mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
Do not crash client basedn discovery when SSF not met
ipa-client-install runs an anonymous search outside the root DSE, which may raise an UNWILLING_TO_PERFORM error. This case was handled only for the BIND operation, not for the actual LDAP queries. https://fedorahosted.org/freeipa/ticket/4459 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
parent
724391a71b
commit
aa0639284c
@ -335,6 +335,10 @@ class IPADiscovery(object):
|
||||
no_schema=True, decode_attrs=False)
|
||||
try:
|
||||
lh.do_simple_bind(DN(), '')
|
||||
|
||||
# get IPA base DN
|
||||
root_logger.debug("Search LDAP server for IPA base DN")
|
||||
basedn = get_ipa_basedn(lh)
|
||||
except errors.ACIError:
|
||||
root_logger.debug("LDAP Error: Anonymous access not allowed")
|
||||
return [NO_ACCESS_TO_LDAP]
|
||||
@ -350,10 +354,6 @@ class IPADiscovery(object):
|
||||
else:
|
||||
return [UNKNOWN_ERROR]
|
||||
|
||||
# get IPA base DN
|
||||
root_logger.debug("Search LDAP server for IPA base DN")
|
||||
basedn = get_ipa_basedn(lh)
|
||||
|
||||
if basedn is None:
|
||||
root_logger.debug("The server is not an IPA server")
|
||||
return [NOT_IPA_SERVER]
|
||||
|
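Review bot: In the first hunk the base-DN search now shares one `try` with `lh.do_simple_bind(DN(), '')`, so an `errors.ACIError` from either call is logged as "LDAP Error: Anonymous access not allowed" and the debug log does not say whether the bind or the search was refused. A comment above the moved lines would record why they sit inside the try, for example `# the search can be refused (UNWILLING_TO_PERFORM) when the server's SSF requirement is not met; keep it under the same handlers as the bind`. The handler for that error lies between the two hunks and is not visible here, so the return code a refused search maps to could not be checked. The enclosing method of `IPADiscovery` starts and ends outside both hunks.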