-rw-r--r-- | ipaserver/dcerpc.py | 5 | ||||
-rw-r--r-- | ipaserver/ipaldap.py | 10 | ||||
-rw-r--r-- | ipaserver/plugins/ldap2.py | 4 |
3 files changed, 6 insertions, 13 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 140e26f77..a0c6e6919 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -441,15 +441,12 @@ class DomainValidator(object):
if auth:
(ccache_name, principal) = self.__kinit_as_trusted_account(info, auth)
if ccache_name:
- cb_info = dict()
- # pass empty dict, SASL GSSAPI is able to get all from the ccache
- sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
old_ccache = os.environ.get('KRB5CCNAME')
os.environ["KRB5CCNAME"] = ccache_name
# OPT_X_SASL_NOCANON is used to avoid hard requirement for PTR
# records pointing back to the same host name
conn.set_option(_ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON)
- conn.sasl_interactive_bind_s(None, sasl_auth)
+ conn.do_sasl_gssapi_bind()
if basedn is None:
# Use domain root base DN
basedn = DN(*map(lambda p: ('dc', p), info['dns_domain'].split('.')))
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 5fed6f3ac..7010ee5e3 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -41,7 +41,7 @@ from ipapython.ipa_log_manager import log_mgr
from ipapython.dn import DN, RDN
# Global variable to define SASL auth
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
DEFAULT_TIMEOUT = 10
DN_SYNTAX_OID = '1.3.6.1.4.1.1466.115.121.1.12'
@@ -1617,12 +1617,12 @@ class IPAdmin(LDAPClient):
def do_sasl_gssapi_bind(self, timeout=DEFAULT_TIMEOUT):
self.__bind_with_wait(
- self.sasl_interactive_bind_s, timeout, None, SASL_AUTH)
+ self.conn.sasl_interactive_bind_s, timeout, None, SASL_GSSAPI)
def do_external_bind(self, user_name=None, timeout=DEFAULT_TIMEOUT):
auth_tokens = ldap.sasl.external(user_name)
self.__bind_with_wait(
- self.sasl_interactive_bind_s, timeout, None, auth_tokens)
+ self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
def updateEntry(self,dn,oldentry,newentry):
# FIXME: for backwards compatibility only
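Review bot: The new `conn.do_sasl_gssapi_bind()` call drops the only comment saying where the bind's credentials come from — the removed line explained that the GSSAPI mechanism takes everything from the ccache, and after this change the dependency on `os.environ["KRB5CCNAME"]` having been pointed at the trusted-account ccache a few lines earlier is implicit. Suggest restoring it at the new call: `# GSSAPI bind picks up the trusted-account credentials from KRB5CCNAME set above`. Note also that do_sasl_gssapi_bind goes through IPAdmin.__bind_with_wait with its DEFAULT_TIMEOUT (visible in the ipaldap.py hunk), so this path may now wait or retry where the direct sasl_interactive_bind_s call did not; that looks like a behaviour change worth a word in the commit message, and since the restore of old_ccache is outside the hunk it is worth confirming it happens in a finally so a failed bind does not leave KRB5CCNAME pointing at the trusted-account ccache. The enclosing method starts and ends outside the hunk.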
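Review bot: `do_sasl_gssapi_bind` becomes the bind entry point that dcerpc.py now relies on, yet neither it nor `do_external_bind` carries a docstring, and the fact that the GSSAPI variant authenticates with whatever credentials the process-wide ccache (KRB5CCNAME) holds is no longer stated anywhere once the comment in dcerpc.py is gone. Suggest a docstring on do_sasl_gssapi_bind along the lines of `"""SASL GSSAPI bind using the credentials in the default ccache (KRB5CCNAME); the bind is driven through __bind_with_wait with ``timeout``."""`, and a matching one on do_external_bind naming the SASL EXTERNAL mechanism and the optional user_name (what __bind_with_wait does with the timeout is not visible here, so word it accordingly). Separately, the rename of the module-level `SASL_AUTH` to `SASL_GSSAPI` in the earlier hunk leaves no compatibility alias, so any out-of-tree importer of the old name gets an ImportError; if that matters, `SASL_AUTH = SASL_GSSAPI  # deprecated alias` next to the definition keeps them working. The IPAdmin class continues outside the hunk.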
@@ -1712,10 +1712,6 @@ class IPAdmin(LDAPClient):
# FIXME: for backwards compatibility only
return self.conn.set_option(*args, **kwargs)
- def sasl_interactive_bind_s(self, *args, **kwargs):
- # FIXME: for backwards compatibility only
- return self.conn.sasl_interactive_bind_s(*args, **kwargs)
-
def encode(self, *args, **kwargs):
# FIXME: for backwards compatibility only
return self.conn.encode(*args, **kwargs)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index c095dc62e..619e9a079 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -36,7 +36,7 @@ import krbV
import ldap as _ldap
from ipapython.dn import DN
-from ipaserver.ipaldap import SASL_AUTH, IPASimpleLDAPObject, LDAPClient
+from ipaserver.ipaldap import SASL_GSSAPI, IPASimpleLDAPObject, LDAPClient
try:
@@ -156,7 +156,7 @@ class ldap2(LDAPClient, CrudBackend):
context=krbV.default_context()).principal().name
os.environ['KRB5CCNAME'] = ccache
- conn.sasl_interactive_bind_s(None, SASL_AUTH)
+ conn.sasl_interactive_bind_s(None, SASL_GSSAPI)
setattr(context, 'principal', principal)
else:
# no kerberos ccache, use simple bind or external sasl
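Review bot: After this commit ldap2.py is the one remaining GSSAPI bind that still calls `conn.sasl_interactive_bind_s(None, SASL_GSSAPI)` directly, while dcerpc.py was moved in the same commit onto `do_sasl_gssapi_bind()`, which routes through `__bind_with_wait` with a timeout; if the wait/timeout behaviour motivated the dcerpc change it probably applies here as well, and if not, the asymmetry deserves a one-line comment such as `# direct bind: conn is not an IPAdmin here, so __bind_with_wait is not available`. I am inferring conn's type from the IPASimpleLDAPObject import in the earlier hunk rather than from visible code, so please confirm before wording the comment. The process-global KRB5CCNAME switch just above the bind is unchanged by this commit, and the enclosing method starts and ends outside the hunk.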