-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 https://fedorahosted.org/freeipa/ticket/154
The second patch removes the /ipatest section that has been commented out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-) I also have two questions: 1) how should exceptions be handled? In the patch, I only explicitly handle exceptions that could happen very easily (like, password being wrong, or the LDAP server down..). Anything else would just trigger 500 Server Error.. 2) When playing with the migration command line plugin, I noticed that it can only handle RFC2307bis groups (member: dn) and has the objectclass for groups hardcoded to "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think it would be worthwhile (and easy, too!) to modify the plugin to accept also RFC2307 schema and allow specifying a different objectclass (posixGroup might come handy..). Thoughts? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzK4oYACgkQHsardTLnvCUANACgwidrGVAya9a/eZ42mg0whdXH cLAAoMnUui/dhEL1Q5chdbXbqlSz1yz2 =n8X6 -----END PGP SIGNATURE-----
From 35b17154a9ed29692cdbb7b5e6d6270bc3e60622 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 29 Oct 2010 09:38:17 -0400
Subject: [PATCH 1/2] Rewrite the migration page using WSGI
---
 install/conf/ipa-rewrite.conf | 3 +-
 install/conf/ipa.conf | 4 +-
 install/migration/index.html | 2 +-
 install/migration/migration.py | 45 ++++++++++++++++++++++++++++++++-------
 ipa.spec.in | 1 -
 5 files changed, 41 insertions(+), 14 deletions(-)
diff --git a/install/conf/ipa-rewrite.conf b/install/conf/ipa-rewrite.conf
index ef49430..f6bc9d0 100644
--- a/install/conf/ipa-rewrite.conf
+++ b/install/conf/ipa-rewrite.conf
@@ -3,8 +3,7 @@ RewriteEngine on
 # By default forward all requests to /ipa. If you don't want IPA
-# to be the default on your web server comment this line out. You will
-# need to modify ipa_webgui.cfg as well.
+# to be the default on your web server comment this line out.
 RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
 # Redirect to the fully-qualified hostname. Not redirecting to secure
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 91e8373..19a4f6d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -125,8 +125,8 @@ Alias /ipa/migration "/usr/share/ipa/migration"
 AllowOverride None
 Satisfy Any
 Allow from all
- AddHandler mod_python .py
- PythonHandler mod_python.publisher
+ Options ExecCGI
+ AddHandler wsgi-script .py
 </Directory>
diff --git a/install/migration/index.html b/install/migration/index.html
index b3ea46b..43a6483 100644
--- a/install/migration/index.html
+++ b/install/migration/index.html
@@ -23,7 +23,7 @@ Upon successful login your Kerberos account will be activated. </p> <div class="migration_form"> <div class="migration_form_inner">
-<form action="migration.py/bind" method="post">
+<form action="migration.py" method="post">
 <div class="migration_form_title"> <span>Password Migration</span> </div> 
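Review bot: `AddHandler wsgi-script .py` inside the `/usr/share/ipa/migration` Directory block turns every `.py` file in that directory into a web-callable WSGI script, while the same directory is also served as static content through `Alias /ipa/migration`. The migration page needs exactly one entry point, so a `WSGIScriptAlias /ipa/migration/migration.py /usr/share/ipa/migration/migration.py` mapping would expose only that script and, as far as I recall, would not need `Options ExecCGI` at all. This is a least-privilege point about how the handler is declared rather than a defect in the hunk; the enclosing Directory block starts outside the hunk.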
diff --git a/install/migration/migration.py b/install/migration/migration.py
index bf12c5c..eeabd21 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -20,13 +20,24 @@ Password migration script
 """
+import errno
 import ldap
-from mod_python import apache, util
-
+import cgi
+import wsgiref
 BASE_DN = ''
 LDAP_URI = 'ldap://localhost:389'
+def wsgi_redirect(start_response, loc):
+ start_response('302 Found', [('Location', loc)])
+ return []
+
+def get_ui_url(environ):
+ full_url = wsgiref.util.request_uri(environ)
+ index = full_url.rfind(environ.get('SCRIPT_NAME',''))
+ if index == -1:
+ raise ValueError('Cannot strip the script URL from full URL "%s"' % full_url)
+ return full_url[:index] + "/ipa/ui"
 def get_base_dn():
 """
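Review bot: `import wsgiref` does not bind the `wsgiref.util` submodule, so `wsgiref.util.request_uri(environ)` in get_ui_url raises AttributeError unless something else in the process has already imported it; the import line should read `import wsgiref.util`. On the same function, `request_uri` builds the URL from the request's `HTTP_HOST` header when one is present, so the Location the browser is sent to after a successful bind is derived from client-supplied input; a fixed target such as `return '/ipa/ui'` (or a server-configured name) avoids that and also removes the `rfind` edge case where an empty `SCRIPT_NAME` matches at the end of the string and the result becomes the full request URL with `/ipa/ui` appended. `wsgi_redirect` likewise emits a relative `Location: index.html`, which browsers resolve against the request URL but which an absolute path would make unambiguous.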
@@ -48,20 +59,38 @@ def get_base_dn():
 except (IndexError, KeyError):
 return ''
-
-def bind(req, username, password):
+def bind(username, password):
 base_dn = get_base_dn()
 if not base_dn:
- util.redirect(req, '/ipa/migration/error.html')
+ raise IOError(errno.EIO, 'Cannot get Base DN')
 bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)
 try:
 conn = ldap.initialize(LDAP_URI)
 conn.simple_bind_s(bind_dn, password)
 except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM, ldap.NO_SUCH_OBJECT):
- util.redirect(req, '/ipa/migration/invalid.html')
+ raise IOError(errno.EPERM, 'Invalid LDAP credentials for user %s' % username)
 except ldap.LDAPError:
- util.redirect(req, '/ipa/migration/error.html')
+ raise IOError(errno.EIO, 'Bind error')
+
 conn.unbind_s()
- util.redirect(req, '/ipa/ui')
+
+def application(environ, start_response):
+ if environ.get('REQUEST_METHOD', None) != 'POST':
+ return wsgi_redirect(start_response, 'index.html')
+
+ form_data = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
+ if not form_data.has_key('username') or not form_data.has_key('password'):
+ return wsgi_redirect(start_response, 'invalid.html')
+
+ try:
+ bind(form_data['username'].value, form_data['password'].value)
+ except IOError as err:
+ if err.errno == errno.EPERM:
+ return wsgi_redirect(start_response, 'invalid.html')
+ if err.errno == errno.EIO:
+ return wsgi_redirect(start_response, 'error.html')
+
+ ui_url = get_ui_url(environ)
+ return wsgi_redirect(start_response, ui_url)
diff --git a/ipa.spec.in b/ipa.spec.in
index ee5db47..15e40de 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -74,7 +74,6 @@ Requires: krb5-server-ldap
 Requires: cyrus-sasl-gssapi
 Requires: ntp
 Requires: httpd
-Requires: mod_python
 Requires: mod_wsgi
 Requires: mod_auth_kerb
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
-- 
1.7.2.3
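Review bot: The `except IOError as err` block in application only acts on `errno.EPERM` and `errno.EIO`; an IOError carrying any other errno falls out of the handler and reaches the success redirect to the UI, so an unexpected failure is presented as a completed login. A trailing `raise` after the two `if` tests keeps the handler failing closed. Two further points in bind: the username is interpolated into the bind DN unescaped (`'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)`) and should be passed through `ldap.dn.escape_dn_chars(username)` so that commas or other DN special characters cannot alter which entry is bound; and the `has_key` check in application only tests that the fields exist, so an empty password is handed straight to `simple_bind_s`, where whether the server treats a DN with an empty password as an unauthenticated bind depends on its configuration — `if not username or not password:` belongs next to that check with the same redirect to `invalid.html`. The tail of get_base_dn at the top of the hunk starts outside it.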
From ec97e37112d245399651b4c2a8af5dea0088dbf1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 29 Oct 2010 09:49:05 -0400
Subject: [PATCH 2/2] Remove some more mod_python references
---
 install/conf/ipa.conf | 21 ---------------------
 install/tools/README | 2 +-
 2 files changed, 1 insertions(+), 22 deletions(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 19a4f6d..1806018 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -128,24 +128,3 @@ Alias /ipa/migration "/usr/share/ipa/migration"
 Options ExecCGI
 AddHandler wsgi-script .py
 </Directory>
-
-
-#Alias /ipatest "/usr/share/ipa/ipatest"
-#<Directory "/usr/share/ipa/ipatest">
-# AuthType Kerberos
-# AuthName "Kerberos Login"
-# KrbMethodNegotiate on
-# KrbMethodK5Passwd off
-# KrbServiceName HTTP
-# KrbAuthRealms $REALM
-# Krb5KeyTab /etc/httpd/conf/ipa.keytab
-# KrbSaveCredentials on
-# Require valid-user
-# ErrorDocument 401 /ipa/errors/unauthorized.html
-#
-# SetHandler mod_python
-# PythonHandler test_mod_python
-#
-# PythonDebug Off
-#
-#</Directory>
diff --git a/install/tools/README b/install/tools/README
index a52cede..219e74c 100644
--- a/install/tools/README
+++ b/install/tools/README
@@ -15,7 +15,7 @@ openssl-devel
 nspr-devel
 nss-devel
 mozldap-devel
-mod_python
+mod_wsgi
 gcc
 python-ldap
 TurboGears
-- 
1.7.2.3
jhrozek-freeipa-0002-Rewrite-the-migration-page-using-WSGI.patch.sig
Description: PGP signature
jhrozek-freeipa-0003-Remove-some-more-mod_python-references.patch.sig
Description: PGP signature