From dc0d1fc196db273edc01678931cd53c04cc87503 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Wed, 21 Nov 2018 17:07:55 +0100
Subject: [PATCH] ipaclient: Fix gathering of subject_base from server in
 ipaapi.py module

The api command to get the server config is failing with more recent
freeipa versions. Therefore another way to gather the server config using
api.Backend.rpcclient.forward has been added in case the first version
fails.

The new code is from freeipa commit 8af6accfa5734a7e9a7c92fcf38d5440482413d4
(https://github.com/freeipa/freeipa/commit/8af6accf)
---
 roles/ipaclient/library/ipaapi.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/roles/ipaclient/library/ipaapi.py b/roles/ipaclient/library/ipaapi.py
index 95901b4e..f46b9d86 100644
--- a/roles/ipaclient/library/ipaapi.py
+++ b/roles/ipaclient/library/ipaapi.py
@@ -198,7 +198,19 @@ def main():
         config = api.Command['config_show']()['result']
         subject_base = str(DN(config['ipacertificatesubjectbase'][0]))
     except errors.PublicError as e:
-        module.fail_json(msg="Cannot get subject base from server: %s" % e)
+        try:
+            config = api.Backend.rpcclient.forward(
+                'config_show',
+                raw=True,  # so that servroles are not queried
+                version=u'2.0'
+            )['result']
+        except Exception as e:
+            logger.debug("config_show failed %s", e, exc_info=True)
+            module.fail_json(
+                "Failed to retrieve CA certificate subject base: {}".format(e),
+                rval=CLIENT_INSTALL_ERROR)
+        else:
+            subject_base = str(DN(config['ipacertificatesubjectbase'][0]))
 
     module.exit_json(changed=True,
                      ca_enabled=ca_enabled,