On Fri, 23 Aug 2019, lune voo via FreeIPA-users wrote:
Thank you again for your answer Alexander.
A last question:
I'm setting up a python virtual environment for an old project that I need
to maintain without any modification.
This old project currently uses an ipa 3.0 on a physical RHEL 6.6 using
python 2.6.6.
I don't think we supported any use of pip-based ipaclient at that
version.
I'm trying to create the python environment using python 2.6 for the
project because the server will soon be upgraded to RHEL7.
I'm using ipalib to perform ipa user-show etc... command directly in python.
But I get an "(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
been marked as not trusted by the user." when I try to use it.
Pretty sure this is related to my ca.crt file not being found.
This is related to nssdb in use -- at that time we didn't have any
support for relocating files and we also used nssdb at /etc/ipa/nssdb, I
think. So check whether you have trust flags on the certificates in that
NSS database.
Any hope there is a way to check the default path which is used by the
ca.crt file?
Best regards.
Lune
On Fri, 23 Aug 2019 at 15:41, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Fri, 23 Aug 2019, lune voo wrote:
> >Hello Alexander.
> >
> >Thank you for your answer.
> >Do you know if I will have any problem with the certificate to connect to
> >the server ?
> >Generally there is a ca.crt in /etc/ipa/ca.crt, does it need to be included
> >in the virtual environment also ?
>
> See manual page for ipa(1) tool, it documents use of IPA_CONFDIR to
> specify /etc/ipa location. However, /etc/ipa/ca.crt is not configurable
> this way, only through ipaplatform.paths.IPA_CA_CRT value.
>
> $ python3
> Python 3.7.4 (default, Jul 9 2019, 16:32:37)
> [GCC 9.1.1 20190503 (Red Hat 9.1.1-1)] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> from ipaplatform.paths import paths
> >>> paths.IPA_CA_CRT
> '/etc/ipa/ca.crt'
> >>> paths.IPA_CA_CRT="./my.ca.crt"
> >>> from ipaclient.discovery import IPADiscovery
> >>> discover = IPADiscovery()
> >>> discover.search("vda.li", ca_cert_path=paths.IPA_CA_CRT)
> 0
> >>> discover.realm
> 'VDA.LI'
> >>> discover.basedn
> ipapython.dn.DN('dc=vda,dc=li')
> >>>
>
> So, for most of Python code you can redefine paths. But for ipa-join and
> other binaries you cannot.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
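
Added example, not part of the original thread and not FreeIPA code: a small Python check for the trust-flag advice above. It parses the text printed by `certutil -L -d /etc/ipa/nssdb` and reports whether a given CA nickname carries the `C` (trusted CA for server certificates) flag in the SSL column. The listing and nicknames below are constructed, and the standard two-line `certutil -L` header layout is assumed.

```python
import re

# Constructed sample of `certutil -L -d /etc/ipa/nssdb` output (not from the thread).
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Old Imported CA                                              ,,
Server-Cert                                                  u,u,u
"""

# A data line is a nickname, two or more spaces, then three comma-separated
# flag fields in the order SSL, S/MIME, JAR/XPI. Header lines do not match.
_ENTRY = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}"
    r"(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<jar>[A-Za-z]*)\s*$"
)


def parse_trust_listing(listing):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)}."""
    entries = {}
    for line in listing.splitlines():
        match = _ENTRY.match(line)
        if match:
            entries[match.group("nick")] = (
                match.group("ssl"), match.group("smime"), match.group("jar"))
    return entries


def check_ca_trust(listing, ca_nickname):
    """Classify one CA nickname as 'trusted', 'untrusted' or 'missing'.

    'untrusted' means the certificate is in the database but lacks the
    upper-case C flag for SSL, which is the state that makes NSS report
    SEC_ERROR_UNTRUSTED_ISSUER for server certificates that CA issued.
    """
    entries = parse_trust_listing(listing)
    if ca_nickname not in entries:
        return "missing"
    ssl_flags = entries[ca_nickname][0]
    return "trusted" if "C" in ssl_flags else "untrusted"


if __name__ == "__main__":
    for nick in ("EXAMPLE.TEST IPA CA", "Old Imported CA", "Not In DB"):
        print("%-22s %s" % (nick, check_ca_trust(SAMPLE_LISTING, nick)))
```

A CA reported as `untrusted` can have its flags set with `certutil -M -n <nickname> -t CT,C,C -d <nssdb dir>`; one reported as `missing` has to be imported first.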