From 6dc469fdb828b5ab9a4a049bbcf9f28a6fc03e7f Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 25 Sep 2017 15:52:27 +0200
Subject: [PATCH] library/ipaapi.py: Add call to api to get subject base form
 server

The subject base generated in discovery is only a guess and might have been
changed by the admin at installation process. Therefore it is needed to
get this from the server.

subject_base has been added as a new return value.

Use the subject base from ipaapi in roles/ipaclient/tasks/install.yml instead of
the guessed value from ipadiscovery.
---
 library/ipaapi.py                 | 17 ++++++++++++++++-
 roles/ipaclient/tasks/install.yml |  2 +-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/library/ipaapi.py b/library/ipaapi.py
index a97840d5..524962fd 100644
--- a/library/ipaapi.py
+++ b/library/ipaapi.py
@@ -63,6 +63,11 @@ ca_enabled:
   description: Wheter the Certificate Authority is enabled or not.
   returned: always
   type: bool
+subject_base:
+  description: The subject base, needed for certmonger
+  returned: always
+  type: string
+  sample: O=EXAMPLE.COM
 '''
 
 import os
@@ -88,6 +93,7 @@ from ipalib.rpc import delete_persistent_client_session_data
 from ipapython import certdb
 from ipapython.ipautil import CalledProcessError, write_tmp_file, \
     ipa_generate_password
+from ipapython.dn import DN
 ipa_client_install = None
 try:
     from ipaclient.install.client import SECURE_PATH, disable_ra
@@ -236,7 +242,16 @@ def main():
     if not ca_enabled:
         disable_ra()
 
-    module.exit_json(changed=True, ca_enabled=ca_enabled)
+    # Get subject base from ipa server
+    try:
+        config = api.Command['config_show']()['result']
+        subject_base = str(DN(config['ipacertificatesubjectbase'][0]))
+    except errors.PublicError as e:
+        module.fail_json(msg="Cannot get subject base from server: %s" % e)
+
+    module.exit_json(changed=True,
+                     ca_enabled=ca_enabled,
+                     subject_base=subject_base)
 
 if __name__ == '__main__':
     main()
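Review bot: A config_show result without an `ipacertificatesubjectbase` entry, or with an empty list for it, raises KeyError or IndexError at the `subject_base = str(DN(config['ipacertificatesubjectbase'][0]))` line, and the `except errors.PublicError` clause does not catch either, so the module would exit with a raw traceback instead of the clean failure the new handler is meant to give. Widening the clause to `except (errors.PublicError, KeyError, IndexError) as e:` keeps every failure of this lookup on the fail_json path with the same message. `errors` is not imported by this patch; presumably it is already in scope from an earlier `ipalib` import above the hunk, which is worth confirming. The body of main() starts outside the hunk, so whether `api` is already finalized and connected at this point cannot be checked here.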
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index ed3900c6..7f4d565e 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -174,7 +174,7 @@
     realm: "{{ ipadiscovery.realm }}"
     basedn: "{{ ipadiscovery.basedn }}"
     hostname: "{{ ipadiscovery.hostname }}"
-    subject_base: "{{ ipadiscovery.subject_base }}"
+    subject_base: "{{ ipaapi.subject_base }}"
     principal: "{{ ipaadmin_principal | default(omit) }}"
     mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
     ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
-- 
GitLab