
gpo: Cert Auto Enroll use ldap trust cert if NDES disabled

If the CA does not have the Network Device
Enrollment Service enabled, we can still use the
certificate from the ldap request (unless this is
a complex request and ldap config isn't present).

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 13 15:38:53 UTC 2022 on sn-devel-184
This commit is contained in:
David Mulder 2022-05-12 13:24:07 -06:00 committed by Andreas Schneider
parent 73b12a8072
commit 8231eaf856


@ -194,9 +194,9 @@ def get_supported_templates(server):
return [] return []
def getca(ca_name, url, trust_dir): def getca(ca, url, trust_dir):
"""Fetch Certificate Chain from the CA.""" """Fetch Certificate Chain from the CA."""
root_cert = os.path.join(trust_dir, '%s.crt' % ca_name) root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
root_certs = [] root_certs = []
try: try:
@ -205,10 +205,21 @@ def getca(ca_name, url, trust_dir):
except requests.exceptions.ConnectionError: except requests.exceptions.ConnectionError:
log.warn('Failed to establish a new connection') log.warn('Failed to establish a new connection')
r = None r = None
if r is None or r.content == b'': if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
log.warn('Failed to fetch the root certificate chain.') log.warn('Failed to fetch the root certificate chain.')
log.warn('Ensure you have installed and configured the' log.warn('The Network Device Enrollment Service is either not' +
' Network Device Enrollment Service.') ' installed or not configured.')
if 'cACertificate' in ca:
log.warn('Installing the server certificate only.')
try:
cert = load_der_x509_certificate(ca['cACertificate'])
except TypeError:
cert = load_der_x509_certificate(ca['cACertificate'],
default_backend())
cert_data = cert.public_bytes(Encoding.PEM)
with open(root_cert, 'wb') as w:
w.write(cert_data)
root_certs.append(root_cert)
return root_certs return root_certs
if r.headers['Content-Type'] == 'application/x-x509-ca-cert': if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
@ -239,7 +250,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
"""Install the root certificate chain.""" """Install the root certificate chain."""
data = {'files': [], 'templates': []} data = {'files': [], 'templates': []}
url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
root_certs = getca(ca['name'], url, trust_dir) root_certs = getca(ca, url, trust_dir)
data['files'].extend(root_certs) data['files'].extend(root_certs)
for src in root_certs: for src in root_certs:
# Symlink the certs to global trust dir # Symlink the certs to global trust dir
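Review bot: The new NDES-disabled test on the `if r is None or r.content == b'' or ...` line of the second hunk indexes `r.headers['Content-Type']` directly and compares it for equality with `'text/html'`, so a reply that carries no Content-Type header raises KeyError instead of taking the fallback, and an error page served as `text/html; charset=utf-8` is not recognised and falls through to the chain-parsing branch below. Reading the header with a default and matching on the media-type prefix handles both, `ctype = r.headers.get('Content-Type', '')` before the check and `ctype.startswith('text/html')` inside it; the pre-existing `== 'application/x-x509-ca-cert'` comparison a few lines later has the same exact-match weakness. The fallback also treats `ca['cACertificate']` as a single DER blob; if that dictionary entry is filled from a multi-valued LDAP attribute this should be confirmed at the caller, and the `if 'cACertificate' in ca:` branch deserves a why-comment such as `# NDES unavailable: trust the CA certificate published in AD instead of the SCEP chain`. The body of getca continues outside this hunk.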