Fix ipa-compat-manage and ipa-nis-manage

Neither of these was working properly, I assume due to changes in the ldap backend. The normalizer now appends the basedn if it isn't included and this was causing havoc with these utilities. After fixing the basics I found a few corner cases that I also addressed: - you can't/shouldn't disable compat if the nis plugin is enabled - we always want to load the nis LDAP update so we get the netgroup config - LDAPupdate.update() returns True/False, not an integer I took some time and fixed up some things pylint complained about too. Ticket #83
2025-01-26 16:16:31 -06:00 · 2010-07-14 13:56:46 -04:00 · 2010-07-14 13:56:46 -04:00 · ed488c6349
commit ed488c6349
parent 18476c9538
2 changed files with 100 additions and 54 deletions
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@ -22,18 +22,12 @@
 import sys
 try:
    from optparse import OptionParser
-    from ipapython import entity, ipautil, config
+    from ipapython import ipautil, config
    from ipaserver.install import installutils
-    from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
+    from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
    from ipaserver.plugins.ldap2 import ldap2
-    from ipalib import errors
+    from ipalib import api, errors
    import logging
-    import re
-    import krbV
-    import platform
-    import shlex
-    import time
-    import random
 except ImportError:
    print >> sys.stderr, """\
 There was a problem importing one of the required Python modules. The
@ -43,6 +37,8 @@ error was:
 """ % sys.exc_value
    sys.exit(1)

+netgroup_compat_dn = "cn=ng,cn=Schema Compatibility,cn=plugins,cn=config"
+
 def parse_options():
    usage = "%prog [options] <enable|disable>\n"
    usage += "%prog [options]\n"
@ -71,7 +67,7 @@ def get_dirman_password():
 def main():
    retval = 0
    loglevel = logging.ERROR
-    files=['/usr/share/ipa/schema_compat.uldif']
+    files = ['/usr/share/ipa/schema_compat.uldif']

    options, args = parse_options()
    if options.debug:
@ -94,6 +90,9 @@ def main():
    else:
        dirman_password = get_dirman_password()

+    api.bootstrap(context='cli', debug=options.debug)
+    api.finalize()
+
    conn = None
    try:
        ldapuri = 'ldap://%s' % installutils.get_fqdn()
@ -102,42 +101,57 @@ def main():
            conn.connect(
                bind_dn='cn=directory manager', bind_pw=dirman_password
            )
-        except errors.LDAPError, e:
+        except errors.LDAPError, lde:
            print "An error occurred while connecting to the server."
-            print e
+            print lde
            return 1

        if args[0] == "enable":
            try:
-                conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config')
+                conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config', normalize=False)
                print "Plugin already Enabled"
                retval = 2
            except errors.NotFound:
                print "Enabling plugin"
-            except errors.LDAPError, e:
+            except errors.LDAPError, lde:
                print "An error occurred while talking to the server."
-                print e
+                print lde
                retval = 1

            if retval == 0:
                ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
-                retval = ld.update(files)
-                if retval == 0:
+                rv = ld.update(files)
+                if rv:
                    print "This setting will not take effect until you restart Directory Server."
+                else:
+                    print "Updating Directory Server failed."
+                    retval = 1

        elif args[0] == "disable":
-            # Make a quick hack foir now, directly delete the entries by name,
+            # We can't disable schema compat if the NIS plugin is enabled
+            try:
+                conn.get_entry(netgroup_compat_dn, normalize=False)
+                print "The NIS plugin is configured, cannot disable compatibility."
+                print "Run 'ipa-nis-manage disable' first."
+                return 2
+            except errors.NotFound:
+                pass
+            # Make a quick hack for now, directly delete the entries by name,
            # In future we should add delete capabilites to LDAPUpdate
            try:
-                conn.delete_entry('cn=groups,cn=Schema Compatibility,cn=plugins,cn=config')
-                conn.delete_entry('cn=users,cn=Schema Compatibility,cn=plugins,cn=config')
-                conn.delete_entry('cn=Schema Compatibility,cn=plugins,cn=config')
+                conn.delete_entry('cn=groups,cn=Schema Compatibility,cn=plugins,cn=config', normalize=False)
+                conn.delete_entry('cn=users,cn=Schema Compatibility,cn=plugins,cn=config', normalize=False)
+                conn.delete_entry('cn=Schema Compatibility,cn=plugins,cn=config', normalize=False)
            except errors.NotFound:
                print "Plugin is already disabled"
                retval = 2
-            except errors.LDAPError, e:
+            except errors.DatabaseError, dbe:
                print "An error occurred while talking to the server."
-                print e
+                print lde
+                retval = 1
+            except errors.LDAPError, lde:
+                print "An error occurred while talking to the server."
+                print lde
                retval = 1

        else:
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@ -22,11 +22,11 @@
 import sys
 try:
    from optparse import OptionParser
-    from ipapython import entity, ipautil, config
+    from ipapython import ipautil, config
    from ipaserver.install import installutils
-    from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
+    from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
    from ipaserver.plugins.ldap2 import ldap2
-    from ipalib import errors
+    from ipalib import api, errors
    import logging
 except ImportError:
    print >> sys.stderr, """\
@ -38,6 +38,7 @@ error was:
    sys.exit(1)

 nis_config_dn = "cn=NIS Server, cn=plugins, cn=config"
+compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config"

 def parse_options():
    usage = "%prog [options] <enable|disable>\n"
@ -64,10 +65,14 @@ def get_dirman_password():

    return password

-def get_nis_config(conn):
+def get_entry(dn, conn):
+    """
+    Return the entry for the given DN. If the entry is not found return
+    None.
+    """
    entry = None
    try:
-        (dn, entry) = conn.get_entry(nis_config_dn)
+        (dn, entry) = conn.get_entry(dn, normalize=False)
    except errors.NotFound:
        pass
    return entry
@ -75,7 +80,7 @@ def get_nis_config(conn):
 def main():
    retval = 0
    loglevel = logging.ERROR
-    files=['/usr/share/ipa/nis.uldif']
+    files = ['/usr/share/ipa/nis.uldif']
    servicemsg = ""

    options, args = parse_options()
@ -99,6 +104,9 @@ def main():
    else:
        dirman_password = get_dirman_password()

+    api.bootstrap(context='cli', debug=options.debug)
+    api.finalize()
+
    conn = None
    try:
        ldapuri = 'ldap://%s' % installutils.get_fqdn()
@ -107,62 +115,86 @@ def main():
            conn.connect(
                bind_dn='cn=directory manager', bind_pw=dirman_password
            )
-        except errors.LDAPError, e:
+        except errors.LDAPError, lde:
            print "An error occurred while connecting to the server."
-            print e
+            print lde
            return 1

        if args[0] == "enable":
+            compat = get_entry(compat_dn, conn)
+            if compat is None:
+                print "The compat plugin needs to be enabled: ipa-compat-manage enable"
+                return 1
            entry = None
            try:
-                entry = get_nis_config(conn)
-            except errors.LDAPError, e:
+                entry = get_entry(nis_config_dn, conn)
+            except errors.LDAPError, lde:
                print "An error occurred while talking to the server."
-                print e
+                print lde
                retval = 1

            # Enable either the portmap or rpcbind service
            try:
                ipautil.run(["/sbin/chkconfig", "portmap", "on"])
                servicemsg = "portmap"
-            except ipautil.CalledProcessError, e:
-                if e.returncode == 1:
+            except ipautil.CalledProcessError, cpe:
+                if cpe.returncode == 1:
                    try:
                        ipautil.run(["/sbin/chkconfig", "rpcbind", "on"])
                        servicemsg = "rpcbind"
-                    except ipautil.CalledProcessError, e:
+                    except ipautil.CalledProcessError, cpe:
                        print "Unable to enable either portmap or rpcbind"
                        retval = 3

-            if entry is None:
+            # The cn=config entry for the plugin may already exist but it
+            # could be turned off, handle both cases.
+            if (entry is None or
+              entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off'):
+                # Already configured, just enable the plugin
                print "Enabling plugin"
-
-                if entry is None:
-                    # Load the plugin configuration
-                    ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
-                    retval = ld.update(files)
+                ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
+                if ld.update(files) != True:
+                    retval = 1
+                mod = {'nsslapd-pluginenabled': 'on'}
+                try:
+                    conn.update_entry(nis_config_dn, mod, normalize=False)
+                except errors.EmptyModlist:
+                    # plugin is already enabled, silently continue
+                    pass
            else:
-                if entry.get('nsslapd-pluginenabled', '').lower() == 'off':
-                    # Already configured, just enable the plugin
-                    print "Enabling plugin"
-                    mod = {'nsslapd-pluginenabled': 'on'}
-                    conn.update_entry(nis_config_dn, mod)
-                else:
-                    print "Plugin already Enabled"
-                    retval = 2
+                print "Plugin already Enabled"
+                retval = 2

        elif args[0] == "disable":
            try:
                mod = {'nsslapd-pluginenabled': 'off'}
-                conn.update_entry(nis_config_dn, mod)
+                conn.update_entry(nis_config_dn, mod, normalize=False)
            except errors.NotFound:
                print "Plugin is already disabled"
                retval = 2
-            except errors.LDAPError, e:
+            except errors.EmptyModlist:
+                print "Plugin is already disabled"
+                retval = 2
+            except errors.LDAPError, lde:
                print "An error occurred while talking to the server."
-                print e
+                print lde
                retval = 1

+            # delete the netgroups compat area.
+            try:
+                conn.delete_entry('cn=ng,cn=Schema Compatibility,cn=plugins,cn=config', normalize=False)
+            except errors.NotFound:
+                pass
+            except errors.DatabaseError, dbe:
+                print "An error occurred while talking to the server."
+                print lde
+                retval = 1
+            except errors.LDAPError, lde:
+                print "An error occurred while talking to the server."
+                print lde
+                retval = 1
+
+
        else:
            retval = 1