authorFlorence Blanc-Renaud <flo@redhat.com>2016-11-08 09:02:57 +0100
committerDavid Kupka <dkupka@redhat.com>2016-11-10 14:15:57 +0100
commit7462adec13c5b25b6868d2863dc38062c97d0ff7 (patch)
tree2dfea2e3d02954bb02a305c7f5018731c68b0658 /install/certmonger
parent2775042787be4ea236c0b99dd75337414e24b89d (diff)
Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent
This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used before Kerberos is configured. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit7
1 files changed, 1 insertions, 6 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 41f7a62b1..e98dd53f5 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -113,7 +113,7 @@ def ldap_connect():
conn = None
try:
conn = ldap2(api)
- conn.connect(ccache=os.environ['KRB5CCNAME'])
+ conn.connect(autobind=True)
yield conn
finally:
if conn is not None and conn.isconnected():
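Review bot: The new `conn.connect(autobind=True)` line in ldap_connect() changes which identity the helper uses against the directory, and nothing at the call site records that. The bind no longer uses the host principal's ccache; it presumably depends on how the directory server maps the calling OS user over the local socket. I would add a comment above the call such as `# autobind: bind over the local LDAPI socket as the calling OS user, so no Kerberos ccache is needed (works before Kerberos is configured)`. If the helper runs as root under certmonger, the mapped identity likely has broader directory rights than the host principal had, so it is worth confirming that the renewal code needs no more than that mapping grants and that the helper is never invoked by an unexpected local user. ldap_connect() starts before this hunk and its `finally` block continues past it, so the disconnect path was not reviewed.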
@@ -505,11 +505,6 @@ def main():
tmpdir = tempfile.mkdtemp(prefix="tmp-")
certs.renewal_lock.acquire()
try:
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache_filename = os.path.join(tmpdir, 'ccache')
- os.environ['KRB5CCNAME'] = ccache_filename
- ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
-
profile = os.environ.get('CERTMONGER_CA_PROFILE')
if profile:
handler = handlers.get(profile, request_and_store_cert)