Add export_root_ca_certificate() methods for LDAPS #248
Code Review
This pull request adds the export_root_ca_certificate method to both the Active Directory and Samba host classes to allow exporting LDAPS certificates in PEM format. The review feedback suggests updating the PowerShell script in the AD implementation to use the non-obsolete GetHostEntry method and to use a more robust regex-based approach for matching the certificate subject.
| """ | ||
| result = self.conn.run( | ||
| """ | ||
| $fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName |
The [System.Net.Dns]::GetHostByName method is obsolete. It is recommended to use [System.Net.Dns]::GetHostEntry instead, which is the modern replacement in .NET for resolving host information.
| $fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName | |
| $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName |
ack, fixed it.
| # Get the LDAPS certificate from My store (server certificate with ServerAuth EKU) | ||
| $cert = Get-ChildItem Cert:\\LocalMachine\\My | Where-Object { | ||
| $_.Subject -eq "CN=$fqdn" -and |
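Review bot: the Subject filter on this line is a plain string comparison against the whole subject, and even a regex for the CN should be anchored to an RDN boundary so a CN embedded in another attribute value cannot match; consider `$_.Subject -match "(^|, ?)CN=$([regex]::Escape($fqdn))(,|$)"`, which requires the CN to begin the subject or follow a comma and to end at a comma or the end of the string. Since `-match` is case-insensitive by default, hostname casing differences in the subject are already tolerated.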
Using an exact match for the Subject property (-eq "CN=$fqdn") is fragile. Certificate subjects often contain additional Relative Distinguished Names (RDNs) such as Organizational Units (OU) or Domain Components (DC). A more robust approach is to use a regular expression match to identify the Common Name (CN) component specifically.
| $_.Subject -eq "CN=$fqdn" -and | |
| $_.Subject -match "CN=$([regex]::Escape($fqdn))($|,)" -and |
ack, fixed this one
Add certificate export functionality to AD and Samba hosts to support LDAPS testing with proper certificate trust chains.

AD (Windows):
- Export LDAPS certificate from LocalMachine\My store (not Root)
- Filter by FQDN subject and Server Authentication EKU (1.3.6.1.5.5.7.3.1)
- Certificate has both CA:TRUE and ServerAuth for trust chain validation

Samba (Linux):
- Export CA certificate from /var/data/certs/ca.crt
- Pre-configured LDAPS certificate in container setup

These methods enable tests to:
1. Export certificates from providers
2. Trust them on client systems using TLSUtils.trust_ca_certificate()
3. Validate LDAPS connections (port 636) with proper TLS verification

Used by adcli LDAPS tests to verify --use-ldaps functionality.

Signed-off-by: shridhargadekar <shridhar.always@gmail.com>
3c51b44 to 7d0e6e6
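The certificate selection and PEM export that the commit message and the two review comments describe, written out as an added example rather than the PR's own script: it matches the CN as a whole RDN, requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and writes the DER bytes as 64-column PEM. The function name, the default store path and the output file are assumptions for illustration.

```powershell
# Added example, not code from the PR. Selects the LDAPS server certificate for a
# host by CN and ServerAuth EKU and exports it as PEM. Store path and function name
# are assumptions; the EKU OID and PEM format are as described in the commit message.
function Export-LdapsCertificatePem {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $OutFile,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $ekuExtOid     = '2.5.29.37'           # extendedKeyUsage extension

    # CN must be a whole RDN: start of subject or after a comma, then comma or end.
    $cnPattern = "(^|, ?)CN=$([regex]::Escape($Fqdn))(,|$)"

    $cert = Get-ChildItem $StorePath | Where-Object {
        $_.Subject -match $cnPattern -and
        # Decode the EKU extension and check for ServerAuth among its OIDs.
        ($_.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid } | ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($_, $false).EnhancedKeyUsages.Value
        }) -contains $serverAuthOid
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

    if (-not $cert) {
        throw "No certificate with CN=$Fqdn and ServerAuth EKU found in $StorePath"
    }

    # Public certificate only (no private key), base64 wrapped at 64 columns for PEM.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = ([Convert]::ToBase64String($der) -replace '(.{64})', "`$1`n").TrimEnd("`n")
    $pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
    [System.IO.File]::WriteAllText($OutFile, $pem)
    return $cert.Thumbprint
}
```

The returned thumbprint lets a test confirm that the PEM it later trusts with TLSUtils.trust_ca_certificate() is the same certificate the LDAPS listener presents on port 636.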