authorPetr Viktorin <pviktori@redhat.com>2012-11-20 07:18:08 -0500
committerMartin Kosek <mkosek@redhat.com>2012-11-23 12:19:20 +0100
commit994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe (patch)
tree15211897de914745c84894036fa3e8ad3a7f3ed5
parent83ef2e251fa0550ebecc68c4c54406b1cef7f3b3 (diff)
downloadfreeipa.git-994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe.tar.gz
freeipa.git-994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe.tar.xz
freeipa.git-994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe.zip
Provide 'protocol' argument to IPAdmin
The ancient IPAdmin class used some heuristics to determine the protocol to connect with (ldap, ldaps, or ldapi). In turn, some calling code used questionable mechanisms to get the correct protocol: in ipaserver/install/replication.py, the CA cert was either passed to the constructor or added to the class afterwards, to get ldap:// or ldaps://. Add an explicit protocol argument and only fall back to backwards-compatible guessing if it is not given.
-rw-r--r--ipaserver/ipaldap.py38
1 files changed, 27 insertions, 11 deletions
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 2e1b91a5..9b3b86fc 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -217,22 +217,37 @@ class Entry:
class IPAdmin(IPAEntryLDAPObject):
def __localinit(self):
- """If a CA certificate is provided then it is assumed that we are
- doing SSL client authentication with proxy auth.
+ if self.protocol == 'ldaps':
+ IPAEntryLDAPObject.__init__(self,'ldaps://%s' % format_netloc(self.host, self.port))
+ elif self.protocol == 'ldapi':
+ IPAEntryLDAPObject.__init__(self,'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % "-".join(self.realm.split(".")))
+ elif self.protocol == 'ldap':
+ IPAEntryLDAPObject.__init__(self,'ldap://%s' % format_netloc(self.host, self.port))
+ else:
+ raise ValueError('Protocol %r not supported' % self.protocol)
+
+ def __guess_protocol(self):
+ """Return the protocol to use based on flags passed to the constructor
+
+ Only used when "protocol" is not specified explicitly.
- If a CA certificate is not present then it is assumed that we are
- using a forwarded kerberos ticket for SASL auth. SASL provides
- its own encryption.
+ If a CA certificate is provided then it is assumed that we are
+ doing SSL client authentication with proxy auth.
+
+ If a CA certificate is not present then it is assumed that we are
+ using a forwarded kerberos ticket for SASL auth. SASL provides
+ its own encryption.
"""
if self.cacert is not None:
- IPAEntryLDAPObject.__init__(self,'ldaps://%s' % format_netloc(self.host, self.port))
+ return 'ldaps'
+ elif self.ldapi:
+ return 'ldapi'
else:
- if self.ldapi:
- IPAEntryLDAPObject.__init__(self,'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % "-".join(self.realm.split(".")))
- else:
- IPAEntryLDAPObject.__init__(self,'ldap://%s' % format_netloc(self.host, self.port))
+ return 'ldap'
- def __init__(self,host='',port=389,cacert=None,bindcert=None,bindkey=None,proxydn=None,debug=None,ldapi=False,realm=None):
+ def __init__(self, host='', port=389, cacert=None, bindcert=None,
+ bindkey=None, proxydn=None, debug=None, ldapi=False,
+ realm=None, protocol=None):
"""We just set our instance variables and wrap the methods - the real
work is done in __localinit. This is separated out this way so
that we can call it from places other than instance creation
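Review bot: The new `__localinit` (lines 24-34 of the hunk) lost the docstring the old version carried and now has none, while the `ldapi` branch dereferences `self.realm`, which the constructor defaults to `None`, so an explicit `protocol='ldapi'` without a realm fails with an AttributeError from `.split` instead of a clear message. A one-line docstring such as `"""Open the underlying LDAP connection for self.protocol ('ldap', 'ldaps' or 'ldapi')."""` would restore the documentation, and the `ldapi` branch could be guarded with `if self.realm is None: raise ValueError('realm is required for ldapi')` before the socket path is built. The `ValueError` in the final `else` is the right shape; note that the comparison is case-sensitive, so `'LDAPS'` is rejected rather than normalised, which is worth stating in the docstring. Whether `cacert` is still applied to an explicitly requested `ldaps` connection is decided in code outside this hunk and cannot be confirmed from here.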
@@ -257,6 +272,7 @@ class IPAdmin(IPAEntryLDAPObject):
self.ldapi = ldapi
self.realm = realm
self.suffixes = {}
+ self.protocol = protocol or self.__guess_protocol()
self.__localinit()
def __lateinit(self):
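Review bot: `self.protocol = protocol or self.__guess_protocol()` lets an explicit protocol silently override contradictory flags: a caller passing `cacert` together with `protocol='ldap'`, or `ldapi=True` with `protocol='ldaps'`, gets the requested transport with no indication that the other argument is being ignored, which for the first case means a plaintext connection where the caller supplied a CA certificate. A short consistency check after the assignment, e.g. `if self.cacert is not None and self.protocol == 'ldap': raise ValueError('cacert given but protocol is ldap')`, or at least a comment stating that an explicit protocol takes precedence over cacert/ldapi, would make the precedence visible. The `or` also treats an empty string as "not given", so `protocol=''` falls through to guessing; `if protocol is None` would be the stricter test. The enclosing `__init__` starts outside this hunk, so where `self.cacert` is assigned relative to this line is assumed, not seen.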