install tools: ldap conn management

* ipa-ca-install: Use a single ldap connection for the entire
    script. Connecting with ccache in promote is not needed.
* ipa-cacert-manage: Always connect to ldap, since renew and install
    are the only options and renew seems to need ldap connection even
    for self signed certificates.
* ipa-compat-manage: Use one ldap connection for the entire script.
    Replaced try-finally with proper disconnect, code block reindented.
* ipa-csreplica-manage: Properly establish and close the ldap connection.
* ipa-dns-install: Proper connect, disconnect to ldap.
* ipa-kra-install: Proper connect/disconnect for install and uninstall.
* ipa-ldap-update: Proper connect and disconnect to ldap.
* ipa-nis-manage: Proper connect/disconnect for ldap. Try-finally removed
    and code block reindented.
* ipa-replica-manage: Proper connect/disconnect to ldap.
* ipa-replica-prepare: Connect added to validate_options(), where api is
    initialized and disconnected added at the end of run. Reconnect in
    ask_for_options() to validate directory manager password.
* ipa-server-certinstall: Use api.Backend.ldap2 for ldap connections.
* ipa-server-upgrade: Connect to and disconnect from api.Backend.ldap2.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Tomas Krizek 2016-10-27 10:31:45 +02:00 committed by Martin Basti
parent 36d95472d9
commit 922062eb55
13 changed files with 206 additions and 284 deletions


@ -33,7 +33,6 @@ from ipaserver.install import cainstance, custodiainstance, service
from ipapython import version
from ipalib import api
from ipalib.constants import DOMAIN_LEVEL_0
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipaplatform.paths import paths
@ -156,17 +155,13 @@ def install_replica(safe_options, options, filename):
REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = True
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dirman_password)
if config.subject_base is None:
attrs = conn.get_ipa_config()
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.master_host_name is None:
config.ca_host_name = \
service.find_providing_server('CA', conn, api.env.ca_host)
service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host)
config.master_host_name = config.ca_host_name
else:
config.ca_host_name = config.master_host_name
@ -216,9 +211,6 @@ def install_master(safe_options, options):
if dm_password is None:
sys.exit("Directory Manager password required")
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dm_password)
config = api.Command['config_show']()['result']
subject_base = config['ipacertificatesubjectbase'][0]
@ -262,10 +254,7 @@ def promote(safe_options, options, filename):
paths.KRB5_KEYTAB,
ccache)
conn = api.Backend.ldap2
conn.connect(ccache=ccache)
ca_host = service.find_providing_server('CA', conn)
conn.disconnect()
ca_host = service.find_providing_server('CA', api.Backend.ldap2)
if ca_host is None:
install_master(safe_options, options)
else:
@ -294,6 +283,7 @@ def main():
# functional dogtag backend plugins during CA install
api.bootstrap(in_server=True, ra_plugin='dogtag')
api.finalize()
api.Backend.ldap2.connect()
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
@ -305,6 +295,8 @@ def main():
ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
raiseonerr=False)
api.Backend.ldap2.disconnect()
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
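Review bot: install_master() keeps the `sys.exit("Directory Manager password required")` check, but the bind that actually consumed dm_password was removed, so a mistyped password is no longer detected at this point; `config_show` now runs over the connection opened in main() by `api.Backend.ldap2.connect()`, which passes no credentials (presumably LDAPI autobind as root — the default is not visible on this page). If the password is only used later by the CA installer, a typo surfaces much deeper into the install, so either keep a cheap validation bind or add a comment stating why the check alone is still wanted, e.g. `# dm_password is validated later by the CA installer; only presence is checked here`. Separately, the `api.Backend.ldap2.disconnect()` added before `fail_message` is on the success path only; wrapping the install body in `try`/`finally` would close the connection when the install fails as well. main()'s body continues outside the hunk.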


@ -28,7 +28,6 @@ try:
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate
from ipaserver.plugins.ldap2 import ldap2
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
@ -69,14 +68,14 @@ def get_dirman_password():
return password
def get_entry(dn, conn):
def get_entry(dn):
"""
Return the entry for the given DN. If the entry is not found return
None.
"""
entry = None
try:
entry = conn.get_entry(dn)
entry = api.Backend.ldap2.get_entry(dn)
except errors.NotFound:
pass
return entry
@ -105,98 +104,85 @@ def main():
api.bootstrap(context='cli', in_server=True, debug=options.debug)
api.finalize()
api.Backend.ldap2.connect()
conn = None
try:
if args[0] == "status":
entry = None
try:
conn = ldap2(api)
conn.connect(
bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password
)
entry = get_entry(compat_dn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("Plugin Enabled")
else:
print("Plugin Disabled")
except errors.LDAPError as lde:
print("An error occurred while talking to the server.")
print(lde)
if args[0] == "enable":
entry = None
try:
entry = get_entry(compat_dn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("Plugin already Enabled")
retval = 2
else:
print("Enabling plugin")
if entry is None:
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
if not ld.update(files):
print("Updating Directory Server failed.")
retval = 1
else:
entry['nsslapd-pluginenabled'] = ['on']
api.Backend.ldap2.update_entry(entry)
except errors.ExecutionError as lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
except errors.ACIError as e:
sys.exit("Authentication failed: %s" % e.info)
print("An error occurred while talking to the server.")
print(lde)
retval = 1
if args[0] == "status":
entry = None
try:
entry = get_entry(compat_dn, conn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("Plugin Enabled")
else:
print("Plugin Disabled")
except errors.LDAPError as lde:
print("An error occurred while talking to the server.")
print(lde)
if args[0] == "enable":
entry = None
try:
entry = get_entry(compat_dn, conn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("Plugin already Enabled")
retval = 2
else:
print("Enabling plugin")
if entry is None:
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
if not ld.update(files):
print("Updating Directory Server failed.")
retval = 1
else:
entry['nsslapd-pluginenabled'] = ['on']
conn.update_entry(entry)
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
elif args[0] == "disable":
entry = None
try:
entry = get_entry(nis_config_dn, conn)
# We can't disable schema compat if the NIS plugin is enabled
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr)
print("Run 'ipa-nis-manage disable' first.", file=sys.stderr)
retval = 2
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
if retval == 0:
entry = None
try:
entry = get_entry(compat_dn, conn)
if entry is None or entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print("Plugin is already disabled")
retval = 2
else:
print("Disabling plugin")
entry['nsslapd-pluginenabled'] = ['off']
conn.update_entry(entry)
except errors.DatabaseError as dbe:
print("An error occurred while talking to the server.")
print(dbe)
retval = 1
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
else:
elif args[0] == "disable":
entry = None
try:
entry = get_entry(nis_config_dn)
# We can't disable schema compat if the NIS plugin is enabled
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr)
print("Run 'ipa-nis-manage disable' first.", file=sys.stderr)
retval = 2
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
if retval == 0:
print("This setting will not take effect until you restart Directory Server.")
entry = None
try:
entry = get_entry(compat_dn)
if entry is None or entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print("Plugin is already disabled")
retval = 2
else:
print("Disabling plugin")
finally:
if conn and conn.isconnected():
conn.disconnect()
entry['nsslapd-pluginenabled'] = ['off']
api.Backend.ldap2.update_entry(entry)
except errors.DatabaseError as dbe:
print("An error occurred while talking to the server.")
print(dbe)
retval = 1
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
else:
retval = 1
if retval == 0:
print("This setting will not take effect until you restart Directory Server.")
api.Backend.ldap2.disconnect()
return retval
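Review bot: The new `api.Backend.ldap2.connect()` binds with no credentials although the script still collects dirman_password and hands it to `LDAPUpdate(dm_password=dirman_password, ...)`, so a wrong password is only noticed if the `enable` path has to apply the update files; ipa-nis-manage in this same commit binds with `api.Backend.ldap2.connect(bind_pw=dirman_password)`, and matching it here keeps the two tools' authentication model the same. The removed bind was also wrapped in handlers that turned ExecutionError and ACIError into a message and a clean exit ("Authentication failed: ..."), whereas the new call sits outside any try, so a refused bind now ends in a traceback. I cannot tell from the hunk whether ldap2.connect() without arguments falls back to LDAPI autobind or GSSAPI; either way the replacement below restores the old error reporting.
```python
try:
    api.Backend.ldap2.connect(bind_pw=dirman_password)
except errors.ACIError as e:
    sys.exit("Authentication failed: %s" % e.info)
except errors.ExecutionError as lde:
    sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
# … unchanged: status / enable / disable handling …
```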


@ -439,8 +439,7 @@ def main():
options.dirman_passwd = dirman_passwd
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=options.dirman_passwd)
api.Backend.ldap2.connect(bind_pw=options.dirman_passwd)
if args[0] == "list":
replica = None
@ -485,6 +484,8 @@ def main():
replica = args[1]
set_renewal_master(realm, replica)
api.Backend.ldap2.disconnect()
try:
main()
except KeyboardInterrupt:
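Review bot: `api.Backend.ldap2.connect(bind_pw=options.dirman_passwd)` drops the explicit `bind_dn=DN(('cn', 'Directory Manager'))`, so the identity the Directory Manager password is bound to now depends on ldap2.connect's default, which this page does not show; the same implicit form is used throughout the commit, so presumably that default is Directory Manager. A one-line comment above the call would spare the next reader the lookup: `# bind_pw alone performs a simple bind as cn=Directory Manager (ldap2.connect default)`. main()'s body continues outside the hunk.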


@ -140,8 +140,7 @@ def main():
)
api.bootstrap(**cfg)
api.finalize()
api.Backend.ldap2.connect(autobind=True)
api.Backend.ldap2.connect()
options.setup_ca = None # must be None to enable autodetection
@ -159,6 +158,8 @@ def main():
ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
raiseonerr=False)
api.Backend.ldap2.disconnect()
return 0
if __name__ == '__main__':
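Review bot: The explicit `autobind=True` is replaced by the default `api.Backend.ldap2.connect()`; for an installer running as root over LDAPI this presumably resolves to the same autobind, but the default is not visible on this page, and a fall-back to GSSAPI would fail here because no ccache exists at this stage of the install. A comment next to the call would record the assumption: `# runs as root: ldap2.connect() is expected to autobind over LDAPI`. As in the other installers in this commit, the `api.Backend.ldap2.disconnect()` before `return 0` is not reached when the install body raises; a `try`/`finally` would close the connection on that path too. main()'s body continues outside the hunk.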


@ -24,10 +24,9 @@ import re
import sys
from optparse import OptionParser
from ipapython import config, ipaldap
from ipapython import config
from ipaserver.install import installutils
from ipalib import api, errors
from ipalib.constants import CACERT
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipapython.dn import DN
@ -73,9 +72,9 @@ def main():
sys.exit("Unrecognized action [" + args[0] + "]")
standard_logging_setup(None, debug=options.debug)
host = installutils.get_fqdn()
api.bootstrap(context='cli', debug=options.debug)
api.finalize()
api.Backend.ldap2.connect(bind_pw=options.dirman_password)
managed_entry_definitions_dn = DN(
('cn', 'Definitions'),
@ -84,39 +83,14 @@ def main():
api.env.basedn
)
conn = None
try:
filter = '(objectClass=extensibleObject)'
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
if options.dirman_password:
try:
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_password)
except errors.ACIError:
sys.exit("Invalid credentials")
else:
conn.gssapi_bind()
except errors.ACIError:
dirman_password = get_dirman_password()
if dirman_password is None:
sys.exit("Directory Manager password required")
try:
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_password)
except errors.ACIError:
sys.exit("Invalid credentials")
except errors.ExecutionError as lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" %
str(lde))
filter = '(objectClass=extensibleObject)'
if options.list_managed_entries:
# List available Managed Entry Plugins
managed_entries = None
try:
entries = conn.get_entries(
managed_entry_definitions_dn, conn.SCOPE_SUBTREE, filter)
entries = api.Backend.ldap2.get_entries(
managed_entry_definitions_dn, api.Backend.ldap2.SCOPE_SUBTREE, filter)
except Exception as e:
root_logger.debug("Search for managed entries failed: %s" % str(e))
sys.exit("Unable to find managed entries at %s" % managed_entry_definitions_dn)
@ -135,7 +109,7 @@ def main():
disabled = True
try:
entry = conn.get_entry(def_dn)
entry = api.Backend.ldap2.get_entry(def_dn)
disable_attr = '(objectclass=disable)'
try:
org_filter = entry.single_value.get('originfilter')
@ -165,7 +139,7 @@ def main():
enable_attr = org_filter.replace(disable_attr, '')
#enable_attr = {'originfilter': enable_attr}
entry['originfilter'] = [enable_attr]
conn.update_entry(entry)
api.Backend.ldap2.update_entry(entry)
print("Enabling Plugin")
retval = 0
except errors.NotFound:
@ -189,7 +163,7 @@ def main():
else:
disable_attr = '(&%s(%s))' % (disable_attr, org_filter)
entry['originfilter'] = [disable_attr]
conn.update_entry(entry)
api.Backend.ldap2.update_entry(entry)
print("Disabling Plugin")
except errors.NotFound:
print("Plugin is already disabled")
@ -206,6 +180,8 @@ def main():
else:
retval = 1
api.Backend.ldap2.disconnect()
return retval
if __name__ == '__main__':
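Review bot: The removed connection code handled three outcomes that the single `api.Backend.ldap2.connect(bind_pw=options.dirman_password)` no longer does: ACIError on a bad password ("Invalid credentials"), ExecutionError on a failed connection, and, when no password was given and the GSSAPI bind was refused, an interactive `get_dirman_password()` fallback. A wrong `--password` now ends in a traceback rather than a message, and `get_dirman_password` appears to have lost its only caller in this hunk (its definition and any other callers are outside the hunk, so I cannot confirm it is now dead). Note also that the old path spoke LDAPS on port 636 with the IPA CA certificate pinned, while the transport used by api.Backend.ldap2 is not visible here; fine if it is LDAPI, but worth a comment at the call site. Minimal restoration of the error reporting:
```python
try:
    api.Backend.ldap2.connect(bind_pw=options.dirman_password)
except errors.ACIError:
    sys.exit("Invalid credentials")
except errors.ExecutionError as lde:
    sys.exit("An error occurred while connecting to the server.\n%s\n" %
             str(lde))
# … unchanged: managed-entry listing / enable / disable …
```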


@ -29,7 +29,6 @@ try:
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate
from ipaserver.plugins.ldap2 import ldap2
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
@ -71,14 +70,14 @@ def get_dirman_password():
return password
def get_entry(dn, conn):
def get_entry(dn):
"""
Return the entry for the given DN. If the entry is not found return
None.
"""
entry = None
try:
entry = conn.get_entry(dn)
entry = api.Backend.ldap2.get_entry(dn)
except errors.NotFound:
pass
return entry
@ -118,100 +117,87 @@ def main():
api.bootstrap(context='cli', debug=options.debug, in_server=True)
api.finalize()
api.Backend.ldap2.connect(bind_pw=dirman_password)
conn = None
try:
if args[0] == "enable":
compat = get_entry(compat_dn)
if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable")
entry = None
try:
conn = ldap2(api)
conn.connect(
bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password
)
entry = get_entry(nis_config_dn)
except errors.ExecutionError as lde:
sys.exit("An error occurred while connecting to the server: %s" % str(lde))
except errors.AuthorizationError:
sys.exit("Incorrect password")
if args[0] == "enable":
compat = get_entry(compat_dn, conn)
if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable")
entry = None
try:
entry = get_entry(nis_config_dn, conn)
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
# Enable either the portmap or rpcbind service
portmap = services.knownservices.portmap
rpcbind = services.knownservices.rpcbind
if portmap.is_installed():
portmap.enable()
servicemsg = portmap.service_name
elif rpcbind.is_installed():
rpcbind.enable()
servicemsg = rpcbind.service_name
else:
print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name))
retval = 3
# The cn=config entry for the plugin may already exist but it
# could be turned off, handle both cases.
if entry is None:
print("Enabling plugin")
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
if ld.update(files) != True:
retval = 1
elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print("Enabling plugin")
# Already configured, just enable the plugin
entry['nsslapd-pluginenabled'] = ['on']
conn.update_entry(entry)
else:
print("Plugin already Enabled")
retval = 2
elif args[0] == "disable":
try:
entry = conn.get_entry(nis_config_dn, ['nsslapd-pluginenabled'])
entry['nsslapd-pluginenabled'] = ['off']
conn.update_entry(entry)
except (errors.NotFound, errors.EmptyModlist):
print("Plugin is already disabled")
retval = 2
except errors.LDAPError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
elif args[0] == "status":
nis_entry = get_entry(nis_config_dn, conn)
enabled = (nis_entry and
nis_entry.get(
'nsslapd-pluginenabled', '')[0].lower() == "on")
if enabled:
print("Plugin is enabled")
retval = 0
else:
print("Plugin is not enabled")
retval = 4
else:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
if retval == 0:
if args[0] in {"enable", "disable"}:
print("This setting will not take effect until you restart "
"Directory Server.")
# Enable either the portmap or rpcbind service
portmap = services.knownservices.portmap
rpcbind = services.knownservices.rpcbind
if args[0] == "enable":
print("The %s service may need to be started." % servicemsg)
if portmap.is_installed():
portmap.enable()
servicemsg = portmap.service_name
elif rpcbind.is_installed():
rpcbind.enable()
servicemsg = rpcbind.service_name
else:
print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name))
retval = 3
finally:
if conn and conn.isconnected():
conn.disconnect()
# The cn=config entry for the plugin may already exist but it
# could be turned off, handle both cases.
if entry is None:
print("Enabling plugin")
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
if ld.update(files) != True:
retval = 1
elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print("Enabling plugin")
# Already configured, just enable the plugin
entry['nsslapd-pluginenabled'] = ['on']
api.Backend.ldap2.update_entry(entry)
else:
print("Plugin already Enabled")
retval = 2
elif args[0] == "disable":
try:
entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled'])
entry['nsslapd-pluginenabled'] = ['off']
api.Backend.ldap2.update_entry(entry)
except (errors.NotFound, errors.EmptyModlist):
print("Plugin is already disabled")
retval = 2
except errors.LDAPError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
elif args[0] == "status":
nis_entry = get_entry(nis_config_dn)
enabled = (nis_entry and
nis_entry.get(
'nsslapd-pluginenabled', '')[0].lower() == "on")
if enabled:
print("Plugin is enabled")
retval = 0
else:
print("Plugin is not enabled")
retval = 4
else:
retval = 1
if retval == 0:
if args[0] in {"enable", "disable"}:
print("This setting will not take effect until you restart "
"Directory Server.")
if args[0] == "enable":
print("The %s service may need to be started." % servicemsg)
api.Backend.ldap2.disconnect()
return retval
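Review bot: The new `api.Backend.ldap2.connect(bind_pw=dirman_password)` is outside any exception handler, while the bind it replaces was wrapped so that ExecutionError produced "An error occurred while connecting to the server" and AuthorizationError produced "Incorrect password"; an incorrect Directory Manager password now ends in a traceback instead of the short message, which is a regression in a tool that is typically run interactively. Restoring the two handlers around the connect keeps the rest of the rewrite untouched:
```python
try:
    api.Backend.ldap2.connect(bind_pw=dirman_password)
except errors.ExecutionError as lde:
    sys.exit("An error occurred while connecting to the server: %s" % str(lde))
except errors.AuthorizationError:
    sys.exit("Incorrect password")
# … unchanged: enable / disable / status handling …
```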


@ -1537,11 +1537,7 @@ def main(options, args):
options.dirman_passwd = dirman_passwd
# Initialize the LDAP connection
if options.dirman_passwd:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=options.dirman_passwd)
else:
api.Backend.ldap2.connect()
api.Backend.ldap2.connect(bind_pw=options.dirman_passwd)
if args[0] == "list":
replica = None
@ -1611,6 +1607,8 @@ def main(options, args):
set_DNA_range(args[1], args[2], realm, dirman_passwd, next_range=True,
nolookup=options.nolookup)
api.Backend.ldap2.disconnect()
try:
options, args = parse_options()
main(options, args)
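Review bot: Collapsing the two-branch bind into `api.Backend.ldap2.connect(bind_pw=options.dirman_passwd)` relies on ldap2.connect treating `bind_pw=None` as "no simple bind, use the default mechanism" and a non-None value as a Directory Manager simple bind; neither default is visible on this page, and the removed `if/else` made both cases explicit. A comment above the call would preserve that intent: `# dirman_passwd set: simple bind as Directory Manager; None: default (GSSAPI/autobind) bind`. The `api.Backend.ldap2.disconnect()` added after set_DNA_range is only on the fall-through path; main()'s body continues outside the hunk.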


@ -96,14 +96,11 @@ class CACertManage(admintool.AdminTool):
def run(self):
command = self.command
options = self.options
api.bootstrap(in_server=True)
api.finalize()
if ((command == 'renew' and options.external_cert_files) or
command == 'install'):
self.ldap_connect()
self.ldap_connect()
try:
if command == 'renew':
@ -111,8 +108,7 @@ class CACertManage(admintool.AdminTool):
elif command == 'install':
rc = self.install()
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
api.Backend.ldap2.disconnect()
return rc
@ -132,8 +128,7 @@ class CACertManage(admintool.AdminTool):
raise admintool.ScriptError(
"Directory Manager password required")
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
api.Backend.ldap2.connect(bind_pw=password)
def renew(self):
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
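Review bot: Making `self.ldap_connect()` unconditional is a user-visible change for `renew` without `--external-cert-file`: ldap_connect raises "Directory Manager password required" when no password is supplied, so renewing a self-signed CA certificate now always demands the Directory Manager password where it previously did not, and the commit message only says renew "seems to" need LDAP. Please confirm that requirement and state the reason at the call, e.g. `# both commands need LDAP; renew needs it even for a self-signed CA cert`, so the new prompt is not mistaken for a regression. The unconditional `api.Backend.ldap2.disconnect()` in the finally is safe only because ldap_connect() is called before the try; a comment noting that ordering would help whoever moves it later.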


@ -28,7 +28,6 @@ from ipalib.constants import DOMAIN_LEVEL_0
from ipaplatform.paths import paths
from ipapython import admintool
from ipapython import ipautil
from ipapython.dn import DN
from ipaserver.install import service
from ipaserver.install import cainstance
from ipaserver.install import krainstance
@ -106,7 +105,9 @@ class KRAUninstaller(KRAInstall):
def run(self):
super(KRAUninstaller, self).run()
api.Backend.ldap2.connect()
kra.uninstall(True)
api.Backend.ldap2.disconnect()
class KRAInstaller(KRAInstall):
@ -181,9 +182,7 @@ class KRAInstaller(KRAInstall):
self.options.dm_password = self.options.password
self.options.setup_ca = False
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=self.options.password)
api.Backend.ldap2.connect()
config = None
if self.installing_replica:
@ -204,12 +203,12 @@ class KRAInstaller(KRAInstall):
self.options)
if config.subject_base is None:
attrs = conn.get_ipa_config()
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.master_host_name is None:
config.kra_host_name = \
service.find_providing_server('KRA', conn, api.env.ca_host)
config.kra_host_name = service.find_providing_server(
'KRA', api.Backend.ldap2, api.env.ca_host)
config.master_host_name = config.kra_host_name
else:
config.kra_host_name = config.master_host_name
@ -226,3 +225,5 @@ class KRAInstaller(KRAInstall):
except:
self.log.error(dedent(self.FAIL_MESSAGE))
raise
api.Backend.ldap2.disconnect()
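Review bot: In KRAInstaller.run the explicit Directory Manager bind was replaced by a credential-less `api.Backend.ldap2.connect()` even though `self.options.dm_password = self.options.password` is still set up a few lines earlier; the password is therefore no longer validated by the bind and a typo will presumably only surface later in the KRA installer (its use is outside the hunk). A comment at the connect stating which identity it now binds as would make that intentional. The trailing `api.Backend.ldap2.disconnect()` sits after an `except: ... raise` and is skipped on failure; moving it under `finally:` on the existing try closes the connection on both paths with a two-line change, and the same applies to the connect/uninstall/disconnect triple added to KRAUninstaller.run.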


@ -101,6 +101,7 @@ class LDAPUpdater_Upgrade(LDAPUpdater):
def run(self):
super(LDAPUpdater_Upgrade, self).run()
api.Backend.ldap2.connect()
options = self.options
realm = api.env.realm
@ -120,12 +121,15 @@ class LDAPUpdater_Upgrade(LDAPUpdater):
else:
self.log.info('Update complete, no data were modified')
api.Backend.ldap2.disconnect()
class LDAPUpdater_NonUpgrade(LDAPUpdater):
log_file_name = paths.IPAUPGRADE_LOG
def run(self):
super(LDAPUpdater_NonUpgrade, self).run()
api.Backend.ldap2.connect()
options = self.options
modified = False
@ -148,3 +152,5 @@ class LDAPUpdater_NonUpgrade(LDAPUpdater):
self.log.info('Update complete')
else:
self.log.info('Update complete, no data were modified')
api.Backend.ldap2.disconnect()
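Review bot: Both LDAPUpdater_Upgrade.run and LDAPUpdater_NonUpgrade.run gain the identical pair `api.Backend.ldap2.connect()` right after `super().run()` and `api.Backend.ldap2.disconnect()` as their last statement, and in both the disconnect is skipped if the update raises. Hoisting the pair into the base LDAPUpdater.run (whose body is outside these hunks) around the subclass work, or at least putting each disconnect under a `finally:`, removes the duplication and closes the connection on the error path; whether the base run() already opens a connection is not visible here and should be checked first. Both run() bodies extend beyond the hunks.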


@ -34,7 +34,6 @@ from six.moves.configparser import SafeConfigParser
from ipaserver.install import certs, installutils, bindinstance, dsinstance
from ipaserver.install.replication import enable_replication_version_checking
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.bindinstance import (
add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists)
from ipapython import ipautil, admintool
@ -180,6 +179,8 @@ class ReplicaPrepare(admintool.AdminTool):
api.bootstrap(in_server=True)
api.finalize()
# Connect to LDAP, connection is closed at the end of run()
api.Backend.ldap2.connect()
self.check_for_supported_domain_level()
@ -215,21 +216,18 @@ class ReplicaPrepare(admintool.AdminTool):
"Directory Manager password required")
# Try out the password & get the subject base
api.Backend.ldap2.disconnect()
try:
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dirman_password)
api.Backend.ldap2.connect(bind_pw=self.dirman_password)
entry_attrs = conn.get_ipa_config()
entry_attrs = api.Backend.ldap2.get_ipa_config()
self.subject_base = entry_attrs.get(
'ipacertificatesubjectbase', [None])[0]
ca_enabled = api.Command.ca_is_enabled()['result']
conn.disconnect()
except errors.ACIError:
raise admintool.ScriptError("The password provided is incorrect "
"for LDAP server %s" % api.env.host)
"for LDAP server %s" % api.env.host)
except errors.LDAPError:
raise admintool.ScriptError(
"Unable to connect to LDAP server %s" % api.env.host)
@ -279,13 +277,6 @@ class ReplicaPrepare(admintool.AdminTool):
"record manually and then omit --ip-address option.")
raise admintool.ScriptError("Cannot add DNS record")
disconnect = False
if not api.Backend.ldap2.isconnected():
api.Backend.ldap2.connect(
bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=self.dirman_password)
disconnect = True
options.reverse_zones = bindinstance.check_reverse_zones(
options.ip_addresses, options.reverse_zones, options, False,
True)
@ -297,9 +288,6 @@ class ReplicaPrepare(admintool.AdminTool):
"--ip-address option." % zone)
raise admintool.ScriptError("Cannot add DNS record")
if disconnect:
api.Backend.ldap2.disconnect()
self.http_pin = self.dirsrv_pin = self.pkinit_pin = None
if options.http_cert_files:
@ -387,6 +375,9 @@ class ReplicaPrepare(admintool.AdminTool):
if options.wait_for_dns:
self.wait_for_dns()
# Close LDAP connection that was opened in validate_options()
api.Backend.ldap2.disconnect()
def copy_ds_certificate(self):
options = self.options
@ -498,11 +489,6 @@ class ReplicaPrepare(admintool.AdminTool):
self.log.info("Adding DNS records for %s", self.replica_fqdn)
name, domain = self.replica_fqdn.split(".", 1)
if not api.Backend.ldap2.isconnected():
api.Backend.ldap2.connect(
bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=self.dirman_password)
for reverse_zone in options.reverse_zones:
self.log.info("Adding reverse zone %s", reverse_zone)
add_zone(reverse_zone)
@ -658,14 +644,8 @@ class ReplicaPrepare(admintool.AdminTool):
os.remove(agent_name)
def update_pki_admin_password(self):
ldap = ldap2(api)
ldap.connect(
bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.dirman_password
)
dn = DN('uid=admin', 'ou=people', 'o=ipaca')
ldap.modify_password(dn, self.dirman_password)
ldap.disconnect()
api.Backend.ldap2.modify_password(dn, self.dirman_password)
def regenerate_ca_file(self, ca_file):
dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
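Review bot: update_pki_admin_password now calls `api.Backend.ldap2.modify_password(dn, self.dirman_password)` on `uid=admin,ou=people,o=ipaca` over whatever connection is current, and the "reconnect as Directory Manager if not connected" guards that previously protected the DNS steps were removed; this is correct only if every path to these calls goes through the disconnect/reconnect with `bind_pw=self.dirman_password` in ask_for_options, since the connection opened in validate_options with a bare `api.Backend.ldap2.connect()` carries no Directory Manager credentials (I cannot confirm from the hunks that the re-bind is unconditional). A comment on update_pki_admin_password such as `# relies on the Directory Manager bind re-established in ask_for_options()` records the dependency. The comment added in validate_options, "connection is closed at the end of run()", is also slightly misleading now that ask_for_options disconnects and reconnects in between; `# Connect to LDAP; ask_for_options() re-binds as Directory Manager, run() closes it` is more accurate. validate_options and run both extend beyond their hunks.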


@ -101,10 +101,7 @@ class ServerCertInstall(admintool.AdminTool):
def run(self):
api.bootstrap(in_server=True)
api.finalize()
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=self.options.dirman_password)
api.Backend.ldap2.connect(bind_pw=self.options.dirman_password)
if self.options.dirsrv:
self.install_dirsrv_cert()
@ -112,7 +109,7 @@ class ServerCertInstall(admintool.AdminTool):
if self.options.http:
self.install_http_cert()
conn.disconnect()
api.Backend.ldap2.disconnect()
def install_dirsrv_cert(self):
serverid = installutils.realm_to_serverid(api.env.realm)
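Review bot: `api.Backend.ldap2.disconnect()` at the end of run() is only reached if install_dirsrv_cert() and install_http_cert() both return normally; an error raised while installing a certificate leaves the Directory Manager-bound connection open until the process exits. Wrapping the two install calls in `try:` with the disconnect under `finally:` keeps the change to three lines plus re-indentation and matches the try/finally shape ipa-cacert-manage uses in this same commit. As with the other tools, the bind_dn is now implicit in `api.Backend.ldap2.connect(bind_pw=self.options.dirman_password)`; a short comment naming the bound identity would help.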


@ -40,6 +40,7 @@ class ServerUpgrade(admintool.AdminTool):
api.bootstrap(in_server=True, context='updates')
api.finalize()
api.Backend.ldap2.connect()
try:
server.upgrade_check(self.options)
@ -47,6 +48,8 @@ class ServerUpgrade(admintool.AdminTool):
except RuntimeError as e:
raise admintool.ScriptError(str(e))
api.Backend.ldap2.disconnect()
def handle_error(self, exception):
if not isinstance(exception, SystemExit):
# do not log this message when ipa is not installed