author | Rob Crittenden <rcritten@redhat.com> | 2011-04-11 15:30:11 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2011-04-11 15:33:03 -0400 |
commit | d42bf3f530759824586bba0df52f9bd8a6f20df7 (patch) | |
tree | ba7cdd29f4564b69051d9ed03bdd667128564d8f /ipaserver/install | |
parent | 68ff18ed10a957bf022c654c38518915bd68fcc8 (diff) | |
Fix traceback in ipa-nis-manage.
The root user cannot use ldapi because of the autobind configuration.
Fall back to a standard GSSAPI sasl bind if the external bind fails.
With --ldapi a regular user may be trying this as well, catch that
and report a reasonable error message.
This also gives priority to the DM password if it is passed in.
Also require the user be root to run the ipa-nis-manage command.
We enable/disable and start/stop services which need to be done as root.
Add a new option to ipa-ldap-updater to prompt for the DM password.
Remove restriction to be run as root except when doing an upgrade.
Ticket 1157
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/ldapupdate.py | 60 |
1 files changed, 32 insertions, 28 deletions
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 4feb0cf43..5a827fdfb 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -108,28 +108,27 @@ class LDAPUpdate:
 self.sub_dict["DOMAIN"] = domain
 if online:
- # Try out the password
- if not self.ldapi:
- try:
- conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=self.realm)
+ # Try out the connection/password
+ try:
+ conn = ipaldap.IPAdmin(fqdn, ldapi=self.ldapi, realm=self.realm)
+ if self.dm_password:
 conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
- conn.unbind()
- except ldap.CONNECT_ERROR:
- raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
- except ldap.SERVER_DOWN:
- raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
- except ldap.INVALID_CREDENTIALS:
- raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
- else:
- conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- try:
- if os.getegid() == 0:
+ elif os.getegid() == 0:
+ try:
 # autobind
 conn.do_external_bind(self.pw_name)
- else:
+ except errors.NotFound:
+ # Fall back
 conn.do_sasl_gssapi_bind()
- except ldap.LOCAL_ERROR, e:
- raise RuntimeError('%s' % e.args[0].get('info', '').strip())
+ else:
+ conn.do_sasl_gssapi_bind()
+ conn.unbind()
+ except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
+ raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
+ except ldap.INVALID_CREDENTIALS:
+ raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
+ except ldap.LOCAL_ERROR, e:
+ raise RuntimeError('%s' % e.args[0].get('info', '').strip())
 else:
 raise RuntimeError("Offline updates are not supported.")
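Review bot: The new `elif os.getegid() == 0:` branch tests the effective group id, not the effective user id, so an unprivileged account whose primary group is gid 0 is routed to the root-only autobind path while a root process running with another egid is sent to GSSAPI; the commit message describes the intent as "require the user be root", which is `os.geteuid() == 0`. The same test is used in the second hunk of this file. Separately, the removed code only attempted `do_external_bind` on an ldapi connection, whereas the new branch runs it for any root caller even when `self.ldapi` is False and `conn` is a network connection to `fqdn`; whether that failure surfaces as `errors.NotFound` (and so falls back to GSSAPI) or as a different ldap exception is not visible here, so `elif self.ldapi and os.geteuid() == 0:` would keep the fallback explicit. The enclosing method starts before this hunk.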
@@ -662,19 +661,24 @@ class LDAPUpdate:
 if self.online:
 if self.ldapi:
 self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- try:
- if os.getegid() == 0:
- # autobind
- self.conn.do_external_bind(self.pw_name)
- else:
- self.conn.do_sasl_gssapi_bind()
- except ldap.LOCAL_ERROR, e:
- raise RuntimeError('%s' % e.args[0].get('info', '').strip())
 else:
 self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'],
- ldapi=self.ldapi,
+ ldapi=False,
 realm=self.realm)
- self.conn.do_simple_bind(bindpw=self.dm_password)
+ try:
+ if self.dm_password:
+ self.conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
+ elif os.getegid() == 0:
+ try:
+ # autobind
+ self.conn.do_external_bind(self.pw_name)
+ except errors.NotFound:
+ # Fall back
+ self.conn.do_sasl_gssapi_bind()
+ else:
+ self.conn.do_sasl_gssapi_bind()
+ except ldap.LOCAL_ERROR, e:
+ raise RuntimeError('%s' % e.args[0].get('info', '').strip())
 else:
 raise RuntimeError("Offline updates are not supported.")
 all_updates = {}
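Review bot: The new `try` around the bind sequence catches only `ldap.LOCAL_ERROR`, so a wrong Directory Manager password or an unreachable server on the `self.conn.do_simple_bind(...)` line escapes as a raw `ldap.INVALID_CREDENTIALS` / `ldap.SERVER_DOWN` instead of the RuntimeError the equivalent block in the first hunk raises. Adding the same `except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):` and `except ldap.INVALID_CREDENTIALS:` clauses here would make the two code paths report failures consistently. The earlier connection check in `__init__` may make this rare when the same object is reused, but that is inferred rather than visible in this hunk. The enclosing method starts and ends outside the hunk.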