summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPavel Zuna <pzuna@redhat.com>2011-02-15 14:11:27 -0500
committerRob Crittenden <rcritten@redhat.com>2011-03-03 14:04:34 -0500
commit64575a411b27dde7919406fdaf5bdec07c6645f3 (patch)
treeab0870adf6181f4457959f44fb936ec705f741d2
parenteb6b3c7afc4065f12960f09791f2a5b645abef8b (diff)
downloadfreeipa-64575a411b27dde7919406fdaf5bdec07c6645f3.zip
freeipa-64575a411b27dde7919406fdaf5bdec07c6645f3.tar.gz
freeipa-64575a411b27dde7919406fdaf5bdec07c6645f3.tar.xz
Use ldapi: instead of unsecured ldap: in ipa core tools.
The patch also corrects exception handling in some of the tools. Fix #874
-rw-r--r--install/migration/migration.py9
-rwxr-xr-xinstall/tools/ipa-compat-manage11
-rw-r--r--install/tools/ipa-compliance3
-rwxr-xr-xinstall/tools/ipa-host-net-manage13
-rwxr-xr-xinstall/tools/ipa-nis-manage15
-rwxr-xr-xinstall/tools/ipa-replica-prepare6
-rwxr-xr-xinstall/tools/ipa-server-certinstall3
-rwxr-xr-xinstall/tools/ipa-server-install10
-rw-r--r--ipaserver/install/ldapupdate.py45
9 files changed, 65 insertions, 50 deletions
diff --git a/install/migration/migration.py b/install/migration/migration.py
index 6b447f3..ed6ade9 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -20,13 +20,14 @@
Password migration script
"""
+import cgi
import errno
+import glob
import ldap
-import cgi
import wsgiref
BASE_DN = ''
-LDAP_URI = 'ldap://localhost:389'
+LDAP_URI = 'ldaps://localhost:636'
def wsgi_redirect(start_response, loc):
start_response('302 Found', [('Location', loc)])
@@ -83,6 +84,10 @@ def application(environ, start_response):
if not form_data.has_key('username') or not form_data.has_key('password'):
return wsgi_redirect(start_response, 'invalid.html')
+ slapd_sockets = glob.glob('/var/run/slapd-*.socket')
+ if slapd_sockets:
+ LDAP_URI = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
+
try:
bind(form_data['username'].value, form_data['password'].value)
except IOError as err:
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index c990f9d..723950f 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -93,13 +93,12 @@ def main():
conn = None
try:
- ldapuri = 'ldap://%s' % installutils.get_fqdn()
try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password
)
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
except errors.ACIError, e:
sys.exit("Authentication failed: %s" % e.info)
@@ -122,7 +121,7 @@ def main():
retval = 2
except errors.NotFound:
print "Enabling plugin"
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
@@ -158,7 +157,7 @@ def main():
print "An error occurred while talking to the server."
print dbe
retval = 1
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
@@ -167,7 +166,7 @@ def main():
retval = 1
finally:
- if conn.isconnected():
+ if conn and conn.isconnected():
conn.disconnect()
return retval
diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance
index 8b7ad77..e1de252 100644
--- a/install/tools/ipa-compliance
+++ b/install/tools/ipa-compliance
@@ -106,8 +106,7 @@ def check_compliance(tmpdir, debug=False):
# Even if not registered they have some default entitlements
pass
- ldapuri = 'ldap://%s' % api.env.host
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+ conn = ldap2(shared_instance=False)
# Bind using GSSAPI
conn.connect(ccache=ccache_file)
diff --git a/install/tools/ipa-host-net-manage b/install/tools/ipa-host-net-manage
index ae8a224..5da7b92 100755
--- a/install/tools/ipa-host-net-manage
+++ b/install/tools/ipa-host-net-manage
@@ -96,13 +96,12 @@ def main():
conn = None
try:
- ldapuri = 'ldap://%s' % installutils.get_fqdn()
try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password
)
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" %
str(lde))
except errors.ACIError, e:
@@ -118,7 +117,7 @@ def main():
print "Plugin Disabled"
except errors.NotFound:
print "Plugin Disabled"
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
return 0
@@ -136,7 +135,7 @@ def main():
retval = 2
except errors.NotFound:
print "Enabling Plugin"
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
@@ -184,7 +183,7 @@ def main():
print "An error occurred while talking to the server."
print dbe
retval = 1
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
@@ -193,7 +192,7 @@ def main():
retval = 1
finally:
- if conn.isconnected():
+ if conn and conn.isconnected():
conn.disconnect()
return retval
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index 310ee14..d611134 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -107,16 +107,15 @@ def main():
conn = None
try:
- ldapuri = 'ldap://%s' % installutils.get_fqdn()
try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
conn.connect(
bind_dn='cn=directory manager', bind_pw=dirman_password
)
- except errors.ACIError:
- sys.exit("Incorrect password")
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server: %s" % str(lde))
+ except errors.AuthorizationError:
+ sys.exit("Incorrect password")
if args[0] == "enable":
compat = get_entry(compat_dn, conn)
@@ -125,7 +124,7 @@ def main():
entry = None
try:
entry = get_entry(nis_config_dn, conn)
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
@@ -149,7 +148,7 @@ def main():
entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off'):
# Already configured, just enable the plugin
print "Enabling plugin"
- ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
+ ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
if ld.update(files) != True:
retval = 1
mod = {'nsslapd-pluginenabled': 'on'}
@@ -186,7 +185,7 @@ def main():
print "An error occurred while talking to the server."
print dbe
retval = 1
- except errors.LDAPError, lde:
+ except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index f0661a3..36e34d7 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -88,9 +88,8 @@ def parse_options():
return options, args
def get_subject_base(host_name, dm_password, suffix):
- ldapuri = 'ldap://%s:389' % host_name
try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
+ conn = ldap2(shared_instance=False, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e:
logging.critical("Could not connect to the Directory Server on %s" % host_name)
@@ -285,9 +284,8 @@ def main():
sys.exit(0)
# Try out the password
- ldapuri = 'ldap://%s:389' % api.env.host
try:
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+ conn = ldap2(shared_instance=False)
conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)
conn.disconnect()
except errors.ACIError:
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index 5fc5811..74ded15 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -64,8 +64,7 @@ def parse_options():
return options, args[0]
def set_ds_cert_name(cert_name, dm_password):
- ldapuri = 'ldap://127.0.0.1'
- conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+ conn = ldap2(shared_instance=False, base_dn='')
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
mod = {'nssslpersonalityssl': cert_name}
conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 6a030b9..fd202be 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -444,13 +444,15 @@ def uninstall():
return 0
-def set_subject_in_config(host_name, dm_password, suffix, subject_base):
- ldapuri = 'ldap://%s' % host_name
+def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
+ ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
+ dsinstance.realm_to_serverid(realm_name)
+ )
try:
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn=suffix)
conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
except errors.ExecutionError, e:
- logging.critical("Could not connect to the Directory Server on %s" % host_name)
+ logging.critical("Could not connect to the Directory Server on %s" % realm_name)
raise e
(dn, entry_attrs) = conn.get_ipa_config()
if 'ipacertificatesubjectbase' not in entry_attrs:
@@ -851,7 +853,7 @@ def main():
http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject)
ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
- set_subject_in_config(host_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
+ set_subject_in_config(realm_name, dm_password, util.realm_to_suffix(realm_name), options.subject)
if not options.selfsign:
service.print_msg("Setting the certificate subject base")
ca.set_subject_in_config(util.realm_to_suffix(realm_name))
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 9589049..0cee70b 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -75,13 +75,18 @@ class LDAPUpdate:
self.realm = None
suffix = None
- fqdn = installutils.get_fqdn()
- if fqdn is None:
- raise RuntimeError("Unable to determine hostname")
-
domain = ipautil.get_domain_name()
libarch = self.__identify_arch()
+ if not self.ldapi:
+ fqdn = installutils.get_fqdn()
+ if fqdn is None:
+ raise RuntimeError("Unable to determine hostname")
+ else:
+ fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % "-".join(
+ domain.upper().split(".")
+ )
+
if not self.sub_dict.get("REALM") and self.realm is not None:
self.sub_dict["REALM"] = self.realm
if not self.sub_dict.get("FQDN"):
@@ -96,13 +101,15 @@ class LDAPUpdate:
self.sub_dict["LIBARCH"] = libarch
if not self.sub_dict.get("TIME"):
self.sub_dict["TIME"] = int(time.time())
+ if not self.sub_dict.get("DOMAIN") and domain is not None:
+ self.sub_dict["DOMAIN"] = domain
if online:
# Try out the password
- if not self.ldapi:
+ #if not self.ldapi:
try:
- conn = ipaldap.IPAdmin(fqdn)
- conn.do_simple_bind(bindpw=self.dm_password)
+ conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=domain.upper())
+ conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
conn.unbind()
except ldap.CONNECT_ERROR:
raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
@@ -110,9 +117,13 @@ class LDAPUpdate:
raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
except ldap.INVALID_CREDENTIALS:
raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
- else:
- conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- conn.do_external_bind(self.pw_name)
+ # THIS IS COMMENTED OUT, BECAUSE:
+ # external_bind does work, but even as root, you don't always have
+ # enought power to do everything we need due to strict ACI rules
+ #
+ #else:
+ # conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ # conn.do_external_bind(self.pw_name)
else:
raise RuntimeError("Offline updates are not supported.")
@@ -640,11 +651,15 @@ class LDAPUpdate:
try:
if self.online:
- if self.ldapi:
- self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- self.conn.do_external_bind(self.pw_name)
- else:
- self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'])
+ # THIS IS COMMENTED OUT, BECAUSE:
+ # external_bind does work, but even as root, you don't always have
+ # enought power to do everything we need due to strict ACI rules
+ #
+ #if self.ldapi:
+ # self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ # self.conn.do_external_bind(self.pw_name)
+ #else:
+ self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'], ldapi=self.ldapi, realm=self.sub_dict['DOMAIN'].upper())
self.conn.do_simple_bind(bindpw=self.dm_password)
else:
raise RuntimeError("Offline updates are not supported.")