On Fri, 23 Aug 2019, lune voo via FreeIPA-users wrote:
>Thank you again for your answer Alexander.
>A last question:
>I'm setting up a python virtual environment for an old project that I need
>to maintain without any modification.
>This old project currently uses an ipa 3.0 on a physical RHEL 6.6 using
>python 2.6.6.

I don't think we supported any use of pip-based ipaclient at that
version.

>I'm trying to create the python environment using python 2.6 for the
>project because the server will soon be upgraded to RHEL7.
>I'm using ipalib to perform ipa user-show etc. commands directly in python.
>But I get an "(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>been marked as not trusted by the user." when I try to use it.
>Pretty sure this is related to my ca.crt file not being found.

This is related to nssdb in use -- at that time we didn't have any
support for relocating files and we also used nssdb at /etc/ipa/nssdb, I
think. So check whether you have trust flags on the certificates in that
NSS database.

>Any hope there is a way to check the default path which is used by the
>ca.crt file?
>Best regards.
>Lune
On Fri, 23 Aug 2019 at 15:41, Alexander Bokovoy <[email protected]> wrote:
On Fri, 23 Aug 2019, lune voo wrote:
>Hello Alexander.
>
>Thank you for your answer.
>Do you know if I will have any problem with the certificate to connect to
>the server?
>Generally there is a ca.crt in /etc/ipa/ca.crt, does it need to be included
>in the virtual environment also?
See manual page for ipa(1) tool, it documents use of IPA_CONFDIR to
specify /etc/ipa location. However, /etc/ipa/ca.crt is not configurable
this way, only through ipaplatform.paths.IPA_CA_CRT value.
$ python3
Python 3.7.4 (default, Jul 9 2019, 16:32:37)
[GCC 9.1.1 20190503 (Red Hat 9.1.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ipaplatform.paths import paths
>>> paths.IPA_CA_CRT
'/etc/ipa/ca.crt'
>>> paths.IPA_CA_CRT="./my.ca.crt"
>>> from ipaclient.discovery import IPADiscovery
>>> discover = IPADiscovery()
>>> discover.search("vda.li", ca_cert_path=paths.IPA_CA_CRT)
0
>>> discover.realm
'VDA.LI'
>>> discover.basedn
ipapython.dn.DN('dc=vda,dc=li')
>>>
So, for most of Python code you can redefine paths. But for ipa-join and
other binaries you cannot.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
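
The trust-flag check suggested in the reply above, as an added example (not part of the original thread and not FreeIPA code): it parses `certutil -L` output and reports whether a CA carries the `C` SSL trust flag that NSS needs before it accepts server certificates from that issuer. Assumptions: `certutil` from nss-tools is installed, the database path is the one mentioned in the thread, and the function names, nicknames and sample listing are constructed for illustration.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d <nssdb>` output, not taken from the thread.
SAMPLE = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          ,,
Old Imported CA                                              CT,C,C
Server-Cert                                                  u,u,u
"""

# Nicknames may contain spaces, so anchor on the trailing "ssl,smime,codesign" triple.
ROW = re.compile(r"^(.*\S)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")


def list_nssdb(nssdb="/etc/ipa/nssdb"):
    """Run certutil (nss-tools) against an NSS database and return its listing."""
    return subprocess.run(["certutil", "-L", "-d", nssdb], check=True,
                          capture_output=True, text=True).stdout


def parse_listing(text):
    """Map each certificate nickname to its SSL trust flags (first field)."""
    listing = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            listing[m.group(1)] = m.group(2)
    return listing


def check_ca(listing, nickname):
    """Classify a CA: 'missing', 'untrusted' (no 'C' SSL flag) or 'ok'."""
    if nickname not in listing:
        return "missing"      # no certificate with that nickname in the database
    if "C" not in listing[nickname]:
        return "untrusted"    # present, but not trusted to issue server certificates
    return "ok"


if __name__ == "__main__":
    certs = parse_listing(SAMPLE)   # on a real host: parse_listing(list_nssdb())
    for nick in ("EXAMPLE.TEST IPA CA", "Old Imported CA"):
        print(f"{nick!r}: SSL flags {certs[nick]!r} -> {check_ca(certs, nick)}")
    # Trust can be set with: certutil -M -d <nssdb> -n <nickname> -t CT,C,C
```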