Reuse main LDAP connection

cainstance and krainstance now reuse the main LDAP connection
api.Backend.ldap2 in all helper functions. Some functions used to create
and tear down their own LDAP connection. This was a remnant of the old
CA LDAP instance in FreeIPA 3.x.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Christian Heimes 2020-10-09 10:11:53 +02:00
parent a9d34c8e66
commit fa58071221
2 changed files with 14 additions and 38 deletions


@ -60,7 +60,6 @@ from ipaserver.install import installutils
from ipaserver.install import replication from ipaserver.install import replication
from ipaserver.install import sysupgrade from ipaserver.install import sysupgrade
from ipaserver.install.dogtaginstance import DogtagInstance, INTERNAL_TOKEN from ipaserver.install.dogtaginstance import DogtagInstance, INTERNAL_TOKEN
from ipaserver.plugins import ldap2
from ipaserver.masters import ENABLED_SERVICE from ipaserver.masters import ENABLED_SERVICE
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -739,10 +738,7 @@ class CAInstance(DogtagInstance):
Create CA agent, assign a certificate, and add the user to Create CA agent, assign a certificate, and add the user to
the appropriate groups for accessing CA services. the appropriate groups for accessing CA services.
""" """
conn = api.Backend.ldap2
# connect to CA database
conn = ldap2.ldap2(api)
conn.connect(autobind=True)
# create ipara user with RA certificate # create ipara user with RA certificate
user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn) user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
@ -772,8 +768,6 @@ class CAInstance(DogtagInstance):
self.basedn) self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
conn.disconnect()
def __get_ca_chain(self): def __get_ca_chain(self):
try: try:
return dogtag.get_ca_certchain(ca_host=self.fqdn) return dogtag.get_ca_certchain(ca_host=self.fqdn)
@ -1561,18 +1555,14 @@ def __update_entry_from_cert(make_filter, make_entry, cert):
vacuously successful) otherwise ``False``. vacuously successful) otherwise ``False``.
""" """
base_dn = DN(('o', 'ipaca')) base_dn = DN(('o', 'ipaca'))
conn = api.Backend.ldap2
attempts = 0 attempts = 0
updated = False updated = False
while attempts < 10: while attempts < 10:
conn = None
try: try:
conn = ldap2.ldap2(api)
conn.connect(autobind=True)
db_filter = make_filter(cert) db_filter = make_filter(cert)
try: try:
entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter) entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter)
@ -1606,9 +1596,6 @@ def __update_entry_from_cert(make_filter, make_entry, cert):
except Exception as e: except Exception as e:
syslog.syslog(syslog.LOG_ERR, 'Caught unhandled exception: %s' % e) syslog.syslog(syslog.LOG_ERR, 'Caught unhandled exception: %s' % e)
break break
finally:
if conn is not None and conn.isconnected():
conn.disconnect()
if not updated: if not updated:
syslog.syslog(syslog.LOG_ERR, 'Update failed.') syslog.syslog(syslog.LOG_ERR, 'Update failed.')
@ -1622,16 +1609,17 @@ def update_people_entry(cert):
is needed when a certificate is renewed. is needed when a certificate is renewed.
""" """
def make_filter(cert): def make_filter(cert):
ldap = api.Backend.ldap2
subject = DN(cert.subject) subject = DN(cert.subject)
issuer = DN(cert.issuer) issuer = DN(cert.issuer)
return ldap2.ldap2.combine_filters( return ldap.combine_filters(
[ [
ldap2.ldap2.make_filter({'objectClass': 'inetOrgPerson'}), ldap.make_filter({'objectClass': 'inetOrgPerson'}),
ldap2.ldap2.make_filter( ldap.make_filter(
{'description': ';%s;%s' % (issuer, subject)}, {'description': ';%s;%s' % (issuer, subject)},
exact=False, trailing_wildcard=False), exact=False, trailing_wildcard=False),
], ],
ldap2.ldap2.MATCH_ALL) ldap.MATCH_ALL)
def make_entry(cert, entry): def make_entry(cert, entry):
serial_number = cert.serial_number serial_number = cert.serial_number
@ -1650,10 +1638,11 @@ def update_authority_entry(cert):
serial number to match the given cert. serial number to match the given cert.
""" """
def make_filter(cert): def make_filter(cert):
ldap = api.Backend.ldap2
subject = str(DN(cert.subject)) subject = str(DN(cert.subject))
return ldap2.ldap2.make_filter( return ldap.make_filter(
dict(objectclass='authority', authoritydn=subject), dict(objectclass='authority', authoritydn=subject),
rules=ldap2.ldap2.MATCH_ALL, rules=ldap.MATCH_ALL,
) )
def make_entry(cert, entry): def make_entry(cert, entry):
@ -1760,10 +1749,7 @@ def ensure_entry(dn, **attrs):
otherwise add the entry and return ``True``. otherwise add the entry and return ``True``.
""" """
conn = ldap2.ldap2(api) conn = api.Backend.ldap2
if not conn.isconnected():
conn.connect(autobind=True)
try: try:
conn.get_entry(dn) conn.get_entry(dn)
return False return False
@ -1772,8 +1758,6 @@ def ensure_entry(dn, **attrs):
entry = conn.make_entry(dn, **attrs) entry = conn.make_entry(dn, **attrs)
conn.add_entry(entry) conn.add_entry(entry)
return True return True
finally:
conn.disconnect()
def configure_profiles_acl(): def configure_profiles_acl():
@ -1879,9 +1863,7 @@ def __get_profile_config(profile_id):
return ipautil.template_file(profile_filename, sub_dict) return ipautil.template_file(profile_filename, sub_dict)
def import_included_profiles(): def import_included_profiles():
conn = ldap2.ldap2(api) conn = api.Backend.ldap2
if not conn.isconnected():
conn.connect(autobind=True)
ensure_entry( ensure_entry(
DN(('cn', 'ca'), api.env.basedn), DN(('cn', 'ca'), api.env.basedn),
@ -1922,7 +1904,6 @@ def import_included_profiles():
) )
api.Backend.ra_certprofile.override_port = None api.Backend.ra_certprofile.override_port = None
conn.disconnect()
def repair_profile_caIPAserviceCert(): def repair_profile_caIPAserviceCert():
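Review bot: In `__update_entry_from_cert` (hunk @ -1561) the retry loop now reuses the shared `api.Backend.ldap2` for all ten attempts, whereas each attempt previously opened its own `ldap2.ldap2(api)` with `autobind=True`; as far as the hunk shows, an attempt that fails because the connection itself is unusable will be retried on that same connection, and the entries under `o=ipaca` are now modified under whatever bind identity the caller established rather than the explicit autobind. Consider stating both in the docstring, e.g. `Requires api.Backend.ldap2 to be connected by the caller; entries are modified under that connection's bind identity.` The same caller-must-connect precondition now applies to `ensure_entry` and `import_included_profiles`, which lose their `isconnected()` guard in this commit, and to `__create_ca_agent` here and `__create_kra_agent` in krainstance.py, none of which document it. The body of `__update_entry_from_cert` begins and ends outside the hunk.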


@ -34,7 +34,7 @@ from ipapython.dn import DN
from ipaserver.install import cainstance from ipaserver.install import cainstance
from ipaserver.install import installutils from ipaserver.install import installutils
from ipaserver.install.dogtaginstance import DogtagInstance from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.plugins import ldap2
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -233,14 +233,11 @@ class KRAInstance(DogtagInstance):
Create KRA agent, assign a certificate, and add the user to Create KRA agent, assign a certificate, and add the user to
the appropriate groups for accessing KRA services. the appropriate groups for accessing KRA services.
""" """
conn = api.Backend.ldap2
# get RA agent certificate # get RA agent certificate
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM) cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
# connect to KRA database
conn = ldap2.ldap2(api)
conn.connect(autobind=True)
# create ipakra user with RA agent certificate # create ipakra user with RA agent certificate
entry = conn.make_entry( entry = conn.make_entry(
KRA_AGENT_DN, KRA_AGENT_DN,
@ -263,8 +260,6 @@ class KRAInstance(DogtagInstance):
KRA_BASEDN) KRA_BASEDN)
conn.add_entry_to_group(KRA_AGENT_DN, group_dn, 'uniqueMember') conn.add_entry_to_group(KRA_AGENT_DN, group_dn, 'uniqueMember')
conn.disconnect()
def __add_vault_container(self): def __add_vault_container(self):
self._ldap_mod( self._ldap_mod(
'vault.ldif', {'SUFFIX': self.suffix}, raise_on_err=True) 'vault.ldif', {'SUFFIX': self.suffix}, raise_on_err=True)