On 07/30/2012 01:34 PM, Alexander Bokovoy wrote:
> On Fri, 27 Jul 2012, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Thu, 26 Jul 2012, Alexander Bokovoy wrote:
>>>> When setting up AD trusts support, ipa-adtrust-install utility
>>>> needs to be run as:
>>>> - root, for performing Samba configuration and using LDAPI/autobind
>>>> - kinit-ed IPA admin user, to ensure proper ACIs are granted to
>>>> fetch keytab
>>>> As result, we can get rid of Directory Manager credentials in
>>>> This ticket also simplifies a bit the way we handle admin connection in
>>>> Service class and particularly in Service._ldap_mod() by defaulting to
>>>> LDAPI/autobind in case of running as root and to GSSAPI otherwise.
>>>> Except for a few cases in remote replica management (not applicable in
>>>> _ldap_mod() case) we always run installation tools as root and can
>>>> benefit from using autobind feature. Unfortunately, it is not yet
>>>> possible to get away from using DM credentials for all cases as the same
>>>> class is used to perform initial directory server instance
>>>> One side effect is explicit disconnect and reconnect in
>>>> Service.add_cert_to_service() due to the way the SimpleLDAPObject class
>>>> handles stale connections (no handling at all). I've put some comments
>>>> in place so that others would not try to err out optimizing it in
>>>> Finally, with next patch series which will introduce syncing ipaNTHash
>>>> attribute with RC4 key in existing Kerberos credentials, we can remove
>>>> requirements to change passwords or re-kinit for the majority of trust
>>>> cases. This should then conclude our trusts content for beta2 release.
>>> Patch updated, fixed a small typo (auth_parms was initialized as
>>> auth_params which led to non-existing auth_parms in ipa-adtrust-install
>> Nack, a couple of minor issues:
>> The exception handling is rather unusual in
>> ensure_kerberos_admin_rights(api). I'm not sure if this is any more efficient
>> than a series of excepts...
> I've rewritten this code and put it directly in the main.
>> You don't need to pass in api, it's a global.
>> It may be safe to see if the user is in the group the way you are doing it, I
>> wonder if it would be clearer to cast those into DN objects.
> Not sure if checking DNs would be sustainable in the long run. Ideally we
> should check ACI here, not just hardcoded group name. I'd like to keep
> it explicit with memberof for now because it shows what exactly we want
> to check.
>> In the Service class what is the point of ldapi if it is going to be ignored
>> in the case we know the realm? What if I really, really just want to use a
> LDAPI bind in IPAAdmin.__local_init() requires that there is a realm known.
> No realm -- no LDAPI use because we otherwise cannot construct the
> socket name. For 'just want to use a password' case you can simply set
> However, I've changed the code in Service.ldap_connect() to do
> 1. if DM password is provided, we'll try to use it
> 2. Otherwise, if LDAPI is asked for and realm is set, we'll use LDAPI and
> 3. Otherwise (ldapi was False or realm not provided), we'll try to
> connect to fqdn:389 with GSSAPI
> I think this covers all cases.
>> And later where it forces ldapi, it seems better to either commit all the way
>> and drop the ldapi argument or convert it to a better name (like autobind).
> ldapi requires realm but can be used with either GSSAPI or autobind.
> Calling it autobind isn't really correct as autobind is only available on
> ldapi under root.
Works fine, I also have just a few minor-ish issues:
1) Uncaught exception
We may want to also catch for DatabaseException in this section:
+ except errors.ACIError, e:
+ sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to
update your ticket")
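Review bot: the handler at `+ except errors.ACIError, e:` binds `e` but the exit message that follows never uses it, so the text of the ACI failure is dropped from the only output the operator sees; either drop the binding or append the error with `%s` the way the generic `except Exception, e:` handler in the second snippet does.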
Otherwise ipa-adtrust-install throws an unexpected exception when IPA is down:
# ipactl stop
NetBIOS domain name [IDM]:
Unexpected error - see /var/log/ipaserver-install.log for details:
DatabaseError: Can't contact LDAP server:
2) Wrong indentation:
+ except errors.RequirementError, e:
+ sys.exit("Must have administrative privileges to setup AD trusts on
+ except Exception, e:
+ sys.exit("Unrecognized error during check of admin rights: %s" %
Freeipa-devel mailing list
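The bind-selection order settled on in the quoted reply (Directory Manager password first, then LDAPI with autobind for root or GSSAPI otherwise, then GSSAPI to fqdn:389) and the admin-rights error handling discussed in the review are modelled below. This is an added example, not code from the FreeIPA patch under review: the exception classes, `select_bind`, `run_admin_check` and the exit messages are constructed here, the transport used for the DM bind is an assumption since the thread does not specify it, and the LDAPI socket naming (realm dots replaced by dashes) follows the 389-ds instance convention and should also be read as an assumption.

```python
# Added example (not code from the FreeIPA patch under review): a small model of the
# bind-method selection described for Service.ldap_connect() and of the error
# handling for the admin-rights check.  Exception classes, function names and the
# exit messages are constructed here; the LDAPI socket naming follows the 389-ds
# instance convention (realm dots replaced by dashes) and is an assumption.
import os


class IPAError(Exception):
    """Stand-in for the ipalib.errors base class (constructed)."""


class ACIError(IPAError):
    """Bind succeeded but the caller lacks the ACI for the operation."""


class DatabaseError(IPAError):
    """The directory server could not be reached or answered with an error."""


class RequirementError(IPAError):
    """A precondition such as admin group membership is not met."""


def ldapi_uri(realm):
    """LDAPI URI for the local 389-ds instance serving REALM.

    The socket name is derived from the realm, which is why LDAPI cannot be
    used when no realm is known.  Slashes in the path are %2f-escaped as the
    ldapi:// scheme requires.
    """
    server_id = realm.replace(".", "-")
    path = "/var/run/slapd-%s.socket" % server_id
    return "ldapi://" + path.replace("/", "%2f")


def select_bind(dm_password=None, ldapi=False, realm=None, fqdn=None, euid=None):
    """Pick (method, uri) in the order the thread settles on:

    1. a Directory Manager password always wins (simple bind);
    2. otherwise LDAPI when asked for and a realm is known: autobind is only
       possible for root over the unix socket, any other user does GSSAPI;
    3. otherwise GSSAPI to fqdn:389.
    """
    if euid is None:
        euid = os.geteuid()
    use_ldapi = bool(ldapi and realm)
    if dm_password is not None:
        # Transport for the DM bind is not spelled out in the thread; using the
        # socket when available and TCP otherwise is an assumption here.
        uri = ldapi_uri(realm) if use_ldapi else "ldap://%s:389" % fqdn
        return ("simple", uri)
    if use_ldapi:
        return ("autobind" if euid == 0 else "gssapi", ldapi_uri(realm))
    if not fqdn:
        raise RequirementError("neither a realm for LDAPI nor an fqdn was given")
    return ("gssapi", "ldap://%s:389" % fqdn)


def run_admin_check(check):
    """Run the admin-rights check and map failures to a one-line exit message.

    Returns None on success.  DatabaseError is handled separately so that a
    stopped directory server yields a clear message instead of the generic
    'Unexpected error' path the reviewer observed.
    """
    try:
        check()
    except ACIError:
        return "Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket"
    except DatabaseError as e:
        return "Cannot contact the IPA directory server, is it running? (%s)" % e
    except RequirementError as e:
        return "Must have administrative privileges to set up AD trusts: %s" % e
    except Exception as e:
        return "Unrecognized error during check of admin rights: %s" % e
    return None


def failing_with(exc):
    """Return a check callable that raises exc (used to exercise run_admin_check)."""
    def check():
        raise exc
    return check


if __name__ == "__main__":
    print(select_bind(ldapi=True, realm="EXAMPLE.COM", fqdn="ipa.example.com"))
    print(run_admin_check(failing_with(DatabaseError("Can't contact LDAP server"))))
```

Passing `euid` explicitly lets the root and non-root branches be exercised without actually running as root; in real use the default `os.geteuid()` applies.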