Martin Kosek wrote:
On Mon, 2011-09-19 at 09:03 -0400, Rob Crittenden wrote:
Jan Cholasta wrote:
On 16.9.2011 21:16, Rob Crittenden wrote:
Prompt for the current password when changing your own password using
ipa passwd.

I had to jump through several hoops with this:

- Added a new sortorder option so the Current password is prompted first

IMO something like "before='password'" would be more readable and
probably less error-prone than "sortorder=-1".

The params are sorted numerically based on whether they are required,
have a default, etc. A negative value means it will appear first. This
is intended to be generic enough without having to worry about nested
resolution (A before B, B before C, C before A).


- Pass a magic value for current_password if changing someone else's
password

NOTE: This breaks the API for passwd. There is no way around it. I have
this as a minor update as it won't cause older clients to blow up too
badly, but their passwd command won't work.

rob


Honza


Generally, it works fine except for the case when a user passes their own
user name. Do we want to support the following usage?

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: f...@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/23/11 09:48:05  09/24/11 09:48:05  krbtgt/idm.lab.bos.redhat....@idm.lab.bos.redhat.com

# ipa passwd fbar
New Password:
Enter New Password again to verify:
ipa: ERROR: Insufficient access: Invalid credentials

Maybe we could throw an error when a user passes their own principal to the ipa
passwd command. After all, this argument is for changing _other_ users'
passwords.

Martin


Fixed. The username wasn't being normalized into a principal until after the default was set (where we determine whether to prompt for current password).

rob
From fc5325be152c394a15ca79d5abda07b06c021e3d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 26 Sep 2011 22:19:57 -0400
Subject: [PATCH] Migration: don't assume there is only one naming context,
 add logging.

We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.

Add logging so you can know that a migration attempt fails and why.

https://fedorahosted.org/freeipa/ticket/1834
https://fedorahosted.org/freeipa/ticket/1835
---
 install/migration/invalid.html |    2 +-
 install/migration/migration.py |   54 ++++++++++++++++++++++++++++++++-------
 2 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/install/migration/invalid.html b/install/migration/invalid.html
index a641d1a..91de79f 100644
--- a/install/migration/invalid.html
+++ b/install/migration/invalid.html
@@ -35,7 +35,7 @@
              <p>If the problem persists, contact your administrator.</p>
              </div>
            </div>
-           <form id="login" action="" name="">
+           <form id="login" action="migration.py" method="post" name="">
               <ul>
                 <li>
                   <label for="username">Username:</label>
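Review bot: `action="migration.py"` is a relative URL, so the form only reaches the WSGI handler while invalid.html is served from the same directory as migration.py; if the error page is ever reached under another path (for example via a redirect from elsewhere), the POST lands on a non-existent resource. Prefer an absolute path to the handler. The empty `name=""` attribute on the form does nothing and can be dropped. `method="post"` is required here: `application` below redirects any request whose `REQUEST_METHOD` is not `POST` back to index.html, so a default GET form would silently never attempt the migration bind.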
diff --git a/install/migration/migration.py b/install/migration/migration.py
index ed6ade9..e8100ef 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -25,10 +25,24 @@ import errno
 import glob
 import ldap
 import wsgiref
+import logging
 
 BASE_DN = ''
 LDAP_URI = 'ldaps://localhost:636'
 
+def convert_exception(error):
+    """
+    Convert an LDAP exception into something more readable.
+    """
+    if not isinstance(error, ldap.TIMEOUT):
+        desc = error.args[0]['desc'].strip()
+        info = error.args[0].get('info', '').strip()
+    else:
+        desc = ''
+        info = ''
+
+    return '%s (%s)' % (desc, info)
+
 def wsgi_redirect(start_response, loc):
     start_response('302 Found', [('Location', loc)])
     return []
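Review bot: `convert_exception` unconditionally indexes `error.args[0]['desc']` for every non-TIMEOUT error, but python-ldap does not guarantee that `args[0]` is a dict (an exception raised with a plain message, or with empty `args`, is not), so a malformed error raises IndexError, KeyError or TypeError inside the `except` handlers in `bind` and replaces the original failure with an unrelated traceback. Guard it, e.g. `info = error.args[0] if error.args else {}` followed by `if not isinstance(info, dict): return str(error)`. The `ldap.TIMEOUT` branch also yields the uninformative string ` ()`; returning `'timeout'` there would make the log line readable. Note that `logging` is imported but never configured in this module, so `logging.error` falls back to stderr; under mod_wsgi that reaches the Apache error log, which is acceptable but deserves a comment so nobody goes looking for a log file.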
@@ -44,6 +58,8 @@ def get_base_dn():
     """
     Retrieve LDAP server base DN.
     """
+    global BASE_DN
+
     if BASE_DN:
         return BASE_DN
     try:
@@ -52,31 +68,50 @@ def get_base_dn():
         entries = conn.search_ext_s(
             '', scope=ldap.SCOPE_BASE, attrlist=['namingcontexts']
         )
-    except ldap.LDAPError:
-        return ''
-    conn.unbind_s()
-    try:
-        return entries[0][1]['namingcontexts'][0]
-    except (IndexError, KeyError):
+        contexts = entries[0][1]['namingcontexts']
+        for c in contexts:
+            try:
+                entry = conn.search_s(c, ldap.SCOPE_BASE, "(info=IPA*)")
+                if len(entry) == 0:
+                    continue
+                if entry[0][1]['info'][0].lower() != 'ipa v2.0':
+                    continue
+                BASE_DN = c
+                break
+            except ldap.LDAPError, e:
+                logging.error('migration context search failed: %s' % e)
+                conn.unbind_s()
+                return ''
+    except ldap.LDAPError, e:
+        logging.error('migration context search failed: %s' % e)
         return ''
+    finally:
+        conn.unbind_s()
+
+    return BASE_DN
 
 def bind(username, password):
     base_dn = get_base_dn()
     if not base_dn:
+        logging.error('migration unable to get base dn')
         raise IOError(errno.EIO, 'Cannot get Base DN')
     bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)
     try:
         conn = ldap.initialize(LDAP_URI)
         conn.simple_bind_s(bind_dn, password)
     except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM,
-            ldap.NO_SUCH_OBJECT):
+            ldap.NO_SUCH_OBJECT), e:
+        logging.error('migration invalid credentials for %s: %s' % (bind_dn, convert_exception(e)))
         raise IOError(errno.EPERM, 'Invalid LDAP credentials for user %s' % username)
     except ldap.LDAPError:
+        logging.error('migration bind failed: %s' % convert_exception(e))
         raise IOError(errno.EIO, 'Bind error')
-
-    conn.unbind_s()
+    finally:
+        conn.unbind_s()
 
 def application(environ, start_response):
+    global LDAP_URI
+
     if environ.get('REQUEST_METHOD', None) != 'POST':
         return wsgi_redirect(start_response, 'index.html')
 
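Review bot: `get_base_dn` now unbinds twice on the inner-loop error path: the `except ldap.LDAPError, e:` block inside the `for c in contexts` loop calls `conn.unbind_s()` and returns, and the new `finally:` then calls `conn.unbind_s()` again; python-ldap raises `ldap.LDAPError` on a second unbind of the same connection, and because that happens in the `finally`, outside any handler, it propagates out of `get_base_dn` instead of the intended `''`. Drop the inner `conn.unbind_s()` and let `finally` own the cleanup. Both `finally` blocks also assume `conn` was assigned before the failure; if `ldap.initialize` in `bind` raises, the `finally` fails with UnboundLocalError rather than the `IOError` the caller expects, so set `conn = None` before the `try` and unbind only `if conn`. In `bind`, the second handler `except ldap.LDAPError:` does not bind `e` but the log line uses `convert_exception(e)`, which is a NameError on any non-credential LDAP failure; it should read `except ldap.LDAPError, e:`. Two smaller points: the match `entry[0][1]['info'][0].lower() != 'ipa v2.0'` skips any context whose info string is a later IPA version, so consider matching on the `ipa v` prefix if that is intended; and the invalid-credentials log line embeds `bind_dn`, which is built on the unchanged line `bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)` from the raw form `username` without DN escaping, so while here it is worth running the value through `ldap.dn.escape_dn_chars` before both the bind and the log.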
@@ -98,4 +133,3 @@ def application(environ, start_response):
 
     ui_url = get_ui_url(environ)
     return wsgi_redirect(start_response, ui_url)
-
-- 
1.7.6
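The top of the thread argues for a numeric `sortorder` over a `before='password'` dependency because a dependency scheme needs cycle resolution. The following is an added example, not FreeIPA's own parameter code: it models a CLI parameter with a hypothetical `Param` tuple, uses an assumed sort key (negative `sortorder` first, then required, then without-default) that approximates Rob's description rather than ipalib's actual ordering, and implements Jan's `before=` alternative as a topological sort so the cycle case (A before B, B before C, C before A) fails loudly instead of being silently mis-ordered. The parameter sets at the bottom are constructed for the illustration.

```python
from collections import namedtuple

# Hypothetical stand-in for a CLI parameter; not ipalib.Param.
Param = namedtuple("Param", "name required has_default sortorder before")


def param(name, required=False, has_default=False, sortorder=0, before=None):
    return Param(name, required, has_default, sortorder, before)


def numeric_order(params):
    """Assumed key: sortorder, then required-first, then no-default-first.

    A negative sortorder sorts ahead of every default-ordered parameter, which
    is how the thread describes getting 'Current password' prompted first.
    """
    return [p.name for p in sorted(
        params,
        key=lambda p: (p.sortorder, not p.required, p.has_default, p.name))]


def before_order(params):
    """Order by 'X before Y' constraints (Kahn's topological sort).

    Raises ValueError on an unknown target or on a cycle, which is the
    resolution problem a purely numeric ordering never has to solve.
    """
    by_name = {p.name: p for p in params}
    incoming = {p.name: 0 for p in params}
    for p in params:
        if p.before is not None:
            if p.before not in by_name:
                raise ValueError("%s: unknown param %r" % (p.name, p.before))
            incoming[p.before] += 1
    ready = sorted(n for n, c in incoming.items() if c == 0)
    out = []
    while ready:
        n = ready.pop(0)
        out.append(n)
        nxt = by_name[n].before
        if nxt is not None:
            incoming[nxt] -= 1
            if incoming[nxt] == 0:
                ready.append(nxt)
                ready.sort()  # deterministic prompt order among ready params
    if len(out) != len(params):
        raise ValueError("cycle among: %s" % sorted(set(incoming) - set(out)))
    return out


def has_cycle(params):
    """True when before_order cannot produce a total order for params."""
    try:
        before_order(params)
    except ValueError:
        return True
    return False


# Constructed parameter sets for the passwd command shape discussed above.
PASSWD_NUMERIC = [
    param("principal", required=True, has_default=True),
    param("password", required=True),
    param("current_password", required=True, sortorder=-1),
]
PASSWD_BEFORE = [
    param("current_password", required=True, before="password"),
    param("password", required=True),
    param("principal", required=True, has_default=True),
]
CYCLE = [param("a", before="b"), param("b", before="c"), param("c", before="a")]

if __name__ == "__main__":
    print(numeric_order(PASSWD_NUMERIC))
    print(before_order(PASSWD_BEFORE))
    print("cycle detected:", has_cycle(CYCLE))
```

Both schemes put `current_password` first for the simple case; the difference only shows once constraints reference each other, where `before_order` has to detect the cycle and the numeric scheme has nothing to detect.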

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
