Do not crash client basedn discovery when SSF not met

ipa-client-install runs an anonymous search outside the root DSE, which
may raise an UNWILLING_TO_PERFORM error. This case was handled only for
the BIND, but not for the actual LDAP queries.

https://fedorahosted.org/freeipa/ticket/4459

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Martin Kosek 2014-07-24 09:57:54 +02:00 committed by Petr Viktorin
parent 724391a71b
commit aa0639284c


@ -335,6 +335,10 @@ class IPADiscovery(object):
no_schema=True, decode_attrs=False) no_schema=True, decode_attrs=False)
try: try:
lh.do_simple_bind(DN(), '') lh.do_simple_bind(DN(), '')
# get IPA base DN
root_logger.debug("Search LDAP server for IPA base DN")
basedn = get_ipa_basedn(lh)
except errors.ACIError: except errors.ACIError:
root_logger.debug("LDAP Error: Anonymous access not allowed") root_logger.debug("LDAP Error: Anonymous access not allowed")
return [NO_ACCESS_TO_LDAP] return [NO_ACCESS_TO_LDAP]
@ -350,10 +354,6 @@ class IPADiscovery(object):
else: else:
return [UNKNOWN_ERROR] return [UNKNOWN_ERROR]
# get IPA base DN
root_logger.debug("Search LDAP server for IPA base DN")
basedn = get_ipa_basedn(lh)
if basedn is None: if basedn is None:
root_logger.debug("The server is not an IPA server") root_logger.debug("The server is not an IPA server")
return [NOT_IPA_SERVER] return [NOT_IPA_SERVER]
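Review bot: The relocated `# get IPA base DN` comment in the first hunk does not say why `get_ipa_basedn(lh)` now has to sit inside the `try`, so a later cleanup could move the search back out and reintroduce the crash. I would extend it to something like `# get IPA base DN; kept inside the try because a server enforcing a minimum SSF can refuse the anonymous search even when the anonymous bind succeeded`. The handlers between the two hunks are not visible here, so I can only presume that one of them catches the error class that UNWILLING_TO_PERFORM is mapped to; that is worth confirming. Every visible `except` branch returns, so `basedn` should still be bound when `if basedn is None:` runs, though that also depends on the handlers outside the hunks.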