author | Ana Krivokapic <akrivoka@redhat.com> | 2013-11-05 18:38:55 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-11-14 15:01:05 +0100 |
commit | eaaf7ed0f20b81ce10e1e36ce36c673445a83f2b (patch) | |
tree | 323df18dd5bde217c75205496e5657103401afdf | |
parent | 3693b8e51ae11b4bcda9cd7e90ff729fc66a5862 (diff) | |
Use EXTERNAL auth mechanism in ldapmodify
Default to using the EXTERNAL authorization mechanism in calls to ldapmodify
https://fedorahosted.org/freeipa/ticket/3895
-rw-r--r-- | ipaserver/install/service.py | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4a244abb9..0d7a66456 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -121,17 +121,15 @@ class Service(object):
 self.admin_conn = conn
-
 def ldap_disconnect(self):
 self.admin_conn.unbind()
 self.admin_conn = None
- def _ldap_mod(self, ldif, sub_dict = None):
-
+ def _ldap_mod(self, ldif, sub_dict=None):
 pw_name = None
 fd = None
 path = ipautil.SHARE_DIR + ldif
- nologlist=[]
+ nologlist = []
 if sub_dict is not None:
 txt = ipautil.template_file(path, sub_dict)
@@ -139,9 +137,9 @@ class Service(object):
 path = fd.name
 # do not log passwords
- if sub_dict.has_key('PASSWORD'):
+ if 'PASSWORD' in sub_dict:
 nologlist.append(sub_dict['PASSWORD'])
- if sub_dict.has_key('RANDOM_PASSWORD'):
+ if 'RANDOM_PASSWORD' in sub_dict:
 nologlist.append(sub_dict['RANDOM_PASSWORD'])
 args = ["/usr/bin/ldapmodify", "-v", "-f", path]
@@ -152,16 +150,18 @@ class Service(object):
 self.ldap_connect()
 args += ["-H", self.admin_conn.ldap_uri]
- auth_parms = []
+ # If DM password is available, use it
 if self.dm_password:
 [pw_fd, pw_name] = tempfile.mkstemp()
 os.write(pw_fd, self.dm_password)
 os.close(pw_fd)
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
+ # Use GSSAPI auth when not using DM password or not being root
+ elif os.getegid() != 0:
+ auth_parms = ["-Y", "GSSAPI"]
+ # Default to EXTERNAL auth mechanism
 else:
- # always try GSSAPI auth when not using DM password or not being root
- if os.getegid() != 0:
- auth_parms = ["-Y", "GSSAPI"]
+ auth_parms = ["-Y", "EXTERNAL"]
 args += auth_parms |
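Review bot: The `elif os.getegid() != 0:` test in the third hunk chooses between GSSAPI and the new EXTERNAL default on the effective group ID, while the comment above it says "not being root"; if the effective user is what is meant, `elif os.geteuid() != 0:` matches the comment, and the comment's "or" reads as though it should be "and". The `else` branch passes `-Y EXTERNAL` alongside the `-H` URI taken from `self.admin_conn.ldap_uri`, and SASL EXTERNAL only yields an identity when the transport supplies one (typically an ldapi:// socket or TLS with a client certificate). The URI scheme is not visible in this hunk, so it would help to record the assumption, e.g. `# EXTERNAL assumes ldap_uri is ldapi:// and the server maps the local peer to a bind DN`. Removing the `auth_parms = []` initialiser looks safe because each of the three branches assigns it; `_ldap_mod` starts and ends outside this hunk.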