gpo: Cert Auto Enroll use ldap trust cert if NDES disabled
author David Mulder <dmulder@suse.com>
Thu, 12 May 2022 19:24:07 +0000 (13:24 -0600)
committer Andreas Schneider <asn@cryptomilk.org>
Fri, 13 May 2022 15:38:53 +0000 (15:38 +0000)
If the CA does not have the Network Device
Enrollment Service enabled, we can still use the
certificate from the ldap request (unless this is
a complex request and ldap config isn't present).

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 13 15:38:53 UTC 2022 on sn-devel-184

python/samba/gp_cert_auto_enroll_ext.py

index 6f84f174b2b69d4a1aa1106c12db74359f969fe5..680525c9ced46c6f27bc616a71b5b770da047f63 100644 (file)
@@ -194,9 +194,9 @@ def get_supported_templates(server):
     return []
 
 
-def getca(ca_name, url, trust_dir):
+def getca(ca, url, trust_dir):
     """Fetch Certificate Chain from the CA."""
-    root_cert = os.path.join(trust_dir, '%s.crt' % ca_name)
+    root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
     root_certs = []
 
     try:
@@ -205,10 +205,21 @@ def getca(ca_name, url, trust_dir):
     except requests.exceptions.ConnectionError:
         log.warn('Failed to establish a new connection')
         r = None
-    if r is None or r.content == b'':
+    if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
         log.warn('Failed to fetch the root certificate chain.')
-        log.warn('Ensure you have installed and configured the'
-                 ' Network Device Enrollment Service.')
+        log.warn('The Network Device Enrollment Service is either not' +
+                 ' installed or not configured.')
+        if 'cACertificate' in ca:
+            log.warn('Installing the server certificate only.')
+            try:
+                cert = load_der_x509_certificate(ca['cACertificate'])
+            except TypeError:
+                cert = load_der_x509_certificate(ca['cACertificate'],
+                                                 default_backend())
+            cert_data = cert.public_bytes(Encoding.PEM)
+            with open(root_cert, 'wb') as w:
+                w.write(cert_data)
+            root_certs.append(root_cert)
         return root_certs
 
     if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
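Review bot: The new guard on line 37 compares `r.headers['Content-Type']` with the bare string `'text/html'`, so a response whose header carries a charset parameter (`text/html; charset=utf-8`) slips past the NDES-missing branch and on to the certificate parsing below, and a response with no Content-Type header at all raises KeyError instead of taking the fallback; `r.headers.get('Content-Type', '').startswith('text/html')` covers both. In the fallback itself, `load_der_x509_certificate(ca['cACertificate'])` is guarded only against TypeError for the backend-argument difference, so a malformed or unexpectedly typed LDAP value raises ValueError and aborts the whole enrollment rather than being logged like the connection failure above; catching ValueError with a `log.warn` and returning the (empty) `root_certs` would keep the best-effort behaviour consistent. It is also worth a comment at the fallback, e.g. `# NDES unavailable: install only the CA's own cert from the LDAP object; no chain is written`, since callers later symlink whatever lands in root_certs. getca starts in the previous hunk and its body continues past this one.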
@@ -239,7 +250,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = {'files': [], 'templates': []}
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
-    root_certs = getca(ca['name'], url, trust_dir)
+    root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
     for src in root_certs:
         # Symlink the certs to global trust dir