On 20/11/15 08:29, Jan Cholasta wrote:
On 19.11.2015 17:28, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/5468


ipa-cacert-manage is not the only code which uses ldap2 this way.

It would be better to find the root cause of this rather than working
around it.


The root cause is that some scripts create a custom connection to LDAP and use an api object that is not connected to LDAP. As we discussed in person, ipa-cacert-manage and ipa-otptoken-import both have this issue.
Updated patch and new one for ipa-otptoken-import attached.

--
David Kupka
From e27b336324e383f14ca97fac0e1af8c4633a0263 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 23 Nov 2015 07:48:40 +0000
Subject: [PATCH] ipa-otptoken-import: Fix connection to ldap.

https://fedorahosted.org/freeipa/ticket/5475
---
 ipaserver/install/ipa_otptoken_import.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 9e70b74a166ad9a02774e66f98405ed2f7368d48..10b8af6f158ee957036889b162dcccc21cb45e47 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -36,7 +36,7 @@ from six.moves import xrange
 
 from ipapython import admintool
 from ipalib import api, errors
-from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.plugins.ldap2 import ldap2, AUTOBIND_DISABLED
 
 if six.PY3:
     unicode = str
@@ -511,9 +511,9 @@ class OTPTokenImport(admintool.AdminTool):
         api.bootstrap(in_server=True)
         api.finalize()
 
-        conn = ldap2(api)
         try:
-            conn.connect()
+            api.Backend.ldap2.connect(ccache=os.environ.get('KRB5CCNAME'),
+                                      autobind=AUTOBIND_DISABLED)
         except (gssapi.exceptions.GSSError, errors.ACIError):
             raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
 
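Review bot: The new `api.Backend.ldap2.connect(ccache=os.environ.get('KRB5CCNAME'), ...)` call depends on `os` being imported in this module, and the patch's import hunk only adds `AUTOBIND_DISABLED`; if `os` is not already imported higher up the file, the call raises NameError before the `except (gssapi.exceptions.GSSError, errors.ACIError)` clause can print the "Did you kinit?" hint, so this is worth confirming once. Passing `autobind=AUTOBIND_DISABLED` together with an explicit ccache expresses a deliberate choice that the next reader has to reverse-engineer from the constant name; a one-line comment such as `# Require the invoking user's Kerberos credentials; do not fall back to autobind` above the call would document it. The enclosing method starts before this hunk.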
@@ -528,7 +528,7 @@ class OTPTokenImport(admintool.AdminTool):
                     self.log.info("Added token: %s", keypkg.id)
                     keypkg.remove()
         finally:
-            conn.disconnect()
+            api.Backend.ldap2.disconnect()
 
         # Write out the XML file without the tokens that succeeded.
         self.doc.save(self.output)
-- 
2.4.3

From 2ce1775b663c4c96751ce2386583696ae1cab5c4 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 23 Nov 2015 06:38:17 +0000
Subject: [PATCH] ipa-cacert-renew: Fix connection to ldap.

https://fedorahosted.org/freeipa/ticket/5468
---
 ipaserver/install/ipa_cacert_manage.py | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 66cba891fad4b679ae51a4a11a094de341c24e88..96de6bffb99f8783d1c961cc7d6306b2cff7ca5e 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -107,9 +107,7 @@ class CACertManage(admintool.AdminTool):
 
         if ((command == 'renew' and options.external_cert_files) or
             command == 'install'):
-            self.conn = self.ldap_connect()
-        else:
-            self.conn = None
+            self.ldap_connect()
 
         try:
             if command == 'renew':
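Review bot: Dropping the `self.conn` attribute, including the removed `else: self.conn = None` arm, means any reference to `self.conn` that survives outside the hunks of this patch would now raise AttributeError instead of seeing None, so a grep of the whole module for `self.conn` is worth doing before merging. The replacement guard `if api.Backend.ldap2.isconnected():` in the `finally` block correctly covers the path where `ldap_connect()` was never called. The enclosing `run` method starts before this hunk.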
@@ -117,22 +115,20 @@ class CACertManage(admintool.AdminTool):
             elif command == 'install':
                 rc = self.install()
         finally:
-            if self.conn is not None:
-                self.conn.disconnect()
+            if api.Backend.ldap2.isconnected():
+                api.Backend.ldap2.disconnect()
 
         return rc
 
     def ldap_connect(self):
-        conn = ldap2(api)
-
         password = self.options.password
         if not password:
             try:
-                conn.connect()
+                api.Backend.ldap2.connect(ccache=os.environ.get('KRB5CCNAME'))
             except (gssapi.exceptions.GSSError, errors.ACIError):
                 pass
             else:
-                return conn
+                return
 
             password = installutils.read_password(
                 "Directory Manager", confirm=False, validate=False)
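Review bot: `ldap_connect` now returns nothing on both paths, yet its name and the bare `return` after the Kerberos attempt still read as if a connection object were handed back; a docstring such as `"""Connect api.Backend.ldap2, trying the caller's Kerberos ccache first and falling back to a Directory Manager password prompt."""` would state the new contract. Unlike the companion ipa-otptoken-import patch, this `connect(ccache=os.environ.get('KRB5CCNAME'))` call leaves `autobind` at its default, so the two tools may bind differently when run as root with no ticket; if that difference is intentional, a short comment saying so (for example `# autobind left at its default: this tool runs on the server as root`) would save the next reader from assuming one of the two is a mistake. As in the other patch, the call also relies on `os` being imported in this module, which the hunk does not show. The method continues past the end of this hunk.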
@@ -140,9 +136,8 @@ class CACertManage(admintool.AdminTool):
                 raise admintool.ScriptError(
                     "Directory Manager password required")
 
-        conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
+        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
 
-        return conn
 
     def renew(self):
         ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
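Review bot: The new `api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)` line exceeds the 79-column limit the surrounding code keeps to, and removing `return conn` leaves two consecutive blank lines between the end of `ldap_connect` and `def renew`, which pycodestyle reports as E303 inside a class. Wrapping the call as `api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),` followed by `                          bind_pw=password)` and dropping one of the blank lines keeps the method consistent with the rest of the file. The `ldap_connect` body begins before this hunk.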
@@ -206,6 +201,7 @@ class CACertManage(admintool.AdminTool):
         print("Importing the renewed CA certificate, please wait")
 
         options = self.options
+        conn = api.Backend.ldap2
         cert_file, ca_file = installutils.load_external_cert(
             options.external_cert_files, x509.subject_base())
 
@@ -274,21 +270,21 @@ class CACertManage(admintool.AdminTool):
                 except RuntimeError:
                     break
                 certstore.put_ca_cert_nss(
-                    self.conn, api.env.basedn, ca_cert, nickname, ',,')
+                    conn, api.env.basedn, ca_cert, nickname, ',,')
 
         dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                 ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
         try:
-            entry = self.conn.get_entry(dn, ['usercertificate'])
+            entry = conn.get_entry(dn, ['usercertificate'])
             entry['usercertificate'] = [cert]
-            self.conn.update_entry(entry)
+            conn.update_entry(entry)
         except errors.NotFound:
-            entry = self.conn.make_entry(
+            entry = conn.make_entry(
                 dn,
                 objectclass=['top', 'pkiuser', 'nscontainer'],
                 cn=[self.cert_nickname],
                 usercertificate=[cert])
-            self.conn.add_entry(entry)
+            conn.add_entry(entry)
         except errors.EmptyModlist:
             pass
 
@@ -363,7 +359,7 @@ class CACertManage(admintool.AdminTool):
 
         try:
             certstore.put_ca_cert_nss(
-                self.conn, api.env.basedn, cert, nickname, trust_flags)
+                api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)
         except ValueError as e:
             raise admintool.ScriptError(
                 "Failed to install the certificate: %s" % e)
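Review bot: `api.Backend.ldap2` is passed straight into `certstore.put_ca_cert_nss(...)` here, while the renew path in the same patch introduces a local `conn = api.Backend.ldap2` alias and uses `conn` for the same object; settling on one form keeps the two call sites uniform, e.g. adding `conn = api.Backend.ldap2` before the `try` and passing `conn` as the other hunk does. The enclosing `install` method starts before this hunk.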
-- 
2.4.3
