Clean up existing DN object usage

install/tools/ipa-server-install

@@ -89,9 +89,9 @@ def subject_callback(option, opt_str, value, parser):
     v = unicode(value, 'utf-8')
     try:
         dn = DN(v)
-        for x in xrange(len(dn)):
+        for rdn in dn:
-            if dn[x][0].attr.lower() not in VALID_SUBJECT_ATTRS:
+            if rdn.attr.lower() not in VALID_SUBJECT_ATTRS:
-                raise ValueError('invalid attribute: %s' % dn[x][0].attr.lower())
+                raise ValueError('invalid attribute: %s' % rdn.attr)
     except ValueError, e:
         raise ValueError('Invalid subject base format: %s' % str(e))
     parser.values.subject = str(dn) # may as well normalize it

ipaserver/install/cainstance.py

@@ -933,7 +933,7 @@ class CAInstance(service.Service):
         st = 1
         en = 0
         subid = 0
-        normalized_base = str(DN(self.subject_base))
+        ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
         while st > 0:
             st = certlist.find('-----BEGIN', en)
             en = certlist.find('-----END', en+1)
@@ -942,11 +942,11 @@ class CAInstance(service.Service):
                     (chain_fd, chain_name) = tempfile.mkstemp()
                     os.write(chain_fd, certlist[st:en+25])
                     os.close(chain_fd)
-                    (rdn, subject) = certs.get_cert_nickname(certlist[st:en+25])
+                    (rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
-                    if subject.lower() == ('CN=Certificate Authority,%s' % normalized_base).lower():
+                    if subject_dn == ca_dn:
                         nick = get_ca_nickname(self.realm)
                     else:
-                        nick = subject
+                        nick = str(subject_dn)
                     self.__run_certutil(
                         ['-A', '-t', 'CT,C,C', '-n', nick, '-a',
                          '-i', chain_name]

ipaserver/install/certs.py

@@ -89,13 +89,15 @@ def get_cert_nickname(cert):
     for NSS. The caller can decide whether to use just the RDN
     or the whole subject.
 
-    Returns a tuple of (rdn, subject)
+    Returns a tuple of (rdn, subject_dn) when rdn is the string
+    representation of the first RDN in the subject and subject_dn
+    is a DN object.
     """
     nsscert = x509.load_certificate(cert)
     subject = str(nsscert.subject)
     dn = DN(subject)
 
-    return (str(dn[0]), str(dn))
+    return (str(dn[0]), dn)
 
 def next_serial(serial_file=CA_SERIALNO):
     """
@@ -430,16 +432,16 @@ class CertDB(object):
         certs = fd.read()
         fd.close()
 
-        normalized_base = str(DN(self.subject_base))
+        ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
         st = 0
         while True:
             try:
                 (cert, st) = find_cert_from_txt(certs, st)
-                (nick, subject) = get_cert_nickname(cert)
+                (rdn, subject_dn) = get_cert_nickname(cert)
-                if subject.lower() == ('CN=Certificate Authority,%s' % normalized_base).lower():
+                if subject_dn == ca_dn:
                     nick = get_ca_nickname(self.realm)
                 else:
-                    nick = subject
+                    nick = str(subject_dn)
                 self.run_certutil(["-A", "-n", nick,
                                    "-t", "CT,,C",
                                    "-a"],

ipaserver/install/replication.py

@@ -121,7 +121,7 @@ class ReplicationManager(object):
         self.realm = realm
         self.starttls = starttls
         tmp = util.realm_to_suffix(realm)
-        self.suffix = ipaldap.IPAdmin.normalizeDN(tmp)
+        self.suffix = str(DN(tmp)).lower()
 
         # If we are passed a password we'll use it as the DM password
         # otherwise we'll do a GSSAPI bind.
@@ -162,7 +162,7 @@ class ReplicationManager(object):
         # Ok, either the entry doesn't exist or the attribute isn't set
         # so get it from the other master
         retval = -1
-        dn = str(DN("cn=replication, cn=etc, %s" % self.suffix))
+        dn = str(DN(('cn','replication'),('cn','etc'), self.suffix))
         try:
             replica = master_conn.search_s(dn, ldap.SCOPE_BASE, "objectclass=*")[0]
             if not replica.getValue('nsDS5ReplicaId'):
@@ -258,7 +258,7 @@ class ReplicationManager(object):
             return "2"
 
     def replica_dn(self):
-        return str(DN('cn=replica, cn="%s", cn=mapping tree, cn=config' % self.suffix))
+        return str(DN(('cn','replica'),('cn',self.suffix),('cn','mapping tree'),('cn','config')))
 
     def replica_config(self, conn, replica_id, replica_binddn):
         dn = self.replica_dn()
@@ -754,7 +754,7 @@ class ReplicationManager(object):
         logging.info("Agreement is ready, starting replication . . .")
 
         # Add winsync replica to the public DIT
-        dn = str(DN('cn=%s,cn=replicas,cn=ipa,cn=etc,%s' % (ad_dc_name, self.suffix)))
+        dn = str(DN(('cn',ad_dc_name),('cn','replicas'),('cn','ipa'),('cn','etc'), self.suffix))
         entry = ipaldap.Entry(dn)
         entry.setValues("objectclass", ["nsContainer", "ipaConfigObject"])
         entry.setValues("cn", ad_dc_name)

ipaserver/ipaldap.py

@@ -709,13 +709,6 @@ class IPAdmin(SimpleLDAPObject):
         obj = self.schema.get_obj(ldap.schema.AttributeType, attr)
         return obj and obj.single_value
 
-    def normalizeDN(dn):
-        # not great, but will do until we use a newer version of python-ldap
-        # that has DN utilities
-        ary = ldap.explode_dn(dn.lower())
-        return ",".join(ary)
-    normalizeDN = staticmethod(normalizeDN)
-
     def get_dns_sorted_by_length(self, entries, reverse=False):
         """
         Sorts a list of entries [(dn, entry_attrs)] based on their DN.