Use ldapi: instead of unsecured ldap: in ipa core tools.

The patch also corrects exception handling in some of the tools. Fix #874
2025-02-25 18:55:28 -06:00 · 2011-02-15 14:11:27 -05:00 · 2011-02-15 14:11:27 -05:00 · 64575a411b
commit 64575a411b
parent eb6b3c7afc
9 changed files with 66 additions and 51 deletions
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@ -20,13 +20,14 @@
 Password migration script
 """

-import errno
-import ldap
 import cgi
+import errno
+import glob
+import ldap
 import wsgiref

 BASE_DN = ''
-LDAP_URI = 'ldap://localhost:389'
+LDAP_URI = 'ldaps://localhost:636'

 def wsgi_redirect(start_response, loc):
    start_response('302 Found', [('Location', loc)])
@ -83,6 +84,10 @@ def application(environ, start_response):
    if not form_data.has_key('username') or not form_data.has_key('password'):
        return wsgi_redirect(start_response, 'invalid.html')

+    slapd_sockets = glob.glob('/var/run/slapd-*.socket')
+    if slapd_sockets:
+        LDAP_URI = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
+
    try:
        bind(form_data['username'].value, form_data['password'].value)
    except IOError as err:
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@ -93,13 +93,12 @@ def main():

    conn = None
    try:
-        ldapuri = 'ldap://%s' % installutils.get_fqdn()
        try:
-            conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+            conn = ldap2(shared_instance=False, base_dn='')
            conn.connect(
                bind_dn='cn=directory manager', bind_pw=dirman_password
            )
-        except errors.LDAPError, lde:
+        except errors.ExecutionError, lde:
            sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
        except errors.ACIError, e:
            sys.exit("Authentication failed: %s" % e.info)
@ -122,7 +121,7 @@ def main():
                retval = 2
            except errors.NotFound:
                print "Enabling plugin"
-            except errors.LDAPError, lde:
+            except errors.ExecutionError, lde:
                print "An error occurred while talking to the server."
                print lde
                retval = 1
@ -158,7 +157,7 @@ def main():
                print "An error occurred while talking to the server."
                print dbe
                retval = 1
-            except errors.LDAPError, lde:
+            except errors.ExecutionError, lde:
                print "An error occurred while talking to the server."
                print lde
                retval = 1
@ -167,7 +166,7 @@ def main():
            retval = 1

    finally:
-        if conn.isconnected():
+        if conn and conn.isconnected():
            conn.disconnect()

    return retval
--- a/install/tools/ipa-compliance
+++ b/install/tools/ipa-compliance
@ -106,8 +106,7 @@ def check_compliance(tmpdir, debug=False):
        # Even if not registered they have some default entitlements
        pass

-    ldapuri = 'ldap://%s' % api.env.host
-    conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+    conn = ldap2(shared_instance=False)

    # Bind using GSSAPI
    conn.connect(ccache=ccache_file)
--- a/install/tools/ipa-host-net-manage
+++ b/install/tools/ipa-host-net-manage
@ -96,13 +96,12 @@ def main():

    conn = None
    try:
-        ldapuri = 'ldap://%s' % installutils.get_fqdn()
        try:
-            conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+            conn = ldap2(shared_instance=False, base_dn='')
            conn.connect(
                bind_dn='cn=directory manager', bind_pw=dirman_password
            )
-        except errors.LDAPError, lde:
+        except errors.ExecutionError, lde:
            sys.exit("An error occurred while connecting to the server.\n%s\n" %
                str(lde))
        except errors.ACIError, e:
@ -118,7 +117,7 @@ def main():
                    print "Plugin Disabled"
            except errors.NotFound:
                print "Plugin Disabled"
-            except errors.LDAPError, lde:
+            except errors.ExecutionError, lde:
                print "An error occurred while talking to the server."
                print lde
            return 0
@ -136,7 +135,7 @@ def main():
                retval = 2
            except errors.NotFound:
                print "Enabling Plugin"
-            except errors.LDAPError, lde:
+            except errors.ExecutionError, lde:
                print "An error occurred while talking to the server."
                print lde
                retval = 1
@ -184,7 +183,7 @@ def main():
                print "An error occurred while talking to the server."
                print dbe
                retval = 1
-            except errors.LDAPError, lde:
+            except errors.ExecutionError, lde:
                print "An error occurred while talking to the server."
                print lde
                retval = 1
@ -193,7 +192,7 @@ def main():
            retval = 1

    finally:
-        if conn.isconnected():
+        if conn and conn.isconnected():
            conn.disconnect()

    return retval
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@ -107,16 +107,15 @@ def main():

    conn = None
    try:
-        ldapuri = 'ldap://%s' % installutils.get_fqdn()
        try:
-            conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+            conn = ldap2(shared_instance=False, base_dn='')
            conn.connect(
                bind_dn='cn=directory manager', bind_pw=dirman_password
            )
-        except errors.ACIError:
-            sys.exit("Incorrect password")
-        except errors.LDAPError, lde:
+        except errors.ExecutionError, lde:
            sys.exit("An error occurred while connecting to the server: %s" % str(lde))
+        except errors.AuthorizationError:
+            sys.exit("Incorrect password")

        if args[0] == "enable":
            compat = get_entry(compat_dn, conn)
@ -125,7 +124,7 @@ def main():
            entry = None
            try:
                entry = get_entry(nis_config_dn, conn)
-            except errors.LDAPError, lde:
+            except errors.ExecutionError, lde:
                print "An error occurred while talking to the server."
                print lde
                retval = 1
@ -149,7 +148,7 @@ def main():
              entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off'):
                # Already configured, just enable the plugin
                print "Enabling plugin"
-                ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
+                ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
                if ld.update(files) != True:
                    retval = 1
                mod = {'nsslapd-pluginenabled': 'on'}
@ -186,7 +185,7 @@ def main():
                print "An error occurred while talking to the server."
                print dbe
                retval = 1
-            except errors.LDAPError, lde:
+            except errors.ExecutionError, lde:
                print "An error occurred while talking to the server."
                print lde
                retval = 1
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@ -88,9 +88,8 @@ def parse_options():
    return options, args

 def get_subject_base(host_name, dm_password, suffix):
-    ldapuri = 'ldap://%s:389' % host_name
    try:
-        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+        conn = ldap2(shared_instance=False, base_dn=suffix)
        conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
    except errors.ExecutionError, e:
        logging.critical("Could not connect to the Directory Server on %s" % host_name)
@ -285,9 +284,8 @@ def main():
            sys.exit(0)

    # Try out the password
-    ldapuri = 'ldap://%s:389' % api.env.host
    try:
-        conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+        conn = ldap2(shared_instance=False)
        conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
        conn.disconnect()
    except errors.ACIError:
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@ -64,8 +64,7 @@ def parse_options():
    return options, args[0]

 def set_ds_cert_name(cert_name, dm_password):
-    ldapuri = 'ldap://127.0.0.1'
-    conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+    conn = ldap2(shared_instance=False, base_dn='')
    conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
    mod = {'nssslpersonalityssl': cert_name}
    conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -444,13 +444,15 @@ def uninstall():
    return 0


-def set_subject_in_config(host_name, dm_password, suffix, subject_base):
-        ldapuri = 'ldap://%s' % host_name
+def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
+        ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
+            dsinstance.realm_to_serverid(realm_name)
+        )
        try:
            conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
            conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
        except errors.ExecutionError, e:
-            logging.critical("Could not connect to the Directory Server on %s" % host_name)
+            logging.critical("Could not connect to the Directory Server on %s" % realm_name)
            raise e
        (dn, entry_attrs) = conn.get_ipa_config()
        if 'ipacertificatesubjectbase' not in entry_attrs:
@ -851,7 +853,7 @@ def main():
        http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject)
    ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])

-    set_subject_in_config(host_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
+    set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
    if not options.selfsign:
        service.print_msg("Setting the certificate subject base")
        ca.set_subject_in_config(util.realm_to_suffix(realm_name))
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@ -75,13 +75,18 @@ class LDAPUpdate:
            self.realm = None
            suffix = None

-        fqdn = installutils.get_fqdn()
-        if fqdn is None:
-            raise RuntimeError("Unable to determine hostname")
-
        domain = ipautil.get_domain_name()
        libarch = self.__identify_arch()

+        if not self.ldapi:
+            fqdn = installutils.get_fqdn()
+            if fqdn is None:
+                raise RuntimeError("Unable to determine hostname")
+        else:
+            fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % "-".join(
+                domain.upper().split(".")
+            )
+
        if not self.sub_dict.get("REALM") and self.realm is not None:
            self.sub_dict["REALM"] = self.realm
        if not self.sub_dict.get("FQDN"):
@ -96,13 +101,15 @@ class LDAPUpdate:
            self.sub_dict["LIBARCH"] = libarch
        if not self.sub_dict.get("TIME"):
            self.sub_dict["TIME"] = int(time.time())
+        if not self.sub_dict.get("DOMAIN") and domain is not None:
+            self.sub_dict["DOMAIN"] = domain

        if online:
            # Try out the password
-            if not self.ldapi:
+            #if not self.ldapi:
                try:
-                    conn = ipaldap.IPAdmin(fqdn)
-                    conn.do_simple_bind(bindpw=self.dm_password)
+                    conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=domain.upper())
+                    conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
                    conn.unbind()
                except ldap.CONNECT_ERROR:
                    raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
@ -110,9 +117,13 @@ class LDAPUpdate:
                    raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
                except ldap.INVALID_CREDENTIALS:
                    raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
-            else:
-                conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
-                conn.do_external_bind(self.pw_name)
+            # THIS IS COMMENTED OUT, BECAUSE:
+            # external_bind does work, but even as root, you don't always have
+            # enought power to do everything we need due to strict ACI rules
+            #
+            #else:
+            #    conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+            #    conn.do_external_bind(self.pw_name)
        else:
            raise RuntimeError("Offline updates are not supported.")

@ -640,11 +651,15 @@ class LDAPUpdate:

        try:
            if self.online:
-                if self.ldapi:
-                    self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
-                    self.conn.do_external_bind(self.pw_name)
-                else:
-                    self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'])
+                # THIS IS COMMENTED OUT, BECAUSE:
+                # external_bind does work, but even as root, you don't always have
+                # enought power to do everything we need due to strict ACI rules
+                #
+                #if self.ldapi:
+                #    self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+                #    self.conn.do_external_bind(self.pw_name)
+                #else:
+                    self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'], ldapi=self.ldapi, realm=self.sub_dict['DOMAIN'].upper())
                    self.conn.do_simple_bind(bindpw=self.dm_password)
            else:
                raise RuntimeError("Offline updates are not supported.")