The call to create_connection in the backend was outside a try/except, so
public ACI errors raised there were missed. This patch catches them.
To test this you can delete the S4U2Proxy delegation:
$ ldapmodify -x -D 'cn=directory manager' -W
LDAP Password:
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: modify
delete: memberPrincipal
$ kinit admin
$ user-show admin
ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE
To fix your instance run:
# ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update
rob
>From 51dc727ccc20d79b1f8fe80c426d3e16a87b8a79 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 23 Feb 2012 17:25:53 -0500
Subject: [PATCH] Catch public exceptions when creating the LDAP context in
WSGI.
Made specifically for the case where S4U2Proxy delegation fails.
https://fedorahosted.org/freeipa/ticket/2414
---
ipaserver/plugins/ldap2.py | 3 +++
ipaserver/rpcserver.py | 8 +++++++-
2 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 6ed21217a9b5f6951d95a7d3c2b7e12552300dc5..182de76a9b6de53b8e7fdcee17fe4aca506cb21d 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -240,6 +240,9 @@ def _handle_errors(e, **kw):
except _ldap.SUCCESS:
pass
except _ldap.LDAPError, e:
+ if 'NOT_ALLOWED_TO_DELEGATE' in info:
+ raise errors.ACIError(info="KDC returned NOT_ALLOWED_TO_DELEGATE")
+ root_logger.info('Unhandled LDAPError: %s' % str(e))
raise errors.DatabaseError(desc=desc, info=info)
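Review bot: The new branch identifies the delegation failure only by finding the text `NOT_ALLOWED_TO_DELEGATE` inside `info`, so it depends on the exact wording of a diagnostic string. `info` is assigned above the hunk, so it is not visible here whether it can be None, in which case the `in` test would itself raise TypeError. A comment such as `# S4U2Proxy delegation refused by the KDC; only the message text identifies this case` would explain the match. The added log call reports an error that is about to be raised as DatabaseError at info level and formats the string eagerly; `root_logger.error('Unhandled LDAPError: %s', e)` would keep it visible where info-level messages are filtered out. `_handle_errors` begins above the hunk.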
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 91e525a317304fa39f6f0828e0b4dd0c007891bb..205dc7655235fdaa749b711b8a268aeb044a5274 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -317,9 +317,15 @@ class xmlserver(WSGIExecutioner):
'''
self.debug('WSGI xmlserver.__call__:')
- self.create_context(ccache=environ.get('KRB5CCNAME'))
try:
+ self.create_context(ccache=environ.get('KRB5CCNAME'))
response = super(xmlserver, self).__call__(environ, start_response)
+ except PublicError, e:
+ status = '200 OK'
+ response = status
+ headers = [('Content-Type', 'text/plain')]
+ start_response(status, headers)
+ return self.marshal(None, e)
finally:
destroy_context()
return response
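Review bot: The new `except PublicError` branch returns the failure to the client but never logs it on the server, so a refused delegation or ACI denial during `create_context` leaves nothing for an operator to correlate; a line such as `self.info('xmlserver: context creation failed: %s', e)` before `start_response` would cover that. `response = status` is dead, because the branch returns on its own line. The `text/plain` Content-Type looks inconsistent with returning `self.marshal(None, e)`, which presumably produces the XML-RPC fault body, so confirm it matches what the normal path sends. Because the `try` now wraps both calls, the branch also handles any PublicError escaping `super(xmlserver, self).__call__`, not only context creation. `__call__` starts above the hunk.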
--
1.7.6.5