Add plugin framework to LDAP updates.

There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032
2025-02-25 18:55:28 -06:00 · 2011-11-23 16:52:40 -05:00
parent 56401c1abe
commit 2f4b3972a0
19 changed files with 648 additions and 87 deletions
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -34,6 +34,7 @@ import shutil
 import tempfile
 import time
 import re
+import pwd

 import krbV
 from ipapython.ipa_log_manager import *
@@ -313,7 +314,7 @@ class ldap2(CrudBackend, Encoder):
    @encode_args(2, 3, 'bind_dn', 'bind_pw')
    def create_connection(self, ccache=None, bind_dn='', bind_pw='',
            tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
-            debug_level=0):
+            debug_level=0, autobind=False):
        """
        Connect to LDAP server.

@@ -326,6 +327,7 @@ class ldap2(CrudBackend, Encoder):
        tls_cacertfile -- TLS CA certificate filename
        tls_certfile -- TLS certificate filename
        tls_keyfile - TLS bind key filename
+        autobind - autobind as the current user

        Extends backend.Connectible.create_connection.
        """
@@ -342,7 +344,7 @@ class ldap2(CrudBackend, Encoder):

        try:
            conn = _ldap.initialize(self.ldap_uri)
-            if self.ldap_uri.startswith('ldapi://'):
+            if self.ldap_uri.startswith('ldapi://') and ccache:
                conn.set_option(_ldap.OPT_HOST_NAME, api.env.host)
            if ccache is not None:
                os.environ['KRB5CCNAME'] = ccache
@@ -351,8 +353,14 @@ class ldap2(CrudBackend, Encoder):
                            context=krbV.default_context()).principal().name
                setattr(context, 'principal', principal)
            else:
-                # no kerberos ccache, use simple bind
-                conn.simple_bind_s(bind_dn, bind_pw)
+                # no kerberos ccache, use simple bind or external sasl
+                if autobind:
+                    pent = pwd.getpwuid(os.geteuid())
+                    auth_tokens = _ldap.sasl.external(pent.pw_name)
+                    conn.sasl_interactive_bind_s("", auth_tokens)
+                else:
+                    conn.simple_bind_s(bind_dn, bind_pw)
+
        except _ldap.LDAPError, e:
            _handle_errors(e, **{})