From c442b95db57a3f56f291de35e6f11767c1dbaf9f Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: May 23 2019 06:23:10 +0000 Subject: CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA Commit fa50068 introduced a regression. Previously, the upgrade plugin upload_cacrt was setting the attribute ipaconfigstring: compatCA in the entry cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN After commit fa50068, the value is not set any more. As a consequence, the LDAP entry is not identified as the CA and CA renewal does not update the entry cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN. RHEL 6 client rely on this entry to retrieve the CA and client install fails because cn=CAcert is out-of-date. The fix makes sure that upload_cacrt plugin properly sets ipaconfigstring: compatCA in the entry cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN Fixed: https://pagure.io/freeipa/issue/7928 Reviewed-By: Rob Crittenden Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index dc58f08..6a5bfbd 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -92,7 +92,7 @@ class update_upload_cacrt(Updater):
 config = entry.setdefault('ipaConfigString', [])
 if ca_enabled:
 config.append('ipaCa')
- config.append('ipaCa')
+ config.append('compatCA')
 try:
 ldap.add_entry(entry)
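Review bot: The added `config.append('compatCA')` only reaches LDAP through the `ldap.add_entry(entry)` call that follows. Servers already upgraded with the regressed code hold the entry without the value, so they depend on the duplicate-entry handling outside this hunk, which should be confirmed to rewrite ipaConfigString on the existing entry rather than skip it. The regression was a one-word literal slip that silently left cn=CAcert stale after CA renewal, so a comment on the line would help, for example `# compatCA identifies this entry as the CA so renewal also refreshes cn=CAcert for legacy clients`. A regression test asserting that both `ipaCa` and `compatCA` are present after the plugin runs would catch a repeat. The enclosing method starts and ends outside the hunk.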