IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use EXTERNAL auth mechanism in ldapmodify

Browse Source 
Default to using the EXTERNAL authorization mechanism in calls to ldapmodify

https://fedorahosted.org/freeipa/ticket/3895
This commit is contained in:
Ana Krivokapic 2013-11-05 18:38:55 +01:00 committed by Martin Kosek
parent 3693b8e51a
commit eaaf7ed0f2
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
ipaserver/install/service.py
View File

@ -121,17 +121,15 @@ class Service(object):
self.admin_conn = conn self.admin_conn = conn
def ldap_disconnect(self): def ldap_disconnect(self):
self.admin_conn.unbind() self.admin_conn.unbind()
self.admin_conn = None self.admin_conn = None
def _ldap_mod(self, ldif, sub_dict = None): def _ldap_mod(self, ldif, sub_dict=None):
pw_name = None pw_name = None
fd = None fd = None
path = ipautil.SHARE_DIR + ldif path = ipautil.SHARE_DIR + ldif
nologlist=[] nologlist = []
if sub_dict is not None: if sub_dict is not None:
txt = ipautil.template_file(path, sub_dict) txt = ipautil.template_file(path, sub_dict)
@ -139,9 +137,9 @@ class Service(object):
path = fd.name path = fd.name
# do not log passwords # do not log passwords
if sub_dict.has_key('PASSWORD'): if 'PASSWORD' in sub_dict:
nologlist.append(sub_dict['PASSWORD']) nologlist.append(sub_dict['PASSWORD'])
if sub_dict.has_key('RANDOM_PASSWORD'): if 'RANDOM_PASSWORD' in sub_dict:
nologlist.append(sub_dict['RANDOM_PASSWORD']) nologlist.append(sub_dict['RANDOM_PASSWORD'])
args = ["/usr/bin/ldapmodify", "-v", "-f", path] args = ["/usr/bin/ldapmodify", "-v", "-f", path]
@ -152,16 +150,18 @@ class Service(object):
self.ldap_connect() self.ldap_connect()
args += ["-H", self.admin_conn.ldap_uri] args += ["-H", self.admin_conn.ldap_uri]
auth_parms = [] # If DM password is available, use it
if self.dm_password: if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp() [pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, self.dm_password) os.write(pw_fd, self.dm_password)
os.close(pw_fd) os.close(pw_fd)
auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
# Use GSSAPI auth when not using DM password or not being root
elif os.getegid() != 0:
auth_parms = ["-Y", "GSSAPI"]
# Default to EXTERNAL auth mechanism
else: else:
# always try GSSAPI auth when not using DM password or not being root auth_parms = ["-Y", "EXTERNAL"]
if os.getegid() != 0:
auth_parms = ["-Y", "GSSAPI"]
args += auth_parms args += auth_parms