From cbb262dc07ea0615068a630e6c7136e3200d5a06 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 4 Feb 2013 09:35:13 -0500
Subject: Add LDAP server fallback to client installer

Change the discovery code to validate all servers, regardless of where the originated (either via SRV records or --server). This will prevent the client installer from failing if one of those records points to a server that is either not running or is not an IPA server. If a server is not available it is not removed from the list of configured servers, simply moved to the end of the list. If a server is not an IPA server it is removed. https://fedorahosted.org/freeipa/ticket/3388
---
 ipa-client/ipa-install/ipa-client-automount | 33 ++++++++++++++++-------------
 ipa-client/ipa-install/ipa-client-install | 22 +++++--------------
 2 files changed, 23 insertions(+), 32 deletions(-)
(limited to 'ipa-client/ipa-install')
diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
index fd922b8a9..3952642b4 100755
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -384,30 +384,33 @@ def main():
 sys.exit('automount is already configured on this system.\n')
 autodiscover = False
- server = options.server
+ servers = []
 ds = ipadiscovery.IPADiscovery()
- if not server:
+ if not options.server:
 print "Searching for IPA server..."
 ret = ds.search()
 root_logger.debug('Executing DNS discovery')
 if ret == ipadiscovery.NO_LDAP_SERVER:
 root_logger.debug('Autodiscovery did not find LDAP server')
- if not server:
- s = urlparse.urlsplit(api.env.xmlrpc_uri)
- server = s.netloc
- root_logger.debug('Setting server to %s' % s.netloc)
+ s = urlparse.urlsplit(api.env.xmlrpc_uri)
+ server = [s.netloc]
+ root_logger.debug('Setting server to %s' % s.netloc)
 else:
 autodiscover = True
- server = ds.getServerName()
- if not server:
+ if not ds.servers:
 sys.exit('Autodiscovery was successful but didn\'t return a server')
- root_logger.debug('Autodiscovery success, setting server to %s' % server)
-
- # Now confirm that our server is an IPA server
- root_logger.debug("Verifying that %s is an IPA server" % server)
- ldapret = ds.ipacheckldap(server, api.env.realm)
- if ldapret[0] != 0:
- sys.exit('Unable to confirm that %s is an IPA v2 server' % server)
+ root_logger.debug('Autodiscovery success, possible servers %s' % ','.join(ds.servers))
+ server = ds.servers[0]
+ else:
+ server = options.server
+ root_logger.debug("Verifying that %s is an IPA server" % server)
+ ldapret = ds.ipacheckldap(server, api.env.realm)
+ if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
+ print "Anonymous access to the LDAP server is disabled."
+ print "Proceeding without strict verification."
+ print "Note: This is not an error if anonymous access has been explicitly restricted."
+ elif ldapret[0] != 0:
+ sys.exit('Unable to confirm that %s is an IPA server' % server)
 if not autodiscover:
 print "IPA server: %s" % server
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 024b94f46..2d32e28ec 100755
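Review bot: In the `NO_LDAP_SERVER` fallback, `server = [s.netloc]` binds a one-element list while the other two paths bind a string (`ds.servers[0]`, `options.server`); `autodiscover` stays False on that path, so the context line `print "IPA server: %s" % server` would format the list rather than a host name. Unless a consumer outside the hunk expects a list, keep `server = s.netloc`; the new `servers = []` is not read anywhere in the hunk and could go. Separately, the `NO_ACCESS_TO_LDAP` branch carries on with a server that was never confirmed to be an IPA server and says so only through `print`; adding `root_logger.warning("IPA server check skipped for %s: anonymous LDAP access is disabled", server)` would put the skipped verification in the log with the other `root_logger` output. Indentation is lost on this page, so whether `ipacheckldap` now runs only under the final `else:` cannot be told from here, and main() starts and ends outside the hunk.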
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1705,9 +1705,7 @@ def install(options, env, fstore, statestore):
 # Create the discovery instance
 ds = ipadiscovery.IPADiscovery()
- # Do discovery on the first server passed in, we'll do sanity checking
- # on any others
- ret = ds.search(domain=options.domain, server=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+ ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
 if ret == ipadiscovery.BAD_HOST_CONFIG:
 root_logger.error("Can't get the fully qualified name of this host")
@@ -1744,7 +1742,7 @@ def install(options, env, fstore, statestore):
 cli_domain_source = 'Provided interactively'
 root_logger.debug(
 "will use interactively provided domain: %s", cli_domain)
- ret = ds.search(domain=cli_domain, server=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+ ret = ds.search(domain=cli_domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
 if not cli_domain:
 if ds.domain:
@@ -1768,7 +1766,7 @@ def install(options, env, fstore, statestore):
 cli_server = [user_input("Provide your IPA server name (ex: ipa.example.com)", allow_empty = False)]
 cli_server_source = 'Provided interactively'
 root_logger.debug("will use interactively provided server: %s", cli_server[0])
- ret = ds.search(domain=cli_domain, server=cli_server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+ ret = ds.search(domain=cli_domain, servers=cli_server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
 else:
 # Only set dnsok to True if we were not passed in one or more servers
@@ -1785,11 +1783,11 @@ def install(options, env, fstore, statestore):
 if not cli_server:
 if options.server:
- cli_server = options.server
+ cli_server = ds.servers
 cli_server_source = 'Provided as option'
 root_logger.debug("will use provided server: %s", ', '.join(options.server))
 elif ds.server:
- cli_server = [ds.server]
+ cli_server = ds.servers
 cli_server_source = ds.server_source
 root_logger.debug("will use discovered server: %s", cli_server[0])
@@ -1860,16 +1858,6 @@ def install(options, env, fstore, statestore):
 root_logger.debug("will use discovered basedn: %s", cli_basedn)
 subject_base = DN(('O', cli_realm))
- # Now do a sanity check on the other servers
- if options.server and len(options.server) > 1:
- for server in options.server[1:]:
- ret = ds.search(domain=cli_domain, server=server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
- if ret == ipadiscovery.NOT_IPA_SERVER:
- root_logger.error("%s is not an IPA v2 Server.", server)
- print_port_conf_info()
- root_logger.debug("(%s: %s)", server, cli_server_source)
- return CLIENT_INSTALL_ERROR
-
 root_logger.info("Hostname: %s", hostname)
 root_logger.debug("Hostname source: %s", hostname_source)
 root_logger.info("Realm: %s", cli_realm)
-- cgit
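Review bot: In the `options.server` branch `cli_server` is now `ds.servers`, but the debug line still joins `options.server`, so the log names the servers that were passed in rather than the ones that will be used; per the commit description, discovery may have reordered that list or removed non-IPA entries. Logging the effective list with `root_logger.debug("will use provided server: %s", ', '.join(cli_server))` keeps the install log accurate, and a warning when the two lists differ would tell the operator that a `--server` value was dropped, a case where the sanity check removed in the last hunk used to return `CLIENT_INSTALL_ERROR`. The hunk does not show what happens when `ds.servers` is empty: `cli_server[0]` in the `elif` branch would raise IndexError unless `ds.server` being set implies a non-empty list, so that assumption deserves a comment or a guard. install() starts and ends outside the hunk.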