Use IPAdmin rather than raw python-ldap in ipa-client-install

Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
2024-12-23 07:33:27 -06:00 · 2013-01-31 07:46:33 -05:00 · 2013-01-31 07:46:33 -05:00 · a0242334fe
commit a0242334fe
parent 91a63cce62
2 changed files with 34 additions and 37 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -25,35 +25,30 @@ try:
    import os
    import time
    import socket
-    import ldap
-    import ldap.sasl
    import urlparse
-
-    from ipapython.ipa_log_manager import *
    import tempfile
    import getpass
+    from ConfigParser import RawConfigParser
+    from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
+
+    import nss.nss as nss
+    import SSSDConfig
+
+    from ipapython.ipa_log_manager import standard_logging_setup, root_logger
    from ipaclient import ipadiscovery
    from ipaclient.ipadiscovery import CACERT
    import ipaclient.ipachangeconf
    import ipaclient.ntpconf
-    from ipapython.ipautil import run, user_input, CalledProcessError,\
-                                  file_exists, realm_to_suffix,\
-                                  convert_ldap_error
+    from ipapython.ipautil import (
+        run, user_input, CalledProcessError, file_exists, realm_to_suffix)
    import ipapython.services as ipaservices
-    from ipapython import ipautil
-    from ipapython import sysrestore
-    from ipapython import version
-    from ipapython import certmonger
+    from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
    from ipapython.config import IPAOptionParser
    from ipalib import api, errors
    from ipalib import x509
    from ipapython.dn import DN
    from ipapython.ssh import SSHPublicKey
    from ipalib.rpc import delete_persistent_client_session_data
-    import nss.nss as nss
-    import SSSDConfig
-    from ConfigParser import RawConfigParser
-    from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
 except ImportError:
    print >> sys.stderr, """\
 There was a problem importing one of the required Python modules. The
@ -1419,7 +1414,7 @@ def get_ca_cert_from_http(url, ca_file, warn=True):
    except CalledProcessError, e:
        raise errors.NoCertificateError(entry=url)

-def get_ca_cert_from_ldap(url, basedn, ca_file):
+def get_ca_cert_from_ldap(server, basedn, ca_file):
    '''
    Retrieve th CA cert from the LDAP server by binding to the
    server with GSSAPI using the current Kerberos credentials.
@ -1435,34 +1430,33 @@ def get_ca_cert_from_ldap(url, basedn, ca_file):
    ca_cert_attr = 'cAcertificate;binary'
    dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)

-    SASL_GSSAPI = ldap.sasl.sasl({},'GSSAPI')

-    root_logger.debug("trying to retrieve CA cert via LDAP from %s", url)
+    root_logger.debug("trying to retrieve CA cert via LDAP from %s", server)

-    conn = ldap.initialize(url)
-    conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
+    conn = ipaldap.IPAdmin(server, sasl_nocanon=True)
    try:
-        conn.sasl_interactive_bind_s('', SASL_GSSAPI)
-        result = conn.search_st(str(dn), ldap.SCOPE_BASE, 'objectclass=pkiCA',
-                                [ca_cert_attr], timeout=10)
-    except ldap.NO_SUCH_OBJECT, e:
-        root_logger.debug("get_ca_cert_from_ldap() error: %s",
-                          convert_ldap_error(e))
-        raise errors.NoCertificateError(entry=url)
+        conn.do_sasl_gssapi_bind()
+        result, truncated = conn.find_entries(
+            base_dn=dn,
+            scope=conn.SCOPE_BASE,
+            filter='(objectclass=pkiCA)',
+            attrs_list=[ca_cert_attr],
+            time_limit=10)
+    except errors.NotFound, e:
+        root_logger.debug("get_ca_cert_from_ldap() error: %s", e)
+        raise errors.NoCertificateError(entry=server)

-    except ldap.SERVER_DOWN, e:
-        root_logger.debug("get_ca_cert_from_ldap() error: %s",
-                          convert_ldap_error(e))
-        raise errors.NetworkError(uri=url, error=str(e))
+    except errors.NetworkError, e:
+        root_logger.debug("get_ca_cert_from_ldap() error: %s", e)
+        raise errors.NetworkError(uri=conn.ldap_uri, error=str(e))
    except Exception, e:
-        root_logger.debug("get_ca_cert_from_ldap() error: %s",
-                          convert_ldap_error(e))
+        root_logger.debug("get_ca_cert_from_ldap() error: %s", e)
        raise errors.LDAPError(str(e))

    if len(result) != 1:
        raise errors.OnlyOneValueAllowed(attr=ca_cert_attr)

-    attrs = result[0][1]
+    attrs = result[0]
    try:
        der_cert = attrs[ca_cert_attr][0]
    except KeyError:
@ -1605,9 +1599,9 @@ def get_ca_cert(fstore, options, server, basedn):
                    raise
        else:
            # Auth with user credentials
-            url = ldap_url()
            try:
-                get_ca_cert_from_ldap(url, basedn, ca_file)
+                url = ldap_url()
+                get_ca_cert_from_ldap(server, basedn, ca_file)
                try:
                    validate_new_ca_cert(existing_ca_cert,
                                         ca_file, interactive)
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@ -1658,7 +1658,7 @@ class IPAdmin(LDAPClient):
    def __init__(self, host='', port=389, cacert=None, debug=None, ldapi=False,
                 realm=None, protocol=None, force_schema_updates=True,
                 start_tls=False, ldap_uri=None, no_schema=False,
-                 decode_attrs=True):
+                 decode_attrs=True, sasl_nocanon=False):
        self.conn = None
        log_mgr.get_logger(self, True)
        if debug and debug.lower() == "on":
@ -1682,6 +1682,9 @@ class IPAdmin(LDAPClient):
                                        no_schema=no_schema,
                                        decode_attrs=decode_attrs)

+        if sasl_nocanon:
+            self.conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
+
        if start_tls:
            self.conn.start_tls_s()