authorMartin Kosek <mkosek@redhat.com>2014-07-24 09:57:54 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-29 17:48:05 +0200
commitaa0639284c233d10b1bb4c02317155436685dc38 (patch)
tree807349c08cd6a7abb11afe3d4c512403bfbcc6e6 /ipa-client/ipaclient
parent724391a71b018c94aca71b588a24983e228cf2a7 (diff)
Do not crash client basedn discovery when SSF not met
ipa-client-install runs an anonymous search in the non-rootDSE space, which may raise an UNWILLING_TO_PERFORM error. This case was only covered for BIND, but not for the actual LDAP queries. https://fedorahosted.org/freeipa/ticket/4459 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipa-client/ipaclient')
-rw-r--r--ipa-client/ipaclient/ipadiscovery.py8
1 files changed, 4 insertions, 4 deletions
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 1e084dba1..0532f618e 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -335,6 +335,10 @@ class IPADiscovery(object):
no_schema=True, decode_attrs=False)
try:
lh.do_simple_bind(DN(), '')
+
+ # get IPA base DN
+ root_logger.debug("Search LDAP server for IPA base DN")
+ basedn = get_ipa_basedn(lh)
except errors.ACIError:
root_logger.debug("LDAP Error: Anonymous access not allowed")
return [NO_ACCESS_TO_LDAP]
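Review bot: The `get_ipa_basedn(lh)` call now sits inside the `try` with no comment saying why, so a later cleanup could move it back out and reintroduce the crash. Per the commit message, the anonymous search can raise UNWILLING_TO_PERFORM even though only the bind was covered before; I would add `# keep inside try: a server enforcing a minimum SSF may refuse the anonymous search even after the bind succeeds` above the call. The `except errors.ACIError` branch still logs "Anonymous access not allowed", which now also describes a refused search, so the debug text could say which step failed. The remaining handlers fall between the two hunks and are not shown, so I am assuming each of them returns before `basedn` is read at `if basedn is None:`.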
@@ -350,10 +354,6 @@ class IPADiscovery(object):
else:
return [UNKNOWN_ERROR]
- # get IPA base DN
- root_logger.debug("Search LDAP server for IPA base DN")
- basedn = get_ipa_basedn(lh)
-
if basedn is None:
root_logger.debug("The server is not an IPA server")
return [NOT_IPA_SERVER]