On Thu, 2011-09-29 at 09:35 -0400, Simo Sorce wrote: > On Thu, 2011-09-29 at 15:20 +0200, Martin Kosek wrote: > > How to test: > > 1) Add a new naming context (suffix) to your LDAP database with installed > > IPA (see attached LDIF). The server should return the new suffix as the > > first one. You can change its base DN if it does not. > > 2) Install IPA client against the server. ipa-client-install should detect the > > LDAP server as the IPA one only if the patch is applied on the client > > > > --- > > > > When the LDAP server contains more than one suffix, the ipa client > > installation does not detect it as an IPA server and fails to install. > > Fix ipa server discovery so that it correctly searches all naming > > contexts for the IPA one. > > > > https://fedorahosted.org/freeipa/ticket/1868 > > Martin, this patch breaks my patch to fix ipa-client-install when > anonymous binds are disabled, as it suppresses the exceptions I need to > check against. > > Can you rebase on my patch for #1881 w/o losing the information I check > and return from there? > > Simo. >
I rebased the patch and changed the try blocks so that we don't lose the information you need. Martin
>From dfd08c95281559d860510f01de254f55cdd4db7d Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Thu, 29 Sep 2011 17:21:22 +0200
Subject: [PATCH] ipa-client assumes a single namingcontext

When LDAP server contains more that one suffixes, the ipa client
installation does not detect it as IPA server and fails to install.
Fix ipa server discovery so that it correctly searches all naming
contexts for the IPA one.

https://fedorahosted.org/freeipa/ticket/1868
---
 ipa-client/ipaclient/ipadiscovery.py | 23 +++++---------------
 ipapython/ipautil.py | 37 ++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 17 deletions(-)

diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 44bdc4bff408f3e3cb75bb4bfb4a3d679637ab8d..55ebc5c5c1daa42825395499d8058c57650d1d4f 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -24,7 +24,7 @@ import ipapython.dnsclient
 import tempfile
 import ldap
 from ldap import LDAPError
-from ipapython.ipautil import run, CalledProcessError, valid_ip
+from ipapython.ipautil import run, CalledProcessError, valid_ip, get_ipa_basedn
 
 NOT_FQDN = -1
@@ -229,25 +229,14 @@ class IPADiscovery:
 lh.start_tls_s()
 lh.simple_bind_s("","")
 
- logging.debug("Search rootdse")
- lret = lh.search_s("", ldap.SCOPE_BASE, "(objectClass=*)")
- for lattr in lret[0][1]:
- if lattr.lower() == "namingcontexts":
- self.basedn = lret[0][1][lattr][0]
+ # get IPA base DN
+ logging.debug("Search LDAP server for IPA base DN")
+ basedn = get_ipa_basedn(lh)
 
- logging.debug("Search for (info=*) in "+self.basedn+"(base)")
- lret = lh.search_s(self.basedn, ldap.SCOPE_BASE, "(info=IPA*)")
- if not lret:
+ if basedn is None:
 return [NOT_IPA_SERVER]
 
- logging.debug("Found: "+str(lret))
- for lattr in lret[0][1]:
- if lattr.lower() == "info":
- linfo = lret[0][1][lattr][0].lower()
- break
-
- if not linfo or linfo.lower() != 'ipa v2.0':
- return [NOT_IPA_SERVER]
+ self.basedn = basedn
 
 #search and return known realms
 logging.debug("Search for (objectClass=krbRealmContainer) in "+self.basedn+"(sub)")
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 490981a4a903a68996e306548f9b16c64feed8ac..533abe4bc0a19fdfd3a032832721f825d44c54c2 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -22,6 +22,8 @@ PLUGINS_SHARE_DIR = "/usr/share/ipa/plugins"
 
 GEN_PWD_LEN = 12
 
+IPA_BASEDN_INFO = 'ipa v2.0'
+
 import string
 import tempfile
 import logging
@@ -33,6 +35,7 @@ import stat
 import shutil
 import urllib2
 import socket
+import ldap
 from ipapython import ipavalidate
 from types import *
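Review bot: The new constant `IPA_BASEDN_INFO = 'ipa v2.0'` in the ipautil.py hunk is compared in get_ipa_basedn against a server value that has been passed through `.lower()`, so its lower-case spelling is load-bearing and nothing at the definition site says so. A one-line comment above it, `# compared against the lower-cased 'info' attribute value; must stay lower-case`, would keep a later "fix" to 'IPA v2.0' from silently making every server look non-IPA. The ipadiscovery.py hunk on this line sits inside a method whose start and end are outside the hunk.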
@@ -1127,3 +1130,37 @@ def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder
 finally:
 s.close()
 
+
+def get_ipa_basedn(conn):
+ """
+ Get base DN of IPA suffix in given LDAP server.
+
+ None is returned if the suffix is not found
+
+ :param conn: Bound LDAP connection that will be used for searching
+ """
+ entries = conn.search_ext_s(
+ '', scope=ldap.SCOPE_BASE, attrlist=['namingcontexts']
+ )
+
+ contexts = entries[0][1]['namingcontexts']
+ for context in contexts:
+ logging.debug("Check if naming context '%s' is for IPA" % context)
+ try:
+ entry = conn.search_s(context, ldap.SCOPE_BASE, "(info=IPA*)")
+ except ldap.NO_SUCH_OBJECT:
+ logging.debug("LDAP server did not return info attribute to check for IPA version")
+ continue
+ if len(entry) == 0:
+ logging.debug("Info attribute with IPA server version not found")
+ continue
+ info = entry[0][1]['info'][0].lower()
+ if info != IPA_BASEDN_INFO:
+ logging.debug("Detected IPA server version (%s) did not match the client (%s)" \
+ % (info, IPA_BASEDN_INFO))
+ continue
+ logging.debug("Naming context '%s' is a valid IPA context" % context)
+ return context
+
+ return None
+
-- 
1.7.6.2
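Review bot: `entries[0][1]['namingcontexts']` and `entry[0][1]['info'][0]` in get_ipa_basedn index the attribute dicts by a fixed lower-case key, whereas the code this replaces in ipadiscovery.py matched `lattr.lower()` against "namingcontexts" and "info"; if a server returns the attribute type in another case, or the root DSE carries no namingContexts at all, the lookup raises KeyError (or IndexError on an empty result) instead of the documented None return, and the caller only tests `basedn is None`. Restoring the case-insensitive match, e.g. `attrs = dict((k.lower(), v) for k, v in entries[0][1].items())` followed by `contexts = attrs.get('namingcontexts', [])`, and the same for the `info` lookup, keeps the previous behaviour and turns a missing attribute into the None the docstring promises. The docstring could also state that only `ldap.NO_SUCH_OBJECT` is swallowed per context and every other LDAPError propagates to the caller, since the thread above relies on that for the anonymous-bind case.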
