Blob Blame Raw
From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA

IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.

Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.

https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
 src/ipa.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	LDAP *ld = NULL;
 	LDAPMessage *lresult = NULL, *lmsg = NULL;
 	char *lattrs[2] = {"caCertificate;binary", NULL};
-	const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+	const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+	const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
 	char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
 	struct berval **lbvalues, *lbv;
 	unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
 			       lfilter, lattrs, 0, NULL, NULL, NULL,
 			       LDAP_NO_LIMIT, &lresult);
+    if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+		/* Fall back to the old location */
+		snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+		rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+				       lfilter, lattrs, 0, NULL, NULL, NULL,
+				       LDAP_NO_LIMIT, &lresult);
+	}
 	if (rc != LDAP_SUCCESS) {
 		fprintf(stderr, "Error searching '%s': %s.\n",
 			ldn, ldap_err2string(rc));
-- 
2.21.0