author | Martin Kosek <mkosek@redhat.com> | 2014-07-24 09:57:54 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-29 17:48:05 +0200 |
commit | aa0639284c233d10b1bb4c02317155436685dc38 (patch) | |
tree | 807349c08cd6a7abb11afe3d4c512403bfbcc6e6 /ipa-client/ipaclient | |
parent | 724391a71b018c94aca71b588a24983e228cf2a7 (diff) | |
Do not crash client basedn discovery when SSF not met
ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.
https://fedorahosted.org/freeipa/ticket/4459
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipa-client/ipaclient')
-rw-r--r-- | ipa-client/ipaclient/ipadiscovery.py | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 1e084dba1..0532f618e 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -335,6 +335,10 @@ class IPADiscovery(object):
 no_schema=True, decode_attrs=False)
 try:
 lh.do_simple_bind(DN(), '')
+
+ # get IPA base DN
+ root_logger.debug("Search LDAP server for IPA base DN")
+ basedn = get_ipa_basedn(lh)
 except errors.ACIError:
 root_logger.debug("LDAP Error: Anonymous access not allowed")
 return [NO_ACCESS_TO_LDAP]
@@ -350,10 +354,6 @@ class IPADiscovery(object):
 else:
 return [UNKNOWN_ERROR]
 
- # get IPA base DN
- root_logger.debug("Search LDAP server for IPA base DN")
- basedn = get_ipa_basedn(lh)
-
 if basedn is None:
 root_logger.debug("The server is not an IPA server")
 return [NOT_IPA_SERVER] |
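Review bot: The `except errors.ACIError` handler in the first hunk still logs "LDAP Error: Anonymous access not allowed" although it now also covers failures of the `get_ipa_basedn(lh)` search, so the debug log no longer tells an operator whether the anonymous bind or the anonymous search was refused. A short comment above the moved call would keep a later refactor from lifting it back out of the `try`, for example `# keep inside try: the anonymous search can fail like the bind (e.g. UNWILLING_TO_PERFORM when the server's minimum SSF is not met)`. `basedn` is now bound only inside the `try`, so the later `if basedn is None` check relies on every handler returning; the handlers between the two hunks are not visible here, so that is worth confirming, or `basedn = None` could be set before the `try`. The enclosing method starts and ends outside the hunk.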