diff options
| author | Simo Sorce <ssorce@redhat.com> | 2011-01-19 15:17:25 -0500 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2011-01-20 15:49:30 -0500 |
| commit | 861aa9c1b8ddf757b358f3a66e3ca57d4cc05b4c (patch) | |
| tree | 50e0025b2cdc32721bca357102daf4935e712c01 /install/tools | |
| parent | 5af80a7583edfd0061a70abde4868d4582247608 (diff) | |
| download | freeipa-861aa9c1b8ddf757b358f3a66e3ca57d4cc05b4c.tar.gz freeipa-861aa9c1b8ddf757b358f3a66e3ca57d4cc05b4c.tar.xz freeipa-861aa9c1b8ddf757b358f3a66e3ca57d4cc05b4c.zip | |
Allow SASL/EXTERNAL authentication for the root user
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
Diffstat (limited to 'install/tools')
| -rwxr-xr-x | install/tools/ipactl | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/install/tools/ipactl b/install/tools/ipactl index 0254a276..fc652c97 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -26,6 +26,7 @@ try: from ipalib import api, errors import logging import ldap + import ldap.sasl import socket except ImportError: print >> sys.stderr, """\ @@ -36,6 +37,8 @@ error was: """ % sys.exc_value sys.exit(1) +SASL_EXTERNAL = ldap.sasl.sasl({}, 'EXTERNAL') + def parse_options(): usage = "%prog start|stop|restart|status\n" parser = config.IPAOptionParser(usage=usage, @@ -60,7 +63,7 @@ def get_config(): try: con = ldap.initialize(api.env.ldap_uri) - con.simple_bind() + con.sasl_interactive_bind_s('', SASL_EXTERNAL) res = con.search_st(base, ldap.SCOPE_SUBTREE, filterstr=srcfilter, |