ipaldap: merge simple_bind into LDAPClient

* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Tomas Krizek 2016-10-05 17:42:32 +02:00 committed by Martin Basti
parent 5760b7e983
commit de58a5c605
13 changed files with 44 additions and 36 deletions


@ -49,7 +49,7 @@ def bind(ldap_uri, base_dn, username, password):
bind_dn = DN(('uid', username), ('cn', 'users'), ('cn', 'accounts'), base_dn) bind_dn = DN(('uid', username), ('cn', 'users'), ('cn', 'accounts'), base_dn)
try: try:
conn = IPAdmin(ldap_uri=ldap_uri) conn = IPAdmin(ldap_uri=ldap_uri)
conn.do_simple_bind(bind_dn, password) conn.simple_bind(bind_dn, password)
except (errors.ACIError, errors.DatabaseError, errors.NotFound) as e: except (errors.ACIError, errors.DatabaseError, errors.NotFound) as e:
root_logger.error( root_logger.error(
'migration invalid credentials for %s: %s' % (bind_dn, e)) 'migration invalid credentials for %s: %s' % (bind_dn, e))


@ -94,7 +94,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
try: try:
# connect to main IPA LDAP server # connect to main IPA LDAP server
conn = ipaldap.IPAdmin(host, 636, cacert=CACERT) conn = ipaldap.IPAdmin(host, 636, cacert=CACERT)
conn.do_simple_bind(bindpw=dirman_passwd) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm)) dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm))
entries = conn.get_entries(dn, conn.SCOPE_ONELEVEL) entries = conn.get_entries(dn, conn.SCOPE_ONELEVEL)
@ -295,7 +296,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
sys.exit(str(e)) sys.exit(str(e))
try: try:
conn = ipaldap.IPAdmin(replica2, 636, cacert=CACERT) conn = ipaldap.IPAdmin(replica2, 636, cacert=CACERT)
conn.do_simple_bind(bindpw=dirman_passwd) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
dn = DN(('cn', 'CA'), ('cn', replica2), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), dn = DN(('cn', 'CA'), ('cn', replica2), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
ipautil.realm_to_suffix(realm)) ipautil.realm_to_suffix(realm))


@ -91,7 +91,8 @@ def main():
if options.dirman_password: if options.dirman_password:
try: try:
conn.do_simple_bind(bindpw=options.dirman_password) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_password)
except errors.ACIError: except errors.ACIError:
sys.exit("Invalid credentials") sys.exit("Invalid credentials")
else: else:
@ -101,7 +102,8 @@ def main():
if dirman_password is None: if dirman_password is None:
sys.exit("Directory Manager password required") sys.exit("Directory Manager password required")
try: try:
conn.do_simple_bind(bindpw=dirman_password) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_password)
except errors.ACIError: except errors.ACIError:
sys.exit("Invalid credentials") sys.exit("Invalid credentials")
except errors.ExecutionError as lde: except errors.ExecutionError as lde:


@ -169,7 +169,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
try: try:
conn = ipaldap.IPAdmin(host, 636, cacert=CACERT) conn = ipaldap.IPAdmin(host, 636, cacert=CACERT)
if dirman_passwd: if dirman_passwd:
conn.do_simple_bind(bindpw=dirman_passwd) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
else: else:
conn.do_sasl_gssapi_bind() conn.do_sasl_gssapi_bind()
except Exception as e: except Exception as e:
@ -628,7 +629,8 @@ def clean_dangling_ruvs(realm, host, options):
""" """
conn = ipaldap.IPAdmin(host, 636, cacert=CACERT) conn = ipaldap.IPAdmin(host, 636, cacert=CACERT)
try: try:
conn.do_simple_bind(bindpw=options.dirman_passwd) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_passwd)
# get all masters # get all masters
masters_dn = DN(api.env.container_masters, api.env.basedn) masters_dn = DN(api.env.container_masters, api.env.basedn)
@ -673,7 +675,8 @@ def clean_dangling_ruvs(realm, host, options):
for master_cn, master_info in info.items(): for master_cn, master_info in info.items():
try: try:
conn = ipaldap.IPAdmin(master_cn, 636, cacert=CACERT) conn = ipaldap.IPAdmin(master_cn, 636, cacert=CACERT)
conn.do_simple_bind(bindpw=options.dirman_passwd) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_passwd)
master_info['online'] = True master_info['online'] = True
except Exception: except Exception:
print("The server '{host}' appears to be offline." print("The server '{host}' appears to be offline."
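Review bot: The per-master bind in clean_dangling_ruvs is wrapped in a bare `except Exception:` that reports the host as offline, so a rejected Directory Manager password on that master (the DM password is per-instance and can differ from the one that worked against `host` a few lines earlier) is printed as a connectivity problem rather than an authentication failure, and the RUV cleanup then proceeds on wrong information. Catch the credential case first, e.g. `except errors.ACIError: sys.exit("Invalid credentials for '%s'" % master_cn)` ahead of the broad handler, and keep the broad handler only for transport errors. The surrounding `for master_cn, master_info in info.items():` loop and the function body continue outside the hunk, so any other handling there is not visible here.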


@ -386,7 +386,7 @@ class IPADiscovery(object):
lh = ipaldap.IPAdmin(thost, protocol='ldap', lh = ipaldap.IPAdmin(thost, protocol='ldap',
no_schema=True, decode_attrs=False) no_schema=True, decode_attrs=False)
try: try:
lh.do_simple_bind(DN(), '') lh.simple_bind(DN(), '')
# get IPA base DN # get IPA base DN
root_logger.debug("Search LDAP server for IPA base DN") root_logger.debug("Search LDAP server for IPA base DN")


@ -61,6 +61,8 @@ TRUNCATED_SIZE_LIMIT = object()
TRUNCATED_TIME_LIMIT = object() TRUNCATED_TIME_LIMIT = object()
TRUNCATED_ADMIN_LIMIT = object() TRUNCATED_ADMIN_LIMIT = object()
DIRMAN_DN = DN(('cn', 'directory manager'))
def unicode_from_utf8(val): def unicode_from_utf8(val):
''' '''
@ -1050,6 +1052,7 @@ class LDAPClient(object):
def __enter__(self): def __enter__(self):
return self return self
def __exit__(self, exc_type, exc_value, traceback): def __exit__(self, exc_type, exc_value, traceback):
self.close() self.close()
@ -1075,8 +1078,6 @@ class LDAPClient(object):
""" """
with self.error_handler(): with self.error_handler():
self._flush_schema() self._flush_schema()
if bind_dn is None:
bind_dn = DN()
assert isinstance(bind_dn, DN) assert isinstance(bind_dn, DN)
bind_dn = str(bind_dn) bind_dn = str(bind_dn)
bind_password = self.encode(bind_password) bind_password = self.encode(bind_password)
@ -1630,10 +1631,6 @@ class IPAdmin(LDAPClient):
def __str__(self): def __str__(self):
return self.host + ":" + str(self.port) return self.host + ":" + str(self.port)
def do_simple_bind(self, binddn=DN(('cn', 'directory manager')),
bindpw=""):
self.simple_bind(binddn, bindpw)
def do_sasl_gssapi_bind(self): def do_sasl_gssapi_bind(self):
self.gssapi_bind() self.gssapi_bind()
@ -1642,7 +1639,7 @@ class IPAdmin(LDAPClient):
def do_bind(self, dm_password="", autobind=AUTOBIND_AUTO): def do_bind(self, dm_password="", autobind=AUTOBIND_AUTO):
if dm_password: if dm_password:
self.do_simple_bind(bindpw=dm_password) self.simple_bind(bind_dn=DIRMAN_DN, bind_password=dm_password)
return return
if autobind != AUTOBIND_DISABLED and os.getegid() == 0 and self.ldapi: if autobind != AUTOBIND_DISABLED and os.getegid() == 0 and self.ldapi:
try: try:
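Review bot: With the `if bind_dn is None: bind_dn = DN()` fallback removed from simple_bind, the only thing between a `None` (or plain `str`) bind_dn and `bind_dn = str(bind_dn)` is `assert isinstance(bind_dn, DN)`, and that assert disappears under `python -O`, at which point a `None` would be sent to the server as the literal DN "None". Dropping the fallback is the right call — an empty DN with a non-empty password is an unauthenticated bind, not the identity the caller asked for — so the new contract deserves a real check: `if not isinstance(bind_dn, DN): raise TypeError("bind_dn must be a DN")`, plus a sentence in the docstring saying bind_dn is now mandatory. simple_bind's signature and docstring begin above this hunk, so the default value of bind_dn (if any remains) should be reviewed at the same time.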


@ -1500,8 +1500,8 @@ def replica_ca_install_check(config):
with ipaldap.LDAPClient(ca_ldap_url, with ipaldap.LDAPClient(ca_ldap_url,
start_tls=True, start_tls=True,
force_schema_updates=False) as connection: force_schema_updates=False) as connection:
connection.simple_bind(DN(('cn', 'Directory Manager')), connection.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
config.dirman_password) bind_password=config.dirman_password)
rschema = connection.schema rschema = connection.schema
result = rschema.get_obj(ldap.schema.models.ObjectClass, result = rschema.get_obj(ldap.schema.models.ObjectClass,
objectclass) objectclass)


@ -659,8 +659,8 @@ class DsInstance(service.Service):
root_logger.debug("Waiting for memberof task to complete.") root_logger.debug("Waiting for memberof task to complete.")
conn = ipaldap.IPAdmin(self.fqdn) conn = ipaldap.IPAdmin(self.fqdn)
if self.dm_password: if self.dm_password:
conn.do_simple_bind( conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
DN(('cn', 'directory manager')), self.dm_password) bind_password=self.dm_password)
else: else:
conn.do_sasl_gssapi_bind() conn.do_sasl_gssapi_bind()
replication.wait_for_task(conn, dn) replication.wait_for_task(conn, dn)
@ -794,7 +794,8 @@ class DsInstance(service.Service):
'restart_dirsrv %s' % self.serverid) 'restart_dirsrv %s' % self.serverid)
conn = ipaldap.IPAdmin(self.fqdn) conn = ipaldap.IPAdmin(self.fqdn)
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
(ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
@ -830,7 +831,8 @@ class DsInstance(service.Service):
trust_flags = dict(reversed(dsdb.list_certs())) trust_flags = dict(reversed(dsdb.list_certs()))
conn = ipaldap.IPAdmin(self.fqdn) conn = ipaldap.IPAdmin(self.fqdn)
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
nicknames = dsdb.find_root_cert(self.cacert_name)[:-1] nicknames = dsdb.find_root_cert(self.cacert_name)[:-1]
for nickname in nicknames: for nickname in nicknames:
@ -853,7 +855,8 @@ class DsInstance(service.Service):
subject_base=self.subject_base) subject_base=self.subject_base)
conn = ipaldap.IPAdmin(self.fqdn) conn = ipaldap.IPAdmin(self.fqdn)
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
self.import_ca_certs(dsdb, self.ca_is_configured, conn) self.import_ca_certs(dsdb, self.ca_is_configured, conn)
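Review bot: All four binds in this section build `ipaldap.IPAdmin(self.fqdn)` with no port, cacert, ldapi or start_tls argument and then send the Directory Manager password in a simple bind; unless IPAdmin's constructor defaults (outside this hunk) select TLS or the ldapi socket, that is a cleartext password bind to the host's advertised FQDN rather than to a protected transport. The other call sites touched by this commit pass `636, cacert=CACERT` or `ldapi=True, realm=...`; using the same form here, e.g. `conn = ipaldap.IPAdmin(self.fqdn, ldapi=True, realm=self.realm)` if DsInstance carries the realm, keeps the DM password off the network. Each of the enclosing DsInstance methods starts and ends outside the hunks shown.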


@ -59,8 +59,8 @@ def connect(ldapi=False, realm=None, fqdn=None, dm_password=None, pw_name=None):
conn = ipaldap.IPAdmin(fqdn, ldapi=False, realm=realm, decode_attrs=False) conn = ipaldap.IPAdmin(fqdn, ldapi=False, realm=realm, decode_attrs=False)
try: try:
if dm_password: if dm_password:
conn.do_simple_bind(binddn=DN(('cn', 'directory manager')), conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bindpw=dm_password) bind_password=dm_password)
elif os.getegid() == 0: elif os.getegid() == 0:
try: try:
# autobind # autobind
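Review bot: The `elif os.getegid() == 0:` autobind branch follows a connection created with `ldapi=False`, and IPAdmin.do_bind in this same commit only attempts autobind when `self.ldapi` is set, so unless this branch uses a different mechanism (its body is cut off by the hunk) it cannot succeed on that connection. If connect() really does create an ldapi connection on another path above the hunk, a one-line comment such as `# autobind only works on the ldapi socket; this branch expects ldapi=True above` would save the next reader the same question; if not, the branch should either build the connection with `ldapi=True` or be dropped. The function's remaining lines, including the autobind body, are outside the hunk.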


@ -117,7 +117,8 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
""" """
conn = ipaldap.IPAdmin(hostname, realm=realm, ldapi=True) conn = ipaldap.IPAdmin(hostname, realm=realm, ldapi=True)
if dirman_passwd: if dirman_passwd:
conn.do_simple_bind(bindpw=dirman_passwd) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
else: else:
conn.do_sasl_gssapi_bind() conn.do_sasl_gssapi_bind()
entry = conn.get_entry(DN(('cn', 'IPA Version Replication'), entry = conn.get_entry(DN(('cn', 'IPA Version Replication'),
@ -217,7 +218,8 @@ class ReplicationManager(object):
else: else:
self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT) self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT)
if dirman_passwd: if dirman_passwd:
self.conn.do_simple_bind(bindpw=dirman_passwd) self.conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
else: else:
self.conn.do_sasl_gssapi_bind() self.conn.do_sasl_gssapi_bind()
else: else:
@ -1009,7 +1011,7 @@ class ReplicationManager(object):
start_tls=True) start_tls=True)
if r_bindpw: if r_bindpw:
r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw) r_conn.simple_bind(r_binddn, r_bindpw)
else: else:
r_conn.do_sasl_gssapi_bind() r_conn.do_sasl_gssapi_bind()
@ -1115,7 +1117,7 @@ class ReplicationManager(object):
def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw): def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw):
r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT) r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT)
if r_bindpw: if r_bindpw:
r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw) r_conn.simple_bind(r_binddn, r_bindpw)
else: else:
r_conn.do_sasl_gssapi_bind() r_conn.do_sasl_gssapi_bind()
@ -1145,7 +1147,7 @@ class ReplicationManager(object):
# allow connections using two different CA certs # allow connections using two different CA certs
r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT) r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT)
if r_bindpw: if r_bindpw:
r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw) r_conn.simple_bind(r_binddn, r_bindpw)
else: else:
r_conn.do_sasl_gssapi_bind() r_conn.do_sasl_gssapi_bind()
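Review bot: In convert_to_gssapi_replication and the two sibling hunks, `r_binddn` is forwarded positionally into `r_conn.simple_bind(r_binddn, r_bindpw)`, and simple_bind no longer maps `None` to an empty DN in this commit, so a caller that supplies a password without a DN now trips simple_bind's isinstance assert instead of attempting an unauthenticated bind; whether any caller does that is not visible here. The method signature at the top of the hunk takes `r_binddn` untyped, so stating the requirement in the docstring, and writing the call in the keyword form used everywhere else in this commit, `r_conn.simple_bind(bind_dn=r_binddn, bind_password=r_bindpw)`, would make the contract explicit. The rest of each method is outside the hunk.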


@ -51,8 +51,6 @@ from .common import BaseServer
if six.PY3: if six.PY3:
unicode = str unicode = str
DIRMAN_DN = DN(('cn', 'directory manager'))
def get_dirman_password(): def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", return installutils.read_password("Directory Manager (existing master)",
@ -637,7 +635,7 @@ def install_check(installer):
replman = None replman = None
try: try:
# Try out the password # Try out the password
conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
tls_cacertfile=cafile) tls_cacertfile=cafile)
replman = ReplicationManager(config.realm_name, replman = ReplicationManager(config.realm_name,
config.master_host_name, config.master_host_name,
@ -791,7 +789,7 @@ def install(installer):
remote_api = installer._remote_api remote_api = installer._remote_api
conn = remote_api.Backend.ldap2 conn = remote_api.Backend.ldap2
try: try:
conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password, conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
tls_cacertfile=cafile) tls_cacertfile=cafile)
# Install CA cert so that we can do SSL connections with ldap # Install CA cert so that we can do SSL connections with ldap


@ -64,7 +64,8 @@ class test_update(unittest.TestCase):
raise nose.SkipTest("No directory manager password") raise nose.SkipTest("No directory manager password")
self.updater = LDAPUpdate(dm_password=self.dm_password, sub_dict={}) self.updater = LDAPUpdate(dm_password=self.dm_password, sub_dict={})
self.ld = ipaldap.IPAdmin(fqdn) self.ld = ipaldap.IPAdmin(fqdn)
self.ld.do_simple_bind(bindpw=self.dm_password) self.ld.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=self.dm_password)
self.testdir = os.path.abspath(os.path.dirname(__file__)) self.testdir = os.path.abspath(os.path.dirname(__file__))
if not ipautil.file_exists(os.path.join(self.testdir, if not ipautil.file_exists(os.path.join(self.testdir,
"0_reset.update")): "0_reset.update")):


@ -47,7 +47,7 @@ class Host(pytest_multihost.host.Host):
ldap = IPAdmin(self.external_hostname) ldap = IPAdmin(self.external_hostname)
binddn = self.config.dirman_dn binddn = self.config.dirman_dn
self.log.info('LDAP bind as %s' % binddn) self.log.info('LDAP bind as %s' % binddn)
ldap.do_simple_bind(binddn, self.config.dirman_password) ldap.simple_bind(binddn, self.config.dirman_password)
return ldap return ldap
@classmethod @classmethod