URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214
From f27333f7a60a41599a3a1b68a54ca3eea9945353 Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Tue, 8 Nov 2016 12:16:09 +0100 Subject: [PATCH 1/2] ipaldap: remove do_bind from LDAPClient Remove do_bind() method that was a relict used in IPAdmin. Replace its uses with simple / external binds. https://fedorahosted.org/freeipa/ticket/6461 --- install/tools/ipa-httpd-kdcproxy | 2 +- ipapython/ipaldap.py | 20 -------------------- ipaserver/install/bindinstance.py | 2 +- ipaserver/install/dnskeysyncinstance.py | 3 +-- 4 files changed, 3 insertions(+), 24 deletions(-) diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy index 20674c2..329565c 100755 --- a/install/tools/ipa-httpd-kdcproxy +++ b/install/tools/ipa-httpd-kdcproxy @@ -79,7 +79,7 @@ class KDCProxyConfig(object): self.log.debug('ldap_uri: %s', self.ldap_uri) try: self.con = LDAPClient(self.ldap_uri) - self.con.do_bind() + self.con.external_bind() except (errors.NetworkError, socket.timeout) as e: msg = 'Unable to connect to dirsrv: %s' % e raise CheckError(msg) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 2994c01..ed5c804 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -749,26 +749,6 @@ def __init__(self, ldap_uri, start_tls=False, force_schema_updates=False, def __str__(self): return self.ldap_uri - def do_bind(self, dm_password="", autobind=AUTOBIND_AUTO): - if dm_password: - self.simple_bind(bind_dn=DIRMAN_DN, - bind_password=dm_password) - return - if (autobind != AUTOBIND_DISABLED and os.getegid() == 0 and - self._protocol == 'ldapi'): - try: - # autobind - self.external_bind() - return - except errors.NotFound: - if autobind == AUTOBIND_ENABLED: - # autobind was required and failed, raise - # exception that it failed - raise - - # fall back - self.gssapi_bind() - def modify_s(self, dn, modlist): # FIXME: for backwards compatibility only assert isinstance(dn, DN) 
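Review bot: The new `self.con.external_bind()` in ipa-httpd-kdcproxy is unconditional, yet the `except` two lines below still catches only `errors.NetworkError` and `socket.timeout`, so a refused SASL EXTERNAL bind — e.g. if `self.ldap_uri` is not an ldapi:// URI, or the caller's identity has no autobind mapping — escapes as an unhandled exception instead of becoming a `CheckError`. The removed `do_bind()` hid that case by catching `errors.NotFound` and falling back to `gssapi_bind()`; the new code has no fallback, which is reasonable for a root-only ldapi script but should be stated and guarded. I would write `except (errors.NetworkError, errors.NotFound, socket.timeout) as e:` (or whatever `external_bind()` raises on refusal, which I cannot confirm from the hunk) and add `# EXTERNAL (autobind) only: runs as root over ldapi, no GSSAPI fallback` above the bind. The enclosing method of `KDCProxyConfig` starts before the hunk.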
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 7d6f3ba..9810246 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -241,7 +241,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, cacert=CACERT) conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - conn.do_bind(dm_password) + conn.simple_bind(ipaldap.DIRMAN_DN, dm_password) except ldap.SERVER_DOWN: raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn) diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index a6c1013..bc2477b 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py @@ -44,8 +44,7 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, cacert=CACERT) conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - - conn.do_bind(dm_password) + conn.simple_bind(ipaldap.DIRMAN_DN, dm_password) except ldap.SERVER_DOWN: raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn) From 0c761653179e91c0da6e25aaf6c5e4aca68f349d Mon Sep 17 00:00:00 2001 
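Review bot: `conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)` now runs even when `dm_password` is `None` (its default), turning every `dns_container_exists(..., ldapi=True)` call made without a password — the ipa-ca-install, `BindInstance.setup`, replicainstall and dnskeysyncinstance callers whose old arguments are visible in the second patch — into an unauthenticated simple bind as Directory Manager, which the directory server is expected to refuse, whereas the removed `do_bind()` used EXTERNAL or GSSAPI in that case. The `except ldap.SERVER_DOWN` below does not cover a bind failure, so patch 1 applied on its own breaks those callers with a raw bind error rather than the descriptive `RuntimeError`. Either squash this with the follow-up that drops the parameters, or keep the dispatch for the interim: `if dm_password: conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)` / `else: conn.external_bind()`. The same substitution is made in `dnssec_container_exists` in the next hunk; `dns_container_exists` itself begins before this hunk.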
From: Tomas Krizek <tkri...@redhat.com> Date: Fri, 11 Nov 2016 12:45:11 +0100 Subject: [PATCH 2/2] dns: check if container exists using ldapi Previously an adhoc connection was established for checking if dns(sec) container exists. A simple or external bind was used. Instead, always connect with ldapi through api.Backend.ldap2. https://fedorahosted.org/freeipa/ticket/6461 --- install/tools/ipa-ca-install | 3 +-- install/tools/ipa-csreplica-manage | 3 +-- install/tools/ipa-replica-manage | 3 +-- ipaserver/install/bindinstance.py | 23 ++++------------------- ipaserver/install/ca.py | 2 +- ipaserver/install/dnskeysyncinstance.py | 28 +++++----------------------- ipaserver/install/ipa_replica_prepare.py | 9 ++------- ipaserver/install/server/replicainstall.py | 4 +--- 8 files changed, 16 insertions(+), 59 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 079773d..462a5c7 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -191,8 +191,7 @@ def install_replica(safe_options, options, filename): subject_base=config.subject_base, ca_cert_bundle=ca_data) # Install CA DNS records - if bindinstance.dns_container_exists(api.env.host, api.env.basedn, - ldapi=True, realm=api.env.realm): + if bindinstance.dns_container_exists(api.env.basedn): bind = bindinstance.BindInstance() bind.update_system_records() else: diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index fd384d6..532e353 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -281,8 +281,7 @@ def del_master(realm, hostname, options): # 7. And clean up the removed replica DNS entries if any. try: - if bindinstance.dns_container_exists(options.host, api.env.basedn, - dm_password=options.dirman_passwd): + if bindinstance.dns_container_exists(api.env.basedn): bind = bindinstance.BindInstance() bind.update_system_records() except Exception as e: 
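Review bot: In ipa-ca-install, `bindinstance.dns_container_exists(api.env.basedn)` now depends on `api.Backend.ldap2` already being connected, and the helper no longer raises the descriptive `RuntimeError('LDAP server on %s is not responding. Is IPA installed?')`, so any backend or connection error now surfaces raw from this line of `install_replica`, which is not inside a try block within the hunk. I cannot see where ipa-ca-install calls `ldap2.connect()` relative to this check, so please confirm it precedes it. A one-line comment at the call site would make the new precondition explicit: `# api.Backend.ldap2 must already be connected here`. `install_replica` begins before the hunk and continues after it.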
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 48a28bd..68d9a92 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -903,8 +903,7 @@ def ensure_last_services(conn, hostname, masters, options): def cleanup_server_dns_entries(realm, hostname, suffix, options): try: - if bindinstance.dns_container_exists(options.host, suffix, - dm_password=options.dirman_passwd): + if bindinstance.dns_container_exists(suffix): bindinstance.remove_master_dns_records(hostname, realm) dnskeysyncinstance.remove_replica_public_keys(hostname) except Exception as e: diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 9810246..5af6027 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -39,7 +39,7 @@ from ipaserver.install import installutils from ipaserver.install import service from ipaserver.install import sysupgrade -from ipapython import sysrestore, ipautil, ipaldap +from ipapython import sysrestore, ipautil from ipapython import dnsutil from ipapython.dnsutil import DNSName from ipapython.ipa_log_manager import root_logger @@ -58,7 +58,6 @@ zone_is_reverse, validate_dnssec_global_forwarder, DNSSECSignatureMissingError, EDNS0UnsupportedError, UnresolvableRecordError) -from ipalib.constants import CACERT if six.PY3: unicode = str 
@@ -229,26 +228,13 @@ def named_conf_add_include(path): f.write(named_conf_include_template % {'path': path}) -def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, - realm=None): +def dns_container_exists(suffix): """ Test whether the dns container exists. """ assert isinstance(suffix, DN) - try: - # At install time we may need to use LDAPI to avoid chicken/egg - # issues with SSL certs and truting CAs - ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, - cacert=CACERT) - conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - conn.simple_bind(ipaldap.DIRMAN_DN, dm_password) - except ldap.SERVER_DOWN: - raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn) - - ret = conn.entry_exists(DN(('cn', 'dns'), suffix)) - conn.unbind() + return api.Backend.ldap2.entry_exists(DN(('cn', 'dns'), suffix)) - return ret def dns_zone_exists(name, api=api): try: @@ -659,8 +645,7 @@ def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, else: self.zonemgr = normalize_zonemgr(zonemgr) - self.first_instance = not dns_container_exists( - self.fqdn, self.suffix, realm=self.realm, ldapi=True) + self.first_instance = not dns_container_exists(self.suffix) self.__setup_sub_dict() diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 88ec627..2af2390 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -225,7 +225,7 @@ def install_step_1(standalone, replica_config, options): services.knownservices.httpd.restart(capture_output=True) # Install CA DNS records - if bindinstance.dns_container_exists(host_name, basedn, dm_password): + if bindinstance.dns_container_exists(basedn): bind = bindinstance.BindInstance() bind.update_system_records() diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index bc2477b..20ef72f 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py 
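Review bot: The rewritten `dns_container_exists` now depends on a connected `api.Backend.ldap2`, but its docstring still reads as if the function were self-contained, and callers that used to get `RuntimeError('LDAP server on %s is not responding. Is IPA installed?')` will now receive whatever the backend raises when it is not connected or the server is down. I would extend the docstring with a second line, `Requires api.Backend.ldap2 to be connected; backend errors propagate unchanged.` Also, `assert isinstance(suffix, DN)` is now the only input check left and is stripped under `python -O`; `if not isinstance(suffix, DN): raise TypeError('suffix must be a DN')` keeps the check. With the `except ldap.SERVER_DOWN` clause removed, please verify whether the module's `import ldap` (not visible in this hunk) still has another use in bindinstance.py.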
@@ -19,12 +19,10 @@ from ipaserver.install import installutils from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN -from ipapython import ipaldap from ipapython import sysrestore, ipautil from ipaplatform.constants import constants from ipaplatform.paths import paths from ipalib import errors, api -from ipalib.constants import CACERT from ipaserver.install.bindinstance import dns_container_exists softhsm_token_label = u'ipaDNSSEC' @@ -32,26 +30,13 @@ replica_keylabel_template = u"dnssec-replica:%s" -def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False, - realm=None): +def dnssec_container_exists(suffix): """ Test whether the dns container exists. """ assert isinstance(suffix, DN) - try: - # At install time we may need to use LDAPI to avoid chicken/egg - # issues with SSL certs and truting CAs - ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm, - cacert=CACERT) - conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - conn.simple_bind(ipaldap.DIRMAN_DN, dm_password) - except ldap.SERVER_DOWN: - raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn) - - ret = conn.entry_exists(DN(('cn', 'sec'), ('cn', 'dns'), suffix)) - conn.unbind() - - return ret + return api.Backend.ldap2.entry_exists( + DN(('cn', 'sec'), ('cn', 'dns'), suffix)) def remove_replica_public_keys(hostname): @@ -162,9 +147,7 @@ def __check_dnssec_status(self): except KeyError: raise RuntimeError("OpenDNSSEC GID not found") - if not dns_container_exists( - self.fqdn, self.suffix, realm=self.realm, ldapi=True - ): + if not dns_container_exists(self.suffix): raise RuntimeError("DNS container does not exist") # ready to be installed, storing a state is required to run uninstall 
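Review bot: The docstring of `dnssec_container_exists` still says `Test whether the dns container exists.` although the function checks `cn=sec,cn=dns,<suffix>`; since the body is being rewritten anyway, fix the copy-paste and record the new precondition: `Test whether the DNSSEC container (cn=sec,cn=dns) exists. Requires a connected api.Backend.ldap2.` The rewrite also drops the `RuntimeError('... Is IPA installed?')` wrapper, so callers such as `__setup_dnssec_containers` now receive the backend's own exception when LDAP is unreachable, which they do not guard against in the visible hunks. As in bindinstance.py, `assert isinstance(suffix, DN)` is now the only input check and disappears under `-O`; `if not isinstance(suffix, DN): raise TypeError('suffix must be a DN')` would be the robust form.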
@@ -174,8 +157,7 @@ def __setup_dnssec_containers(self): """ Setup LDAP containers for DNSSEC """ - if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True, - realm=self.realm): + if dnssec_container_exists(self.suffix): self.logger.info("DNSSEC container exists (step skipped)") return diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index e6699d8..227d296 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -253,10 +253,7 @@ def ask_for_options(self): except installutils.BadHostError as e: if isinstance(e, installutils.HostLookupError): if not options.ip_addresses: - if dns_container_exists( - api.env.host, api.env.basedn, - dm_password=self.dirman_password, - ldapi=True, realm=api.env.realm): + if dns_container_exists(api.env.basedn): self.log.info('You might use the --ip-address option ' 'to create a DNS entry if the DNS zone ' 'is managed by IPA.') @@ -268,9 +265,7 @@ def ask_for_options(self): raise if options.ip_addresses: - if not dns_container_exists(api.env.host, api.env.basedn, - dm_password=self.dirman_password, - ldapi=True, realm=api.env.realm): + if not dns_container_exists(api.env.basedn): self.log.error( "It is not possible to add a DNS record automatically " "because DNS is not managed by IPA. Please create DNS " diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index aeae6b3..e6888dc 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -193,9 +193,7 @@ def install_http(config, auto_redirect, ca_is_configured, promote=False, def install_dns_records(config, options, remote_api): if not bindinstance.dns_container_exists( - config.host_name, - ipautil.realm_to_suffix(config.realm_name), - realm=config.realm_name, ldapi=True): + ipautil.realm_to_suffix(config.realm_name)): return try:
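Review bot: `install_dns_records` in replicainstall.py keeps its `remote_api` parameter, but the existence check now goes through the global `api.Backend.ldap2` inside `bindinstance.dns_container_exists`, whereas the removed call connected explicitly to the new replica itself (`config.host_name`, `ldapi=True`). Whether the local `api.Backend.ldap2` is already connected to the freshly installed directory server at this point of replica installation is not visible in the hunk; if it is not, or if only `remote_api` is connected, this line raises instead of returning `False`. Please confirm the connection order and document the assumption at the call site: `# relies on api.Backend.ldap2 (local ldapi) being connected; remote_api is not used for this check`. The function body continues past the hunk.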