.py22
1 files changed, 17 insertions, 5 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 8b9b86369..47c10f343 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -215,11 +215,23 @@ def caacl_check(principal, ca, profile_id):
)
-def ca_kdc_check(ldap, hostname):
- result = api.Command.config_show()['result']
- if hostname not in result['ipa_master_server']:
+def ca_kdc_check(api_instance, hostname):
+ master_dn = api_instance.Object.server.get_dn(unicode(hostname))
+ kdc_dn = DN(('cn', 'KDC'), master_dn)
+
+ try:
+ kdc_entry = api_instance.Backend.ldap2.get_entry(
+ kdc_dn, ['ipaConfigString'])
+
+ ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}
+
+ if 'enabledservice' not in ipaconfigstring:
+ raise errors.NotFound()
+
+ except errors.NotFound:
raise errors.ACIError(info=_(
- "Host '%(hostname)s' is not a KDC") % dict(hostname=hostname))
+ "Host '%(hostname)s' is not an active KDC")
+ % dict(hostname=hostname))
def validate_certificate(value):
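Review bot: The set comprehension `{val.lower() for val in kdc_entry['ipaConfigString']}` in the new ca_kdc_check raises KeyError, not NotFound, when the cn=KDC entry exists but carries no ipaConfigString values at all (as far as I can tell that is how an absent attribute behaves on the entry object), so that case surfaces as an internal error instead of the intended ACIError. It still fails closed, but `ipaconfigstring = {val.lower() for val in kdc_entry.get('ipaConfigString', [])}` keeps the denial path uniform for "no entry", "no values" and "not enabled". Raising NotFound purely to jump into the except clause is also hard to follow; a boolean computed after the try and a single raise would express the same thing. A docstring is missing as well, e.g. one stating that the function raises ACIError unless `hostname` names an IPA master whose cn=KDC role entry has ipaConfigString enabledService, and that callers pass the authenticated bind principal's hostname (as cert_request does in the second hunk) rather than anything taken from the request.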
@@ -604,7 +616,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
if not bypass_caacl:
if principal_type == KRBTGT:
- ca_kdc_check(ldap, bind_principal.hostname)
+ ca_kdc_check(self.api, bind_principal.hostname)
else:
caacl_check(principal, ca, profile_id)