diff options
author | Rob Crittenden <rcritten@redhat.com> | 2009-11-12 16:47:35 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2009-11-19 14:37:41 -0500 |
commit | 6e5c15b1db6703922ed690755260f9c58bfaf85b (patch) | |
tree | f85f98a124f389380c7261f8ac97691ad8381a43 /ipaserver/plugins | |
parent | 34f6cba0c3bbad69ce2c371e0c2cb34964305f66 (diff) | |
download | freeipa-6e5c15b1db6703922ed690755260f9c58bfaf85b.tar.gz freeipa-6e5c15b1db6703922ed690755260f9c58bfaf85b.tar.xz freeipa-6e5c15b1db6703922ed690755260f9c58bfaf85b.zip |
Gracefully handle a valid kerberos ticket for a deleted entry.
I saw this with a host where I joined a host, obtained a host
principal, kinited to that principal, then deleted the host from the
IPA server. The ticket was still valid so Apache let it through but
it failed to bind to LDAP.
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index a7cd100d2..4d1f89695 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -99,6 +99,8 @@ def _handle_errors(e, **kw): raise errors.DatabaseError(desc=desc, info=info) except _ldap.INSUFFICIENT_ACCESS, e: raise errors.ACIError(info=info) + except _ldap.INVALID_CREDENTIALS, e: + raise errors.ACIError(info="%s %s" % (info, desc)) except _ldap.NO_SUCH_ATTRIBUTE: # this is raised when a 'delete' attribute isn't found. # it indicates the previous attribute was removed by another @@ -226,11 +228,14 @@ class ldap2(CrudBackend, Encoder): conn = _ldap.initialize(self._ldapuri) if ccache is not None: - os.environ['KRB5CCNAME'] = ccache - conn.sasl_interactive_bind_s('', _sasl_auth) - principal = krbV.CCache(name=ccache, - context=krbV.default_context()).principal().name - setattr(context, "principal", principal) + try: + os.environ['KRB5CCNAME'] = ccache + conn.sasl_interactive_bind_s('', _sasl_auth) + principal = krbV.CCache(name=ccache, + context=krbV.default_context()).principal().name + setattr(context, "principal", principal) + except _ldap.LDAPError, e: + _handle_errors(e, **{}) else: # no kerberos ccache, use simple bind conn.simple_bind_s(bind_dn, bind_pw) @@ -549,8 +554,6 @@ class ldap2(CrudBackend, Encoder): on the entry. """ (dn, attrs) = self.get_effective_rights(dn, ["*"]) - import pdb - pdb.set_trace() if 'entrylevelrights' in attrs: entry_rights = attrs['entrylevelrights'][0].decode('UTF-8') if 'd' in entry_rights: |