On 07/26/2013 04:04 PM, Rich Megginson wrote:
> On 07/26/2013 05:43 AM, Martin Kosek wrote:
>> One find_entry_by_attr call did not set a search base leading to
>> LDAP search call with zero search base. This leads to false negative
>> results from LDAP.
>> ----
>> Pushed to master, ipa-3-2 as a one-liner.
> Does the migrate code correctly handle the search return?  Before it was
> working fine when it got the err=32 - it just assumed the user did not already
> exist.  With the correct search base, the search will return err=0, and will
> return no search entries, which migration should assume means the user does not
> already exist.

Thanks for double-checking this, Rich. But our LDAP library raises an exception
when LDAP returns no entry. I double-checked this particular call I changed:

>>> conn.find_entry_by_attr('krbprincipalname', 'ad...@example.com',
'krbprincipalaux', [''], DN(api.env.container_user, api.env.basedn))

>>> conn.find_entry_by_attr('krbprincipalname', 'doesnotex...@example.com',
'krbprincipalaux', [''], DN(api.env.container_user, api.env.basedn))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1299, in
    (entries, truncated) = self.find_entries(filter, attrs_list, base_dn)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1248, in
    raise errors.NotFound(reason='no such entry')
ipalib.errors.NotFound: no such entry

So the change should work correctly.


Freeipa-devel mailing list
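An added example, not part of the original thread and not FreeIPA code: a simplified in-memory model of the lookup discussed above, showing why a caller that treats "not found" as "user does not exist" cannot tell a missing search base from a real miss. The directory contents, `raw_search`, `principal_exists` and the exception classes are assumptions made for the illustration; only the name `find_entry_by_attr` and the err=32 behaviour come from the thread.

```python
# Simplified model, NOT ipapython.ipaldap. All names and data are constructed.

class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""

class NoSuchObject(Exception):
    """Stand-in for the server answering err=32."""

USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"

# Constructed directory: DN -> attributes.
DIRECTORY = {
    "uid=alice," + USER_BASE: {"krbprincipalname": "alice@EXAMPLE.COM"},
}

def raw_search(base_dn, attr, value):
    """Subtree search; an empty or unknown base yields err=32 (as in the thread)."""
    if not base_dn or not any(dn.endswith(base_dn) for dn in DIRECTORY):
        raise NoSuchObject("err=32")
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base_dn) and entry.get(attr) == value]

def find_entry_by_attr(attr, value, base_dn):
    """Assumed wrapper behaviour: err=32 and an empty result both become NotFound."""
    try:
        entries = raw_search(base_dn, attr, value)
    except NoSuchObject:
        raise NotFound("no such entry")
    if not entries:
        raise NotFound("no such entry")
    return entries[0]

def principal_exists(principal, base_dn):
    """Migration-style check: NotFound is read as 'user does not exist yet'."""
    try:
        find_entry_by_attr("krbprincipalname", principal, base_dn)
    except NotFound:
        return False
    return True

if __name__ == "__main__":
    # Correct base: existing principal is found, unknown one is not.
    print(principal_exists("alice@EXAMPLE.COM", USER_BASE))
    print(principal_exists("doesnotexist@EXAMPLE.COM", USER_BASE))
    # Missing base: the existing principal is reported as absent (false negative).
    print(principal_exists("alice@EXAMPLE.COM", ""))
```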
