summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2012-11-20 07:18:08 -0500
committerMartin Kosek <mkosek@redhat.com>2012-11-23 12:19:20 +0100
commit994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe (patch)
tree15211897de914745c84894036fa3e8ad3a7f3ed5 /ipaserver
parent83ef2e251fa0550ebecc68c4c54406b1cef7f3b3 (diff)
downloadfreeipa-994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe.tar.gz
freeipa-994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe.tar.xz
freeipa-994563bfe9df3ee37f1ccc54ec0f26ccb11f39fe.zip
Provide 'protocol' argument to IPAdmin
The ancient IPAdmin class used some heuristics to determine the protocol to connect with (ldap, ldaps, or ldapi). In turn, some calling code used questionable mechanisms to get the correct protocol: in ipaserver/install/replication.py, the CA cert was either passed to the constructor or added to the class afterwards, to get ldap:// or ldaps://. Add an explicit protocol argument and only fall back to backwards-compatible guessing if it is not given.
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/ipaldap.py38
1 files changed, 27 insertions, 11 deletions
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index 2e1b91a56..9b3b86fce 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -217,22 +217,37 @@ class Entry:
class IPAdmin(IPAEntryLDAPObject):
def __localinit(self):
- """If a CA certificate is provided then it is assumed that we are
- doing SSL client authentication with proxy auth.
+ if self.protocol == 'ldaps':
+ IPAEntryLDAPObject.__init__(self,'ldaps://%s' % format_netloc(self.host, self.port))
+ elif self.protocol == 'ldapi':
+ IPAEntryLDAPObject.__init__(self,'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % "-".join(self.realm.split(".")))
+ elif self.protocol == 'ldap':
+ IPAEntryLDAPObject.__init__(self,'ldap://%s' % format_netloc(self.host, self.port))
+ else:
+ raise ValueError('Protocol %r not supported' % self.protocol)
+
+ def __guess_protocol(self):
+ """Return the protocol to use based on flags passed to the constructor
+
+ Only used when "protocol" is not specified explicitly.
- If a CA certificate is not present then it is assumed that we are
- using a forwarded kerberos ticket for SASL auth. SASL provides
- its own encryption.
+ If a CA certificate is provided then it is assumed that we are
+ doing SSL client authentication with proxy auth.
+
+ If a CA certificate is not present then it is assumed that we are
+ using a forwarded kerberos ticket for SASL auth. SASL provides
+ its own encryption.
"""
if self.cacert is not None:
- IPAEntryLDAPObject.__init__(self,'ldaps://%s' % format_netloc(self.host, self.port))
+ return 'ldaps'
+ elif self.ldapi:
+ return 'ldapi'
else:
- if self.ldapi:
- IPAEntryLDAPObject.__init__(self,'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % "-".join(self.realm.split(".")))
- else:
- IPAEntryLDAPObject.__init__(self,'ldap://%s' % format_netloc(self.host, self.port))
+ return 'ldap'
- def __init__(self,host='',port=389,cacert=None,bindcert=None,bindkey=None,proxydn=None,debug=None,ldapi=False,realm=None):
+ def __init__(self, host='', port=389, cacert=None, bindcert=None,
+ bindkey=None, proxydn=None, debug=None, ldapi=False,
+ realm=None, protocol=None):
"""We just set our instance variables and wrap the methods - the real
work is done in __localinit. This is separated out this way so
that we can call it from places other than instance creation
@@ -257,6 +272,7 @@ class IPAdmin(IPAEntryLDAPObject):
self.ldapi = ldapi
self.realm = realm
self.suffixes = {}
+ self.protocol = protocol or self.__guess_protocol()
self.__localinit()
def __lateinit(self):