Test instructions are attached to the ticket.
---
The new version of python-ldap changed the way it created LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with the effective rights
control, and the LDAP server thus rejects it.

This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.

https://fedorahosted.org/freeipa/ticket/2565

From a410da213c0977d0f036df01933099b5b19d37a0 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 21 Mar 2012 09:50:33 +0100
Subject: [PATCH] Fix LDAP effective rights control with python-ldap 2.4.x

The new version of python-ldap changed the way it created LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with the effective rights
control, and the LDAP server thus rejects it.

This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.

https://fedorahosted.org/freeipa/ticket/2565
---
 ipaserver/plugins/ldap2.py |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index dd5756735405d5a5a9c76d4fa0d82459007a2233..dd89943d9a27f86265cc0a40ba302424abe0dbbc 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -81,6 +81,25 @@ def _encode_bool(self, value):
 # set own Bool parameter encoder
 Bool._encode = _encode_bool
 
+def get_effective_rights_control(binddn):
+    """
+    Get effective rights control that will work both in python-ldap 2.4.x and
+    python-ldap 2.3.x.
+    Relevant Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=802675
+
+    @param binddn Unicode string containing user bind DN
+    """
+    ctrl_param = "dn: " + binddn.encode('UTF-8')
+    try:
+        from ldap.controls.simple import GetEffectiveRightsControl
+    except ImportError:
+        # python-ldap 2.3.x style
+        sctrl = LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, ctrl_param)
+    else:
+        # python-ldap 2.4.x style
+        sctrl = GetEffectiveRightsControl(True, ctrl_param)
+    return [sctrl]
+
 class IPASimpleLDAPObject(SimpleLDAPObject):
     '''
     This is a thin layer over SimpleLDAPObject which allows us to utilize
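Review bot: the `try`/`except ImportError` inside `get_effective_rights_control` re-attempts the import on every effective-rights lookup; probing once at module level (a `try: from ldap.controls.simple import GetEffectiveRightsControl` / `except ImportError: GetEffectiveRightsControl = None` next to the other imports, then branching on `None` in the function) keeps the version detection out of the request path and makes the 2.3.x fallback visible where imports are reviewed. The docstring should also state that the function returns a one-element list ready to pass to `OPT_SERVER_CONTROLS`, since the singular name suggests a bare control object, and should spell out that `binddn.encode('UTF-8')` relies on the caller passing a unicode DN, as the `@param` line claims.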
@@ -871,7 +890,7 @@ class ldap2(CrudBackend, Encoder):
         """
         principal = getattr(context, 'principal')
         (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
-        sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: " + binddn.encode('UTF-8'))]
+        sctrl = get_effective_rights_control(binddn)
         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
         (dn, attrs) = self.get_entry(dn, entry_attrs)
         # remove the control so subsequent operations don't include GER
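Review bot: the control installed with `self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)` is only cleared after `self.get_entry(dn, entry_attrs)` returns, so if `get_entry` raises (for instance the server rejecting the control, the very failure this patch is about), the GER control remains attached to the shared connection and every subsequent operation carries it; placing the `get_entry` call in a `try`/`finally` with the reset described by the `# remove the control ...` comment in the `finally` block makes that cleanup unconditional. The swap of the inline `LDAPControl(...)` for `get_effective_rights_control(binddn)` itself preserves the same `dn: ` payload and looks correct.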
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel