authorPavel Zuna <pzuna@redhat.com>2010-03-24 15:51:31 +0100
committerRob Crittenden <rcritten@redhat.com>2010-04-19 11:27:10 -0400
commit3620135ec97c156b84a310cd423d5df52732b3f8 (patch)
tree665eb48ad333da90acf0313e0005877954e4b9f7
parentcc336cf9c17283684df7b850e010d669122126a5 (diff)
Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
-rwxr-xr-xinstall/tools/ipa-compat-manage38
-rwxr-xr-xinstall/tools/ipa-dns-install18
-rw-r--r--install/tools/ipa-fix-CVE-2008-327463
-rwxr-xr-xinstall/tools/ipa-ldap-updater2
-rwxr-xr-xinstall/tools/ipa-nis-manage44
-rwxr-xr-xinstall/tools/ipa-replica-install22
-rwxr-xr-xinstall/tools/ipa-replica-manage8
-rwxr-xr-xinstall/tools/ipa-replica-prepare33
-rwxr-xr-xinstall/tools/ipa-server-certinstall18
-rwxr-xr-xinstall/tools/ipa-server-install24
-rw-r--r--ipaserver/plugins/ldap2.py22
11 files changed, 144 insertions, 148 deletions
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index 09a06caa..b22ce77f 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -22,12 +22,11 @@
import sys
try:
from optparse import OptionParser
- from ipaserver import ipaldap
from ipapython import entity, ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
+ from ipaserver.plugins.ldap2 import ldap2
from ipalib import errors
- import ldap
import logging
import re
import krbV
@@ -95,26 +94,29 @@ def main():
else:
dirman_password = get_dirman_password()
+ conn = None
try:
+ ldapuri = 'ldap://%s' % installutils.get_fqdn()
try:
- conn = ipaldap.IPAdmin(installutils.get_fqdn())
- conn.do_simple_bind(bindpw=dirman_password)
- except ldap.LDAPError, e:
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn.connect(
+ bind_dn='cn=directory manager', bind_pw=dirman_password
+ )
+ except errors.LDAPError, e:
print "An error occurred while connecting to the server."
- print "%s" % e[0]['desc']
+ print e
return 1
if args[0] == "enable":
try:
- conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
- ldap.SCOPE_BASE, "(objectclass=*)")
+ conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config')
print "Plugin already Enabled"
retval = 2
except errors.NotFound:
print "Enabling plugin"
- except ldap.LDAPError, e:
+ except errors.LDAPError, e:
print "An error occurred while talking to the server."
- print "%s" % e[0]['desc']
+ print e
retval = 1
if retval == 0:
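Review bot: The directory manager password is sent in a simple bind over a plain `ldap://` URI here (`ldapuri = 'ldap://%s' % installutils.get_fqdn()` followed by `conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)`), so unless ldap2 negotiates TLS internally, which these hunks do not show, the credential crosses the wire unencrypted. The same pattern is in the connect hunks of ipa-dns-install, ipa-fix-CVE-2008-3274 (change_mkey), ipa-nis-manage, ipa-replica-prepare, ipa-server-install and, most exposed because it targets the remote master, ipa-replica-install. Consider an `ldaps://` URI or StartTLS with the CA verified before the bind, and a comment at each site stating which transport protection is relied on. main() continues outside this hunk.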
@@ -127,17 +129,15 @@ def main():
# Make a quick hack foir now, directly delete the entries by name,
# In future we should add delete capabilites to LDAPUpdate
try:
- conn.getEntry("cn=Schema Compatibility,cn=plugins,cn=config",
- ldap.SCOPE_BASE, "(objectclass=*)")
- conn.deleteEntry("cn=groups,cn=Schema Compatibility,cn=plugins,cn=config")
- conn.deleteEntry("cn=users,cn=Schema Compatibility,cn=plugins,cn=config")
- conn.deleteEntry("cn=Schema Compatibility,cn=plugins,cn=config")
+ conn.delete_entry('cn=groups,cn=Schema Compatibility,cn=plugins,cn=config')
+ conn.delete_entry('cn=users,cn=Schema Compatibility,cn=plugins,cn=config')
+ conn.delete_entry('cn=Schema Compatibility,cn=plugins,cn=config')
except errors.NotFound:
print "Plugin is already disabled"
retval = 2
- except ldap.LDAPError, e:
+ except errors.LDAPError, e:
print "An error occurred while talking to the server."
- print "%s" % e[0]['desc']
+ print e
retval = 1
else:
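Review bot: With the up-front lookup of `cn=Schema Compatibility,cn=plugins,cn=config` gone, the first `delete_entry` that raises `errors.NotFound` now decides the outcome: if only `cn=groups,...` is missing, the script prints "Plugin is already disabled" and returns 2 while `cn=users,...` and the plugin container are still present. Either keep a `conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config')` probe before the deletes, or delete each child under its own `try`/`except errors.NotFound` so a partly removed tree is still cleaned up. The enclosing branch of main() starts and ends outside this hunk.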
@@ -145,7 +145,7 @@ def main():
finally:
if conn:
- conn.unbind()
+ conn.disconnect()
return retval
@@ -167,6 +167,6 @@ except config.IPAConfigError, e:
print "An IPA server to update cannot be found. Has one been configured yet?"
print "The error was: %s" % e
sys.exit(1)
-except ldap.LDAPError, e:
+except errors.LDAPError, e:
print "An error occurred while performing operations: %s" % e
sys.exit(1)
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 0656794c..3413312a 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -22,13 +22,12 @@
from optparse import OptionParser
import traceback
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import bindinstance, ntpinstance
from ipaserver.install.installutils import *
from ipapython import version
from ipapython import ipautil, sysrestore
-from ipalib import api, util
-import ldap
+from ipalib import api, errors, util
def parse_options():
parser = OptionParser(version=version.VERSION)
@@ -134,14 +133,15 @@ def main():
dm_password = options.dm_password
# Try out the password
+ ldapuri = 'ldap://%s' % api.env.host
try:
- conn = ipaldap.IPAdmin(api.env.host)
- conn.do_simple_bind(bindpw=dm_password)
- conn.unbind()
- except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
- sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
- except ldap.INVALID_CREDENTIALS, e :
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+ conn.disconnect()
+ except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
+ except errors.LDAPError:
+ sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()
diff --git a/install/tools/ipa-fix-CVE-2008-3274 b/install/tools/ipa-fix-CVE-2008-3274
index 79ff904d..723d4121 100644
--- a/install/tools/ipa-fix-CVE-2008-3274
+++ b/install/tools/ipa-fix-CVE-2008-3274
@@ -25,13 +25,10 @@ try:
import ipapython.ipautil
import krbV
- import ldap
-
- from ldap import LDAPError
- from ldap import ldapobject
+ from ipalib import errors
from ipaclient import ipachangeconf
- from ipaserver import ipaldap
+ from ipaserver.plugins.ldap2 import ldap2
from pyasn1.type import univ, namedtype
import pyasn1.codec.ber.encoder
@@ -70,22 +67,24 @@ def parse_options():
def check_vuln(realm, suffix):
+ ldapuri = 'ldap://127.0.0.1'
try:
- conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
- conn.simple_bind()
- msgid = conn.search("cn="+realm+",cn=kerberos,"+suffix,
- ldap.SCOPE_BASE,
- "(objectclass=krbRealmContainer)",
- ("krbmkey", "cn"))
- res = conn.result(msgid)
- conn.unbind()
-
- if len(res) != 2:
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn.connect()
+ try:
+ (entries, truncated) = conn.find_entries(
+ filter='(objectclass=krbRealmContainer)',
+ attrs_list=('krbmkey', 'cn'), scope=ldap2.SCOPE_BASE,
+ base_dn='cn=%s,cn=kerberos' % realm
+ )
+ except errors.NotFound:
err = 'Realm Container not found, unable to proceed'
print err
raise Exception, err
+ finally:
+ conn.disconnect()
- if 'krbmkey' in res[1][0][1]:
+ if 'krbmkey' in entries[0][1]:
print 'System vulnerable'
return 1
else:
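Review bot: `conn.connect()` is called without `bind_dn`/`bind_pw`, which is presumably an anonymous bind and the whole point of the check (is `krbmkey` readable without credentials), but nothing in check_vuln says so. A comment such as `# anonymous bind on purpose: the test is whether krbmkey is readable without credentials` above the connect would keep a later cleanup from adding credentials, which would make the result meaningless. The outer `try` opened at the top of the function closes outside this hunk.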
@@ -185,9 +184,10 @@ def change_mkey(password = None, quiet = False):
password = getpass.getpass("Directory Manager password: ")
# get a connection to the DS
+ ldapuri = 'ldap://%s' % ipapython.config.config.default_server[0]
try:
- conn = ipaldap.IPAdmin(ipapython.config.config.default_server[0])
- conn.do_simple_bind(bindpw=password)
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=password)
except Exception, e:
print "ERROR: Could not connect to the Directory Server on "+ipapython.config.config.default_server[0]+" ("+str(e)+")"
return 1
@@ -298,8 +298,8 @@ def change_mkey(password = None, quiet = False):
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn="+realm+",cn=kerberos,"+suffix
- mod = [(ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
- conn.modify_s(dn, mod)
+ mod = {'krbmkey': str(asn1key)}
+ conn.update_entry(dn, mod)
except Exception, e:
print "ERROR: Failed to upload the Master Key from the Stash file: "+newstashfile+" ("+str(e)+")"
return 1
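Review bot: `dn` is still built with the suffix appended (`"cn="+realm+",cn=kerberos,"+suffix`) although the connection is now created with `base_dn=suffix`, whereas fix_main in this same commit switches to the suffix-relative `'cn=%s,cn=kerberos' % realm`. Both only work if ldap2 normalises DNs against base_dn, which is not visible on this page; pick one form for both call sites and say which in a comment, e.g. `# dn is relative to conn.base_dn`. change_mkey's `try` starts outside this hunk.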
@@ -459,16 +459,25 @@ def fix_main(password, realm, suffix):
krbMKey.setComponentByPosition(1, MasterKey)
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
- dn = "cn=%s,cn=kerberos,%s" % (realm, suffix)
+ dn = 'cn=%s,cn=kerberos' % realm
sub_dict = dict(REALM=realm, SUFFIX=suffix)
#protect the master key by adding an appropriate deny rule along with the key
- mod = [(ldap.MOD_ADD, 'aci', ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)),
- (ldap.MOD_REPLACE, 'krbMKey', str(asn1key))]
+ conn = ldap2(
+ shared_instance=False, ldap_uri='ldap://127.0.0.1',
+ base_dn=suffix
+ )
+ conn.connect(bind_dn='cn=directory manager', bind_pw=password)
+
+ (dn, entry_attrs) = conn.get_entry(dn, ['aci'])
+
+ entry_attrs['krbmkey'] = str(asn1key)
+ entry_attrs.setdefault('aci', []).append(
+ ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)
+ )
+
+ conn.update_entry(dn, entry_attrs)
- conn = ldapobject.SimpleLDAPObject("ldap://127.0.0.1/")
- conn.simple_bind("cn=Directory Manager", password)
- conn.modify_s(dn, mod)
- conn.unbind()
+ conn.disconnect()
print "\n"
print "This server is now correctly configured and the master-key has been changed and secured."
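Review bot: The session bound as `cn=directory manager` is only closed on the success path: if `conn.get_entry` or `conn.update_entry` raises, `conn.disconnect()` is never reached, unlike check_vuln in this file, which uses `finally`. The same shape appears in get_subject_base (ipa-replica-prepare), set_ds_cert_name (ipa-server-certinstall) and set_subject_in_config (ipa-server-install). Appending the deny ACI unconditionally also means a second run submits a value that is already on the entry; the sketch below skips it on an exact string match, which is only a best-effort guard if the server stores the ACI in a different textual form. fix_main begins outside this hunk.

```python
conn.connect(bind_dn='cn=directory manager', bind_pw=password)
try:
    (dn, entry_attrs) = conn.get_entry(dn, ['aci'])
    deny_aci = ipapython.ipautil.template_str(KRBMKEY_DENY_ACI, sub_dict)
    entry_attrs['krbmkey'] = str(asn1key)
    acis = entry_attrs.setdefault('aci', [])
    if deny_aci not in acis:
        acis.append(deny_aci)
    conn.update_entry(dn, entry_attrs)
finally:
    # always release the directory manager session, even on failure
    conn.disconnect()
# ... unchanged: success messages ...
```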
diff --git a/install/tools/ipa-ldap-updater b/install/tools/ipa-ldap-updater
index 97d464cd..746cd421 100755
--- a/install/tools/ipa-ldap-updater
+++ b/install/tools/ipa-ldap-updater
@@ -26,11 +26,9 @@
import sys
try:
from optparse import OptionParser
- from ipaserver import ipaldap
from ipapython import entity, ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
- import ldap
import logging
import re
import krbV
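Review bot: Both `from ipaserver import ipaldap` and `import ldap` are dropped here, but this is the only hunk for ipa-ldap-updater, so any remaining `ldap.` or `ipaldap.` reference in the rest of the script (for example a trailing `except ldap.LDAPError` like the ones ipa-compat-manage and ipa-nis-manage had) would now fail with a NameError at the moment it is evaluated. The rest of the file is not visible on this page; confirm with a grep before merging, and do the same for ipa-server-install and ipa-server-certinstall, which lose `import ldap` as well.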
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index 18a14639..22cfd432 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -22,12 +22,11 @@
import sys
try:
from optparse import OptionParser
- from ipaserver import ipaldap
from ipapython import entity, ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
+ from ipaserver.plugins.ldap2 import ldap2
from ipalib import errors
- import ldap
import logging
except ImportError:
print >> sys.stderr, """\
@@ -68,12 +67,9 @@ def get_dirman_password():
def get_nis_config(conn):
entry = None
try:
- entry = conn.getEntry(nis_config_dn, ldap.SCOPE_BASE, "(objectclass=*)")
+ (dn, entry) = conn.get_entry(nis_config_dn)
except errors.NotFound:
pass
- except ldap.LDAPError, e:
- raise e
-
return entry
def main():
@@ -103,22 +99,26 @@ def main():
else:
dirman_password = get_dirman_password()
+ conn = None
try:
+ ldapuri = 'ldap://%s' % installutils.get_fqdn()
try:
- conn = ipaldap.IPAdmin(installutils.get_fqdn())
- conn.do_simple_bind(bindpw=dirman_password)
- except ldap.LDAPError, e:
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn.connect(
+ bind_dn='cn=directory manager', bind_pw=dirman_password
+ )
+ except errors.LDAPError, e:
print "An error occurred while connecting to the server."
- print "%s" % e[0]['desc']
+ print e
return 1
if args[0] == "enable":
entry = None
try:
entry = get_nis_config(conn)
- except ldap.LDAPError, e:
+ except errors.LDAPError, e:
print "An error occurred while talking to the server."
- print "%s" % e[0]['desc']
+ print e
retval = 1
# Enable either the portmap or rpcbind service
@@ -142,27 +142,25 @@ def main():
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
retval = ld.update(files)
else:
- if entry.getValue('nsslapd-pluginenabled').lower() == "off":
+ if entry.get('nsslapd-pluginenabled', '').lower() == 'off':
# Already configured, just enable the plugin
print "Enabling plugin"
- mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "on")]
-
- conn.modify_s(nis_config_dn, mod)
+ mod = {'nsslapd-pluginenabled': 'on'}
+ conn.update_entry(nis_config_dn, mod)
else:
print "Plugin already Enabled"
retval = 2
elif args[0] == "disable":
try:
- mod = [(ldap.MOD_REPLACE, "nsslapd-pluginenabled", "off")]
-
- conn.modify_s(nis_config_dn, mod)
+ mod = {'nsslapd-pluginenabled': 'off'}
+ conn.update_entry(nis_config_dn, mod)
except errors.NotFound:
print "Plugin is already disabled"
retval = 2
- except ldap.LDAPError, e:
+ except errors.LDAPError, e:
print "An error occurred while talking to the server."
- print "%s" % e[0]['desc']
+ print e
retval = 1
else:
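Review bot: `entry.get('nsslapd-pluginenabled', '').lower()` treats the attribute as a string, but elsewhere in this commit ldap2 entries are handled as dicts of value lists (`entry_attrs.get('ipacertificatesubjectbase', [None])[0]` in ipa-replica-prepare, `entry_attrs.setdefault('aci', []).append(...)` in ipa-fix-CVE-2008-3274). If get_entry returns lists here too, `.lower()` raises AttributeError whenever the NIS entry exists, so the enable path would fail; `if entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':` matches the list form. The surrounding `if`/`else` in main() starts outside this hunk.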
@@ -176,7 +174,7 @@ def main():
finally:
if conn:
- conn.unbind()
+ conn.disconnect()
return retval
@@ -198,6 +196,6 @@ except config.IPAConfigError, e:
print "An IPA server to update cannot be found. Has one been configured yet?"
print "The error was: %s" % e
sys.exit(1)
-except ldap.LDAPError, e:
+except errors.LDAPError, e:
print "An error occurred while performing operations: %s" % e
sys.exit(1)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 4b348f64..da03809d 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -23,15 +23,14 @@ import socket
import tempfile, os, pwd, traceback, logging, shutil
from ConfigParser import SafeConfigParser
-import ldap
from ipapython import ipautil
from ipaserver.install import dsinstance, replication, installutils, krbinstance, service
from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
-from ipalib import api, util
+from ipalib import api, errors, util
CACERT="/usr/share/ipa/html/ca.crt"
@@ -300,16 +299,17 @@ def main():
config.dir = dir
# Try out the password
+ ldapuri = 'ldap://%s' % config.master_host_name
try:
- conn = ipaldap.IPAdmin(config.master_host_name)
- conn.do_simple_bind(bindpw=config.dirman_password)
- conn.unbind()
- except ldap.CONNECT_ERROR, e:
- sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
- except ldap.SERVER_DOWN, e:
- sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
- except ldap.INVALID_CREDENTIALS, e :
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn.connect(
+ bind_dn='cn=directory manager', bind_pw=config.dirman_password
+ )
+ conn.disconnect()
+ except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
+ except errors.LDAPError:
+ sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index b85c491e..91550bef 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -24,10 +24,9 @@ import traceback, logging
from ipapython import ipautil
from ipaserver.install import replication, dsinstance, installutils
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
-from ipalib import util
-from ipalib import errors
+from ipalib import errors, util
def parse_options():
from optparse import OptionParser
@@ -73,7 +72,8 @@ def get_realm_name():
return c.default_realm
def get_suffix():
- suffix = ipaldap.IPAdmin.normalizeDN(util.realm_to_suffix(get_realm_name()))
+ l = ldap2(shared_instance=False, base_dn='')
+ suffix = l.normalize_dn(util.realm_to_suffix(get_realm_name()))
return suffix
def get_host_name():
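Review bot: `l` is a throwaway ldap2 instance created only to call `normalize_dn`, and the single-letter name is easy to misread; `dn_helper = ldap2(shared_instance=False, base_dn='')` would read better. No `ldap_uri` is passed, and the ldap2.py hunk on this page falls back to `api.env.ldap_uri` or, failing that, the placeholder `'ldap://example.com'`, so a comment such as `# used for DN normalisation only; never connect() this instance` would document that this object must not be given bind credentials.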
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 11649173..87a3ae4c 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -29,11 +29,9 @@ from optparse import OptionParser
from ipapython import ipautil
from ipaserver.install import bindinstance, dsinstance, installutils, certs, httpinstance
from ipaserver.install.bindinstance import add_zone, add_reverze_zone, add_rr, add_ptr_rr
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
from ipapython import version
-from ipalib import api
-from ipalib import util
-import ldap
+from ipalib import api, errors, util
def parse_options():
usage = "%prog [options] FQDN (e.g. replica.example.com)"
@@ -75,14 +73,16 @@ def parse_options():
return options, args
def get_subject_base(host_name, dm_password, suffix):
+ ldapuri = 'ldap://%s:389' % host_name
try:
- conn = ipaldap.IPAdmin(host_name)
- conn.do_simple_bind(bindpw=dm_password)
- except Exception, e:
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+ except errors.ExecutionError, e:
logging.critical("Could not connect to the Directory Server on %s" % host_name)
raise e
- entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE)
- return entry.getValue('ipacertificatesubjectbase')
+ (dn, entry_attrs) = conn.get_ipa_config()
+ conn.disconnect()
+ return entry_attrs.get('ipacertificatesubjectbase', [None])[0]
def check_ipa_configuration(realm_name):
config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))
@@ -236,16 +236,15 @@ def main():
sys.exit(0)
# Try out the password
+ ldapuri = 'ldap://%s:389' % api.env.host
try:
- conn = ipaldap.IPAdmin(api.env.host)
- conn.do_simple_bind(bindpw=dirman_password)
- conn.unbind()
- except ldap.CONNECT_ERROR, e:
- sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
- except ldap.SERVER_DOWN, e:
- sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
- except ldap.INVALID_CREDENTIALS, e :
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
+ conn.disconnect()
+ except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % api.env.host)
+ except errors.LDAPError:
+ sys.exit("\nUnable to connect to LDAP server %s" % api.env.host)
print "Preparing replica for %s from %s" % (replica_fqdn, api.env.host)
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index d02dbbba..d853f718 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -25,13 +25,13 @@ import tempfile
import traceback
-import krbV, ldap, getpass
+import krbV, getpass
from ipapython.ipautil import user_input
-from ipaserver import ipaldap
from ipaserver.install import certs, dsinstance, httpinstance, installutils
from ipalib import api
+from ipaserver.plugins.ldap2 import ldap2
def get_realm_name():
c = krbV.default_context()
@@ -64,14 +64,12 @@ def parse_options():
return options, args[0]
def set_ds_cert_name(cert_name, dm_password):
- conn = ipaldap.IPAdmin("127.0.0.1")
- conn.simple_bind_s("cn=directory manager", dm_password)
-
- mod = [(ldap.MOD_REPLACE, "nsSSLPersonalitySSL", cert_name)]
-
- conn.modify_s("cn=RSA,cn=encryption,cn=config", mod)
-
- conn.unbind()
+ ldapuri = 'ldap://127.0.0.1'
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+ mod = {'nssslpersonalityssl': cert_name}
+ conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
+ conn.disconnect()
def choose_server_cert(server_certs):
print "Please select the certificate to use:"
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 314adf16..f0c3add0 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -35,7 +35,6 @@ import signal
import shutil
import glob
import traceback
-import ldap
from optparse import OptionParser
from ConfigParser import RawConfigParser
import random
@@ -51,11 +50,11 @@ from ipaserver.install import cainstance
from ipaserver.install import service
from ipapython import version
from ipaserver.install.installutils import *
-from ipaserver import ipaldap
+from ipaserver.plugins.ldap2 import ldap2
from ipapython import sysrestore
from ipapython.ipautil import *
-from ipalib import api, util
+from ipalib import api, errors, util
import ipawebui
@@ -411,19 +410,18 @@ def render_assets():
ui.render_assets()
def set_subject_in_config(host_name, dm_password, suffix, subject_base):
+ ldapuri = 'ldap://%s' % host_name
try:
- conn = ipaldap.IPAdmin(host_name)
- conn.do_simple_bind(bindpw=dm_password)
- except Exception, e:
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
+ except errors.ExecutionError, e:
logging.critical("Could not connect to the Directory Server on %s" % host_name)
raise e
- entry = conn.getEntry("cn=ipaConfig, cn=etc, %s" % suffix, ldap.SCOPE_SUBTREE)
- if entry.getValue('ipaCertificateSubjectBase') is None:
- newentry = entry.toDict()
- newentry['ipaCertificateSubjectBase'] = subject_base
- conn.updateEntry(entry.dn, entry.toDict(), newentry)
-
- conn.unbind()
+ (dn, entry_attrs) = conn.get_ipa_config()
+ if 'ipacertificatesubjectbase' not in entry_attrs:
+ mod = {'ipacertificatesubjectbase': subject_base}
+ conn.update_entry(dn, mod)
+ conn.disconnect()
def main():
global ds
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 84a91780..33b85f35 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -219,19 +219,15 @@ class ldap2(CrudBackend, Encoder):
self.encoder_settings.decode_dict_vals_table = self._SYNTAX_MAPPING
self.encoder_settings.decode_dict_vals_table_keygen = get_syntax
self.encoder_settings.decode_postprocessor = lambda x: string.lower(x)
- if ldap_uri is None:
- self.ldap_uri = api.env.ldap_uri
- else:
- self.ldap_uri = ldap_uri
- if base_dn is None:
- self.base_dn = api.env.basedn
- else:
- self.base_dn = base_dn
- if schema is None:
- self.schema = _schema
- else:
- self.schema = schema
-
+ try:
+ self.ldap_uri = ldap_uri or api.env.ldap_uri
+ except AttributeError:
+ self.ldap_uri = 'ldap://example.com'
+ try:
+ self.base_dn = base_dn or api.env.basedn
+ except AttributeError:
+ self.base_dn = ''
+ self.schema = schema or _schema
def __del__(self):
if self.isconnected():