From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Thu, 10 Oct 2019 18:24:32 +0000

Subject: [PATCH] Try to pull the entire CA chain from IPA

IPA originally stored a single cert in cn=cacert which is

what certmonger has always retrieved in fetch_roots. It was

replaced to store cn=certificates as separate entries in order

to more easily support chains and to include additional

metadata about certificates.

Try to pull the chain from that location first and fall back

to cn=cacert if no entries are found.

https://bugzilla.redhat.com/show_bug.cgi?id=1710632

---

 src/ipa.c | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/ipa.c b/src/ipa.c

index acd1a4e2..40a4b52c 100644

--- a/src/ipa.c

+++ b/src/ipa.c

@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,

 	LDAP *ld = NULL;

 	LDAPMessage *lresult = NULL, *lmsg = NULL;

 	char *lattrs[2] = {"caCertificate;binary", NULL};

-	const char *relativedn = "cn=cacert,cn=ipa,cn=etc";

+	const char *relativedn = "cn=certificates,cn=ipa,cn=etc";

+	const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";

 	char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;

 	struct berval **lbvalues, *lbv;

 	unsigned char *bv_val;

@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,

 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,

 			       lfilter, lattrs, 0, NULL, NULL, NULL,

 			       LDAP_NO_LIMIT, &lresult);

+    if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {

+		/* Fall back to the old location */

+		snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);

+		rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,

+				       lfilter, lattrs, 0, NULL, NULL, NULL,

+				       LDAP_NO_LIMIT, &lresult);

+	}

 	if (rc != LDAP_SUCCESS) {

 		fprintf(stderr, "Error searching '%s': %s.\n",

 			ldn, ldap_err2string(rc));

-- 

2.21.0