[Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient

2016-11-11 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/214
Author: tomaskrizek
 Title: #214: ipaldap: remove do_bind from LDAPClient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/214/head:pr214
git checkout pr214
From b84b17f9be13fd3b4bda99892d9da32b15493547 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Fri, 11 Nov 2016 12:45:11 +0100
Subject: [PATCH] dns: check if container exists using ldapi

Previously an ad hoc connection was established to check whether the
dns(sec) container exists. A simple or external bind was used.
Instead, always connect with ldapi through api.Backend.ldap2.

https://fedorahosted.org/freeipa/ticket/6461
---
 install/tools/ipa-csreplica-manage |  3 +--
 install/tools/ipa-replica-manage   |  3 +--
 ipaserver/install/bindinstance.py  | 23 ---
 ipaserver/install/ca.py|  3 +--
 ipaserver/install/dnskeysyncinstance.py| 28 +---
 ipaserver/install/ipa_replica_prepare.py   |  9 ++---
 ipaserver/install/server/replicainstall.py |  4 +---
 7 files changed, 15 insertions(+), 58 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index fd384d6..532e353 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -281,8 +281,7 @@ def del_master(realm, hostname, options):
 
 # 7. And clean up the removed replica DNS entries if any.
 try:
-if bindinstance.dns_container_exists(options.host, api.env.basedn,
- dm_password=options.dirman_passwd):
+if bindinstance.dns_container_exists(api.env.basedn):
 bind = bindinstance.BindInstance()
 bind.update_system_records()
 except Exception as e:
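Review bot: Both `dns_container_exists` call sites now depend on `api.Backend.ldap2` already being connected, and nothing in the hunk establishes that; if it is not, the `except Exception` below turns the failure into a generic error rather than the former "LDAP server ... is not responding" message. The same applies to the `cleanup_server_dns_entries` hunk in ipa-replica-manage. Since `options.host` and `options.dirman_passwd` are no longer consumed here, it is worth checking whether the directory manager password is still required by these commands at all, so it is not collected without a consumer. `del_master` continues outside the hunk.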
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 48a28bd..68d9a92 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -903,8 +903,7 @@ def ensure_last_services(conn, hostname, masters, options):
 
 def cleanup_server_dns_entries(realm, hostname, suffix, options):
 try:
-if bindinstance.dns_container_exists(options.host, suffix,
- dm_password=options.dirman_passwd):
+if bindinstance.dns_container_exists(suffix):
 bindinstance.remove_master_dns_records(hostname, realm)
 dnskeysyncinstance.remove_replica_public_keys(hostname)
 except Exception as e:
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index d32ced7..179eb68 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -39,7 +39,7 @@
 from ipaserver.install import installutils
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipapython import ipautil, ipaldap
+from ipapython import ipautil
 from ipapython import dnsutil
 from ipapython.dnsutil import DNSName
 from ipapython.ipa_log_manager import root_logger
@@ -58,7 +58,6 @@
  zone_is_reverse, validate_dnssec_global_forwarder,
  DNSSECSignatureMissingError, EDNS0UnsupportedError,
  UnresolvableRecordError)
-from ipalib.constants import CACERT
 
 if six.PY3:
 unicode = str
@@ -229,26 +228,13 @@ def named_conf_add_include(path):
 f.write(named_conf_include_template % {'path': path})
 
 
-def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
- realm=None):
+def dns_container_exists(suffix):
 """
 Test whether the dns container exists.
 """
 assert isinstance(suffix, DN)
-try:
-# At install time we may need to use LDAPI to avoid chicken/egg
-# issues with SSL certs and truting CAs
-ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
-cacert=CACERT)
-conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
-conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)
-except ldap.SERVER_DOWN:
-raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
-
-ret = conn.entry_exists(DN(('cn', 'dns'), suffix))
-conn.unbind()
+return api.Backend.ldap2.entry_exists(DN(('cn', 'dns'), suffix))
 
-return ret
 
 def dns_zone_exists(name, api=api):
 try:
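Review bot: The new body has no connection check, so a call made before `api.Backend.ldap2` is connected propagates whatever the backend raises, and the explicit `ldap.SERVER_DOWN` to `RuntimeError('... Is IPA installed?')` translation is gone; the docstring should state the precondition, e.g. `Requires api.Backend.ldap2 to be connected (ldapi).` If `ldap.SERVER_DOWN` was this module's only use of the `ldap` import, that import is now dead as well (not visible here). The `setup()` hunk below, which used to force `ldapi=True` to sidestep the certificate chicken-and-egg problem at install time, now gets that guarantee only if ldap2 itself is connected over ldapi, as the commit message asserts. The same hunks are re-posted in the second copy of this patch further down.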
@@ -656,8 +642,7 @@ def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
 else:
 self.zonemgr = normalize_zonemgr(zonemgr)
 
-self.first_instance = not dns_container_exists(
-self.fqdn, self.suffix, realm=self.realm, ldapi=True)
+self.first_instance = not dns_container_exists(self.suffix)
 
 self.__setup_sub_dict()
 
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 

[Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient

2016-11-11 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/214
Author: tomaskrizek
 Title: #214: ipaldap: remove do_bind from LDAPClient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/214/head:pr214
git checkout pr214
From 71baccaead4ae3438102f596d73c1c3ca9201995 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 8 Nov 2016 08:30:08 +0100
Subject: [PATCH] install: migrate client install to the new class hierarchy

Migrate ipa-client-install from the custom script to the new installer
class hierarchy classes.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti 
---
 client/ipa-client-install  | 230 +
 install/tools/ipa-csreplica-manage |   3 +-
 install/tools/ipa-replica-manage   |   3 +-
 ipaclient/install/client.py| 127 +++-
 ipaclient/install/ipa_client_install.py|  66 +
 ipaserver/install/bindinstance.py  |  23 +--
 ipaserver/install/ca.py|   3 +-
 ipaserver/install/dnskeysyncinstance.py|  28 +---
 ipaserver/install/ipa_replica_prepare.py   |   9 +-
 ipaserver/install/server/replicainstall.py |   4 +-
 10 files changed, 209 insertions(+), 287 deletions(-)
 create mode 100644 ipaclient/install/ipa_client_install.py

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 9ce2697..2771184 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -19,232 +19,6 @@
 # along with this program.  If not, see .
 #
 
-from __future__ import print_function
+from ipaclient.install import ipa_client_install
 
-import sys
-import os
-
-from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
-
-from ipaclient.install import client
-from ipapython.ipa_log_manager import standard_logging_setup, root_logger
-from ipaplatform.paths import paths
-from ipapython import version
-from ipapython.admintool import ScriptError
-from ipapython.config import IPAOptionParser
-from ipalib import x509
-from ipalib.util import normalize_hostname, validate_domain_name
-
-
-def parse_options():
-def validate_ca_cert_file_option(option, opt, value, parser):
-if not os.path.exists(value):
-raise OptionValueError("%s option '%s' does not exist" % (opt, value))
-if not os.path.isfile(value):
-raise OptionValueError("%s option '%s' is not a file" % (opt, value))
-if not os.path.isabs(value):
-raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
-
-try:
-x509.load_certificate_from_file(value)
-except Exception:
-raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
-
-parser.values.ca_cert_file = value
-
-def kinit_attempts_callback(option, opt, value, parser):
-if value < 1:
-raise OptionValueError(
-"Option %s expects an integer greater than 0."
-% opt)
-
-parser.values.kinit_attempts = value
-
-parser = IPAOptionParser(version=version.VERSION)
-
-basic_group = OptionGroup(parser, "basic options")
-basic_group.add_option("--domain", dest="domain", help="domain name")
-basic_group.add_option("--server", dest="server", help="FQDN of IPA server", action="append")
-basic_group.add_option("--realm", dest="realm_name", help="realm name")
-basic_group.add_option("--fixed-primary", dest="primary", action="store_true",
-  default=False, help="Configure sssd to use fixed server as primary IPA server")
-basic_group.add_option("-p", "--principal", dest="principal",
-  help="principal to use to join the IPA realm")
-basic_group.add_option("-w", "--password", dest="password", sensitive=True,
-  help="password to join the IPA realm (assumes bulk "
-   "password unless principal is also set)")
-basic_group.add_option("-k", "--keytab", dest="keytab",
-  help="path to backed up keytab from previous enrollment")
-basic_group.add_option("-W", dest="prompt_password", action="store_true",
-  default=False,
-  help="Prompt for a password to join the IPA realm")
-basic_group.add_option("--mkhomedir", dest="mkhomedir",
-  action="store_true", default=False,
-  help="create home directories for users on their first login")
-basic_group.add_option("", "--hostname", dest="hostname",
-  help="The hostname of this machine (FQDN). If specified, the hostname will be set and "
-   "the system configuration will be updated to persist over reboot. "
-   "By default the result of getfqdn() call from "

[Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient

2016-11-11 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/214
Author: tomaskrizek
 Title: #214: ipaldap: remove do_bind from LDAPClient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/214/head:pr214
git checkout pr214
From f2386f6679f98ff73462f09a9c8b41983cde2604 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Fri, 11 Nov 2016 12:45:11 +0100
Subject: [PATCH] dns: check if container exists using ldapi

Previously an ad hoc connection was established to check whether the
dns(sec) container exists. A simple or external bind was used.
Instead, always connect with ldapi through api.Backend.ldap2.

https://fedorahosted.org/freeipa/ticket/6461
---
 install/tools/ipa-csreplica-manage |  3 +--
 install/tools/ipa-replica-manage   |  3 +--
 ipaserver/install/bindinstance.py  | 23 ---
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/dnskeysyncinstance.py| 28 +---
 ipaserver/install/ipa_replica_prepare.py   |  9 ++---
 ipaserver/install/server/replicainstall.py |  4 +---
 7 files changed, 15 insertions(+), 57 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index fd384d6..532e353 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -281,8 +281,7 @@ def del_master(realm, hostname, options):
 
 # 7. And clean up the removed replica DNS entries if any.
 try:
-if bindinstance.dns_container_exists(options.host, api.env.basedn,
- dm_password=options.dirman_passwd):
+if bindinstance.dns_container_exists(api.env.basedn):
 bind = bindinstance.BindInstance()
 bind.update_system_records()
 except Exception as e:
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 48a28bd..68d9a92 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -903,8 +903,7 @@ def ensure_last_services(conn, hostname, masters, options):
 
 def cleanup_server_dns_entries(realm, hostname, suffix, options):
 try:
-if bindinstance.dns_container_exists(options.host, suffix,
- dm_password=options.dirman_passwd):
+if bindinstance.dns_container_exists(suffix):
 bindinstance.remove_master_dns_records(hostname, realm)
 dnskeysyncinstance.remove_replica_public_keys(hostname)
 except Exception as e:
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index d32ced7..179eb68 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -39,7 +39,7 @@
 from ipaserver.install import installutils
 from ipaserver.install import service
 from ipaserver.install import sysupgrade
-from ipapython import ipautil, ipaldap
+from ipapython import ipautil
 from ipapython import dnsutil
 from ipapython.dnsutil import DNSName
 from ipapython.ipa_log_manager import root_logger
@@ -58,7 +58,6 @@
  zone_is_reverse, validate_dnssec_global_forwarder,
  DNSSECSignatureMissingError, EDNS0UnsupportedError,
  UnresolvableRecordError)
-from ipalib.constants import CACERT
 
 if six.PY3:
 unicode = str
@@ -229,26 +228,13 @@ def named_conf_add_include(path):
 f.write(named_conf_include_template % {'path': path})
 
 
-def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
- realm=None):
+def dns_container_exists(suffix):
 """
 Test whether the dns container exists.
 """
 assert isinstance(suffix, DN)
-try:
-# At install time we may need to use LDAPI to avoid chicken/egg
-# issues with SSL certs and truting CAs
-ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
-cacert=CACERT)
-conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
-conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)
-except ldap.SERVER_DOWN:
-raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
-
-ret = conn.entry_exists(DN(('cn', 'dns'), suffix))
-conn.unbind()
+return api.Backend.ldap2.entry_exists(DN(('cn', 'dns'), suffix))
 
-return ret
 
 def dns_zone_exists(name, api=api):
 try:
@@ -656,8 +642,7 @@ def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
 else:
 self.zonemgr = normalize_zonemgr(zonemgr)
 
-self.first_instance = not dns_container_exists(
-self.fqdn, self.suffix, realm=self.realm, ldapi=True)
+self.first_instance = not dns_container_exists(self.suffix)
 
 self.__setup_sub_dict()
 
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 

[Freeipa-devel] [freeipa PR#214][synchronized] ipaldap: remove do_bind from LDAPClient

2016-11-11 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/214
Author: tomaskrizek
 Title: #214: ipaldap: remove do_bind from LDAPClient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/214/head:pr214
git checkout pr214
From f27333f7a60a41599a3a1b68a54ca3eea9945353 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 8 Nov 2016 12:16:09 +0100
Subject: [PATCH 1/2] ipaldap: remove do_bind from LDAPClient

Remove the do_bind() method, a relic of IPAdmin. Replace
its uses with simple / external binds.

https://fedorahosted.org/freeipa/ticket/6461
---
 install/tools/ipa-httpd-kdcproxy|  2 +-
 ipapython/ipaldap.py| 20 
 ipaserver/install/bindinstance.py   |  2 +-
 ipaserver/install/dnskeysyncinstance.py |  3 +--
 4 files changed, 3 insertions(+), 24 deletions(-)

diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index 20674c2..329565c 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -79,7 +79,7 @@ class KDCProxyConfig(object):
 self.log.debug('ldap_uri: %s', self.ldap_uri)
 try:
 self.con = LDAPClient(self.ldap_uri)
-self.con.do_bind()
+self.con.external_bind()
 except (errors.NetworkError, socket.timeout) as e:
 msg = 'Unable to connect to dirsrv: %s' % e
 raise CheckError(msg)
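Review bot: `external_bind()` is not a drop-in for the removed `do_bind()`: the deleted implementation only attempted the external bind when running as root over ldapi and fell back to `gssapi_bind()` on `errors.NotFound`, while `external_bind()` alone raises on that path and `errors.NotFound` is not in the `except (errors.NetworkError, socket.timeout)` tuple, so the failure escapes as a traceback instead of a `CheckError`. If this check is guaranteed to run as root over ldapi that is acceptable, but a comment recording the assumption, `# ldapi autobind as root; no GSSAPI fallback`, would save the next reader the same question. `KDCProxyConfig` continues outside the hunk.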
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 2994c01..ed5c804 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -749,26 +749,6 @@ def __init__(self, ldap_uri, start_tls=False, force_schema_updates=False,
 def __str__(self):
 return self.ldap_uri
 
-def do_bind(self, dm_password="", autobind=AUTOBIND_AUTO):
-if dm_password:
-self.simple_bind(bind_dn=DIRMAN_DN,
- bind_password=dm_password)
-return
-if (autobind != AUTOBIND_DISABLED and os.getegid() == 0 and
-self._protocol == 'ldapi'):
-try:
-# autobind
-self.external_bind()
-return
-except errors.NotFound:
-if autobind == AUTOBIND_ENABLED:
-# autobind was required and failed, raise
-# exception that it failed
-raise
-
-# fall back
-self.gssapi_bind()
-
 def modify_s(self, dn, modlist):
 # FIXME: for backwards compatibility only
 assert isinstance(dn, DN)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 7d6f3ba..9810246 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -241,7 +241,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
 ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
 cacert=CACERT)
 conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
-conn.do_bind(dm_password)
+conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)
 except ldap.SERVER_DOWN:
 raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
 
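Review bot: `simple_bind(ipaldap.DIRMAN_DN, dm_password)` now runs even when `dm_password` is `None` (its default), which is exactly the case for callers that pass `ldapi=True` without a password and relied on the removed autobind path, such as `BindInstance.setup()` in the second patch of this series; the result is a bind as the Directory Manager DN with an empty credential, an unauthenticated bind at best and a rejected one at worst, instead of the former external bind. The dnskeysyncinstance hunk below has the same issue. A guard such as `if not dm_password: raise ValueError('dm_password is required')` would at least fail clearly; the follow-up patch removes the ad hoc connection altogether, which resolves it. `dns_container_exists` starts outside the hunk.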
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index a6c1013..bc2477b 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -44,8 +44,7 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
 ldap_uri = ipaldap.get_ldap_uri(fqdn, 636, ldapi=ldapi, realm=realm,
 cacert=CACERT)
 conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
-
-conn.do_bind(dm_password)
+conn.simple_bind(ipaldap.DIRMAN_DN, dm_password)
 except ldap.SERVER_DOWN:
 raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
 

From 0c761653179e91c0da6e25aaf6c5e4aca68f349d Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Fri, 11 Nov 2016 12:45:11 +0100
Subject: [PATCH 2/2] dns: check if container exists using ldapi

Previously an ad hoc connection was established to check whether the
dns(sec) container exists. A simple or external bind was used.
Instead, always connect with ldapi through api.Backend.ldap2.

https://fedorahosted.org/freeipa/ticket/6461
---
 install/tools/ipa-ca-install   |  3 +--
 install/tools/ipa-csreplica-manage |  3 +--
 install/tools/ipa-replica-manage   |  3 +--
 ipaserver/install/bindinstance.py  | 23 ---
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/dnskeysyncinstance.py| 28 +---
 ipaserver/install/ipa_replica_prepare.py   |  9 ++---
 ipaserver/install/server/replicainstall.py |  4 +---
 8 files