From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA

IPA originally stored a single cert in cn=cacert which is what certmonger has always retrieved in fetch_roots. It was replaced to store cn=certificates as separate entries in order to more easily support chains and to include additional metadata about certificates. Try to pull the chain from that location first and fall back to cn=cacert if no entries are found.

https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
 src/ipa.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 LDAP *ld = NULL;
 LDAPMessage *lresult = NULL, *lmsg = NULL;
 char *lattrs[2] = {"caCertificate;binary", NULL};
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
 char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
 struct berval **lbvalues, *lbv;
 unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
 lfilter, lattrs, 0, NULL, NULL, NULL,
 LDAP_NO_LIMIT, &lresult);
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+ /* Fall back to the old location */
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ lfilter, lattrs, 0, NULL, NULL, NULL,
+ LDAP_NO_LIMIT, &lresult);
+ }
 if (rc != LDAP_SUCCESS) {
 fprintf(stderr, "Error searching '%s': %s.\n", ldn,
 ldap_err2string(rc));
--
2.21.0
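Review bot: The fallback branch in the second hunk leaks the LDAPMessage from the first search: on LDAP_SUCCESS with zero entries `lresult` is still a result chain that must be released with ldap_msgfree(), but the second ldap_search_ext_s() overwrites the pointer without freeing it. Release it first, `ldap_msgfree(lresult); lresult = NULL;`, before the `snprintf` that builds the compat DN, so the cleanup path further down (outside this hunk) does not double-free or lose the handle. The commit message says cn=certificates entries also carry metadata about each certificate; `lfilter` is built above this hunk, so it is worth confirming the filter restricts the subtree search to entries that are actually meant to be installed as trust roots rather than every caCertificate;binary under it. The snprintf() result is unchecked as in the existing code, so a truncated `ldn` would silently search a wrong DN; fetch_roots begins and ends outside both hunks.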