From 87c3c1abecdfb8b5eb227239eeacfbee386a7ed7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Nov 11 2016 11:17:25 +0000
Subject: install: use ldaps for pkispawn in ipa-ca-install

Commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 undone the fix from commit 276d16775a4ce8af5d39ca8a7bf5bcd638df343f, breaking ipa-ca-install on servers with hardened DS configuration. Put the fix back to make ipa-ca-install work on hardened DS configuration again.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Babinsky
---
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index a033e23..10352c9 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -188,7 +188,8 @@ def install_step_0(standalone, replica_config, options):
 master_replication_port=master_replication_port,
 ra_p12=ra_p12,
 ra_only=ra_only,
- promote=promote)
+ promote=promote,
+ use_ldaps=standalone)
 def install_step_1(standalone, replica_config, options):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 97eb392..9a42d8e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -330,7 +330,7 @@ class CAInstance(DogtagInstance):
 master_replication_port=None, subject_base=None, ca_signing_algorithm=None, ca_type=None, ra_p12=None, ra_only=False,
- promote=False):
+ promote=False, use_ldaps=False):
 """Create a CA instance.
 To create a clone, pass in pkcs12_info.
@@ -363,6 +363,7 @@ class CAInstance(DogtagInstance):
 else:
 self.ca_type = 'generic'
 self.no_db_setup = promote
+ self.use_ldaps = use_ldaps
 # Determine if we are installing as an externally-signed CA and
 # what stage we're in.
@@ -495,6 +496,9 @@ class CAInstance(DogtagInstance):
 config.set("CA", "pki_ds_base_dn", self.basedn)
 config.set("CA", "pki_ds_database", "ipaca")
+ if self.use_ldaps:
+ self._use_ldaps_during_spawn(config)
+
 # Certificate subject DN's
 config.set("CA", "pki_subsystem_subject_dn", str(DN(('cn', 'CA Subsystem'), self.subject_base)))
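Review bot: `use_ldaps=standalone` couples the DS transport used during pkispawn to the standalone flag, and nothing at the call site says why only the ipa-ca-install path binds over LDAPS; the rationale lives only in the commit message. A short comment above the keyword argument, `# standalone == ipa-ca-install against an existing DS that may refuse plain LDAP; bind over LDAPS`, would keep the next refactor from dropping it again, which is exactly what this commit reverts. The call in install_step_0 begins before the hunk.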
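Review bot: The new `use_ldaps=False` keyword is not described in the docstring that immediately follows it (`"""Create a CA instance. ...`), and the same value is stored at the -363 hunk without a comment either. Add a docstring line such as `use_ldaps: when True, configure pkispawn to bind to the DS over LDAPS (needed when DS rejects plain LDAP, e.g. a hardened install)`. Since the default stays False, the non-standalone install paths still bind over plain LDAP during spawn; if that is deliberate (DS TLS presumably not yet usable at that point — confirm), stating so in the docstring would stop a later cleanup from regressing it. The method's def line is outside the hunk.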
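Review bot: `self._use_ldaps_during_spawn(config)` is called from the new branch but the helper is neither defined nor touched in this patch, so the standalone path fails with AttributeError at spawn time unless it already exists on CAInstance or DogtagInstance — presumably it survived from commit 276d16775a4ce8af5d39ca8a7bf5bcd638df343f, but the patch does not show that. Worth confirming in review that the helper is still present, since the revert named in the message may have removed it along with the call. The enclosing method continues on both sides of the hunk.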