[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492 Author: HonzaCholasta Title: #492: [WIP] config: remove meaningless defaults Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/492/head:pr492 git checkout pr492 From a6ac65697b212a02e3032d34bcc847a56d757afa Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Thu, 23 Feb 2017 09:44:04 + Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP connections Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the user_status and migrate-ds plugins. --- ipaserver/plugins/migration.py | 15 +-- ipaserver/plugins/user.py | 12 +--- 2 files changed, 10 insertions(+), 17 deletions(-) diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py index 72abd14..e8d102a 100644 --- a/ipaserver/plugins/migration.py +++ b/ipaserver/plugins/migration.py @@ -28,13 +28,9 @@ from ipalib.cli import to_cli from ipalib.plugable import Registry from .user import NO_UPG_MAGIC -if api.env.in_server and api.env.context in ['lite', 'server']: -try: -from ipaserver.plugins.ldap2 import ldap2 -except Exception as e: -raise e from ipalib import _ from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import write_tmp_file from ipapython.kerberos import Principal import datetime @@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options): return dict(result={}, failed={}, enabled=False, compat=True) # connect to DS -ds_ldap = ldap2(self.api, ldap_uri=ldapuri) - cacert = None if options.get('cacertfile') is not None: # store CA cert into file @@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options): cacert = tmp_ca_cert_f.name # start TLS connection -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw, -cacert=cacert) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) tmp_ca_cert_f.close() else: -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) # check whether the compat plugin is enabled if not options.get('compat'): diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index 2d29dfb..afaa828 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py @@ -21,7 +21,7 @@ import time from time import gmtime, strftime import posixpath -import os + import six from ipalib import api @@ -63,12 +63,10 @@ from ipalib import output from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS from ipalib.capabilities import client_has_capability -if api.env.in_server: -from ipaserver.plugins.ldap2 import ldap2 - if six.PY3: unicode = str @@ -1124,9 +1122,9 @@ def execute(self, *keys, **options): if host == api.env.host: other_ldap = self.obj.backend else: -other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host) try: -other_ldap.connect(ccache=os.environ['KRB5CCNAME']) +other_ldap = LDAPClient(ldap_uri='ldap://%s' % host) +other_ldap.gssapi_bind() except Exception as e: self.error("user_status: Connecting to %s failed with %s" % (host, str(e))) newresult = {'dn': dn} @@ -1171,7 +1169,7 @@ def execute(self, *keys, **options): count += 1 if host != api.env.host: -other_ldap.disconnect() +other_ldap.close() return dict(result=entries, count=count, From ceacb79493bd1ffa0c048a58bf97a9f161081a79 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 23 Feb 2017 09:52:51 + Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections Use the default LDAP URI from api.env.ldap_uri instead of specifying a custom URI in the argument, as the custom URI is always the same as the default URI. --- ipaserver/install/cainstance.py | 19 +-- ipaserver/install/krainstance.py | 4 +--- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 0991883..b3aeec6 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -726,9 +726,7 @@ def __create_ca_agent(self): cert_data =
[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492 Author: HonzaCholasta Title: #492: [WIP] config: remove meaningless defaults Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/492/head:pr492 git checkout pr492 From f054783ed7f632f6f676fe2d3fec1c486163e956 Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Thu, 23 Feb 2017 09:44:04 + Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP connections Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the user_status and migrate-ds plugins. --- ipaserver/plugins/migration.py | 15 +-- ipaserver/plugins/user.py | 11 --- 2 files changed, 9 insertions(+), 17 deletions(-) diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py index 72abd14..e8d102a 100644 --- a/ipaserver/plugins/migration.py +++ b/ipaserver/plugins/migration.py @@ -28,13 +28,9 @@ from ipalib.cli import to_cli from ipalib.plugable import Registry from .user import NO_UPG_MAGIC -if api.env.in_server and api.env.context in ['lite', 'server']: -try: -from ipaserver.plugins.ldap2 import ldap2 -except Exception as e: -raise e from ipalib import _ from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import write_tmp_file from ipapython.kerberos import Principal import datetime @@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options): return dict(result={}, failed={}, enabled=False, compat=True) # connect to DS -ds_ldap = ldap2(self.api, ldap_uri=ldapuri) - cacert = None if options.get('cacertfile') is not None: # store CA cert into file @@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options): cacert = tmp_ca_cert_f.name # start TLS connection -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw, -cacert=cacert) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) tmp_ca_cert_f.close() else: -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) # check whether the compat plugin is enabled if not options.get('compat'): diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index 88171cf..4c4b7d3 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py @@ -21,7 +21,6 @@ import time from time import gmtime, strftime import posixpath -import os import six @@ -62,12 +61,10 @@ from ipalib import output from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS from ipalib.capabilities import client_has_capability -if api.env.in_server: -from ipaserver.plugins.ldap2 import ldap2 - if six.PY3: unicode = str @@ -1115,9 +1112,9 @@ def execute(self, *keys, **options): if host == api.env.host: other_ldap = self.obj.backend else: -other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host) try: -other_ldap.connect(ccache=os.environ['KRB5CCNAME']) +other_ldap = LDAPClient(ldap_uri='ldap://%s' % host) +other_ldap.gssapi_bind() except Exception as e: self.error("user_status: Connecting to %s failed with %s" % (host, str(e))) newresult = {'dn': dn} @@ -1162,7 +1159,7 @@ def execute(self, *keys, **options): count += 1 if host != api.env.host: -other_ldap.disconnect() +other_ldap.close() return dict(result=entries, count=count, From 6ea9124b9bec0abd30236082d692f12e2b2fec1f Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 23 Feb 2017 09:52:51 + Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections Use the default URI from api.env.ldap_uri, as it is the same as the URI provided using the argument. --- ipaserver/install/cainstance.py | 19 +-- ipaserver/install/krainstance.py | 4 +--- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 6e3f995..e464263 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -706,9 +706,7 @@ def __create_ca_agent(self): cert = x509.load_certificate(cert_data, x509.DER) # connect to CA database -server_id =
[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults
URL: https://github.com/freeipa/freeipa/pull/492 Author: HonzaCholasta Title: #492: [WIP] config: remove meaningless defaults Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/492/head:pr492 git checkout pr492 From a5bfc0b734466ea5a8a9447fd1a916fa85462922 Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Thu, 23 Feb 2017 09:44:04 + Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP connections Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the user_status and migrate-ds plugins. --- ipaserver/plugins/migration.py | 15 +-- ipaserver/plugins/user.py | 11 --- 2 files changed, 9 insertions(+), 17 deletions(-) diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py index 72abd14..e8d102a 100644 --- a/ipaserver/plugins/migration.py +++ b/ipaserver/plugins/migration.py @@ -28,13 +28,9 @@ from ipalib.cli import to_cli from ipalib.plugable import Registry from .user import NO_UPG_MAGIC -if api.env.in_server and api.env.context in ['lite', 'server']: -try: -from ipaserver.plugins.ldap2 import ldap2 -except Exception as e: -raise e from ipalib import _ from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import write_tmp_file from ipapython.kerberos import Principal import datetime @@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options): return dict(result={}, failed={}, enabled=False, compat=True) # connect to DS -ds_ldap = ldap2(self.api, ldap_uri=ldapuri) - cacert = None if options.get('cacertfile') is not None: # store CA cert into file @@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options): cacert = tmp_ca_cert_f.name # start TLS connection -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw, -cacert=cacert) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) tmp_ca_cert_f.close() else: -ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw) +ds_ldap = LDAPClient(ldapuri, cacert=cacert) +ds_ldap.simple_bind(options['binddn'], bindpw) # check whether the compat plugin is enabled if not options.get('compat'): diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py index 88171cf..4c4b7d3 100644 --- a/ipaserver/plugins/user.py +++ b/ipaserver/plugins/user.py @@ -21,7 +21,6 @@ import time from time import gmtime, strftime import posixpath -import os import six @@ -62,12 +61,10 @@ from ipalib import output from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython.ipaldap import LDAPClient from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS from ipalib.capabilities import client_has_capability -if api.env.in_server: -from ipaserver.plugins.ldap2 import ldap2 - if six.PY3: unicode = str @@ -1115,9 +1112,9 @@ def execute(self, *keys, **options): if host == api.env.host: other_ldap = self.obj.backend else: -other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host) try: -other_ldap.connect(ccache=os.environ['KRB5CCNAME']) +other_ldap = LDAPClient(ldap_uri='ldap://%s' % host) +other_ldap.gssapi_bind() except Exception as e: self.error("user_status: Connecting to %s failed with %s" % (host, str(e))) newresult = {'dn': dn} @@ -1162,7 +1159,7 @@ def execute(self, *keys, **options): count += 1 if host != api.env.host: -other_ldap.disconnect() +other_ldap.close() return dict(result=entries, count=count, From f77a3d6f811c20e46b6a61e4e8a20b1e447b0ed5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 23 Feb 2017 09:52:51 + Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections Use the default URI from api.env.ldap_uri, as it is the same as the URI provided using the argument. --- ipaserver/install/cainstance.py | 19 +-- ipaserver/install/krainstance.py | 4 +--- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3c86b91..b79b432 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -703,9 +703,7 @@ def __create_ca_agent(self): cert = x509.load_certificate(cert_data, x509.DER) # connect to CA database -server_id =