author | Petr Viktorin <pviktori@redhat.com> | 2013-01-31 08:26:38 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-03-13 12:36:33 +0100 |
commit | 664248d5b846321f61e0776b646cca82c5a17884 (patch) | |
tree | 63547fb882cfc17b82284042da8a3073bc42f8bd /ipapython/ipaldap.py | |
parent | a0242334feb3da01430f517806768965dabe92c2 (diff) | |
Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.
Beef up the error handling in ipaldap to accommodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.
These were the last uses of ipautil.convert_ldap_error, remove that.
https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446
Diffstat (limited to 'ipapython/ipaldap.py')
-rw-r--r-- | ipapython/ipaldap.py | 53 |
1 files changed, 30 insertions, 23 deletions
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 1403c9e80..10492d178 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -899,9 +899,7 @@ class LDAPClient(object):
try:
yield
except ldap.TIMEOUT:
- desc = ''
- info = ''
- raise
+ raise errors.DatabaseTimeout()
except ldap.LDAPError, e:
desc = e.args[0]['desc'].strip()
info = e.args[0].get('info', '').strip()
@@ -923,6 +921,8 @@ class LDAPClient(object):
raise errors.ACIError(info=info)
except ldap.INVALID_CREDENTIALS:
raise errors.ACIError(info="%s %s" % (info, desc))
+ except ldap.INAPPROPRIATE_AUTH:
+ raise errors.ACIError(info="%s: %s" % (desc, info))
except ldap.NO_SUCH_ATTRIBUTE:
# this is raised when a 'delete' attribute isn't found.
# it indicates the previous attribute was removed by another
@@ -946,16 +946,19 @@ class LDAPClient(object):
raise errors.NotAllowedOnNonLeaf()
except ldap.SERVER_DOWN:
raise errors.NetworkError(uri=self.ldap_uri,
- error=u'LDAP Server Down')
+ error=info)
except ldap.LOCAL_ERROR:
raise errors.ACIError(info=info)
except ldap.SUCCESS:
pass
+ except ldap.CONNECT_ERROR:
+ raise errors.DatabaseError(desc=desc, info=info)
except ldap.LDAPError, e:
if 'NOT_ALLOWED_TO_DELEGATE' in info:
raise errors.ACIError(
info="KDC returned NOT_ALLOWED_TO_DELEGATE")
- self.log.info('Unhandled LDAPError: %s' % str(e))
+ self.log.debug(
+ 'Unhandled LDAPError: %s: %s' % (type(e).__name__, str(e)))
raise errors.DatabaseError(desc=desc, info=info)

@property
@@ -1658,7 +1661,7 @@ class IPAdmin(LDAPClient):
def __init__(self, host='', port=389, cacert=None, debug=None, ldapi=False, realm=None, protocol=None, force_schema_updates=True, start_tls=False, ldap_uri=None, no_schema=False,
- decode_attrs=True, sasl_nocanon=False):
+ decode_attrs=True, sasl_nocanon=False, demand_cert=False):
self.conn = None
log_mgr.get_logger(self, True)
if debug and debug.lower() == "on":
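Review bot: The new `INAPPROPRIATE_AUTH` handler builds its message as `"%s: %s" % (desc, info)` while the `INVALID_CREDENTIALS` handler directly above it uses `"%s %s" % (info, desc)`, so two adjacent authentication failures report desc and info in opposite order with different separators; pick one form for both, e.g. `raise errors.ACIError(info="%s: %s" % (desc, info))` in the INVALID_CREDENTIALS branch as well. A one-line comment on why an authentication failure is surfaced as an ACI (authorization) error rather than a dedicated type would help, since a caller catching ACIError cannot distinguish a rejected password from a bind method the server refuses. The error_handler context manager these branches belong to starts and ends outside the hunk.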
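Review bot: The new `except ldap.CONNECT_ERROR` branch maps to `errors.DatabaseError`, while the sibling `SERVER_DOWN` branch maps to `errors.NetworkError`; in OpenLDAP CONNECT_ERROR is the code reported for TLS negotiation and certificate-verification failures (including a failed `start_tls_s()`), so after this change a rejected server certificate surfaces to callers as a generic database fault rather than a connection problem. Consider `raise errors.NetworkError(uri=self.ldap_uri, error=info)` here too, or at least a comment such as `# CONNECT_ERROR is also what a TLS/certificate failure reports` so the classification is deliberate. Separately, `error=info` in the SERVER_DOWN branch replaces a fixed message with a string python-ldap may leave empty; `error=info or u'LDAP Server Down'` keeps the old text as a fallback. The enclosing error_handler context manager starts before this hunk.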
@@ -1678,15 +1681,21 @@ class IPAdmin(LDAPClient): LDAPClient.__init__(self, ldap_uri) - self.conn = IPASimpleLDAPObject(ldap_uri, force_schema_updates=True, - no_schema=no_schema, - decode_attrs=decode_attrs) + with self.error_handler(): + self.conn = IPASimpleLDAPObject(ldap_uri, + force_schema_updates=True, + no_schema=no_schema, + decode_attrs=decode_attrs) + + if demand_cert: + ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True) + self.conn.set_option(ldap.OPT_X_TLS_DEMAND, True) - if sasl_nocanon: - self.conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON) + if sasl_nocanon: + self.conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON) - if start_tls: - self.conn.start_tls_s() + if start_tls: + self.conn.start_tls_s() def __str__(self): return self.host + ":" + str(self.port) @@ -1700,18 +1709,16 @@ class IPAdmin(LDAPClient): wait_for_open_ports(host, int(port), timeout) def __bind_with_wait(self, bind_func, timeout, *args, **kwargs): - try: - bind_func(*args, **kwargs) - except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e: - if not timeout or 'TLS' in e.args[0].get('info', ''): - # No connection to continue on if we have a TLS failure - # https://bugzilla.redhat.com/show_bug.cgi?id=784989 - raise e + with self.error_handler(): try: + bind_func(*args, **kwargs) + except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e: + if not timeout or 'TLS' in e.args[0].get('info', ''): + # No connection to continue on if we have a TLS failure + # https://bugzilla.redhat.com/show_bug.cgi?id=784989 + raise self.__wait_for_connection(timeout) - except: - raise e - bind_func(*args, **kwargs) + bind_func(*args, **kwargs) def do_simple_bind(self, binddn=DN(('cn', 'directory manager')), bindpw="", timeout=DEFAULT_TIMEOUT): |
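Review bot: `self.conn.set_option(ldap.OPT_X_TLS_DEMAND, True)` in the new `demand_cert` branch passes a value constant where an option identifier is expected: in python-ldap `OPT_X_TLS_DEMAND` is one of the settings of `OPT_X_TLS_REQUIRE_CERT`, not an option, so this call does not turn on certificate checking for the connection, and the module-level `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)` relies on the integer value of `True` coinciding with a strict mode (`OPT_X_TLS_HARD`). That module-level call is also process-wide, changing the default for every connection the process opens afterwards rather than just this IPAdmin, and whether it reaches the connection object already created on the line above depends on OpenLDAP internals. Suggest `self.conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` followed by `self.conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` so the setting is applied to this connection's TLS context before `start_tls_s()` runs, and drop the global call; `OPT_X_TLS_NEWCTX` availability depends on the OpenLDAP build, so confirm it against the version in use. A comment noting that `demand_cert=False` leaves verification to the system ldap.conf `TLS_REQCERT` setting would help readers of `__init__`, whose signature is in the previous hunk.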
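Review bot: `__bind_with_wait` has no docstring, and after this rewrite its control flow (one bind attempt, a wait for the port and a single retry inside the `except` block, with LDAP exceptions translated by `error_handler`) is not obvious from the code; a short docstring stating that it binds once, waits up to `timeout` for the server port and retries once, and raises the translated `errors.*` exception on failure would cover it. The `'TLS' in e.args[0].get('info', '')` test deserves its own comment: it decides whether to skip the retry by a substring match on the server's diagnostic text, which depends on the OpenLDAP message format, e.g. `# substring match on OpenLDAP's diagnostic text; a TLS failure means the port is up but unusable, so retrying cannot help`. Note also that a second failure of the retried `bind_func` now replaces the original exception, so the first error's diagnostic is lost; if that matters for debugging, log `e` at debug level before the retry.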