author | Rob Crittenden <rcritten@redhat.com> | 2011-03-18 11:19:53 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-03-21 13:23:53 -0400 |
commit | ca5332951c68904b0763f79f3612209271206b2a (patch) | |
tree | d2e39143f5d1b7b78fb40fd906e0d722c1b19d3d /ipaserver | |
parent | ba5e0c43070c1ec77e45a032cd3dabbe0f7a76fc (diff) | |
Automatically update IPA LDAP on rpm upgrades
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.
This also:
* corrects the ipa-ldap-updater man page
* removes automatic --realm, --server, --domain options
* handles upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint
ticket 1087
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/ldapupdate.py | 43 | ||||
-rw-r--r-- | ipaserver/install/upgradeinstance.py | 31 |
2 files changed, 53 insertions, 21 deletions
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index a2eebebcc..44a95465f 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -109,7 +109,7 @@ class LDAPUpdate:
 if online:
 # Try out the password
- #if not self.ldapi:
+ if not self.ldapi:
 try:
 conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=self.realm)
 conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
@@ -120,13 +120,16 @@ class LDAPUpdate:
 raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
 except ldap.INVALID_CREDENTIALS:
 raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
- # THIS IS COMMENTED OUT, BECAUSE:
- # external_bind does work, but even as root, you don't always have
- # enought power to do everything we need due to strict ACI rules
- #
- #else:
- # conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- # conn.do_external_bind(self.pw_name)
+ else:
+ conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ try:
+ if os.getegid() == 0:
+ # autobind
+ conn.do_external_bind(self.pw_name)
+ else:
+ conn.do_sasl_gssapi_bind()
+ except ldap.LOCAL_ERROR, e:
+ raise RuntimeError('%s' % e.args[0].get('info', '').strip())
 else:
 raise RuntimeError("Offline updates are not supported.")
@@ -476,7 +479,7 @@ class LDAPUpdate:
 try:
 (old, new) = v.split(':', 1)
 except ValueError:
- raise BadSyntax, "bad syntax in replace, needs to be in the format old: new in %s" % new_entry.dn
+ raise BadSyntax, "bad syntax in replace, needs to be in the format old: new in %s" % v
 try:
 e.remove(old)
 e.append(new)
@@ -596,6 +599,9 @@ class LDAPUpdate:
 except errors.DatabaseError, e:
 logging.error("Update failed: %s", e)
 updated = False
+ except errors.ACIError, e:
+ logging.error("Update failed: %s", e)
+ updated = False
 if ("cn=index" in entry.dn and "cn=userRoot" in entry.dn):
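Review bot: The ldapi bind sequence added in the hunk at -120 (the ldapi IPAdmin construction, the getegid branch, the LOCAL_ERROR mapping) is repeated verbatim in the hunk at -654, so the two copies will drift; move it into one helper, `_ldapi_bind(self)` returning the bound connection, and call `conn = self._ldapi_bind()` here and `self.conn = self._ldapi_bind()` in the later hunk. Only `ldap.LOCAL_ERROR` is translated into RuntimeError, whereas the password path just above maps the connect failure and `ldap.INVALID_CREDENTIALS` to RuntimeError; a missing ldapi socket or a failed GSSAPI bind presumably surfaces as a raw python-ldap exception, so the helper should translate `ldap.SERVER_DOWN` and `ldap.INVALID_CREDENTIALS` the same way. The root test is `os.getegid() == 0` (as in `main()` of upgradeinstance.py); if the intent is "running as root" the conventional check is `os.geteuid() == 0`, since a process can hold gid 0 without uid 0 — worth confirming against which identity the server's autobind mapping keys on. In the hunk at -596 the new ACIError branch duplicates the DatabaseError one and can be folded into it as `except (errors.DatabaseError, errors.ACIError), e:`. Each of these hunks sits inside a method whose body continues outside the hunk.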
@@ -654,14 +660,17 @@ class LDAPUpdate:
 try:
 if self.online:
- # THIS IS COMMENTED OUT, BECAUSE:
- # external_bind does work, but even as root, you don't always have
- # enought power to do everything we need due to strict ACI rules
- #
- #if self.ldapi:
- # self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- # self.conn.do_external_bind(self.pw_name)
- #else:
+ if self.ldapi:
+ self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ try:
+ if os.getegid() == 0:
+ # autobind
+ self.conn.do_external_bind(self.pw_name)
+ else:
+ self.conn.do_sasl_gssapi_bind()
+ except ldap.LOCAL_ERROR, e:
+ raise RuntimeError('%s' % e.args[0].get('info', '').strip())
+ else:
 self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'], ldapi=self.ldapi, realm=self.realm)
diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py
index 156c4c2db..ad977b745 100644
--- a/ipaserver/install/upgradeinstance.py
+++ b/ipaserver/install/upgradeinstance.py
@@ -19,6 +19,8 @@ import os import sys
+import shutil
+import random
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance
@@ -41,12 +43,19 @@ class IPAUpgrade(service.Service):
 live_run: boolean that defines if we are in test or live mode. """
+ ext = ''
+ rand = random.Random()
+ for i in range(8):
+ h = "%02x" % rand.randint(0,255)
+ ext += h
 service.Service.__init__(self, "dirsrv")
 serverid = dsinstance.realm_to_serverid(realm_name)
 self.filename = '%s%s/%s' % (DSBASE, serverid, DSE)
+ self.savefilename = '%s%s/%s.ipa.%s' % (DSBASE, serverid, DSE, ext)
 self.live_run = live_run
 self.files = files
 self.modified = False
+ self.badsyntax = False
 def create_instance(self):
 self.step("stopping directory server", self.stop)
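Review bot: The suffix loop added to `__init__` in upgradeinstance.py (`rand = random.Random()` through `ext += h`) hand-rolls eight random hex bytes with an unused loop index; `ext = binascii.hexlify(os.urandom(8))` does the same in one line from the OS entropy source and only needs `import binascii` beside the new imports. Predictability of the name is not a real exposure as long as the instance directory under DSBASE stays root-only, but `self.savefilename` is never reported anywhere visible here, so consider logging the path at the point the copy is made so an operator knows which file to restore from. The `__init__` signature and the rest of the method lie outside the hunk.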
@@ -61,21 +70,26 @@ class IPAUpgrade(service.Service):
 self.start_creation("Upgrading IPA:")
 def __save_config(self):
+ shutil.copy2(self.filename, self.savefilename)
 port = installutils.get_directive(self.filename, 'nsslapd-port', separator=':')
 security = installutils.get_directive(self.filename, 'nsslapd-security', separator=':')
 autobind = installutils.get_directive(self.filename, 'nsslapd-ldapiautobind', separator=':')
+ searchbase = installutils.get_directive(self.filename,
+ 'nsslapd-ldapientrysearchbase', separator=':')
 self.backup_state('nsslapd-port', port)
 self.backup_state('nsslapd-security', security)
 self.backup_state('nsslapd-ldapiautobind', autobind)
+ self.backup_state('nsslapd-ldapientrysearchbase', searchbase)
 def __restore_config(self):
 port = self.restore_state('nsslapd-port')
 security = self.restore_state('nsslapd-security')
 autobind = self.restore_state('nsslapd-ldapiautobind')
+ searchbase = self.restore_state('nsslapd-ldapientrysearchbase')
 installutils.set_directive(self.filename, 'nsslapd-port', port, quotes=False, separator=':')
@@ -83,6 +97,9 @@ class IPAUpgrade(service.Service):
 security, quotes=False, separator=':')
 installutils.set_directive(self.filename, 'nsslapd-ldapiautobind', autobind, quotes=False, separator=':')
+ installutils.set_directive(self.filename,
+ 'nsslapd-ldapientrysearchbase',
+ searchbase, quotes=False, separator=':')
 def __disable_listeners(self):
 installutils.set_directive(self.filename, 'nsslapd-port', 
@@ -91,12 +108,18 @@ class IPAUpgrade(service.Service):
 'off', quotes=False, separator=':')
 installutils.set_directive(self.filename, 'nsslapd-ldapiautobind', 'on', quotes=False, separator=':')
+ installutils.set_directive(self.filename, 'nsslapd-ldapientrysearchbase',
+ '', quotes=False, separator=':')
 def __upgrade(self):
- ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run)
- if len(self.files) == 0:
- self.files = ld.get_all_files(ldapupdate.UPDATES_DIR)
- self.modified = ld.update(self.files)
+ try:
+ ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run)
+ if len(self.files) == 0:
+ self.files = ld.get_all_files(ldapupdate.UPDATES_DIR)
+ self.modified = ld.update(self.files)
+ except ldapupdate.BadSyntax:
+ self.modified = False
+ self.badsyntax = True
 def main():
 if os.getegid() != 0: |
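Review bot: `__upgrade` now turns `ldapupdate.BadSyntax` into `self.badsyntax = True`, but every other failure from `LDAPUpdate` — including the RuntimeError the updater raises when the ldapi bind fails — still propagates out of the step, and whether `__restore_config` still runs in that case is decided in `create_instance`, outside this hunk. That matters more after this commit: `__disable_listeners` now also blanks `nsslapd-ldapientrysearchbase`, so an upgrade that aborts between disable and restore leaves the instance with the listeners off and the autobind search base unrestricted, with the copy in `self.savefilename` as the only recovery path; either make the restore unconditional (`try: … finally: self.__restore_config()` around the upgrade step) or say in a comment on `__upgrade` which step ordering guarantees it. `self.modified = False` on BadSyntax also assumes `ld.update` writes nothing before it reaches the bad file; if it applies file by file, earlier files may already be in, and the flag should presumably reflect that. In `__restore_config`, `searchbase` is written back through `set_directive` whatever `restore_state` returned; if the directive was absent from dse.ldif and that value is None, confirm `set_directive` drops the directive rather than writing the literal.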