[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults

2017-03-08 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/492
Author: HonzaCholasta
 Title: #492: [WIP] config: remove meaningless defaults
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/492/head:pr492
git checkout pr492
From a6ac65697b212a02e3032d34bcc847a56d757afa Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:44:04 +
Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP
 connections

Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
---
 ipaserver/plugins/migration.py | 15 +--
 ipaserver/plugins/user.py  | 12 +---
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index 72abd14..e8d102a 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -28,13 +28,9 @@
 from ipalib.cli import to_cli
 from ipalib.plugable import Registry
 from .user import NO_UPG_MAGIC
-if api.env.in_server and api.env.context in ['lite', 'server']:
-try:
-from ipaserver.plugins.ldap2 import ldap2
-except Exception as e:
-raise e
 from ipalib import _
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import write_tmp_file
 from ipapython.kerberos import Principal
 import datetime
@@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options):
 return dict(result={}, failed={}, enabled=False, compat=True)
 
 # connect to DS
-ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
-
 cacert = None
 if options.get('cacertfile') is not None:
 # store CA cert into file
@@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options):
 cacert = tmp_ca_cert_f.name
 
 # start TLS connection
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
-cacert=cacert)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 tmp_ca_cert_f.close()
 else:
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 # check whether the compat plugin is enabled
 if not options.get('compat'):
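Review bot: The two new branches at the end of this hunk build and bind `ds_ldap` identically, `ds_ldap = LDAPClient(ldapuri, cacert=cacert)` followed by `ds_ldap.simple_bind(options['binddn'], bindpw)`, with `cacert` simply `None` in the else branch, so the pair can be hoisted below the if/else and the else branch dropped. Separately, the `# start TLS connection` comment above the first branch is no longer backed by the code: `LDAPClient` only receives `cacert`, so whether the simple bind, which sends `bindpw` to the remote server, travels over TLS now depends solely on the scheme in `ldapuri`; if TLS is intended regardless of the scheme, `LDAPClient`'s `start_tls` flag is the place to request it, otherwise reword the comment to `# connect, trusting the supplied CA certificate`. `execute` continues outside the hunk on both sides, so I cannot see whether `ds_ldap` is closed on the error paths that follow. The same hunk recurs in the two later copies of this patch below.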
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 2d29dfb..afaa828 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -21,7 +21,7 @@
 import time
 from time import gmtime, strftime
 import posixpath
-import os
+
 import six
 
 from ipalib import api
@@ -63,12 +63,10 @@
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipalib.capabilities import client_has_capability
 
-if api.env.in_server:
-from ipaserver.plugins.ldap2 import ldap2
-
 if six.PY3:
 unicode = str
 
@@ -1124,9 +1122,9 @@ def execute(self, *keys, **options):
 if host == api.env.host:
 other_ldap = self.obj.backend
 else:
-other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host)
 try:
-other_ldap.connect(ccache=os.environ['KRB5CCNAME'])
+other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
+other_ldap.gssapi_bind()
 except Exception as e:
 self.error("user_status: Connecting to %s failed with %s" % (host, str(e)))
 newresult = {'dn': dn}
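Review bot: Moving the `LDAPClient(...)` construction inside the `try` leaves `other_ldap` unbound when that line raises, whereas the removed `ldap2(...)` line created the object before the `try`; if the `except` branch falls through rather than `continue`-ing (its tail is outside the hunk), the `other_ldap.close()` introduced in the next hunk would then fail with `UnboundLocalError`. Keeping `other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)` ahead of `try:` and leaving only `other_ldap.gssapi_bind()` inside it preserves the old shape. The explicit `ccache=os.environ['KRB5CCNAME']` is also gone; the bare `gssapi_bind()` presumably picks up the same default credential cache, but a comment such as `# binds with the process' default Kerberos ccache` would record that for the next reader. The enclosing `execute` starts and ends outside the hunk; the same change appears in the two later copies of this patch below.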
@@ -1171,7 +1169,7 @@ def execute(self, *keys, **options):
 count += 1
 
 if host != api.env.host:
-other_ldap.disconnect()
+other_ldap.close()
 
 return dict(result=entries,
 count=count,

From ceacb79493bd1ffa0c048a58bf97a9f161081a79 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:52:51 +
Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc
 ldap2 connections

Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.
---
 ipaserver/install/cainstance.py  | 19 +--
 ipaserver/install/krainstance.py |  4 +---
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 0991883..b3aeec6 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -726,9 +726,7 @@ def __create_ca_agent(self):
 cert_data = 

[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults

2017-02-26 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/492
Author: HonzaCholasta
 Title: #492: [WIP] config: remove meaningless defaults
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/492/head:pr492
git checkout pr492
From f054783ed7f632f6f676fe2d3fec1c486163e956 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:44:04 +
Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP
 connections

Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
---
 ipaserver/plugins/migration.py | 15 +--
 ipaserver/plugins/user.py  | 11 ---
 2 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index 72abd14..e8d102a 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -28,13 +28,9 @@
 from ipalib.cli import to_cli
 from ipalib.plugable import Registry
 from .user import NO_UPG_MAGIC
-if api.env.in_server and api.env.context in ['lite', 'server']:
-try:
-from ipaserver.plugins.ldap2 import ldap2
-except Exception as e:
-raise e
 from ipalib import _
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import write_tmp_file
 from ipapython.kerberos import Principal
 import datetime
@@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options):
 return dict(result={}, failed={}, enabled=False, compat=True)
 
 # connect to DS
-ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
-
 cacert = None
 if options.get('cacertfile') is not None:
 # store CA cert into file
@@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options):
 cacert = tmp_ca_cert_f.name
 
 # start TLS connection
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
-cacert=cacert)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 tmp_ca_cert_f.close()
 else:
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 # check whether the compat plugin is enabled
 if not options.get('compat'):
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 88171cf..4c4b7d3 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -21,7 +21,6 @@
 import time
 from time import gmtime, strftime
 import posixpath
-import os
 
 import six
 
@@ -62,12 +61,10 @@
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipalib.capabilities import client_has_capability
 
-if api.env.in_server:
-from ipaserver.plugins.ldap2 import ldap2
-
 if six.PY3:
 unicode = str
 
@@ -1115,9 +1112,9 @@ def execute(self, *keys, **options):
 if host == api.env.host:
 other_ldap = self.obj.backend
 else:
-other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host)
 try:
-other_ldap.connect(ccache=os.environ['KRB5CCNAME'])
+other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
+other_ldap.gssapi_bind()
 except Exception as e:
 self.error("user_status: Connecting to %s failed with %s" % (host, str(e)))
 newresult = {'dn': dn}
@@ -1162,7 +1159,7 @@ def execute(self, *keys, **options):
 count += 1
 
 if host != api.env.host:
-other_ldap.disconnect()
+other_ldap.close()
 
 return dict(result=entries,
 count=count,

From 6ea9124b9bec0abd30236082d692f12e2b2fec1f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:52:51 +
Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc
 ldap2 connections

Use the default URI from api.env.ldap_uri, as it is the same as the URI
provided using the argument.
---
 ipaserver/install/cainstance.py  | 19 +--
 ipaserver/install/krainstance.py |  4 +---
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6e3f995..e464263 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -706,9 +706,7 @@ def __create_ca_agent(self):
 cert = x509.load_certificate(cert_data, x509.DER)
 
 # connect to CA database
-server_id = 

[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults

2017-02-23 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/492
Author: HonzaCholasta
 Title: #492: [WIP] config: remove meaningless defaults
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/492/head:pr492
git checkout pr492
From a5bfc0b734466ea5a8a9447fd1a916fa85462922 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:44:04 +
Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP
 connections

Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
---
 ipaserver/plugins/migration.py | 15 +--
 ipaserver/plugins/user.py  | 11 ---
 2 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index 72abd14..e8d102a 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -28,13 +28,9 @@
 from ipalib.cli import to_cli
 from ipalib.plugable import Registry
 from .user import NO_UPG_MAGIC
-if api.env.in_server and api.env.context in ['lite', 'server']:
-try:
-from ipaserver.plugins.ldap2 import ldap2
-except Exception as e:
-raise e
 from ipalib import _
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import write_tmp_file
 from ipapython.kerberos import Principal
 import datetime
@@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options):
 return dict(result={}, failed={}, enabled=False, compat=True)
 
 # connect to DS
-ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
-
 cacert = None
 if options.get('cacertfile') is not None:
 # store CA cert into file
@@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options):
 cacert = tmp_ca_cert_f.name
 
 # start TLS connection
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
-cacert=cacert)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 tmp_ca_cert_f.close()
 else:
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 # check whether the compat plugin is enabled
 if not options.get('compat'):
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 88171cf..4c4b7d3 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -21,7 +21,6 @@
 import time
 from time import gmtime, strftime
 import posixpath
-import os
 
 import six
 
@@ -62,12 +61,10 @@
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipalib.capabilities import client_has_capability
 
-if api.env.in_server:
-from ipaserver.plugins.ldap2 import ldap2
-
 if six.PY3:
 unicode = str
 
@@ -1115,9 +1112,9 @@ def execute(self, *keys, **options):
 if host == api.env.host:
 other_ldap = self.obj.backend
 else:
-other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host)
 try:
-other_ldap.connect(ccache=os.environ['KRB5CCNAME'])
+other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
+other_ldap.gssapi_bind()
 except Exception as e:
 self.error("user_status: Connecting to %s failed with %s" % (host, str(e)))
 newresult = {'dn': dn}
@@ -1162,7 +1159,7 @@ def execute(self, *keys, **options):
 count += 1
 
 if host != api.env.host:
-other_ldap.disconnect()
+other_ldap.close()
 
 return dict(result=entries,
 count=count,

From f77a3d6f811c20e46b6a61e4e8a20b1e447b0ed5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:52:51 +
Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc
 ldap2 connections

Use the default URI from api.env.ldap_uri, as it is the same as the URI
provided using the argument.
---
 ipaserver/install/cainstance.py  | 19 +--
 ipaserver/install/krainstance.py |  4 +---
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3c86b91..b79b432 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -703,9 +703,7 @@ def __create_ca_agent(self):
 cert = x509.load_certificate(cert_data, x509.DER)
 
 # connect to CA database
-server_id =