diff options
author | Pavel Zuna <pzuna@redhat.com> | 2011-02-15 14:11:27 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-03-03 14:04:34 -0500 |
commit | 64575a411b27dde7919406fdaf5bdec07c6645f3 (patch) | |
tree | ab0870adf6181f4457959f44fb936ec705f741d2 /ipaserver/install/ldapupdate.py | |
parent | eb6b3c7afc4065f12960f09791f2a5b645abef8b (diff) | |
download | freeipa.git-64575a411b27dde7919406fdaf5bdec07c6645f3.tar.gz freeipa.git-64575a411b27dde7919406fdaf5bdec07c6645f3.tar.xz freeipa.git-64575a411b27dde7919406fdaf5bdec07c6645f3.zip |
Use ldapi: instead of unsecured ldap: in ipa core tools.
The patch also corrects exception handling in some of the tools.
Fix #874
Diffstat (limited to 'ipaserver/install/ldapupdate.py')
-rw-r--r-- | ipaserver/install/ldapupdate.py | 45 |
1 files changed, 30 insertions, 15 deletions
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 95890495..0cee70ba 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -75,13 +75,18 @@ class LDAPUpdate: self.realm = None suffix = None - fqdn = installutils.get_fqdn() - if fqdn is None: - raise RuntimeError("Unable to determine hostname") - domain = ipautil.get_domain_name() libarch = self.__identify_arch() + if not self.ldapi: + fqdn = installutils.get_fqdn() + if fqdn is None: + raise RuntimeError("Unable to determine hostname") + else: + fqdn = "ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % "-".join( + domain.upper().split(".") + ) + if not self.sub_dict.get("REALM") and self.realm is not None: self.sub_dict["REALM"] = self.realm if not self.sub_dict.get("FQDN"): @@ -96,13 +101,15 @@ class LDAPUpdate: self.sub_dict["LIBARCH"] = libarch if not self.sub_dict.get("TIME"): self.sub_dict["TIME"] = int(time.time()) + if not self.sub_dict.get("DOMAIN") and domain is not None: + self.sub_dict["DOMAIN"] = domain if online: # Try out the password - if not self.ldapi: + #if not self.ldapi: try: - conn = ipaldap.IPAdmin(fqdn) - conn.do_simple_bind(bindpw=self.dm_password) + conn = ipaldap.IPAdmin(fqdn, ldapi=True, realm=domain.upper()) + conn.do_simple_bind(binddn="cn=directory manager", bindpw=self.dm_password) conn.unbind() except ldap.CONNECT_ERROR: raise RuntimeError("Unable to connect to LDAP server %s" % fqdn) @@ -110,9 +117,13 @@ class LDAPUpdate: raise RuntimeError("Unable to connect to LDAP server %s" % fqdn) except ldap.INVALID_CREDENTIALS: raise RuntimeError("The password provided is incorrect for LDAP server %s" % fqdn) - else: - conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm) - conn.do_external_bind(self.pw_name) + # THIS IS COMMENTED OUT, BECAUSE: + # external_bind does work, but even as root, you don't always have + # enought power to do everything we need due to strict ACI rules + # + #else: + # conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm) + # conn.do_external_bind(self.pw_name) else: raise RuntimeError("Offline updates are not supported.") @@ -640,11 +651,15 @@ class LDAPUpdate: try: if self.online: - if self.ldapi: - self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm) - self.conn.do_external_bind(self.pw_name) - else: - self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN']) + # THIS IS COMMENTED OUT, BECAUSE: + # external_bind does work, but even as root, you don't always have + # enought power to do everything we need due to strict ACI rules + # + #if self.ldapi: + # self.conn = ipaldap.IPAdmin(ldapi=True, realm=self.realm) + # self.conn.do_external_bind(self.pw_name) + #else: + self.conn = ipaldap.IPAdmin(self.sub_dict['FQDN'], ldapi=self.ldapi, realm=self.sub_dict['DOMAIN'].upper()) self.conn.do_simple_bind(bindpw=self.dm_password) else: raise RuntimeError("Offline updates are not supported.") |