From 64575a411b27dde7919406fdaf5bdec07c6645f3 Mon Sep 17 00:00:00 2001
From: Pavel Zuna
Date: Tue, 15 Feb 2011 14:11:27 -0500
Subject: Use ldapi: instead of unsecured ldap: in ipa core tools.

The patch also corrects exception handling in some of the tools.

Fix #874
---
 install/migration/migration.py | 9 ++++++--
 install/tools/ipa-compat-manage | 11 ++++-----
 install/tools/ipa-compliance | 3 +--
 install/tools/ipa-host-net-manage | 13 +++++------
 install/tools/ipa-nis-manage | 15 ++++++------
 install/tools/ipa-replica-prepare | 6 ++---
 install/tools/ipa-server-certinstall | 3 +--
 install/tools/ipa-server-install | 10 ++++----
 ipaserver/install/ldapupdate.py | 45 ++++++++++++++++++++++++------------
 9 files changed, 65 insertions(+), 50 deletions(-)

diff --git a/install/migration/migration.py b/install/migration/migration.py
index 6b447f377..ed6ade9ef 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -20,13 +20,14 @@ Password migration script
 """
+import cgi
 import errno
+import glob
 import ldap
-import cgi
 import wsgiref
 BASE_DN = ''
-LDAP_URI = 'ldap://localhost:389'
+LDAP_URI = 'ldaps://localhost:636'
 def wsgi_redirect(start_response, loc):
 start_response('302 Found', [('Location', loc)])
@@ -83,6 +84,10 @@ def application(environ, start_response):
 if not form_data.has_key('username') or not form_data.has_key('password'):
 return wsgi_redirect(start_response, 'invalid.html')
+ slapd_sockets = glob.glob('/var/run/slapd-*.socket')
+ if slapd_sockets:
+ LDAP_URI = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
+
 try:
 bind(form_data['username'].value, form_data['password'].value)
 except IOError as err:
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index c990f9d42..723950f5d 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
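Review bot: In application(), the added `LDAP_URI = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')` binds a new function-local name, not the module-level `LDAP_URI` that the first hunk of this file sets to `'ldaps://localhost:636'`, because there is no `global LDAP_URI` statement in the function; unless bind() takes the URI as an argument, which the hunk does not show, the ldapi: path is never used and the migration still goes over TCP. Either add `global LDAP_URI` ahead of the assignment or pass the computed URI into bind() explicitly. The glob result is also taken as `slapd_sockets[0]` without any ordering, so on a host with more than one 389-ds instance the choice is arbitrary and deserves at least a comment. application() continues outside the hunk.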
@@ -93,13 +93,12 @@ def main():
 conn = None
 try:
- ldapuri = 'ldap://%s' % installutils.get_fqdn()
 try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
 conn.connect(
 bind_dn='cn=directory manager', bind_pw=dirman_password
 )
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
 except errors.ACIError, e:
 sys.exit("Authentication failed: %s" % e.info)
@@ -122,7 +121,7 @@ def main():
 retval = 2
 except errors.NotFound:
 print "Enabling plugin"
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 print "An error occurred while talking to the server."
 print lde
 retval = 1
@@ -158,7 +157,7 @@ def main():
 print "An error occurred while talking to the server."
 print dbe
 retval = 1
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 print "An error occurred while talking to the server."
 print lde
 retval = 1
@@ -167,7 +166,7 @@ def main():
 retval = 1
 finally:
- if conn.isconnected():
+ if conn and conn.isconnected():
 conn.disconnect()
 return retval
diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance
index 8b7ad776b..e1de25283 100644
--- a/install/tools/ipa-compliance
+++ b/install/tools/ipa-compliance
@@ -106,8 +106,7 @@ def check_compliance(tmpdir, debug=False):
 # Even if not registered they have some default entitlements
 pass
- ldapuri = 'ldap://%s' % api.env.host
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+ conn = ldap2(shared_instance=False)
 # Bind using GSSAPI
 conn.connect(ccache=ccache_file)
diff --git a/install/tools/ipa-host-net-manage b/install/tools/ipa-host-net-manage
index ae8a224aa..5da7b9222 100755
--- a/install/tools/ipa-host-net-manage
+++ b/install/tools/ipa-host-net-manage
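Review bot: The new `except errors.ExecutionError, lde:` on the inner try in the first hunk shadows the `except errors.ACIError, e:` clause on the outer try that follows it, if ACIError derives from ExecutionError as it does in ipalib.errors (ACIError -> AuthorizationError -> ExecutionError); a wrong Directory Manager password would then print the generic "An error occurred while connecting" message instead of "Authentication failed: ..." and the `e.info` detail is lost. Put `except errors.ACIError, e:` on the inner try ahead of the ExecutionError clause, or keep the broad clause only on the outer try. The same ordering problem is in the first hunk of install/tools/ipa-host-net-manage, and in install/tools/ipa-nis-manage the new `except errors.AuthorizationError:` is placed after `except errors.ExecutionError, lde:` and is unreachable for the same reason. main() continues outside each of these hunks.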
@@ -96,13 +96,12 @@ def main():
 conn = None
 try:
- ldapuri = 'ldap://%s' % installutils.get_fqdn()
 try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
 conn.connect(
 bind_dn='cn=directory manager', bind_pw=dirman_password
 )
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
 except errors.ACIError, e:
@@ -118,7 +117,7 @@ def main():
 print "Plugin Disabled"
 except errors.NotFound:
 print "Plugin Disabled"
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 print "An error occurred while talking to the server."
 print lde
 return 0
@@ -136,7 +135,7 @@ def main():
 retval = 2
 except errors.NotFound:
 print "Enabling Plugin"
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 print "An error occurred while talking to the server."
 print lde
 retval = 1
@@ -184,7 +183,7 @@ def main():
 print "An error occurred while talking to the server."
 print dbe
 retval = 1
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 print "An error occurred while talking to the server."
 print lde
 retval = 1
@@ -193,7 +192,7 @@ def main():
 retval = 1
 finally:
- if conn.isconnected():
+ if conn and conn.isconnected():
 conn.disconnect()
 return retval
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index 310ee1494..d611134e6 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -107,16 +107,15 @@ def main():
 conn = None
 try:
- ldapuri = 'ldap://%s' % installutils.get_fqdn()
 try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
 conn.connect(
 bind_dn='cn=directory manager', bind_pw=dirman_password
 )
- except errors.ACIError:
- sys.exit("Incorrect password")
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 sys.exit("An error occurred while connecting to the server: %s" % str(lde))
+ except errors.AuthorizationError:
+ sys.exit("Incorrect password")
 if args[0] == "enable":
 compat = get_entry(compat_dn, conn)
@@ -125,7 +124,7 @@ def main():
 entry = None
 try:
 entry = get_entry(nis_config_dn, conn)
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 print "An error occurred while talking to the server."
 print lde
 retval = 1
@@ -149,7 +148,7 @@ def main():
 entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off'):
 # Already configured, just enable the plugin
 print "Enabling plugin"
- ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
+ ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
 if ld.update(files) != True:
 retval = 1
 mod = {'nsslapd-pluginenabled': 'on'}
@@ -186,7 +185,7 @@ def main():
 print "An error occurred while talking to the server."
 print dbe
 retval = 1
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
 print "An error occurred while talking to the server."
 print lde
 retval = 1
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index f0661a378..36e34d78b 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -88,9 +88,8 @@ def parse_options():
 return options, args
 def get_subject_base(host_name, dm_password, suffix):
- ldapuri = 'ldap://%s:389' % host_name
 try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn = ldap2(shared_instance=False, base_dn=suffix)
 conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
 except errors.ExecutionError, e:
 logging.critical("Could not connect to the Directory Server on %s" % host_name)
@@ -285,9 +284,8 @@ def main():
 sys.exit(0)
 # Try out the password
- ldapuri = 'ldap://%s:389' % api.env.host
 try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+ conn = ldap2(shared_instance=False)
 conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
 conn.disconnect()
 except errors.ACIError:
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index 5fc5811d4..74ded157c 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -64,8 +64,7 @@ def parse_options():
 return options, args[0]
 def set_ds_cert_name(cert_name, dm_password):
- ldapuri = 'ldap://127.0.0.1'
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
 conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
 mod = {'nssslpersonalityssl': cert_name}
 conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6a030b973..fd202beae 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
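Review bot: get_subject_base() still logs `"Could not connect to the Directory Server on %s" % host_name` although host_name no longer takes part in the connection; `ldap2(shared_instance=False, base_dn=suffix)` now connects to whatever URI ldap2 defaults to, which this diff does not show, so the message can name a host that was never contacted. Log the URI or socket that was actually used, or drop the host from the message, in the same way the ipa-server-install hunk of this commit reworded its critical() call. If host_name is kept only for that log line, a short comment saying so would stop the next reader from assuming it selects the server. get_subject_base's body continues outside the hunk.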
@@ -444,13 +444,15 @@ def uninstall():
 return 0
-def set_subject_in_config(host_name, dm_password, suffix, subject_base):
- ldapuri = 'ldap://%s' % host_name
+def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
+ ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
+ dsinstance.realm_to_serverid(realm_name)
+ )
 try:
 conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
 conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
 except errors.ExecutionError, e:
- logging.critical("Could not connect to the Directory Server on %s" % host_name)
+ logging.critical("Could not connect to the Directory Server on %s" % realm_name)
 raise e
 (dn, entry_attrs) = conn.get_ipa_config()
 if 'ipacertificatesubjectbase' not in entry_attrs:
@@ -851,7 +853,7 @@ def main():
 http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject)
 ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
- set_subject_in_config(host_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
+ set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
 if not options.selfsign:
 service.print_msg("Setting the certificate subject base")
 ca.set_subject_in_config(util.realm_to_suffix(realm_name))
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 958904950..0cee70ba9 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
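Review bot: The reworded `logging.critical("Could not connect to the Directory Server on %s" % realm_name)` in set_subject_in_config() now prints a Kerberos realm where the operator expects a server, and the value that actually failed is the ldapi socket path built two lines above. Logging `ldapuri` instead, `logging.critical("Could not connect to the Directory Server at %s" % ldapuri)`, names the socket that was missing or unreachable, which is what someone debugging an install needs. set_subject_in_config() continues outside the hunk.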
@@ -75,13 +75,18 @@ class LDAPUpdate:
 self.realm = None
 suffix = None
- fqdn = installutils.get_fqdn()
- if fqdn is None:
- raise RuntimeError("Unable to determine hostname")
-
 domain = ipautil.get_domain_name()
 libarch = self.__identify_arch()
+ if not self.ldapi:
+ fqdn = installutils.get_fqdn()
+ if fqdn is None:
+ raise RuntimeError("Unable to determine hostname")
+ else:
+ fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % "-".join(
+ domain.upper().split(".")
+ )
+
 if not self.sub_dict.get("REALM") and self.realm is not None:
 self.sub_dict["REALM"] = self.realm
 if not self.sub_dict.get("FQDN"):
@@ -96,13 +101,15 @@ class LDAPUpdate:
 self.sub_dict["LIBARCH"] = libarch
 if not self.sub_dict.get("TIME"):
 self.sub_dict["TIME"] = int(time.time())
+ if not self.sub_dict.get("DOMAIN") and domain is not None:
+ self.sub_dict["DOMAIN"] = domain
 if online:
 # Try out the password
- if not self.ldapi:
+ #if not self.ldapi:
 try:
- conn = ipaldap.IPAdmin(fqdn)
- conn.do_simple_bind(bindpw=self.dm_password)
+ conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=domain.upper())
+ conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
 conn.unbind()
 except ldap.CONNECT_ERROR:
 raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
@@ -110,9 +117,13 @@ class LDAPUpdate:
 raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
 except ldap.INVALID_CREDENTIALS:
 raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
- else:
- conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- conn.do_external_bind(self.pw_name)
+ # THIS IS COMMENTED OUT, BECAUSE:
+ # external_bind does work, but even as root, you don't always have
+ # enought power to do everything we need due to strict ACI rules
+ #
+ #else:
+ # conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ # conn.do_external_bind(self.pw_name)
 else:
 raise RuntimeError("Offline updates are not supported.")
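Review bot: The password check in the second hunk now always runs `ipaldap.IPAdmin(fqdn, ldapi=True, realm=domain.upper())` because `#if not self.ldapi:` was commented out rather than inverted, so when the caller asked for a TCP connection `fqdn` is a plain hostname yet ldapi=True is passed; the later hunk in this file passes `ldapi=self.ldapi`, and the two should agree. The same line calls `domain.upper()` unconditionally, while the new DOMAIN substitution a few lines earlier guards on `domain is not None`, so a missing domain name raises AttributeError here instead of a readable error. Reusing `fqdn` for the socket URI also means that, if the `self.sub_dict["FQDN"] = fqdn` assignment that appears to follow `if not self.sub_dict.get("FQDN"):` (outside the hunk) is unchanged, every `$FQDN` substituted into update files becomes `ldapi://...socket` in the ldapi case — worth confirming and, if so, keeping a separate variable for the URI. Deriving the server id with `"-".join(domain.upper().split("."))` duplicates `dsinstance.realm_to_serverid()` that the ipa-server-install hunk of this same commit uses; calling the one helper avoids the two diverging when the realm is not the upper-cased domain. __init__ continues outside these hunks.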
@@ -640,11 +651,15 @@ class LDAPUpdate:
 try:
 if self.online:
- if self.ldapi:
- self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- self.conn.do_external_bind(self.pw_name)
- else:
- self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'])
+ # THIS IS COMMENTED OUT, BECAUSE:
+ # external_bind does work, but even as root, you don't always have
+ # enought power to do everything we need due to strict ACI rules
+ #
+ #if self.ldapi:
+ # self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ # self.conn.do_external_bind(self.pw_name)
+ #else:
+ self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'], ldapi=self.ldapi, realm=self.sub_dict['DOMAIN'].upper())
 self.conn.do_simple_bind(bindpw=self.dm_password)
 else:
 raise RuntimeError("Offline updates are not supported.")
--
cgit
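Review bot: `self.sub_dict['DOMAIN'].upper()` raises KeyError whenever DOMAIN was never filled in — the __init__ hunk earlier in this file only sets it when `domain is not None`, and a caller-supplied sub_dict is not required to carry it — so the failure surfaces as a traceback from the connect path rather than the RuntimeError the surrounding code uses for connection problems. Read it defensively, e.g. `domain = self.sub_dict.get('DOMAIN')` then `realm = domain.upper() if domain else self.realm`, and pass `realm=realm`. The eight commented-out lines (and the matching block in the __init__ hunk) should be deleted rather than kept in the file; the explanation they carry fits in a two-line comment, and the typo "enought" would go with them. The enclosing method starts and ends outside the hunk.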