From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA
IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.
Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
src/ipa.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
LDAP *ld = NULL;
LDAPMessage *lresult = NULL, *lmsg = NULL;
char *lattrs[2] = {"caCertificate;binary", NULL};
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
struct berval **lbvalues, *lbv;
unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+ /* Fall back to the old location */
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ lfilter, lattrs, 0, NULL, NULL, NULL,
+ LDAP_NO_LIMIT, &lresult);
+ }
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
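Review bot: The fallback search in the new `if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0)` block passes `&lresult` again while the first, successful search has already stored a result message there (a search that matches nothing still returns a result that must be released), so that first message leaks on every fallback; add `ldap_msgfree(lresult); lresult = NULL;` before the second `ldap_search_ext_s` call. I am inferring that the cleanup of `lresult` later in fetch_roots frees only the final value, since it is outside this hunk. It would also help readers to note next to the fallback that the subtree search under `cn=certificates` now admits every entry beneath it carrying `caCertificate;binary` as a trust root, e.g. `/* Subtree scope: every caCertificate;binary under cn=certificates becomes a root */`, so the widened trust set is deliberate rather than accidental. fetch_roots begins before the first hunk and continues past this one.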
--
2.21.0