install: remove adhoc dis/connect from services

Remove ldap_connect and ldap_disconnect from services. admin_conn is
just an alias to api.Backend.ldap2 and therefore the connection should
be managed elsewhere.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Tomas Krizek 2016-10-26 17:00:12 +02:00 committed by Martin Basti
parent c51b04fae7
commit 03d113cdd7
16 changed files with 1 additions and 129 deletions


@ -282,9 +282,6 @@ class ADTRUSTInstance(service.Service):
to enable the sidgen plugin we have to reconnect to the directory to enable the sidgen plugin we have to reconnect to the directory
server. server.
""" """
self.ldap_connect()
try: try:
dom_entry = self.admin_conn.get_entry(self.smb_dom_dn) dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
except errors.NotFound: except errors.NotFound:
@ -777,8 +774,6 @@ class ADTRUSTInstance(service.Service):
self.__setup_sub_dict() self.__setup_sub_dict()
def find_local_id_range(self): def find_local_id_range(self):
self.ldap_connect()
if self.admin_conn.get_entries( if self.admin_conn.get_entries(
DN(api.env.container_ranges, self.suffix), DN(api.env.container_ranges, self.suffix),
ldap.SCOPE_ONELEVEL, ldap.SCOPE_ONELEVEL,
@ -821,9 +816,6 @@ class ADTRUSTInstance(service.Service):
self.admin_conn.add_entry(entry) self.admin_conn.add_entry(entry)
def create_instance(self): def create_instance(self):
self.ldap_connect()
self.step("stopping smbd", self.__stop) self.step("stopping smbd", self.__stop)
self.step("creating samba domain object", \ self.step("creating samba domain object", \
self.__create_samba_domain_object) self.__create_samba_domain_object)


@ -698,9 +698,6 @@ class BindInstance(service.Service):
except Exception: except Exception:
pass pass
# get a connection to the DS
self.ldap_connect()
for ip_address in self.ip_addresses: for ip_address in self.ip_addresses:
if installutils.record_in_hosts(str(ip_address), self.fqdn) is None: if installutils.record_in_hosts(str(ip_address), self.fqdn) is None:
installutils.add_record_to_hosts(str(ip_address), self.fqdn) installutils.add_record_to_hosts(str(ip_address), self.fqdn)


@ -1192,9 +1192,6 @@ class CAInstance(DogtagInstance):
if fqdn is None: if fqdn is None:
fqdn = api.env.host fqdn = api.env.host
if not self.admin_conn:
self.ldap_connect()
dn = DN(('cn', 'CA'), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), dn = DN(('cn', 'CA'), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
('cn', 'etc'), api.env.basedn) ('cn', 'etc'), api.env.basedn)
renewal_filter = '(ipaConfigString=caRenewalMaster)' renewal_filter = '(ipaConfigString=caRenewalMaster)'
@ -1210,9 +1207,6 @@ class CAInstance(DogtagInstance):
if fqdn is None: if fqdn is None:
fqdn = api.env.host fqdn = api.env.host
if not self.admin_conn:
self.ldap_connect()
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
api.env.basedn) api.env.basedn)
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))' filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
@ -1270,9 +1264,6 @@ class CAInstance(DogtagInstance):
pki_ds_create_new_db is set to False pki_ds_create_new_db is set to False
''' '''
if not self.admin_conn:
self.ldap_connect()
backend = 'ipaca' backend = 'ipaca'
suffix = DN(('o', 'ipaca')) suffix = DN(('o', 'ipaca'))
@ -1426,8 +1417,6 @@ class CAInstance(DogtagInstance):
root_logger.info('Creating principal') root_logger.info('Creating principal')
installutils.kadmin_addprinc(principal) installutils.kadmin_addprinc(principal)
self.suffix = ipautil.realm_to_suffix(self.realm) self.suffix = ipautil.realm_to_suffix(self.realm)
if not self.admin_conn:
self.ldap_connect()
self.move_service(principal) self.move_service(principal)
root_logger.info('Retrieving keytab') root_logger.info('Retrieving keytab')
@ -1460,9 +1449,6 @@ class CAInstance(DogtagInstance):
os.chown(keyfile, pent.pw_uid, pent.pw_gid) os.chown(keyfile, pent.pw_uid, pent.pw_gid)
def __add_lightweight_ca_tracking_requests(self): def __add_lightweight_ca_tracking_requests(self):
if not self.admin_conn:
self.ldap_connect()
try: try:
lwcas = self.admin_conn.get_entries( lwcas = self.admin_conn.get_entries(
base_dn=api.env.basedn, base_dn=api.env.basedn,


@ -156,8 +156,6 @@ class CustodiaInstance(SimpleServiceInstance):
# Add CA certificates # Add CA certificates
tmpdb = CertDB(self.realm, nssdir=tmpnssdir) tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
self.suffix = ipautil.realm_to_suffix(self.realm) self.suffix = ipautil.realm_to_suffix(self.realm)
if self.admin_conn is not None:
self.ldap_disconnect()
self.import_ca_certs(tmpdb, True) self.import_ca_certs(tmpdb, True)
# Now that we gathered all certs, re-export # Now that we gathered all certs, re-export


@ -70,19 +70,14 @@ def _disable_dnssec():
ods.uninstall() # needs keytab to flush the latest ods database ods.uninstall() # needs keytab to flush the latest ods database
ods_exporter.uninstall() ods_exporter.uninstall()
ods.ldap_connect()
ods.ldap_disable('DNSSEC', api.env.host, api.env.basedn) ods.ldap_disable('DNSSEC', api.env.host, api.env.basedn)
ods.ldap_remove_service_container('DNSSEC', api.env.host, api.env.basedn) ods.ldap_remove_service_container('DNSSEC', api.env.host, api.env.basedn)
ods_exporter.ldap_connect()
ods_exporter.ldap_disable('DNSKeyExporter', api.env.host, api.env.basedn) ods_exporter.ldap_disable('DNSKeyExporter', api.env.host, api.env.basedn)
ods_exporter.remove_service() ods_exporter.remove_service()
ods_exporter.ldap_remove_service_container('DNSKeyExporter', api.env.host, ods_exporter.ldap_remove_service_container('DNSKeyExporter', api.env.host,
api.env.basedn) api.env.basedn)
ods.ldap_disconnect()
ods_exporter.ldap_disconnect()
conn = api.Backend.ldap2 conn = api.Backend.ldap2
dn = DN(('cn', 'DNSSEC'), ('cn', api.env.host), ('cn', 'masters'), dn = DN(('cn', 'DNSSEC'), ('cn', api.env.host), ('cn', 'masters'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)


@ -125,8 +125,6 @@ class DNSKeySyncInstance(service.Service):
except Exception: except Exception:
pass pass
# get a connection to the DS
self.ldap_connect()
# checking status step must be first # checking status step must be first
self.step("checking status", self.__check_dnssec_status) self.step("checking status", self.__check_dnssec_status)
self.step("setting up bind-dyndb-ldap working directory", self.step("setting up bind-dyndb-ldap working directory",


@ -432,10 +432,6 @@ class DogtagInstance(service.Service):
def setup_admin(self): def setup_admin(self):
self.admin_user = "admin-%s" % self.fqdn self.admin_user = "admin-%s" % self.fqdn
self.admin_password = binascii.hexlify(os.urandom(16)) self.admin_password = binascii.hexlify(os.urandom(16))
if not self.admin_conn:
self.ldap_connect()
self.admin_dn = DN(('uid', self.admin_user), self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca')) ('ou', 'people'), ('o', 'ipaca'))
@ -480,10 +476,6 @@ class DogtagInstance(service.Service):
pass pass
def teardown_admin(self): def teardown_admin(self):
if not self.admin_conn:
self.ldap_connect()
for group in self.admin_groups: for group in self.admin_groups:
self.__remove_admin_from_group(group) self.__remove_admin_from_group(group)
self.admin_conn.delete_entry(self.admin_dn) self.admin_conn.delete_entry(self.admin_dn)


@ -428,18 +428,10 @@ class DsInstance(service.Service):
r_bindpw=self.dm_password) r_bindpw=self.dm_password)
self.run_init_memberof = repl.needs_memberof_fixup() self.run_init_memberof = repl.needs_memberof_fixup()
# Now that the server is up make sure all changes happen against
# the local server (as repica pomotion does not have the DM password.
if self.admin_conn:
self.ldap_disconnect()
def __configure_sasl_mappings(self): def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they # we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict. # they may conflict.
if not self.admin_conn:
self.ldap_connect()
try: try:
res = self.admin_conn.get_entries( res = self.admin_conn.get_entries(
DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')), DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')),
@ -1102,9 +1094,6 @@ class DsInstance(service.Service):
""" """
Add sidgen plugin configuration only if it does not already exist. Add sidgen plugin configuration only if it does not already exist.
""" """
if not self.admin_conn:
self.ldap_connect()
dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config') dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config')
try: try:
self.admin_conn.get_entry(dn) self.admin_conn.get_entry(dn)
@ -1123,9 +1112,6 @@ class DsInstance(service.Service):
""" """
Add extdom configuration if it does not already exist. Add extdom configuration if it does not already exist.
""" """
if not self.admin_conn:
self.ldap_connect()
dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config') dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config')
try: try:
self.admin_conn.get_entry(dn) self.admin_conn.get_entry(dn)
@ -1135,8 +1121,6 @@ class DsInstance(service.Service):
root_logger.debug("extdom plugin is already configured") root_logger.debug("extdom plugin is already configured")
def replica_populate(self): def replica_populate(self):
self.ldap_connect()
dn = DN(('cn', 'default'), ('ou', 'profile'), self.suffix) dn = DN(('cn', 'default'), ('ou', 'profile'), self.suffix)
try: try:
entry = self.admin_conn.get_entry(dn) entry = self.admin_conn.get_entry(dn)
@ -1152,8 +1136,6 @@ class DsInstance(service.Service):
except ldap.TYPE_OR_VALUE_EXISTS: except ldap.TYPE_OR_VALUE_EXISTS:
pass pass
self.ldap_disconnect()
def find_subject_base(self): def find_subject_base(self):
""" """
Try to find the current value of certificate subject base. Try to find the current value of certificate subject base.
@ -1302,8 +1284,6 @@ class DsInstance(service.Service):
('cn', 'config')) ('cn', 'config'))
dna_config_base = DN(('cn', 'posix IDs'), dna_plugin) dna_config_base = DN(('cn', 'posix IDs'), dna_plugin)
if not self.admin_conn:
self.ldap_connect()
conn = self.admin_conn conn = self.admin_conn
# Check the plugin is enabled else it is useless to update # Check the plugin is enabled else it is useless to update


@ -150,10 +150,6 @@ class HTTPInstance(service.Service):
self.ca_is_configured = ca_is_configured self.ca_is_configured = ca_is_configured
self.promote = promote self.promote = promote
# get a connection to the DS
self.ldap_connect()
self.step("setting mod_nss port to 443", self.__set_mod_nss_port) self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
self.step("setting mod_nss cipher suite", self.step("setting mod_nss cipher suite",
self.set_mod_nss_cipher_suite) self.set_mod_nss_cipher_suite)


@ -101,7 +101,6 @@ def uninstall(standalone):
kra = krainstance.KRAInstance(api.env.realm) kra = krainstance.KRAInstance(api.env.realm)
if standalone: if standalone:
kra.ldap_connect()
try: try:
kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host), kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
('cn', 'masters'), ('cn', 'ipa'), ('cn', 'masters'), ('cn', 'ipa'),


@ -318,10 +318,6 @@ class KRAInstance(DogtagInstance):
self.log.debug("Vault container already exists") self.log.debug("Vault container already exists")
else: else:
self.log.error("Failed to add vault container: {0}".format(e)) self.log.error("Failed to add vault container: {0}".format(e))
finally:
# we need to disconnect from LDAP, because _ldap_mod() makes the
# connection without actually using it
self.ldap_disconnect()
def __apply_updates(self): def __apply_updates(self):
sub_dict = { sub_dict = {


@ -130,9 +130,6 @@ class KrbInstance(service.Service):
self.__setup_sub_dict() self.__setup_sub_dict()
# get a connection to the DS
self.ldap_connect()
self.backup_state("running", self.is_running()) self.backup_state("running", self.is_running())
try: try:
self.stop() self.stop()


@ -48,8 +48,6 @@ class ODSExporterInstance(service.Service):
except Exception: except Exception:
pass pass
# get a connection to the DS
self.ldap_connect()
# checking status step must be first # checking status step must be first
self.step("checking status", self.__check_dnssec_status) self.step("checking status", self.__check_dnssec_status)
self.step("setting up DNS Key Exporter", self.__setup_key_exporter) self.step("setting up DNS Key Exporter", self.__setup_key_exporter)


@ -82,8 +82,6 @@ class OpenDNSSECInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix') suffix = ipautil.dn_attribute_property('_suffix')
def get_masters(self): def get_masters(self):
if not self.admin_conn:
self.ldap_connect()
return get_dnssec_key_masters(self.admin_conn) return get_dnssec_key_masters(self.admin_conn)
def create_instance(self, fqdn, realm_name, generate_master_key=True, def create_instance(self, fqdn, realm_name, generate_master_key=True,
@ -102,9 +100,6 @@ class OpenDNSSECInstance(service.Service):
except Exception: except Exception:
pass pass
# get a connection to the DS
if not self.admin_conn:
self.ldap_connect()
# checking status must be first # checking status must be first
self.step("checking status", self.__check_dnssec_status) self.step("checking status", self.__check_dnssec_status)
self.step("setting up configuration files", self.__setup_conf_files) self.step("setting up configuration files", self.__setup_conf_files)


@ -1614,10 +1614,8 @@ def upgrade_configuration():
ds.suffix = ipautil.realm_to_suffix(api.env.realm) ds.suffix = ipautil.realm_to_suffix(api.env.realm)
ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm) ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)
ds.ldap_connect()
ds_enable_sidgen_extdom_plugins(ds) ds_enable_sidgen_extdom_plugins(ds)
ds.update_dna_shared_config() ds.update_dna_shared_config()
ds.ldap_disconnect()
# Now 389-ds is available, run the remaining http tasks # Now 389-ds is available, run the remaining http tasks
if not http.is_kdcproxy_configured(): if not http.is_kdcproxy_configured():
@ -1627,7 +1625,6 @@ def upgrade_configuration():
ds.start() ds.start()
http.ldapi = True http.ldapi = True
http.suffix = ipautil.realm_to_suffix(api.env.realm) http.suffix = ipautil.realm_to_suffix(api.env.realm)
http.ldap_connect()
httpinstance.create_kdcproxy_user() httpinstance.create_kdcproxy_user()
http.create_kdcproxy_conf() http.create_kdcproxy_conf()
http.enable_kdcproxy() http.enable_kdcproxy()


@ -30,7 +30,6 @@ from ipapython.ipa_log_manager import root_logger
from ipalib import api, errors, certstore from ipalib import api, errors, certstore
from ipaplatform import services from ipaplatform import services
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython.ipaldap import LDAPClient
# The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
@ -154,22 +153,8 @@ class Service(object):
def admin_conn(self): def admin_conn(self):
""" """
alias for api.Backend.ldap2 alias for api.Backend.ldap2
:returns: None when ldap2 is not connected, ldap2 connection otherwise
""" """
conn = api.Backend.ldap2 return api.Backend.ldap2
if conn.isconnected():
return conn
return None
def ldap_connect(self):
"""connect to ldap with installer's limits"""
if not self.admin_conn:
api.Backend.ldap2.connect(size_limit=LDAPClient.size_limit,
time_limit=LDAPClient.time_limit)
def ldap_disconnect(self):
"""close the api.Backend.ldap2 connection"""
api.Backend.ldap2.disconnect()
def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
ldap_uri=None, dm_password=None): ldap_uri=None, dm_password=None):
@ -194,8 +179,6 @@ class Service(object):
# As we always connect to the local host, # As we always connect to the local host,
# use URI of admin connection # use URI of admin connection
if not ldap_uri: if not ldap_uri:
if not self.admin_conn:
self.ldap_connect()
ldap_uri = self.admin_conn.ldap_uri ldap_uri = self.admin_conn.ldap_uri
args += ["-H", ldap_uri] args += ["-H", ldap_uri]
@ -256,9 +239,6 @@ class Service(object):
The principal needs to be fully-formed: service/host@REALM The principal needs to be fully-formed: service/host@REALM
""" """
if not self.admin_conn:
self.ldap_connect()
dn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) dn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix) hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
entry = self.admin_conn.make_entry( entry = self.admin_conn.make_entry(
@ -279,21 +259,6 @@ class Service(object):
This server cert should be in DER format. This server cert should be in DER format.
""" """
# add_cert_to_service() is relatively rare operation
# we actually call it twice during ipa-server-install, for different
# instances: ds and cs. Unfortunately, it may happen that admin
# connection was created well before add_cert_to_service() is called
# If there are other operations in between, it will become stale and
# since we are using SimpleLDAPObject, not ReconnectLDAPObject, the
# action will fail. Thus, explicitly disconnect and connect again.
# Using ReconnectLDAPObject instead of SimpleLDAPObject was considered
# but consequences for other parts of the framework are largely
# unknown.
if self.admin_conn:
self.ldap_disconnect()
self.ldap_connect()
dn = DN(('krbprincipalname', self.principal), ('cn', 'services'), dn = DN(('krbprincipalname', self.principal), ('cn', 'services'),
('cn', 'accounts'), self.suffix) ('cn', 'accounts'), self.suffix)
entry = self.admin_conn.get_entry(dn) entry = self.admin_conn.get_entry(dn)
@ -305,8 +270,6 @@ class Service(object):
def import_ca_certs(self, db, ca_is_configured, conn=None): def import_ca_certs(self, db, ca_is_configured, conn=None):
if conn is None: if conn is None:
if not self.admin_conn:
self.ldap_connect()
conn = self.admin_conn conn = self.admin_conn
try: try:
@ -455,8 +418,6 @@ class Service(object):
config=[]): config=[]):
assert isinstance(ldap_suffix, DN) assert isinstance(ldap_suffix, DN)
self.disable() self.disable()
if not self.admin_conn:
self.ldap_connect()
entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) entry_name = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
@ -502,8 +463,6 @@ class Service(object):
def ldap_disable(self, name, fqdn, ldap_suffix): def ldap_disable(self, name, fqdn, ldap_suffix):
assert isinstance(ldap_suffix, DN) assert isinstance(ldap_suffix, DN)
if not self.admin_conn:
self.ldap_connect()
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
@ -539,9 +498,6 @@ class Service(object):
root_logger.debug("service %s startup entry disabled", name) root_logger.debug("service %s startup entry disabled", name)
def ldap_remove_service_container(self, name, fqdn, ldap_suffix): def ldap_remove_service_container(self, name, fqdn, ldap_suffix):
if not self.admin_conn:
self.ldap_connect()
entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
try: try:
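Review bot: The new `admin_conn` body (`return api.Backend.ldap2`) silently drops the old contract that the property is `None` while ldap2 is not connected, yet its docstring still says only "alias for api.Backend.ldap2", so callers in this section that used to self-heal via `ldap_connect()` (`_ldap_mod`, `add_cert_to_service`, `import_ca_certs`, `ldap_enable`, `ldap_disable`, `ldap_remove_service_container`) now presumably fail on an unconnected backend with no hint of who is expected to connect it. I would extend the docstring to `:returns: api.Backend.ldap2, connected or not; the caller must have connected it before use` so the responsibility shift is visible at the one place every call site goes through. The removed `ldap_connect` also applied `LDAPClient.size_limit`/`time_limit` for the installer, and nothing in this commit shows where those limits are now set; if the shared connection is opened with defaults, long `get_entries` enumerations elsewhere in the diff may behave differently, which is worth confirming wherever the connection is now established. The `add_cert_to_service` hunk likewise deletes the comment explaining the stale-connection reconnect; a one-line note that the method relies on a fresh, externally managed connection would preserve that history for the next reader.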