From eeade50933cb2251b43ee34c642bcae69a216655 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Mon, 8 Jul 2024 10:20:47 -0400
Subject: [PATCH] ipa-migrate - starttls does not work
We were previousily taking the provided ca cert and creating a temporary file from it. This was incorrect and caused the secure connection to fail. Instead just use the file path provided.
Fixes: https://pagure.io/freeipa/issue/9619
Signed-off-by: Mark Reynolds
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 install/tools/man/ipa-migrate.1 | 2 +-
 ipaserver/install/ipa_migrate.py | 25 +++++++++++++++++--------
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/install/tools/man/ipa-migrate.1 b/install/tools/man/ipa-migrate.1
index 2d9d2c650a4c44a2f397d1c2ccb42fb95eea2bae..47ae47ea4afa3a5a6fe25dd9bbd14c27ab5f1fdb 100644
--- a/install/tools/man/ipa-migrate.1
+++ b/install/tools/man/ipa-migrate.1
@@ -25,7 +25,7 @@ network interruptions)
 In this mode everything will be migrated including the current user SIDs and DNA ranges
 .TP
-\fBstage\-mod\fR
+\fBstage\-mode\fR
 In this mode, SIDs & DNA ranges are not migrated, and DNA attributes are reset
 .SH "COMMANDS"
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 6be8d9ba23b36779bf6296df757c1aca551968c0..0e19b98b5be532c513876e165561f0af176baa27 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -27,7 +27,6 @@ from ipalib.x509 import IPACertificate
 from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.ipaldap import LDAPClient, LDAPEntry, realm_to_ldapi_uri
-from ipapython.ipautil import write_tmp_file
 from ipapython.ipa_log_manager import standard_logging_setup
 from ipaserver.install.ipa_migrate_constants import (
 DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
@@ -758,13 +757,19 @@ class IPAMigrate():
 insecure_bind = False
 if self.args.cacertfile is not None:
- # Store CA cert into file
- tmp_ca_cert_f = write_tmp_file(self.args.cacertfile)
- cacert = tmp_ca_cert_f.name
- # Start TLS connection (START_TLS)
- ds_conn = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
- tmp_ca_cert_f.close()
+ try:
+ ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
+ start_tls=True)
+ except (
+ ldap.LDAPError,
+ errors.NetworkError,
+ errors.DatabaseError,
+ IOError
+ ) as e:
+ self.handle_error(
+ f"Failed to connect to remote server: {str(e)}"
+ )
 else:
 # LDAP (insecure)
 ds_conn = LDAPClient(ldapuri)
@@ -773,7 +778,11 @@ class IPAMigrate():
 try:
 ds_conn.simple_bind(DN(self.args.bind_dn), self.bindpw,
 insecure_bind=insecure_bind)
- except (errors.NetworkError, errors.ACIError) as e:
+ except (
+ errors.NetworkError,
+ errors.ACIError,
+ errors.DatabaseError
+ ) as e:
 self.handle_error(f"Failed to bind to remote server: {str(e)}")
 # All set, stash the remote connection
-- 
2.45.2
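Review bot: In the new `except` branch of the START_TLS path, `self.handle_error(...)` is the only statement, so if `handle_error` can return instead of terminating the run, `ds_conn` is left unbound and the later `ds_conn.simple_bind(...)` in the next hunk fails with `UnboundLocalError` rather than the intended "Failed to connect" message; the enclosing method starts and ends outside these hunks, so whether `handle_error` exits is not visible here. Either document the contract at the call site, `# handle_error() terminates the run; ds_conn is never read after a failure`, or add an explicit `raise`/`return` after it (the bind `except` in the second hunk has the same shape). Minor: on Python 3 `IOError` is an alias of `OSError`, so `OSError` is the idiomatic name in the exception tuple, and `{e}` is sufficient in the f-string instead of `{str(e)}`.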