author | Tomas Krizek <tkrizek@redhat.com> | 2016-11-01 14:52:33 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-11-07 11:34:03 +0100 |
commit | 5b81dbfda1e4f0799d4ce87e9987a896af3ff299 (patch) | |
tree | bf0b256dec17a5e9ca7bacb414488cb0436aba49 /ipaserver | |
parent | 4f1a6a177666c475156f496d3f7719b37e66a7b0 (diff) | |
download | freeipa-5b81dbfda1e4f0799d4ce87e9987a896af3ff299.tar.gz freeipa-5b81dbfda1e4f0799d4ce87e9987a896af3ff299.tar.xz freeipa-5b81dbfda1e4f0799d4ce87e9987a896af3ff299.zip |
ipaldap: merge IPAdmin to LDAPClient
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/dcerpc.py | 13 | ||||
-rw-r--r-- | ipaserver/install/bindinstance.py | 8 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 8 | ||||
-rw-r--r-- | ipaserver/install/dnskeysyncinstance.py | 7 | ||||
-rw-r--r-- | ipaserver/install/dogtaginstance.py | 8 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 23 | ||||
-rw-r--r-- | ipaserver/install/ipa_backup.py | 6 | ||||
-rw-r--r-- | ipaserver/install/ipa_replica_prepare.py | 3 | ||||
-rw-r--r-- | ipaserver/install/ipa_restore.py | 6 | ||||
-rw-r--r-- | ipaserver/install/ldapupdate.py | 6 | ||||
-rw-r--r-- | ipaserver/install/plugins/fix_replica_agreements.py | 2 | ||||
-rw-r--r-- | ipaserver/install/replication.py | 40 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 7 | ||||
-rw-r--r-- | ipaserver/install/service.py | 44 |
14 files changed, 89 insertions, 92 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index f1ddc417b..508bfabdc 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -45,7 +45,7 @@ import random from cryptography.hazmat.primitives.ciphers import Cipher, algorithms from cryptography.hazmat.backends import default_backend import ldap as _ldap -from ipapython.ipaldap import IPAdmin +from ipapython import ipaldap from ipaserver.session import krbccache_dir, krbccache_prefix from dns import resolver, rdatatype from dns.exception import DNSException @@ -760,11 +760,12 @@ class DomainValidator(object): entries = None try: - conn = IPAdmin(host=host, - port=389, # query the AD DC - no_schema=True, - decode_attrs=False, - sasl_nocanon=True) + ldap_uri = ipaldap.get_ldap_uri(host) + conn = ipaldap.LDAPClient( + ldap_uri, + no_schema=True, + decode_attrs=False, + sasl_nocanon=True) # sasl_nocanon used to avoid hard requirement for PTR # records pointing back to the same host name diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 350cb3c76..65fc462c7 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -237,11 +237,9 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None try: # At install time we may need to use LDAPI to avoid chicken/egg # issues with SSL certs and truting CAs - if ldapi: - conn = ipaldap.IPAdmin(host=fqdn, ldapi=True, realm=realm) - else: - conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=CACERT) - + ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, + cacert=CACERT) + conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) conn.do_bind(dm_password, autobind=autobind) except ldap.SERVER_DOWN: raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index e6a7e24f6..a39d11dd9 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
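Review bot: The `port=389, # query the AD DC` that the removed IPAdmin call spelled out is now implicit in `ipaldap.get_ldap_uri(host)`, whose default port and scheme live in ipapython/ipaldap.py, outside this diff (the diffstat is limited to ipaserver). Since this connection goes to a foreign AD domain controller rather than an IPA server, I would keep the intent on the line: `ldap_uri = ipaldap.get_ldap_uri(host, 389)  # query the AD DC`. The surviving `sasl_nocanon` comment explains the PTR-record concern but not what protects the query in transit; if the bind that follows the hunk is GSSAPI, as the SASL option suggests, say so in the same comment. The enclosing try block and method continue outside the hunk.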
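Review bot: In the non-LDAPI branch of dns_container_exists the scheme is no longer stated: the old call paired `port=636` with `cacert=CACERT`, and the new `ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, cacert=CACERT)` relies on get_ldap_uri (outside this diff) turning a cacert into ldaps://. The `conn.do_bind(dm_password, autobind=autobind)` that follows may send the Directory Manager password, so if that inference ever changes this becomes a cleartext bind on port 636 with no error. The replication.py hunks in this commit show get_ldap_uri accepts `protocol=`; passing `protocol='ldaps'` for the TCP case (the exact combination with `ldapi=` to be confirmed in ipapython) would make the choice explicit. The function starts before the hunk and its except clauses continue after it.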
@@ -1497,9 +1497,11 @@ def replica_ca_install_check(config): objectclass = 'ipaObject' root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url) try: - with ipaldap.LDAPClient(ca_ldap_url, - start_tls=True, - force_schema_updates=False) as connection: + with ipaldap.LDAPClient( + ca_ldap_url, + start_tls=True, + cacert=config.dir + "/ca.cer", + force_schema_updates=False) as connection: connection.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=config.dirman_password) rschema = connection.schema diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index f39787937..1ca6c7df3 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py @@ -41,10 +41,9 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, try: # At install time we may need to use LDAPI to avoid chicken/egg # issues with SSL certs and truting CAs - if ldapi: - conn = ipaldap.IPAdmin(host=fqdn, ldapi=True, realm=realm) - else: - conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=CACERT) + ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, + cacert=CACERT) + conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) conn.do_bind(dm_password, autobind=autobind) except ldap.SERVER_DOWN: diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index d7456a666..174191223 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -397,7 +397,8 @@ class DogtagInstance(service.Service): conn = None try: - conn = ipaldap.IPAdmin(self.fqdn, ldapi=True, realm=self.realm) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm) + conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() entry_attrs = conn.get_entry(self.admin_dn, ['usercertificate']) 
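Review bot: The new `cacert=config.dir + "/ca.cer"` builds the path by string concatenation; `os.path.join(config.dir, "ca.cer")` is the idiomatic form, assuming `os` is imported in cainstance.py (not visible here). Pinning the CA for this STARTTLS connection is the security-relevant part of the hunk and deserves a why-comment, because a reader may otherwise assume LDAPClient already verifies the peer: `# pin the CA from the replica file so STARTTLS to the master is verified against the domain CA, not the system trust store`. Whether the previous call, with no cacert, verified the server certificate at all is decided in ipapython and outside this diff, so I can't say if this closes a gap or only makes it explicit. replica_ca_install_check starts before the hunk and continues after it.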
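Review bot: The three added lines in dnssec_container_exists are now identical to the ones added to bindinstance.dns_container_exists in this commit — same `get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, cacert=CACERT)`, same `LDAPClient(ldap_uri, cacert=CACERT)`, same `do_bind` — and so is the except clause that follows. A shared helper taking `(fqdn, dm_password, ldapi, realm, autobind)` would give one place to get the scheme and the bind right for both containers. The context comment above the hunk still reads `truting CAs` (`trusting CAs`), which could be fixed while these lines are touched. The function starts before the hunk and continues after it.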
@@ -466,9 +467,8 @@ class DogtagInstance(service.Service): self.__add_admin_to_group(group) # Now wait until the other server gets replicated this data - master_conn = ipaldap.IPAdmin(self.master_host, - port=389, - protocol='ldap') + ldap_uri = ipaldap.get_ldap_uri(self.master_host) + master_conn = ipaldap.LDAPClient(ldap_uri) master_conn.gssapi_bind() replication.wait_for_entry(master_conn, entry) del master_conn diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 773880b23..9c88b4936 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -168,7 +168,8 @@ def create_ds_user(): def get_domain_level(api=api): - conn = ipaldap.IPAdmin(ldapi=True, realm=api.env.realm) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=api.env.realm) + conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() dn = DN(('cn', 'Domain Level'), @@ -411,12 +412,13 @@ class DsInstance(service.Service): def __setup_replica(self): - replication.enable_replication_version_checking(self.fqdn, + replication.enable_replication_version_checking( self.realm, self.dm_password) # Always connect to self over ldapi - conn = ipaldap.IPAdmin(self.fqdn, ldapi=True, realm=self.realm) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm) + conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() repl = replication.ReplicationManager(self.realm, self.fqdn, @@ -657,7 +659,8 @@ class DsInstance(service.Service): dn = DN(('cn', 'IPA install %s' % self.sub_dict["TIME"]), ('cn', 'memberof task'), ('cn', 'tasks'), ('cn', 'config')) root_logger.debug("Waiting for memberof task to complete.") - conn = ipaldap.IPAdmin(self.fqdn) + ldap_uri = ipaldap.get_ldap_uri(self.fqdn) + conn = ipaldap.LDAPClient(ldap_uri) if self.dm_password: conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) 
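Review bot: The new `master_conn` LDAPClient is still released with the existing `del master_conn` rather than unbound, so closing the socket depends on garbage collection; the cainstance hunk in this same commit shows LDAPClient works as a context manager. `with ipaldap.LDAPClient(ipaldap.get_ldap_uri(self.master_host)) as master_conn:` with the `gssapi_bind()` and `wait_for_entry` calls inside the block would release it deterministically and drop the `del`. The URI is built with no cacert or protocol, so presumably plain ldap:// to the master; the GSSAPI bind is what would protect it, and whether a SASL security layer is negotiated is decided in ipapython outside this diff. The method starts before the hunk and ends after it.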
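Review bot: `conn = ipaldap.LDAPClient(ipaldap.get_ldap_uri(self.fqdn))` in the memberof-task wait is given neither `cacert` nor `protocol`, so, assuming get_ldap_uri defaults to ldap://, the `simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password)` below it sends the Directory Manager password over an unencrypted TCP connection to the local server. The __setup_replica hunk just above says `# Always connect to self over ldapi` and uses `ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm)` with `conn.external_bind()`; unless waiting for the memberof task needs the TCP listener, the same form here keeps the DM password off the wire. If the TCP path is intentional, a one-line comment saying why would stop the next reader from changing it. The method starts before the hunk and continues after it.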
@@ -793,7 +796,8 @@ class DsInstance(service.Service): self.nickname, self.principal, dsdb.passwd_fname, 'restart_dirsrv %s' % self.serverid) - conn = ipaldap.IPAdmin(self.fqdn) + ldap_uri = ipaldap.get_ldap_uri(self.fqdn) + conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) @@ -830,7 +834,8 @@ class DsInstance(service.Service): subject_base=self.subject_base) trust_flags = dict(reversed(dsdb.list_certs())) - conn = ipaldap.IPAdmin(self.fqdn) + ldap_uri = ipaldap.get_ldap_uri(self.fqdn) + conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) @@ -854,7 +859,8 @@ class DsInstance(service.Service): dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) - conn = ipaldap.IPAdmin(self.fqdn) + ldap_uri = ipaldap.get_ldap_uri(self.fqdn) + conn = ipaldap.LDAPClient(ldap_uri) conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password) @@ -1257,7 +1263,8 @@ class DsInstance(service.Service): db.create_pin_file() # Connect to self over ldapi as Directory Manager and configure SSL - conn = ipaldap.IPAdmin(self.fqdn, ldapi=True, realm=self.realm) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm) + conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index def5e5856..6fc18706b 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -356,10 +356,8 @@ class Backup(admintool.AdminTool): if self._conn is not None: return self._conn - self._conn = ipaldap.IPAdmin(host=api.env.host, - ldapi=True, - protocol='ldapi', - realm=api.env.realm) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=api.env.realm) + self._conn = ipaldap.LDAPClient(ldap_uri) try: self._conn.external_bind() 
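Review bot: Here and in the `@@ -830` and `@@ -854` hunks that follow, `ipaldap.LDAPClient(ipaldap.get_ldap_uri(self.fqdn))` is created with no `cacert` or `protocol` and immediately does `simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=self.dm_password)`; if get_ldap_uri defaults to ldap://, that is the Directory Manager password in cleartext on a TCP socket, even though the target is the local server. The `@@ -1257` hunk in this file connects to self over LDAPI with `external_bind()` for the SSL configuration step, so `ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=self.realm)` followed by `conn.external_bind()` is available to these methods as well. If these steps deliberately use the TCP listener (for instance to exercise the certificate just installed), a comment stating that is warranted. Each method starts before its hunk and continues after it.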
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 2eef5fe43..00e971c8e 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -357,7 +357,8 @@ class ReplicaPrepare(admintool.AdminTool): self.log.info("Preparing replica for %s from %s", self.replica_fqdn, api.env.host) - enable_replication_version_checking(api.env.host, api.env.realm, + enable_replication_version_checking( + api.env.realm, self.dirman_password) self.top_dir = tempfile.mkdtemp("ipa") diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index ea69cc713..21403afcf 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -435,10 +435,8 @@ class Restore(admintool.AdminTool): if self._conn is not None: return self._conn - self._conn = ipaldap.IPAdmin(host=api.env.host, - ldapi=True, - protocol='ldapi', - realm=api.env.realm) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=api.env.realm) + self._conn = ipaldap.LDAPClient(ldap_uri) try: self._conn.external_bind() diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 5e8d44de3..de03856d5 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -53,10 +53,8 @@ UPDATE_SEARCH_TIME_LIMIT = 30 # seconds def connect(ldapi=False, realm=None, fqdn=None, dm_password=None): """Create a connection for updates""" - if ldapi: - conn = ipaldap.IPAdmin(ldapi=True, realm=realm, decode_attrs=False) - else: - conn = ipaldap.IPAdmin(fqdn, ldapi=False, realm=realm, decode_attrs=False) + ldap_uri = ipaldap.get_ldap_uri(fqdn, ldapi=ldapi, realm=realm) + conn = ipaldap.LDAPClient(ldap_uri, decode_attrs=False) try: if dm_password: conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, diff --git a/ipaserver/install/plugins/fix_replica_agreements.py b/ipaserver/install/plugins/fix_replica_agreements.py index 321ddc636..3840660f8 100644 
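Review bot: `connect()` builds `ipaldap.get_ldap_uri(fqdn, ldapi=ldapi, realm=realm)` with no cacert or protocol, and the context below does a Directory Manager `simple_bind` when `dm_password` is given, so for `ldapi=False` the password presumably travels over plain ldap:// to `fqdn` — the same as the removed IPAdmin call, so nothing new, but the helper now makes `cacert=`/`protocol=` easy to pass as bindinstance.py does. The one-line docstring should also say how the arguments interact, since `fqdn` and `realm` are both passed regardless of `ldapi`: `"""Create a connection for updates: over LDAPI to the local server when ldapi is true (realm needed, fqdn presumably ignored), otherwise to fqdn."""` — confirm against get_ldap_uri, which is outside this diff. The try/except continues past the hunk.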
--- a/ipaserver/install/plugins/fix_replica_agreements.py +++ b/ipaserver/install/plugins/fix_replica_agreements.py @@ -35,7 +35,7 @@ class update_replica_attribute_lists(Updater): """ def execute(self, **options): - # We need an IPAdmin connection to the backend + # We need an LDAPClient connection to the backend self.log.debug("Start replication agreement exclude list update task") conn = self.api.Backend.ldap2 diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index de7140530..2131840bb 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -109,13 +109,15 @@ def replica_conn_check(master_host, host_name, realm, check_ca, else: print("Connection check OK") -def enable_replication_version_checking(hostname, realm, dirman_passwd): + +def enable_replication_version_checking(realm, dirman_passwd): """ Check the replication version checking plugin. If it is not enabled then enable it and restart 389-ds. If it is enabled the do nothing. """ - conn = ipaldap.IPAdmin(hostname, realm=realm, ldapi=True) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=realm) + conn = ipaldap.LDAPClient(ldap_uri) if dirman_passwd: conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=dirman_passwd) 
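Review bot: The signature changed from `(hostname, realm, dirman_passwd)` to `(realm, dirman_passwd)`, but the docstring still describes only the plugin check, not that the function now always opens `ipaldap.get_ldap_uri(protocol='ldapi', realm=realm)` to the local 389-ds; a caller can no longer target a remote replica and should be told. Suggested addition: `Connects to the local 389-ds over LDAPI and binds as Directory Manager when dirman_passwd is given.` The else branch for an empty `dirman_passwd` is outside the hunk, so I can't state what bind it uses. Both in-tree callers (dsinstance.py, ipa_replica_prepare.py) are updated in this commit; any other caller still passing three positional arguments now fails with TypeError, which is the right outcome.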
@@ -206,17 +208,16 @@ class ReplicationManager(object): self.db_suffix = self.suffix self.agreement_name_format = "meTo%s" - # The caller is allowed to pass in an existing IPAdmin connection. + # The caller is allowed to pass in an existing LDAPClient connection. # Open a new one if not provided if conn is None: # If we are passed a password we'll use it as the DM password # otherwise we'll do a GSSAPI bind. - if starttls: - self.conn = ipaldap.IPAdmin( - hostname, port=port, cacert=CACERT, protocol='ldap', - start_tls=True) - else: - self.conn = ipaldap.IPAdmin(hostname, port=port, cacert=CACERT) + protocol = 'ldap' if starttls else None + ldap_uri = ipaldap.get_ldap_uri( + hostname, port, protocol=protocol, cacert=CACERT) + self.conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT, + start_tls=starttls) if dirman_passwd: self.conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=dirman_passwd) @@ -1006,9 +1007,9 @@ class ReplicationManager(object): local_port = r_port # note - there appears to be a bug in python-ldap - it does not # allow connections using two different CA certs - r_conn = ipaldap.IPAdmin( - r_hostname, port=r_port, cacert=CACERT, protocol='ldap', - start_tls=True) + ldap_uri = ipaldap.get_ldap_uri(r_hostname, r_port, cacert=CACERT, + protocol='ldap') + r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT, start_tls=True) if r_bindpw: r_conn.simple_bind(r_binddn, r_bindpw) @@ -1115,7 +1116,8 @@ class ReplicationManager(object): raise RuntimeError("Failed to start replication") def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw): - r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT) + ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT) + r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) if r_bindpw: r_conn.simple_bind(r_binddn, r_bindpw) else: 
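Review bot: `protocol = 'ldap' if starttls else None` makes the STARTTLS case explicit but leaves the non-STARTTLS scheme to whatever get_ldap_uri derives from `cacert=CACERT` — presumably ldaps://, but that lives in ipapython outside this diff. Since `self.conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, bind_password=dirman_passwd)` follows immediately, the scheme decides whether the Directory Manager password is protected, so it is better spelled out than inferred: `protocol = 'ldap' if starttls else 'ldaps'` (assuming get_ldap_uri accepts that value). Passing `cacert=CACERT` to both get_ldap_uri and LDAPClient is then redundant for URI building but harmless. __init__ starts before the hunk and continues after it.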
@@ -1145,7 +1147,8 @@ class ReplicationManager(object): """ # note - there appears to be a bug in python-ldap - it does not # allow connections using two different CA certs - r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT) + ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT) + r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) if r_bindpw: r_conn.simple_bind(r_binddn, r_bindpw) else: @@ -1603,7 +1606,8 @@ class ReplicationManager(object): def setup_promote_replication(self, r_hostname): # note - there appears to be a bug in python-ldap - it does not # allow connections using two different CA certs - r_conn = ipaldap.IPAdmin(r_hostname, port=389, protocol='ldap') + ldap_uri = ipaldap.get_ldap_uri(r_hostname) + r_conn = ipaldap.LDAPClient(ldap_uri) r_conn.gssapi_bind() # Setup the first half @@ -1739,7 +1743,8 @@ class CAReplicationManager(ReplicationManager): def __init__(self, realm, hostname): # Always connect to self over ldapi - conn = ipaldap.IPAdmin(hostname, ldapi=True, realm=realm) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=realm) + conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() super(CAReplicationManager, self).__init__( realm, hostname, None, port=DEFAULT_PORT, conn=conn) @@ -1751,7 +1756,8 @@ class CAReplicationManager(ReplicationManager): Assumes a promote replica with working GSSAPI for replication and unified DS instance. """ - r_conn = ipaldap.IPAdmin(r_hostname, port=389, protocol='ldap') + ldap_uri = ipaldap.get_ldap_uri(r_hostname) + r_conn = ipaldap.LDAPClient(ldap_uri) r_conn.gssapi_bind() # Setup the first half diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 68af0a307..aecf0f638 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
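Review bot: `r_conn = ipaldap.LDAPClient(ipaldap.get_ldap_uri(r_hostname))` in setup_promote_replication drops the `port=389, protocol='ldap'` the old call spelled out, so a reader can no longer see from this line that a cleartext ldap:// to the remote master is intended and that the `r_conn.gssapi_bind()` beneath it is what protects the channel. I would keep the intent visible: `ldap_uri = ipaldap.get_ldap_uri(r_hostname, 389, protocol='ldap')  # GSSAPI bind below; relies on the SASL security layer` — the second half of that comment to be confirmed against LDAPClient.gssapi_bind in ipapython, outside this diff. The same pattern appears in the last CAReplicationManager hunk on this line. The method continues past the hunk.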
@@ -985,11 +985,8 @@ def uninstall_check(installer): raise ScriptError("Aborting uninstall operation.") try: - conn = ipaldap.IPAdmin( - api.env.host, - ldapi=True, - realm=api.env.realm - ) + ldap_uri = ipaldap.get_ldap_uri(protocol='ldapi', realm=api.env.realm) + conn = ipaldap.LDAPClient(ldap_uri) conn.external_bind() api.Backend.ldap2.connect(autobind=True) domain_level = dsinstance.get_domain_level(api) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index eafacb102..8458db6b7 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -30,6 +30,7 @@ from ipapython.ipa_log_manager import root_logger from ipalib import api, errors, certstore from ipaplatform import services from ipaplatform.paths import paths +from ipapython.ipaldap import LDAPClient # The service name as stored in cn=masters,cn=ipa,cn=etc. In the tuple @@ -144,7 +145,6 @@ class Service(object): self.start_tls = start_tls self.fqdn = socket.gethostname() - self.admin_conn = None if sstore: self.sstore = sstore 
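Review bot: `from ipapython.ipaldap import LDAPClient` is the only place in this commit that imports the class by name; every other file uses `from ipapython import ipaldap` and `ipaldap.LDAPClient`. The removed ldap_connect body referenced `ipaldap.IPAdmin`, so service.py presumably already has a module import above this hunk; if so, `ipaldap.LDAPClient.size_limit` in ldap_connect avoids the second import, and if that module import is now unused it should be dropped. The import block continues outside the hunk, so I can't verify either.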
@@ -156,34 +156,26 @@ class Service(object): self.principal = None self.dercert = None - def ldap_connect(self): - # If DM password is provided, we use it - # If autobind was requested, attempt autobind when root and ldapi - # If autobind was disabled or not succeeded, go with GSSAPI - # LDAPI can be used with either autobind or GSSAPI - # LDAPI requires realm to be set - try: - if self.ldapi: - if not self.realm: - raise errors.NotFound(reason="realm is missing for %s" % (self)) - conn = ipaldap.IPAdmin(ldapi=self.ldapi, realm=self.realm) - elif self.start_tls: - conn = ipaldap.IPAdmin(self.fqdn, port=389, protocol='ldap', - cacert=paths.IPA_CA_CRT, - start_tls=self.start_tls) - else: - conn = ipaldap.IPAdmin(self.fqdn, port=389) - - conn.do_bind(self.dm_password, autobind=self.autobind) - except Exception as e: - root_logger.debug("Could not connect to the Directory Server on %s: %s" % (self.fqdn, str(e))) - raise + @property + def admin_conn(self): + """ + alias for api.Backend.ldap2 + :returns: None when ldap2 is not connected, ldap2 connection otherwise + """ + conn = api.Backend.ldap2 + if conn.isconnected(): + return conn + return None - self.admin_conn = conn + def ldap_connect(self): + """connect to ldap with installer's limits""" + if not self.admin_conn: + api.Backend.ldap2.connect(size_limit=LDAPClient.size_limit, + time_limit=LDAPClient.time_limit) def ldap_disconnect(self): - self.admin_conn.unbind() - self.admin_conn = None + """close the api.Backend.ldap2 connection""" + api.Backend.ldap2.disconnect() def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True): pw_name = None |
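Review bot: `ldap_disconnect()` now calls `api.Backend.ldap2.disconnect()` unconditionally, so a Service instance tears down the process-wide ldap2 connection that other code shares — the uninstall_check hunk in this commit connects that same backend with `api.Backend.ldap2.connect(autobind=True)`, and anything relying on it between a service's connect and disconnect would find it gone; this coupling deserves a comment on the method, and a guard like `if self.admin_conn: api.Backend.ldap2.disconnect()` at least avoids a second disconnect. `ldap_connect` no longer reads `self.ldapi`, `self.start_tls`, `self.dm_password` or `self.autobind`, so the transport and bind are now whatever ldap2's `connect()` defaults to, and the `self.start_tls = start_tls` kept in the `@@ -144` hunk above is dead for this class; the docstring should say so and also that an already-open connection is reused with its existing limits, not the installer's. `admin_conn` is now a read-only property, so any remaining `self.admin_conn = ...` assignment in a subclass would raise AttributeError — worth grepping, since the old code assigned it twice. The debug log naming the host on connection failure is gone with the try/except. `_ldap_mod` starts at the end of the hunk and continues past it.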