Provide 'protocol' argument to IPAdmin

The ancient IPAdmin class used some heuristics to determine the protocol to connect with (ldap, ldaps, or ldapi). In turn, some calling code used questionable mechanisms to get the correct protocol: in ipaserver/install/replication.py, the CA cert was either passed to the constructor or added to the class afterwards, to get ldap:// or ldaps://. Add an explicit protocol argument and only fall back to backwards-compatible guessing if it is not given.
2025-01-11 00:31:56 -06:00 · 2012-11-20 07:18:08 -05:00 · 2012-11-20 07:18:08 -05:00 · 994563bfe9
commit 994563bfe9
parent 83ef2e251f
1 changed files with 27 additions and 11 deletions
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@ -217,22 +217,37 @@ class Entry:
 class IPAdmin(IPAEntryLDAPObject):

    def __localinit(self):
-        """If a CA certificate is provided then it is assumed that we are
-           doing SSL client authentication with proxy auth.
+        if self.protocol == 'ldaps':
+            IPAEntryLDAPObject.__init__(self,'ldaps://%s' % format_netloc(self.host, self.port))
+        elif self.protocol == 'ldapi':
+            IPAEntryLDAPObject.__init__(self,'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % "-".join(self.realm.split(".")))
+        elif self.protocol == 'ldap':
+            IPAEntryLDAPObject.__init__(self,'ldap://%s' % format_netloc(self.host, self.port))
+        else:
+            raise ValueError('Protocol %r not supported' % self.protocol)

-           If a CA certificate is not present then it is assumed that we are
-           using a forwarded kerberos ticket for SASL auth. SASL provides
-           its own encryption.
+    def __guess_protocol(self):
+        """Return the protocol to use based on flags passed to the constructor
+
+        Only used when "protocol" is not specified explicitly.
+
+        If a CA certificate is provided then it is assumed that we are
+        doing SSL client authentication with proxy auth.
+
+        If a CA certificate is not present then it is assumed that we are
+        using a forwarded kerberos ticket for SASL auth. SASL provides
+        its own encryption.
        """
        if self.cacert is not None:
-            IPAEntryLDAPObject.__init__(self,'ldaps://%s' % format_netloc(self.host, self.port))
+            return 'ldaps'
+        elif self.ldapi:
+            return 'ldapi'
        else:
-            if self.ldapi:
-                IPAEntryLDAPObject.__init__(self,'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % "-".join(self.realm.split(".")))
-            else:
-                IPAEntryLDAPObject.__init__(self,'ldap://%s' % format_netloc(self.host, self.port))
+            return 'ldap'

-    def __init__(self,host='',port=389,cacert=None,bindcert=None,bindkey=None,proxydn=None,debug=None,ldapi=False,realm=None):
+    def __init__(self, host='', port=389, cacert=None, bindcert=None,
+                 bindkey=None, proxydn=None, debug=None, ldapi=False,
+                 realm=None, protocol=None):
        """We just set our instance variables and wrap the methods - the real
           work is done in __localinit. This is separated out this way so
           that we can call it from places other than instance creation
@ -257,6 +272,7 @@ class IPAdmin(IPAEntryLDAPObject):
        self.ldapi = ldapi
        self.realm = realm
        self.suffixes = {}
+        self.protocol = protocol or self.__guess_protocol()
        self.__localinit()

    def __lateinit(self):