Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/3886>.

Honza

--
Jan Cholasta
>From 90f08d568ecc085bc559c7565bb106e6e7415839 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 29 Aug 2013 08:44:43 +0200
Subject: [PATCH] Fix service-disable in CA-less install.

https://fedorahosted.org/freeipa/ticket/3886
---
 ipalib/plugins/service.py | 41 +++++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index b10054f..0a49d8d 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -624,27 +624,28 @@ class service_disable(LDAPQuery):
         done_work = False
 
         if 'usercertificate' in entry_attrs:
-            cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
-            try:
-                serial = unicode(x509.get_serial_number(cert, x509.DER))
+            if self.api.env.enable_ra:
+                cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
                 try:
-                    result = api.Command['cert_show'](unicode(serial))['result']
-                    if 'revocation_reason' not in result:
-                        try:
-                            api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
-                        except errors.NotImplementedError:
-                            # some CA's might not implement revoke
-                            pass
-                except errors.NotImplementedError:
-                    # some CA's might not implement revoke
-                    pass
-            except NSPRError, nsprerr:
-                if nsprerr.errno == -8183:
-                    # If we can't decode the cert them proceed with
-                    # disabling the service
-                    self.log.info("Problem decoding certificate %s" % nsprerr.args[1])
-                else:
-                    raise nsprerr
+                    serial = unicode(x509.get_serial_number(cert, x509.DER))
+                    try:
+                        result = api.Command['cert_show'](unicode(serial))['result']
+                        if 'revocation_reason' not in result:
+                            try:
+                                api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+                            except errors.NotImplementedError:
+                                # some CA's might not implement revoke
+                                pass
+                    except errors.NotImplementedError:
+                        # some CA's might not implement revoke
+                        pass
+                except NSPRError, nsprerr:
+                    if nsprerr.errno == -8183:
+                        # If we can't decode the cert them proceed with
+                        # disabling the service
+                        self.log.info("Problem decoding certificate %s" % nsprerr.args[1])
+                    else:
+                        raise nsprerr
 
             # Remove the usercertificate altogether
             ldap.update_entry(dn, {'usercertificate': None})
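Review bot: When `self.api.env.enable_ra` is false, the new guard skips the `cert_show`/`cert_revoke` path without any trace, yet the `ldap.update_entry(dn, {'usercertificate': None})` that follows still drops the certificate from the entry. In a CA-less install the certificate was presumably issued by an external CA, so it stays valid after service-disable until it expires or is revoked there by hand. An `else` branch on the new `if` would make that visible to operators, for example `self.log.info("RA is disabled, certificate was not revoked; revoke it at the issuing CA")`. Separately, `raise nsprerr` in the re-indented handler would read better as a bare `raise`, which keeps the original traceback. The enclosing method starts before this hunk and continues after it.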
-- 
1.8.4
