Check through all LDAP servers in the domain during IPA discovery

When discovering IPA LDAP servers through DNS records, look through all
servers found until first success. A master might be not available or
denied access but replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827
This commit is contained in:
Alexander Bokovoy 2011-12-07 14:40:46 +02:00 committed by Rob Crittenden
parent 808e75c13d
commit 790ffc42a8

View File

@ -25,7 +25,7 @@ import tempfile
import ldap
from ldap import LDAPError
from ipapython.ipautil import run, CalledProcessError, valid_ip, get_ipa_basedn, \
realm_to_suffix, format_netloc
realm_to_suffix, format_netloc, parse_items
NOT_FQDN = -1
@ -170,19 +170,35 @@ class IPADiscovery:
self.kdc = krbret[1]
root_logger.debug("[ipacheckldap]")
# check ldap now
ldapret = self.ipacheckldap(self.server, self.realm)
# We may have received multiple servers corresponding to the domain
# Iterate through all of those to check if it is IPA LDAP server
servers = parse_items(self.server)
ldapret = [NOT_IPA_SERVER]
ldapaccess = True
for server in servers:
# check ldap now
ldapret = self.ipacheckldap(server, self.realm)
if ldapret[0] == 0:
self.server = ldapret[1]
self.realm = ldapret[2]
if ldapret[0] == 0:
self.server = ldapret[1]
self.realm = ldapret[2]
break
if ldapret[0] == NO_ACCESS_TO_LDAP and self.realm is None:
if ldapret[0] == NO_ACCESS_TO_LDAP:
ldapaccess = False
# If one of LDAP servers checked rejects access (may be anonymous
# bind is disabled), assume realm and basedn generated off domain.
# Note that in case ldapret[0] == 0 and ldapaccess == False (one of
# servers didn't provide access but another one succeeded), self.realm
# will be set already to a proper value above, self.basdn will be
# initialized during the LDAP check itself and we'll skip these two checks.
if not ldapaccess and self.realm is None:
# Assume realm is the same as domain.upper()
self.realm = self.domain.upper()
root_logger.debug("Assuming realm is the same as domain: %s" % self.realm)
if ldapret[0] == NO_ACCESS_TO_LDAP and self.basedn is None:
if not ldapaccess and self.basedn is None:
# Generate suffix from realm
self.basedn = realm_to_suffix(self.realm)
root_logger.debug("Generate basedn from realm: %s" % self.basedn)
@ -200,7 +216,7 @@ class IPADiscovery:
Errno is an error number:
0 means all ok
1 means we could not check the info in LDAP (may happend when
anonymous binds are siabled)
anonymous binds are disabled)
2 means the server is certainly not an IPA server
"""