ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration

When nsslapd-minssf is greater than 0, running as root ipa-ldap-updater [-l] will fail even if we force use of autobind for root over LDAPI. The reason for this is that schema updater doesn't get ldapi flag passed and attempts to connect to LDAP port instead and for hardened configurations using simple bind over LDAP is not enough. Additionally, report properly previously unhandled LDAP exceptions. https://fedorahosted.org/freeipa/ticket/3468 Reviewed-By: Petr Spacek <pspacek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-07-02 16:30:18 +03:00 · 2014-07-02 16:30:18 +03:00 · a9fe37e066
commit a9fe37e066
parent 76ec9384fb
2 changed files with 6 additions and 1 deletions
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@ -1204,6 +1204,10 @@ class LDAPClient(object):
            pass
        except ldap.CONNECT_ERROR:
            raise errors.DatabaseError(desc=desc, info=info)
+        except ldap.UNWILLING_TO_PERFORM:
+            raise errors.DatabaseError(desc=desc, info=info)
+        except ldap.AUTH_UNKNOWN:
+            raise errors.ACIError(info='%s (%s)' % (info,desc))
        except ldap.LDAPError, e:
            if 'NOT_ALLOWED_TO_DELEGATE' in info:
                raise errors.ACIError(
--- a/ipaserver/install/ipa_ldap_updater.py
+++ b/ipaserver/install/ipa_ldap_updater.py
@ -204,7 +204,8 @@ class LDAPUpdater_NonUpgrade(LDAPUpdater):
            modified = schemaupdate.update_schema(
                options.schema_files,
                dm_password=self.dirman_password,
-                live_run=not options.test) or modified
+                live_run=not options.test,
+                ldapi=options.ldapi) or modified

        if not self.files:
            self.files = ld.get_all_files(UPDATES_DIR)