author | Martin Babinsky <mbabinsk@redhat.com> | 2017-03-15 14:00:49 +0100 |
committer | Martin Basti <mbasti@redhat.com> | 2017-03-15 16:39:39 +0100 |
commit | 8f4abf7bc1607fc44f528b8a443b69cb82269e69 (patch) | |
tree | 80ecceae540a54ef2c412fdb896ea15a84f9ece0 | |
parent | 069948466e81d99a0dd48ffffa32af50351d0189 (diff) | |
check that the master requesting PKINIT cert has KDC enabled
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipaserver/plugins/cert.py | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 8b9b86369..47c10f343 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -215,11 +215,23 @@ def caacl_check(principal, ca, profile_id):
         )
 
 
-def ca_kdc_check(ldap, hostname):
-    result = api.Command.config_show()['result']
-    if hostname not in result['ipa_master_server']:
+def ca_kdc_check(api_instance, hostname):
+    master_dn = api_instance.Object.server.get_dn(unicode(hostname))
+    kdc_dn = DN(('cn', 'KDC'), master_dn)
+
+    try:
+        kdc_entry = api_instance.Backend.ldap2.get_entry(
+            kdc_dn, ['ipaConfigString'])
+
+        ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}
+
+        if 'enabledservice' not in ipaconfigstring:
+            raise errors.NotFound()
+
+    except errors.NotFound:
         raise errors.ACIError(info=_(
-            "Host '%(hostname)s' is not a KDC") % dict(hostname=hostname))
+            "Host '%(hostname)s' is not an active KDC")
+            % dict(hostname=hostname))
 
 
 def validate_certificate(value):
@@ -604,7 +616,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 
         if not bypass_caacl:
             if principal_type == KRBTGT:
-                ca_kdc_check(ldap, bind_principal.hostname)
+                ca_kdc_check(self.api, bind_principal.hostname)
             else:
                 caacl_check(principal, ca, profile_id)
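Review bot: In the new ca_kdc_check, only errors.NotFound is turned into the ACIError, but `kdc_entry['ipaConfigString']` can fail differently: if the cn=KDC entry exists while the attribute is absent, the lookup presumably raises KeyError (LDAPEntry behaves as a mapping), which would escape the cert_request authorization path as an internal error rather than the intended "not an active KDC" denial — worth confirming against ldap2.get_entry, and `kdc_entry.get('ipaConfigString', [])` closes that gap. Raising errors.NotFound inside the try purely to fall into the except branch also reads as an odd signal; a plain `enabled = 'enabledservice' in ipaconfigstring` followed by one `if not enabled: raise errors.ACIError(...)` outside the handler makes the deny decision explicit for anyone auditing this check. The function has no docstring; a one-liner such as `"""Raise ACIError unless *hostname* is an IPA master whose cn=KDC entry carries ipaConfigString 'enabledService'."""` would state the authorization invariant the PKINIT cert issuance relies on. The second hunk (cert_request) only updates the call site; the enclosing method continues outside the hunk.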