Hello,
This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3895.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
From 3bd13d7424a05d3900c13c911bf58899baa8d429 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Tue, 5 Nov 2013 18:38:55 +0100
Subject: [PATCH] Use EXTERNAL auth mechanism in ldapmodify
Default to using the EXTERNAL authentication mechanism in calls to ldapmodify.
https://fedorahosted.org/freeipa/ticket/3895
---
ipaserver/install/service.py | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4a244abb9135ae4c712abcb27456bc2436728215..0d7a664561fdf2b02353dd7284392e250f61a9f2 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -121,17 +121,15 @@ def ldap_connect(self):
self.admin_conn = conn
-
def ldap_disconnect(self):
self.admin_conn.unbind()
self.admin_conn = None
-def _ldap_mod(self, ldif, sub_dict = None):
-
+def _ldap_mod(self, ldif, sub_dict=None):
pw_name = None
fd = None
path = ipautil.SHARE_DIR + ldif
-nologlist=[]
+nologlist = []
if sub_dict is not None:
txt = ipautil.template_file(path, sub_dict)
@@ -139,9 +137,9 @@ def _ldap_mod(self, ldif, sub_dict = None):
path = fd.name
# do not log passwords
-if sub_dict.has_key('PASSWORD'):
+if 'PASSWORD' in sub_dict:
nologlist.append(sub_dict['PASSWORD'])
-if sub_dict.has_key('RANDOM_PASSWORD'):
+if 'RANDOM_PASSWORD' in sub_dict:
nologlist.append(sub_dict['RANDOM_PASSWORD'])
args = ["/usr/bin/ldapmodify", "-v", "-f", path]
@@ -152,16 +150,18 @@ def _ldap_mod(self, ldif, sub_dict = None):
self.ldap_connect()
args += ["-H", self.admin_conn.ldap_uri]
-auth_parms = []
+# If DM password is available, use it
if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp()
os.write(pw_fd, self.dm_password)
os.close(pw_fd)
auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
+# Use GSSAPI auth when not using DM password or not being root
+elif os.getegid() != 0:
+auth_parms = ["-Y", "GSSAPI"]
+# Default to EXTERNAL auth mechanism
else:
-# always try GSSAPI auth when not using DM password or not being root
-if os.getegid() != 0:
-auth_parms = ["-Y", "GSSAPI"]
+auth_parms = ["-Y", "EXTERNAL"]
args += auth_parms
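Review bot: The new `elif os.getegid() != 0:` test compares the effective group id, although its comment speaks of "not being root"; since this test now decides between GSSAPI and EXTERNAL, `elif os.geteuid() != 0:` would match the stated intent, unless the gid check is deliberate. The comment's "or" also reads wrongly, because the branch is reached only when there is no DM password and the process is not root; `# Use GSSAPI when no DM password is set and we are not root` would be accurate. SASL EXTERNAL takes the identity from the transport (ldapi peer credentials or a TLS client certificate), so the new `else` branch presumably relies on `self.admin_conn.ldap_uri` being such a URI. `ldap_connect()` is outside this hunk, so that should be confirmed and noted in the comment, because the old code passed no auth options here and a plain ldap:// URI would now fail to bind.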
--
1.8.3.1