SASL GSSAPI binds were done without a wrapper; this caused SASL binds to
behave differently in some cases, as __lateinit() was never called on
them.

Unify sasl binds in ipaldap.py

This is needed in conjunction with patch 0092 to fix managing replicas
with krb credentials

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 470af639c121fdef65768f09a2db6d56bcd9d33e Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Fri, 25 Feb 2011 18:37:45 -0500
Subject: [PATCH 6/8] Use wrapper for sasl gssapi binds so it behaves like other binds

By calling sasl_interactive_bind_s() directly we were not calling __lateinit().
This in turn resulted in some variables, like dbdir, not being set on the
IPAadmin object.
Keep all bind types in the same place so the same common bind steps can be
performed in each case.

Related to: https://fedorahosted.org/freeipa/ticket/1022
---
 install/tools/ipa-replica-manage |    2 +-
 ipaserver/install/replication.py |   12 +++++-------
 ipaserver/install/service.py     |    3 +--
 ipaserver/ipaldap.py             |    8 ++++++--
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 19ff1f904fff0966d3ef0534366f787b7aa244db..931b13921b3a3bf4a340a7f301d325a487333497 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -142,7 +142,7 @@ def list_masters(realm, host, replica, dirman_passwd, verbose):
             if dirman_passwd:
                 conn.do_simple_bind(bindpw=dirman_passwd)
             else:
-                conn.sasl_interactive_bind_s('', ipaldap.sasl_auth)
+                conn.do_sasl_gssapi_bind()
 
             dn = 'cn=masters,cn=ipa,cn=etc,%s' % util.realm_to_suffix(realm)
             entries = conn.search_s(dn, ldap.SCOPE_ONELEVEL)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 86a42b16b4f0820c0ceb10b726fc37664913edba..0a8a65e0562b774366f5e1ff7b1c4fa920f98059 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -39,8 +39,6 @@ TIMEOUT = 120
 IPA_REPLICA = 1
 WINSYNC = 2
 
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
-
 def check_replication_plugin():
     """
     Confirm that the 389-ds replication is installed.
@@ -64,7 +62,7 @@ def enable_replication_version_checking(hostname, realm, dirman_passwd):
     if dirman_passwd:
         conn.do_simple_bind(bindpw=dirman_passwd)
     else:
-        conn.sasl_interactive_bind_s('', SASL_AUTH)
+        conn.do_sasl_gssapi_bind()
     entry = conn.search_s('cn=IPA Version Replication,cn=plugins,cn=config', ldap.SCOPE_BASE, 'objectclass=*')
     if entry[0].getValue('nsslapd-pluginenabled') == 'off':
         conn.modify_s(entry[0].dn, [(ldap.MOD_REPLACE, 'nsslapd-pluginenabled', 'on')])
@@ -90,7 +88,7 @@ class ReplicationManager:
         if dirman_passwd:
             self.conn.do_simple_bind(bindpw=dirman_passwd)
         else:
-            self.conn.sasl_interactive_bind_s('', SASL_AUTH)
+            self.conn.do_sasl_gssapi_bind()
 
         self.repl_man_passwd = dirman_passwd
 
@@ -605,7 +603,7 @@ class ReplicationManager:
         if r_bindpw:
             r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
         else:
-            r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+            r_conn.do_sasl_gssapi_bind()
 
         #Setup the first half
         l_id = self._get_replica_id(self.conn, r_conn)
@@ -684,7 +682,7 @@ class ReplicationManager:
         if r_bindpw:
             r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
         else:
-            r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+            r_conn.do_sasl_gssapi_bind()
 
         # First off make sure servers are in sync so that both KDCs
         # have all princiapls and their passwords and can release
@@ -714,7 +712,7 @@ class ReplicationManager:
         if r_bindpw:
             r_conn.do_simple_bind(binddn=r_binddn, bindpw=r_bindpw)
         else:
-            r_conn.sasl_interactive_bind_s('', SASL_AUTH)
+            r_conn.do_sasl_gssapi_bind()
 
         # Allow krb principals to act as replicas
         self.setup_krb_princs_as_replica_binddns(self.conn, r_conn)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaffd93e8e199773349b6d9b0ed68121ac7b..adb77b358859988fa49ca710d0638117cfcbfc4f 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -31,7 +31,6 @@ import datetime
 from ipaserver.install import installutils
 
 CACERT = "/etc/ipa/ca.crt"
-SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
 
 SERVICE_LIST = {
     'KDC':('krb5kdc', 10),
@@ -297,7 +296,7 @@ class Service:
             if dm_password:
                 conn.do_simple_bind(bindpw=dm_password)
             else:
-                conn.sasl_interactive_bind_s('', SASL_AUTH)
+                conn.do_sasl_gssapi_bind_()
         except Exception, e:
             logging.debug("Could not connect to the Directory Server on %s: %s" % (fqdn, str(e)))
             raise e
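Review bot: `conn.do_sasl_gssapi_bind_()` on the added line has a trailing underscore, but the method this series adds to IPAdmin in ipaldap.py is `do_sasl_gssapi_bind`, so this call raises AttributeError. Because it sits inside `try ... except Exception, e:`, the error is logged as "Could not connect to the Directory Server" and re-raised, which would make every Kerberos-credential path through Service (the branch taken when no dm_password is given) fail with a misleading message. Change the line to `conn.do_sasl_gssapi_bind()`. The enclosing method starts outside the hunk.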
diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
index d2d3d98a70529eca14eede1221aee04ad6a83230..b72a43ee33209e5555ae96589969c0626a43b7dc 100644
--- a/ipaserver/ipaldap.py
+++ b/ipaserver/ipaldap.py
@@ -36,7 +36,7 @@ from ipaserver import ipautil
 from ipalib import errors
 
 # Global variable to define SASL auth
-sasl_auth = ldap.sasl.sasl({},'GSSAPI')
+SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')
 
 class Entry:
     """
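Review bot: Renaming the module-level `sasl_auth` to `SASL_AUTH` changes a public name of ipaldap; ipa-replica-manage used it as `ipaldap.sasl_auth` and is updated in this patch, but any other importer that is not in the diff would now fail with AttributeError at bind time rather than at import. Worth confirming no other caller references the old name, or keeping a one-line compatibility alias `sasl_auth = SASL_AUTH` for a release. The comment above the constant could also say that the object is shared by every GSSAPI bind in the process.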
@@ -338,7 +338,7 @@ class IPAdmin(SimpleLDAPObject):
         try:
             if krbccache is not None:
                 os.environ["KRB5CCNAME"] = krbccache
-                self.sasl_interactive_bind_s("", sasl_auth)
+                self.sasl_interactive_bind_s("", SASL_AUTH)
                 self.principal = principal
             self.proxydn = None
         except ldap.LDAPError, e:
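Review bot: The krbccache branch here still calls `self.sasl_interactive_bind_s("", SASL_AUTH)` directly instead of the new `do_sasl_gssapi_bind()` wrapper, so this is one SASL bind that the unification in the commit message does not route through the common steps. Whether `__lateinit()` runs later in this method is not visible in the hunk, so if it does, a comment such as `# __lateinit() is run by the caller/constructor after this bind` on that line would explain why the wrapper is bypassed; if it does not, the line should become `self.do_sasl_gssapi_bind()`. The enclosing method starts outside the hunk.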
@@ -350,6 +350,10 @@ class IPAdmin(SimpleLDAPObject):
         self.simple_bind_s(binddn, bindpw)
         self.__lateinit()
 
+    def do_sasl_gssapi_bind(self):
+        self.sasl_interactive_bind_s('', SASL_AUTH)
+        self.__lateinit()
+
     def do_external_bind(self, user_name=None):
         auth_tokens = ldap.sasl.external(user_name)
         self.sasl_interactive_bind_s("", auth_tokens)
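Review bot: The new `do_sasl_gssapi_bind` has no docstring, unlike its role as the single entry point the other callers in this series are being switched to, and it takes no credential argument, so a reader has to work out from the krbccache handling above that the bind uses whatever Kerberos credential cache the process environment currently provides. A short docstring stating that would help: `"""Bind via SASL/GSSAPI using the process's current Kerberos credentials, then run the common post-bind setup (__lateinit)."""`. The `do_external_bind` that follows is cut off by the hunk, so whether it also calls `__lateinit()` cannot be checked here.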
-- 
1.7.4
