From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA
|
IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.
|
Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.
|
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
src/ipa.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
|
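diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 LDAP *ld = NULL;
 LDAPMessage *lresult = NULL, *lmsg = NULL;
 char *lattrs[2] = {"caCertificate;binary", NULL};
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
 char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
 struct berval **lbvalues, *lbv;
 unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
 lfilter, lattrs, 0, NULL, NULL, NULL,
 LDAP_NO_LIMIT, &lresult);
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+ /* Fall back to the old location */
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ lfilter, lattrs, 0, NULL, NULL, NULL,
+ LDAP_NO_LIMIT, &lresult);
+ }
 if (rc != LDAP_SUCCESS) {
 fprintf(stderr, "Error searching '%s': %s.\n",
 ldn, ldap_err2string(rc));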
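Review bot: The fallback guarded by the added `if` is unlikely to fire on servers that predate the cn=certificates container, because a search whose base DN does not exist is normally answered with LDAP_NO_SUCH_OBJECT rather than LDAP_SUCCESS with zero entries, so those deployments would now fail the search instead of reading cn=cacert; the condition should probably read `if (rc == LDAP_NO_SUCH_OBJECT || (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0)) {`. The result message of the first search is also leaked, since `lresult` is handed to the second `ldap_search_ext_s` without being released; add `ldap_msgfree(lresult); lresult = NULL;` immediately before the retry. Whether the existing cleanup path frees `lresult` exactly once cannot be checked here, as the body of fetch_roots continues outside the hunk.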
--
2.21.0