From 531b0b66a74b100986ba086fc134fb5f2e587c69 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 19 Jun 2019 19:11:39 +1000
Subject: [PATCH] CustodiaClient: use ldapi when ldap_uri not specified

Reinstate ldap_uri selection behaviour that was lost during the refactor in the previous commit. This is required because, on the ipa-4-7 branch at least, the IPASecStore needs to use LDAPI to set the Directory Manager passphrase digest. Use LDAPI when the ldap_uri has not been explicity specified.

Part of: https://pagure.io/freeipa/issue/7964

Reviewed-By: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
 ipaserver/secrets/client.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
index 40df6c4e69cd673dd8e3c36fbf33f2cda8544a67..4c03ef8e4140dd507156d88941600a234b71184e 100644
--- a/ipaserver/secrets/client.py
+++ b/ipaserver/secrets/client.py
@@ -13,6 +13,7 @@ from custodia.message.kem import KEMClient, KEY_USAGE_SIG, KEY_USAGE_ENC
 from jwcrypto.common import json_decode
 from jwcrypto.jwk import JWK
 from ipalib.krb_utils import krb5_format_service_principal_name
+from ipaserver.install.installutils import realm_to_ldapi_uri
 from ipaserver.secrets.kem import IPAKEMKeys
 from ipaserver.secrets.store import IPASecStore
 from ipaplatform.paths import paths
@@ -46,7 +47,7 @@ class CustodiaClient(object):
         self.keytab = keytab
         self.server = server
         self.realm = realm
-        self.ldap_uri = ldap_uri
+        self.ldap_uri = ldap_uri or realm_to_ldapi_uri(realm)
         self.auth_type = auth_type
         self.service_name = gssapi.Name(
             'HTTP@{}'.format(server), gssapi.NameType.hostbased_service
-- 
2.20.1
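Review bot: The `or` fallback in the second hunk treats an explicitly passed empty string the same as "not specified", which is broader than the commit message's "not explicitly specified"; if only an absent value should select LDAPI, `self.ldap_uri = ldap_uri if ldap_uri is not None else realm_to_ldapi_uri(realm)` pins that down and keeps a deliberate `""` from silently becoming a local-socket connection. The reason for the default lives only in the commit message, so a comment on that line would help the next reader, e.g. `# Default to LDAPI: IPASecStore needs it to set the DM passphrase digest (freeipa #7964)`. LDAPI presumably implies a Unix socket on the IPA server host, so a CustodiaClient built elsewhere without ldap_uri would not fail here but later at connect time, which is worth stating in the __init__ docstring if that assumption holds. The `__init__` this hunk belongs to begins before the hunk.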