IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add LDAP server fallback to client installer

Browse Source 
Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388
This commit is contained in:
Rob Crittenden
2013-02-04 09:35:13 -05:00
parent 076775a0f8
commit cbb262dc07
4 changed files with 101 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
ipa-client/ipa-install/ipa-client-automount
View File

@@ -384,30 +384,33 @@ def main():
sys.exit('automount is already configured on this system.\n')
autodiscover = False
server = options.server
servers = []
ds = ipadiscovery.IPADiscovery()
if not server:
if not options.server:
print "Searching for IPA server..."
ret = ds.search()
root_logger.debug('Executing DNS discovery')
if ret == ipadiscovery.NO_LDAP_SERVER:
root_logger.debug('Autodiscovery did not find LDAP server')
if not server:
s = urlparse.urlsplit(api.env.xmlrpc_uri)
server = s.netloc
root_logger.debug('Setting server to %s' % s.netloc)
s = urlparse.urlsplit(api.env.xmlrpc_uri)
server = [s.netloc]
root_logger.debug('Setting server to %s' % s.netloc)
else:
autodiscover = True
server = ds.getServerName()
if not server:
if not ds.servers:
sys.exit('Autodiscovery was successful but didn\'t return a server')
root_logger.debug('Autodiscovery success, setting server to %s' % server)
# Now confirm that our server is an IPA server
root_logger.debug("Verifying that %s is an IPA server" % server)
ldapret = ds.ipacheckldap(server, api.env.realm)
if ldapret[0] != 0:
sys.exit('Unable to confirm that %s is an IPA v2 server' % server)
root_logger.debug('Autodiscovery success, possible servers %s' % ','.join(ds.servers))
server = ds.servers[0]
else:
server = options.server
root_logger.debug("Verifying that %s is an IPA server" % server)
ldapret = ds.ipacheckldap(server, api.env.realm)
if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
print "Anonymous access to the LDAP server is disabled."
print "Proceeding without strict verification."
print "Note: This is not an error if anonymous access has been explicitly restricted."
elif ldapret[0] != 0:
sys.exit('Unable to confirm that %s is an IPA server' % server)
if not autodiscover:
print "IPA server: %s" % server

22
ipa-client/ipa-install/ipa-client-install
View File

@@ -1705,9 +1705,7 @@ def install(options, env, fstore, statestore):
# Create the discovery instance
ds = ipadiscovery.IPADiscovery()
# Do discovery on the first server passed in, we'll do sanity checking
# on any others
ret = ds.search(domain=options.domain, server=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
if ret == ipadiscovery.BAD_HOST_CONFIG:
root_logger.error("Can't get the fully qualified name of this host")
@@ -1744,7 +1742,7 @@ def install(options, env, fstore, statestore):
cli_domain_source = 'Provided interactively'
root_logger.debug(
"will use interactively provided domain: %s", cli_domain)
ret = ds.search(domain=cli_domain, server=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
ret = ds.search(domain=cli_domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
if not cli_domain:
if ds.domain:
@@ -1768,7 +1766,7 @@ def install(options, env, fstore, statestore):
cli_server = [user_input("Provide your IPA server name (ex: ipa.example.com)", allow_empty = False)]
cli_server_source = 'Provided interactively'
root_logger.debug("will use interactively provided server: %s", cli_server[0])
ret = ds.search(domain=cli_domain, server=cli_server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
ret = ds.search(domain=cli_domain, servers=cli_server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
else:
# Only set dnsok to True if we were not passed in one or more servers
@@ -1785,11 +1783,11 @@ def install(options, env, fstore, statestore):
if not cli_server:
if options.server:
cli_server = options.server
cli_server = ds.servers
cli_server_source = 'Provided as option'
root_logger.debug("will use provided server: %s", ', '.join(options.server))
elif ds.server:
cli_server = [ds.server]
cli_server = ds.servers
cli_server_source = ds.server_source
root_logger.debug("will use discovered server: %s", cli_server[0])
@@ -1860,16 +1858,6 @@ def install(options, env, fstore, statestore):
root_logger.debug("will use discovered basedn: %s", cli_basedn)
subject_base = DN(('O', cli_realm))
# Now do a sanity check on the other servers
if options.server and len(options.server) > 1:
for server in options.server[1:]:
ret = ds.search(domain=cli_domain, server=server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
if ret == ipadiscovery.NOT_IPA_SERVER:
root_logger.error("%s is not an IPA v2 Server.", server)
print_port_conf_info()
root_logger.debug("(%s: %s)", server, cli_server_source)
return CLIENT_INSTALL_ERROR
root_logger.info("Hostname: %s", hostname)
root_logger.debug("Hostname source: %s", hostname_source)
root_logger.info("Realm: %s", cli_realm)