Rewrite the migration page using WSGI

install/conf/ipa-rewrite.conf

@@ -3,8 +3,7 @@
 RewriteEngine on
 
 # By default forward all requests to /ipa. If you don't want IPA
-# to be the default on your web server comment this line out. You will
-# need to modify ipa_webgui.cfg as well.
+# to be the default on your web server comment this line out.
 RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
 
 # Redirect to the fully-qualified hostname. Not redirecting to secure

install/conf/ipa.conf

@@ -116,8 +116,8 @@ Alias /ipa/migration "/usr/share/ipa/migration"
     AllowOverride None
     Satisfy Any
     Allow from all
-    AddHandler mod_python .py
-    PythonHandler mod_python.publisher
+    Options ExecCGI
+    AddHandler wsgi-script .py
 </Directory>
 
 

install/migration/index.html

@@ -23,7 +23,7 @@ Upon successful login your Kerberos account will be activated.
 </p>
 <div class="migration_form">
 <div class="migration_form_inner">
-<form action="migration.py/bind" method="post">
+<form action="migration.py" method="post">
     <div class="migration_form_title">
         <span>Password Migration</span>
     </div>

install/migration/migration.py

@@ -20,13 +20,24 @@
 Password migration script
 """
 
+import errno
 import ldap
-from mod_python import apache, util
-
+import cgi
+import wsgiref
 
 BASE_DN = ''
 LDAP_URI = 'ldap://localhost:389'
 
+def wsgi_redirect(start_response, loc):
+    start_response('302 Found', [('Location', loc)])
+    return []
+
+def get_ui_url(environ):
+    full_url = wsgiref.util.request_uri(environ)
+    index = full_url.rfind(environ.get('SCRIPT_NAME',''))
+    if index == -1:
+        raise ValueError('Cannot strip the script URL from full URL "%s"' % full_url)
+    return full_url[:index] + "/ipa/ui"
 
 def get_base_dn():
     """
@@ -48,20 +59,38 @@ def get_base_dn():
     except (IndexError, KeyError):
         return ''
 
-
-def bind(req, username, password):
+def bind(username, password):
     base_dn = get_base_dn()
     if not base_dn:
-        util.redirect(req, '/ipa/migration/error.html')
+        raise IOError(errno.EIO, 'Cannot get Base DN')
     bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)
     try:
         conn = ldap.initialize(LDAP_URI)
         conn.simple_bind_s(bind_dn, password)
     except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM,
             ldap.NO_SUCH_OBJECT):
-        util.redirect(req, '/ipa/migration/invalid.html')
+        raise IOError(errno.EPERM, 'Invalid LDAP credentials for user %s' % username)
     except ldap.LDAPError:
-        util.redirect(req, '/ipa/migration/error.html')
-    conn.unbind_s()
-    util.redirect(req, '/ipa/ui')
+        raise IOError(errno.EIO, 'Bind error')
+
+    conn.unbind_s()
+
+def application(environ, start_response):
+    if environ.get('REQUEST_METHOD', None) != 'POST':
+        return wsgi_redirect(start_response, 'index.html')
+
+    form_data = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
+    if not form_data.has_key('username') or not form_data.has_key('password'):
+        return wsgi_redirect(start_response, 'invalid.html')
+
+    try:
+        bind(form_data['username'].value, form_data['password'].value)
+    except IOError as err:
+        if err.errno == errno.EPERM:
+            return wsgi_redirect(start_response, 'invalid.html')
+        if err.errno == errno.EIO:
+            return wsgi_redirect(start_response, 'error.html')
+
+    ui_url = get_ui_url(environ)
+    return wsgi_redirect(start_response, ui_url)
 

ipa.spec.in

@@ -74,7 +74,6 @@ Requires: krb5-server-ldap
 Requires: cyrus-sasl-gssapi
 Requires: ntp
 Requires: httpd
-Requires: mod_python
 Requires: mod_wsgi
 Requires: mod_auth_kerb
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6