From a9fe37e0664079ad2da7b0d9b9b7c7e244a25bf9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 2 Jul 2014 16:30:18 +0300 Subject: ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration When nsslapd-minssf is greater than 0, running as root ipa-ldap-updater [-l] will fail even if we force use of autobind for root over LDAPI. The reason for this is that schema updater doesn't get ldapi flag passed and attempts to connect to LDAP port instead and for hardened configurations using simple bind over LDAP is not enough. Additionally, report properly previously unhandled LDAP exceptions. https://fedorahosted.org/freeipa/ticket/3468 Reviewed-By: Petr Spacek
---
ipapython/ipaldap.py | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'ipapython')
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 44918c39a..2818f787b 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1204,6 +1204,10 @@ class LDAPClient(object):
 pass
 except ldap.CONNECT_ERROR:
 raise errors.DatabaseError(desc=desc, info=info)
+ except ldap.UNWILLING_TO_PERFORM:
+ raise errors.DatabaseError(desc=desc, info=info)
+ except ldap.AUTH_UNKNOWN:
+ raise errors.ACIError(info='%s (%s)' % (info,desc))
 except ldap.LDAPError, e:
 if 'NOT_ALLOWED_TO_DELEGATE' in info:
 raise errors.ACIError(
-- cgit
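Review bot: The new `except ldap.AUTH_UNKNOWN:` branch reports a bind-method failure as `errors.ACIError`, the same class this handler raises for access denials such as `NOT_ALLOWED_TO_DELEGATE`, so callers and logs can no longer tell an authentication-setup problem from an authorization denial. A comment giving the reason would help, for example `# AUTH_UNKNOWN: bind method not accepted; raised as ACIError so info and desc reach the operator`, and if the `errors` module has a class for failed binds (not visible in this hunk) that would be the better target. The `ldap.UNWILLING_TO_PERFORM` branch becomes a generic `DatabaseError`; if this is the refusal seen with `nsslapd-minssf` greater than 0, as the commit message suggests, a one-line comment saying so would keep the hardening context next to the code. Minor style: `(info,desc)` should be `(info, desc)`. The handler starts and continues outside the hunk, so where `desc` and `info` are populated cannot be checked here.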