URL: https://github.com/freeipa/freeipa/pull/223 Author: tomaskrizek Title: #223: LDAP refactoring: remove admin_conn Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/223/head:pr223 git checkout pr223
From bedcc0dcc2e51164cb02a97c4ef6942d6cf6bbbd Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Wed, 9 Nov 2016 12:53:14 +0100 Subject: [PATCH 1/3] services: replace admin_conn with api.Backend.ldap2 Since service.admin_conn is only an alias to api.Backend.ldap2, replace it everywhere with the explicit api.Backend.ldap2 instead. https://fedorahosted.org/freeipa/ticket/6461 --- install/tools/ipa-adtrust-install | 6 +-- ipaserver/install/adtrustinstance.py | 79 +++++++++++++++++--------------- ipaserver/install/bindinstance.py | 10 ++-- ipaserver/install/cainstance.py | 22 ++++----- ipaserver/install/dnskeysyncinstance.py | 6 +-- ipaserver/install/dogtaginstance.py | 16 +++---- ipaserver/install/dsinstance.py | 18 ++++---- ipaserver/install/httpinstance.py | 9 ++-- ipaserver/install/kra.py | 7 +-- ipaserver/install/krbinstance.py | 13 +++--- ipaserver/install/odsexporterinstance.py | 4 +- ipaserver/install/opendnssecinstance.py | 6 +-- ipaserver/install/service.py | 44 ++++++++---------- 13 files changed, 120 insertions(+), 120 deletions(-) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 8eed519..8b75d5c 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -411,7 +411,7 @@ def main(): try: # Search only masters which have support for domain levels # because only these masters will have SSSD recent enough to support AD trust agents - entries_m, _truncated = smb.admin_conn.find_entries( + entries_m, _truncated = api.Backend.ldap2.find_entries( filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))", base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL) except errors.NotFound: @@ -421,7 +421,7 @@ def main(): print(unicode(e)) try: - entries_a, _truncated = smb.admin_conn.find_entries( + entries_a, _truncated = api.Backend.ldap2.find_entries( filter="", base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE) except errors.NotFound: @@ -470,7 +470,7 @@ def main(): # Add the CIFS and host principals to the 'adtrust agents' group # as 389-ds only operates with GroupOfNames, we have to use # the principal's proper dn as defined in self.cifs_agent - service.add_principals_to_group(smb.admin_conn, agents_dn, "member", + service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member", [x[1] for x in new_agents]) print(""" WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index cab5a72..632052a 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -200,7 +200,7 @@ def __add_admin_sids(self): admin_group_dn = DN(('cn', 'admins'), api.env.container_group, self.suffix) try: - dom_entry = self.admin_conn.get_entry(self.smb_dom_dn) + dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn) except errors.NotFound: self.print_msg("Samba domain object not found") return @@ -211,13 +211,13 @@ def __add_admin_sids(self): return try: - admin_entry = self.admin_conn.get_entry(admin_dn) + admin_entry = api.Backend.ldap2.get_entry(admin_dn) except errors.NotFound: self.print_msg("IPA admin object not found") return try: - admin_group_entry = self.admin_conn.get_entry(admin_group_dn) + admin_group_entry = api.Backend.ldap2.get_entry(admin_group_dn) except errors.NotFound: self.print_msg("IPA admin group object not found") return @@ -226,9 +226,10 @@ def __add_admin_sids(self): self.print_msg("Admin SID already set, nothing to do") else: try: - self.admin_conn.modify_s(admin_dn, \ - [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \ - (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")]) + api.Backend.ldap2.modify_s( + admin_dn, + [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), + (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")]) except Exception: self.print_msg("Failed to modify IPA admin object") @@ -236,9 +237,10 @@ def __add_admin_sids(self): self.print_msg("Admin group SID already set, nothing to do") else: try: - self.admin_conn.modify_s(admin_group_dn, \ - [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \ - (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")]) + api.Backend.ldap2.modify_s( + admin_group_dn, + [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), + (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")]) except Exception: self.print_msg("Failed to modify IPA admin group object") @@ -247,7 +249,7 @@ def __add_default_trust_view(self): api.env.container_views, self.suffix) try: - self.admin_conn.get_entry(default_view_dn) + api.Backend.ldap2.get_entry(default_view_dn) except errors.NotFound: try: self._ldap_mod('default-trust-view.ldif', self.sub_dict) @@ -260,7 +262,7 @@ def __add_default_trust_view(self): # _ldap_mod does not return useful error codes, so we must check again # if the default trust view was created properly. try: - self.admin_conn.get_entry(default_view_dn) + api.Backend.ldap2.get_entry(default_view_dn) except errors.NotFound: self.print_msg("Failed to add Default Trust View.") @@ -276,7 +278,7 @@ def __add_fallback_group(self): server. """ try: - dom_entry = self.admin_conn.get_entry(self.smb_dom_dn) + dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn) except errors.NotFound: self.print_msg("Samba domain object not found") return @@ -288,7 +290,7 @@ def __add_fallback_group(self): fb_group_dn = DN(('cn', self.FALLBACK_GROUP_NAME), api.env.container_group, self.suffix) try: - self.admin_conn.get_entry(fb_group_dn) + api.Backend.ldap2.get_entry(fb_group_dn) except errors.NotFound: try: self._ldap_mod('default-smb-group.ldif', self.sub_dict) @@ -299,14 +301,14 @@ def __add_fallback_group(self): # _ldap_mod does not return useful error codes, so we must check again # if the fallback group was created properly. try: - self.admin_conn.get_entry(fb_group_dn) + api.Backend.ldap2.get_entry(fb_group_dn) except errors.NotFound: self.print_msg("Failed to add fallback group.") return try: mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)] - self.admin_conn.modify_s(self.smb_dom_dn, mod) + api.Backend.ldap2.modify_s(self.smb_dom_dn, mod) except Exception: self.print_msg("Failed to add fallback group to domain object") @@ -319,7 +321,7 @@ def __add_rid_bases(self): try: # Get the ranges - ranges = self.admin_conn.get_entries( + ranges = api.Backend.ldap2.get_entries( DN(api.env.container_ranges, self.suffix), ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)") @@ -354,7 +356,7 @@ def __add_rid_bases(self): # If the RID bases would cause overlap with some other range, # this will be detected by ipa-range-check DS plugin try: - self.admin_conn.modify_s(local_range.dn, + api.Backend.ldap2.modify_s(local_range.dn, [(ldap.MOD_ADD, "ipaBaseRID", str(self.rid_base)), (ldap.MOD_ADD, "ipaSecondaryBaseRID", @@ -376,7 +378,7 @@ def __reset_netbios_name(self): self.print_msg("Reset NetBIOS domain name") try: - self.admin_conn.modify_s(self.smb_dom_dn, + api.Backend.ldap2.modify_s(self.smb_dom_dn, [(ldap.MOD_REPLACE, self.ATTR_FLAT_NAME, self.netbios_name)]) except ldap.LDAPError: @@ -385,7 +387,7 @@ def __reset_netbios_name(self): def __create_samba_domain_object(self): try: - self.admin_conn.get_entry(self.smb_dom_dn) + api.Backend.ldap2.get_entry(self.smb_dom_dn) if self.reset_netbios_name: self.__reset_netbios_name() else : @@ -398,7 +400,7 @@ def __create_samba_domain_object(self): DN(('cn', 'ad'), self.trust_dn), \ DN(api.env.container_cifsdomains, self.suffix)): try: - self.admin_conn.get_entry(new_dn) + api.Backend.ldap2.get_entry(new_dn) except errors.NotFound: try: name = new_dn[1].attr @@ -406,11 +408,11 @@ def __create_samba_domain_object(self): self.print_msg('Cannot extract RDN attribute value from "%s": %s' % \ (new_dn, e)) return - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( new_dn, objectclass=['nsContainer'], cn=[name]) - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( self.smb_dom_dn, { 'objectclass': [self.OBJC_DOMAIN, "nsContainer"], @@ -421,7 +423,7 @@ def __create_samba_domain_object(self): } ) #TODO: which MAY attributes do we want to set ? - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) def __write_smb_conf(self): conf_fd = open(self.smb_conf, "w") @@ -439,7 +441,7 @@ def __add_plugin_conf(self, name, plugin_cn, ldif_file): try: plugin_dn = DN(('cn', plugin_cn), ('cn', 'plugins'), ('cn', 'config')) - self.admin_conn.get_entry(plugin_dn) + api.Backend.ldap2.get_entry(plugin_dn) self.print_msg('%s plugin already configured, nothing to do' % name) except errors.NotFound: try: @@ -477,7 +479,7 @@ def __add_sids(self): # Wait for the task to complete task_dn = DN('cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config') - wait_for_task(self.admin_conn, task_dn) + wait_for_task(api.Backend.ldap2, task_dn) except Exception as e: root_logger.warning("Exception occured during SID generation: {0}" @@ -491,11 +493,11 @@ def __add_s4u2proxy_target(self): targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'), ('cn', 'etc'), self.suffix) try: - current = self.admin_conn.get_entry(targets_dn) + current = api.Backend.ldap2.get_entry(targets_dn) members = current.get('memberPrincipal', []) if not(self.principal in members): current["memberPrincipal"] = members + [self.principal] - self.admin_conn.update_entry(current) + api.Backend.ldap2.update_entry(current) else: self.print_msg('cifs principal already targeted, nothing to do.') except errors.NotFound: @@ -524,8 +526,9 @@ def __setup_group_membership(self): # Add the CIFS and host principals to the 'adtrust agents' group # as 389-ds only operates with GroupOfNames, we have to use # the principal's proper dn as defined in self.cifs_agent - service.add_principals_to_group(self.admin_conn, self.smb_dn, "member", - [self.cifs_agent, self.host_princ]) + service.add_principals_to_group( + api.Backend.ldap2, self.smb_dn, "member", + [self.cifs_agent, self.host_princ]) def __setup_principal(self): try: @@ -662,7 +665,7 @@ def __check_replica(self): try: cifs_services = DN(api.env.container_service, self.suffix) # Search for cifs services which also belong to adtrust agents, these are our DCs - res = self.admin_conn.get_entries(cifs_services, + res = api.Backend.ldap2.get_entries(cifs_services, ldap.SCOPE_ONELEVEL, "(&(krbprincipalname=cifs/*@%s)(memberof=%s))" % (self.realm, str(self.smb_dn))) if len(res) > 1: @@ -686,11 +689,11 @@ def __enable_compat_tree(self): lookup_nsswitch_name = "schema-compat-lookup-nsswitch" for config in (("cn=users", "user"), ("cn=groups", "group")): entry_dn = DN(config[0], compat_plugin_dn) - current = self.admin_conn.get_entry(entry_dn) + current = api.Backend.ldap2.get_entry(entry_dn) lookup_nsswitch = current.get(lookup_nsswitch_name, []) if not(config[1] in lookup_nsswitch): current[lookup_nsswitch_name] = [config[1]] - self.admin_conn.update_entry(current) + api.Backend.ldap2.update_entry(current) except Exception as e: root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e) @@ -767,14 +770,14 @@ def setup(self, fqdn, realm_name, netbios_name, self.__setup_sub_dict() def find_local_id_range(self): - if self.admin_conn.get_entries( + if api.Backend.ldap2.get_entries( DN(api.env.container_ranges, self.suffix), ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)"): return try: - entry = self.admin_conn.get_entry( + entry = api.Backend.ldap2.get_entry( DN(('cn', 'admins'), api.env.container_group, self.suffix)) except errors.NotFound: raise ValueError("No local ID range and no admins group found.\n" \ @@ -791,13 +794,13 @@ def find_local_id_range(self): "(gidNumber<=%d)(gidNumner>=%d)))" % \ ((base_id - 1), (base_id + id_range_size), (base_id - 1), (base_id + id_range_size)) - if self.admin_conn.get_entries(DN(('cn', 'accounts'), self.suffix), + if api.Backend.ldap2.get_entries(DN(('cn', 'accounts'), self.suffix), ldap.SCOPE_SUBTREE, id_filter): raise ValueError("There are objects with IDs out of the expected" \ "range.\nAdd local ID range manually and try " \ "again!") - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( DN( ('cn', ('%s_id_range' % self.realm)), api.env.container_ranges, self.suffix), @@ -806,7 +809,7 @@ def find_local_id_range(self): ipaBaseID=[str(base_id)], ipaIDRangeSize=[str(id_range_size)], ) - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) def create_instance(self): self.step("stopping smbd", self.__stop) diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 179eb68..f2ece57 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -846,10 +846,10 @@ def __add_self(self): self.__add_master_records(self.fqdn, self.ip_addresses) def __add_others(self): - entries = self.admin_conn.get_entries( + entries = api.Backend.ldap2.get_entries( DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.suffix), - self.admin_conn.SCOPE_ONELEVEL, None, ['dn']) + api.Backend.ldap2.SCOPE_ONELEVEL, None, ['dn']) for entry in entries: fqdn = entry.dn[0]['cn'] @@ -888,7 +888,7 @@ def __setup_principal(self): mod = [(ldap.MOD_ADD, 'member', dns_principal)] try: - self.admin_conn.modify_s(dns_group, mod) + api.Backend.ldap2.modify_s(dns_group, mod) except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception as e: @@ -903,7 +903,7 @@ def __setup_principal(self): (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'), (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')] try: - self.admin_conn.modify_s(dns_principal, mod) + api.Backend.ldap2.modify_s(dns_principal, mod) except Exception as e: root_logger.critical("Could not set principal's %s LDAP limits: %s" \ % (dns_principal, str(e))) @@ -933,7 +933,7 @@ def __setup_named_conf(self): ) def __setup_server_configuration(self): - ensure_dnsserver_container_exists(self.admin_conn, self.api) + ensure_dnsserver_container_exists(api.Backend.ldap2, self.api) try: self.api.Command.dnsserver_add( self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(), diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c7a117d..26755ee 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1100,8 +1100,8 @@ def is_renewal_master(self, fqdn=None): ('cn', 'etc'), api.env.basedn) renewal_filter = '(ipaConfigString=caRenewalMaster)' try: - self.admin_conn.get_entries(base_dn=dn, filter=renewal_filter, - attrs_list=[]) + api.Backend.ldap2.get_entries(base_dn=dn, filter=renewal_filter, + attrs_list=[]) except errors.NotFound: return False @@ -1115,13 +1115,13 @@ def set_renewal_master(self, fqdn=None): api.env.basedn) filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))' try: - entries = self.admin_conn.get_entries( + entries = api.Backend.ldap2.get_entries( base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString']) except errors.NotFound: entries = [] dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn) - master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString']) + master_entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString']) for entry in entries: if master_entry is not None and entry.dn == master_entry.dn: @@ -1130,11 +1130,11 @@ def set_renewal_master(self, fqdn=None): entry['ipaConfigString'] = [x for x in entry['ipaConfigString'] if x.lower() != 'carenewalmaster'] - self.admin_conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) if master_entry is not None: master_entry['ipaConfigString'].append('caRenewalMaster') - self.admin_conn.update_entry(master_entry) + api.Backend.ldap2.update_entry(master_entry) @staticmethod def update_cert_config(nickname, cert): @@ -1173,25 +1173,25 @@ def __create_ds_db(self): # replication dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config')) - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( dn, objectclass=["top", "extensibleObject", "nsMappingTree"], cn=[suffix], ) entry['nsslapd-state'] = ['Backend'] entry['nsslapd-backend'] = [backend] - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) # database dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'), ('cn', 'config')) - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( dn, objectclass=["top", "extensibleObject", "nsBackendInstance"], cn=[backend], ) entry['nsslapd-suffix'] = [suffix] - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) def __setup_replication(self): @@ -1268,7 +1268,7 @@ def __setup_lightweight_ca_key_retrieval_custodia(self): def __add_lightweight_ca_tracking_requests(self): try: - lwcas = self.admin_conn.get_entries( + lwcas = api.Backend.ldap2.get_entries( base_dn=api.env.basedn, filter='(objectclass=ipaca)', attrs_list=['cn', 'ipacaid'], diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py index 74a657d..9771a9d 100644 --- a/ipaserver/install/dnskeysyncinstance.py +++ b/ipaserver/install/dnskeysyncinstance.py @@ -266,7 +266,7 @@ def __setup_replica_keys(self): keylabel = replica_keylabel_template % DNSName(self.fqdn).\ make_absolute().canonicalize().ToASCII() - ldap = self.admin_conn + ldap = api.Backend.ldap2 dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn) with open(paths.DNSSEC_SOFTHSM_PIN, "r") as f: @@ -413,7 +413,7 @@ def __setup_principal(self): mod = [(ldap.MOD_ADD, 'member', dnssynckey_principal_dn)] try: - self.admin_conn.modify_s(dns_group, mod) + api.Backend.ldap2.modify_s(dns_group, mod) except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception as e: @@ -429,7 +429,7 @@ def __setup_principal(self): (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'), (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')] try: - self.admin_conn.modify_s(dnssynckey_principal_dn, mod) + api.Backend.ldap2.modify_s(dnssynckey_principal_dn, mod) except Exception as e: self.logger.critical("Could not set principal's %s LDAP limits: %s" % (dnssynckey_principal_dn, str(e))) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 5d25e42..2cc62dc 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -30,7 +30,7 @@ from pki.client import PKIConnection import pki.system -from ipalib import errors +from ipalib import api, errors from ipaplatform import services from ipaplatform.constants import constants @@ -421,12 +421,12 @@ def handle_setup_error(self, e): def __add_admin_to_group(self, group): dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca')) - entry = self.admin_conn.get_entry(dn) + entry = api.Backend.ldap2.get_entry(dn) members = entry.get('uniqueMember', []) members.append(self.admin_dn) mod = [(ldap.MOD_REPLACE, 'uniqueMember', members)] try: - self.admin_conn.modify_s(dn, mod) + api.Backend.ldap2.modify_s(dn, mod) except ldap.TYPE_OR_VALUE_EXISTS: # already there pass @@ -439,12 +439,12 @@ def setup_admin(self): # remove user if left-over exists try: - entry = self.admin_conn.delete_entry(self.admin_dn) + entry = api.Backend.ldap2.delete_entry(self.admin_dn) except errors.NotFound: pass # add user - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( self.admin_dn, objectclass=["top", "person", "organizationalPerson", "inetOrgPerson", "cmsuser"], @@ -456,7 +456,7 @@ def setup_admin(self): userPassword=[self.admin_password], userstate=['1'] ) - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) for group in self.admin_groups: self.__add_admin_to_group(group) @@ -472,7 +472,7 @@ def __remove_admin_from_group(self, group): dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca')) mod = [(ldap.MOD_DELETE, 'uniqueMember', self.admin_dn)] try: - self.admin_conn.modify_s(dn, mod) + api.Backend.ldap2.modify_s(dn, mod) except ldap.NO_SUCH_ATTRIBUTE: # already removed pass @@ -480,7 +480,7 @@ def __remove_admin_from_group(self, group): def teardown_admin(self): for group in self.admin_groups: self.__remove_admin_from_group(group) - self.admin_conn.delete_entry(self.admin_dn) + api.Backend.ldap2.delete_entry(self.admin_dn) def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT): config.set(self.subsystem, "pki_ds_ldaps_port", "636") diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index a604010..542abb4 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -434,13 +434,13 @@ def __configure_sasl_mappings(self): # they may conflict. try: - res = self.admin_conn.get_entries( + res = api.Backend.ldap2.get_entries( DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')), - self.admin_conn.SCOPE_ONELEVEL, + api.Backend.ldap2.SCOPE_ONELEVEL, "(objectclass=nsSaslMapping)") for r in res: try: - self.admin_conn.delete_entry(r) + api.Backend.ldap2.delete_entry(r) except Exception as e: root_logger.critical( "Error during SASL mapping removal: %s", e) @@ -449,7 +449,7 @@ def __configure_sasl_mappings(self): root_logger.critical("Error while enumerating SASL mappings %s", e) raise - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( DN( ('cn', 'Full Principal'), ('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')), @@ -460,9 +460,9 @@ def __configure_sasl_mappings(self): nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'], nsSaslMapPriority=['10'], ) - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( DN( ('cn', 'Name Only'), ('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')), @@ -473,7 +473,7 @@ def __configure_sasl_mappings(self): nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm], nsSaslMapPriority=['10'], ) - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) def __update_schema(self): # FIXME: https://fedorahosted.org/389/ticket/47490 @@ -1119,7 +1119,7 @@ def add_sidgen_plugin(self, suffix): """ dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config') try: - self.admin_conn.get_entry(dn) + api.Backend.ldap2.get_entry(dn) except errors.NotFound: self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix)) else: @@ -1137,7 +1137,7 @@ def add_extdom_plugin(self, suffix): """ dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config') try: - self.admin_conn.get_entry(dn) + api.Backend.ldap2.get_entry(dn) except errors.NotFound: self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix)) else: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 4e8107e..cd16743 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -416,7 +416,8 @@ def enable_kdcproxy(self): attr_name = 'kdcProxyEnabled' try: - entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) + entry = api.Backend.ldap2.get_entry( + entry_name, ['ipaConfigString']) except errors.NotFound: pass else: @@ -427,7 +428,7 @@ def enable_kdcproxy(self): entry.setdefault('ipaConfigString', []).append(attr_name) try: - self.admin_conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) except errors.EmptyModlist: root_logger.debug("service KDCPROXY already enabled") return @@ -438,7 +439,7 @@ def enable_kdcproxy(self): root_logger.debug("service KDCPROXY enabled") return - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( entry_name, objectclass=["nsContainer", "ipaConfigObject"], cn=['KDC'], @@ -446,7 +447,7 @@ def enable_kdcproxy(self): ) try: - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) except errors.DuplicateEntry: root_logger.debug("failed to add service KDCPROXY entry") raise diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 58a6a73..e7e11dd 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -131,9 +131,10 @@ def uninstall(standalone): if standalone: try: - kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host), - ('cn', 'masters'), ('cn', 'ipa'), - ('cn', 'etc'), api.env.basedn)) + api.Backend.ldap2.delete_entry( + DN(('cn', 'KRA'), ('cn', api.env.host), + ('cn', 'masters'), ('cn', 'ipa'), + ('cn', 'etc'), api.env.basedn)) except errors.NotFound: pass diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index b7ae38f..6f38380 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -30,6 +30,7 @@ from ipaserver.install import installutils from ipapython import ipautil from ipapython import kernel_keyring +from ipalib import api from ipalib.constants import CACERT from ipapython.ipa_log_manager import root_logger from ipapython.dn import DN @@ -79,14 +80,14 @@ def move_service_to_host(self, principal): """ service_dn = DN(('krbprincipalname', principal), self.get_realm_suffix()) - service_entry = self.admin_conn.get_entry(service_dn) - self.admin_conn.delete_entry(service_entry) + service_entry = api.Backend.ldap2.get_entry(service_dn) + api.Backend.ldap2.delete_entry(service_entry) # Create a host entry for this master host_dn = DN( ('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix) - host_entry = self.admin_conn.make_entry( + host_entry = api.Backend.ldap2.make_entry( host_dn, objectclass=[ 'top', 'ipaobject', 'nshost', 'ipahost', 'ipaservice', @@ -108,7 +109,7 @@ def move_service_to_host(self, principal): 'krbpasswordexpiration'] if 'krbticketflags' in service_entry: host_entry['krbticketflags'] = service_entry['krbticketflags'] - self.admin_conn.add_entry(host_entry) + api.Backend.ldap2.add_entry(host_entry) # Add the host to the ipaserver host group ld = ldapupdate.LDAPUpdate(ldapi=True) @@ -362,9 +363,9 @@ def __add_anonymous_pkinit_principal(self): # Create the special anonymous principal installutils.kadmin_addprinc(princ_realm) dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix()) - entry = self.admin_conn.get_entry(dn) + entry = api.Backend.ldap2.get_entry(dn) entry['nsAccountlock'] = ['TRUE'] - self.admin_conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) def __convert_to_gssapi_replication(self): repl = replication.ReplicationManager(self.realm, diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py index 7caf27a..59f27f5 100644 --- a/ipaserver/install/odsexporterinstance.py +++ b/ipaserver/install/odsexporterinstance.py @@ -112,7 +112,7 @@ def __setup_principal(self): mod = [(ldap.MOD_ADD, 'member', dns_exporter_principal_dn)] try: - self.admin_conn.modify_s(dns_group, mod) + api.Backend.ldap2.modify_s(dns_group, mod) except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception as e: @@ -127,7 +127,7 @@ def __setup_principal(self): (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'), (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')] try: - self.admin_conn.modify_s(dns_exporter_principal_dn, mod) + api.Backend.ldap2.modify_s(dns_exporter_principal_dn, mod) except Exception as e: root_logger.critical("Could not set principal's %s LDAP limits: %s" % (dns_exporter_principal_dn, str(e))) diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index 7f3269f..ea6cb51 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py @@ -82,7 +82,7 @@ def __init__(self, fstore=None): suffix = ipautil.dn_attribute_property('_suffix') def get_masters(self): - return get_dnssec_key_masters(self.admin_conn) + return get_dnssec_key_masters(api.Backend.ldap2) def create_instance(self, fqdn, realm_name, generate_master_key=True, kasp_db_file=None): @@ -145,7 +145,7 @@ def __enable(self): dn = DN(('cn', 'DNSSEC'), ('cn', self.fqdn), api.env.container_masters, api.env.basedn) try: - entry = self.admin_conn.get_entry(dn, ['ipaConfigString']) + entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString']) except errors.NotFound as e: root_logger.error( "DNSSEC service entry not found in the LDAP (%s)", e) @@ -153,7 +153,7 @@ def __enable(self): config = entry.setdefault('ipaConfigString', []) if KEYMASTER not in config: config.append(KEYMASTER) - self.admin_conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) def __setup_conf_files(self): if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE): diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 62bd499..bdb8e56 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -170,13 +170,6 @@ def __init__(self, service_name, service_desc=None, sstore=None, self.promote = False @property - def admin_conn(self): - """ - alias for api.Backend.ldap2 - """ - return api.Backend.ldap2 - - @property def principal(self): if any(attr is None for attr in (self.realm, self.fqdn, self.service_prefix)): @@ -209,7 +202,7 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, # As we always connect to the local host, # use URI of admin connection if not ldap_uri: - ldap_uri = self.admin_conn.ldap_uri + ldap_uri = api.Backend.ldap2.ldap_uri args += ["-H", ldap_uri] @@ -246,21 +239,21 @@ def move_service(self, principal): dn = DN(('krbprincipalname', principal), ('cn', self.realm), ('cn', 'kerberos'), self.suffix) try: - entry = self.admin_conn.get_entry(dn) + entry = api.Backend.ldap2.get_entry(dn) except errors.NotFound: # There is no service in the wrong location, nothing to do. # This can happen when installing a replica return None newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix) - self.admin_conn.delete_entry(entry) + api.Backend.ldap2.delete_entry(entry) entry.dn = newdn classes = entry.get("objectclass") classes = classes + ["ipaobject", "ipaservice", "pkiuser"] entry["objectclass"] = list(set(classes)) entry["ipauniqueid"] = ['autogenerate'] entry["managedby"] = [hostdn] - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) return newdn def add_simple_service(self, principal): @@ -271,7 +264,7 @@ def add_simple_service(self, principal): """ dn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix) - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( dn, objectclass=[ "krbprincipal", "krbprincipalaux", "krbticketpolicyaux", @@ -280,7 +273,7 @@ def add_simple_service(self, principal): ipauniqueid=['autogenerate'], managedby=[hostdn], ) - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) return dn def add_cert_to_service(self): @@ -291,16 +284,16 @@ def add_cert_to_service(self): """ dn = DN(('krbprincipalname', self.principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) - entry = self.admin_conn.get_entry(dn) + entry = api.Backend.ldap2.get_entry(dn) entry.setdefault('userCertificate', []).append(self.dercert) try: - self.admin_conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) except Exception as e: root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e))) def import_ca_certs(self, db, ca_is_configured, conn=None): if conn is None: - conn = self.admin_conn + conn = api.Backend.ldap2 try: ca_certs = certstore.get_ca_certs_nss( @@ -453,7 +446,8 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='', # enable disabled service try: - entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString']) + entry = api.Backend.ldap2.get_entry( + entry_name, ['ipaConfigString']) except errors.NotFound: pass else: @@ -465,7 +459,7 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='', entry.setdefault('ipaConfigString', []).append(u'enabledService') try: - self.admin_conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) except errors.EmptyModlist: root_logger.debug("service %s startup entry already enabled", name) return @@ -477,7 +471,7 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='', return order = SERVICE_LIST[name][1] - entry = self.admin_conn.make_entry( + entry = api.Backend.ldap2.make_entry( entry_name, objectclass=["nsContainer", "ipaConfigObject"], cn=[name], @@ -486,7 +480,7 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='', ) try: - self.admin_conn.add_entry(entry) + api.Backend.ldap2.add_entry(entry) except (errors.DuplicateEntry) as e: root_logger.debug("failed to add service %s startup entry", name) raise e @@ -497,13 +491,13 @@ def ldap_disable(self, name, fqdn, ldap_suffix): entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) search_kw = {'ipaConfigString': u'enabledService'} - filter = self.admin_conn.make_filter(search_kw) + filter = api.Backend.ldap2.make_filter(search_kw) try: - entries, _truncated = self.admin_conn.find_entries( + entries, _truncated = api.Backend.ldap2.find_entries( filter=filter, attrs_list=['ipaConfigString'], base_dn=entry_dn, - scope=self.admin_conn.SCOPE_BASE) + scope=api.Backend.ldap2.SCOPE_BASE) except errors.NotFound: root_logger.debug("service %s startup entry already disabled", name) return @@ -518,7 +512,7 @@ def ldap_disable(self, name, fqdn, ldap_suffix): break try: - self.admin_conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) except errors.EmptyModlist: pass except: @@ -531,7 +525,7 @@ def ldap_remove_service_container(self, name, fqdn, ldap_suffix): entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix) try: - self.admin_conn.delete_entry(entry_dn) + api.Backend.ldap2.delete_entry(entry_dn) except errors.NotFound: root_logger.debug("service %s container already removed", name) else: From 89bd31a2e94f7150c12bc4d722768b9337cb560a Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Wed, 9 Nov 2016 12:23:36 +0100 Subject: [PATCH 2/3] upgrade: ldap conn management Clean up unnecessary starts/stops of DS and unnescessary attributes. If the DS is running, establish an LDAP connection and properly close it. https://fedorahosted.org/freeipa/ticket/6461 --- ipaserver/install/ipa_server_upgrade.py | 3 --- ipaserver/install/server/upgrade.py | 26 ++++++++------------------ ipaserver/install/upgradeinstance.py | 2 +- 3 files changed, 9 insertions(+), 22 deletions(-) diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index f03f95a..c384704 100644 --- a/ipaserver/install/ipa_server_upgrade.py +++ b/ipaserver/install/ipa_server_upgrade.py @@ -40,7 +40,6 @@ def run(self): api.bootstrap(in_server=True, context='updates') api.finalize() - api.Backend.ldap2.connect() try: server.upgrade_check(self.options) @@ -48,8 +47,6 @@ def run(self): except RuntimeError as e: raise admintool.ScriptError(str(e)) - api.Backend.ldap2.disconnect() - def handle_error(self, exception): if not isinstance(exception, SystemExit): # do not log this message when ipa is not installed diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 5f61015..e3470d5 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -25,7 +25,6 @@ from ipaplatform import services from ipaplatform.tasks import tasks from ipapython import ipautil, sysrestore, version, certdb -from ipapython import ipaldap from ipapython.ipa_log_manager import root_logger from ipapython import certmonger from ipapython import dnsutil @@ -1606,9 +1605,6 @@ def upgrade_configuration(): remove_ds_ra_cert(subject_base) ds.start(ds_serverid) - # Force enabling plugins via LDAPI and external bind - ds.ldapi = True - ds.autobind = ipaldap.AUTOBIND_ENABLED ds.fqdn = fqdn ds.realm = api.env.realm ds.suffix = ipautil.realm_to_suffix(api.env.realm) @@ -1616,14 +1612,8 @@ def upgrade_configuration(): ds_enable_sidgen_extdom_plugins(ds) - # Now 389-ds is available, run the remaining http tasks if not http.is_kdcproxy_configured(): root_logger.info('[Enabling KDC Proxy]') - if http.admin_conn is None: - # 389-ds needs to be running - ds.start() - http.ldapi = True - http.suffix = ipautil.realm_to_suffix(api.env.realm) httpinstance.create_kdcproxy_user() http.create_kdcproxy_conf() http.enable_kdcproxy() @@ -1645,12 +1635,8 @@ def upgrade_configuration(): ) for service, ldap_name in simple_service_list: - service.ldapi = True try: if not service.is_configured(): - # 389-ds needs to be running to create the instances - # because we record the new service in cn=masters. - ds.start() service.create_instance(ldap_name, fqdn, ipautil.realm_to_suffix(api.env.realm), realm=api.env.realm) @@ -1661,7 +1647,6 @@ def upgrade_configuration(): if bindinstance.named_conf_exists(): dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore) if not dnskeysyncd.is_configured(): - ds.start() dnskeysyncd.create_instance(fqdn, api.env.realm) dnskeysyncd.start_dnskeysyncd() @@ -1749,9 +1734,7 @@ def upgrade_configuration(): set_sssd_domain_option('ipa_server_mode', 'True') - if ds_running and not ds.is_running(): - ds.start(ds_serverid) - elif not ds_running and ds.is_running(): + if not ds_running: ds.stop(ds_serverid) if ca.is_configured(): @@ -1796,6 +1779,10 @@ def upgrade(): paths.EXTERNAL_SCHEMA_DIR)) data_upgrade = IPAUpgrade(realm, schema_files=schema_files) + ds_running = data_upgrade.is_running() + if ds_running: + api.Backend.ldap2.connect() + try: data_upgrade.create_instance() except BadSyntax: @@ -1808,6 +1795,9 @@ def upgrade(): root_logger.info('Update complete') else: root_logger.info('Update complete, no data were modified') + finally: + if ds_running: + api.Backend.ldap2.disconnect() # store new data version after upgrade installutils.store_version() diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py index 0d6013f..59d17ca 100644 --- a/ipaserver/install/upgradeinstance.py +++ b/ipaserver/install/upgradeinstance.py @@ -96,8 +96,8 @@ def __start(self): def __stop_instance(self): """Stop only the main DS instance""" - super(IPAUpgrade, self).stop(self.serverid) api.Backend.ldap2.disconnect() + super(IPAUpgrade, self).stop(self.serverid) def create_instance(self): ds_running = super(IPAUpgrade, self).is_running() From 4bff79933488d24b628c8a349a6679041469cc52 Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Mon, 21 Nov 2016 10:37:22 +0100 Subject: [PATCH 3/3] upgrade: do not explicitly set principal for services After installer refactoring, principal is a property of service. https://fedorahosted.org/freeipa/ticket/6392 --- ipaserver/install/server/upgrade.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index e3470d5..ea547a2 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1588,7 +1588,6 @@ def upgrade_configuration(): http = httpinstance.HTTPInstance(fstore) http.fqdn = fqdn http.realm = api.env.realm - http.principal = "HTTP/%s@%s" % (http.fqdn, http.realm) http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() @@ -1608,7 +1607,6 @@ def upgrade_configuration(): ds.fqdn = fqdn ds.realm = api.env.realm ds.suffix = ipautil.realm_to_suffix(api.env.realm) - ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm) ds_enable_sidgen_extdom_plugins(ds)
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
