authorJan Cholasta <jcholast@redhat.com>2013-02-04 11:50:58 +0100
committerMartin Kosek <mkosek@redhat.com>2013-03-01 16:59:47 +0100
commit61c0938c769f5ece202f04095138a5348f95aa18 (patch)
tree6168745816d79a4e3b8cb652ff64cfc5dc0297f1 /ipaserver
parent5b2e0e2ba5808d6300de1cac743c96db0607121c (diff)
Remove support for DN normalization from LDAPClient.
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/cainstance.py5
-rw-r--r--ipaserver/install/plugins/rename_managed.py4
-rw-r--r--ipaserver/ipaldap.py68
-rw-r--r--ipaserver/plugins/ldap2.py24
4 files changed, 29 insertions, 72 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 25647987..a1107cee 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1915,12 +1915,11 @@ def update_people_entry(uid, dercert):
conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
conn.connect(bind_dn=DN(('cn', 'directory manager')),
bind_pw=dm_password)
- (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'],
- normalize=False)
+ (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'].append(dercert)
entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer,
subject)
- conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.update_entry(dn, entry_attrs)
updated = True
break
except errors.NetworkError:
diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py
index 206e0a0d..e0fa36bb 100644
--- a/ipaserver/install/plugins/rename_managed.py
+++ b/ipaserver/install/plugins/rename_managed.py
@@ -67,7 +67,7 @@ class GenerateUpdateMixin(object):
try:
definitions_managed_entries, truncated = ldap.find_entries(
searchfilter, ['*'], old_definition_container,
- ldap.SCOPE_ONELEVEL, normalize=False)
+ ldap.SCOPE_ONELEVEL)
except errors.NotFound, e:
return (False, update_list)
@@ -77,7 +77,7 @@ class GenerateUpdateMixin(object):
old_dn = entry.data['managedtemplate'][0]
assert isinstance(old_dn, DN)
try:
- (old_dn, entry) = ldap.get_entry(old_dn, ['*'], normalize=False)
+ (old_dn, entry) = ldap.get_entry(old_dn, ['*'])
except errors.NotFound, e:
pass
else:
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 10deca78..4a465326 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -984,11 +984,6 @@ class LDAPClient(object):
obj = self.schema.get_obj(ldap.schema.AttributeType, attr)
return obj and obj.single_value
- def normalize_dn(self, dn):
- """Override to normalize all DNs passed to LDAPClient methods"""
- assert isinstance(dn, DN)
- return dn
-
def make_dn_from_attr(self, attr, value, parent_dn=None):
"""
Make distinguished name from attribute.
@@ -998,7 +993,6 @@ class LDAPClient(object):
"""
if parent_dn is None:
parent_dn = DN()
- parent_dn = self.normalize_dn(parent_dn)
if isinstance(value, (list, tuple)):
value = value[0]
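Review bot: With the normalize_dn call removed, make_dn_from_attr no longer verifies that parent_dn is a DN — that check lived in the deleted normalize_dn (`assert isinstance(dn, DN)`), and the sibling make_dn in the next hunk now carries it explicitly. Add `assert isinstance(parent_dn, DN)` directly after the `parent_dn = DN()` default so a str or None-like parent fails here rather than somewhere inside DN construction. The rest of make_dn_from_attr's body lies outside this hunk.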
@@ -1015,11 +1009,8 @@ class LDAPClient(object):
"""
assert primary_key in entry_attrs
+ assert isinstance(parent_dn, DN)
- if parent_dn is None:
- parent_dn = DN()
-
- parent_dn = self.normalize_dn(parent_dn)
return DN((primary_key, entry_attrs[primary_key]), parent_dn)
def make_entry(self, _dn=None, _obj=None, **kwargs):
@@ -1172,7 +1163,7 @@ class LDAPClient(object):
def find_entries(self, filter=None, attrs_list=None, base_dn=None,
scope=ldap.SCOPE_SUBTREE, time_limit=None,
- size_limit=None, normalize=True, search_refs=False):
+ size_limit=None, search_refs=False):
"""
Return a list of entries and indication of whether the results were
truncated ([(dn, entry_attrs)], truncated) matching specified search
@@ -1186,15 +1177,12 @@ class LDAPClient(object):
time_limit -- time limit in seconds (default use IPA config values)
size_limit -- size (number of entries returned) limit
(default use IPA config values)
- normalize -- normalize the DN (default True)
search_refs -- allow search references to be returned
(default skips these entries)
"""
if base_dn is None:
base_dn = DN()
assert isinstance(base_dn, DN)
- if normalize:
- base_dn = self.normalize_dn(base_dn)
if not filter:
filter = '(objectClass=*)'
res = []
@@ -1247,8 +1235,7 @@ class LDAPClient(object):
members = r[1]['member']
indirect = self.get_members(
r[0], members, membertype=MEMBERS_INDIRECT,
- time_limit=time_limit, size_limit=size_limit,
- normalize=normalize)
+ time_limit=time_limit, size_limit=size_limit)
if len(indirect) > 0:
r[1]['memberindirect'] = indirect
if attrs_list and (
@@ -1264,7 +1251,7 @@ class LDAPClient(object):
continue
direct, indirect = self.get_memberof(
r[0], memberof, time_limit=time_limit,
- size_limit=size_limit, normalize=normalize)
+ size_limit=size_limit)
if len(direct) > 0:
r[1]['memberof'] = direct
if len(indirect) > 0:
@@ -1299,7 +1286,7 @@ class LDAPClient(object):
return entries[0]
def get_entry(self, dn, attrs_list=None, time_limit=None,
- size_limit=None, normalize=True):
+ size_limit=None):
"""
Get entry (dn, entry_attrs) by dn.
@@ -1311,7 +1298,7 @@ class LDAPClient(object):
(entry, truncated) = self.find_entries(
None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit,
- size_limit=size_limit, normalize=normalize
+ size_limit=size_limit
)
if truncated:
@@ -1326,7 +1313,7 @@ class LDAPClient(object):
return {}
def get_memberof(self, entry_dn, memberof, time_limit=None,
- size_limit=None, normalize=True):
+ size_limit=None):
"""
Examine the objects that an entry is a member of and determine if they
are a direct or indirect member of that group.
@@ -1361,7 +1348,7 @@ class LDAPClient(object):
result, truncated = self.find_entries(
searchfilter, attr_list,
group, time_limit=time_limit, size_limit=size_limit,
- scope=ldap.SCOPE_BASE, normalize=normalize)
+ scope=ldap.SCOPE_BASE)
results.extend(list(result))
except errors.NotFound:
pass
@@ -1386,8 +1373,7 @@ class LDAPClient(object):
return (direct, indirect)
def get_members(self, group_dn, members, attr_list=[],
- membertype=MEMBERS_ALL, time_limit=None, size_limit=None,
- normalize=True):
+ membertype=MEMBERS_ALL, time_limit=None, size_limit=None):
"""Do a memberOf search of groupdn and return the attributes in
attr_list (an empty list returns all attributes).
@@ -1441,7 +1427,7 @@ class LDAPClient(object):
result, truncated = self.find_entries(
searchfilter, attr_list, member_dn,
time_limit=time_limit, size_limit=size_limit,
- scope=ldap.SCOPE_BASE, normalize=normalize)
+ scope=ldap.SCOPE_BASE)
if truncated:
raise errors.LimitsExceeded()
results.append(list(result[0]))
@@ -1477,31 +1463,28 @@ class LDAPClient(object):
self.log.debug("get_members: result=%s", entries)
return entries
- def _get_dn_and_attrs(self, entry_or_dn, entry_attrs, normalize):
+ def _get_dn_and_attrs(self, entry_or_dn, entry_attrs):
"""Helper for legacy calling style for {add,update}_entry
"""
if entry_attrs is None:
- assert normalize is None
return entry_or_dn.dn, entry_or_dn
else:
assert isinstance(entry_or_dn, DN)
- if normalize is None or normalize:
- entry_or_dn = self.normalize_dn(entry_or_dn)
entry_attrs = self.make_entry(entry_or_dn, entry_attrs)
for key, value in entry_attrs.items():
if value is None:
entry_attrs[key] = []
return entry_or_dn, entry_attrs
- def add_entry(self, entry, entry_attrs=None, normalize=None):
+ def add_entry(self, entry, entry_attrs=None):
"""Create a new entry.
This should be called as add_entry(entry).
- The legacy two/three-argument variant is:
- add_entry(dn, entry_attrs, normalize=True)
+ The legacy two-argument variant is:
+ add_entry(dn, entry_attrs)
"""
- dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize)
+ dn, attrs = self._get_dn_and_attrs(entry, entry_attrs)
# remove all [] values (python-ldap hates 'em)
attrs = dict((k, v) for k, v in attrs.iteritems()
@@ -1523,19 +1506,17 @@ class LDAPClient(object):
assert isinstance(dn, DN)
assert isinstance(new_rdn, RDN)
- dn = self.normalize_dn(dn)
if dn[0] == new_rdn:
raise errors.EmptyModlist()
with self.error_handler():
self.conn.rename_s(dn, new_rdn, delold=int(del_old))
time.sleep(.3) # Give memberOf plugin a chance to work
- def _generate_modlist(self, dn, entry_attrs, normalize):
+ def _generate_modlist(self, dn, entry_attrs):
assert isinstance(dn, DN)
# get original entry
- dn, entry_attrs_old = self.get_entry(
- dn, entry_attrs.keys(), normalize=normalize)
+ dn, entry_attrs_old = self.get_entry(dn, entry_attrs.keys())
# generate modlist
# for multi value attributes: no MOD_REPLACE to handle simultaneous
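Review bot: In _generate_modlist the new line `dn, entry_attrs_old = self.get_entry(dn, entry_attrs.keys())` rebinds the dn parameter to whatever DN the search returns, which can differ from the one the caller passed in. If the remainder of the function (outside this hunk) does not use dn, writing `_, entry_attrs_old = self.get_entry(dn, entry_attrs.keys())` makes that explicit and avoids the silent shadowing; if it does, a one-line comment noting that the server-returned DN is used from here on would help. The rename hunk above is fine as is: the `assert isinstance(dn, DN)` it keeps covers what the removed normalize_dn used to check.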
@@ -1593,18 +1574,18 @@ class LDAPClient(object):
return modlist
- def update_entry(self, entry, entry_attrs=None, normalize=None):
+ def update_entry(self, entry, entry_attrs=None):
"""Update entry's attributes.
This should be called as update_entry(entry).
- The legacy two/three-argument variant is:
- update_entry(dn, entry_attrs, normalize=True)
+ The legacy two-argument variant is:
+ update_entry(dn, entry_attrs)
"""
- dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize)
+ dn, attrs = self._get_dn_and_attrs(entry, entry_attrs)
# generate modlist
- modlist = self._generate_modlist(dn, attrs, normalize)
+ modlist = self._generate_modlist(dn, attrs)
if not modlist:
raise errors.EmptyModlist()
@@ -1612,14 +1593,11 @@ class LDAPClient(object):
with self.error_handler():
self.conn.modify_s(dn, modlist)
- def delete_entry(self, entry_or_dn, normalize=None):
+ def delete_entry(self, entry_or_dn):
"""Delete an entry given either the DN or the entry itself"""
if isinstance(entry_or_dn, DN):
dn = entry_or_dn
- if normalize is None or normalize:
- dn = self.normalize_dn(dn)
else:
- assert normalize is None
dn = entry_or_dn.dn
with self.error_handler():
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 93d54650..f21ce4fa 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -176,25 +176,6 @@ class ldap2(LDAPClient, CrudBackend):
# ignore when trying to unbind multiple times
pass
- def normalize_dn(self, dn):
- """
- Normalize distinguished name by assuring it ends with
- the base_dn.
-
- Note: ldap2 methods normalize DNs internally, but relying on this is
- not recommended.
- """
-
- assert isinstance(dn, DN)
-
- if not dn.endswith(self.base_dn):
- # DN's are mutable, don't use in-place addtion (+=) which would
- # modify the dn passed in with unintended side-effects. Addition
- # returns a new DN object which is the concatenation of the two.
- dn = dn + self.base_dn
-
- return dn
-
config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]}
def get_ipa_config(self, attrs_list=None):
"""Returns the IPA configuration entry (dn, entry_attrs)."""
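Review bot: Dropping this override removes the only place where a DN that did not end with base_dn was completed, so any caller that still passes a relative DN now sends it to the server as-is and will most likely get NotFound rather than the entry it meant. The deleted docstring was also the only statement of that behaviour; the class docstring (outside this hunk) should now say the opposite, e.g. `All DN arguments must be absolute; no base_dn completion is performed.`, so the remaining call sites are audited against that rule rather than the old one.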
@@ -255,7 +236,8 @@ class ldap2(LDAPClient, CrudBackend):
assert isinstance(dn, DN)
principal = getattr(context, 'principal')
- (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
+ (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal,
+ "krbPrincipalAux", base_dn=api.env.basedn)
assert isinstance(binddn, DN)
sctrl = [GetEffectiveRightsControl(True, "dn: " + str(binddn))]
self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
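Review bot: The new find_entry_by_attr call anchors the principal lookup at `api.env.basedn`, while the class otherwise refers to the connection's own base via `self.base_dn` (as the normalize_dn override removed earlier in this file did). Using `base_dn=self.base_dn` keeps the lookup tied to the connection being configured and avoids a second source of truth; this also presumes `api` is already imported in this module, which the hunk does not show. The enclosing method starts outside the hunk.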
@@ -336,7 +318,6 @@ class ldap2(LDAPClient, CrudBackend):
"""Set user password."""
assert isinstance(dn, DN)
- dn = self.normalize_dn(dn)
# The python-ldap passwd command doesn't verify the old password
# so we'll do a simple bind to validate it.
@@ -456,7 +437,6 @@ class ldap2(LDAPClient, CrudBackend):
"""Remove a kerberos principal key."""
assert isinstance(dn, DN)
- dn = self.normalize_dn(dn)
# We need to do this directly using the LDAP library because we
# don't have read access to krbprincipalkey so we need to delete