URL: https://github.com/freeipa/freeipa/pull/223
Author: tomaskrizek
 Title: #223: LDAP refactoring: remove admin_conn
Action: opened

PR body:
"""
This first commit removes the admin_conn alias for api.Backend.ldap2 that was 
previously used in services.

When trying to get rid of it, I found some legacy code in ipa-server-upgrade. 
The second commit improves LDAP connection management in the upgrade and removes 
useless starts and stops of the directory server at random places.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/223/head:pr223
git checkout pr223
From 989c669a6801b6658399eb4dc37d72b6f8627acc Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Wed, 9 Nov 2016 12:53:14 +0100
Subject: [PATCH 1/2] services: replace admin_conn with api.Backend.ldap2

Since service.admin_conn is only an alias to api.Backend.ldap2,
replace it everywhere with the explicit api.Backend.ldap2 instead.

https://fedorahosted.org/freeipa/ticket/6461
---
 install/tools/ipa-adtrust-install        |  6 +--
 ipaserver/install/adtrustinstance.py     | 79 +++++++++++++++++---------------
 ipaserver/install/bindinstance.py        | 10 ++--
 ipaserver/install/cainstance.py          | 22 ++++-----
 ipaserver/install/dnskeysyncinstance.py  |  6 +--
 ipaserver/install/dogtaginstance.py      | 16 +++----
 ipaserver/install/dsinstance.py          | 24 +++++-----
 ipaserver/install/httpinstance.py        |  9 ++--
 ipaserver/install/kra.py                 |  7 +--
 ipaserver/install/krbinstance.py         | 13 +++---
 ipaserver/install/odsexporterinstance.py |  4 +-
 ipaserver/install/opendnssecinstance.py  |  6 +--
 ipaserver/install/service.py             | 44 ++++++++----------
 13 files changed, 123 insertions(+), 123 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 8eed519..8b75d5c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -411,7 +411,7 @@ def main():
         try:
             # Search only masters which have support for domain levels
             # because only these masters will have SSSD recent enough to support AD trust agents
-            entries_m, _truncated = smb.admin_conn.find_entries(
+            entries_m, _truncated = api.Backend.ldap2.find_entries(
                 filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",
                 base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
         except errors.NotFound:
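Review bot: The new call at line 54 relies on `api` already being imported in ipa-adtrust-install, since this file's diff adds no import and the diffstat leaves no room for one; the script's import block is outside these hunks, so confirm it rather than trust the rename. The same applies to the other two hunks in this file (the `entries_a` search and the `add_principals_to_group` call). With `smb.admin_conn` gone from these call sites, nothing in the hunk shows that the global connection has been established before the search runs — presumably that happens earlier in main(), which starts outside the hunk; a guard such as `if not api.Backend.ldap2.isconnected(): api.Backend.ldap2.connect()` before the first search would make that dependency explicit.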
@@ -421,7 +421,7 @@ def main():
            print(unicode(e))
 
         try:
-           entries_a, _truncated = smb.admin_conn.find_entries(
+           entries_a, _truncated = api.Backend.ldap2.find_entries(
                filter="", base_dn=agents_dn, attrs_list=['member'],
                scope=ldap.SCOPE_BASE)
         except errors.NotFound:
@@ -470,7 +470,7 @@ def main():
                 # Add the CIFS and host principals to the 'adtrust agents' group
                 # as 389-ds only operates with GroupOfNames, we have to use
                 # the principal's proper dn as defined in self.cifs_agent
-                service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
+                service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member",
                                                 [x[1] for x in new_agents])
                 print("""
 WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 7ccd302..2757037 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -207,7 +207,7 @@ def __add_admin_sids(self):
         admin_group_dn = DN(('cn', 'admins'), api.env.container_group,
                             self.suffix)
         try:
-            dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
+            dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn)
         except errors.NotFound:
             self.print_msg("Samba domain object not found")
             return
@@ -218,13 +218,13 @@ def __add_admin_sids(self):
             return
 
         try:
-            admin_entry = self.admin_conn.get_entry(admin_dn)
+            admin_entry = api.Backend.ldap2.get_entry(admin_dn)
         except errors.NotFound:
             self.print_msg("IPA admin object not found")
             return
 
         try:
-            admin_group_entry = self.admin_conn.get_entry(admin_group_dn)
+            admin_group_entry = api.Backend.ldap2.get_entry(admin_group_dn)
         except errors.NotFound:
             self.print_msg("IPA admin group object not found")
             return
@@ -233,9 +233,10 @@ def __add_admin_sids(self):
             self.print_msg("Admin SID already set, nothing to do")
         else:
             try:
-                self.admin_conn.modify_s(admin_dn, \
-                            [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
-                             (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
+                api.Backend.ldap2.modify_s(
+                    admin_dn,
+                    [(ldap.MOD_ADD, "objectclass", self.OBJC_USER),
+                     (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
             except Exception:
                 self.print_msg("Failed to modify IPA admin object")
 
@@ -243,9 +244,10 @@ def __add_admin_sids(self):
             self.print_msg("Admin group SID already set, nothing to do")
         else:
             try:
-                self.admin_conn.modify_s(admin_group_dn, \
-                            [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
-                             (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
+                api.Backend.ldap2.modify_s(
+                    admin_group_dn,
+                    [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP),
+                     (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
             except Exception:
                 self.print_msg("Failed to modify IPA admin group object")
 
@@ -254,7 +256,7 @@ def __add_default_trust_view(self):
                              api.env.container_views, self.suffix)
 
         try:
-            self.admin_conn.get_entry(default_view_dn)
+            api.Backend.ldap2.get_entry(default_view_dn)
         except errors.NotFound:
             try:
                 self._ldap_mod('default-trust-view.ldif', self.sub_dict)
@@ -267,7 +269,7 @@ def __add_default_trust_view(self):
         # _ldap_mod does not return useful error codes, so we must check again
         # if the default trust view was created properly.
         try:
-            self.admin_conn.get_entry(default_view_dn)
+            api.Backend.ldap2.get_entry(default_view_dn)
         except errors.NotFound:
             self.print_msg("Failed to add Default Trust View.")
 
@@ -283,7 +285,7 @@ def __add_fallback_group(self):
         server.
         """
         try:
-            dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
+            dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn)
         except errors.NotFound:
             self.print_msg("Samba domain object not found")
             return
@@ -295,7 +297,7 @@ def __add_fallback_group(self):
         fb_group_dn = DN(('cn', self.FALLBACK_GROUP_NAME),
                          api.env.container_group, self.suffix)
         try:
-            self.admin_conn.get_entry(fb_group_dn)
+            api.Backend.ldap2.get_entry(fb_group_dn)
         except errors.NotFound:
             try:
                 self._ldap_mod('default-smb-group.ldif', self.sub_dict)
@@ -306,14 +308,14 @@ def __add_fallback_group(self):
         # _ldap_mod does not return useful error codes, so we must check again
         # if the fallback group was created properly.
         try:
-            self.admin_conn.get_entry(fb_group_dn)
+            api.Backend.ldap2.get_entry(fb_group_dn)
         except errors.NotFound:
             self.print_msg("Failed to add fallback group.")
             return
 
         try:
             mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
-            self.admin_conn.modify_s(self.smb_dom_dn, mod)
+            api.Backend.ldap2.modify_s(self.smb_dom_dn, mod)
         except Exception:
             self.print_msg("Failed to add fallback group to domain object")
 
@@ -326,7 +328,7 @@ def __add_rid_bases(self):
 
         try:
             # Get the ranges
-            ranges = self.admin_conn.get_entries(
+            ranges = api.Backend.ldap2.get_entries(
                 DN(api.env.container_ranges, self.suffix),
                 ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)")
 
@@ -361,7 +363,7 @@ def __add_rid_bases(self):
             # If the RID bases would cause overlap with some other range,
             # this will be detected by ipa-range-check DS plugin
             try:
-                self.admin_conn.modify_s(local_range.dn,
+                api.Backend.ldap2.modify_s(local_range.dn,
                                          [(ldap.MOD_ADD, "ipaBaseRID",
                                                  str(self.rid_base)),
                                          (ldap.MOD_ADD, "ipaSecondaryBaseRID",
@@ -383,7 +385,7 @@ def __reset_netbios_name(self):
         self.print_msg("Reset NetBIOS domain name")
 
         try:
-            self.admin_conn.modify_s(self.smb_dom_dn,
+            api.Backend.ldap2.modify_s(self.smb_dom_dn,
                                      [(ldap.MOD_REPLACE, self.ATTR_FLAT_NAME,
                                        self.netbios_name)])
         except ldap.LDAPError:
@@ -392,7 +394,7 @@ def __reset_netbios_name(self):
     def __create_samba_domain_object(self):
 
         try:
-            self.admin_conn.get_entry(self.smb_dom_dn)
+            api.Backend.ldap2.get_entry(self.smb_dom_dn)
             if self.reset_netbios_name:
                 self.__reset_netbios_name()
             else :
@@ -405,7 +407,7 @@ def __create_samba_domain_object(self):
                        DN(('cn', 'ad'), self.trust_dn), \
                        DN(api.env.container_cifsdomains, self.suffix)):
             try:
-                self.admin_conn.get_entry(new_dn)
+                api.Backend.ldap2.get_entry(new_dn)
             except errors.NotFound:
                 try:
                     name = new_dn[1].attr
@@ -413,11 +415,11 @@ def __create_samba_domain_object(self):
                     self.print_msg('Cannot extract RDN attribute value from "%s": %s' % \
                           (new_dn, e))
                     return
-                entry = self.admin_conn.make_entry(
+                entry = api.Backend.ldap2.make_entry(
                     new_dn, objectclass=['nsContainer'], cn=[name])
-                self.admin_conn.add_entry(entry)
+                api.Backend.ldap2.add_entry(entry)
 
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             self.smb_dom_dn,
             {
                 'objectclass': [self.OBJC_DOMAIN, "nsContainer"],
@@ -428,7 +430,7 @@ def __create_samba_domain_object(self):
             }
         )
         #TODO: which MAY attributes do we want to set ?
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
 
     def __write_smb_conf(self):
         conf_fd = open(self.smb_conf, "w")
@@ -446,7 +448,7 @@ def __add_plugin_conf(self, name, plugin_cn, ldif_file):
         try:
             plugin_dn = DN(('cn', plugin_cn), ('cn', 'plugins'),
                            ('cn', 'config'))
-            self.admin_conn.get_entry(plugin_dn)
+            api.Backend.ldap2.get_entry(plugin_dn)
             self.print_msg('%s plugin already configured, nothing to do' % name)
         except errors.NotFound:
             try:
@@ -484,7 +486,7 @@ def __add_sids(self):
 
             # Wait for the task to complete
             task_dn = DN('cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config')
-            wait_for_task(self.admin_conn, task_dn)
+            wait_for_task(api.Backend.ldap2, task_dn)
 
         except Exception as e:
             root_logger.warning("Exception occured during SID generation: {0}"
@@ -498,11 +500,11 @@ def __add_s4u2proxy_target(self):
         targets_dn = DN(('cn', 'ipa-cifs-delegation-targets'), ('cn', 's4u2proxy'),
                         ('cn', 'etc'), self.suffix)
         try:
-            current = self.admin_conn.get_entry(targets_dn)
+            current = api.Backend.ldap2.get_entry(targets_dn)
             members = current.get('memberPrincipal', [])
             if not(self.cifs_principal in members):
                 current["memberPrincipal"] = members + [self.cifs_principal]
-                self.admin_conn.update_entry(current)
+                api.Backend.ldap2.update_entry(current)
             else:
                 self.print_msg('cifs principal already targeted, nothing to do.')
         except errors.NotFound:
@@ -531,8 +533,9 @@ def __setup_group_membership(self):
         # Add the CIFS and host principals to the 'adtrust agents' group
         # as 389-ds only operates with GroupOfNames, we have to use
         # the principal's proper dn as defined in self.cifs_agent
-        service.add_principals_to_group(self.admin_conn, self.smb_dn, "member",
-                                        [self.cifs_agent, self.host_princ])
+        service.add_principals_to_group(
+            api.Backend.ldap2, self.smb_dn, "member",
+            [self.cifs_agent, self.host_princ])
 
     def __setup_principal(self):
         try:
@@ -669,7 +672,7 @@ def __check_replica(self):
         try:
             cifs_services = DN(api.env.container_service, self.suffix)
             # Search for cifs services which also belong to adtrust agents, these are our DCs
-            res = self.admin_conn.get_entries(cifs_services,
+            res = api.Backend.ldap2.get_entries(cifs_services,
                 ldap.SCOPE_ONELEVEL,
                 "(&(krbprincipalname=cifs/*@%s)(memberof=%s))" % (self.realm, str(self.smb_dn)))
             if len(res) > 1:
@@ -693,11 +696,11 @@ def __enable_compat_tree(self):
             lookup_nsswitch_name = "schema-compat-lookup-nsswitch"
             for config in (("cn=users", "user"), ("cn=groups", "group")):
                 entry_dn = DN(config[0], compat_plugin_dn)
-                current = self.admin_conn.get_entry(entry_dn)
+                current = api.Backend.ldap2.get_entry(entry_dn)
                 lookup_nsswitch = current.get(lookup_nsswitch_name, [])
                 if not(config[1] in lookup_nsswitch):
                     current[lookup_nsswitch_name] = [config[1]]
-                    self.admin_conn.update_entry(current)
+                    api.Backend.ldap2.update_entry(current)
         except Exception as e:
             root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
 
@@ -774,14 +777,14 @@ def setup(self, fqdn, realm_name, netbios_name,
         self.__setup_sub_dict()
 
     def find_local_id_range(self):
-        if self.admin_conn.get_entries(
+        if api.Backend.ldap2.get_entries(
                 DN(api.env.container_ranges, self.suffix),
                 ldap.SCOPE_ONELEVEL,
                 "(objectclass=ipaDomainIDRange)"):
             return
 
         try:
-            entry = self.admin_conn.get_entry(
+            entry = api.Backend.ldap2.get_entry(
                 DN(('cn', 'admins'), api.env.container_group, self.suffix))
         except errors.NotFound:
             raise ValueError("No local ID range and no admins group found.\n" \
@@ -798,13 +801,13 @@ def find_local_id_range(self):
                         "(gidNumber<=%d)(gidNumner>=%d)))" % \
                      ((base_id - 1), (base_id + id_range_size),
                       (base_id - 1), (base_id + id_range_size))
-        if self.admin_conn.get_entries(DN(('cn', 'accounts'), self.suffix),
+        if api.Backend.ldap2.get_entries(DN(('cn', 'accounts'), self.suffix),
                                        ldap.SCOPE_SUBTREE, id_filter):
             raise ValueError("There are objects with IDs out of the expected" \
                              "range.\nAdd local ID range manually and try " \
                              "again!")
 
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             DN(
                 ('cn', ('%s_id_range' % self.realm)),
                 api.env.container_ranges, self.suffix),
@@ -813,7 +816,7 @@ def find_local_id_range(self):
             ipaBaseID=[str(base_id)],
             ipaIDRangeSize=[str(id_range_size)],
         )
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
 
     def create_instance(self):
         self.step("stopping smbd", self.__stop)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 7d6f3ba..8f118ad 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -864,10 +864,10 @@ def __add_self(self):
         self.__add_master_records(self.fqdn, self.ip_addresses)
 
     def __add_others(self):
-        entries = self.admin_conn.get_entries(
+        entries = api.Backend.ldap2.get_entries(
             DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                self.suffix),
-            self.admin_conn.SCOPE_ONELEVEL, None, ['dn'])
+            api.Backend.ldap2.SCOPE_ONELEVEL, None, ['dn'])
 
         for entry in entries:
             fqdn = entry.dn[0]['cn']
@@ -907,7 +907,7 @@ def __setup_principal(self):
         mod = [(ldap.MOD_ADD, 'member', dns_principal)]
 
         try:
-            self.admin_conn.modify_s(dns_group, mod)
+            api.Backend.ldap2.modify_s(dns_group, mod)
         except ldap.TYPE_OR_VALUE_EXISTS:
             pass
         except Exception as e:
@@ -922,7 +922,7 @@ def __setup_principal(self):
                (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
         try:
-            self.admin_conn.modify_s(dns_principal, mod)
+            api.Backend.ldap2.modify_s(dns_principal, mod)
         except Exception as e:
             root_logger.critical("Could not set principal's %s LDAP limits: %s" \
                     % (dns_principal, str(e)))
@@ -952,7 +952,7 @@ def __setup_named_conf(self):
         )
 
     def __setup_server_configuration(self):
-        ensure_dnsserver_container_exists(self.admin_conn, self.api)
+        ensure_dnsserver_container_exists(api.Backend.ldap2, self.api)
         try:
             self.api.Command.dnsserver_add(
                 self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(),
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1b7acef..178f130 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1196,8 +1196,8 @@ def is_renewal_master(self, fqdn=None):
                 ('cn', 'etc'), api.env.basedn)
         renewal_filter = '(ipaConfigString=caRenewalMaster)'
         try:
-            self.admin_conn.get_entries(base_dn=dn, filter=renewal_filter,
-                                        attrs_list=[])
+            api.Backend.ldap2.get_entries(base_dn=dn, filter=renewal_filter,
+                                          attrs_list=[])
         except errors.NotFound:
             return False
 
@@ -1211,13 +1211,13 @@ def set_renewal_master(self, fqdn=None):
                      api.env.basedn)
         filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
         try:
-            entries = self.admin_conn.get_entries(
+            entries = api.Backend.ldap2.get_entries(
                 base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString'])
         except errors.NotFound:
             entries = []
 
         dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn)
-        master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
+        master_entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])
 
         for entry in entries:
             if master_entry is not None and entry.dn == master_entry.dn:
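Review bot: The `master_entry is not None` guard below the new `get_entry` call at line 435 never takes the None path: `get_entry` signals a missing entry by raising `errors.NotFound`, which is exactly what the `except errors.NotFound` a few lines above relies on, so a missing `cn=CA,cn=<fqdn>` entry propagates as an exception instead of being skipped. If an absent master entry is meant to be tolerated, the fetch should be `try: master_entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])` / `except errors.NotFound: master_entry = None`; if not, the two guards are dead code and can go. set_renewal_master continues past the end of this hunk.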
@@ -1226,11 +1226,11 @@ def set_renewal_master(self, fqdn=None):
 
             entry['ipaConfigString'] = [x for x in entry['ipaConfigString']
                                         if x.lower() != 'carenewalmaster']
-            self.admin_conn.update_entry(entry)
+            api.Backend.ldap2.update_entry(entry)
 
         if master_entry is not None:
             master_entry['ipaConfigString'].append('caRenewalMaster')
-            self.admin_conn.update_entry(master_entry)
+            api.Backend.ldap2.update_entry(master_entry)
 
     @staticmethod
     def update_cert_config(nickname, cert):
@@ -1269,25 +1269,25 @@ def __create_ds_db(self):
 
         # replication
         dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             dn,
             objectclass=["top", "extensibleObject", "nsMappingTree"],
             cn=[suffix],
         )
         entry['nsslapd-state'] = ['Backend']
         entry['nsslapd-backend'] = [backend]
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
 
         # database
         dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
                 ('cn', 'config'))
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             dn,
             objectclass=["top", "extensibleObject", "nsBackendInstance"],
             cn=[backend],
         )
         entry['nsslapd-suffix'] = [suffix]
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
 
     def __setup_replication(self):
 
@@ -1450,7 +1450,7 @@ def __setup_lightweight_ca_key_retrieval_custodia(self):
 
     def __add_lightweight_ca_tracking_requests(self):
         try:
-            lwcas = self.admin_conn.get_entries(
+            lwcas = api.Backend.ldap2.get_entries(
                 base_dn=api.env.basedn,
                 filter='(objectclass=ipaca)',
                 attrs_list=['cn', 'ipacaid'],
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index a6c1013..0387bbc 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -286,7 +286,7 @@ def __setup_replica_keys(self):
         keylabel = replica_keylabel_template % DNSName(self.fqdn).\
             make_absolute().canonicalize().ToASCII()
 
-        ldap = self.admin_conn
+        ldap = api.Backend.ldap2
         dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
 
         with open(paths.DNSSEC_SOFTHSM_PIN, "r") as f:
@@ -434,7 +434,7 @@ def __setup_principal(self):
         mod = [(ldap.MOD_ADD, 'member', dnssynckey_principal_dn)]
 
         try:
-            self.admin_conn.modify_s(dns_group, mod)
+            api.Backend.ldap2.modify_s(dns_group, mod)
         except ldap.TYPE_OR_VALUE_EXISTS:
             pass
         except Exception as e:
@@ -450,7 +450,7 @@ def __setup_principal(self):
                (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
         try:
-            self.admin_conn.modify_s(dnssynckey_principal_dn, mod)
+            api.Backend.ldap2.modify_s(dnssynckey_principal_dn, mod)
         except Exception as e:
             self.logger.critical("Could not set principal's %s LDAP limits: %s"
                                  % (dnssynckey_principal_dn, str(e)))
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 2890b4b..4c51396 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -30,7 +30,7 @@
 from pki.client import PKIConnection
 import pki.system
 
-from ipalib import errors
+from ipalib import api, errors
 
 from ipaplatform import services
 from ipaplatform.constants import constants
@@ -419,12 +419,12 @@ def handle_setup_error(self, e):
 
     def __add_admin_to_group(self, group):
         dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca'))
-        entry = self.admin_conn.get_entry(dn)
+        entry = api.Backend.ldap2.get_entry(dn)
         members = entry.get('uniqueMember', [])
         members.append(self.admin_dn)
         mod = [(ldap.MOD_REPLACE, 'uniqueMember', members)]
         try:
-            self.admin_conn.modify_s(dn, mod)
+            api.Backend.ldap2.modify_s(dn, mod)
         except ldap.TYPE_OR_VALUE_EXISTS:
             # already there
             pass
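Review bot: The `modify_s` call at line 547 replaces `uniqueMember` with a list that unconditionally has `self.admin_dn` appended, so when the admin is already a member the replacement list carries a duplicate value; whether the server rejects that (which is what the `TYPE_OR_VALUE_EXISTS` branch here appears to expect) or silently accepts it is server-dependent, and I cannot tell from the hunk. A guard before the modlist is built, `if self.admin_dn in members: return`, makes the idempotent case explicit and leaves the exception branch for genuine races.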
@@ -437,12 +437,12 @@ def setup_admin(self):
 
         # remove user if left-over exists
         try:
-            entry = self.admin_conn.delete_entry(self.admin_dn)
+            entry = api.Backend.ldap2.delete_entry(self.admin_dn)
         except errors.NotFound:
             pass
 
         # add user
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             self.admin_dn,
             objectclass=["top", "person", "organizationalPerson",
                          "inetOrgPerson", "cmsuser"],
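Review bot: The result of the `delete_entry` call at line 556 is bound to `entry` and then immediately shadowed by the `make_entry` result, so the binding is dead; write it as `api.Backend.ldap2.delete_entry(self.admin_dn)`. This is the same line the commit already rewrites, so it is a cheap tidy-up. setup_admin starts and ends outside this hunk.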
@@ -454,7 +454,7 @@ def setup_admin(self):
             userPassword=[self.admin_password],
             userstate=['1']
         )
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
 
         for group in self.admin_groups:
             self.__add_admin_to_group(group)
@@ -470,7 +470,7 @@ def __remove_admin_from_group(self, group):
         dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca'))
         mod = [(ldap.MOD_DELETE, 'uniqueMember', self.admin_dn)]
         try:
-            self.admin_conn.modify_s(dn, mod)
+            api.Backend.ldap2.modify_s(dn, mod)
         except ldap.NO_SUCH_ATTRIBUTE:
             # already removed
             pass
@@ -478,7 +478,7 @@ def __remove_admin_from_group(self, group):
     def teardown_admin(self):
         for group in self.admin_groups:
             self.__remove_admin_from_group(group)
-        self.admin_conn.delete_entry(self.admin_dn)
+        api.Backend.ldap2.delete_entry(self.admin_dn)
 
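Review bot: `teardown_admin` at line 585 removes the temporary admin entry only after every group removal succeeds and, unlike `setup_admin`, does not tolerate `errors.NotFound`; an exception from `__remove_admin_from_group` leaves the privileged `self.admin_dn` user in place, and a second teardown against an already-removed entry raises. Since this is the cleanup of a privileged account, the entry delete belongs in a `finally` and should accept NotFound so that teardown is idempotent and the account does not outlive the install step. The group-removal loop can stay as it is; only the ordering and the exception handling around the delete change.
```python
    def teardown_admin(self):
        try:
            for group in self.admin_groups:
                self.__remove_admin_from_group(group)
        finally:
            # always drop the temporary admin entry, even if a group
            # removal failed; a missing entry means it is already gone
            try:
                api.Backend.ldap2.delete_entry(self.admin_dn)
            except errors.NotFound:
                pass
```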
     def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
         config.set(self.subsystem, "pki_ds_ldaps_port", "636")
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index d27eba1..0521652 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -433,13 +433,13 @@ def __configure_sasl_mappings(self):
         # they may conflict.
 
         try:
-            res = self.admin_conn.get_entries(
+            res = api.Backend.ldap2.get_entries(
                 DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')),
-                self.admin_conn.SCOPE_ONELEVEL,
+                api.Backend.ldap2.SCOPE_ONELEVEL,
                 "(objectclass=nsSaslMapping)")
             for r in res:
                 try:
-                    self.admin_conn.delete_entry(r)
+                    api.Backend.ldap2.delete_entry(r)
                 except Exception as e:
                     root_logger.critical(
                         "Error during SASL mapping removal: %s", e)
@@ -448,7 +448,7 @@ def __configure_sasl_mappings(self):
             root_logger.critical("Error while enumerating SASL mappings %s", e)
             raise
 
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             DN(
                 ('cn', 'Full Principal'), ('cn', 'mapping'), ('cn', 'sasl'),
                 ('cn', 'config')),
@@ -459,9 +459,9 @@ def __configure_sasl_mappings(self):
             nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'],
             nsSaslMapPriority=['10'],
         )
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
 
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             DN(
                 ('cn', 'Name Only'), ('cn', 'mapping'), ('cn', 'sasl'),
                 ('cn', 'config')),
@@ -472,7 +472,7 @@ def __configure_sasl_mappings(self):
             nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm],
             nsSaslMapPriority=['10'],
         )
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
 
     def __update_schema(self):
         # FIXME: https://fedorahosted.org/389/ticket/47490
@@ -1096,7 +1096,7 @@ def add_sidgen_plugin(self, suffix):
         """
         dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config')
         try:
-            self.admin_conn.get_entry(dn)
+            api.Backend.ldap2.get_entry(dn)
         except errors.NotFound:
             self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix))
         else:
@@ -1114,7 +1114,7 @@ def add_extdom_plugin(self, suffix):
         """
         dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config')
         try:
-            self.admin_conn.get_entry(dn)
+            api.Backend.ldap2.get_entry(dn)
         except errors.NotFound:
             self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix))
         else:
@@ -1123,14 +1123,14 @@ def add_extdom_plugin(self, suffix):
     def replica_populate(self):
         dn = DN(('cn', 'default'), ('ou', 'profile'), self.suffix)
         try:
-            entry = self.admin_conn.get_entry(dn)
+            entry = api.Backend.ldap2.get_entry(dn)
             srvlist = entry.single_value.get('defaultServerList', '')
             srvlist = srvlist.split()
             if not self.fqdn in srvlist:
                 srvlist.append(self.fqdn)
                 attr = ' '.join(srvlist)
                 mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)]
-                self.admin_conn.modify_s(dn, mod)
+                api.Backend.ldap2.modify_s(dn, mod)
         except errors.NotFound:
             pass
         except ldap.TYPE_OR_VALUE_EXISTS:
@@ -1284,7 +1284,7 @@ def update_dna_shared_config(self, method="SASL/GSSAPI", protocol="LDAP"):
                         ('cn', 'config'))
         dna_config_base = DN(('cn', 'posix IDs'), dna_plugin)
 
-        conn = self.admin_conn
+        conn = api.Backend.ldap2
 
         # Check the plugin is enabled else it is useless to update
         # the shared entry
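Review bot: `conn` at line 684 is now the shared `api.Backend.ldap2` backend, yet the signature keeps `method="SASL/GSSAPI"` and `protocol="LDAP"`, which read as describing how the connection is made; I cannot see from the hunk whether the rest of `update_dna_shared_config` still consumes them. If they only fed the old connection, a docstring line stating that they no longer affect how the server is reached (the global backend's existing bind is used) would stop callers from assuming otherwise. The function continues past the end of this hunk.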
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bd19621..a0cc671 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -386,7 +386,8 @@ def enable_kdcproxy(self):
         attr_name = 'kdcProxyEnabled'
 
         try:
-            entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+            entry = api.Backend.ldap2.get_entry(
+                entry_name, ['ipaConfigString'])
         except errors.NotFound:
             pass
         else:
@@ -397,7 +398,7 @@ def enable_kdcproxy(self):
 
             entry.setdefault('ipaConfigString', []).append(attr_name)
             try:
-                self.admin_conn.update_entry(entry)
+                api.Backend.ldap2.update_entry(entry)
             except errors.EmptyModlist:
                 root_logger.debug("service KDCPROXY already enabled")
                 return
@@ -408,7 +409,7 @@ def enable_kdcproxy(self):
             root_logger.debug("service KDCPROXY enabled")
             return
 
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             entry_name,
             objectclass=["nsContainer", "ipaConfigObject"],
             cn=['KDC'],
@@ -416,7 +417,7 @@ def enable_kdcproxy(self):
         )
 
         try:
-            self.admin_conn.add_entry(entry)
+            api.Backend.ldap2.add_entry(entry)
         except errors.DuplicateEntry:
             root_logger.debug("failed to add service KDCPROXY entry")
             raise
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 85ae57d..4c77e25 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -102,9 +102,10 @@ def uninstall(standalone):
 
     if standalone:
         try:
-            kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
-                                           ('cn', 'masters'), ('cn', 'ipa'),
-                                           ('cn', 'etc'), api.env.basedn))
+            api.Backend.ldap2.delete_entry(
+                DN(('cn', 'KRA'), ('cn', api.env.host),
+                   ('cn', 'masters'), ('cn', 'ipa'),
+                   ('cn', 'etc'), api.env.basedn))
         except errors.NotFound:
             pass
 
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c53657e..2bd385e 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -31,6 +31,7 @@
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import kernel_keyring
+from ipalib import api
 from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
@@ -81,14 +82,14 @@ def move_service_to_host(self, principal):
         """
 
         service_dn = DN(('krbprincipalname', principal), self.get_realm_suffix())
-        service_entry = self.admin_conn.get_entry(service_dn)
-        self.admin_conn.delete_entry(service_entry)
+        service_entry = api.Backend.ldap2.get_entry(service_dn)
+        api.Backend.ldap2.delete_entry(service_entry)
 
         # Create a host entry for this master
         host_dn = DN(
             ('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'),
             self.suffix)
-        host_entry = self.admin_conn.make_entry(
+        host_entry = api.Backend.ldap2.make_entry(
             host_dn,
             objectclass=[
                'top', 'ipaobject', 'nshost', 'ipahost', 'ipaservice',
@@ -110,7 +111,7 @@ def move_service_to_host(self, principal):
                 'krbpasswordexpiration']
         if 'krbticketflags' in service_entry:
             host_entry['krbticketflags'] = service_entry['krbticketflags']
-        self.admin_conn.add_entry(host_entry)
+        api.Backend.ldap2.add_entry(host_entry)
 
         # Add the host to the ipaserver host group
         ld = ldapupdate.LDAPUpdate(ldapi=True)
@@ -369,9 +370,9 @@ def __add_anonymous_pkinit_principal(self):
         # Create the special anonymous principal
         installutils.kadmin_addprinc(princ_realm)
         dn = DN(('krbprincipalname', princ_realm), self.get_realm_suffix())
-        entry = self.admin_conn.get_entry(dn)
+        entry = api.Backend.ldap2.get_entry(dn)
         entry['nsAccountlock'] = ['TRUE']
-        self.admin_conn.update_entry(entry)
+        api.Backend.ldap2.update_entry(entry)
 
     def __convert_to_gssapi_replication(self):
         repl = replication.ReplicationManager(self.realm,
diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py
index f0d9034..a12f1fc 100644
--- a/ipaserver/install/odsexporterinstance.py
+++ b/ipaserver/install/odsexporterinstance.py
@@ -114,7 +114,7 @@ def __setup_principal(self):
         mod = [(ldap.MOD_ADD, 'member', dns_exporter_principal_dn)]
 
         try:
-            self.admin_conn.modify_s(dns_group, mod)
+            api.Backend.ldap2.modify_s(dns_group, mod)
         except ldap.TYPE_OR_VALUE_EXISTS:
             pass
         except Exception as e:
@@ -129,7 +129,7 @@ def __setup_principal(self):
                (ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
                (ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
         try:
-            self.admin_conn.modify_s(dns_exporter_principal_dn, mod)
+            api.Backend.ldap2.modify_s(dns_exporter_principal_dn, mod)
         except Exception as e:
             root_logger.critical("Could not set principal's %s LDAP limits: %s"
                                  % (dns_exporter_principal_dn, str(e)))
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 7f3269f..ea6cb51 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -82,7 +82,7 @@ def __init__(self, fstore=None):
     suffix = ipautil.dn_attribute_property('_suffix')
 
     def get_masters(self):
-        return get_dnssec_key_masters(self.admin_conn)
+        return get_dnssec_key_masters(api.Backend.ldap2)
 
     def create_instance(self, fqdn, realm_name, generate_master_key=True,
                         kasp_db_file=None):
@@ -145,7 +145,7 @@ def __enable(self):
         dn = DN(('cn', 'DNSSEC'), ('cn', self.fqdn), api.env.container_masters,
                 api.env.basedn)
         try:
-            entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
+            entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])
         except errors.NotFound as e:
             root_logger.error(
                 "DNSSEC service entry not found in the LDAP (%s)", e)
@@ -153,7 +153,7 @@ def __enable(self):
             config = entry.setdefault('ipaConfigString', [])
             if KEYMASTER not in config:
                 config.append(KEYMASTER)
-                self.admin_conn.update_entry(entry)
+                api.Backend.ldap2.update_entry(entry)
 
     def __setup_conf_files(self):
         if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE):
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index c2b8e00..44b0041 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -149,13 +149,6 @@ def __init__(self, service_name, service_desc=None, sstore=None):
         self.principal = None
         self.dercert = None
 
-    @property
-    def admin_conn(self):
-        """
-        alias for api.Backend.ldap2
-        """
-        return api.Backend.ldap2
-
     def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
                   ldap_uri=None, dm_password=None):
         pw_name = None
@@ -179,7 +172,7 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
         # As we always connect to the local host,
         # use URI of admin connection
         if not ldap_uri:
-            ldap_uri = self.admin_conn.ldap_uri
+            ldap_uri = api.Backend.ldap2.ldap_uri
 
         args += ["-H", ldap_uri]
 
@@ -216,21 +209,21 @@ def move_service(self, principal):
 
         dn = DN(('krbprincipalname', principal), ('cn', self.realm), ('cn', 'kerberos'), self.suffix)
         try:
-            entry = self.admin_conn.get_entry(dn)
+            entry = api.Backend.ldap2.get_entry(dn)
         except errors.NotFound:
             # There is no service in the wrong location, nothing to do.
             # This can happen when installing a replica
             return None
         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
-        self.admin_conn.delete_entry(entry)
+        api.Backend.ldap2.delete_entry(entry)
         entry.dn = newdn
         classes = entry.get("objectclass")
         classes = classes + ["ipaobject", "ipaservice", "pkiuser"]
         entry["objectclass"] = list(set(classes))
         entry["ipauniqueid"] = ['autogenerate']
         entry["managedby"] = [hostdn]
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
         return newdn
 
     def add_simple_service(self, principal):
@@ -241,7 +234,7 @@ def add_simple_service(self, principal):
         """
         dn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             dn,
             objectclass=[
                 "krbprincipal", "krbprincipalaux", "krbticketpolicyaux",
@@ -250,7 +243,7 @@ def add_simple_service(self, principal):
             ipauniqueid=['autogenerate'],
             managedby=[hostdn],
         )
-        self.admin_conn.add_entry(entry)
+        api.Backend.ldap2.add_entry(entry)
         return dn
 
     def add_cert_to_service(self):
@@ -261,16 +254,16 @@ def add_cert_to_service(self):
         """
         dn = DN(('krbprincipalname', self.principal), ('cn', 'services'),
                 ('cn', 'accounts'), self.suffix)
-        entry = self.admin_conn.get_entry(dn)
+        entry = api.Backend.ldap2.get_entry(dn)
         entry.setdefault('userCertificate', []).append(self.dercert)
         try:
-            self.admin_conn.update_entry(entry)
+            api.Backend.ldap2.update_entry(entry)
         except Exception as e:
             root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
 
     def import_ca_certs(self, db, ca_is_configured, conn=None):
         if conn is None:
-            conn = self.admin_conn
+            conn = api.Backend.ldap2
 
         try:
             ca_certs = certstore.get_ca_certs_nss(
@@ -423,7 +416,8 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',
 
         # enable disabled service
         try:
-            entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+            entry = api.Backend.ldap2.get_entry(
+                entry_name, ['ipaConfigString'])
         except errors.NotFound:
             pass
         else:
@@ -435,7 +429,7 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',
             entry.setdefault('ipaConfigString', []).append(u'enabledService')
 
             try:
-                self.admin_conn.update_entry(entry)
+                api.Backend.ldap2.update_entry(entry)
             except errors.EmptyModlist:
                 root_logger.debug("service %s startup entry already enabled", name)
                 return
@@ -447,7 +441,7 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',
             return
 
         order = SERVICE_LIST[name][1]
-        entry = self.admin_conn.make_entry(
+        entry = api.Backend.ldap2.make_entry(
             entry_name,
             objectclass=["nsContainer", "ipaConfigObject"],
             cn=[name],
@@ -456,7 +450,7 @@ def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',
         )
 
         try:
-            self.admin_conn.add_entry(entry)
+            api.Backend.ldap2.add_entry(entry)
         except (errors.DuplicateEntry) as e:
             root_logger.debug("failed to add service %s startup entry", name)
             raise e
@@ -467,13 +461,13 @@ def ldap_disable(self, name, fqdn, ldap_suffix):
         entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
                         ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
         search_kw = {'ipaConfigString': u'enabledService'}
-        filter = self.admin_conn.make_filter(search_kw)
+        filter = api.Backend.ldap2.make_filter(search_kw)
         try:
-            entries, _truncated = self.admin_conn.find_entries(
+            entries, _truncated = api.Backend.ldap2.find_entries(
                 filter=filter,
                 attrs_list=['ipaConfigString'],
                 base_dn=entry_dn,
-                scope=self.admin_conn.SCOPE_BASE)
+                scope=api.Backend.ldap2.SCOPE_BASE)
         except errors.NotFound:
             root_logger.debug("service %s startup entry already disabled", name)
             return
@@ -488,7 +482,7 @@ def ldap_disable(self, name, fqdn, ldap_suffix):
                 break
 
         try:
-            self.admin_conn.update_entry(entry)
+            api.Backend.ldap2.update_entry(entry)
         except errors.EmptyModlist:
             pass
         except:
@@ -501,7 +495,7 @@ def ldap_remove_service_container(self, name, fqdn, ldap_suffix):
         entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
                         ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
         try:
-            self.admin_conn.delete_entry(entry_dn)
+            api.Backend.ldap2.delete_entry(entry_dn)
         except errors.NotFound:
             root_logger.debug("service %s container already removed", name)
         else:

From 47adf27f4c5750c15ccdb7df5a24e69b243e46ee Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Wed, 9 Nov 2016 12:23:36 +0100
Subject: [PATCH 2/2] upgrade: ldap conn management

Establish a connection at the start of the upgrade. If ds is not
running, start it. When the upgrade finishes, restore the ds to
its previous state. Remove all other unnecessary starts/stops and
checks for directory server state.

https://fedorahosted.org/freeipa/ticket/6461
---
 ipaserver/install/ipa_server_upgrade.py | 19 ++++++++++++++++---
 ipaserver/install/server/upgrade.py     | 25 -------------------------
 2 files changed, 16 insertions(+), 28 deletions(-)

diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py
index f03f95a..3a58c5c 100644
--- a/ipaserver/install/ipa_server_upgrade.py
+++ b/ipaserver/install/ipa_server_upgrade.py
@@ -5,6 +5,7 @@
 from ipalib import api
 from ipaplatform.paths import paths
 from ipapython import admintool
+from ipaserver.install import dsinstance
 from ipaserver.install import installutils
 from ipaserver.install import server
 
@@ -40,15 +41,27 @@ def run(self):
 
         api.bootstrap(in_server=True, context='updates')
         api.finalize()
-        api.Backend.ldap2.connect()
+
+        # check if DS server is running
+        ds = dsinstance.DsInstance()
+        ds_running = ds.is_running()
+        ds_serverid = installutils.realm_to_serverid(api.env.realm)
+        if not ds_running:
+            ds.start(ds_serverid)  # automatically connects api.Backend.ldap2
+        else:
+            api.Backend.ldap2.connect()
 
         try:
             server.upgrade_check(self.options)
             server.upgrade()
         except RuntimeError as e:
             raise admintool.ScriptError(str(e))
-
-        api.Backend.ldap2.disconnect()
+        finally:
+            # restore previous ds state
+            if not ds_running:
+                ds.stop(ds_serverid)
+            else:
+                api.Backend.ldap2.disconnect()
 
     def handle_error(self, exception):
         if not isinstance(exception, SystemExit):
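Review bot: The restore in `finally` decides from the pre-upgrade `ds_running` flag only, while `upgrade_configuration` changes the instance state itself during the run (the `ds.start(ds_serverid)` that stays after `remove_ds_ra_cert` implies a stop shortly before), so an exception raised while DS is down on a server that was running beforehand takes the `else` branch, merely disconnects, and leaves the directory server — and with it the KDC, HTTP and CA that depend on it — stopped; the removed end-of-upgrade check re-read `ds.is_running()` for exactly this case and should move here rather than disappear. A `ds.stop()` or `disconnect()` failing inside `finally` would also replace the upgrade's own exception (no chaining on Python 2), so log the in-flight error first or guard the restore with its own try/except. The comment on `ds.start(ds_serverid)` relies on `DsInstance.start` connecting `api.Backend.ldap2`, which is not visible in this diff; if that side effect is not guaranteed, `server.upgrade_check` runs against an unconnected backend, and an explicit `if not api.Backend.ldap2.isconnected(): api.Backend.ldap2.connect()` after the start costs nothing (assuming the backend offers `isconnected()` like the other Connectible backends). `run` begins before this hunk.
```python
        # … unchanged: try body with upgrade_check()/upgrade() and the
        # RuntimeError -> ScriptError wrapping …
        finally:
            # Restore whatever state the upgrade left DS in, not only the
            # state recorded before it ran: upgrade_configuration stops and
            # starts the instance itself and may raise in between.
            if ds_running and not ds.is_running():
                ds.start(ds_serverid)
            elif not ds_running and ds.is_running():
                ds.stop(ds_serverid)
            if api.Backend.ldap2.isconnected():
                api.Backend.ldap2.disconnect()
```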
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index bea1276..a614f66 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -25,7 +25,6 @@
 from ipaplatform import services
 from ipaplatform.tasks import tasks
 from ipapython import ipautil, sysrestore, version, certdb
-from ipapython import ipaldap
 from ipapython.ipa_log_manager import root_logger
 from ipapython import certmonger
 from ipapython import dnsutil
@@ -1508,11 +1507,6 @@ def upgrade_configuration():
     ds_serverid = installutils.realm_to_serverid(api.env.realm)
     ds = dsinstance.DsInstance()
 
-    # start DS, CA will not start without running DS, and cause error
-    ds_running = ds.is_running()
-    if not ds_running:
-        ds.start(ds_serverid)
-
     check_certs()
 
     auto_redirect = find_autoredirect(fqdn)
@@ -1606,9 +1600,6 @@ def upgrade_configuration():
     remove_ds_ra_cert(subject_base)
     ds.start(ds_serverid)
 
-    # Force enabling plugins via LDAPI and external bind
-    ds.ldapi = True
-    ds.autobind = ipaldap.AUTOBIND_ENABLED
     ds.fqdn = fqdn
     ds.realm = api.env.realm
     ds.suffix = ipautil.realm_to_suffix(api.env.realm)
@@ -1617,14 +1608,8 @@ def upgrade_configuration():
     ds_enable_sidgen_extdom_plugins(ds)
     ds.update_dna_shared_config()
 
-    # Now 389-ds is available, run the remaining http tasks
     if not http.is_kdcproxy_configured():
         root_logger.info('[Enabling KDC Proxy]')
-        if http.admin_conn is None:
-             # 389-ds needs to be running
-            ds.start()
-            http.ldapi = True
-            http.suffix = ipautil.realm_to_suffix(api.env.realm)
         httpinstance.create_kdcproxy_user()
         http.create_kdcproxy_conf()
         http.enable_kdcproxy()
@@ -1646,12 +1631,8 @@ def upgrade_configuration():
     )
 
     for service, ldap_name in simple_service_list:
-        service.ldapi = True
         try:
             if not service.is_configured():
-                # 389-ds needs to be running to create the instances
-                # because we record the new service in cn=masters.
-                ds.start()
                 service.create_instance(ldap_name, fqdn,
                                         ipautil.realm_to_suffix(api.env.realm),
                                         realm=api.env.realm)
@@ -1662,7 +1643,6 @@ def upgrade_configuration():
     if bindinstance.named_conf_exists():
             dnskeysyncd = dnskeysyncinstance.DNSKeySyncInstance(fstore)
             if not dnskeysyncd.is_configured():
-                ds.start()
                 dnskeysyncd.create_instance(fqdn, api.env.realm)
                 dnskeysyncd.start_dnskeysyncd()
 
@@ -1750,11 +1730,6 @@ def upgrade_configuration():
 
     set_sssd_domain_option('ipa_server_mode', 'True')
 
-    if ds_running and not ds.is_running():
-        ds.start(ds_serverid)
-    elif not ds_running and ds.is_running():
-        ds.stop(ds_serverid)
-
     if ca.is_configured():
         if ca_running and not ca.is_running():
             ca.start('pki-tomcat')
-- 