| Commit message (Collapse) | Author | Age | Files | Lines |
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.
Fix some renamed modules, module members and functions.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When ipa migrate-ds finds user entries and a search reference, it complains
that the LDAP search did not return any result and does not migrate the
entries or the groups.
The issue comes from LDAPClient._convert_result which returns an empty result
list when the input is a search reference. In turn LDAPClient.find_entries
assumes that the empty result list corresponds to a Search Result Done and
returns without any entry.
The fix examines first the objtype returned by self.conn.result3. If it is
a search result done, then the loop can be exited. Otherwise (referral or
entry), _convert_result is called and the result (if not empty) is appended
to the list of returned entries.
https://fedorahosted.org/freeipa/ticket/6358
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove do_bind() method that was a relict used in IPAdmin. Replace
its uses with simple / external binds.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove unused function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rename do_sasl_gssapi_bind to gssapi_bind
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rename do_external_bind to external_bind
* Remove user_name argument in external_bind() and always set it
to effective user name
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Testing whether it is possible to connect to directory server is already done
in RedHatDirectoryService.restart().
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when
building FreeIPA, we have to fix these errors
https://fedorahosted.org/freeipa/ticket/6391
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentially hide issues/errors
The enabled check should prevent leaving unused variables in code.
The check is locally disabled for modules where the fix is not clear or easy, or which have too many occurrences of
unused variables.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This patch introduces a separate Principal parameter that allows the framework
to syntactically validate incoming/outcoming principals by using a single
shared codebase.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The LDAP filter utilities do not use any instance attributes, so
collectively turn them into class methods to promote reuse.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This fixes a UnicodeDecodeError when passing non-UTF-8 binary data to
LDAPClient.make_filter() and friends.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
When reading the content of an invalid LDAP entry, the exception
only displays the attribute name and value, but not the DN of the entry.
Because of this, it is difficult to identify the root cause of the
problem.
The fix raises a ValueError exception which also contains the entry DN.
https://fedorahosted.org/freeipa/ticket/5434
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In Python 3, dict.items() returns a view.
When such a view is iterated over, the dict cannot change size.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Handling exceptions in Python is an expensive operation; removing the
unneeded finally block is good for performance.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When LDAP search fails on exceeded limits, we should raise a specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
pylint 1.5 prints many false positive no-member errors which are
suppressed by this commit.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch removes unused imports; also, pylint has been configured to
check unused imports.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Default ldap search limit is now 30 sec by default during upgrade.
Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.
Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.
https://fedorahosted.org/freeipa/ticket/5267
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Under Python 2, "str" and "bytes" are synonyms.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The six way of doing this is to replace all occurrences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Rename __unicode__ to __str__ in classes which define it and use the
six.python_2_unicode_compatible decorator on them to make them compatible with
both Python 2 and 3.
Additional changes were required for the ipapython.dnsutil.DNSName class,
because it defined both __str__ and __unicode__.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This fixes the connection code in LDAPClient to not store the LDAP connection
in an attribute of the object, which in combination with ldap2's per-thread
connections lead to race conditions resulting in connection failures. ldap2
code was updated accordingly.
https://fedorahosted.org/freeipa/ticket/5268
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A regression fix.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
The old implementation tried to get all entries which are members of a group.
That also means users. A user can't have any members, therefore this costly
processing was unnecessary.
The new implementation reduces the search only to entries which have members.
Also, page size was removed to avoid paging by small pages (default size: 100),
which is very slow for many members.
https://fedorahosted.org/freeipa/ticket/4947
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Enhance update_entry_rdn so that it allows
moving an entry to a new superior.
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The find_entries function in ipaldap does not differentiate between
a LDAP search that returns error code 32 (No such object) and LDAP
search returning error code 0 (Success), but returning no results.
In both cases errors.NotFound is raised. In turn, LDAPSearch
commands interpret NotFound exception as no results.
To differentiate between the cases, a new error EmptyResult
was added, which inherits from NotFound to preserve the compatibility
with the new code.
This error is raised by ipaldap.find_entries in case it is performing
a search with and the target dn does not exist.
https://fedorahosted.org/freeipa/ticket/4659
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Required to prevent code duplications
ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
hardened LDAP configuration
When nsslapd-minssf is greater than 0, running as root
ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.
The reason for this is that schema updater doesn't get ldapi flag passed and
attempts to connect to LDAP port instead and for hardened configurations
using simple bind over LDAP is not enough.
Additionally, report properly previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468
Reviewed-By: Petr Spacek <pspacek@redhat.com>