On 02/26/2015 02:55 PM, Rob Crittenden wrote:
Martin Basti wrote:
On 26/02/15 10:57, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4902
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
Works for me, ACK.
NACK.
If you simply pass in /etc/ipa/ca.crt as the cacert path then it will
use TLS.
rob
Thanks for the catch Rob. Updated patch attached.
--
David Kupka
From 4811019508953c197a77aac081732f0af4cce614 Mon Sep 17 00:00:00 2001
From: David Kupka <[email protected]>
Date: Thu, 26 Feb 2015 04:44:26 -0500
Subject: [PATCH] Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
ipa-client-automount is run after ipa-client-install, so the CA certificate
should be available. If the certificate is not available and ipadiscovery.ipacheckldap
returns NO_TLS_LDAP, warn the user and try to continue.
https://fedorahosted.org/freeipa/ticket/4902
---
ipa-client/ipa-install/ipa-client-automount | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
index 110e0ba13287e8c3061864b2e6c7b27d0ca83a6c..9e38412c8893c5d5b7459627a29aadee1c876f3a 100755
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -379,6 +379,10 @@ def main():
api.bootstrap(**cfg)
api.finalize()
+ ca_cert_path = None
+ if os.path.exists(paths.IPA_CA_CRT):
+ ca_cert_path = paths.IPA_CA_CRT
+
if options.uninstall:
return uninstall(fstore, statestore)
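Review bot: `os.path.exists(paths.IPA_CA_CRT)` only confirms the file is present, not that it is readable or a usable PEM, so a present-but-unreadable CA file will surface later as a less clear failure inside `ds.search()` / `ds.ipacheckldap()`; consider `os.access(paths.IPA_CA_CRT, os.R_OK)` here, or catching and reporting the error at the call site. Minor: the block sits above the `if options.uninstall: return` even though `ca_cert_path` is not used on the uninstall path; moving it below that early return keeps the uninstall path free of unrelated setup.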
@@ -390,7 +394,7 @@ def main():
ds = ipadiscovery.IPADiscovery()
if not options.server:
print "Searching for IPA server..."
- ret = ds.search()
+ ret = ds.search(ca_cert_path=ca_cert_path)
root_logger.debug('Executing DNS discovery')
if ret == ipadiscovery.NO_LDAP_SERVER:
root_logger.debug('Autodiscovery did not find LDAP server')
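Review bot: when `ca_cert_path` is `None` this call silently lets discovery proceed without a CA to validate the LDAP TLS connection, and unlike the explicit-server branch the visible lines of this hunk add no user-facing warning for that case (only `NO_LDAP_SERVER` is handled here); consider logging a warning at this point when `ca_cert_path is None`, e.g. `root_logger.warning("No CA certificate found at %s; server discovery cannot verify TLS" % paths.IPA_CA_CRT)`, so the autodiscovery path is as transparent as the `ipacheckldap` path.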
@@ -406,11 +410,13 @@ def main():
else:
server = options.server
root_logger.debug("Verifying that %s is an IPA server" % server)
- ldapret = ds.ipacheckldap(server, api.env.realm)
+ ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
print "Anonymous access to the LDAP server is disabled."
print "Proceeding without strict verification."
print "Note: This is not an error if anonymous access has been explicitly restricted."
+ elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
+ root_logger.warning("Unencrypted access to LDAP is not supported.")
elif ldapret[0] != 0:
sys.exit('Unable to confirm that %s is an IPA server' % server)
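Review bot: the new `NO_TLS_LDAP` branch falls through and continues without the IPA-server check having succeeded, but the message "Unencrypted access to LDAP is not supported." does not tell the user that verification of `%s` as an IPA server is being skipped, whereas the `NO_ACCESS_TO_LDAP` branch just above explicitly prints "Proceeding without strict verification."; suggest a message along the lines of "Unencrypted access to LDAP is not supported and no CA certificate is available; proceeding without verifying that %s is an IPA server." Also, the branch above uses `print` to reach the user while this one uses `root_logger.warning`, which may only land in the log; the commit message says the intent is to warn the user, so use the same channel as the neighbouring branch. Style: `ds.ipacheckldap(server, api.env.realm, ca_cert_path)` passes the path positionally while the earlier hunk uses `ca_cert_path=ca_cert_path`; passing it by keyword here too would be consistent and safer against signature changes.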
--
2.1.0