From 41098e3f7bb517f7445ed34d555bc3fb2083c6ce Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Nov 07 2016 10:34:03 +0000 Subject: ldap2: modify arguments for create_connection * Remove unused and obsolete function arguments: * tls_certfile * tls_keyfile * debug_level * Rename tls_cacertfile to cacert (same as name in LDAPClient) * Set cacert to constants.CACERT by default. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti Reviewed-By: Jan Cholasta
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0df2455..aeae6b3 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -633,7 +633,7 @@ def install_check(installer):
     try:
         # Try out the password
         conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
-                     tls_cacertfile=cafile)
+                     cacert=cafile)
         replman = ReplicationManager(config.realm_name, config.master_host_name,
                                      config.dirman_password)
@@ -787,7 +787,7 @@ def install(installer):
     conn = remote_api.Backend.ldap2
     try:
         conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
-                     tls_cacertfile=cafile)
+                     cacert=cafile)
         # Install CA cert so that we can do SSL connections with ldap
         install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 2d08f1c..82b2dba 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -31,7 +31,7 @@ import os
 
 import ldap as _ldap
 
-from ipalib import krb_utils
+from ipalib import krb_utils, constants
 from ipapython.dn import DN
 from ipapython.ipaldap import (LDAPClient, AUTOBIND_AUTO, AUTOBIND_ENABLED,
                                AUTOBIND_DISABLED)
@@ -126,8 +126,7 @@ class ldap2(CrudBackend, LDAPClient):
         return self.ldap_uri
 
     def create_connection(
-            self, ccache=None, bind_dn=None, bind_pw='', tls_cacertfile=None,
-            tls_certfile=None, tls_keyfile=None, debug_level=0,
+            self, ccache=None, bind_dn=None, bind_pw='', cacert=None,
             autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None,
             time_limit=_missing, size_limit=_missing):
         """
@@ -139,9 +138,7 @@ class ldap2(CrudBackend, LDAPClient):
         bind_dn -- dn used to bind to the server
         bind_pw -- password used to bind to the server
         debug_level -- LDAP debug level option
-        tls_cacertfile -- TLS CA certificate filename
-        tls_certfile -- TLS certificate filename
-        tls_keyfile - TLS bind key filename
+        cacert -- TLS CA certificate filename
         autobind - autobind as the current user
         time_limit, size_limit -- maximum time and size limit for LDAP
             possible options:
@@ -155,23 +152,18 @@ class ldap2(CrudBackend, LDAPClient):
         if bind_dn is None:
             bind_dn = DN(('cn', 'directory manager'))
         assert isinstance(bind_dn, DN)
-        if tls_cacertfile is not None:
-            _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
-        if tls_certfile is not None:
-            _ldap.set_option(_ldap.OPT_X_TLS_CERTFILE, tls_certfile)
-        if tls_keyfile is not None:
-            _ldap.set_option(_ldap.OPT_X_TLS_KEYFILE, tls_keyfile)
+
+        if cacert is None:
+            cacert = constants.CACERT
 
         if time_limit is not _missing:
             self.time_limit = time_limit
         if size_limit is not _missing:
             self.size_limit = size_limit
 
-        if debug_level:
-            _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level)
-
         client = LDAPClient(self.ldap_uri,
-                            force_schema_updates=self._force_schema_updates)
+                            force_schema_updates=self._force_schema_updates,
+                            cacert=cacert)
         conn = client._conn
 
         with client.error_handler():
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index b61ef96..5090a26 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
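Review bot: The docstring in the `@@ -139,9 +138,7 @@` hunk still lists `debug_level -- LDAP debug level option` two lines above the replaced entries, although the `@@ -126,8 +126,7 @@` hunk drops `debug_level` from the create_connection signature and the `@@ -155,23 +152,18 @@` hunk removes its `OPT_DEBUG_LEVEL` handling, so that docstring line is now stale and should be deleted as well. The new `cacert` entry would also be more useful if it named the fallback the body applies, e.g. `cacert -- TLS CA certificate filename (defaults to constants.CACERT)`, since a caller reading only the signature sees `cacert=None` and cannot tell that the IPA CA is used for verification. The create_connection docstring continues outside the hunk.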
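Review bot: In the `@@ -155,23 +152,18 @@` hunk `cacert` now falls back to `constants.CACERT` and is handed to `LDAPClient(...)` without any check that the file is present; if LDAPClient passes the path straight to the TLS layer (not visible here), a missing CA file would presumably surface only as an opaque connect failure rather than a message naming the file. A guard such as `if not os.path.isfile(cacert): raise RuntimeError('CA certificate file %s not found' % cacert)` before the `LDAPClient(...)` call would make that failure explicit, and `os` is already imported at the top of the file. It is also worth noting in a comment that the removed `_ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, ...)` call was process-global whereas the new `cacert` is per-client, so any other connection in the same process that relied on this method having set the global option will no longer be affected by it. The body of create_connection continues outside the hunk.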
@@ -890,19 +890,19 @@ migration process might be incomplete\n''')
 
         cacert = None
         if options.get('cacertfile') is not None:
-            #store CA cert into file
+            # store CA cert into file
             tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
             cacert = tmp_ca_cert_f.name
 
-            #start TLS connection
+            # start TLS connection
             ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
-                            tls_cacertfile=cacert)
+                            cacert=cacert)
 
             tmp_ca_cert_f.close()
         else:
             ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
 
-        #check whether the compat plugin is enabled
+        # check whether the compat plugin is enabled
         if not options.get('compat'):
             try:
                 ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))