From 5d0ed95344115508e001cad9e87d60686ed4db23 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: May 23 2019 06:21:18 +0000 Subject: CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA Commit fa50068 introduced a regression. Previously, the upgrade plugin upload_cacrt was setting the attribute ipaconfigstring: compatCA in the entry cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN After commit fa50068, the value is not set any more. As a consequence, the LDAP entry is not identified as the CA and CA renewal does not update the entry cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN. RHEL 6 client rely on this entry to retrieve the CA and client install fails because cn=CAcert is out-of-date. The fix makes sure that upload_cacrt plugin properly sets ipaconfigstring: compatCA in the entry cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN Fixed: https://pagure.io/freeipa/issue/7928 Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 763da1e..91fbb4e 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -92,7 +92,7 @@ class update_upload_cacrt(Updater):
 config = entry.setdefault('ipaConfigString', [])
 if ca_enabled:
 config.append('ipaCa')
- config.append('ipaCa')
+ config.append('compatCA')
 try:
 ldap.add_entry(entry)
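Review bot: The corrected `config.append('compatCA')` only reaches the directory through the `ldap.add_entry(entry)` two lines below, so it fixes entries created from now on; a server that was already upgraded with the regressed code holds a cn=DOMAIN IPA CA entry without compatCA, and whether that gets repaired depends on the duplicate-entry handling that follows `add_entry`, which lies outside the hunk. It is worth confirming that path also merges the missing ipaConfigString value, since the commit message ties CA renewal of cn=CAcert — the certificate RHEL 6 clients fetch as their trust anchor — to this marker. A regression test that runs the updater twice and asserts `compatCA` (and, with ca_enabled set, `ipaCa`) is present exactly once on the entry would pin the fix against a repeat of fa50068. The enclosing method of update_upload_cacrt starts and ends outside the hunk.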