From a42c4c1be12f64228f196b42f30fb57019e3943e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 30 Jul 2019 16:21:35 +1000
Subject: [PATCH] CustodiaClient: fix IPASecStore config on ipa-4-7

The backport of a Custodia client fix for f30 and related refactors and improvements, to the ipa-4-7 branch, had no conflicts. But there is a change on newer branches that broke the backport. The running of Custodia handlers in separate processes simplified the configuration of the ISecStore. For ipa-4-7 we need to continue to explicitly configure it, so restore the old configuration behaviour.

Part of: https://pagure.io/freeipa/issue/7964
Reviewed-By: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
 ipaserver/secrets/client.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
index 4c03ef8e4140dd507156d88941600a234b71184e..2363b081dbbf3671e8147497bb52811825bdf1a4 100644
--- a/ipaserver/secrets/client.py
+++ b/ipaserver/secrets/client.py
@@ -52,7 +52,12 @@ class CustodiaClient(object):
 self.service_name = gssapi.Name(
 'HTTP@{}'.format(server), gssapi.NameType.hostbased_service
 )
- self.keystore = IPASecStore()
+
+ config = {'ldap_uri': self.ldap_uri}
+ if auth_type is not None:
+ config['auth_type'] = auth_type
+ self.keystore = IPASecStore(config)
+
 # use in-process MEMORY ccache. Handler process don't need a TGT.
 token = b64encode(os.urandom(8)).decode('ascii')
 self.ccache = 'MEMORY:Custodia_{}'.format(token)
--
2.20.1
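Review bot: The restored `IPASecStore(config)` block carries no comment saying why this branch configures the store explicitly, and that is the detail the clean backport lost. I would add above the `config = ...` line `# ipa-4-7: IPASecStore is not auto-configured as on newer branches; pass ldap_uri/auth_type explicitly`. The keys `'ldap_uri'` and `'auth_type'` are plain strings, so a misspelt key would presumably fall back to the store's defaults without an error. Since `auth_type` appears to select how the store authenticates to LDAP, it is worth confirming both names against what `IPASecStore` reads. `self.ldap_uri` and `auth_type` are defined earlier in the enclosing method, which starts outside this hunk, so their assignment before this point cannot be checked here.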