
gpo: Cert Auto Enroll use ldap trust cert if NDES disabled

If the CA does not have the Network Device
Enrollment Service enabled, we can still use the
certificate from the ldap request (unless this is
a complex request and ldap config isn't present).

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 13 15:38:53 UTC 2022 on sn-devel-184
David Mulder 2022-05-12 13:24:07 -06:00 committed by Andreas Schneider
parent 73b12a8072
commit 8231eaf856


@ -194,9 +194,9 @@ def get_supported_templates(server):
return []
def getca(ca_name, url, trust_dir):
def getca(ca, url, trust_dir):
"""Fetch Certificate Chain from the CA."""
root_cert = os.path.join(trust_dir, '%s.crt' % ca_name)
root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
root_certs = []
try:
@ -205,10 +205,21 @@ def getca(ca_name, url, trust_dir):
except requests.exceptions.ConnectionError:
log.warn('Failed to establish a new connection')
r = None
if r is None or r.content == b'':
if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
log.warn('Failed to fetch the root certificate chain.')
log.warn('Ensure you have installed and configured the'
' Network Device Enrollment Service.')
log.warn('The Network Device Enrollment Service is either not' +
' installed or not configured.')
if 'cACertificate' in ca:
log.warn('Installing the server certificate only.')
try:
cert = load_der_x509_certificate(ca['cACertificate'])
except TypeError:
cert = load_der_x509_certificate(ca['cACertificate'],
default_backend())
cert_data = cert.public_bytes(Encoding.PEM)
with open(root_cert, 'wb') as w:
w.write(cert_data)
root_certs.append(root_cert)
return root_certs
if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
@ -239,7 +250,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
"""Install the root certificate chain."""
data = {'files': [], 'templates': []}
url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
root_certs = getca(ca['name'], url, trust_dir)
root_certs = getca(ca, url, trust_dir)
data['files'].extend(root_certs)
for src in root_certs:
# Symlink the certs to global trust dir
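Review bot: The NDES-disabled detection added to the condition in the second hunk, `r.headers['Content-Type'] == 'text/html'`, is an exact compare, so a response whose header carries a parameter (e.g. `text/html; charset=utf-8`) is not recognised and the new cACertificate fallback is never taken, while a response with no Content-Type header at all raises KeyError inside the condition instead of reaching the warning. Matching on the media-type prefix with a default covers both cases: `r is None or r.content == b'' or r.headers.get('Content-Type', '').startswith('text/html')`. The same exact compare already exists on the following `application/x-x509-ca-cert` line, but there it only selects a parser, whereas here it now decides whether the certificate carried in `ca['cACertificate']` is written into the trust directory, which deserves a why-comment along the lines of `# An HTML body here presumably means NDES is not configured; fall back to the CA certificate published in the directory`. getca starts in the first hunk and its body continues past the end of the second.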