-rwxr-xr-x | install/tools/ipa-adtrust-install | 4 | ||||
-rw-r--r-- | ipapython/ipaldap.py | 37 | ||||
-rw-r--r-- | ipaserver/install/bindinstance.py | 25 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 2 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 2 | ||||
-rw-r--r-- | ipaserver/install/service.py | 30 |
6 files changed, 50 insertions, 50 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 7b616c1b6..6e55bbe3e 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -25,7 +25,7 @@ from ipaserver.install import adtrustinstance
 from ipaserver.install.installutils import *
 from ipaserver.install import service
 from ipapython import version
-from ipapython import ipautil, sysrestore
+from ipapython import ipautil, sysrestore, ipaldap
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 import krbV
@@ -405,7 +405,7 @@ def main():
 smb = adtrustinstance.ADTRUSTInstance(fstore)
 smb.realm = api.env.realm
- smb.autobind = service.ENABLED
+ smb.autobind = ipaldap.AUTOBIND_ENABLED
 smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, netbios_name, reset_netbios_name, options.rid_base, options.secondary_rid_base,
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 2818f787b..1702daa25 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -27,6 +27,8 @@ from decimal import Decimal
 from copy import deepcopy
 import contextlib
 import collections
+import os
+import pwd
 import ldap
 import ldap.sasl
@@ -53,6 +55,10 @@ _debug_log_ldap = False
 _missing = object()
+# Autobind modes
+AUTOBIND_AUTO = 1
+AUTOBIND_ENABLED = 2
+AUTOBIND_DISABLED = 3
 def unicode_from_utf8(val):
 '''
@@ -1633,6 +1639,18 @@ class LDAPClient(object):
 with self.error_handler():
 self.conn.delete_s(dn)
+ def entry_exists(self, dn):
+ """
+ Test whether the given object exists in LDAP.
+ """
+ assert isinstance(dn, DN)
+ try:
+ self.get_entry(dn, attrs_list=[])
+ except errors.NotFound:
+ return False
+ else:
+ return True
+
 class IPAdmin(LDAPClient):
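Review bot: The new `entry_exists` method in ipaldap.py validates its argument with `assert isinstance(dn, DN)`, which is stripped when Python runs with `-O`, so a non-DN value would then reach `get_entry` unchecked; as this is now a shared LDAPClient method rather than a nested install-time helper, replace it with `if not isinstance(dn, DN): raise TypeError("dn must be a DN")`. The call also changes from the `conn.get_entry(dn)` it replaces in bindinstance to `get_entry(dn, attrs_list=[])`; whether an empty list requests no attributes or all attributes is not visible here, so a one-line comment stating the intent (`# attrs_list=[] : existence check only, no attribute values needed`) would prevent a future "fix" that re-fetches the whole entry. The three new `AUTOBIND_*` constants deserve a comment per mode describing the behaviour `do_bind` gives them, e.g. `# AUTO: try LDAPI external bind as the current user, else GSSAPI`, `# ENABLED: external bind required; a refused bind raises`, `# DISABLED: never attempt external bind`.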
@@ -1742,6 +1760,25 @@ class IPAdmin(LDAPClient):
 self.__bind_with_wait( self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
+ def do_bind(self, dm_password="", autobind=AUTOBIND_AUTO, timeout=DEFAULT_TIMEOUT):
+ if dm_password:
+ self.do_simple_bind(bindpw=dm_password, timeout=timeout)
+ return
+ if autobind != AUTOBIND_DISABLED and os.getegid() == 0 and self.ldapi:
+ try:
+ # autobind
+ pw_name = pwd.getpwuid(os.geteuid()).pw_name
+ self.do_external_bind(pw_name, timeout=timeout)
+ return
+ except errors.NotFound, e:
+ if autobind == AUTOBIND_ENABLED:
+ # autobind was required and failed, raise
+ # exception that it failed
+ raise
+
+ #fall back
+ self.do_sasl_gssapi_bind(timeout=timeout)
+
 def modify_s(self, *args, **kwargs):
 # FIXME: for backwards compatibility only
 return self.conn.modify_s(*args, **kwargs)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 09760d667..cece85ec6 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -202,23 +202,11 @@ def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA,
 with open(NAMED_CONF, 'w') as f:
 f.write("".join(new_lines))
-def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None):
+def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None,
+ autobind=ipaldap.AUTOBIND_DISABLED):
 """
 Test whether the dns container exists.
 """
-
- def object_exists(dn): # FIXME, this should be a IPAdmin/ldap2 method so it can be shared
- """
- Test whether the given object exists in LDAP.
- """
- assert isinstance(dn, DN)
- try:
- conn.get_entry(dn)
- except errors.NotFound:
- return False
- else:
- return True
-
 assert isinstance(suffix, DN)
 try:
 # At install time we may need to use LDAPI to avoid chicken/egg
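Review bot: In `do_bind` the guard for the autobind path tests `os.getegid() == 0` but the identity sent in the external bind is resolved from `os.geteuid()`, so the "running as root" decision is made on the effective group while the bind name comes from the effective user; the two can disagree under a setgid binary or a caller that drops privileges in one dimension only. The test was carried over from service.py, but now that it lives in a shared IPAdmin method it is worth aligning it: `if autobind != AUTOBIND_DISABLED and os.geteuid() == 0 and self.ldapi:`. The method also has no docstring; it should state that a non-empty dm_password always wins and does a simple bind, that AUTOBIND_AUTO falls back to GSSAPI when the external bind raises NotFound while AUTOBIND_ENABLED re-raises, and that AUTOBIND_ENABLED still silently falls through to GSSAPI when the process is not root or the connection is not LDAPI, which callers that treat ENABLED as "must use autobind" may not expect. The `e` bound in `except errors.NotFound, e:` is unused and can be dropped.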
@@ -228,14 +216,11 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None
 else:
 conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=CACERT)
- if dm_password:
- conn.do_simple_bind(bindpw=dm_password)
- else:
- conn.do_sasl_gssapi_bind()
+ conn.do_bind(dm_password, autobind=autobind)
 except ldap.SERVER_DOWN:
 raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
- ret = object_exists(DN(('cn', 'dns'), suffix))
+ ret = conn.entry_exists(DN(('cn', 'dns'), suffix))
 conn.unbind()
 return ret
@@ -446,7 +431,7 @@ class BindInstance(service.Service):
 service_desc="DNS",
 dm_password=dm_password,
 ldapi=False,
- autobind=service.DISABLED
+ autobind=ipaldap.AUTOBIND_DISABLED
 )
 self.dns_backup = DnsBackup(self)
 self.named_user = None
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 45c72198d..b0037dd56 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -271,7 +271,7 @@ class CADSInstance(service.Service):
 service_desc="directory server for the CA",
 dm_password=dm_password,
 ldapi=False,
- autobind=service.DISABLED)
+ autobind=ipaldap.AUTOBIND_DISABLED)
 self.serverid = "PKI-IPA"
 self.realm = realm_name
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0edd4ed63..6e79dc51f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -192,7 +192,7 @@ class DsInstance(service.Service):
 service_desc="directory server",
 dm_password=dm_password,
 ldapi=False,
- autobind=service.DISABLED
+ autobind=ipaldap.AUTOBIND_DISABLED
 )
 self.nickname = 'Server-Cert'
 self.dm_password = dm_password
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 018c369ff..8fb802099 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -20,7 +20,6 @@ import sys
 import os, socket
 import tempfile
-import pwd
 import time
 import datetime
 import traceback
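Review bot: In `dns_container_exists` the `conn.unbind()` following the new `ret = conn.entry_exists(DN(('cn', 'dns'), suffix))` line is not in a `finally`, and `entry_exists` swallows only NotFound, so any other LDAP error raised by the lookup propagates with the bound connection still open; wrapping the lookup as `try: ret = conn.entry_exists(DN(('cn', 'dns'), suffix))` / `finally: conn.unbind()` closes that gap. The new `autobind` parameter added to this function's signature (in the previous hunk) defaults to AUTOBIND_DISABLED whereas `Service.__init__` defaults to AUTOBIND_AUTO; a short comment on the signature explaining why this helper opts out by default would help the next reader, since with `ldapi=False` the autobind branch of `do_bind` is skipped regardless. The enclosing function starts outside this hunk.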
@@ -32,10 +31,6 @@ from ipalib import errors, certstore
 from ipaplatform import services
 from ipaplatform.paths import paths
-# Autobind modes
-AUTO = 1
-ENABLED = 2
-DISABLED = 3
 # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple
 # the first value is the *nix service name, the second the start order.
@@ -74,7 +69,8 @@ def format_seconds(seconds):
 class Service(object):
- def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True, autobind=AUTO):
+ def __init__(self, service_name, service_desc=None, sstore=None, dm_password=None, ldapi=True,
+ autobind=ipaldap.AUTOBIND_AUTO):
 self.service_name = service_name
 self.service_desc = service_desc
 self.service = services.service(service_name)
@@ -110,26 +106,8 @@ class Service(object):
 conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm)
 else:
 conn = ipaldap.IPAdmin(self.fqdn, port=389)
- if self.dm_password:
- conn.do_simple_bind(bindpw=self.dm_password)
- elif self.autobind in [AUTO, ENABLED]:
- if os.getegid() == 0 and self.ldapi:
- try:
- # autobind
- pw_name = pwd.getpwuid(os.geteuid()).pw_name
- conn.do_external_bind(pw_name)
- except errors.NotFound, e:
- if self.autobind == AUTO:
- # Fall back
- conn.do_sasl_gssapi_bind()
- else:
- # autobind was required and failed, raise
- # exception that it failed
- raise e
- else:
- conn.do_sasl_gssapi_bind()
- else:
- conn.do_sasl_gssapi_bind()
+
+ conn.do_bind(self.dm_password, autobind=self.autobind)
 except Exception, e:
 root_logger.debug("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e)))
 raise
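Review bot: The new `conn.do_bind(self.dm_password, autobind=self.autobind)` call performs a simple bind with the Directory Manager password whenever one is set, including on the non-LDAPI branch two lines above it that connects to `self.fqdn` on port 389; unless IPAdmin negotiates StartTLS on that connection (not visible in this hunk), the password crosses the network unprotected. This is inherited from the removed code rather than introduced here, but with the bind logic now centralised the refactor is the right moment to either refuse a `dm_password` on a plain port-389 connection or record the assumption next to the call, e.g. `# NOTE: simple bind with the DM password over 389 relies on IPAdmin enabling TLS first`. The `try` enclosing this block starts outside the hunk.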