IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix LDAP effective rights control with python-ldap 2.4.x

Browse Source 
The new version of python-ldap changed the way it created LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with effective rights
control and LDAP server thus rejects it.

This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.

https://fedorahosted.org/freeipa/ticket/2565
This commit is contained in:
Martin Kosek
2012-03-21 09:50:33 +01:00
committed by Rob Crittenden
parent 98a99cbca8
commit 2d460003b9
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
ipaserver/plugins/ldap2.py
View File

@@ -42,7 +42,19 @@ import ldap as _ldap
from ldap.ldapobject import SimpleLDAPObject
import ldap.filter as _ldap_filter
import ldap.sasl as _ldap_sasl
from ldap.controls import LDAPControl
try:
from ldap.controls.simple import GetEffectiveRightsControl #pylint: disable=F0401,E0611
except ImportError:
"""
python-ldap 2.4.x introduced a new API for effective rights control, which
needs to be used or otherwise bind dn is not passed correctly. The following
class is created for backward compatibility with python-ldap 2.3.x.
Relevant BZ: https://bugzilla.redhat.com/show_bug.cgi?id=802675
"""
from ldap.controls import LDAPControl
class GetEffectiveRightsControl(LDAPControl):
def __init__(self, criticality, authzId=None):
LDAPControl.__init__(self, '1.3.6.1.4.1.42.2.27.9.5.2', criticality, authzId)
# for backward compatibility
from ldap.functions import explode_dn
from ipalib.dn import DN
@@ -874,7 +886,7 @@ class ldap2(CrudBackend, Encoder):
"""
principal = getattr(context, 'principal')
(binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: " + binddn.encode('UTF-8'))]
sctrl = [GetEffectiveRightsControl(True, "dn: " + binddn.encode('UTF-8'))]
self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
(dn, attrs) = self.get_entry(dn, entry_attrs)
# remove the control so subsequent operations don't include GER