diff options
| author | Petr Viktorin <pviktori@redhat.com> | 2013-01-31 08:26:38 -0500 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-03-13 12:36:33 +0100 |
| commit | 664248d5b846321f61e0776b646cca82c5a17884 (patch) | |
| tree | 63547fb882cfc17b82284042da8a3073bc42f8bd /ipa-client | |
| parent | a0242334feb3da01430f517806768965dabe92c2 (diff) | |
| download | freeipa-664248d5b846321f61e0776b646cca82c5a17884.tar.gz freeipa-664248d5b846321f61e0776b646cca82c5a17884.tar.xz freeipa-664248d5b846321f61e0776b646cca82c5a17884.zip | |
Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.
Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.
These were the last uses of ipautil.convert_ldap_error, remove that.
https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446
Diffstat (limited to 'ipa-client')
| -rw-r--r-- | ipa-client/ipaclient/ipadiscovery.py | 91 |
1 files changed, 49 insertions, 42 deletions
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 7fc6aae88..d62430be4 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -19,16 +19,16 @@ import socket import os -import copy -from ipapython.ipa_log_manager import * import tempfile import ldap from ldap import LDAPError + +from ipapython.ipa_log_manager import root_logger from dns import resolver, rdatatype from dns.exception import DNSException - -from ipapython.ipautil import run, CalledProcessError, valid_ip, get_ipa_basedn, \ - realm_to_suffix, format_netloc +from ipalib import errors +from ipapython import ipaldap +from ipapython.ipautil import valid_ip, get_ipa_basedn, realm_to_suffix from ipapython.dn import DN CACERT = '/etc/ipa/ca.crt' @@ -328,16 +328,29 @@ class IPADiscovery(object): #now verify the server is really an IPA server try: - ldap_url = "ldap://" + format_netloc(thost, 389) - root_logger.debug("Init LDAP connection with: %s", ldap_url) - lh = ldap.initialize(ldap_url) + root_logger.debug("Init LDAP connection to: %s", thost) if ca_cert_path: - ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True) - ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_path) - lh.set_option(ldap.OPT_X_TLS_DEMAND, True) - lh.start_tls_s() - lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3) - lh.simple_bind_s("","") + lh = ipaldap.IPAdmin(thost, protocol='ldap', + cacert=ca_cert_path, start_tls=True, + demand_cert=True) + else: + lh = ipaldap.IPAdmin(thost, protocol='ldap') + try: + lh.do_simple_bind(DN(), '') + except errors.ACIError: + root_logger.debug("LDAP Error: Anonymous access not allowed") + return [NO_ACCESS_TO_LDAP] + except errors.DatabaseError, err: + root_logger.error("Error checking LDAP: %s" % err.strerror) + # We should only get UNWILLING_TO_PERFORM if the remote LDAP + # server has minssf > 0 and we have attempted a non-TLS conn. + if ca_cert_path is None: + root_logger.debug( + "Cannot connect to LDAP server. Check that minssf is " + "not enabled") + return [NO_TLS_LDAP] + else: + return [UNKNOWN_ERROR] # get IPA base DN root_logger.debug("Search LDAP server for IPA base DN") @@ -348,23 +361,23 @@ class IPADiscovery(object): return [NOT_IPA_SERVER] self.basedn = basedn - self.basedn_source = 'From IPA server %s' % ldap_url + self.basedn_source = 'From IPA server %s' % lh.ldap_uri #search and return known realms root_logger.debug( "Search for (objectClass=krbRealmContainer) in %s (sub)", self.basedn) - lret = lh.search_s(str(DN(('cn', 'kerberos'), self.basedn)), ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)") - if not lret: + try: + lret = lh.get_entries( + DN(('cn', 'kerberos'), self.basedn), + lh.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)") + except errors.NotFound: #something very wrong return [REALM_NOT_FOUND] for lres in lret: - root_logger.debug("Found: %s", lres[0]) - for lattr in lres[1]: - if lattr.lower() == "cn": - lrealms.append(lres[1][lattr][0]) - + root_logger.debug("Found: %s", lres.dn) + lrealms.append(lres.single_value('cn')) if trealm: for r in lrealms: @@ -382,27 +395,21 @@ class IPADiscovery(object): #we shouldn't get here return [UNKNOWN_ERROR] - except LDAPError, err: - if isinstance(err, ldap.TIMEOUT): - root_logger.debug("LDAP Error: timeout") - return [NO_LDAP_SERVER] - - if isinstance(err, ldap.SERVER_DOWN): - root_logger.debug("LDAP Error: server down") - return [NO_LDAP_SERVER] - - if isinstance(err, ldap.INAPPROPRIATE_AUTH): - root_logger.debug("LDAP Error: Anonymous access not allowed") - return [NO_ACCESS_TO_LDAP] - - # We should only get UNWILLING_TO_PERFORM if the remote LDAP server - # has minssf > 0 and we have attempted a non-TLS connection. - if ca_cert_path is None and isinstance(err, ldap.UNWILLING_TO_PERFORM): - root_logger.debug("LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled") - return [NO_TLS_LDAP] + except errors.DatabaseTimeout: + root_logger.error("LDAP Error: timeout") + return [NO_LDAP_SERVER] + except errors.NetworkError, err: + root_logger.debug("LDAP Error: %s" % err.strerror) + return [NO_LDAP_SERVER] + except errors.ACIError: + root_logger.debug("LDAP Error: Anonymous access not allowed") + return [NO_ACCESS_TO_LDAP] + except errors.DatabaseError, err: + root_logger.error("Error checking LDAP: %s" % err.strerror) + return [UNKNOWN_ERROR] + except Exception, err: + root_logger.error("Error checking LDAP: %s" % err) - root_logger.error("LDAP Error: %s: %s" % - (err.args[0]['desc'], err.args[0].get('info', ''))) return [UNKNOWN_ERROR] |