Refuse PORT, HOST in /etc/openldap/ldap.conf

OpenLDAP has deprecated PORT and HOST stanzes in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.

Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

ipaclient/install/client.py

@@ -20,6 +20,7 @@ import getpass
 import gssapi
 import netifaces
 import os
+import re
 import SSSDConfig
 import shutil
 import socket
@@ -201,6 +202,31 @@ def nssldap_exists():
     return (retval, files_found)
 
 
+def check_ldap_conf(conf=paths.OPENLDAP_LDAP_CONF,
+                    error_rval=CLIENT_INSTALL_ERROR):
+    if not os.path.isfile(conf):
+        return False
+
+    pat = re.compile(r"^\s*(PORT|HOST).*")
+    unsupported = set()
+
+    with open(conf) as f:
+        for line in f:
+            mo = pat.match(line)
+            if mo is not None:
+                unsupported.add(mo.group(1))
+
+    if unsupported:
+        raise ScriptError(
+            "'{}' contains deprecated and unsupported entries: {}".format(
+                conf, ", ".join(sorted(unsupported))
+            ),
+            rval=error_rval
+        )
+    else:
+        return True
+
+
 def delete_ipa_domain():
     """Helper function for uninstall.
     Deletes IPA domain from sssd.conf
@@ -2008,6 +2034,8 @@ def install_check(options):
             "using 'ipa-client-install --uninstall'.")
         raise ScriptError(rval=CLIENT_ALREADY_CONFIGURED)
 
+    check_ldap_conf()
+
     if options.conf_ntp:
         try:
             timeconf.check_timedate_services()

ipaserver/install/server/install.py

@@ -16,6 +16,7 @@ import textwrap
 
 import six
 
+from ipaclient.install.client import check_ldap_conf
 from ipaclient.install.ipachangeconf import IPAChangeConf
 from ipalib.install import certmonger, sysrestore
 from ipapython import ipautil
@@ -312,6 +313,7 @@ def install_check(installer):
 
     tasks.check_ipv6_stack_enabled()
     tasks.check_selinux_status()
+    check_ldap_conf()
 
     if options.master_password:
         msg = ("WARNING:\noption '-P/--master-password' is deprecated. "

ipaserver/install/server/replicainstall.py

@@ -22,6 +22,7 @@ import traceback
 from pkg_resources import parse_version
 import six
 
+from ipaclient.install.client import check_ldap_conf
 from ipaclient.install.ipachangeconf import IPAChangeConf
 import ipaclient.install.timeconf
 from ipalib.install import certstore, sysrestore
@@ -570,6 +571,7 @@ def check_remote_version(client, local_version):
 def common_check(no_ntp):
     tasks.check_ipv6_stack_enabled()
     tasks.check_selinux_status()
+    check_ldap_conf()
 
     if is_ipa_configured():
         raise ScriptError(

ipatests/test_install/test_install_checks.py

@@ -0,0 +1,37 @@
+# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
+
+from __future__ import absolute_import
+
+import tempfile
+
+import pytest
+
+from ipaclient.install.client import check_ldap_conf
+from ipapython.admintool import ScriptError
+
+
+@pytest.mark.parametrize("lines,expected", [
+    (["PORT 389"], "PORT"),
+    (["HOST example.org"], "HOST"),
+    (["HOST example.org", "# PORT 389"], "HOST"),
+    (["\tHOST example.org", "# PORT 389"], "HOST"),
+    (["HOST example.org", "PORT 389"], "HOST, PORT"),
+    (["# HOST example.org", "# PORT 389"], None),
+    (["URI PORT"], None),
+    ([], None),
+])
+def test_check_ldap(lines, expected):
+    with tempfile.NamedTemporaryFile('w+') as f:
+        for line in lines:
+            f.write(line)
+            f.write('\n')
+        f.write('\n')
+        f.flush()
+
+        if expected is None:
+            assert check_ldap_conf(f.name) is True
+        else:
+            with pytest.raises(ScriptError) as e:
+                check_ldap_conf(f.name)
+            msg = e.value.msg
+            assert msg.endswith(expected)