Refactoring of autobind, object_exists

Required to prevent code duplications

ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

install/tools/ipa-adtrust-install

@@ -25,7 +25,7 @@ from ipaserver.install import adtrustinstance
 from ipaserver.install.installutils import *
 from ipaserver.install import service
 from ipapython import version
-from ipapython import ipautil, sysrestore
+from ipapython import ipautil, sysrestore, ipaldap
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 import krbV
@@ -405,7 +405,7 @@ def main():
 
     smb = adtrustinstance.ADTRUSTInstance(fstore)
     smb.realm = api.env.realm
-    smb.autobind = service.ENABLED
+    smb.autobind = ipaldap.AUTOBIND_ENABLED
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
               netbios_name, reset_netbios_name,
               options.rid_base, options.secondary_rid_base,

ipapython/ipaldap.py

@@ -27,6 +27,8 @@ from decimal import Decimal
 from copy import deepcopy
 import contextlib
 import collections
+import os
+import pwd
 
 import ldap
 import ldap.sasl
@@ -53,6 +55,10 @@ _debug_log_ldap = False
 
 _missing = object()
 
+# Autobind modes
+AUTOBIND_AUTO = 1
+AUTOBIND_ENABLED = 2
+AUTOBIND_DISABLED = 3
 
 def unicode_from_utf8(val):
     '''
@@ -1633,6 +1639,18 @@ class LDAPClient(object):
         with self.error_handler():
             self.conn.delete_s(dn)
 
+    def entry_exists(self, dn):
+        """
+        Test whether the given object exists in LDAP.
+        """
+        assert isinstance(dn, DN)
+        try:
+            self.get_entry(dn, attrs_list=[])
+        except errors.NotFound:
+            return False
+        else:
+            return True
+
 
 class IPAdmin(LDAPClient):
 
@@ -1742,6 +1760,25 @@ class IPAdmin(LDAPClient):
         self.__bind_with_wait(
             self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
 
+    def do_bind(self, dm_password="", autobind=AUTOBIND_AUTO, timeout=DEFAULT_TIMEOUT):
+        if dm_password:
+            self.do_simple_bind(bindpw=dm_password, timeout=timeout)
+            return
+        if autobind != AUTOBIND_DISABLED and os.getegid() == 0 and self.ldapi:
+            try:
+                # autobind
+                pw_name = pwd.getpwuid(os.geteuid()).pw_name
+                self.do_external_bind(pw_name, timeout=timeout)
+                return
+            except errors.NotFound, e:
+                if autobind == AUTOBIND_ENABLED:
+                    # autobind was required and failed, raise
+                    # exception that it failed
+                    raise
+
+        #fall back
+        self.do_sasl_gssapi_bind(timeout=timeout)
+
     def modify_s(self, *args, **kwargs):
         # FIXME: for backwards compatibility only
         return self.conn.modify_s(*args, **kwargs)

ipaserver/install/bindinstance.py

@@ -202,23 +202,11 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA,
     with open(NAMED_CONF, 'w') as f:
         f.write("".join(new_lines))
 
-def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None):
+def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
+                         autobind=ipaldap.AUTOBIND_DISABLED):
     """
     Test whether the dns container exists.
     """
-
-    def object_exists(dn):      # FIXME, this should be a IPAdmin/ldap2 method so it can be shared
-        """
-        Test whether the given object exists in LDAP.
-        """
-        assert isinstance(dn, DN)
-        try:
-            conn.get_entry(dn)
-        except errors.NotFound:
-            return False
-        else:
-            return True
-
     assert isinstance(suffix, DN)
     try:
         # At install time we may need to use LDAPI to avoid chicken/egg
@@ -228,14 +216,11 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None
         else:
             conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=CACERT)
 
-        if dm_password:
+        conn.do_bind(dm_password, autobind=autobind)
-            conn.do_simple_bind(bindpw=dm_password)
-        else:
-            conn.do_sasl_gssapi_bind()
     except ldap.SERVER_DOWN:
         raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
 
-    ret = object_exists(DN(('cn', 'dns'), suffix))
+    ret = conn.entry_exists(DN(('cn', 'dns'), suffix))
     conn.unbind()
 
     return ret
@@ -446,7 +431,7 @@ class BindInstance(service.Service):
             service_desc="DNS",
             dm_password=dm_password,
             ldapi=False,
-            autobind=service.DISABLED
+            autobind=ipaldap.AUTOBIND_DISABLED
             )
         self.dns_backup = DnsBackup(self)
         self.named_user = None

ipaserver/install/cainstance.py

@@ -271,7 +271,7 @@ class CADSInstance(service.Service):
             service_desc="directory server for the CA",
             dm_password=dm_password,
             ldapi=False,
-            autobind=service.DISABLED)
+            autobind=ipaldap.AUTOBIND_DISABLED)
 
         self.serverid = "PKI-IPA"
         self.realm = realm_name

ipaserver/install/dsinstance.py

@@ -192,7 +192,7 @@ class DsInstance(service.Service):
             service_desc="directory server",
             dm_password=dm_password,
             ldapi=False,
-            autobind=service.DISABLED
+            autobind=ipaldap.AUTOBIND_DISABLED
             )
         self.nickname = 'Server-Cert'
         self.dm_password = dm_password

ipaserver/install/service.py

@@ -20,7 +20,6 @@
 import sys
 import os, socket
 import tempfile
-import pwd
 import time
 import datetime
 import traceback
@@ -32,10 +31,6 @@ from ipalib import errors, certstore
 from ipaplatform import services
 from ipaplatform.paths import paths
 
-# Autobind modes
-AUTO = 1
-ENABLED = 2
-DISABLED = 3
 
 # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
 # the first value is the *nix service name, the second the start order.
@@ -74,7 +69,8 @@ def format_seconds(seconds):
 
 
 class Service(object):
-    def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True, autobind=AUTO):
+    def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True,
+                 autobind=ipaldap.AUTOBIND_AUTO):
         self.service_name = service_name
         self.service_desc = service_desc
         self.service = services.service(service_name)
@@ -110,26 +106,8 @@ class Service(object):
                 conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
             else:
                 conn = ipaldap.IPAdmin(self.fqdn, port=389)
-            if self.dm_password:
+
-                conn.do_simple_bind(bindpw=self.dm_password)
+            conn.do_bind(self.dm_password, autobind=self.autobind)
-            elif self.autobind in [AUTO, ENABLED]:
-                if os.getegid() == 0 and self.ldapi:
-                    try:
-                        # autobind
-                        pw_name = pwd.getpwuid(os.geteuid()).pw_name
-                        conn.do_external_bind(pw_name)
-                    except errors.NotFound, e:
-                        if self.autobind == AUTO:
-                            # Fall back
-                            conn.do_sasl_gssapi_bind()
-                        else:
-                            # autobind was required and failed, raise
-                            # exception that it failed
-                            raise e
-                else:
-                    conn.do_sasl_gssapi_bind()
-            else:
-                conn.do_sasl_gssapi_bind()
         except Exception, e:
             root_logger.debug("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e)))
             raise