[Freeipa-devel] [PATCH] 416 Use valid LDAP search base in migration plugin
One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP. Pushed to master, ipa-3-2 as a one-liner. Martin From b9afa0e5aa730260d75cd11649258686ac6adea8 Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Fri, 26 Jul 2013 13:39:42 +0200 Subject: [PATCH] Use valid LDAP search base in migration plugin One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP. --- ipalib/plugins/migration.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index f57f0957e31be9ab92d6ddc855d4aec3456c1449..83bf40dbfa4cf2310b2501c28cf095299711331d 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -207,7 +207,8 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs principal = u'%s@%s' % (pkey, api.env.realm) try: ldap.find_entry_by_attr( -'krbprincipalname', principal, 'krbprincipalaux', [''] +'krbprincipalname', principal, 'krbprincipalaux', [''], +DN(api.env.container_user, api.env.basedn) ) except errors.NotFound: entry_attrs['krbprincipalname'] = principal -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
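Review bot: the `except errors.NotFound:` branch below the changed call still collapses two different server outcomes into "principal is free": a successful search under the user container that matches nothing, and a failed search because the base DN itself does not exist (the err=32 case the old zero-base call was hitting). If `DN(api.env.container_user, api.env.basedn)` ever does not resolve on the target server, migration silently falls back to the same false negative this commit is fixing, only now it depends on configuration rather than on a missing argument. Consider verifying the container exists once before the per-user loop, or logging loudly when find_entry_by_attr fails for a reason other than an empty result. One further question on the same hunk: restricting the search to the user container means a krbprincipalname already held by an entry outside cn=users is no longer detected; if the intent is only to avoid clashes with existing users that is fine, but it would be worth saying so in the commit message.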
Re: [Freeipa-devel] [PATCH] 416 Use valid LDAP search base in migration plugin
On 07/26/2013 05:43 AM, Martin Kosek wrote:
> One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP.
>
> Pushed to master, ipa-3-2 as a one-liner.

Does the migrate code correctly handle the search return? Before it was working fine when it got the err=32 - it just assumed the user did not already exist. With the correct search base, the search will return err=0, and will return no search entries, which migration should assume means the user does not already exist.

> Martin
Re: [Freeipa-devel] [PATCH] 416 Use valid LDAP search base in migration plugin
On 07/26/2013 04:04 PM, Rich Megginson wrote:
> On 07/26/2013 05:43 AM, Martin Kosek wrote:
>> One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP.
>>
>> Pushed to master, ipa-3-2 as a one-liner.
>
> Does the migrate code correctly handle the search return? Before it was working fine when it got the err=32 - it just assumed the user did not already exist. With the correct search base, the search will return err=0, and will return no search entries, which migration should assume means the user does not already exist.

Thanks for double-checking this, Rich. But our LDAP library raises an exception when LDAP returns no entry; I double-checked this particular call I changed:

>>> conn.find_entry_by_attr('krbprincipalname', 'ad...@example.com', 'krbprincipalaux', [''], DN(api.env.container_user, api.env.basedn))
LDAPEntry(ipapython.dn.DN('uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'), {})
>>> conn.find_entry_by_attr('krbprincipalname', 'doesnotex...@example.com', 'krbprincipalaux', [''], DN(api.env.container_user, api.env.basedn))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1299, in find_entry_by_attr
    (entries, truncated) = self.find_entries(filter, attrs_list, base_dn)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1248, in find_entries
    raise errors.NotFound(reason='no such entry')
ipalib.errors.NotFound: no such entry

So the change should work correctly.

Martin
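Rich's question and Martin's REPL check turn on the difference between an LDAP search whose base DN does not exist (result code 32, noSuchObject) and a search that succeeds with zero entries. The Python model below is an added example, not FreeIPA or ipapython code and not something posted in this thread: it replays that difference against a constructed in-memory directory and shows why a collision check that folds both outcomes into "not found" yields the false negative the patch fixes, and how a check that keeps them apart behaves. The tree, DNs, principals, result code constant and helper names (search, principal_taken_before_fix, principal_status) are assumptions made for illustration.

```python
"""Model of the LDAP behaviour discussed in the thread.

A subtree search under a base DN that does not exist fails with noSuchObject
(result code 32); a search under a valid base that matches nothing succeeds
with an empty result set.  Everything here is constructed for the example:
the directory, the DNs and the principals are not real FreeIPA data.
"""

# Constructed sample directory keyed by lower-cased DN; attribute values are lists.
DIRECTORY = {
    "dc=example,dc=com": {"objectclass": ["domain"]},
    "cn=accounts,dc=example,dc=com": {"objectclass": ["nscontainer"]},
    "cn=users,cn=accounts,dc=example,dc=com": {"objectclass": ["nscontainer"]},
    "uid=admin,cn=users,cn=accounts,dc=example,dc=com": {
        "objectclass": ["person", "krbprincipalaux"],
        "uid": ["admin"],
        "krbprincipalname": ["admin@EXAMPLE.COM"],
    },
}

NO_SUCH_OBJECT = 32  # LDAP result code returned when the search base is missing
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"  # assumed user container


class LDAPError(Exception):
    """Server-side failure carrying an LDAP result code."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def search(base_dn, attr, value):
    """Subtree search for attr=value under base_dn.

    Raises LDAPError(32) when the base itself is absent (the err=32 case Rich
    describes); otherwise returns the possibly empty list of matching DNs,
    which corresponds to err=0 with zero entries.
    """
    base = base_dn.lower()
    if base not in DIRECTORY:
        raise LDAPError(NO_SUCH_OBJECT, "no such object: %r" % base_dn)
    suffix = "," + base
    wanted = value.lower()
    return [
        dn for dn, attrs in DIRECTORY.items()
        if (dn == base or dn.endswith(suffix))
        and wanted in (v.lower() for v in attrs.get(attr, []))
    ]


def principal_taken_before_fix(principal):
    """Collision check as the migration code behaved before the patch: no
    search base, and every failure folded into "not found".  The empty base
    always fails with noSuchObject, so this reports every principal as free,
    including admin@EXAMPLE.COM which plainly exists."""
    try:
        return bool(search("", "krbprincipalname", principal))
    except LDAPError:
        return False


def principal_status(principal, users_base=USERS_BASE):
    """Collision check with a real base that keeps the two outcomes apart.

    Returns "taken" when a matching entry exists, "free" when the search
    succeeds with no entries, and "base-missing" when the server reports
    noSuchObject for the base.  A caller must treat "base-missing" as an
    error, never as "free", or the false negative comes back silently.
    """
    try:
        matches = search(users_base, "krbprincipalname", principal)
    except LDAPError as err:
        if err.code == NO_SUCH_OBJECT:
            return "base-missing"
        raise
    return "taken" if matches else "free"


if __name__ == "__main__":
    print("before fix, admin taken?", principal_taken_before_fix("admin@EXAMPLE.COM"))
    print("after fix, admin:", principal_status("admin@EXAMPLE.COM"))
    print("after fix, nobody:", principal_status("nobody@EXAMPLE.COM"))
    print("after fix, wrong base:", principal_status("admin@EXAMPLE.COM",
                                                     "cn=users,cn=accounts,dc=wrong,dc=com"))
```

Run stand-alone it prints the four outcomes; the point of the last one is that a misconfigured container DN must surface as an error at the call site rather than being swallowed by the same `except NotFound` that handles a genuinely empty result.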
Re: [Freeipa-devel] [PATCH] 416 Use valid LDAP search base in migration plugin
On 07/26/2013 09:28 AM, Martin Kosek wrote:
> On 07/26/2013 04:04 PM, Rich Megginson wrote:
>> On 07/26/2013 05:43 AM, Martin Kosek wrote:
>>> One find_entry_by_attr call did not set a search base leading to LDAP search call with zero search base. This leads to false negative results from LDAP.
>>>
>>> Pushed to master, ipa-3-2 as a one-liner.
>>
>> Does the migrate code correctly handle the search return? Before it was working fine when it got the err=32 - it just assumed the user did not already exist. With the correct search base, the search will return err=0, and will return no search entries, which migration should assume means the user does not already exist.
>
> Thanks for double-checking this, Rich. But our LDAP library raises an exception when LDAP returns no entry; I double-checked this particular call I changed:
>
> >>> conn.find_entry_by_attr('krbprincipalname', 'ad...@example.com', 'krbprincipalaux', [''], DN(api.env.container_user, api.env.basedn))
> LDAPEntry(ipapython.dn.DN('uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'), {})
> >>> conn.find_entry_by_attr('krbprincipalname', 'doesnotex...@example.com', 'krbprincipalaux', [''], DN(api.env.container_user, api.env.basedn))
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1299, in find_entry_by_attr
>     (entries, truncated) = self.find_entries(filter, attrs_list, base_dn)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1248, in find_entries
>     raise errors.NotFound(reason='no such entry')
> ipalib.errors.NotFound: no such entry
>
> So the change should work correctly.
>
> Martin

ok - ack