Use wrapper for sasl gssapi binds so it behaves like other binds

By calling directly sasl_interactive_bind_s() we were not calling __lateinit() This in turn resulted in some variables like dbdir not to be set on the IPAadmin object. Keep all bind types in the same place so the same common sbind steps can be performed in each case. Related to: https://fedorahosted.org/freeipa/ticket/1022
2025-02-25 18:55:28 -06:00 · 2011-02-25 18:37:45 -05:00 · 2011-02-25 18:37:45 -05:00 · 2028695d88
commit 2028695d88
parent 09dd05b49a
4 changed files with 13 additions and 12 deletions
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@ -142,7 +142,7 @@ def list_masters(realm, host, replica, dirman_passwd, verbose):
            if dirman_passwd:
                conn.do_simple_bind(bindpw=dirman_passwd)
            else:
-                conn.sasl_interactive_bind_s('', ipaldap.sasl_auth)
+                conn.do_sasl_gssapi_bind()

            dn = 'cn=masters,cn=ipa,cn=etc,%s' % util.realm_to_suffix(realm)
            entries = conn.search_s(dn, ldap.SCOPE_ONELEVEL)
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@ -39,8 +39,6 @@ TIMEOUT = 120
 IPA_REPLICA = 1
 WINSYNC = 2

-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
-
 def check_replication_plugin():
    """
    Confirm that the 389-ds replication is installed.
@ -64,7 +62,7 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
    if dirman_passwd:
        conn.do_simple_bind(bindpw=dirman_passwd)
    else:
-        conn.sasl_interactive_bind_s('', SASL_AUTH)
+        conn.do_sasl_gssapi_bind()
    entry = conn.search_s('cn=IPA Version Replication,cn=plugins,cn=config', ldap.SCOPE_BASE, 'objectclass=*')
    if entry[0].getValue('nsslapd-pluginenabled') == 'off':
        conn.modify_s(entry[0].dn, [(ldap.MOD_REPLACE, 'nsslapd-pluginenabled', 'on')])
@ -90,7 +88,7 @@ class ReplicationManager:
        if dirman_passwd:
            self.conn.do_simple_bind(bindpw=dirman_passwd)
        else:
-            self.conn.sasl_interactive_bind_s('', SASL_AUTH)
+            self.conn.do_sasl_gssapi_bind()

        self.repl_man_passwd = dirman_passwd

@ -605,7 +603,7 @@ class ReplicationManager:
        if r_bindpw:
            r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
        else:
-            r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+            r_conn.do_sasl_gssapi_bind()

        #Setup the first half
        l_id = self._get_replica_id(self.conn, r_conn)
@ -684,7 +682,7 @@ class ReplicationManager:
        if r_bindpw:
            r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
        else:
-            r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+            r_conn.do_sasl_gssapi_bind()

        # First off make sure servers are in sync so that both KDCs
        # have all princiapls and their passwords and can release
@ -714,7 +712,7 @@ class ReplicationManager:
        if r_bindpw:
            r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
        else:
-            r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+            r_conn.do_sasl_gssapi_bind()

        # Allow krb principals to act as replicas
        self.setup_krb_princs_as_replica_binddns(self.conn, r_conn)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -31,7 +31,6 @@ import datetime
 from ipaserver.install import installutils

 CACERT = "/etc/ipa/ca.crt"
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')

 SERVICE_LIST = {
    'KDC':('krb5kdc', 10),
@ -299,7 +298,7 @@ class Service:
            if dm_password:
                conn.do_simple_bind(bindpw=dm_password)
            else:
-                conn.sasl_interactive_bind_s('', SASL_AUTH)
+                conn.do_sasl_gssapi_bind_()
        except Exception, e:
            logging.debug("Could not connect to the Directory Server on %s: %s" % (fqdn, str(e)))
            raise e
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@ -36,7 +36,7 @@ from ipaserver import ipautil
 from ipalib import errors

 # Global variable to define SASL auth
-sasl_auth = ldap.sasl.sasl({},'GSSAPI')
+SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')

 class Entry:
    """
@ -338,7 +338,7 @@ class IPAdmin(SimpleLDAPObject):
        try:
            if krbccache is not None:
                os.environ["KRB5CCNAME"] = krbccache
-                self.sasl_interactive_bind_s("", sasl_auth)
+                self.sasl_interactive_bind_s("", SASL_AUTH)
                self.principal = principal
            self.proxydn = None
        except ldap.LDAPError, e:
@ -350,6 +350,10 @@ class IPAdmin(SimpleLDAPObject):
        self.simple_bind_s(binddn, bindpw)
        self.__lateinit()

+    def do_sasl_gssapi_bind(self):
+        self.sasl_interactive_bind_s('', SASL_AUTH)
+        self.__lateinit()
+
    def do_external_bind(self, user_name=None):
        auth_tokens = ldap.sasl.external(user_name)
        self.sasl_interactive_bind_s("", auth_tokens)