user, migration: use LDAPClient for ad-hoc LDAP connections

Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipaserver/plugins/migration.py

@@ -28,13 +28,9 @@ from ipalib import Command, Password, Str, Flag, StrEnum, DNParam, Bool
 from ipalib.cli import to_cli
 from ipalib.plugable import Registry
 from .user import NO_UPG_MAGIC
-if api.env.in_server and api.env.context in ['lite', 'server']:
-    try:
-        from ipaserver.plugins.ldap2 import ldap2
-    except Exception as e:
-        raise e
 from ipalib import _
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import write_tmp_file
 from ipapython.kerberos import Principal
 import datetime
@@ -885,8 +881,6 @@ migration process might be incomplete\n''')
             return dict(result={}, failed={}, enabled=False, compat=True)
 
         # connect to DS
-        ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
-
         cacert = None
         if options.get('cacertfile') is not None:
             # store CA cert into file
@@ -894,12 +888,13 @@ migration process might be incomplete\n''')
             cacert = tmp_ca_cert_f.name
 
             # start TLS connection
-            ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
+            ds_ldap = LDAPClient(ldapuri, cacert=cacert)
-                            cacert=cacert)
+            ds_ldap.simple_bind(options['binddn'], bindpw)
 
             tmp_ca_cert_f.close()
         else:
-            ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+            ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+            ds_ldap.simple_bind(options['binddn'], bindpw)
 
         # check whether the compat plugin is enabled
         if not options.get('compat'):

ipaserver/plugins/user.py

@@ -21,7 +21,7 @@
 import time
 from time import gmtime, strftime
 import posixpath
-import os
+
 import six
 
 from ipalib import api
@@ -63,12 +63,10 @@ from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipalib.capabilities import client_has_capability
 
-if api.env.in_server:
-    from ipaserver.plugins.ldap2 import ldap2
-
 if six.PY3:
     unicode = str
 
@@ -1119,9 +1117,9 @@ class user_status(LDAPQuery):
             if host == api.env.host:
                 other_ldap = self.obj.backend
             else:
-                other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host)
                 try:
-                    other_ldap.connect(ccache=os.environ['KRB5CCNAME'])
+                    other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
+                    other_ldap.gssapi_bind()
                 except Exception as e:
                     self.error("user_status: Connecting to %s failed with %s" % (host, str(e)))
                     newresult = {'dn': dn}
@@ -1166,7 +1164,7 @@ class user_status(LDAPQuery):
                 count += 1
 
             if host != api.env.host:
-                other_ldap.disconnect()
+                other_ldap.close()
 
         return dict(result=entries,
                     count=count,