From 861aa9c1b8ddf757b358f3a66e3ca57d4cc05b4c Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Wed, 19 Jan 2011 15:17:25 -0500
Subject: Allow SASL/EXTERNAL authentication for the root user

This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.

Fixes: https://fedorahosted.org/freeipa/ticket/795
---
 install/tools/ipactl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'install/tools/ipactl')

diff --git a/install/tools/ipactl b/install/tools/ipactl
index 0254a2762..fc652c975 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -26,6 +26,7 @@ try:
     from ipalib import api, errors
     import logging
     import ldap
+    import ldap.sasl
     import socket
 except ImportError:
     print >> sys.stderr, """\
@@ -36,6 +37,8 @@ error was:
 """ % sys.exc_value
     sys.exit(1)
 
+SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL')
+
 def parse_options():
     usage = "%prog start|stop|restart|status\n"
     parser = config.IPAOptionParser(usage=usage,
@@ -60,7 +63,7 @@ def get_config():
 
     try:
         con = ldap.initialize(api.env.ldap_uri)
-        con.simple_bind()
+        con.sasl_interactive_bind_s('', SASL_EXTERNAL)
         res = con.search_st(base,
                             ldap.SCOPE_SUBTREE,
                             filterstr=srcfilter,
-- 
cgit