Use ldapi: instead of unsecured ldap: in ipa core tools.

The patch also corrects exception handling in some of the tools.

Fix #874
This commit is contained in:
Pavel Zuna 2011-02-15 14:11:27 -05:00 committed by Rob Crittenden
parent eb6b3c7afc
commit 64575a411b
9 changed files with 66 additions and 51 deletions


@ -20,13 +20,14 @@
Password migration script Password migration script
""" """
import errno
import ldap
import cgi import cgi
import errno
import glob
import ldap
import wsgiref import wsgiref
BASE_DN = '' BASE_DN = ''
LDAP_URI = 'ldap://localhost:389' LDAP_URI = 'ldaps://localhost:636'
def wsgi_redirect(start_response, loc): def wsgi_redirect(start_response, loc):
start_response('302 Found', [('Location', loc)]) start_response('302 Found', [('Location', loc)])
@ -83,6 +84,10 @@ def application(environ, start_response):
if not form_data.has_key('username') or not form_data.has_key('password'): if not form_data.has_key('username') or not form_data.has_key('password'):
return wsgi_redirect(start_response, 'invalid.html') return wsgi_redirect(start_response, 'invalid.html')
slapd_sockets = glob.glob('/var/run/slapd-*.socket')
if slapd_sockets:
LDAP_URI = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
try: try:
bind(form_data['username'].value, form_data['password'].value) bind(form_data['username'].value, form_data['password'].value)
except IOError as err: except IOError as err:
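Review bot: The `LDAP_URI = 'ldapi://%s' % ...` assignment at the end of the hunk sits inside `application()`, and with no `global LDAP_URI` statement visible it only rebinds a function-local name; if `bind()` reads the module-level `LDAP_URI` (its body is outside this hunk), every request silently keeps using `ldaps://localhost:636` and the ldapi path is never exercised. Adding `global LDAP_URI` at the top of `application()`, or better passing the URI into `bind()` explicitly, makes the intent real. `slapd_sockets[0]` also picks whichever socket `glob` happens to list first, which is not a defined order on a host with more than one 389-ds instance; sorting the list or deriving the socket name from the realm, as the server-install hunk in this commit does, makes the choice deterministic. `application()` starts and ends outside this hunk.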


@ -93,13 +93,12 @@ def main():
conn = None conn = None
try: try:
ldapuri = 'ldap://%s' % installutils.get_fqdn()
try: try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') conn = ldap2(shared_instance=False, base_dn='')
conn.connect( conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password bind_dn='cn=directory manager', bind_pw=dirman_password
) )
except errors.LDAPError, lde: except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde)) sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
except errors.ACIError, e: except errors.ACIError, e:
sys.exit("Authentication failed: %s" % e.info) sys.exit("Authentication failed: %s" % e.info)
@ -122,7 +121,7 @@ def main():
retval = 2 retval = 2
except errors.NotFound: except errors.NotFound:
print "Enabling plugin" print "Enabling plugin"
except errors.LDAPError, lde: except errors.ExecutionError, lde:
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print lde print lde
retval = 1 retval = 1
@ -158,7 +157,7 @@ def main():
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print dbe print dbe
retval = 1 retval = 1
except errors.LDAPError, lde: except errors.ExecutionError, lde:
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print lde print lde
retval = 1 retval = 1
@ -167,7 +166,7 @@ def main():
retval = 1 retval = 1
finally: finally:
if conn.isconnected(): if conn and conn.isconnected():
conn.disconnect() conn.disconnect()
return retval return retval
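Review bot: The inner handler now reading `except errors.ExecutionError, lde:` changes which branch sees a wrong Directory Manager password: if `ACIError` derives from `ExecutionError`, as it does in ipalib's error hierarchy, the inner handler swallows it and exits with "An error occurred while connecting to the server", and the outer `except errors.ACIError, e:` branch that prints "Authentication failed" becomes unreachable for the connect() call. The old `LDAPError` catch did not overlap with `ACIError`, so this is a regression in the user-facing message rather than a crash. Catching `errors.ACIError` before `errors.ExecutionError` in the inner try keeps the distinct auth-failure path. `main()` starts and ends outside these hunks.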


@ -106,8 +106,7 @@ def check_compliance(tmpdir, debug=False):
# Even if not registered they have some default entitlements # Even if not registered they have some default entitlements
pass pass
ldapuri = 'ldap://%s' % api.env.host conn = ldap2(shared_instance=False)
conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
# Bind using GSSAPI # Bind using GSSAPI
conn.connect(ccache=ccache_file) conn.connect(ccache=ccache_file)
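Review bot: Dropping `ldap_uri` makes `ldap2(shared_instance=False)` fall back to whatever `api.env.ldap_uri` holds, which is not visible here; nothing in the hunk shows that it resolves to the local ldapi socket, so the transport this GSSAPI bind actually uses now depends on the loaded environment. A one-line comment next to the call, e.g. `# no ldap_uri: uses api.env.ldap_uri, expected to be the local ldapi socket`, would record that assumption for the next reader. `check_compliance()` starts and ends outside this hunk.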


@ -96,13 +96,12 @@ def main():
conn = None conn = None
try: try:
ldapuri = 'ldap://%s' % installutils.get_fqdn()
try: try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') conn = ldap2(shared_instance=False, base_dn='')
conn.connect( conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password bind_dn='cn=directory manager', bind_pw=dirman_password
) )
except errors.LDAPError, lde: except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" % sys.exit("An error occurred while connecting to the server.\n%s\n" %
str(lde)) str(lde))
except errors.ACIError, e: except errors.ACIError, e:
@ -118,7 +117,7 @@ def main():
print "Plugin Disabled" print "Plugin Disabled"
except errors.NotFound: except errors.NotFound:
print "Plugin Disabled" print "Plugin Disabled"
except errors.LDAPError, lde: except errors.ExecutionError, lde:
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print lde print lde
return 0 return 0
@ -136,7 +135,7 @@ def main():
retval = 2 retval = 2
except errors.NotFound: except errors.NotFound:
print "Enabling Plugin" print "Enabling Plugin"
except errors.LDAPError, lde: except errors.ExecutionError, lde:
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print lde print lde
retval = 1 retval = 1
@ -184,7 +183,7 @@ def main():
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print dbe print dbe
retval = 1 retval = 1
except errors.LDAPError, lde: except errors.ExecutionError, lde:
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print lde print lde
retval = 1 retval = 1
@ -193,7 +192,7 @@ def main():
retval = 1 retval = 1
finally: finally:
if conn.isconnected(): if conn and conn.isconnected():
conn.disconnect() conn.disconnect()
return retval return retval
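Review bot: The inner `except errors.ExecutionError, lde:` around `conn.connect(bind_dn='cn=directory manager', ...)` now shadows the outer `except errors.ACIError, e:` handler if `ACIError` is a subclass of `ExecutionError` (it is in ipalib's hierarchy), so a bad password exits with the generic "An error occurred while connecting to the server" text and the "Authentication failed" branch is dead for that call. Catching `errors.ACIError` first inside the inner try, or keeping the narrower catch there, preserves the distinct message. The `conn and conn.isconnected()` guard in `finally` is a good fix for the unbound-`conn` case. `main()` starts and ends outside these hunks.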


@ -107,16 +107,15 @@ def main():
conn = None conn = None
try: try:
ldapuri = 'ldap://%s' % installutils.get_fqdn()
try: try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') conn = ldap2(shared_instance=False, base_dn='')
conn.connect( conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password bind_dn='cn=directory manager', bind_pw=dirman_password
) )
except errors.ACIError: except errors.ExecutionError, lde:
sys.exit("Incorrect password")
except errors.LDAPError, lde:
sys.exit("An error occurred while connecting to the server: %s" % str(lde)) sys.exit("An error occurred while connecting to the server: %s" % str(lde))
except errors.AuthorizationError:
sys.exit("Incorrect password")
if args[0] == "enable": if args[0] == "enable":
compat = get_entry(compat_dn, conn) compat = get_entry(compat_dn, conn)
@ -125,7 +124,7 @@ def main():
entry = None entry = None
try: try:
entry = get_entry(nis_config_dn, conn) entry = get_entry(nis_config_dn, conn)
except errors.LDAPError, lde: except errors.ExecutionError, lde:
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print lde print lde
retval = 1 retval = 1
@ -149,7 +148,7 @@ def main():
entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off'): entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off'):
# Already configured, just enable the plugin # Already configured, just enable the plugin
print "Enabling plugin" print "Enabling plugin"
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
if ld.update(files) != True: if ld.update(files) != True:
retval = 1 retval = 1
mod = {'nsslapd-pluginenabled': 'on'} mod = {'nsslapd-pluginenabled': 'on'}
@ -186,7 +185,7 @@ def main():
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print dbe print dbe
retval = 1 retval = 1
except errors.LDAPError, lde: except errors.ExecutionError, lde:
print "An error occurred while talking to the server." print "An error occurred while talking to the server."
print lde print lde
retval = 1 retval = 1
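Review bot: The reordered handlers around `conn.connect(...)` put `except errors.ExecutionError, lde:` before `except errors.AuthorizationError:`; if `AuthorizationError` derives from `ExecutionError`, as in ipalib's error hierarchy, the first handler catches everything and `sys.exit("Incorrect password")` is unreachable, so a wrong Directory Manager password is reported as a generic connection error. The old code caught `ACIError` first and avoided this. Swapping the two clauses, `except errors.AuthorizationError: sys.exit("Incorrect password")` followed by `except errors.ExecutionError, lde: sys.exit("An error occurred while connecting to the server: %s" % str(lde))`, restores the specific message. `main()` starts and ends outside these hunks.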


@ -88,9 +88,8 @@ def parse_options():
return options, args return options, args
def get_subject_base(host_name, dm_password, suffix): def get_subject_base(host_name, dm_password, suffix):
ldapuri = 'ldap://%s:389' % host_name
try: try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix) conn = ldap2(shared_instance=False, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e: except errors.ExecutionError, e:
logging.critical("Could not connect to the Directory Server on %s" % host_name) logging.critical("Could not connect to the Directory Server on %s" % host_name)
@ -285,9 +284,8 @@ def main():
sys.exit(0) sys.exit(0)
# Try out the password # Try out the password
ldapuri = 'ldap://%s:389' % api.env.host
try: try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri) conn = ldap2(shared_instance=False)
conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password) conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
conn.disconnect() conn.disconnect()
except errors.ACIError: except errors.ACIError:
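Review bot: In `get_subject_base(host_name, dm_password, suffix)` the `host_name` parameter no longer influences the connection (the URI now comes from `ldap2`'s default), yet the failure path still logs "Could not connect to the Directory Server on %s" % host_name, which can name a host the tool never contacted. Logging the URI that was actually used, e.g. `api.env.ldap_uri` if that is the default `ldap2` picks up, or dropping the host from the message, keeps the diagnostic truthful; the same pattern applies to the "Try out the password" block in `main()`. Both functions extend outside these hunks.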


@ -64,8 +64,7 @@ def parse_options():
return options, args[0] return options, args[0]
def set_ds_cert_name(cert_name, dm_password): def set_ds_cert_name(cert_name, dm_password):
ldapuri = 'ldap://127.0.0.1' conn = ldap2(shared_instance=False, base_dn='')
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
mod = {'nssslpersonalityssl': cert_name} mod = {'nssslpersonalityssl': cert_name}
conn.update_entry('cn=RSA,cn=encryption,cn=config', mod) conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)


@ -444,13 +444,15 @@ def uninstall():
return 0 return 0
def set_subject_in_config(host_name, dm_password, suffix, subject_base): def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
ldapuri = 'ldap://%s' % host_name ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
dsinstance.realm_to_serverid(realm_name)
)
try: try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix) conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password) conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e: except errors.ExecutionError, e:
logging.critical("Could not connect to the Directory Server on %s" % host_name) logging.critical("Could not connect to the Directory Server on %s" % realm_name)
raise e raise e
(dn, entry_attrs) = conn.get_ipa_config() (dn, entry_attrs) = conn.get_ipa_config()
if 'ipacertificatesubjectbase' not in entry_attrs: if 'ipacertificatesubjectbase' not in entry_attrs:
@ -851,7 +853,7 @@ def main():
http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject) http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject)
ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"]) ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
set_subject_in_config(host_name, dm_password, util.realm_to_suffix(realm_name), options.subject) set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
if not options.selfsign: if not options.selfsign:
service.print_msg("Setting the certificate subject base") service.print_msg("Setting the certificate subject base")
ca.set_subject_in_config(util.realm_to_suffix(realm_name)) ca.set_subject_in_config(util.realm_to_suffix(realm_name))
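Review bot: In `set_subject_in_config(realm_name, ...)` the failure message `"Could not connect to the Directory Server on %s" % realm_name` now reports a Kerberos realm where a server address is expected; logging `ldapuri` instead tells the operator exactly which socket was tried. This hunk derives the instance name with `dsinstance.realm_to_serverid(realm_name)`, while the LDAPUpdate hunk in the same commit builds it from the upper-cased domain name and the migration script globs `/var/run/slapd-*.socket`; these only agree when the realm equals the upper-cased domain, so a single shared helper returning the ldapi URI would avoid the drift. The `main()` hunk that updates the call site is context only.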


@ -75,13 +75,18 @@ class LDAPUpdate:
self.realm = None self.realm = None
suffix = None suffix = None
fqdn = installutils.get_fqdn()
if fqdn is None:
raise RuntimeError("Unable to determine hostname")
domain = ipautil.get_domain_name() domain = ipautil.get_domain_name()
libarch = self.__identify_arch() libarch = self.__identify_arch()
if not self.ldapi:
fqdn = installutils.get_fqdn()
if fqdn is None:
raise RuntimeError("Unable to determine hostname")
else:
fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % "-".join(
domain.upper().split(".")
)
if not self.sub_dict.get("REALM") and self.realm is not None: if not self.sub_dict.get("REALM") and self.realm is not None:
self.sub_dict["REALM"] = self.realm self.sub_dict["REALM"] = self.realm
if not self.sub_dict.get("FQDN"): if not self.sub_dict.get("FQDN"):
@ -96,13 +101,15 @@ class LDAPUpdate:
self.sub_dict["LIBARCH"] = libarch self.sub_dict["LIBARCH"] = libarch
if not self.sub_dict.get("TIME"): if not self.sub_dict.get("TIME"):
self.sub_dict["TIME"] = int(time.time()) self.sub_dict["TIME"] = int(time.time())
if not self.sub_dict.get("DOMAIN") and domain is not None:
self.sub_dict["DOMAIN"] = domain
if online: if online:
# Try out the password # Try out the password
if not self.ldapi: #if not self.ldapi:
try: try:
conn = ipaldap.IPAdmin(fqdn) conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=domain.upper())
conn.do_simple_bind(bindpw=self.dm_password) conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
conn.unbind() conn.unbind()
except ldap.CONNECT_ERROR: except ldap.CONNECT_ERROR:
raise RuntimeError("Unable to connect to LDAP server %s" % fqdn) raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
@ -110,9 +117,13 @@ class LDAPUpdate:
raise RuntimeError("Unable to connect to LDAP server %s" % fqdn) raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
except ldap.INVALID_CREDENTIALS: except ldap.INVALID_CREDENTIALS:
raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn) raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
else: # THIS IS COMMENTED OUT, BECAUSE:
conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm) # external_bind does work, but even as root, you don't always have
conn.do_external_bind(self.pw_name) # enought power to do everything we need due to strict ACI rules
#
#else:
# conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
# conn.do_external_bind(self.pw_name)
else: else:
raise RuntimeError("Offline updates are not supported.") raise RuntimeError("Offline updates are not supported.")
@ -640,11 +651,15 @@ class LDAPUpdate:
try: try:
if self.online: if self.online:
if self.ldapi: # THIS IS COMMENTED OUT, BECAUSE:
self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm) # external_bind does work, but even as root, you don't always have
self.conn.do_external_bind(self.pw_name) # enought power to do everything we need due to strict ACI rules
else: #
self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN']) #if self.ldapi:
# self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
# self.conn.do_external_bind(self.pw_name)
#else:
self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'], ldapi=self.ldapi, realm=self.sub_dict['DOMAIN'].upper())
self.conn.do_simple_bind(bindpw=self.dm_password) self.conn.do_simple_bind(bindpw=self.dm_password)
else: else:
raise RuntimeError("Offline updates are not supported.") raise RuntimeError("Offline updates are not supported.")
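Review bot: In the new `else:` branch of `__init__`, `domain.upper()` is called on the result of `ipautil.get_domain_name()` with no None check, and the same `domain.upper()` appears in the `IPAdmin(fqdn, ldapi=True, realm=...)` probe; the new `and domain is not None` guard on the `DOMAIN` substitution shows the author expects None to be possible, in which case both lines raise AttributeError and `self.sub_dict['DOMAIN']` in `update()` raises KeyError. Failing early with a clear RuntimeError, as the fqdn branch already does, is the minimal fix and is sketched below. Separately, the socket name is derived from the domain here while the server-install hunk derives it from the realm via `realm_to_serverid`; these differ whenever the realm is not the upper-cased domain, so using `self.realm` when set would be safer. The probe also hard-codes `ldapi=True` while `update()` passes `ldapi=self.ldapi`, so the password check and the real update may use different transports, and the large commented-out `external_bind` blocks are better replaced by a one-line note or removed. `__init__` and `update()` both extend outside these hunks.
```python
if not self.ldapi:
    # … unchanged: fqdn lookup and hostname check …
else:
    if domain is None:
        raise RuntimeError("Unable to determine domain name for the ldapi socket")
    serverid = "-".join(domain.upper().split("."))
    fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % serverid
```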