From fa58071221bfb37159db6d6dc4f3bcfd088d80b1 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 9 Oct 2020 10:11:53 +0200
Subject: [PATCH] Reuse main LDAP connection
cainstance and krainstance now reuse the main LDAP connection api.Backend.ldap2 in all helper functions. Some functions used to create and tear down their own LDAP connection. This was a remnant of the old CA LDAP instance in FreeIPA 3.x.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes
Reviewed-By: Fraser Tweedale
Reviewed-By: Alexander Bokovoy
---
 ipaserver/install/cainstance.py | 43 +++++++++----------------------
 ipaserver/install/krainstance.py | 9 ++-----
 2 files changed, 14 insertions(+), 38 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 7ca492b6a..fca829de0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -60,7 +60,6 @@ from ipaserver.install import installutils
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from ipaserver.install.dogtaginstance import DogtagInstance, INTERNAL_TOKEN
-from ipaserver.plugins import ldap2
 from ipaserver.masters import ENABLED_SERVICE
 logger = logging.getLogger(__name__)
@@ -739,10 +738,7 @@ class CAInstance(DogtagInstance):
 Create CA agent, assign a certificate, and add the user to the appropriate groups for accessing CA services.
 """
-
- # connect to CA database
- conn = ldap2.ldap2(api)
- conn.connect(autobind=True)
+ conn = api.Backend.ldap2
 # create ipara user with RA certificate
 user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
@@ -772,8 +768,6 @@ class CAInstance(DogtagInstance):
 self.basedn)
 conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
- conn.disconnect()
-
 def __get_ca_chain(self):
 try:
 return dogtag.get_ca_certchain(ca_host=self.fqdn)
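Review bot: The CA agent method now assumes `api.Backend.ldap2` is already bound, but nothing in the hunk checks it; the removed lines opened their own LDAPI connection with `autobind=True`, so a caller that never connected the shared backend would presumably fail at the first LDAP operation on `conn`, and the bind identity used for the writes is now whichever one the caller established rather than the autobind identity. I would make the precondition explicit right after the assignment: `if not conn.isconnected():` / `    raise RuntimeError("api.Backend.ldap2 must be connected before creating the CA agent")`. The same applies to `ensure_entry` at @@ -1760, where the old `if not conn.isconnected(): conn.connect(autobind=True)` guard is dropped without replacement, to `import_included_profiles` at @@ -1879, and to the KRA agent method at @@ -233 in krainstance.py. The enclosing method starts outside the hunk.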
@@ -1561,18 +1555,14 @@ def __update_entry_from_cert(make_filter, make_entry, cert):
 vacuously successful) otherwise ``False``.
 """
- base_dn = DN(('o', 'ipaca'))
+ conn = api.Backend.ldap2
 attempts = 0
 updated = False
 while attempts < 10:
- conn = None
 try:
- conn = ldap2.ldap2(api)
- conn.connect(autobind=True)
-
 db_filter = make_filter(cert)
 try:
 entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter)
@@ -1606,9 +1596,6 @@ def __update_entry_from_cert(make_filter, make_entry, cert):
 except Exception as e:
 syslog.syslog(syslog.LOG_ERR, 'Caught unhandled exception: %s' % e)
 break
- finally:
- if conn is not None and conn.isconnected():
- conn.disconnect()
 if not updated:
 syslog.syslog(syslog.LOG_ERR, 'Update failed.')
@@ -1622,16 +1609,17 @@ def update_people_entry(cert):
 is needed when a certificate is renewed.
 """
 def make_filter(cert):
+ ldap = api.Backend.ldap2
 subject = DN(cert.subject)
 issuer = DN(cert.issuer)
- return ldap2.ldap2.combine_filters(
+ return ldap.combine_filters(
 [
- ldap2.ldap2.make_filter({'objectClass': 'inetOrgPerson'}),
- ldap2.ldap2.make_filter(
+ ldap.make_filter({'objectClass': 'inetOrgPerson'}),
+ ldap.make_filter(
 {'description': ';%s;%s' % (issuer, subject)},
 exact=False, trailing_wildcard=False),
 ],
- ldap2.ldap2.MATCH_ALL)
+ ldap.MATCH_ALL)
 def make_entry(cert, entry):
 serial_number = cert.serial_number
@@ -1650,10 +1638,11 @@ def update_authority_entry(cert):
 serial number to match the given cert.
 """
 def make_filter(cert):
+ ldap = api.Backend.ldap2
 subject = str(DN(cert.subject))
- return ldap2.ldap2.make_filter(
+ return ldap.make_filter(
 dict(objectclass='authority', authoritydn=subject),
- rules=ldap2.ldap2.MATCH_ALL,
+ rules=ldap.MATCH_ALL,
 )
 def make_entry(cert, entry):
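Review bot: `base_dn = DN(('o', 'ipaca'))` is removed at the top of `__update_entry_from_cert`, yet the context line `entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter)` still reads it, so unless a module-level `base_dn` exists outside the hunk every call raises NameError. The broad `except Exception as e:` branch visible at @@ -1606 would catch it, so the failure would only show up as the syslog messages 'Caught unhandled exception' and 'Update failed.', meaning the people and authority entries would quietly stop being updated on renewal. The assignment should stay next to the new one: `base_dn = DN(('o', 'ipaca'))` / `conn = api.Backend.ldap2`. The function's body continues past the hunk.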
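Review bot: In `make_filter` at @@ -1622 (and again at @@ -1650) the local `ldap` is used only as a namespace for `combine_filters`, `make_filter` and `MATCH_ALL`, which the removed lines called on the class, so no bound connection is involved and binding the backend instance here reads as if one were; if this module also imports the python-ldap package as `ldap`, the local shadows it inside the closure. A one-line comment such as `# filter-building helpers only; no LDAP connection is used here`, or a less overloaded local name, would make the intent clear.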
@@ -1760,10 +1749,7 @@ def ensure_entry(dn, **attrs):
 otherwise add the entry and return ``True``.
 """
- conn = ldap2.ldap2(api)
- if not conn.isconnected():
- conn.connect(autobind=True)
-
+ conn = api.Backend.ldap2
 try:
 conn.get_entry(dn)
 return False
@@ -1772,8 +1758,6 @@ def ensure_entry(dn, **attrs):
 entry = conn.make_entry(dn, **attrs)
 conn.add_entry(entry)
 return True
- finally:
- conn.disconnect()
 def configure_profiles_acl():
@@ -1879,9 +1863,7 @@ def __get_profile_config(profile_id):
 return ipautil.template_file(profile_filename, sub_dict)
 def import_included_profiles():
- conn = ldap2.ldap2(api)
- if not conn.isconnected():
- conn.connect(autobind=True)
+ conn = api.Backend.ldap2
 ensure_entry(
 DN(('cn', 'ca'), api.env.basedn),
@@ -1922,7 +1904,6 @@ def import_included_profiles():
 )
 api.Backend.ra_certprofile.override_port = None
- conn.disconnect()
 def repair_profile_caIPAserviceCert():
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index a5f169442..bbd2660e8 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -34,7 +34,7 @@ from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import installutils
 from ipaserver.install.dogtaginstance import DogtagInstance
-from ipaserver.plugins import ldap2
+
 logger = logging.getLogger(__name__)
@@ -233,14 +233,11 @@ class KRAInstance(DogtagInstance):
 Create KRA agent, assign a certificate, and add the user to the appropriate groups for accessing KRA services.
 """
+ conn = api.Backend.ldap2
 # get RA agent certificate
 cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
- # connect to KRA database
- conn = ldap2.ldap2(api)
- conn.connect(autobind=True)
-
 # create ipakra user with RA agent certificate
 entry = conn.make_entry(
 KRA_AGENT_DN,
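Review bot: In krainstance.py at @@ -34 the removed import is replaced by an added empty line rather than simply deleted, so the hunk keeps 7 lines on both sides and leaves two consecutive blank lines before `logger = logging.getLogger(__name__)`; drop the `+` line so the hunk is a pure removal. At @@ -233 the replacement `conn = api.Backend.ldap2` is placed above `# get RA agent certificate`, away from its first use at `conn.make_entry(`, while the step comment `# connect to KRA database` that used to introduce it is gone; keeping the assignment where the removed block was, with a short comment such as `# reuse the already-bound main LDAP connection`, preserves the method's comment-per-step layout.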
@@ -263,8 +260,6 @@ class KRAInstance(DogtagInstance):
 KRA_BASEDN)
 conn.add_entry_to_group(KRA_AGENT_DN, group_dn, 'uniqueMember')
- conn.disconnect()
-
 def __add_vault_container(self):
 self._ldap_mod(
 'vault.ldif', {'SUFFIX': self.suffix}, raise_on_err=True)