On 15/07/15 16:04, David Kupka wrote:
On 15/07/15 15:34, Jan Cholasta wrote:
Dne 15.7.2015 v 15:21 David Kupka napsal(a):
https://fedorahosted.org/freeipa/ticket/4953
To test this patch:
1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)
2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)
3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.
Without this patch you will get an error page.
NACK, you are calling do_bind with wrong arguments.
Updated patch attached.
With Honza, we've found a better solution. Instead of binding to the LDAP
just to get base DN we can instantiate api and use api.env.basedn
variable. At the same time we can use api.env.ldap_uri instead of
searching filesystem for ldapi socket.
Patch attached.
--
David Kupka
From 3fa339547c580ea8dac13fd529bd8adecec0c3dc Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 16 Jul 2015 10:15:36 +0200
Subject: [PATCH] migration: Use api.env variables.
Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.
https://fedorahosted.org/freeipa/ticket/4953
---
install/migration/migration.py | 33 +++++----------------------------
1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..8c440175a0358b01acba227ea3179318af50fa32 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -22,14 +22,13 @@ Password migration script
import cgi
import errno
-import glob
from wsgiref.util import request_uri
from ipapython.ipa_log_manager import root_logger
from ipapython.ipautil import get_ipa_basedn
from ipapython.dn import DN
from ipapython.ipaldap import IPAdmin
-from ipalib import errors
+from ipalib import errors, create_api
from ipaplatform.paths import paths
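Review bot: the import block drops glob but keeps "from ipapython.ipautil import get_ipa_basedn" and "from ipaplatform.paths import paths", whose only visible uses (get_base_dn() and paths.ALL_SLAPD_INSTANCE_SOCKETS) are removed later in this patch. Unless other code in migration.py still needs them, remove both here so the module does not carry unused imports.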
@@ -45,23 +44,6 @@ def get_ui_url(environ):
return full_url[:index] + "/ipa/ui"
-def get_base_dn(ldap_uri):
- """
- Retrieve LDAP server base DN.
- """
- try:
- conn = IPAdmin(ldap_uri=ldap_uri)
- conn.do_simple_bind(DN(), '')
- base_dn = get_ipa_basedn(conn)
- except Exception, e:
- root_logger.error('migration context search failed: %s' % e)
- return ''
- finally:
- conn.unbind()
-
- return base_dn
-
-
def bind(ldap_uri, base_dn, username, password):
if not base_dn:
root_logger.error('migration unable to get base dn')
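Review bot: the "if not base_dn:" guard kept at the top of bind() was the consumer of the removed get_base_dn() failure path ("return ''"), and its message 'migration unable to get base dn' describes a lookup that no longer happens. With the value now coming from api.env.basedn, confirm the guard still fires when the setting is missing from the configuration, and reword the log message to point at configuration rather than an LDAP search, or drop the check if it can no longer trigger.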
@@ -90,16 +72,11 @@ def application(environ, start_response):
if not form_data.has_key('username') or not form_data.has_key('password'):
return wsgi_redirect(start_response, 'invalid.html')
- slapd_sockets = glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS)
- if slapd_sockets:
- ldap_uri = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
- else:
- ldap_uri = 'ldaps://localhost:636'
-
- base_dn = get_base_dn(ldap_uri)
-
+ # API object only for configuration, finalize() not needed
+ api = create_api(mode=None)
+ api.bootstrap(context='server', in_server=True)
try:
- bind(ldap_uri, base_dn,
+ bind(api.env.ldap_uri, api.env.basedn,
form_data['username'].value, form_data['password'].value)
except IOError as err:
if err.errno == errno.EPERM:
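Review bot: create_api(mode=None) and api.bootstrap(context='server', in_server=True) sit inside application(), so the configuration is set up again on every request, and they sit before the "try:", so a failure there is not covered by the IOError handling below. Consider creating and bootstrapping the API object once at module level, or moving the two calls inside the try with explicit handling. Two smaller points: the removed code fell back to 'ldaps://localhost:636' when no socket was found, so it is worth confirming that api.env.ldap_uri is always ldapi or TLS-protected, since bind() sends the user's password; and the second line of the commit message says api.env.basedn where this hunk uses api.env.ldap_uri.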
--
2.4.3