diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-11-23 16:52:40 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-11-22 23:57:10 -0500 |
commit | 2f4b3972a04e3ebf99ea7fd51c2b102cc8342582 (patch) | |
tree | e2dcc0f790fd56b4067b4f8f50ee7756a2e87e41 /ipaserver/plugins | |
parent | 56401c1abe7d4c78650acfcd9bbe8c8edc1dac57 (diff) | |
download | freeipa-2f4b3972a04e3ebf99ea7fd51c2b102cc8342582.tar.gz freeipa-2f4b3972a04e3ebf99ea7fd51c2b102cc8342582.tar.xz freeipa-2f4b3972a04e3ebf99ea7fd51c2b102cc8342582.zip |
Add plugin framework to LDAP updates.
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.
There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.
A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.
Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.
Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.
https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 57981869d..1229e5bbc 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -34,6 +34,7 @@ import shutil import tempfile import time import re +import pwd import krbV from ipapython.ipa_log_manager import * @@ -313,7 +314,7 @@ class ldap2(CrudBackend, Encoder): @encode_args(2, 3, 'bind_dn', 'bind_pw') def create_connection(self, ccache=None, bind_dn='', bind_pw='', tls_cacertfile=None, tls_certfile=None, tls_keyfile=None, - debug_level=0): + debug_level=0, autobind=False): """ Connect to LDAP server. @@ -326,6 +327,7 @@ class ldap2(CrudBackend, Encoder): tls_cacertfile -- TLS CA certificate filename tls_certfile -- TLS certificate filename tls_keyfile - TLS bind key filename + autobind - autobind as the current user Extends backend.Connectible.create_connection. """ @@ -342,7 +344,7 @@ class ldap2(CrudBackend, Encoder): try: conn = _ldap.initialize(self.ldap_uri) - if self.ldap_uri.startswith('ldapi://'): + if self.ldap_uri.startswith('ldapi://') and ccache: conn.set_option(_ldap.OPT_HOST_NAME, api.env.host) if ccache is not None: os.environ['KRB5CCNAME'] = ccache @@ -351,8 +353,14 @@ class ldap2(CrudBackend, Encoder): context=krbV.default_context()).principal().name setattr(context, 'principal', principal) else: - # no kerberos ccache, use simple bind - conn.simple_bind_s(bind_dn, bind_pw) + # no kerberos ccache, use simple bind or external sasl + if autobind: + pent = pwd.getpwuid(os.geteuid()) + auth_tokens = _ldap.sasl.external(pent.pw_name) + conn.sasl_interactive_bind_s("", auth_tokens) + else: + conn.simple_bind_s(bind_dn, bind_pw) + except _ldap.LDAPError, e: _handle_errors(e, **{}) |