From f45a79c437fa9e774940913b6ae2b091590bcf37 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Jan 31 2021 14:01:07 +0000
Subject: Fix cert_request for KDC cert


ca_kdc_check() expects an API object, not an LDAP connection. Issue was
introduced in commit 8f4abf7bc1607fc44f528b8a443b69cb82269e69.

See: https://pagure.io/freeipa/issue/6739
Fixes: https://pagure.io/freeipa/issue/8686
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index a5be24a..ee67a18 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -873,7 +873,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
                             "with subject alt name '%s'.") % name)
                 if not bypass_caacl:
                     if principal_type == KRBTGT:
-                        ca_kdc_check(ldap, alt_principal.hostname)
+                        ca_kdc_check(self.api, alt_principal.hostname)
                     else:
                         caacl_check(alt_principal, ca, profile_id)