authorJan Cholasta <jcholast@redhat.com>2013-02-04 11:50:58 +0100
committerMartin Kosek <mkosek@redhat.com>2013-03-01 16:59:47 +0100
commit61c0938c769f5ece202f04095138a5348f95aa18 (patch)
tree6168745816d79a4e3b8cb652ff64cfc5dc0297f1
parent5b2e0e2ba5808d6300de1cac743c96db0607121c (diff)
Remove support for DN normalization from LDAPClient.
-rw-r--r--install/restart_scripts/renew_ca_cert4
-rw-r--r--install/restart_scripts/renew_ra_cert4
-rwxr-xr-xinstall/tools/ipa-compat-manage6
-rwxr-xr-xinstall/tools/ipa-nis-manage6
-rw-r--r--ipalib/plugins/migration.py5
-rw-r--r--ipaserver/install/cainstance.py5
-rw-r--r--ipaserver/install/plugins/rename_managed.py4
-rw-r--r--ipaserver/ipaldap.py68
-rw-r--r--ipaserver/plugins/ldap2.py24
9 files changed, 41 insertions, 85 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index b1efd8f9d..5768db3f7 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -70,11 +70,11 @@ try:
try:
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'] = cert
- conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.update_entry(dn, entry_attrs)
except errors.NotFound:
entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
usercertificate=cert)
- conn.add_entry(dn, entry_attrs, normalize=False)
+ conn.add_entry(dn, entry_attrs)
except errors.EmptyModlist:
pass
conn.disconnect()
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index e5418fdaf..e541e4ba4 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -60,11 +60,11 @@ while attempts < 10:
try:
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'] = dercert
- conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.update_entry(dn, entry_attrs)
except errors.NotFound:
entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
usercertificate=dercert)
- conn.add_entry(dn, entry_attrs, normalize=False)
+ conn.add_entry(dn, entry_attrs)
except errors.EmptyModlist:
pass
updated = True
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index e88d92286..87fa47fe0 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -73,7 +73,7 @@ def get_entry(dn, conn):
"""
entry = None
try:
- (dn, entry) = conn.get_entry(dn, normalize=False)
+ (dn, entry) = conn.get_entry(dn)
except errors.NotFound:
pass
return entry
@@ -144,7 +144,7 @@ def main():
retval = 1
else:
mod = {'nsslapd-pluginenabled': 'on'}
- conn.update_entry(compat_dn, mod, normalize=False)
+ conn.update_entry(compat_dn, mod)
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
@@ -175,7 +175,7 @@ def main():
print "Disabling plugin"
mod = {'nsslapd-pluginenabled': 'off'}
- conn.update_entry(compat_dn, mod, normalize=False)
+ conn.update_entry(compat_dn, mod)
except errors.DatabaseError, dbe:
print "An error occurred while talking to the server."
print dbe
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index 5ef3ce0e6..a35e19f97 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -75,7 +75,7 @@ def get_entry(dn, conn):
"""
entry = None
try:
- (dn, entry) = conn.get_entry(dn, normalize=False)
+ (dn, entry) = conn.get_entry(dn)
except errors.NotFound:
pass
return entry
@@ -166,7 +166,7 @@ def main():
print "Enabling plugin"
# Already configured, just enable the plugin
mod = {'nsslapd-pluginenabled': 'on'}
- conn.update_entry(nis_config_dn, mod, normalize=False)
+ conn.update_entry(nis_config_dn, mod)
else:
print "Plugin already Enabled"
retval = 2
@@ -174,7 +174,7 @@ def main():
elif args[0] == "disable":
try:
mod = {'nsslapd-pluginenabled': 'off'}
- conn.update_entry(nis_config_dn, mod, normalize=False)
+ conn.update_entry(nis_config_dn, mod)
except errors.NotFound:
print "Plugin is already disabled"
retval = 2
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index d94484331..7884e08cf 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -346,7 +346,6 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg
api.log.error('entry %s does not belong into any known container' % m)
continue
- m = ldap.normalize_dn(m)
new_members.append(m)
del entry_attrs[member_attr]
@@ -363,7 +362,7 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg
for m in entry_attrs[member_attr]:
memberdn = DN((api.Object.user.primary_key.name, m),
api.env.container_user, api.env.basedn)
- new_members.append(ldap.normalize_dn(memberdn))
+ new_members.append(memberdn)
entry_attrs['member'] = new_members
assert isinstance(dn, DN)
@@ -863,7 +862,7 @@ can use their Kerberos accounts.''')
#check whether the compat plugin is enabled
if not options.get('compat'):
try:
- (dn,check_compat) = ldap.get_entry(_compat_dn, normalize=False)
+ (dn,check_compat) = ldap.get_entry(_compat_dn)
assert isinstance(dn, DN)
if check_compat is not None and \
check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 256479875..a1107cee8 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1915,12 +1915,11 @@ def update_people_entry(uid, dercert):
conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
- (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'],
- normalize=False)
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'].append(dercert)
entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
subject)
- conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.update_entry(dn, entry_attrs)
updated = True
break
except errors.NetworkError:
diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py
index 206e0a0da..e0fa36bb7 100644
--- a/ipaserver/install/plugins/rename_managed.py
+++ b/ipaserver/install/plugins/rename_managed.py
@@ -67,7 +67,7 @@ class GenerateUpdateMixin(object):
try:
definitions_managed_entries, truncated = ldap.find_entries(
searchfilter, ['*'], old_definition_container,
- ldap.SCOPE_ONELEVEL, normalize=False)
+ ldap.SCOPE_ONELEVEL)
except errors.NotFound, e:
return (False, update_list)
@@ -77,7 +77,7 @@ class GenerateUpdateMixin(object):
old_dn = entry.data['managedtemplate'][0]
assert isinstance(old_dn, DN)
try:
- (old_dn, entry) = ldap.get_entry(old_dn, ['*'], normalize=False)
+ (old_dn, entry) = ldap.get_entry(old_dn, ['*'])
except errors.NotFound, e:
pass
else:
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 10deca787..4a4653264 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -984,11 +984,6 @@ class LDAPClient(object):
obj = self.schema.get_obj(ldap.schema.AttributeType, attr)
return obj and obj.single_value
- def normalize_dn(self, dn):
- """Override to normalize all DNs passed to LDAPClient methods"""
- assert isinstance(dn, DN)
- return dn
-
def make_dn_from_attr(self, attr, value, parent_dn=None):
"""
Make distinguished name from attribute.
@@ -998,7 +993,6 @@ class LDAPClient(object):
"""
if parent_dn is None:
parent_dn = DN()
- parent_dn = self.normalize_dn(parent_dn)
if isinstance(value, (list, tuple)):
value = value[0]
@@ -1015,11 +1009,8 @@ class LDAPClient(object):
"""
assert primary_key in entry_attrs
+ assert isinstance(parent_dn, DN)
- if parent_dn is None:
- parent_dn = DN()
-
- parent_dn = self.normalize_dn(parent_dn)
return DN((primary_key, entry_attrs[primary_key]), parent_dn)
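Review bot: make_dn no longer tolerates `parent_dn=None`: the `if parent_dn is None: parent_dn = DN()` fallback is dropped and only `assert isinstance(parent_dn, DN)` remains, so a caller that omitted the argument now fails with AssertionError, or under `python -O` passes None straight into `DN(...)`. make_dn_from_attr in the previous hunk keeps its None fallback, so the two helpers now disagree on the same parameter. If the signature, which starts before this hunk, still declares `parent_dn=None`, either restore the fallback or change the default and say so in the docstring, e.g. `parent_dn -- DN the new entry is created under (required, must be a DN instance)`.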
def make_entry(self, _dn=None, _obj=None, **kwargs):
@@ -1172,7 +1163,7 @@ class LDAPClient(object):
def find_entries(self, filter=None, attrs_list=None, base_dn=None,
scope=ldap.SCOPE_SUBTREE, time_limit=None,
- size_limit=None, normalize=True, search_refs=False):
+ size_limit=None, search_refs=False):
"""
Return a list of entries and indication of whether the results were
truncated ([(dn, entry_attrs)], truncated) matching specified search
@@ -1186,15 +1177,12 @@ class LDAPClient(object):
time_limit -- time limit in seconds (default use IPA config values)
size_limit -- size (number of entries returned) limit
(default use IPA config values)
- normalize -- normalize the DN (default True)
search_refs -- allow search references to be returned
(default skips these entries)
"""
if base_dn is None:
base_dn = DN()
assert isinstance(base_dn, DN)
- if normalize:
- base_dn = self.normalize_dn(base_dn)
if not filter:
filter = '(objectClass=*)'
res = []
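Review bot: Removing the normalize step changes what an omitted base_dn means: the `if base_dn is None: base_dn = DN()` lines still default to the empty DN, but the removed ldap2.normalize_dn used to append `self.base_dn` to it, so callers that never passed base_dn silently searched the IPA suffix and now search from the empty DN. The commit corrects one such caller in ldap2.find_entry_by_attr by passing `base_dn=api.env.basedn`; whether every other find_entries/get_entry caller supplies a fully qualified base cannot be checked from this diff. The docstring's base_dn line is outside the hunk and should state the new default, e.g. `base_dn -- search base (default DN(), the empty DN; pass api.env.basedn to search the IPA suffix)`. find_entries's body continues outside the hunk.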
@@ -1247,8 +1235,7 @@ class LDAPClient(object):
members = r[1]['member']
indirect = self.get_members(
r[0], members, membertype=MEMBERS_INDIRECT,
- time_limit=time_limit, size_limit=size_limit,
- normalize=normalize)
+ time_limit=time_limit, size_limit=size_limit)
if len(indirect) > 0:
r[1]['memberindirect'] = indirect
if attrs_list and (
@@ -1264,7 +1251,7 @@ class LDAPClient(object):
continue
direct, indirect = self.get_memberof(
r[0], memberof, time_limit=time_limit,
- size_limit=size_limit, normalize=normalize)
+ size_limit=size_limit)
if len(direct) > 0:
r[1]['memberof'] = direct
if len(indirect) > 0:
@@ -1299,7 +1286,7 @@ class LDAPClient(object):
return entries[0]
def get_entry(self, dn, attrs_list=None, time_limit=None,
- size_limit=None, normalize=True):
+ size_limit=None):
"""
Get entry (dn, entry_attrs) by dn.
@@ -1311,7 +1298,7 @@ class LDAPClient(object):
(entry, truncated) = self.find_entries(
None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit,
- size_limit=size_limit, normalize=normalize
+ size_limit=size_limit
)
if truncated:
@@ -1326,7 +1313,7 @@ class LDAPClient(object):
return {}
def get_memberof(self, entry_dn, memberof, time_limit=None,
- size_limit=None, normalize=True):
+ size_limit=None):
"""
Examine the objects that an entry is a member of and determine if they
are a direct or indirect member of that group.
@@ -1361,7 +1348,7 @@ class LDAPClient(object):
result, truncated = self.find_entries(
searchfilter, attr_list,
group, time_limit=time_limit, size_limit=size_limit,
- scope=ldap.SCOPE_BASE, normalize=normalize)
+ scope=ldap.SCOPE_BASE)
results.extend(list(result))
except errors.NotFound:
pass
@@ -1386,8 +1373,7 @@ class LDAPClient(object):
return (direct, indirect)
def get_members(self, group_dn, members, attr_list=[],
- membertype=MEMBERS_ALL, time_limit=None, size_limit=None,
- normalize=True):
+ membertype=MEMBERS_ALL, time_limit=None, size_limit=None):
"""Do a memberOf search of groupdn and return the attributes in
attr_list (an empty list returns all attributes).
@@ -1441,7 +1427,7 @@ class LDAPClient(object):
result, truncated = self.find_entries(
searchfilter, attr_list, member_dn,
time_limit=time_limit, size_limit=size_limit,
- scope=ldap.SCOPE_BASE, normalize=normalize)
+ scope=ldap.SCOPE_BASE)
if truncated:
raise errors.LimitsExceeded()
results.append(list(result[0]))
@@ -1477,31 +1463,28 @@ class LDAPClient(object):
self.log.debug("get_members: result=%s", entries)
return entries
- def _get_dn_and_attrs(self, entry_or_dn, entry_attrs, normalize):
+ def _get_dn_and_attrs(self, entry_or_dn, entry_attrs):
"""Helper for legacy calling style for {add,update}_entry
"""
if entry_attrs is None:
- assert normalize is None
return entry_or_dn.dn, entry_or_dn
else:
assert isinstance(entry_or_dn, DN)
- if normalize is None or normalize:
- entry_or_dn = self.normalize_dn(entry_or_dn)
entry_attrs = self.make_entry(entry_or_dn, entry_attrs)
for key, value in entry_attrs.items():
if value is None:
entry_attrs[key] = []
return entry_or_dn, entry_attrs
- def add_entry(self, entry, entry_attrs=None, normalize=None):
+ def add_entry(self, entry, entry_attrs=None):
"""Create a new entry.
This should be called as add_entry(entry).
- The legacy two/three-argument variant is:
- add_entry(dn, entry_attrs, normalize=True)
+ The legacy two-argument variant is:
+ add_entry(dn, entry_attrs)
"""
- dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize)
+ dn, attrs = self._get_dn_and_attrs(entry, entry_attrs)
# remove all [] values (python-ldap hates 'em)
attrs = dict((k, v) for k, v in attrs.iteritems()
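Review bot: `_get_dn_and_attrs` now forwards the caller's DN unchanged, so a DN that is not rooted under the server suffix is no longer silently anchored to base_dn and instead reaches the add/modify call as-is and fails on the server side. That is the intent of the commit, but the rewritten legacy-variant docstrings of add_entry here and update_entry in a later hunk do not say that the DN must be complete; a line such as `dn must be a complete DN; no base_dn is appended` in both would make the new contract explicit. add_entry's body continues outside the hunk.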
@@ -1523,19 +1506,17 @@ class LDAPClient(object):
assert isinstance(dn, DN)
assert isinstance(new_rdn, RDN)
- dn = self.normalize_dn(dn)
if dn[0] == new_rdn:
raise errors.EmptyModlist()
with self.error_handler():
self.conn.rename_s(dn, new_rdn, delold=int(del_old))
time.sleep(.3) # Give memberOf plugin a chance to work
- def _generate_modlist(self, dn, entry_attrs, normalize):
+ def _generate_modlist(self, dn, entry_attrs):
assert isinstance(dn, DN)
# get original entry
- dn, entry_attrs_old = self.get_entry(
- dn, entry_attrs.keys(), normalize=normalize)
+ dn, entry_attrs_old = self.get_entry(dn, entry_attrs.keys())
# generate modlist
# for multi value attributes: no MOD_REPLACE to handle simultaneous
@@ -1593,18 +1574,18 @@ class LDAPClient(object):
return modlist
- def update_entry(self, entry, entry_attrs=None, normalize=None):
+ def update_entry(self, entry, entry_attrs=None):
"""Update entry's attributes.
This should be called as update_entry(entry).
- The legacy two/three-argument variant is:
- update_entry(dn, entry_attrs, normalize=True)
+ The legacy two-argument variant is:
+ update_entry(dn, entry_attrs)
"""
- dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize)
+ dn, attrs = self._get_dn_and_attrs(entry, entry_attrs)
# generate modlist
- modlist = self._generate_modlist(dn, attrs, normalize)
+ modlist = self._generate_modlist(dn, attrs)
if not modlist:
raise errors.EmptyModlist()
@@ -1612,14 +1593,11 @@ class LDAPClient(object):
with self.error_handler():
self.conn.modify_s(dn, modlist)
- def delete_entry(self, entry_or_dn, normalize=None):
+ def delete_entry(self, entry_or_dn):
"""Delete an entry given either the DN or the entry itself"""
if isinstance(entry_or_dn, DN):
dn = entry_or_dn
- if normalize is None or normalize:
- dn = self.normalize_dn(dn)
else:
- assert normalize is None
dn = entry_or_dn.dn
with self.error_handler():
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 93d546500..f21ce4fab 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -176,25 +176,6 @@ class ldap2(LDAPClient, CrudBackend):
# ignore when trying to unbind multiple times
pass
- def normalize_dn(self, dn):
- """
- Normalize distinguished name by assuring it ends with
- the base_dn.
-
- Note: ldap2 methods normalize DNs internally, but relying on this is
- not recommended.
- """
-
- assert isinstance(dn, DN)
-
- if not dn.endswith(self.base_dn):
- # DN's are mutable, don't use in-place addtion (+=) which would
- # modify the dn passed in with unintended side-effects. Addition
- # returns a new DN object which is the concatenation of the two.
- dn = dn + self.base_dn
-
- return dn
-
config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]}
def get_ipa_config(self, attrs_list=None):
"""Returns the IPA configuration entry (dn, entry_attrs)."""
@@ -255,7 +236,8 @@ class ldap2(LDAPClient, CrudBackend):
assert isinstance(dn, DN)
principal = getattr(context, 'principal')
- (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
+ (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal,
+ "krbPrincipalAux", base_dn=api.env.basedn)
assert isinstance(binddn, DN)
sctrl = [GetEffectiveRightsControl(True, "dn: " + str(binddn))]
self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
@@ -336,7 +318,6 @@ class ldap2(LDAPClient, CrudBackend):
"""Set user password."""
assert isinstance(dn, DN)
- dn = self.normalize_dn(dn)
# The python-ldap passwd command doesn't verify the old password
# so we'll do a simple bind to validate it.
@@ -456,7 +437,6 @@ class ldap2(LDAPClient, CrudBackend):
"""Remove a kerberos principal key."""
assert isinstance(dn, DN)
- dn = self.normalize_dn(dn)
# We need to do this directly using the LDAP library because we
# don't have read access to krbprincipalkey so we need to delete