author | Martin Kosek <mkosek@redhat.com> | 2012-03-21 09:50:33 +0100 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-03-22 00:54:57 -0400 |
commit | 2d460003b9ec18d1dea52b745fc534090d82daab (patch) | |
tree | f40a872716d999702567bd9ff5ee974b629fdc2d /ipaserver | |
parent | 98a99cbca894b6122377976e51567d65513635e7 (diff) | |
Fix LDAP effective rights control with python-ldap 2.4.x
The new version of python-ldap changed the way it creates LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with the effective rights
control, so the LDAP server rejects it.
This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.
https://fedorahosted.org/freeipa/ticket/2565
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 178386c67..61341b082 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -42,7 +42,19 @@ import ldap as _ldap
 from ldap.ldapobject import SimpleLDAPObject
 import ldap.filter as _ldap_filter
 import ldap.sasl as _ldap_sasl
-from ldap.controls import LDAPControl
+try:
+    from ldap.controls.simple import GetEffectiveRightsControl #pylint: disable=F0401,E0611
+except ImportError:
+    """
+    python-ldap 2.4.x introduced a new API for effective rights control, which
+    needs to be used or otherwise bind dn is not passed correctly. The following
+    class is created for backward compatibility with python-ldap 2.3.x.
+    Relevant BZ: https://bugzilla.redhat.com/show_bug.cgi?id=802675
+    """
+    from ldap.controls import LDAPControl
+    class GetEffectiveRightsControl(LDAPControl):
+        def __init__(self, criticality, authzId=None):
+            LDAPControl.__init__(self, '1.3.6.1.4.1.42.2.27.9.5.2', criticality, authzId)
 # for backward compatibility
 from ldap.functions import explode_dn
 from ipalib.dn import DN
@@ -874,7 +886,7 @@ class ldap2(CrudBackend, Encoder):
         """
         principal = getattr(context, 'principal')
         (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
-        sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: " + binddn.encode('UTF-8'))]
+        sctrl = [GetEffectiveRightsControl(True, "dn: " + binddn.encode('UTF-8'))]
         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
         (dn, attrs) = self.get_entry(dn, entry_attrs)
         # remove the control so subsequent operations don't include GER
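Review bot: The triple-quoted text at the top of the `except ImportError:` branch in the first hunk is a bare string expression statement, not a comment or docstring: it is attached to nothing, is evaluated and discarded at import time, and linters report it as a pointless statement. Turn it into `#` comment lines immediately above `from ldap.controls import LDAPControl` so the rationale stays next to the fallback class it describes. It would also help a reader to state in that comment that the fallback keeps the same positional signature as the 2.4.x class, `GetEffectiveRightsControl(criticality, authzId)`, which is what the call site in the second hunk relies on.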
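Review bot: In the second hunk the effective-rights control is installed connection-wide through `self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)` and, per the trailing comment, only removed after `self.get_entry(dn, entry_attrs)` returns; if `get_entry` raises, the removal is skipped and the GER control, carrying this principal's `binddn` as authzId, stays attached to `self.conn` for whatever operation uses that connection next. The new line keeps this ordering, so the fix is to place the `get_entry` call in a `try:` block and move the existing removal into its `finally:` clause so the control is cleared on every exit path. The enclosing method starts before and continues past this hunk, so the removal line itself is not visible here; I am inferring it from the comment.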