From 7462adec13c5b25b6868d2863dc38062c97d0ff7 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Nov 10 2016 13:15:57 +0000
Subject: Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent
This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used before Kerberos is configured.
Reviewed-By: Jan Cholasta
Reviewed-By: Fraser Tweedale
---
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 41f7a62..e98dd53 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -113,7 +113,7 @@ def ldap_connect():
 conn = None
 try:
 conn = ldap2(api)
- conn.connect(ccache=os.environ['KRB5CCNAME'])
+ conn.connect(autobind=True)
 yield conn
 finally:
 if conn is not None and conn.isconnected():
@@ -505,11 +505,6 @@ def main():
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
 certs.renewal_lock.acquire()
 try:
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache_filename = os.path.join(tmpdir, 'ccache')
- os.environ['KRB5CCNAME'] = ccache_filename
- ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
-
 profile = os.environ.get('CERTMONGER_CA_PROFILE')
 if profile:
 handler = handlers.get(profile, request_and_store_cert)
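Review bot: `conn.connect(autobind=True)` in ldap_connect() changes the identity the LDAP session runs as, and the hunk carries no comment saying which identity that is or why it is acceptable. With the ccache the helper acted as the host principal that main() used to kinit; autobind normally authenticates the calling OS user over the local LDAPI socket, and if that user is root the mapped directory identity is probably far more privileged than the host entry was (inferred, the mapping is not visible here). I would add a comment above the call, for example `# autobind: bind over local LDAPI as the invoking OS user (expected to be root under certmonger, confirm); usable before Kerberos is configured`, and confirm that the operations made through this connection need no more than the old host principal could do. Directory access logs will also attribute these operations to the autobind identity instead of the host principal, so any audit rule keyed on that principal needs a matching update. ldap_connect() begins and ends outside the hunk.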