authorAna Krivokapic <akrivoka@redhat.com>2013-11-05 18:38:55 +0100
committerMartin Kosek <mkosek@redhat.com>2013-11-14 15:01:05 +0100
commiteaaf7ed0f20b81ce10e1e36ce36c673445a83f2b (patch)
tree323df18dd5bde217c75205496e5657103401afdf
parent3693b8e51ae11b4bcda9cd7e90ff729fc66a5862 (diff)
Use EXTERNAL auth mechanism in ldapmodify
Default to using the EXTERNAL authentication mechanism in calls to ldapmodify.
https://fedorahosted.org/freeipa/ticket/3895
-rw-r--r--ipaserver/install/service.py20
1 files changed, 10 insertions, 10 deletions
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4a244abb9..0d7a66456 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -121,17 +121,15 @@ class Service(object):
self.admin_conn = conn
-
def ldap_disconnect(self):
self.admin_conn.unbind()
self.admin_conn = None
- def _ldap_mod(self, ldif, sub_dict = None):
-
+ def _ldap_mod(self, ldif, sub_dict=None):
pw_name = None
fd = None
path = ipautil.SHARE_DIR + ldif
- nologlist=[]
+ nologlist = []
if sub_dict is not None:
txt = ipautil.template_file(path, sub_dict)
@@ -139,9 +137,9 @@ class Service(object):
path = fd.name
# do not log passwords
- if sub_dict.has_key('PASSWORD'):
+ if 'PASSWORD' in sub_dict:
nologlist.append(sub_dict['PASSWORD'])
- if sub_dict.has_key('RANDOM_PASSWORD'):
+ if 'RANDOM_PASSWORD' in sub_dict:
nologlist.append(sub_dict['RANDOM_PASSWORD'])
args = ["/usr/bin/ldapmodify", "-v", "-f", path]
@@ -152,16 +150,18 @@ class Service(object):
self.ldap_connect()
args += ["-H", self.admin_conn.ldap_uri]
- auth_parms = []
+ # If DM password is available, use it
if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, self.dm_password)
os.close(pw_fd)
auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
+ # Use GSSAPI auth when not using DM password or not being root
+ elif os.getegid() != 0:
+ auth_parms = ["-Y", "GSSAPI"]
+ # Default to EXTERNAL auth mechanism
else:
- # always try GSSAPI auth when not using DM password or not being root
- if os.getegid() != 0:
- auth_parms = ["-Y", "GSSAPI"]
+ auth_parms = ["-Y", "EXTERNAL"]
args += auth_parms
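Review bot: The `elif os.getegid() != 0:` test chooses between GSSAPI and EXTERNAL by effective group id, while the comment above it speaks of "not being root", which is normally a question of effective user id. A process with euid 0 but a non-zero egid would be sent to GSSAPI, and one with egid 0 but a non-root euid would attempt EXTERNAL and depend entirely on how the directory server maps that peer; if root is what is meant, `elif os.geteuid() != 0:` states it directly. EXTERNAL also presumably only succeeds when `self.admin_conn.ldap_uri` is an ldapi:// socket (or TLS with a client certificate), so a comment such as `# EXTERNAL relies on ldapi peer credentials; ldap_uri must be an ldapi:// URI` would help the next reader. The body of `_ldap_mod` starts and ends outside this hunk, so the cleanup of the `pw_name` password file is not visible here.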