Allow insecure binds for migration

Commit 5be9341fba disallowed simple bind over an insecure connection. Password logins were only allowed over LDAPS or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases. This commit lifts the restriction and permits insecure binds over plain LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA certificate is configured with a plain LDAP connection. Fixes: https://pagure.io/freeipa/issue/8040 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-08-13 17:22:01 +02:00
parent 17c2e31fdc
commit a36556e106
2 changed files with 9 additions and 8 deletions
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1206,12 +1206,14 @@ class LDAPClient:
        return conn

    def simple_bind(self, bind_dn, bind_password, server_controls=None,
-                    client_controls=None):
+                    client_controls=None, insecure_bind=False):
        """
        Perform simple bind operation.
        """
-        if self.protocol == 'ldap' and not self._start_tls and bind_password:
-            # non-empty bind must use a secure connection
+        if (self.protocol == 'ldap' and not self._start_tls and
+                bind_password and not insecure_bind):
+            # non-empty bind must use a secure connection unless
+            # insecure bind is explicitly enabled
            raise ValueError('simple_bind over insecure LDAP connection')
        with self.error_handler():
            self._flush_schema()