-rw-r--r-- | install/restart_scripts/renew_ca_cert | 4 | ||||
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 4 | ||||
-rwxr-xr-x | install/tools/ipa-compat-manage | 6 | ||||
-rwxr-xr-x | install/tools/ipa-nis-manage | 6 | ||||
-rw-r--r-- | ipalib/plugins/migration.py | 5 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 5 | ||||
-rw-r--r-- | ipaserver/install/plugins/rename_managed.py | 4 | ||||
-rw-r--r-- | ipaserver/ipaldap.py | 68 | ||||
-rw-r--r-- | ipaserver/plugins/ldap2.py | 24 |
9 files changed, 41 insertions, 85 deletions
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index b1efd8f9..5768db3f 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -70,11 +70,11 @@ try:
try:
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'] = cert
- conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.update_entry(dn, entry_attrs)
except errors.NotFound:
entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
usercertificate=cert)
- conn.add_entry(dn, entry_attrs, normalize=False)
+ conn.add_entry(dn, entry_attrs)
except errors.EmptyModlist:
pass
conn.disconnect()
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index e5418fda..e541e4ba 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -60,11 +60,11 @@ while attempts < 10:
try:
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
entry_attrs['usercertificate'] = dercert
- conn.update_entry(dn, entry_attrs, normalize=False)
+ conn.update_entry(dn, entry_attrs)
except errors.NotFound:
entry_attrs = dict(objectclass=['top', 'pkiuser', 'nscontainer'],
usercertificate=dercert)
- conn.add_entry(dn, entry_attrs, normalize=False)
+ conn.add_entry(dn, entry_attrs)
except errors.EmptyModlist:
pass
updated = True
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index e88d9228..87fa47fe 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -73,7 +73,7 @@ def get_entry(dn, conn):
"""
entry = None
try:
- (dn, entry) = conn.get_entry(dn, normalize=False)
+ (dn, entry) = conn.get_entry(dn)
except errors.NotFound:
pass
return entry
@@ -144,7 +144,7 @@ def main(): retval = 1 else: mod = {'nsslapd-pluginenabled': 'on'} - conn.update_entry(compat_dn, mod, normalize=False) + conn.update_entry(compat_dn, mod) except errors.ExecutionError, lde: print "An error occurred while talking to the server." print lde @@ -175,7 +175,7 @@ def main(): print "Disabling plugin" mod = {'nsslapd-pluginenabled': 'off'} - conn.update_entry(compat_dn, mod, normalize=False) + conn.update_entry(compat_dn, mod) except errors.DatabaseError, dbe: print "An error occurred while talking to the server." print dbe diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 5ef3ce0e..a35e19f9 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -75,7 +75,7 @@ def get_entry(dn, conn): """ entry = None try: - (dn, entry) = conn.get_entry(dn, normalize=False) + (dn, entry) = conn.get_entry(dn) except errors.NotFound: pass return entry @@ -166,7 +166,7 @@ def main(): print "Enabling plugin" # Already configured, just enable the plugin mod = {'nsslapd-pluginenabled': 'on'} - conn.update_entry(nis_config_dn, mod, normalize=False) + conn.update_entry(nis_config_dn, mod) else: print "Plugin already Enabled" retval = 2 @@ -174,7 +174,7 @@ def main(): elif args[0] == "disable": try: mod = {'nsslapd-pluginenabled': 'off'} - conn.update_entry(nis_config_dn, mod, normalize=False) + conn.update_entry(nis_config_dn, mod) except errors.NotFound: print "Plugin is already disabled" retval = 2 diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index d9448433..7884e08c 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -346,7 +346,6 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg api.log.error('entry %s does not belong into any known container' % m) continue - m = ldap.normalize_dn(m) new_members.append(m) del entry_attrs[member_attr] 
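Review bot: With `m = ldap.normalize_dn(m)` dropped in the migration.py hunk, the value reaching `new_members.append(m)` is written to the member attribute exactly as built, so every branch that gets there must already produce a DN rooted at the IPA suffix; the ldap2 normalization that used to append the base DN to a container-relative DN no longer runs. The code that builds `m` is above the hunk and `_pre_migrate_group` starts outside it, so I cannot confirm this from the visible lines. A guard in front of the append would make the assumption explicit and keep a malformed member out of the group entry, e.g. `assert isinstance(m, DN) and m.endswith(api.env.basedn), m`, or a logged error plus `continue` in the style of the error branch just above. The next hunk builds `memberdn` from `api.env.basedn` directly, so it already satisfies this.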
@@ -363,7 +362,7 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg for m in entry_attrs[member_attr]: memberdn = DN((api.Object.user.primary_key.name, m), api.env.container_user, api.env.basedn) - new_members.append(ldap.normalize_dn(memberdn)) + new_members.append(memberdn) entry_attrs['member'] = new_members assert isinstance(dn, DN) @@ -863,7 +862,7 @@ can use their Kerberos accounts.''') #check whether the compat plugin is enabled if not options.get('compat'): try: - (dn,check_compat) = ldap.get_entry(_compat_dn, normalize=False) + (dn,check_compat) = ldap.get_entry(_compat_dn) assert isinstance(dn, DN) if check_compat is not None and \ check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 25647987..a1107cee 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1915,12 +1915,11 @@ def update_people_entry(uid, dercert): conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri) conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password) - (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'], - normalize=False) + (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate']) entry_attrs['usercertificate'].append(dercert) entry_attrs['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject) - conn.update_entry(dn, entry_attrs, normalize=False) + conn.update_entry(dn, entry_attrs) updated = True break except errors.NetworkError: diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py index 206e0a0d..e0fa36bb 100644 --- a/ipaserver/install/plugins/rename_managed.py +++ b/ipaserver/install/plugins/rename_managed.py 
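Review bot: In the cainstance.py hunk, `entry_attrs['usercertificate'].append(dercert)` on the line after the rewritten `get_entry` call raises KeyError when the fetched entry carries no usercertificate value yet — only that attribute is requested, and if a missing attribute yields no key (as I would expect from this API, but cannot confirm here) the `except errors.NetworkError` below does not catch it and the retry loop is abandoned. `entry_attrs.setdefault('usercertificate', []).append(dercert)` would handle that case and leave the rest of the flow unchanged, assuming `get_entry` returns a plain dict-like entry. `update_people_entry` starts outside the hunk.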
@@ -67,7 +67,7 @@ class GenerateUpdateMixin(object): try: definitions_managed_entries, truncated = ldap.find_entries( searchfilter, ['*'], old_definition_container, - ldap.SCOPE_ONELEVEL, normalize=False) + ldap.SCOPE_ONELEVEL) except errors.NotFound, e: return (False, update_list) @@ -77,7 +77,7 @@ class GenerateUpdateMixin(object): old_dn = entry.data['managedtemplate'][0] assert isinstance(old_dn, DN) try: - (old_dn, entry) = ldap.get_entry(old_dn, ['*'], normalize=False) + (old_dn, entry) = ldap.get_entry(old_dn, ['*']) except errors.NotFound, e: pass else: diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py index 10deca78..4a465326 100644 --- a/ipaserver/ipaldap.py +++ b/ipaserver/ipaldap.py @@ -984,11 +984,6 @@ class LDAPClient(object): obj = self.schema.get_obj(ldap.schema.AttributeType, attr) return obj and obj.single_value - def normalize_dn(self, dn): - """Override to normalize all DNs passed to LDAPClient methods""" - assert isinstance(dn, DN) - return dn - def make_dn_from_attr(self, attr, value, parent_dn=None): """ Make distinguished name from attribute. @@ -998,7 +993,6 @@ class LDAPClient(object): """ if parent_dn is None: parent_dn = DN() - parent_dn = self.normalize_dn(parent_dn) if isinstance(value, (list, tuple)): value = value[0] @@ -1015,11 +1009,8 @@ class LDAPClient(object): """ assert primary_key in entry_attrs + assert isinstance(parent_dn, DN) - if parent_dn is None: - parent_dn = DN() - - parent_dn = self.normalize_dn(parent_dn) return DN((primary_key, entry_attrs[primary_key]), parent_dn) def make_entry(self, _dn=None, _obj=None, **kwargs): @@ -1172,7 +1163,7 @@ class LDAPClient(object): def find_entries(self, filter=None, attrs_list=None, base_dn=None, scope=ldap.SCOPE_SUBTREE, time_limit=None, - size_limit=None, normalize=True, search_refs=False): + size_limit=None, search_refs=False): """ Return a list of entries and indication of whether the results were truncated ([(dn, entry_attrs)], truncated) matching specified search 
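Review bot: In the ipaldap.py hunk at 1009, the new `assert isinstance(parent_dn, DN)` replaces the `if parent_dn is None: parent_dn = DN()` fallback, so if the signature (outside the hunk) still declares `parent_dn=None`, calling without a parent now fails the assert — and under `python -O` the assert is skipped and `None` reaches `DN(...)`. The sibling `make_dn_from_attr` in the hunk just above keeps its `None -> DN()` fallback, so the two helpers now disagree on the same parameter. Either keep the fallback here as well, or make the parameter required and reject bad input explicitly, e.g. `if not isinstance(parent_dn, DN): raise TypeError('parent_dn must be a DN')`.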
@@ -1186,15 +1177,12 @@ class LDAPClient(object): time_limit -- time limit in seconds (default use IPA config values) size_limit -- size (number of entries returned) limit (default use IPA config values) - normalize -- normalize the DN (default True) search_refs -- allow search references to be returned (default skips these entries) """ if base_dn is None: base_dn = DN() assert isinstance(base_dn, DN) - if normalize: - base_dn = self.normalize_dn(base_dn) if not filter: filter = '(objectClass=*)' res = [] @@ -1247,8 +1235,7 @@ class LDAPClient(object): members = r[1]['member'] indirect = self.get_members( r[0], members, membertype=MEMBERS_INDIRECT, - time_limit=time_limit, size_limit=size_limit, - normalize=normalize) + time_limit=time_limit, size_limit=size_limit) if len(indirect) > 0: r[1]['memberindirect'] = indirect if attrs_list and ( @@ -1264,7 +1251,7 @@ class LDAPClient(object): continue direct, indirect = self.get_memberof( r[0], memberof, time_limit=time_limit, - size_limit=size_limit, normalize=normalize) + size_limit=size_limit) if len(direct) > 0: r[1]['memberof'] = direct if len(indirect) > 0: @@ -1299,7 +1286,7 @@ class LDAPClient(object): return entries[0] def get_entry(self, dn, attrs_list=None, time_limit=None, - size_limit=None, normalize=True): + size_limit=None): """ Get entry (dn, entry_attrs) by dn. @@ -1311,7 +1298,7 @@ class LDAPClient(object): (entry, truncated) = self.find_entries( None, attrs_list, dn, self.SCOPE_BASE, time_limit=time_limit, - size_limit=size_limit, normalize=normalize + size_limit=size_limit ) if truncated: @@ -1326,7 +1313,7 @@ class LDAPClient(object): return {} def get_memberof(self, entry_dn, memberof, time_limit=None, - size_limit=None, normalize=True): + size_limit=None): """ Examine the objects that an entry is a member of and determine if they are a direct or indirect member of that group. 
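Review bot: With the `if normalize:` branch removed from `find_entries`, `base_dn=None` now means a search rooted at the empty DN (`DN()`), not at the connection's suffix as the ldap2 override used to supply, and the parameter list (its `base_dn` line is above the hunk) does not say so. A caller that omits `base_dn` and relied on the suffix being appended now searches from the server root, which on a directory server tends to return nothing or NotFound rather than fail loudly, so the change is easy to miss — for lookups that feed authorization decisions, like the principal search in `get_effective_rights`, that matters. The commit already passes an explicit base there; I suggest documenting the new meaning: `base_dn -- search base; None means the empty DN (server root), not the IPA suffix, so pass the suffix explicitly`. Other callers of `find_entries` and `find_entry_by_attr` are outside this diff.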
@@ -1361,7 +1348,7 @@ class LDAPClient(object): result, truncated = self.find_entries( searchfilter, attr_list, group, time_limit=time_limit, size_limit=size_limit, - scope=ldap.SCOPE_BASE, normalize=normalize) + scope=ldap.SCOPE_BASE) results.extend(list(result)) except errors.NotFound: pass @@ -1386,8 +1373,7 @@ class LDAPClient(object): return (direct, indirect) def get_members(self, group_dn, members, attr_list=[], - membertype=MEMBERS_ALL, time_limit=None, size_limit=None, - normalize=True): + membertype=MEMBERS_ALL, time_limit=None, size_limit=None): """Do a memberOf search of groupdn and return the attributes in attr_list (an empty list returns all attributes). @@ -1441,7 +1427,7 @@ class LDAPClient(object): result, truncated = self.find_entries( searchfilter, attr_list, member_dn, time_limit=time_limit, size_limit=size_limit, - scope=ldap.SCOPE_BASE, normalize=normalize) + scope=ldap.SCOPE_BASE) if truncated: raise errors.LimitsExceeded() results.append(list(result[0])) 
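Review bot: The `get_members` signature is rewritten in the hunk at 1373 but keeps `attr_list=[]` on the context line just above the change, a mutable default shared across calls; if the body (outside the hunk) ever appends to it, attribute lists would accumulate between searches. Since the line is already being touched, `attr_list=None` in the signature with `attr_list = [] if attr_list is None else attr_list` at the top of the body removes the hazard without changing the interface, and the docstring's "an empty list returns all attributes" stays true.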
@@ -1477,31 +1463,28 @@ class LDAPClient(object): self.log.debug("get_members: result=%s", entries) return entries - def _get_dn_and_attrs(self, entry_or_dn, entry_attrs, normalize): + def _get_dn_and_attrs(self, entry_or_dn, entry_attrs): """Helper for legacy calling style for {add,update}_entry """ if entry_attrs is None: - assert normalize is None return entry_or_dn.dn, entry_or_dn else: assert isinstance(entry_or_dn, DN) - if normalize is None or normalize: - entry_or_dn = self.normalize_dn(entry_or_dn) entry_attrs = self.make_entry(entry_or_dn, entry_attrs) for key, value in entry_attrs.items(): if value is None: entry_attrs[key] = [] return entry_or_dn, entry_attrs - def add_entry(self, entry, entry_attrs=None, normalize=None): + def add_entry(self, entry, entry_attrs=None): """Create a new entry. This should be called as add_entry(entry). - The legacy two/three-argument variant is: - add_entry(dn, entry_attrs, normalize=True) + The legacy two-argument variant is: + add_entry(dn, entry_attrs) """ - dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize) + dn, attrs = self._get_dn_and_attrs(entry, entry_attrs) # remove all [] values (python-ldap hates 'em) attrs = dict((k, v) for k, v in attrs.iteritems() @@ -1523,19 +1506,17 @@ class LDAPClient(object): assert isinstance(dn, DN) assert isinstance(new_rdn, RDN) - dn = self.normalize_dn(dn) if dn[0] == new_rdn: raise errors.EmptyModlist() with self.error_handler(): self.conn.rename_s(dn, new_rdn, delold=int(del_old)) time.sleep(.3) # Give memberOf plugin a chance to work - def _generate_modlist(self, dn, entry_attrs, normalize): + def _generate_modlist(self, dn, entry_attrs): assert isinstance(dn, DN) # get original entry - dn, entry_attrs_old = self.get_entry( - dn, entry_attrs.keys(), normalize=normalize) + dn, entry_attrs_old = self.get_entry(dn, entry_attrs.keys()) # generate modlist # for multi value attributes: no MOD_REPLACE to handle simultaneous 
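Review bot: The `add_entry` docstring should say that `dn` in the legacy `add_entry(dn, entry_attrs)` form must now be the complete DN: `_get_dn_and_attrs` used to pass it through `normalize_dn`, which in ldap2 appended the suffix to a relative DN, and with that step gone a relative DN now goes to the server as-is, so the entry would be created somewhere other than intended or rejected. Suggested line after the variant: `dn must be a full DN; it is no longer extended with the base DN.` The same wording applies to `update_entry` and `delete_entry` in the next hunk and to the `rename_s` method in this hunk where `dn = self.normalize_dn(dn)` was removed, whose docstrings are unchanged.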
@@ -1593,18 +1574,18 @@ class LDAPClient(object): return modlist - def update_entry(self, entry, entry_attrs=None, normalize=None): + def update_entry(self, entry, entry_attrs=None): """Update entry's attributes. This should be called as update_entry(entry). - The legacy two/three-argument variant is: - update_entry(dn, entry_attrs, normalize=True) + The legacy two-argument variant is: + update_entry(dn, entry_attrs) """ - dn, attrs = self._get_dn_and_attrs(entry, entry_attrs, normalize) + dn, attrs = self._get_dn_and_attrs(entry, entry_attrs) # generate modlist - modlist = self._generate_modlist(dn, attrs, normalize) + modlist = self._generate_modlist(dn, attrs) if not modlist: raise errors.EmptyModlist() @@ -1612,14 +1593,11 @@ class LDAPClient(object): with self.error_handler(): self.conn.modify_s(dn, modlist) - def delete_entry(self, entry_or_dn, normalize=None): + def delete_entry(self, entry_or_dn): """Delete an entry given either the DN or the entry itself""" if isinstance(entry_or_dn, DN): dn = entry_or_dn - if normalize is None or normalize: - dn = self.normalize_dn(dn) else: - assert normalize is None dn = entry_or_dn.dn with self.error_handler(): diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 93d54650..f21ce4fa 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -176,25 +176,6 @@ class ldap2(LDAPClient, CrudBackend): # ignore when trying to unbind multiple times pass - def normalize_dn(self, dn): - """ - Normalize distinguished name by assuring it ends with - the base_dn. - - Note: ldap2 methods normalize DNs internally, but relying on this is - not recommended. - """ - - assert isinstance(dn, DN) - - if not dn.endswith(self.base_dn): - # DN's are mutable, don't use in-place addtion (+=) which would - # modify the dn passed in with unintended side-effects. Addition - # returns a new DN object which is the concatenation of the two. - dn = dn + self.base_dn - - return dn - config_defaults = {'ipasearchtimelimit': [2], 'ipasearchrecordslimit': [0]} def get_ipa_config(self, attrs_list=None): """Returns the IPA configuration entry (dn, entry_attrs).""" @@ -255,7 +236,8 @@ class ldap2(LDAPClient, CrudBackend): assert isinstance(dn, DN) principal = getattr(context, 'principal') - (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux") + (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, + "krbPrincipalAux", base_dn=api.env.basedn) assert isinstance(binddn, DN) sctrl = [GetEffectiveRightsControl(True, "dn: " + str(binddn))] self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl) @@ -336,7 +318,6 @@ class ldap2(LDAPClient, CrudBackend): """Set user password.""" assert isinstance(dn, DN) - dn = self.normalize_dn(dn) # The python-ldap passwd command doesn't verify the old password # so we'll do a simple bind to validate it. @@ -456,7 +437,6 @@ class ldap2(LDAPClient, CrudBackend): """Remove a kerberos principal key.""" assert isinstance(dn, DN) - dn = self.normalize_dn(dn) # We need to do this directly using the LDAP library because we # don't have read access to krbprincipalkey so we need to delete |
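Review bot: The new `find_entry_by_attr(..., base_dn=api.env.basedn)` in `get_effective_rights` roots the principal lookup at the global API suffix rather than the instance's own `base_dn`, which the removed `normalize_dn` used (`self.base_dn`); for an `ldap2` built against another server (cainstance.py in this diff creates one with `shared_instance=False, ldap_uri=dogtag_uri`) the two can differ, so `base_dn=self.base_dn` looks like the consistent choice if that attribute is always initialised — its setup is not visible here. Separately, `modify_password` and `remove_principal_key` now send `dn` unchanged after only an `assert isinstance(dn, DN)`, which disappears under `python -O`, whereas normalize_dn previously guaranteed the DN ended with the suffix. If those methods are only meant for entries under the suffix, an explicit check such as `if not dn.endswith(self.base_dn): raise ValueError('dn must be under the base DN')` would keep that guarantee.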