On 15/07/15 16:04, David Kupka wrote:
On 15/07/15 15:34, Jan Cholasta wrote:
On 15.7.2015 at 15:21, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or another FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)

3. Go to the FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter the name and password of one of the migrated users.

Without this patch you will get an error page.

NACK, you are calling do_bind with wrong arguments.

Updated patch attached.

With Honza, we've found a better solution. Instead of binding to LDAP just to get the base DN, we can instantiate the API and use the api.env.basedn variable. At the same time, we can use api.env.ldap_uri instead of searching the filesystem for the ldapi socket.
Patch attached.
--
David Kupka
From 3fa339547c580ea8dac13fd529bd8adecec0c3dc Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 16 Jul 2015 10:15:36 +0200
Subject: [PATCH] migration: Use api.env variables.

Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.

https://fedorahosted.org/freeipa/ticket/4953
---
 install/migration/migration.py | 33 +++++----------------------------
 1 file changed, 5 insertions(+), 28 deletions(-)

diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..8c440175a0358b01acba227ea3179318af50fa32 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -22,14 +22,13 @@ Password migration script
 
 import cgi
 import errno
-import glob
 from wsgiref.util import request_uri
 
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import get_ipa_basedn
 from ipapython.dn import DN
 from ipapython.ipaldap import IPAdmin
-from ipalib import errors
+from ipalib import errors, create_api
 from ipaplatform.paths import paths
 
 
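Review bot: the import of get_ipa_basedn from ipapython.ipautil is kept as context here, but its only caller visible in this patch is get_base_dn(), which the next hunk deletes; likewise paths is only seen in the removed glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS) line. If nothing else in migration.py uses them, drop both imports in this patch so the module does not carry unused dependencies.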
@@ -45,23 +44,6 @@ def get_ui_url(environ):
     return full_url[:index] + "/ipa/ui"
 
 
-def get_base_dn(ldap_uri):
-    """
-    Retrieve LDAP server base DN.
-    """
-    try:
-        conn = IPAdmin(ldap_uri=ldap_uri)
-        conn.do_simple_bind(DN(), '')
-        base_dn = get_ipa_basedn(conn)
-    except Exception, e:
-        root_logger.error('migration context search failed: %s' % e)
-        return ''
-    finally:
-        conn.unbind()
-
-    return base_dn
-
-
 def bind(ldap_uri, base_dn, username, password):
     if not base_dn:
         root_logger.error('migration unable to get base dn')
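Review bot: the "if not base_dn:" guard at the top of bind() was written for the '' that get_base_dn() returned when the anonymous lookup failed. With the caller now passing api.env.basedn, check that the guard still fires when the value is missing from the bootstrapped configuration, and consider rewording 'migration unable to get base dn' so the log points at configuration rather than at an LDAP search.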
@@ -90,16 +72,11 @@ def application(environ, start_response):
     if not form_data.has_key('username') or not form_data.has_key('password'):
         return wsgi_redirect(start_response, 'invalid.html')
 
-    slapd_sockets = glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS)
-    if slapd_sockets:
-        ldap_uri = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
-    else:
-        ldap_uri = 'ldaps://localhost:636'
-
-    base_dn = get_base_dn(ldap_uri)
-
+    # API object only for configuration, finalize() not needed
+    api = create_api(mode=None)
+    api.bootstrap(context='server', in_server=True)
     try:
-        bind(ldap_uri, base_dn,
+        bind(api.env.ldap_uri, api.env.basedn,
              form_data['username'].value, form_data['password'].value)
     except IOError as err:
         if err.errno == errno.EPERM:
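Review bot: create_api(mode=None) and api.bootstrap(context='server', in_server=True) run inside application(), so the configuration is rebuilt on every request, and they sit before "try:", so anything they raise bypasses the "except IOError" handling. Consider creating and bootstrapping the API object once at module level, or moving the calls under the error handling so a configuration problem is handled rather than propagating out of the WSGI handler. Also, the second line of the commit message names api.env.basedn where this hunk passes api.env.ldap_uri.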
-- 
2.4.3
