ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.
https://fedorahosted.org/freeipa/ticket/4459
--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From 08d0a5f2bc7874943021258fedc71e9f6cfb76ba Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 24 Jul 2014 09:57:54 +0200
Subject: [PATCH] Do not crash client basedn discovery when SSF not met
ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.
https://fedorahosted.org/freeipa/ticket/4459
---
ipa-client/ipaclient/ipadiscovery.py | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 1e084dba197380d25f4ed9cad08d34cecb922c0b..0532f618e81d215c4416f62f81af2add48c7dc8e 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -335,6 +335,10 @@ def ipacheckldap(self, thost, trealm, ca_cert_path=None):
no_schema=True, decode_attrs=False)
try:
lh.do_simple_bind(DN(), '')
+
+# get IPA base DN
+root_logger.debug(Search LDAP server for IPA base DN)
+basedn = get_ipa_basedn(lh)
except errors.ACIError:
root_logger.debug(LDAP Error: Anonymous access not allowed)
return [NO_ACCESS_TO_LDAP]
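Review bot: Inside the try, the added get_ipa_basedn(lh) call now shares its handlers with do_simple_bind, and the only handler visible in this hunk is except errors.ACIError, whose debug text reads "Anonymous access not allowed". Please confirm that the search failure named in the commit message (UNWILLING_TO_PERFORM when the SSF is not met) surfaces as an exception that one of these handlers actually catches. If it does land in the ACIError branch, a debug message that says whether the bind or the base DN search was refused would make client install logs easier to read, since the two cases are otherwise indistinguishable. The empty added line after the bind could also be dropped.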
@@ -350,10 +354,6 @@ def ipacheckldap(self, thost, trealm, ca_cert_path=None):
else:
return [UNKNOWN_ERROR]
-# get IPA base DN
-root_logger.debug(Search LDAP server for IPA base DN)
-basedn = get_ipa_basedn(lh)
-
if basedn is None:
root_logger.debug(The server is not an IPA server)
return [NOT_IPA_SERVER]
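Review bot: The "if basedn is None" check that follows the handlers now relies on basedn having been assigned inside the try block, with no assignment left at this level. The visible context ends a handler with "else: return [UNKNOWN_ERROR]", but the matching if branch is outside the hunk, so it is not evident that every handler path returns. Setting basedn = None before the try would guarantee the check can never be reached with the name unbound. Also note that any exception from get_ipa_basedn that is unrelated to SSF is now routed through these same handlers and may be reported as [UNKNOWN_ERROR]; if that is intended, a short comment above the call would help.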
--
1.9.3