From 03d113cdd7c5f943d8937eb4fec1086bfe47e909 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Wed, 26 Oct 2016 17:00:12 +0200
Subject: [PATCH] install: remove adhoc dis/connect from services
Remove ldap_connect and ldap_disconnect from services. admin_conn is just an alias to api.Backend.ldap2 and therefore the connection should be managed elsewhere.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta
---
ipaserver/install/adtrustinstance.py | 8 -----
ipaserver/install/bindinstance.py | 3 --
ipaserver/install/cainstance.py | 14 --------
ipaserver/install/custodiainstance.py | 2 --
ipaserver/install/dns.py | 5 ---
ipaserver/install/dnskeysyncinstance.py | 2 --
ipaserver/install/dogtaginstance.py | 8 -----
ipaserver/install/dsinstance.py | 20 ----------
ipaserver/install/httpinstance.py | 4 ---
ipaserver/install/kra.py | 1 -
ipaserver/install/krainstance.py | 4 ---
ipaserver/install/krbinstance.py | 3 --
ipaserver/install/odsexporterinstance.py | 2 --
ipaserver/install/opendnssecinstance.py | 5 ---
ipaserver/install/server/upgrade.py | 3 --
ipaserver/install/service.py | 46 +----------------------
16 files changed, 1 insertion(+), 129 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 486e43e83..7ccd3026a 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -282,9 +282,6 @@ class ADTRUSTInstance(service.Service):
to enable the sidgen plugin we have to reconnect to the directory server.
"""
-
- self.ldap_connect()
-
try:
dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
except errors.NotFound:
@@ -777,8 +774,6 @@ class ADTRUSTInstance(service.Service):
self.__setup_sub_dict()
def find_local_id_range(self):
- self.ldap_connect()
-
if self.admin_conn.get_entries(
DN(api.env.container_ranges, self.suffix),
ldap.SCOPE_ONELEVEL,
@@ -821,9 +816,6 @@ class ADTRUSTInstance(service.Service):
self.admin_conn.add_entry(entry)
def create_instance(self):
-
- self.ldap_connect()
-
self.step("stopping smbd", self.__stop)
self.step("creating samba domain object", \
self.__create_samba_domain_object)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 20ae1f20b..7d6f3baf2 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -698,9 +698,6 @@ class BindInstance(service.Service):
except Exception:
pass
- # get a connection to the DS
- self.ldap_connect()
-
for ip_address in self.ip_addresses:
if installutils.record_in_hosts(str(ip_address), self.fqdn) is None:
installutils.add_record_to_hosts(str(ip_address), self.fqdn)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 84149b329..1b7acef70 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1192,9 +1192,6 @@ class CAInstance(DogtagInstance):
if fqdn is None:
fqdn = api.env.host
- if not self.admin_conn:
- self.ldap_connect()
-
dn = DN(('cn', 'CA'), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
renewal_filter = '(ipaConfigString=caRenewalMaster)'
@@ -1210,9 +1207,6 @@ class CAInstance(DogtagInstance):
if fqdn is None:
fqdn = api.env.host
- if not self.admin_conn:
- self.ldap_connect()
-
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
@@ -1270,9 +1264,6 @@ class CAInstance(DogtagInstance):
pki_ds_create_new_db is set to False
'''
- if not self.admin_conn:
- self.ldap_connect()
-
backend = 'ipaca'
suffix = DN(('o', 'ipaca'))
@@ -1426,8 +1417,6 @@ class CAInstance(DogtagInstance):
root_logger.info('Creating principal')
installutils.kadmin_addprinc(principal)
self.suffix = ipautil.realm_to_suffix(self.realm)
- if not self.admin_conn:
- self.ldap_connect()
self.move_service(principal)
root_logger.info('Retrieving keytab')
@@ -1460,9 +1449,6 @@ class CAInstance(DogtagInstance):
os.chown(keyfile, pent.pw_uid, pent.pw_gid)
def __add_lightweight_ca_tracking_requests(self):
- if not self.admin_conn:
- self.ldap_connect()
-
try:
lwcas = self.admin_conn.get_entries(
base_dn=api.env.basedn,
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index b373344d2..7d2082ca2 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -156,8 +156,6 @@ class CustodiaInstance(SimpleServiceInstance):
# Add CA certificates
tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
self.suffix = ipautil.realm_to_suffix(self.realm)
- if self.admin_conn is not None:
- self.ldap_disconnect()
self.import_ca_certs(tmpdb, True)
# Now that we gathered all certs, re-export
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index bfff0d856..9b2dd162e 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -70,19 +70,14 @@ def _disable_dnssec():
ods.uninstall()
# needs keytab to flush the latest ods database
ods_exporter.uninstall()
- ods.ldap_connect()
ods.ldap_disable('DNSSEC', api.env.host, api.env.basedn)
ods.ldap_remove_service_container('DNSSEC', api.env.host, api.env.basedn)
- ods_exporter.ldap_connect()
ods_exporter.ldap_disable('DNSKeyExporter', api.env.host, api.env.basedn)
ods_exporter.remove_service()
ods_exporter.ldap_remove_service_container('DNSKeyExporter', api.env.host, api.env.basedn)
- ods.ldap_disconnect()
- ods_exporter.ldap_disconnect()
-
conn = api.Backend.ldap2
dn = DN(('cn', 'DNSSEC'), ('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 95c658567..a6c1013ed 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -125,8 +125,6 @@ class DNSKeySyncInstance(service.Service):
except Exception:
pass
- # get a connection to the DS
- self.ldap_connect()
# checking status step must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up bind-dyndb-ldap working directory",
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 970c0c979..2890b4b92 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -432,10 +432,6 @@ class DogtagInstance(service.Service):
def setup_admin(self):
self.admin_user = "admin-%s" % self.fqdn
self.admin_password = binascii.hexlify(os.urandom(16))
-
- if not self.admin_conn:
- self.ldap_connect()
-
self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca'))
@@ -480,10 +476,6 @@ class DogtagInstance(service.Service):
pass
def teardown_admin(self):
-
- if not self.admin_conn:
- self.ldap_connect()
-
for group in self.admin_groups:
self.__remove_admin_from_group(group)
self.admin_conn.delete_entry(self.admin_dn)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2e5e12ae0..d27eba12d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -428,18 +428,10 @@ class DsInstance(service.Service):
r_bindpw=self.dm_password)
self.run_init_memberof = repl.needs_memberof_fixup()
- # Now that the server is up make sure all changes happen against
- # the local server (as repica pomotion does not have the DM password.
- if self.admin_conn:
- self.ldap_disconnect()
-
def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict.
- if not self.admin_conn:
- self.ldap_connect()
-
try:
res = self.admin_conn.get_entries(
DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')),
@@ -1102,9 +1094,6 @@ class DsInstance(service.Service):
"""
Add sidgen plugin configuration only if it does not already exist.
"""
- if not self.admin_conn:
- self.ldap_connect()
-
dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config')
try:
self.admin_conn.get_entry(dn)
@@ -1123,9 +1112,6 @@ class DsInstance(service.Service):
"""
Add extdom configuration if it does not already exist.
"""
- if not self.admin_conn:
- self.ldap_connect()
-
dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config')
try:
self.admin_conn.get_entry(dn)
@@ -1135,8 +1121,6 @@ class DsInstance(service.Service):
root_logger.debug("extdom plugin is already configured")
def replica_populate(self):
- self.ldap_connect()
-
dn = DN(('cn', 'default'), ('ou', 'profile'), self.suffix)
try:
entry = self.admin_conn.get_entry(dn)
@@ -1152,8 +1136,6 @@ class DsInstance(service.Service):
except ldap.TYPE_OR_VALUE_EXISTS:
pass
- self.ldap_disconnect()
-
def find_subject_base(self):
"""
Try to find the current value of certificate subject base.
@@ -1302,8 +1284,6 @@ class DsInstance(service.Service):
('cn', 'config'))
dna_config_base = DN(('cn', 'posix IDs'), dna_plugin)
- if not self.admin_conn:
- self.ldap_connect()
conn = self.admin_conn
# Check the plugin is enabled else it is useless to update
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 9a19389a2..bd19621db 100644
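Review bot: The block deleted after `self.run_init_memberof = repl.needs_memberof_fixup()` was the step that dropped the connection so that later changes would go to the local server (the removed comment says replica promotion lacks the DM password); with it gone, whatever connection `api.Backend.ldap2` already holds is what `__configure_sasl_mappings` and the other methods in this file now use through `self.admin_conn`, with no check in between. That is only correct if the connection in place at this point is already the local one, which cannot be confirmed from the hunk (only the `r_bindpw=self.dm_password)` tail of the replication setup is visible). A one-line comment where the disconnect used to be would preserve that intent for the next reader, e.g. `# api.Backend.ldap2 is expected to already point at the local server here`. The enclosing method starts above the hunk.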
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -150,10 +150,6 @@ class HTTPInstance(service.Service):
self.ca_is_configured = ca_is_configured
self.promote = promote
- # get a connection to the DS
- self.ldap_connect()
-
-
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss cipher suite", self.set_mod_nss_cipher_suite)
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 87aab97c4..85ae57d20 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -101,7 +101,6 @@ def uninstall(standalone):
kra = krainstance.KRAInstance(api.env.realm)
if standalone:
- kra.ldap_connect()
try:
kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'),
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index f32c1e928..315057808 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -318,10 +318,6 @@ class KRAInstance(DogtagInstance):
self.log.debug("Vault container already exists")
else:
self.log.error("Failed to add vault container: {0}".format(e))
- finally:
- # we need to disconnect from LDAP, because _ldap_mod() makes the
- # connection without actually using it
- self.ldap_disconnect()
def __apply_updates(self):
sub_dict = {
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index cfcbfdec8..c53657e85 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -130,9 +130,6 @@ class KrbInstance(service.Service):
self.__setup_sub_dict()
- # get a connection to the DS
- self.ldap_connect()
-
self.backup_state("running", self.is_running())
try:
self.stop()
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index 7c3afc5a7..f0d903471 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -48,8 +48,6 @@ class ODSExporterInstance(service.Service):
except Exception:
pass
- # get a connection to the DS
- self.ldap_connect()
# checking status step must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up DNS Key Exporter", self.__setup_key_exporter)
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index bda2ac025..7f3269f82 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -82,8 +82,6 @@ class OpenDNSSECInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
def get_masters(self):
- if not self.admin_conn:
- self.ldap_connect()
return get_dnssec_key_masters(self.admin_conn)
def create_instance(self, fqdn, realm_name, generate_master_key=True,
@@ -102,9 +100,6 @@ class OpenDNSSECInstance(service.Service):
except Exception:
pass
- # get a connection to the DS
- if not self.admin_conn:
- self.ldap_connect()
# checking status must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up configuration files", self.__setup_conf_files)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0ec01c919..bea1276e5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1614,10 +1614,8 @@ def upgrade_configuration():
ds.suffix = ipautil.realm_to_suffix(api.env.realm)
ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)
- ds.ldap_connect()
ds_enable_sidgen_extdom_plugins(ds)
ds.update_dna_shared_config()
- ds.ldap_disconnect()
# Now 389-ds is available, run the remaining http tasks
if not http.is_kdcproxy_configured():
@@ -1627,7 +1625,6 @@ def upgrade_configuration():
ds.start()
http.ldapi = True
http.suffix = ipautil.realm_to_suffix(api.env.realm)
- http.ldap_connect()
httpinstance.create_kdcproxy_user()
http.create_kdcproxy_conf()
http.enable_kdcproxy()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 91137ddd7..c2b8e0012 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -30,7 +30,6 @@ from ipapython.ipa_log_manager import root_logger
from ipalib import api, errors, certstore
from ipaplatform import services
from ipaplatform.paths import paths
-from ipapython.ipaldap import LDAPClient
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
@@ -154,22 +153,8 @@ class Service(object):
def admin_conn(self):
"""
alias for api.Backend.ldap2
- :returns: None when ldap2 is not connected, ldap2 connection otherwise
"""
- conn = api.Backend.ldap2
- if conn.isconnected():
- return conn
- return None
-
- def ldap_connect(self):
- """connect to ldap with installer's limits"""
- if not self.admin_conn:
- api.Backend.ldap2.connect(size_limit=LDAPClient.size_limit,
- time_limit=LDAPClient.time_limit)
-
- def ldap_disconnect(self):
- """close the api.Backend.ldap2 connection"""
- api.Backend.ldap2.disconnect()
+ return api.Backend.ldap2
def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, ldap_uri=None, dm_password=None):
@@ -194,8 +179,6 @@ class Service(object):
# As we always connect to the local host,
# use URI of admin connection
if not ldap_uri:
- if not self.admin_conn:
- self.ldap_connect()
ldap_uri = self.admin_conn.ldap_uri
args += ["-H", ldap_uri]
@@ -256,9 +239,6 @@ class Service(object):
The principal needs to be fully-formed: service/host@REALM
"""
- if not self.admin_conn:
- self.ldap_connect()
-
dn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
entry = self.admin_conn.make_entry(
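Review bot: The rewritten `admin_conn` property returns `api.Backend.ldap2` whether or not it is connected, yet its docstring shrinks to `alias for api.Backend.ldap2` and no longer states who is responsible for connecting it, even though every call site in this patch that used to call `self.ldap_connect()` now relies on that precondition. Extend the docstring to say so, e.g. `alias for api.Backend.ldap2; the caller must have connected it before use`. Because the property no longer yields None when disconnected, any `if self.admin_conn:` or `is not None` guard that survives outside this patch is now always true and silently stops detecting the disconnected state, which is worth a grep before merging. The `_ldap_mod` hunk below has the same dependency: `ldap_uri = self.admin_conn.ldap_uri` now reads from ldap2 even when nothing has connected it, which is only safe if `ldap_uri` is populated before `connect()`; that cannot be confirmed from this hunk.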
@@ -279,21 +259,6 @@ class Service(object):
This server cert should be in DER format.
"""
-
- # add_cert_to_service() is relatively rare operation
- # we actually call it twice during ipa-server-install, for different
- # instances: ds and cs. Unfortunately, it may happen that admin
- # connection was created well before add_cert_to_service() is called
- # If there are other operations in between, it will become stale and
- # since we are using SimpleLDAPObject, not ReconnectLDAPObject, the
- # action will fail. Thus, explicitly disconnect and connect again.
- # Using ReconnectLDAPObject instead of SimpleLDAPObject was considered
- # but consequences for other parts of the framework are largely
- # unknown.
- if self.admin_conn:
- self.ldap_disconnect()
- self.ldap_connect()
-
dn = DN(('krbprincipalname', self.principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
entry = self.admin_conn.get_entry(dn)
@@ -305,8 +270,6 @@ class Service(object):
def import_ca_certs(self, db, ca_is_configured, conn=None):
if conn is None:
- if not self.admin_conn:
- self.ldap_connect()
conn = self.admin_conn
try:
@@ -455,8 +418,6 @@ class Service(object):
config=[]):
assert isinstance(ldap_suffix, DN)
self.disable()
- if not self.admin_conn:
- self.ldap_connect()
entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
@@ -502,8 +463,6 @@ class Service(object):
def ldap_disable(self, name, fqdn, ldap_suffix):
assert isinstance(ldap_suffix, DN)
- if not self.admin_conn:
- self.ldap_connect()
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
@@ -539,9 +498,6 @@ class Service(object):
root_logger.debug("service %s startup entry disabled", name)
def ldap_remove_service_container(self, name, fqdn, ldap_suffix):
- if not self.admin_conn:
- self.ldap_connect()
-
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
try:
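Review bot: Dropping the disconnect/reconnect at the top of `add_cert_to_service` also drops the only mitigation the removed comment described for a stale `SimpleLDAPObject` connection failing when other operations ran between the original connect and this call; the new code goes straight to `entry = self.admin_conn.get_entry(dn)` and nothing in the hunk shows that liveness or reconnection is now handled by whoever owns `api.Backend.ldap2`. If that staleness problem has been resolved elsewhere, a short comment would stop the next reader from re-adding the workaround, e.g. `# no reconnect here: api.Backend.ldap2 is connected and kept alive by the caller`. If it has not, ipa-server-install would now fail at this `get_entry` instead of recovering, so the commit message should say which it is. The rest of `add_cert_to_service` continues outside the hunk.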