From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Oct 16 2019 20:19:14 +0000
Subject: Try to pull the entire CA chain from IPA

IPA originally stored a single cert in cn=cacert which is what certmonger has always retrieved in fetch_roots. It was replaced to store cn=certificates as separate entries in order to more easily support chains and to include additional metadata about certificates. Try to pull the chain from that location first and fall back to cn=cacert if no entries are found. https://bugzilla.redhat.com/show_bug.cgi?id=1710632

---

diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e..40a4b52 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	LDAP *ld = NULL;
 	LDAPMessage *lresult = NULL, *lmsg = NULL;
 	char *lattrs[2] = {"caCertificate;binary", NULL};
-	const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+	const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+	const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
 	char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
 	struct berval **lbvalues, *lbv;
 	unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
 			       lfilter, lattrs, 0, NULL, NULL, NULL,
 			       LDAP_NO_LIMIT, &lresult);
+	if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+		/* Fall back to the old location */
+		snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+		rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+				       lfilter, lattrs, 0, NULL, NULL, NULL,
+				       LDAP_NO_LIMIT, &lresult);
+	}
 	if (rc != LDAP_SUCCESS) {
 		fprintf(stderr, "Error searching '%s': %s.\n", ldn,
 			ldap_err2string(rc));
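Review bot: The fallback search overwrites `lresult` while it still holds the result chain returned by the first, successful-but-empty `ldap_search_ext_s` call, so that LDAPMessage is leaked every time the cn=certificates container is absent (the common case on pre-upgrade IPA servers). Release it before re-searching: `ldap_msgfree(lresult);` followed by `lresult = NULL;` at the top of the new `if` body, ahead of the `snprintf`. The return of `snprintf` into `ldn` is also unchecked, so a truncated base DN would silently search the wrong location; the first search appears to build `ldn` the same way outside the hunk, so this is pre-existing, but the fallback is a convenient place to add the `(size_t)n >= sizeof(ldn)` check. fetch_roots begins and ends outside the hunk.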