Enable ipa_memcached when upgrading

Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.

Also uninstall ipa_memcached when uninstalling the server.

https://fedorahosted.org/freeipa/ticket/2399

install/tools/ipa-server-install

@@ -464,6 +464,7 @@ def uninstall():
     httpinstance.HTTPInstance(fstore).uninstall()
     krbinstance.KrbInstance(fstore).uninstall()
     dsinstance.DsInstance(fstore=fstore).uninstall()
+    memcacheinstance.MemcacheInstance().uninstall()
     fstore.restore_all_files()
     try:
         os.remove(ANSWER_CACHE)

install/tools/ipa-upgradeconfig

@@ -29,12 +29,15 @@ try:
     from ipaserver.install import installutils
     from ipaserver.install import dsinstance
     from ipaserver.install import httpinstance
+    from ipaserver.install import memcacheinstance
     from ipaserver.install import service
+    import ldap
     import krbV
     import re
     import os
     import shutil
     import fileinput
+    import ipalib.errors
 except ImportError:
     print >> sys.stderr, """\
 There was a problem importing one of the required Python modules. The
@@ -254,6 +257,15 @@ def main():
     http = httpinstance.HTTPInstance()
     http.remove_httpd_ccache()
 
+    memcache = memcacheinstance.MemcacheInstance()
+    memcache.ldapi = True
+    memcache.realm = krbctx.default_realm
+    try:
+        if not memcache.is_configured():
+            memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(krbctx.default_realm))
+    except (ldap.ALREADY_EXISTS, ipalib.errors.DuplicateEntry):
+        pass
+
 try:
     if __name__ == "__main__":
         sys.exit(main())

ipaserver/install/installutils.py

@@ -36,7 +36,7 @@ from ipapython import ipautil, dnsclient, sysrestore
 from ipapython.ipa_log_manager import *
 
 # Used to determine install status
-IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named']
+IPA_MODULES = ['httpd', 'kadmin', 'dirsrv', 'pki-cad', 'pkids', 'install', 'krb5kdc', 'ntpd', 'named', 'ipa_memcached']
 
 class BadHostError(Exception):
     pass

ipaserver/install/service.py

@@ -20,6 +20,7 @@
 import sys
 import os, socket
 import tempfile
+import pwd
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
@@ -51,12 +52,13 @@ def print_msg(message, output_fd=sys.stdout):
 
 
 class Service(object):
-    def __init__(self, service_name, sstore=None, dm_password=None):
+    def __init__(self, service_name, sstore=None, dm_password=None, ldapi=False):
         self.service_name = service_name
         self.service = ipaservices.service(service_name)
         self.steps = []
         self.output_fd = sys.stdout
         self.dm_password = dm_password
+        self.ldapi = ldapi
 
         self.fqdn = socket.gethostname()
         self.admin_conn = None
@@ -72,7 +74,12 @@ class Service(object):
         self.dercert = None
 
     def ldap_connect(self):
-        self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
+        if self.ldapi:
+            if not self.realm:
+                raise RuntimeError('realm must be set to use ldapi connection')
+            self.admin_conn = self.__get_conn(None, None, ldapi=True, realm=self.realm)
+        else:
+            self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
 
     def ldap_disconnect(self):
         self.admin_conn.unbind()
@@ -258,14 +265,25 @@ class Service(object):
 
         self.steps = []
 
-    def __get_conn(self, fqdn, dm_password):
+    def __get_conn(self, fqdn, dm_password, ldapi=False, realm=None):
         # If we are passed a password we'll use it as the DM password
         # otherwise we'll do a GSSAPI bind.
         try:
 #            conn = ipaldap.IPAdmin(fqdn, port=636, cacert=CACERT)
-            conn = ipaldap.IPAdmin(fqdn, port=389)
+            if ldapi:
+                conn = ipaldap.IPAdmin(ldapi=ldapi, realm=realm)
+            else:
+                conn = ipaldap.IPAdmin(fqdn, port=389)
             if dm_password:
                 conn.do_simple_bind(bindpw=dm_password)
+            elif os.getegid() == 0 and self.ldapi:
+                try:
+                    # autobind
+                    pw_name = pwd.getpwuid(os.geteuid()).pw_name
+                    conn.do_external_bind(pw_name)
+                except errors.NotFound:
+                    # Fall back
+                    conn.do_sasl_gssapi_bind()
             else:
                 conn.do_sasl_gssapi_bind()
         except Exception, e:
@@ -276,7 +294,8 @@ class Service(object):
 
     def ldap_enable(self, name, fqdn, dm_password, ldap_suffix):
         self.disable()
-        conn = self.__get_conn(fqdn, dm_password)
+        if not self.admin_conn:
+            self.ldap_connect()
 
         entry_name = "cn=%s,cn=%s,%s,%s" % (name, fqdn,
                                             "cn=masters,cn=ipa,cn=etc",
@@ -290,9 +309,9 @@ class Service(object):
                         "enabledService", "startOrder " + str(order))
 
         try:
-            conn.addEntry(entry)
+            self.admin_conn.addEntry(entry)
-        except ldap.ALREADY_EXISTS, e:
+        except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:
-            root_logger.critical("failed to add %s Service startup entry" % name)
+            root_logger.debug("failed to add %s Service startup entry" % name)
             raise e
 
 class SimpleServiceInstance(Service):