From 457131218990e7c6a9de21de0e3fb9e9ecf6a6fe Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Tue, 30 Jul 2019 16:21:35 +1000

Subject: [PATCH] CustodiaClient: fix IPASecStore config on ipa-4-7

The backport of a Custodia client fix for f30 and related refactors

and improvements, to the ipa-4-7 branch, had no conflicts.  But

there is a change on newer branches that broke the backport.  The

running of Custodia handlers in separate processes simplified the

configuration of the ISecStore.  For ipa-4-7 we need to continue to

explicitly configure it, so restore the old configuration behaviour.

Part of: https://pagure.io/freeipa/issue/7964

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/secrets/client.py | 7 ++++++-

 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py

index 4c03ef8e4140dd507156d88941600a234b71184e..2363b081dbbf3671e8147497bb52811825bdf1a4 100644

--- a/ipaserver/secrets/client.py

+++ b/ipaserver/secrets/client.py

@@ -52,7 +52,12 @@ class CustodiaClient(object):

         self.service_name = gssapi.Name(

             'HTTP@{}'.format(server), gssapi.NameType.hostbased_service

         )

-        self.keystore = IPASecStore()

+

+        config = {'ldap_uri': self.ldap_uri}

+        if auth_type is not None:

+            config['auth_type'] = auth_type

+        self.keystore = IPASecStore(config)

+

         # use in-process MEMORY ccache. Handler process don't need a TGT.

         token = b64encode(os.urandom(8)).decode('ascii')

         self.ccache = 'MEMORY:Custodia_{}'.format(token)

-- 

2.20.1