Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3895.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 3bd13d7424a05d3900c13c911bf58899baa8d429 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Tue, 5 Nov 2013 18:38:55 +0100
Subject: [PATCH] Use EXTERNAL auth mechanism in ldapmodify

Default to using the EXTERNAL authentication mechanism in calls to ldapmodify

https://fedorahosted.org/freeipa/ticket/3895
---
 ipaserver/install/service.py | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4a244abb9135ae4c712abcb27456bc2436728215..0d7a664561fdf2b02353dd7284392e250f61a9f2 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -121,17 +121,15 @@ def ldap_connect(self):
 
         self.admin_conn = conn
 
-
     def ldap_disconnect(self):
         self.admin_conn.unbind()
         self.admin_conn = None
 
-    def _ldap_mod(self, ldif, sub_dict = None):
-
+    def _ldap_mod(self, ldif, sub_dict=None):
         pw_name = None
         fd = None
         path = ipautil.SHARE_DIR + ldif
-        nologlist=[]
+        nologlist = []
 
         if sub_dict is not None:
             txt = ipautil.template_file(path, sub_dict)
@@ -139,9 +137,9 @@ def _ldap_mod(self, ldif, sub_dict = None):
             path = fd.name
 
             # do not log passwords
-            if sub_dict.has_key('PASSWORD'):
+            if 'PASSWORD' in sub_dict:
                 nologlist.append(sub_dict['PASSWORD'])
-            if sub_dict.has_key('RANDOM_PASSWORD'):
+            if 'RANDOM_PASSWORD' in sub_dict:
                 nologlist.append(sub_dict['RANDOM_PASSWORD'])
 
         args = ["/usr/bin/ldapmodify", "-v", "-f", path]
@@ -152,16 +150,18 @@ def _ldap_mod(self, ldif, sub_dict = None):
             self.ldap_connect()
         args += ["-H", self.admin_conn.ldap_uri]
 
-        auth_parms = []
+        # If DM password is available, use it
         if self.dm_password:
             [pw_fd, pw_name] = tempfile.mkstemp()
             os.write(pw_fd, self.dm_password)
             os.close(pw_fd)
             auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
+        # Use GSSAPI auth when not using DM password or not being root
+        elif os.getegid() != 0:
+            auth_parms = ["-Y", "GSSAPI"]
+        # Default to EXTERNAL auth mechanism
         else:
-            # always try GSSAPI auth when not using DM password or not being root
-            if os.getegid() != 0:
-                auth_parms = ["-Y", "GSSAPI"]
+            auth_parms = ["-Y", "EXTERNAL"]
 
         args += auth_parms
 
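Review bot: The branch that now decides between GSSAPI and the new EXTERNAL default tests `os.getegid()`, the effective group, even though both the new comment and the removed one speak of "not being root"; SASL EXTERNAL over the ldapi socket is resolved from the connecting process's credentials, so the check presumably meant `elif os.geteuid() != 0:`. The EXTERNAL default is also only meaningful when `self.admin_conn.ldap_uri` is an `ldapi://` URI: before this change root without a DM password passed no auth options and let ldapmodify choose its mechanism, whereas now a connection opened over ldap:// or ldaps:// fails unless a client certificate is set up, so consider `elif os.geteuid() != 0 or not self.admin_conn.ldap_uri.startswith("ldapi://"):`. `_ldap_mod` continues past the end of this hunk, so whether the `pw_name` file holding the DM password is unlinked afterwards is not visible here.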
-- 
1.8.3.1

