Remove support for DN normalization from LDAPClient.

install/restart_scripts/renew_ca_cert

@@ -70,11 +70,11 @@ try:
     try:
         (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
         entry_attrs['usercertificate'] = cert
-        conn.update_entry(dn, entry_attrs, normalize=False)
+        conn.update_entry(dn, entry_attrs)
     except errors.NotFound:
         entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
                                         usercertificate=cert)
-        conn.add_entry(dn, entry_attrs, normalize=False)
+        conn.add_entry(dn, entry_attrs)
     except errors.EmptyModlist:
         pass
     conn.disconnect()

install/restart_scripts/renew_ra_cert

@@ -60,11 +60,11 @@ while attempts < 10:
         try:
             (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
             entry_attrs['usercertificate'] = dercert
-            conn.update_entry(dn, entry_attrs, normalize=False)
+            conn.update_entry(dn, entry_attrs)
         except errors.NotFound:
             entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
                                             usercertificate=dercert)
-            conn.add_entry(dn, entry_attrs, normalize=False)
+            conn.add_entry(dn, entry_attrs)
         except errors.EmptyModlist:
             pass
         updated = True

install/tools/ipa-compat-manage

@@ -73,7 +73,7 @@ def get_entry(dn, conn):
     """
     entry = None
     try:
-        (dn, entry) = conn.get_entry(dn, normalize=False)
+        (dn, entry) = conn.get_entry(dn)
     except errors.NotFound:
         pass
     return entry
@@ -144,7 +144,7 @@ def main():
                             retval = 1
                     else:
                         mod = {'nsslapd-pluginenabled': 'on'}
-                        conn.update_entry(compat_dn, mod, normalize=False)
+                        conn.update_entry(compat_dn, mod)
             except errors.ExecutionError, lde:
                 print "An error occurred while talking to the server."
                 print lde
@@ -175,7 +175,7 @@ def main():
                         print "Disabling plugin"
 
                         mod = {'nsslapd-pluginenabled': 'off'}
-                        conn.update_entry(compat_dn, mod, normalize=False)
+                        conn.update_entry(compat_dn, mod)
                 except errors.DatabaseError, dbe:
                     print "An error occurred while talking to the server."
                     print dbe

install/tools/ipa-nis-manage

@@ -75,7 +75,7 @@ def get_entry(dn, conn):
     """
     entry = None
     try:
-        (dn, entry) = conn.get_entry(dn, normalize=False)
+        (dn, entry) = conn.get_entry(dn)
     except errors.NotFound:
         pass
     return entry
@@ -166,7 +166,7 @@ def main():
                 print "Enabling plugin"
                 # Already configured, just enable the plugin
                 mod = {'nsslapd-pluginenabled': 'on'}
-                conn.update_entry(nis_config_dn, mod, normalize=False)
+                conn.update_entry(nis_config_dn, mod)
             else:
                 print "Plugin already Enabled"
                 retval = 2
@@ -174,7 +174,7 @@ def main():
         elif args[0] == "disable":
             try:
                 mod = {'nsslapd-pluginenabled': 'off'}
-                conn.update_entry(nis_config_dn, mod, normalize=False)
+                conn.update_entry(nis_config_dn, mod)
             except errors.NotFound:
                 print "Plugin is already disabled"
                 retval = 2

ipalib/plugins/migration.py

@@ -346,7 +346,6 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg
                 api.log.error('entry %s does not belong into any known container' % m)
                 continue
 
-            m = ldap.normalize_dn(m)
             new_members.append(m)
 
         del entry_attrs[member_attr]
@@ -363,7 +362,7 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg
         for m in entry_attrs[member_attr]:
             memberdn = DN((api.Object.user.primary_key.name, m),
                           api.env.container_user, api.env.basedn)
-            new_members.append(ldap.normalize_dn(memberdn))
+            new_members.append(memberdn)
         entry_attrs['member'] = new_members
 
     assert isinstance(dn, DN)
@@ -863,7 +862,7 @@ can use their Kerberos accounts.''')
         #check whether the compat plugin is enabled
         if not options.get('compat'):
             try:
-                (dn,check_compat) = ldap.get_entry(_compat_dn, normalize=False)
+                (dn,check_compat) = ldap.get_entry(_compat_dn)
                 assert isinstance(dn, DN)
                 if check_compat is not None and \
                         check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':

ipaserver/install/cainstance.py

@@ -1915,12 +1915,11 @@ def update_people_entry(uid, dercert):
             conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
             conn.connect(bind_dn=DN(('cn', 'directory manager')),
                 bind_pw=dm_password)
-            (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'],
-                normalize=False)
+            (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
             entry_attrs['usercertificate'].append(dercert)
             entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
                 subject)
-            conn.update_entry(dn, entry_attrs, normalize=False)
+            conn.update_entry(dn, entry_attrs)
             updated = True
             break
         except errors.NetworkError:

ipaserver/install/plugins/rename_managed.py

@@ -67,7 +67,7 @@ class GenerateUpdateMixin(object):
         try:
             definitions_managed_entries, truncated = ldap.find_entries(
                 searchfilter, ['*'], old_definition_container,
-                ldap.SCOPE_ONELEVEL, normalize=False)
+                ldap.SCOPE_ONELEVEL)
         except errors.NotFound, e:
             return (False, update_list)
 
@@ -77,7 +77,7 @@ class GenerateUpdateMixin(object):
                 old_dn = entry.data['managedtemplate'][0]
                 assert isinstance(old_dn, DN)
                 try:
-                    (old_dn, entry) = ldap.get_entry(old_dn, ['*'], normalize=False)
+                    (old_dn, entry) = ldap.get_entry(old_dn, ['*'])
                 except errors.NotFound, e:
                     pass
                 else:

ipaserver/ipaldap.py

@@ -984,11 +984,6 @@ class LDAPClient(object):
         obj = self.schema.get_obj(ldap.schema.AttributeType, attr)
         return obj and obj.single_value
 
-    def normalize_dn(self, dn):
-        """Override to normalize all DNs passed to LDAPClient methods"""
-        assert isinstance(dn, DN)
-        return dn
-
     def make_dn_from_attr(self, attr, value, parent_dn=None):
         """
         Make distinguished name from attribute.
@@ -998,7 +993,6 @@ class LDAPClient(object):
         """
         if parent_dn is None:
             parent_dn = DN()
-        parent_dn = self.normalize_dn(parent_dn)
 
         if isinstance(value, (list, tuple)):
             value = value[0]
@@ -1015,11 +1009,8 @@ class LDAPClient(object):
         """
 
         assert primary_key in entry_attrs
+        assert isinstance(parent_dn, DN)
 
-        if parent_dn is None:
-            parent_dn = DN()
-
-        parent_dn = self.normalize_dn(parent_dn)
         return DN((primary_key, entry_attrs[primary_key]), parent_dn)
 
     def make_entry(self, _dn=None, _obj=None, **kwargs):
@@ -1172,7 +1163,7 @@ class LDAPClient(object):
 
     def find_entries(self, filter=None, attrs_list=None, base_dn=None,
                      scope=ldap.SCOPE_SUBTREE, time_limit=None,
-                     size_limit=None, normalize=True, search_refs=False):
+                     size_limit=None, search_refs=False):
         """
         Return a list of entries and indication of whether the results were
         truncated ([(dn, entry_attrs)], truncated) matching specified search
@@ -1186,15 +1177,12 @@ class LDAPClient(object):
         time_limit -- time limit in seconds (default use IPA config values)
         size_limit -- size (number of entries returned) limit
             (default use IPA config values)
-        normalize -- normalize the DN (default True)
         search_refs -- allow search references to be returned
             (default skips these entries)
         """
         if base_dn is None:
             base_dn = DN()
         assert isinstance(base_dn, DN)
-        if normalize:
-            base_dn = self.normalize_dn(base_dn)
         if not filter:
             filter = '(objectClass=*)'
         res = []
@@ -1247,8 +1235,7 @@ class LDAPClient(object):
                     members = r[1]['member']
                     indirect = self.get_members(
                         r[0], members, membertype=MEMBERS_INDIRECT,
-                        time_limit=time_limit, size_limit=size_limit,
-                        normalize=normalize)
+                        time_limit=time_limit, size_limit=size_limit)
                     if len(indirect) > 0:
                         r[1]['memberindirect'] = indirect
         if attrs_list and (
@@ -1264,7 +1251,7 @@ class LDAPClient(object):
                     continue
                 direct, indirect = self.get_memberof(
                     r[0], memberof, time_limit=time_limit,
-                    size_limit=size_limit, normalize=normalize)
+                    size_limit=size_limit)
                 if len(direct) > 0:
                     r[1]['memberof'] = direct
                 if len(indirect) > 0:
@@ -1299,7 +1286,7 @@ class LDAPClient(object):
                 return entries[0]
 
     def get_entry(self, dn, attrs_list=None, time_limit=None,
-                  size_limit=None, normalize=True):
+                  size_limit=None):
         """
         Get entry (dn, entry_attrs) by dn.
 
@@ -1311,7 +1298,7 @@ class LDAPClient(object):
 
         (entry, truncated) = self.find_entries(
             None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit,
-            size_limit=size_limit, normalize=normalize
+            size_limit=size_limit
         )
 
         if truncated:
@@ -1326,7 +1313,7 @@ class LDAPClient(object):
         return {}
 
     def get_memberof(self, entry_dn, memberof, time_limit=None,
-                     size_limit=None, normalize=True):
+                     size_limit=None):
         """
         Examine the objects that an entry is a member of and determine if they
         are a direct or indirect member of that group.
@@ -1361,7 +1348,7 @@ class LDAPClient(object):
                 result, truncated = self.find_entries(
                     searchfilter, attr_list,
                     group, time_limit=time_limit, size_limit=size_limit,
-                    scope=ldap.SCOPE_BASE, normalize=normalize)
+                    scope=ldap.SCOPE_BASE)
                 results.extend(list(result))
             except errors.NotFound:
                 pass
@@ -1386,8 +1373,7 @@ class LDAPClient(object):
         return (direct, indirect)
 
     def get_members(self, group_dn, members, attr_list=[],
-                    membertype=MEMBERS_ALL, time_limit=None, size_limit=None,
-                    normalize=True):
+                    membertype=MEMBERS_ALL, time_limit=None, size_limit=None):
         """Do a memberOf search of groupdn and return the attributes in
            attr_list (an empty list returns all attributes).
 
@@ -1441,7 +1427,7 @@ class LDAPClient(object):
                     result, truncated = self.find_entries(
                         searchfilter, attr_list, member_dn,
                         time_limit=time_limit, size_limit=size_limit,
-                        scope=ldap.SCOPE_BASE, normalize=normalize)
+                        scope=ldap.SCOPE_BASE)
                     if truncated:
                         raise errors.LimitsExceeded()
                     results.append(list(result[0]))
@@ -1477,31 +1463,28 @@ class LDAPClient(object):
         self.log.debug("get_members: result=%s", entries)
         return entries
 
-    def _get_dn_and_attrs(self, entry_or_dn, entry_attrs, normalize):
+    def _get_dn_and_attrs(self, entry_or_dn, entry_attrs):
         """Helper for legacy calling style for {add,update}_entry
         """
         if entry_attrs is None:
-            assert normalize is None
             return entry_or_dn.dn, entry_or_dn
         else:
             assert isinstance(entry_or_dn, DN)
-            if normalize is None or normalize:
-                entry_or_dn = self.normalize_dn(entry_or_dn)
             entry_attrs = self.make_entry(entry_or_dn, entry_attrs)
             for key, value in entry_attrs.items():
                 if value is None:
                     entry_attrs[key] = []
             return entry_or_dn, entry_attrs
 
-    def add_entry(self, entry, entry_attrs=None, normalize=None):
+    def add_entry(self, entry, entry_attrs=None):
         """Create a new entry.
 
         This should be called as add_entry(entry).
 
-        The legacy two/three-argument variant is:
-            add_entry(dn, entry_attrs, normalize=True)
+        The legacy two-argument variant is:
+            add_entry(dn, entry_attrs)
         """
-        dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize)
+        dn, attrs = self._get_dn_and_attrs(entry, entry_attrs)
 
         # remove all [] values (python-ldap hates 'em)
         attrs = dict((k, v) for k, v in attrs.iteritems()
@@ -1523,19 +1506,17 @@ class LDAPClient(object):
         assert isinstance(dn, DN)
         assert isinstance(new_rdn, RDN)
 
-        dn = self.normalize_dn(dn)
         if dn[0] == new_rdn:
             raise errors.EmptyModlist()
         with self.error_handler():
             self.conn.rename_s(dn, new_rdn, delold=int(del_old))
             time.sleep(.3)  # Give memberOf plugin a chance to work
 
-    def _generate_modlist(self, dn, entry_attrs, normalize):
+    def _generate_modlist(self, dn, entry_attrs):
         assert isinstance(dn, DN)
 
         # get original entry
-        dn, entry_attrs_old = self.get_entry(
-            dn, entry_attrs.keys(), normalize=normalize)
+        dn, entry_attrs_old = self.get_entry(dn, entry_attrs.keys())
 
         # generate modlist
         # for multi value attributes: no MOD_REPLACE to handle simultaneous
@@ -1593,18 +1574,18 @@ class LDAPClient(object):
 
         return modlist
 
-    def update_entry(self, entry, entry_attrs=None, normalize=None):
+    def update_entry(self, entry, entry_attrs=None):
         """Update entry's attributes.
 
         This should be called as update_entry(entry).
 
-        The legacy two/three-argument variant is:
-            update_entry(dn, entry_attrs, normalize=True)
+        The legacy two-argument variant is:
+            update_entry(dn, entry_attrs)
         """
-        dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize)
+        dn, attrs = self._get_dn_and_attrs(entry, entry_attrs)
 
         # generate modlist
-        modlist = self._generate_modlist(dn, attrs, normalize)
+        modlist = self._generate_modlist(dn, attrs)
         if not modlist:
             raise errors.EmptyModlist()
 
@@ -1612,14 +1593,11 @@ class LDAPClient(object):
         with self.error_handler():
             self.conn.modify_s(dn, modlist)
 
-    def delete_entry(self, entry_or_dn, normalize=None):
+    def delete_entry(self, entry_or_dn):
         """Delete an entry given either the DN or the entry itself"""
         if isinstance(entry_or_dn, DN):
             dn = entry_or_dn
-            if normalize is None or normalize:
-                dn = self.normalize_dn(dn)
         else:
-            assert normalize is None
             dn = entry_or_dn.dn
 
         with self.error_handler():

ipaserver/plugins/ldap2.py

@@ -176,25 +176,6 @@ class ldap2(LDAPClient, CrudBackend):
             # ignore when trying to unbind multiple times
             pass
 
-    def normalize_dn(self, dn):
-        """
-        Normalize distinguished name by assuring it ends with
-        the base_dn.
-
-        Note: ldap2 methods normalize DNs internally, but relying on this is
-            not recommended.
-        """
-
-        assert isinstance(dn, DN)
-
-        if not dn.endswith(self.base_dn):
-            # DN's are mutable, don't use in-place addtion (+=) which would
-            # modify the dn passed in with unintended side-effects. Addition
-            # returns a new DN object which is the concatenation of the two.
-            dn = dn + self.base_dn
-
-        return dn
-
     config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]}
     def get_ipa_config(self, attrs_list=None):
         """Returns the IPA configuration entry (dn, entry_attrs)."""
@@ -255,7 +236,8 @@ class ldap2(LDAPClient, CrudBackend):
         assert isinstance(dn, DN)
 
         principal = getattr(context, 'principal')
-        (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
+        (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal,
+            "krbPrincipalAux", base_dn=api.env.basedn)
         assert isinstance(binddn, DN)
         sctrl = [GetEffectiveRightsControl(True, "dn: " + str(binddn))]
         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
@@ -336,7 +318,6 @@ class ldap2(LDAPClient, CrudBackend):
         """Set user password."""
 
         assert isinstance(dn, DN)
-        dn = self.normalize_dn(dn)
 
         # The python-ldap passwd command doesn't verify the old password
         # so we'll do a simple bind to validate it.
@@ -456,7 +437,6 @@ class ldap2(LDAPClient, CrudBackend):
         """Remove a kerberos principal key."""
 
         assert isinstance(dn, DN)
-        dn = self.normalize_dn(dn)
 
         # We need to do this directly using the LDAP library because we
         # don't have read access to krbprincipalkey so we need to delete