Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/ldap2.py | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 178386c67..61341b082 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -42,7 +42,19 @@ import ldap as _ldap
 from ldap.ldapobject import SimpleLDAPObject
 import ldap.filter as _ldap_filter
 import ldap.sasl as _ldap_sasl
-from ldap.controls import LDAPControl
+try:
+ from ldap.controls.simple import GetEffectiveRightsControl #pylint: disable=F0401,E0611
+except ImportError:
+ """
+ python-ldap 2.4.x introduced a new API for effective rights control, which
+ needs to be used or otherwise bind dn is not passed correctly. The following
+ class is created for backward compatibility with python-ldap 2.3.x.
+ Relevant BZ: https://bugzilla.redhat.com/show_bug.cgi?id=802675
+ """
+ from ldap.controls import LDAPControl
+ class GetEffectiveRightsControl(LDAPControl):
+ def __init__(self, criticality, authzId=None):
+ LDAPControl.__init__(self, '1.3.6.1.4.1.42.2.27.9.5.2', criticality, authzId)
 # for backward compatibility
 from ldap.functions import explode_dn
 from ipalib.dn import DN
@@ -874,7 +886,7 @@ class ldap2(CrudBackend, Encoder):
 """
 principal = getattr(context, 'principal')
 (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
- sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: " + binddn.encode('UTF-8'))]
+ sctrl = [GetEffectiveRightsControl(True, "dn: " + binddn.encode('UTF-8'))]
 self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
 (dn, attrs) = self.get_entry(dn, entry_attrs)
 # remove the control so subsequent operations don't include GER |
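Review bot: The triple-quoted block under `except ImportError:` in the first hunk is a bare string expression, not a comment or a docstring, so it is evaluated and discarded at import time and no documentation tool will attach it to the fallback class. The rationale would be better placed in `#` comments directly above the `try:`, with a short docstring on the class itself such as `"""Get Effective Rights control for python-ldap 2.3.x; authzId is passed as the control value."""`. The OID literal `'1.3.6.1.4.1.42.2.27.9.5.2'` is the only thing that marks the request as a Get Effective Rights control, so a named module-level constant would make it easier to audit than an inline string.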
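Review bot: Nothing visible in the second hunk guarantees that the GER control is cleared when `self.get_entry(dn, entry_attrs)` raises: `self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)` and the lookup run back to back with no `try` between them, and the reset announced by the trailing comment lies outside the hunk. If the lookup fails, the critical control carrying the caller's `authzId` would presumably stay set on `self.conn` and be attached to later operations on that connection. Wrapping the call as `try:` / `(dn, attrs) = self.get_entry(dn, entry_attrs)` / `finally:` with the existing reset statement in the `finally` body would close that gap. The method begins and ends outside the hunk, so confirm that no outer handler already does this.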