From e4877c946f71b2d091d01edfd64768ce7a7a47ee Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 28 Sep 2009 23:34:15 -0400
Subject: [PATCH] Only initialize the API once in the installer
Make the ldap2 plugin schema loader ignore SERVER_DOWN errors
525303
---
 install/tools/ipa-replica-install | 20 ++++++++------------
 install/tools/ipa-server-install | 20 ++++++++------------
 ipaserver/plugins/dogtag.py | 9 ++++++---
 ipaserver/plugins/ldap2.py | 22 ++++++++++++++--------
 4 files changed, 36 insertions(+), 35 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 1584dd58c..e8fabd705 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -32,7 +32,6 @@ from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
 from ipaserver import ipaldap
 from ipapython import version
 from ipalib import api, util
-from ipalib.constants import DEFAULT_CONFIG
 CACERT="/usr/share/ipa/html/ca.crt"
@@ -134,14 +133,6 @@ def install_ca(config):
 # FIXME, need to pass along the CA plugin to use
 cafile = config.dir + "/ca.p12"
- # Just initialize the environment. This is so the installer can have
- # access to the plugin environment
- api.env._bootstrap()
- default_config = dict(DEFAULT_CONFIG)
- if ipautil.file_exists(cafile):
- default_config['ra_plugin'] = 'dogtag'
- api.env._finalize_core(**default_config)
-
 if not ipautil.file_exists(cafile):
 return None
@@ -320,6 +311,14 @@ def main():
 except ldap.INVALID_CREDENTIALS, e :
 sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
+ if ipautil.file_exists(config.dir + "/ca.p12"):
+ ca_type = 'dogtag'
+ else:
+ ca_type = 'selfsign'
+
+ api.bootstrap(in_server=True, ra_plugin=ca_type)
+ api.finalize()
+
 # Install CA cert so that we can do SSL connections with ldap
 install_ca_cert(config)
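Review bot: The `ca_type` decision at the top of the added block re-derives the CA bundle path as `config.dir + "/ca.p12"`, while `install_ca` in the hunk above tests the same path under the name `cafile`; the two can drift apart, so compute it once (e.g. `cafile = config.dir + "/ca.p12"` in `main()`) and hand it to `install_ca`. The move of `api.bootstrap`/`api.finalize()` ahead of `install_ca_cert(config)` also means plugin module-level code now runs before the CA certificate is in place — the ldap2 plugin in this same patch does `_schema = _load_schema(api.env.ldap_uri)` at import, which is presumably why SERVER_DOWN is now swallowed there. A one-line comment here would save the next reader that archaeology: `# finalize() imports plugins; ldap2 probes the (not yet reachable) LDAP server here and tolerates SERVER_DOWN`. The body of `main()` continues past the hunk.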
@@ -379,9 +378,6 @@ def main():
 service.restart("krb5kdc")
 if options.setup_dns:
- # First bootstrap the plug-in framework
- api.bootstrap(in_server=True)
- api.finalize()
 api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=config.dirman_password)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 3aa6fae2f..094654dbf 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -52,7 +52,6 @@ from ipaserver.install.installutils import *
 from ipapython import sysrestore
 from ipapython.ipautil import *
 from ipalib import api, util
-from ipalib.constants import DEFAULT_CONFIG
 pw_name = None
@@ -402,14 +401,6 @@ def main():
 signal.signal(signal.SIGTERM, signal_handler)
 signal.signal(signal.SIGINT, signal_handler)
- # Just initialize the environment. This is so the installer can have
- # access to the plugin environment
- api.env._bootstrap()
- default_config = dict(DEFAULT_CONFIG)
- if options.ca:
- default_config['ra_plugin'] = 'dogtag'
- api.env._finalize_core(**default_config)
-
 if options.uninstall:
 standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug)
 else:
@@ -419,6 +410,14 @@ def main():
 global fstore
 fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+ if options.ca:
+ ca_type = 'dogtag'
+ else:
+ ca_type = 'selfsign'
+
+ api.bootstrap(in_server=True, ra_plugin=ca_type)
+ api.finalize()
+
 if options.uninstall:
 if not options.unattended:
 print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n"
@@ -712,9 +711,6 @@ def main():
 bind = bindinstance.BindInstance(fstore, dm_password)
 bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders)
 if options.setup_dns:
- # First bootstrap the plug-in framework
- api.bootstrap(in_server=True)
- api.finalize()
 api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
 bind.create_instance()
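Review bot: The `api.bootstrap(in_server=True, ra_plugin=ca_type)` / `api.finalize()` pair in the `@@ -419` hunk now runs before the `if options.uninstall:` branch, so an uninstall also instantiates the RA plugin selected from the command-line `options.ca` flag rather than from what is actually installed on the host; whether the dogtag plugin's constructor tolerates that depends on the password-file fallback added elsewhere in this patch, and nothing here says the early bootstrap is deliberate. A comment would make the contract explicit, e.g. `# bootstrap once for the whole run (install and uninstall); the RA plugin must not contact the CA until it is set up`. The same dogtag/selfsign selection is duplicated in ipa-replica-install keyed on a file rather than a flag, which is worth a pointer here so the two stay in step. `main()` extends on both sides of the hunk.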
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 2b1e84e7a..1bbabbf7c 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -60,9 +60,12 @@ class ra(rabase.rabase):
 self.ipa_key_size = "2048"
 self.ipa_certificate_nickname = "ipaCert"
 self.ca_certificate_nickname = "caCert"
- f = open(self.pwd_file, "r")
- self.password = f.readline().strip()
- f.close()
+ try:
+ f = open(self.pwd_file, "r")
+ self.password = f.readline().strip()
+ f.close()
+ except IOError:
+ self.password = ''
 super(ra, self).__init__()
 def _request(self, url, **kw):
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 0deded937..1b133e570 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -121,12 +121,15 @@ def _get_url(host, port, using_cacert=False):
 # retrieves LDAP schema from server
 def _load_schema(url):
+ global _schema
 try:
 conn = _ldap.initialize(url)
 # assume anonymous access is enabled
 conn.simple_bind_s('', '')
 schema_entry = conn.search_s('cn=schema', _ldap.SCOPE_BASE)[0]
 conn.unbind_s()
+ except _ldap.SERVER_DOWN:
+ return None
 except _ldap.LDAPError, e:
 # TODO: raise a more appropriate exception
 _handle_errors(e, **{})
@@ -142,8 +145,9 @@ def _load_schema(url):
 _schema = _load_schema(api.env.ldap_uri)
 def _get_syntax(attr, value):
- schema = api.Backend.ldap2._schema
- obj = schema.get_obj(_ldap.schema.AttributeType, attr)
+ global _schema
+
+ obj = _schema.get_obj(_ldap.schema.AttributeType, attr)
 if obj is not None:
 return obj.syntax
 else:
@@ -176,7 +180,6 @@ class ldap2(CrudBackend, Encoder):
 self.encoder_settings.decode_dict_vals_table_keygen = _get_syntax
 self.encoder_settings.decode_postprocessor = lambda x: string.lower(x)
 self._ldapuri = api.env.ldap_uri
- self._schema = _schema
 CrudBackend.__init__(self)
 def __del__(self):
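Review bot: The new `except IOError:` in `ra.__init__` silently downgrades a missing or unreadable RA password file to an empty password, so a mis-permissioned `pwd_file` on a live server is only noticed later when a CA request fails far from the cause, with no log line pointing back here. If the intent is only to tolerate the file not existing yet while the installer bootstraps the API (the dogtag CA presumably writes it later), catch that single case via `e.errno == errno.ENOENT` and re-raise anything else. The `f.close()` is also skipped when `readline()` raises; a `with` block (needs `import errno` at the top, and Python 2.6+ for `with`) closes the handle on both paths. `__init__` starts before the hunk.
```python
        try:
            with open(self.pwd_file, "r") as f:
                self.password = f.readline().strip()
        except IOError, e:
            # Only a not-yet-created file is expected (the installer loads this
            # plugin before the CA is set up); anything else is a real fault.
            if e.errno != errno.ENOENT:
                raise
            self.password = ''
        # … unchanged: super(ra, self).__init__() …
```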
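Review bot: The `global _schema` added at the top of `_load_schema` is dead: the function never assigns `_schema`, it returns the loaded schema (or now `None`) for the module-level `_schema = _load_schema(api.env.ldap_uri)` to bind, so the line should go. More importantly, `except _ldap.SERVER_DOWN: return None` is the one LDAP failure that no longer goes through `_handle_errors` and it leaves no trace; it surfaces later as an AttributeError in whichever caller first dereferences `_schema`. State the contract and the reason where the `None` is produced, e.g. `# Tolerate an unreachable server: the installer imports this plugin before the DS instance exists. Callers must cope with _schema being None.` Note also that the unchanged `simple_bind_s('', '')` fetches the schema anonymously, so a server with anonymous access disabled still raises here rather than returning `None`. `_load_schema` continues past the hunk.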
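Review bot: `_schema.get_obj(_ldap.schema.AttributeType, attr)` in `_get_syntax` now reads a module global that `_load_schema` can leave as `None` (the SERVER_DOWN branch above), so decoding an entry while the schema is unavailable raises AttributeError instead of falling into the unknown-attribute path; guard it with `obj = _schema.get_obj(_ldap.schema.AttributeType, attr) if _schema is not None else None`. The `global _schema` statement is unnecessary here because the name is only read, and it invites the reader to look for an assignment that does not exist. The `else:` branch of the function lies outside the hunk.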
@@ -204,12 +207,13 @@ class ldap2(CrudBackend, Encoder):
 Extends backend.Connectible.create_connection.
 """
+ global _schema
 if ldapuri is not None:
 self._ldapuri = ldapuri
 # if we don't have this server's schema cached, do it now
- if self._ldapuri != api.env.ldap_uri:
- self._schema = _load_schema(self._ldapuri)
+ if self._ldapuri != api.env.ldap_uri or _schema is None:
+ _schema = _load_schema(self._ldapuri)
 if tls_cacertfile is not None:
 _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
@@ -304,9 +308,10 @@ class ldap2(CrudBackend, Encoder):
 preferred_names -- list of preferred synomyms or None for defaults (default None)
 """
+ global _schema
 if preferred_names:
 for n in preferred_names:
- attr = self._schema.get_obj(_ldap.schema.AttributeType, n)
+ attr = _schema.get_obj(_ldap.schema.AttributeType, n)
 synonyms = [v.lower() for v in attr.names]
 synonyms.remove(n)
 for s in synonyms:
@@ -315,7 +320,7 @@ class ldap2(CrudBackend, Encoder):
 del entry_attrs[s]
 else:
 for (k, v) in entry_attrs.items():
- attr = self._schema.get_obj(_ldap.schema.AttributeType, k)
+ attr = _schema.get_obj(_ldap.schema.AttributeType, k)
 synonyms = [v.lower() for v in attr.names]
 preferred_name = synonyms[0]
 if k in synonyms[1:]:
@@ -492,8 +497,9 @@ class ldap2(CrudBackend, Encoder):
 return self.find_entries(filter, None, 'cn=etc', self.SCOPE_ONELEVEL)[0][0]
 def get_schema(self):
+ global _schema
 """Returns a copy of the current LDAP schema."""
- return copy.deepcopy(self._schema)
+ return copy.deepcopy(_schema)
 @encode_args(1, 2)
 def get_effective_rights(self, dn, entry_attrs):
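Review bot: After `_schema = _load_schema(self._ldapuri)` in `create_connection` the result is not checked, so when the server is still down the global stays `None` and connection setup carries on; the first entry decode then fails with an AttributeError instead of the connection error that `_handle_errors` produces for every other LDAP failure in `_load_schema`. This is the one place that retries, so it is the right place to fail loudly: after the reload, `if _schema is None:` raise the same error `_handle_errors` maps SERVER_DOWN to (that mapping is not visible in the hunk). Making `_schema` module-global also means a connection to a non-default `ldapuri` replaces the schema for every `ldap2` instance in the process, where the removed `self._schema` kept it per backend; if that is intended, say so above the `if`, e.g. `# schema is process-wide: connecting to another server replaces it for all backends`. `create_connection` starts and ends outside the hunk.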
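Review bot: In `get_schema` the added `global _schema` sits between the `def` line and `"""Returns a copy of the current LDAP schema."""`, so the docstring is no longer the first statement and stops being `get_schema.__doc__`, degrading to a no-op string expression. The `global` statement is not needed for a read, so drop it (or at minimum move it below the docstring). Since `_schema` may now be `None` after a failed load, `copy.deepcopy(_schema)` quietly hands `None` to callers; the docstring should say so: `"""Returns a copy of the current LDAP schema, or None if it could not be loaded."""`.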