authorRob Crittenden <rcritten@redhat.com>2011-03-18 11:19:53 -0400
committerRob Crittenden <rcritten@redhat.com>2011-03-21 13:23:53 -0400
commitca5332951c68904b0763f79f3612209271206b2a (patch)
treed2e39143f5d1b7b78fb40fd906e0d722c1b19d3d /ipaserver
parentba5e0c43070c1ec77e45a032cd3dabbe0f7a76fc (diff)
Automatically update IPA LDAP on rpm upgrades
Re-enable the ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind, giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * removes the automatic --realm, --server, --domain options * handles upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint. Ticket 1087
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/ldapupdate.py43
-rw-r--r--ipaserver/install/upgradeinstance.py31
2 files changed, 53 insertions, 21 deletions
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index a2eebebc..44a95465 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -109,7 +109,7 @@ class LDAPUpdate:
if online:
# Try out the password
- #if not self.ldapi:
+ if not self.ldapi:
try:
conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=self.realm)
conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password)
@@ -120,13 +120,16 @@ class LDAPUpdate:
raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
except ldap.INVALID_CREDENTIALS:
raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn)
- # THIS IS COMMENTED OUT, BECAUSE:
- # external_bind does work, but even as root, you don't always have
- # enought power to do everything we need due to strict ACI rules
- #
- #else:
- # conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- # conn.do_external_bind(self.pw_name)
+ else:
+ conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ try:
+ if os.getegid() == 0:
+ # autobind
+ conn.do_external_bind(self.pw_name)
+ else:
+ conn.do_sasl_gssapi_bind()
+ except ldap.LOCAL_ERROR, e:
+ raise RuntimeError('%s' % e.args[0].get('info', '').strip())
else:
raise RuntimeError("Offline updates are not supported.")
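Review bot: The autobind gate `if os.getegid() == 0:` tests the effective group id, but the commit message's intent is to let root autobind as Directory Manager, and as far as I know 389-ds's ldapi autobind keys the root mapping on the peer's uid, not its gid; a process with gid 0 and a non-root uid would take the external-bind path and fail, while root running under another egid would be pushed onto the GSSAPI path for no reason. The check should be `if os.geteuid() == 0:` (upgradeinstance.py's `main()` uses the same `os.getegid()` pattern and presumably wants the same treatment). The `except ldap.LOCAL_ERROR` clause also covers only the SASL/local failure; the password branch just above maps `ldap.SERVER_DOWN` to "Unable to connect to LDAP server", and the ldapi branch should do the same so a missing socket is reported cleanly instead of as a raw traceback. The enclosing method starts above this hunk.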
@@ -476,7 +479,7 @@ class LDAPUpdate:
try:
(old, new) = v.split(':', 1)
except ValueError:
- raise BadSyntax, "bad syntax in replace, needs to be in the format old: new in %s" % new_entry.dn
+ raise BadSyntax, "bad syntax in replace, needs to be in the format old: new in %s" % v
try:
e.remove(old)
e.append(new)
@@ -596,6 +599,9 @@ class LDAPUpdate:
except errors.DatabaseError, e:
logging.error("Update failed: %s", e)
updated = False
+ except errors.ACIError, e:
+ logging.error("Update failed: %s", e)
+ updated = False
if ("cn=index" in entry.dn and
"cn=userRoot" in entry.dn):
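Review bot: The new `except errors.ACIError, e:` clause repeats the `DatabaseError` clause above it line for line; a single clause catches both, `except (errors.DatabaseError, errors.ACIError), e:`, and keeps the two failure modes handled identically without the copy-paste. Since an ACI denial on this path is exactly the condition the commit is working around by autobinding as Directory Manager, it may be worth wording the log message so the two causes can be told apart, but that is a judgement call. The enclosing function starts and ends outside this hunk.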
@@ -654,14 +660,17 @@ class LDAPUpdate:
try:
if self.online:
- # THIS IS COMMENTED OUT, BECAUSE:
- # external_bind does work, but even as root, you don't always have
- # enought power to do everything we need due to strict ACI rules
- #
- #if self.ldapi:
- # self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
- # self.conn.do_external_bind(self.pw_name)
- #else:
+ if self.ldapi:
+ self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
+ try:
+ if os.getegid() == 0:
+ # autobind
+ self.conn.do_external_bind(self.pw_name)
+ else:
+ self.conn.do_sasl_gssapi_bind()
+ except ldap.LOCAL_ERROR, e:
+ raise RuntimeError('%s' % e.args[0].get('info', '').strip())
+ else:
self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'],
ldapi=self.ldapi,
realm=self.realm)
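Review bot: The block from `if self.ldapi:` through the `except ldap.LOCAL_ERROR` re-raise is a verbatim copy of the ldapi branch added in the password-check hunk earlier in this file, and neither copy maps `ldap.SERVER_DOWN` the way the non-ldapi branch already does, so a missing ldapi socket surfaces as a python-ldap traceback on this path only. Pull the bind into one private helper that both call sites use and give it the SERVER_DOWN handling there; the helper below also keys the autobind decision on the effective uid, since (as far as I know) the root autobind mapping in 389-ds is about the peer's uid rather than its gid. The enclosing method starts before and continues after this hunk.
```python
    def _ldapi_connect(self):
        """Return an IPAdmin bound over ldapi: autobind when root, else GSSAPI.

        Raises RuntimeError with a readable message on bind or socket failure.
        """
        conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm)
        try:
            if os.geteuid() == 0:
                # autobind: the server maps the peer uid to Directory Manager
                conn.do_external_bind(self.pw_name)
            else:
                conn.do_sasl_gssapi_bind()
        except ldap.LOCAL_ERROR, e:
            raise RuntimeError('%s' % e.args[0].get('info', '').strip())
        except ldap.SERVER_DOWN:
            raise RuntimeError("Unable to connect to LDAP server over ldapi")
        return conn

    # … unchanged: start of the enclosing method …
            if self.online:
                if self.ldapi:
                    self.conn = self._ldapi_connect()
                else:
                    # … unchanged: FQDN connection and simple bind …
```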
diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py
index 156c4c2d..ad977b74 100644
--- a/ipaserver/install/upgradeinstance.py
+++ b/ipaserver/install/upgradeinstance.py
@@ -19,6 +19,8 @@
import os
import sys
+import shutil
+import random
from ipaserver.install import installutils
from ipaserver.install import dsinstance
@@ -41,12 +43,19 @@ class IPAUpgrade(service.Service):
live_run: boolean that defines if we are in test or live mode.
"""
+ ext = ''
+ rand = random.Random()
+ for i in range(8):
+ h = "%02x" % rand.randint(0,255)
+ ext += h
service.Service.__init__(self, "dirsrv")
serverid = dsinstance.realm_to_serverid(realm_name)
self.filename = '%s%s/%s' % (DSBASE, serverid, DSE)
+ self.savefilename = '%s%s/%s.ipa.%s' % (DSBASE, serverid, DSE, ext)
self.live_run = live_run
self.files = files
self.modified = False
+ self.badsyntax = False
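Review bot: The five-line loop building `ext` with an unused index `i` is a roundabout way to get sixteen hex characters; `ext = "%016x" % rand.getrandbits(64)` (or `os.urandom(8).encode('hex')`, since `os` is already imported) does the same in one line and makes it obvious the suffix exists for uniqueness rather than secrecy. The loop also sits between the docstring and the `service.Service.__init__` call, so a short comment such as `# random suffix for the dse.ldif backup written by __save_config` would help the reader, and the docstring could mention the new `savefilename` and `badsyntax` attributes. The `__init__` this belongs to starts above the hunk.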
def create_instance(self):
self.step("stopping directory server", self.stop)
@@ -61,21 +70,26 @@ class IPAUpgrade(service.Service):
self.start_creation("Upgrading IPA:")
def __save_config(self):
+ shutil.copy2(self.filename, self.savefilename)
port = installutils.get_directive(self.filename, 'nsslapd-port',
separator=':')
security = installutils.get_directive(self.filename, 'nsslapd-security',
separator=':')
autobind = installutils.get_directive(self.filename,
'nsslapd-ldapiautobind', separator=':')
+ searchbase = installutils.get_directive(self.filename,
+ 'nsslapd-ldapientrysearchbase', separator=':')
self.backup_state('nsslapd-port', port)
self.backup_state('nsslapd-security', security)
self.backup_state('nsslapd-ldapiautobind', autobind)
+ self.backup_state('nsslapd-ldapientrysearchbase', searchbase)
def __restore_config(self):
port = self.restore_state('nsslapd-port')
security = self.restore_state('nsslapd-security')
autobind = self.restore_state('nsslapd-ldapiautobind')
+ searchbase = self.restore_state('nsslapd-ldapientrysearchbase')
installutils.set_directive(self.filename, 'nsslapd-port',
port, quotes=False, separator=':')
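Review bot: `shutil.copy2(self.filename, self.savefilename)` runs on every upgrade and nothing in the patch ever removes the copy, so each run leaves another `dse.ldif.ipa.<hex>` in the instance directory; dse.ldif is the server's own configuration and presumably holds material worth protecting, and while copy2 preserves the original's mode bits the copy is owned by the root process doing the copying rather than the directory server user. Decide on a retention policy and implement it here: prune earlier `dse.ldif.ipa.*` copies (a `glob.glob` on the `%s.ipa.*` pattern) before writing the new one, or at least print the saved path so the administrator knows the backup exists and where. A one-line comment above the copy stating why it is kept, e.g. `# keep a pre-upgrade copy so a broken dse.ldif can be restored by hand`, would document the intent. `__restore_config` continues past the end of this hunk.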
@@ -83,6 +97,9 @@ class IPAUpgrade(service.Service):
security, quotes=False, separator=':')
installutils.set_directive(self.filename, 'nsslapd-ldapiautobind',
autobind, quotes=False, separator=':')
+ installutils.set_directive(self.filename,
+ 'nsslapd-ldapientrysearchbase',
+ searchbase, quotes=False, separator=':')
def __disable_listeners(self):
installutils.set_directive(self.filename, 'nsslapd-port',
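Review bot: `nsslapd-ldapientrysearchbase` is not necessarily present in dse.ldif the way port, security and autobind are, so the `searchbase` restored here may be whatever `installutils.get_directive` returns for an absent directive (presumably None), and `set_directive(..., None, ...)` would then either write a bogus `nsslapd-ldapientrysearchbase: None` line or raise, depending on a helper I cannot see from this hunk. Guard the restore, `if searchbase is not None:` before the `set_directive` call, or record in `__save_config` whether the directive existed so the restore can remove it rather than set it. `__restore_config` starts above this hunk.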
@@ -91,12 +108,18 @@ class IPAUpgrade(service.Service):
'off', quotes=False, separator=':')
installutils.set_directive(self.filename, 'nsslapd-ldapiautobind',
'on', quotes=False, separator=':')
+ installutils.set_directive(self.filename, 'nsslapd-ldapientrysearchbase',
+ '', quotes=False, separator=':')
def __upgrade(self):
- ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run)
- if len(self.files) == 0:
- self.files = ld.get_all_files(ldapupdate.UPDATES_DIR)
- self.modified = ld.update(self.files)
+ try:
+ ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run)
+ if len(self.files) == 0:
+ self.files = ld.get_all_files(ldapupdate.UPDATES_DIR)
+ self.modified = ld.update(self.files)
+ except ldapupdate.BadSyntax:
+ self.modified = False
+ self.badsyntax = True
def main():
if os.getegid() != 0:
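Review bot: The new `except ldapupdate.BadSyntax:` in `__upgrade` discards the exception, and with it the only description of which update file and line were malformed; `self.badsyntax = True` lets `main()` know something was wrong but not what. Bind the exception and surface its text, e.g. `except ldapupdate.BadSyntax, e:` followed by `print >> sys.stderr, "Bad syntax in update file: %s" % e` before the two assignments (`sys` is already imported). Note also that any other exception from `ld.update` propagates out of `__upgrade` after `__disable_listeners` has blanked the entry search base and turned autobind on; whether `__restore_config` still runs in that case depends on `service.Service.start_creation`, which is outside this view, and is worth confirming. `main()` continues past the end of this hunk.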