Make ipa-join work against an LDAP server that disallows anon binds

We determine the realm in the client installer so we can deduce
the base dn, pass that into ipa-join so we don't have to hunt for
it.

Re-order the bind when doing an OTP enrollment so we can use the host
entry to authenticate before we retrieve the subject base, then initiate
the enrollment.

If ipa-join is called without a basedn it will still attempt to
determine it, but it will fail if anonymous binds are not allowed.

https://fedorahosted.org/freeipa/ticket/1935
Rob Crittenden
2011-10-11 17:30:33 -04:00
parent 498311d2ef
commit f2fb6552c9
3 changed files with 94 additions and 109 deletions


@@ -31,7 +31,7 @@ try:
from ipaclient import ipadiscovery
import ipaclient.ipachangeconf
import ipaclient.ntpconf
from ipapython.ipautil import run, user_input, CalledProcessError, file_exists
from ipapython.ipautil import run, user_input, CalledProcessError, file_exists, realm_to_suffix
import ipapython.services as ipaservices
from ipapython import ipautil
from ipapython import dnsclient
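Review bot: style point on the changed import line: it now runs well past the usual line length by appending `realm_to_suffix` to an already long `from ipapython.ipautil import ...` statement. Since the module already does `from ipapython import ipautil` two lines later, consider calling `ipautil.realm_to_suffix(...)` at the use site instead, or wrap the import in parentheses across two lines to keep it readable.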
@@ -942,7 +942,7 @@ def install(options, env, fstore, statestore):
print "Test kerberos configuration failed"
return CLIENT_INSTALL_ERROR
env['KRB5_CONFIG'] = krb_name
join_args = ["/usr/sbin/ipa-join", "-s", cli_server]
join_args = ["/usr/sbin/ipa-join", "-s", cli_server, "-b", realm_to_suffix(cli_realm)]
if options.debug:
join_args.append("-d")
if options.hostname:
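Review bot: the new `-b` argument derives the base DN purely from `cli_realm` via `realm_to_suffix`, which assumes the server's suffix follows the `dc=` convention for the realm name; a deployment whose suffix differs from that convention will be handed a wrong base DN here and the join will fail even though the old discovery path might have found the correct value. Please also confirm that `cli_realm` is guaranteed to be set at this point for every install path (user-supplied as well as discovered), since `realm_to_suffix` has nothing to work with otherwise, and note the convention assumption in the commit message or a comment next to the `join_args` line.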