authorSimo Sorce <ssorce@redhat.com>2011-02-25 18:37:45 -0500
committerSimo Sorce <ssorce@redhat.com>2011-03-01 11:02:55 -0500
commit2028695d88cad856d3051abc76fa9254dd3598e2 (patch)
tree8afc023649613a644ce5f8e973defae7393d9ebc
parent09dd05b49ac8b5bcb0adcc193e9b943be6471f70 (diff)
downloadfreeipa-2028695d88cad856d3051abc76fa9254dd3598e2.tar.gz
freeipa-2028695d88cad856d3051abc76fa9254dd3598e2.tar.xz
freeipa-2028695d88cad856d3051abc76fa9254dd3598e2.zip
Use wrapper for sasl gssapi binds so it behaves like other binds
By calling sasl_interactive_bind_s() directly we were not calling __lateinit(). This in turn resulted in some variables, like dbdir, not being set on the IPAdmin object. Keep all bind types in the same place so the same common sbind steps can be performed in each case. Related to: https://fedorahosted.org/freeipa/ticket/1022
-rwxr-xr-xinstall/tools/ipa-replica-manage2
-rw-r--r--ipaserver/install/replication.py12
-rw-r--r--ipaserver/install/service.py3
-rw-r--r--ipaserver/ipaldap.py8
4 files changed, 13 insertions, 12 deletions
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 19ff1f90..931b1392 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -142,7 +142,7 @@ def list_masters(realm, host, replica, dirman_passwd, verbose):
if dirman_passwd:
conn.do_simple_bind(bindpw=dirman_passwd)
else:
- conn.sasl_interactive_bind_s('', ipaldap.sasl_auth)
+ conn.do_sasl_gssapi_bind()
dn = 'cn=masters,cn=ipa,cn=etc,%s' % util.realm_to_suffix(realm)
entries = conn.search_s(dn, ldap.SCOPE_ONELEVEL)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 1f1598a4..402577f1 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -39,8 +39,6 @@ TIMEOUT = 120
IPA_REPLICA = 1
WINSYNC = 2
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
-
def check_replication_plugin():
"""
Confirm that the 389-ds replication is installed.
@@ -64,7 +62,7 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
if dirman_passwd:
conn.do_simple_bind(bindpw=dirman_passwd)
else:
- conn.sasl_interactive_bind_s('', SASL_AUTH)
+ conn.do_sasl_gssapi_bind()
entry = conn.search_s('cn=IPA Version Replication,cn=plugins,cn=config', ldap.SCOPE_BASE, 'objectclass=*')
if entry[0].getValue('nsslapd-pluginenabled') == 'off':
conn.modify_s(entry[0].dn, [(ldap.MOD_REPLACE, 'nsslapd-pluginenabled', 'on')])
@@ -90,7 +88,7 @@ class ReplicationManager:
if dirman_passwd:
self.conn.do_simple_bind(bindpw=dirman_passwd)
else:
- self.conn.sasl_interactive_bind_s('', SASL_AUTH)
+ self.conn.do_sasl_gssapi_bind()
self.repl_man_passwd = dirman_passwd
@@ -605,7 +603,7 @@ class ReplicationManager:
if r_bindpw:
r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
else:
- r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+ r_conn.do_sasl_gssapi_bind()
#Setup the first half
l_id = self._get_replica_id(self.conn, r_conn)
@@ -684,7 +682,7 @@ class ReplicationManager:
if r_bindpw:
r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
else:
- r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+ r_conn.do_sasl_gssapi_bind()
# First off make sure servers are in sync so that both KDCs
# have all princiapls and their passwords and can release
@@ -714,7 +712,7 @@ class ReplicationManager:
if r_bindpw:
r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
else:
- r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+ r_conn.do_sasl_gssapi_bind()
# Allow krb principals to act as replicas
self.setup_krb_princs_as_replica_binddns(self.conn, r_conn)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 41b22141..ec4855f8 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -31,7 +31,6 @@ import datetime
from ipaserver.install import installutils
CACERT = "/etc/ipa/ca.crt"
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
SERVICE_LIST = {
'KDC':('krb5kdc', 10),
@@ -299,7 +298,7 @@ class Service:
if dm_password:
conn.do_simple_bind(bindpw=dm_password)
else:
- conn.sasl_interactive_bind_s('', SASL_AUTH)
+ conn.do_sasl_gssapi_bind_()
except Exception, e:
logging.debug("Could not connect to the Directory Server on %s: %s" % (fqdn, str(e)))
raise e
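Review bot: The new call `conn.do_sasl_gssapi_bind_()` has a trailing underscore that does not match the `do_sasl_gssapi_bind` method this commit adds in ipaserver/ipaldap.py. Unless the connection class resolves that name some other way (not visible here), the GSSAPI branch will most likely raise AttributeError instead of binding whenever no Directory Manager password is supplied. The surrounding `except Exception` logs the error only at debug level before re-raising, so the failure would look like a connectivity problem rather than a typo. The line should read `conn.do_sasl_gssapi_bind()`. The enclosing method starts outside the hunk.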
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index d2d3d98a..b72a43ee 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -36,7 +36,7 @@ from ipaserver import ipautil
from ipalib import errors
# Global variable to define SASL auth
-sasl_auth = ldap.sasl.sasl({},'GSSAPI')
+SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')
class Entry:
"""
@@ -338,7 +338,7 @@ class IPAdmin(SimpleLDAPObject):
try:
if krbccache is not None:
os.environ["KRB5CCNAME"] = krbccache
- self.sasl_interactive_bind_s("", sasl_auth)
+ self.sasl_interactive_bind_s("", SASL_AUTH)
self.principal = principal
self.proxydn = None
except ldap.LDAPError, e:
@@ -350,6 +350,10 @@ class IPAdmin(SimpleLDAPObject):
self.simple_bind_s(binddn, bindpw)
self.__lateinit()
+ def do_sasl_gssapi_bind(self):
+ self.sasl_interactive_bind_s('', SASL_AUTH)
+ self.__lateinit()
+
def do_external_bind(self, user_name=None):
auth_tokens = ldap.sasl.external(user_name)
self.sasl_interactive_bind_s("", auth_tokens)
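Review bot: `do_sasl_gssapi_bind` is added without a docstring, although the identity it binds as is implicit. It takes no arguments, so it presumably authenticates with whatever Kerberos credential cache the process environment already points to. I would add a docstring such as `"""Bind with SASL/GSSAPI using the ambient Kerberos credentials, then run the common post-bind setup."""`. Unlike the ccache-based bind in the preceding hunk, which sets `self.principal` and `self.proxydn` after binding, this wrapper sets neither. Confirm that callers do not rely on those attributes. That earlier path also still calls `sasl_interactive_bind_s` directly, and whether it reaches `__lateinit()` is not visible in the hunk.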