Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2025-02-25 18:55:28 -06:00 · 2010-03-24 15:51:31 +01:00 · 2010-03-24 15:51:31 +01:00 · 3620135ec9
commit 3620135ec9
parent cc336cf9c1
11 changed files with 144 additions and 148 deletions
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@ -22,12 +22,11 @@
 import sys
 try:
    from optparse import OptionParser
    from ipaserver import ipaldap
    from ipapython import entity, ipautil, config
    from ipaserver.install import installutils
    from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
    from ipaserver.plugins.ldap2 import ldap2
    from ipalib import errors
    import ldap
    import logging
    import re
    import krbV
@ -95,26 +94,29 @@ def main():
    else:
        dirman_password = get_dirman_password()
    conn = None
    try:
        ldapuri = 'ldap://%s' % installutils.get_fqdn()
        try:
-            conn = ipaldap.IPAdmin(installutils.get_fqdn())
+            conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
-            conn.do_simple_bind(bindpw=dirman_password)
+            conn.connect(
-        except ldap.LDAPError, e:
+                bind_dn='cn=directory manager', bind_pw=dirman_password
            )
        except errors.LDAPError, e:
            print "An error occurred while connecting to the server."
-            print "%s" % e[0]['desc']
+            print e
            return 1
        if args[0] == "enable":
            try:
-                conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
+                conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config')
                              ldap.SCOPE_BASE, "(objectclass=*)")
                print "Plugin already Enabled"
                retval = 2
            except errors.NotFound:
                print "Enabling plugin"
-            except ldap.LDAPError, e:
+            except errors.LDAPError, e:
                print "An error occurred while talking to the server."
-                print "%s" % e[0]['desc']
+                print e
                retval = 1
            if retval == 0:
@ -127,17 +129,15 @@ def main():
            # Make a quick hack foir now, directly delete the entries by name,
            # In future we should add delete capabilites to LDAPUpdate
            try:
-                conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
+                conn.delete_entry('cn=groups,cn=Schema Compatibility,cn=plugins,cn=config')
-                              ldap.SCOPE_BASE, "(objectclass=*)")
+                conn.delete_entry('cn=users,cn=Schema Compatibility,cn=plugins,cn=config')
-                conn.deleteEntry("cn=groups,cn=Schema Compatibility,cn=plugins,cn=config")
+                conn.delete_entry('cn=Schema Compatibility,cn=plugins,cn=config')
                conn.deleteEntry("cn=users,cn=Schema Compatibility,cn=plugins,cn=config")
                conn.deleteEntry("cn=Schema Compatibility,cn=plugins,cn=config")
            except errors.NotFound:
                print "Plugin is already disabled"
                retval = 2
-            except ldap.LDAPError, e:
+            except errors.LDAPError, e:
                print "An error occurred while talking to the server."
-                print "%s" % e[0]['desc']
+                print e
                retval = 1
        else:
@ -145,7 +145,7 @@ def main():
    finally:
        if conn:
-            conn.unbind()
+            conn.disconnect()
    return retval
@ -167,6 +167,6 @@ except config.IPAConfigError, e:
    print "An IPA server to update cannot be found. Has one been configured yet?"
    print "The error was: %s" % e
    sys.exit(1)
-except ldap.LDAPError, e:
+except errors.LDAPError, e:
    print "An error occurred while performing operations: %s" % e
    sys.exit(1)
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@ -22,13 +22,12 @@
 from optparse import OptionParser
 import traceback
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import bindinstance, ntpinstance
 from ipaserver.install.installutils import *
 from ipapython import version
 from ipapython import ipautil, sysrestore
-from ipalib import api, util
+from ipalib import api, errors, util
 import ldap
 def parse_options():
    parser = OptionParser(version=version.VERSION)
@ -134,14 +133,15 @@ def main():
        dm_password = options.dm_password
    # Try out the password
    ldapuri = 'ldap://%s' % api.env.host
    try:
-        conn = ipaldap.IPAdmin(api.env.host)
+        conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
-        conn.do_simple_bind(bindpw=dm_password)
+        conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
-        conn.unbind()
+        conn.disconnect()
-    except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
+    except errors.ACIError:
        sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
    except ldap.INVALID_CREDENTIALS, e :
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
    conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()
--- a/install/tools/ipa-fix-CVE-2008-3274
+++ b/install/tools/ipa-fix-CVE-2008-3274
@ -25,13 +25,10 @@ try:
    import ipapython.ipautil
    import krbV
    import ldap
    from ldap import LDAPError
    from ldap import ldapobject
    from ipalib import errors
    from ipaclient import ipachangeconf
-    from ipaserver import ipaldap
+    from ipaserver.plugins.ldap2 import ldap2
    from pyasn1.type import univ, namedtype
    import pyasn1.codec.ber.encoder
@ -70,22 +67,24 @@ def parse_options():
 def check_vuln(realm, suffix):
    ldapuri = 'ldap://127.0.0.1'
    try:
-        conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
+        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
-        conn.simple_bind()
+        conn.connect()
-        msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
+        try:
-                            ldap.SCOPE_BASE,
+            (entries, truncated) = conn.find_entries(
-                            "(objectclass=krbRealmContainer)",
+                filter='(objectclass=krbRealmContainer)',
-                            ("krbmkey", "cn"))
+                attrs_list=('krbmkey', 'cn'), scope=ldap2.SCOPE_BASE,
-        res = conn.result(msgid)
+                base_dn='cn=%s,cn=kerberos' % realm
-        conn.unbind()
+            )
-
+        except errors.NotFound:
        if len(res) != 2:
            err = 'Realm Container not found, unable to proceed'
            print err
            raise Exception, err
        finally:
            conn.disconnect()
-        if 'krbmkey' in res[1][0][1]:
+        if 'krbmkey' in entries[0][1]:
            print 'System vulnerable'
            return 1
        else:
@ -185,9 +184,10 @@ def change_mkey(password = None, quiet = False):
        password = getpass.getpass("Directory Manager password: ")
    # get a connection to the DS
    ldapuri = 'ldap://%s' % ipapython.config.config.default_server[0]
    try:
-        conn = ipaldap.IPAdmin(ipapython.config.config.default_server[0])
+        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
-        conn.do_simple_bind(bindpw=password)
+        conn.connect(bind_dn='cn=directory manager', bind_pw=password)
    except Exception, e:
        print "ERROR: Could not connect to the Directory Server on "+ipapython.config.config.default_server[0]+" ("+str(e)+")"
        return 1
@ -298,8 +298,8 @@ def change_mkey(password = None, quiet = False):
        asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
        dn = "cn="+realm+",cn=kerberos,"+suffix
-        mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
+        mod = {'krbmkey': str(asn1key)}
-        conn.modify_s(dn, mod)
+        conn.update_entry(dn, mod)
    except Exception, e:
        print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")"
        return 1
@ -459,16 +459,25 @@ def fix_main(password, realm, suffix):
    krbMKey.setComponentByPosition(1, MasterKey)
    asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
-    dn = "cn=%s,cn=kerberos,%s" % (realm, suffix)
+    dn = 'cn=%s,cn=kerberos' % realm
    sub_dict = dict(REALM=realm, SUFFIX=suffix)
    #protect the master key by adding an appropriate deny rule along with the key
-    mod = [(ldap.MOD_ADD, 'aci', ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)),
+    conn = ldap2(
-           (ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
+        shared_instance=False, ldap_uri='ldap://127.0.0.1',
        base_dn=suffix
    )
    conn.connect(bind_dn='cn=directory manager', bind_pw=password)
-    conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
+    (dn, entry_attrs) = conn.get_entry(dn, ['aci'])
-    conn.simple_bind("cn=Directory Manager", password)
+
-    conn.modify_s(dn, mod)
+    entry_attrs['krbmkey'] = str(asn1key)
-    conn.unbind()
+    entry_attrs.setdefault('aci', []).append(
        ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)
    )
    conn.update_entry(dn, entry_attrs)
    conn.disconnect()
    print "\n"
    print "This server is now correctly configured and the master-key has been changed and secured."
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@ -26,11 +26,9 @@
 import sys
 try:
    from optparse import OptionParser
    from ipaserver import ipaldap
    from ipapython import entity, ipautil, config
    from ipaserver.install import installutils
    from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
    import ldap
    import logging
    import re
    import krbV
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@ -22,12 +22,11 @@
 import sys
 try:
    from optparse import OptionParser
    from ipaserver import ipaldap
    from ipapython import entity, ipautil, config
    from ipaserver.install import installutils
    from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
    from ipaserver.plugins.ldap2 import ldap2
    from ipalib import errors
    import ldap
    import logging
 except ImportError:
    print >> sys.stderr, """\
@ -68,12 +67,9 @@ def get_dirman_password():
 def get_nis_config(conn):
    entry = None
    try:
-        entry = conn.getEntry(nis_config_dn, ldap.SCOPE_BASE, "(objectclass=*)")
+        (dn, entry) = conn.get_entry(nis_config_dn)
    except errors.NotFound:
        pass
    except ldap.LDAPError, e:
        raise e
    return entry
 def main():
@ -103,22 +99,26 @@ def main():
    else:
        dirman_password = get_dirman_password()
    conn = None
    try:
        ldapuri = 'ldap://%s' % installutils.get_fqdn()
        try:
-            conn = ipaldap.IPAdmin(installutils.get_fqdn())
+            conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
-            conn.do_simple_bind(bindpw=dirman_password)
+            conn.connect(
-        except ldap.LDAPError, e:
+                bind_dn='cn=directory manager', bind_pw=dirman_password
            )
        except errors.LDAPError, e:
            print "An error occurred while connecting to the server."
-            print "%s" % e[0]['desc']
+            print e
            return 1
        if args[0] == "enable":
            entry = None
            try:
                entry = get_nis_config(conn)
-            except ldap.LDAPError, e:
+            except errors.LDAPError, e:
                print "An error occurred while talking to the server."
-                print "%s" % e[0]['desc']
+                print e
                retval = 1
            # Enable either the portmap or rpcbind service
@ -142,27 +142,25 @@ def main():
                    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
                    retval = ld.update(files)
            else:
-                if entry.getValue('nsslapd-pluginenabled').lower() == "off":
+                if entry.get('nsslapd-pluginenabled', '').lower() == 'off':
                    # Already configured, just enable the plugin
                    print "Enabling plugin"
-                    mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "on")]
+                    mod = {'nsslapd-pluginenabled': 'on'}
-
+                    conn.update_entry(nis_config_dn, mod)
                    conn.modify_s(nis_config_dn, mod)
                else:
                    print "Plugin already Enabled"
                    retval = 2
        elif args[0] == "disable":
            try:
-                mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "off")]
+                mod = {'nsslapd-pluginenabled': 'off'}
-
+                conn.update_entry(nis_config_dn, mod)
                conn.modify_s(nis_config_dn, mod)
            except errors.NotFound:
                print "Plugin is already disabled"
                retval = 2
-            except ldap.LDAPError, e:
+            except errors.LDAPError, e:
                print "An error occurred while talking to the server."
-                print "%s" % e[0]['desc']
+                print e
                retval = 1
        else:
@ -176,7 +174,7 @@ def main():
    finally:
        if conn:
-            conn.unbind()
+            conn.disconnect()
    return retval
@ -198,6 +196,6 @@ except config.IPAConfigError, e:
    print "An IPA server to update cannot be found. Has one been configured yet?"
    print "The error was: %s" % e
    sys.exit(1)
-except ldap.LDAPError, e:
+except errors.LDAPError, e:
    print "An error occurred while performing operations: %s" % e
    sys.exit(1)
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@ -23,15 +23,14 @@ import socket
 import tempfile, os, pwd, traceback, logging, shutil
 from ConfigParser import SafeConfigParser
 import ldap
 from ipapython import ipautil
 from ipaserver.install import dsinstance, replication, installutils, krbinstance, service
 from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
-from ipalib import api, util
+from ipalib import api, errors, util
 CACERT="/usr/share/ipa/html/ca.crt"
@ -300,16 +299,17 @@ def main():
    config.dir = dir
    # Try out the password
    ldapuri = 'ldap://%s' % config.master_host_name
    try:
-        conn = ipaldap.IPAdmin(config.master_host_name)
+        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
-        conn.do_simple_bind(bindpw=config.dirman_password)
+        conn.connect(
-        conn.unbind()
+            bind_dn='cn=directory manager', bind_pw=config.dirman_password
-    except ldap.CONNECT_ERROR, e:
+        )
-        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
+        conn.disconnect()
-    except ldap.SERVER_DOWN, e:
+    except errors.ACIError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    except ldap.INVALID_CREDENTIALS, e :
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    # Create the management framework config file
    # Note: We must do this before bootstraping and finalizing ipalib.api
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@ -24,10 +24,9 @@ import traceback, logging
 from ipapython import ipautil
 from ipaserver.install import replication, dsinstance, installutils
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
-from ipalib import util
+from ipalib import errors, util
 from ipalib import errors
 def parse_options():
    from optparse import OptionParser
@ -73,7 +72,8 @@ def get_realm_name():
    return c.default_realm
 def get_suffix():
-    suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(get_realm_name()))
+    l = ldap2(shared_instance=False, base_dn='')
    suffix = l.normalize_dn(util.realm_to_suffix(get_realm_name()))
    return suffix
 def get_host_name():
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@ -29,11 +29,9 @@ from optparse import OptionParser
 from ipapython import ipautil
 from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance
 from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
-from ipalib import api
+from ipalib import api, errors, util
 from ipalib import util
 import ldap
 def parse_options():
    usage = "%prog [options] FQDN (e.g. replica.example.com)"
@ -75,14 +73,16 @@ def parse_options():
    return options, args
 def get_subject_base(host_name, dm_password, suffix):
    ldapuri = 'ldap://%s:389' % host_name
    try:
-        conn = ipaldap.IPAdmin(host_name)
+        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
-        conn.do_simple_bind(bindpw=dm_password)
+        conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
-    except Exception, e:
+    except errors.ExecutionError, e:
        logging.critical("Could not connect to the Directory Server on %s" % host_name)
        raise e
-    entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE)
+    (dn, entry_attrs) = conn.get_ipa_config()
-    return entry.getValue('ipacertificatesubjectbase')
+    conn.disconnect()
    return entry_attrs.get('ipacertificatesubjectbase', [None])[0]
 def check_ipa_configuration(realm_name):
    config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
@ -236,16 +236,15 @@ def main():
            sys.exit(0)
    # Try out the password
    ldapuri = 'ldap://%s:389' % api.env.host
    try:
-        conn = ipaldap.IPAdmin(api.env.host)
+        conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
-        conn.do_simple_bind(bindpw=dirman_password)
+        conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
-        conn.unbind()
+        conn.disconnect()
-    except ldap.CONNECT_ERROR, e:
+    except errors.ACIError:
        sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
    except ldap.SERVER_DOWN, e:
        sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
    except ldap.INVALID_CREDENTIALS, e :
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
    print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host)
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@ -25,13 +25,13 @@ import tempfile
 import traceback
-import krbV, ldap, getpass
+import krbV, getpass
 from ipapython.ipautil import user_input
 from ipaserver import ipaldap
 from ipaserver.install import certs, dsinstance, httpinstance, installutils
 from ipalib import api
 from ipaserver.plugins.ldap2 import ldap2
 def get_realm_name():
    c = krbV.default_context()
@ -64,14 +64,12 @@ def parse_options():
    return options, args[0]
 def set_ds_cert_name(cert_name, dm_password):
-    conn = ipaldap.IPAdmin("127.0.0.1")
+    ldapuri = 'ldap://127.0.0.1'
-    conn.simple_bind_s("cn=directory manager", dm_password)
+    conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
-
+    conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
-    mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)]
+    mod = {'nssslpersonalityssl': cert_name}
-
+    conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
-    conn.modify_s("cn=RSA,cn=encryption,cn=config", mod)
+    conn.disconnect()
    conn.unbind()
 def choose_server_cert(server_certs):
    print "Please select the certificate to use:"
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -35,7 +35,6 @@ import signal
 import shutil
 import glob
 import traceback
 import ldap
 from optparse import OptionParser
 from ConfigParser import RawConfigParser
 import random
@ -51,11 +50,11 @@ from ipaserver.install import cainstance
 from ipaserver.install import service
 from ipapython import version
 from ipaserver.install.installutils import *
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
 from ipapython import sysrestore
 from ipapython.ipautil import *
-from ipalib import api, util
+from ipalib import api, errors, util
 import ipawebui
@ -411,19 +410,18 @@ def render_assets():
    ui.render_assets()
 def set_subject_in_config(host_name, dm_password, suffix, subject_base):
        ldapuri = 'ldap://%s' % host_name
        try:
-            conn = ipaldap.IPAdmin(host_name)
+            conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
-            conn.do_simple_bind(bindpw=dm_password)
+            conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
-        except Exception, e:
+        except errors.ExecutionError, e:
            logging.critical("Could not connect to the Directory Server on %s" % host_name)
            raise e
-        entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE)
+        (dn, entry_attrs) = conn.get_ipa_config()
-        if entry.getValue('ipaCertificateSubjectBase') is None:
+        if 'ipacertificatesubjectbase' not in entry_attrs:
-            newentry = entry.toDict()
+            mod = {'ipacertificatesubjectbase': subject_base}
-            newentry['ipaCertificateSubjectBase'] = subject_base
+            conn.update_entry(dn, mod)
-            conn.updateEntry(entry.dn, entry.toDict(), newentry)
+        conn.disconnect()
        conn.unbind()
 def main():
    global ds
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@ -219,19 +219,15 @@ class ldap2(CrudBackend, Encoder):
        self.encoder_settings.decode_dict_vals_table = self._SYNTAX_MAPPING
        self.encoder_settings.decode_dict_vals_table_keygen = get_syntax
        self.encoder_settings.decode_postprocessor = lambda x: string.lower(x)
-        if ldap_uri is None:
+        try:
-            self.ldap_uri = api.env.ldap_uri
+            self.ldap_uri = ldap_uri or api.env.ldap_uri
-        else:
+        except AttributeError:
-            self.ldap_uri = ldap_uri
+            self.ldap_uri = 'ldap://example.com'
-        if base_dn is None:
+        try:
-            self.base_dn = api.env.basedn
+            self.base_dn = base_dn or api.env.basedn
-        else:
+        except AttributeError:
-            self.base_dn = base_dn
+            self.base_dn = ''
-        if schema is None:
+        self.schema = schema or _schema
            self.schema = _schema
        else:
            self.schema = schema
    def __del__(self):
        if self.isconnected():