Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-17 Thread Petr Vobornik

On 07/17/2015 10:31 AM, Petr Vobornik wrote:

On 07/17/2015 07:18 AM, Alexander Bokovoy wrote:

On Fri, 17 Jul 2015, Jan Cholasta wrote:

On 16.7.2015 at 12:16, David Kupka wrote:

On 15/07/15 16:04, David Kupka wrote:

On 15/07/15 15:34, Jan Cholasta wrote:

On 15.7.2015 at 15:21, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)







3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.


Updated patch attached.





With Honza, we've found a better solution. Instead of binding to the LDAP
just to get base DN we can instantiate api and use api.env.basedn
variable. At the same time we can use api.env.ldap_uri instead of
searching filesystem for ldapi socket.
Patch attached.


LGTM, but since I had a part in this, I'd like someone else (Petr?) to
ACK this.

I went through the code and I think it is also a better approach than it
was before, so ACK.


ACK as well.

Pushed to:
master: e5d179b5b96bba5048a05135693acc5507d38163
ipa-4-2: 65877820b821884ac3b539e7f64e12c2cb3dd34f


Also tested and pushed to 4-1 (ticket is in 4-1)

 e40a6bc0824020af6ae9d95f444c69a09457cb24
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-17 Thread Petr Vobornik

On 07/17/2015 07:18 AM, Alexander Bokovoy wrote:

On Fri, 17 Jul 2015, Jan Cholasta wrote:

On 16.7.2015 at 12:16, David Kupka wrote:

On 15/07/15 16:04, David Kupka wrote:

On 15/07/15 15:34, Jan Cholasta wrote:

On 15.7.2015 at 15:21, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)






3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.


Updated patch attached.





With Honza, we've found a better solution. Instead of binding to the LDAP
just to get base DN we can instantiate api and use api.env.basedn
variable. At the same time we can use api.env.ldap_uri instead of
searching filesystem for ldapi socket.
Patch attached.


LGTM, but since I had a part in this, I'd like someone else (Petr?) to
ACK this.

I went through the code and I think it is also a better approach than it
was before, so ACK.


ACK as well.

Pushed to:
master: e5d179b5b96bba5048a05135693acc5507d38163
ipa-4-2: 65877820b821884ac3b539e7f64e12c2cb3dd34f
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-16 Thread David Kupka

On 15/07/15 16:04, David Kupka wrote:

On 15/07/15 15:34, Jan Cholasta wrote:

On 15.7.2015 at 15:21, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)




3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.


Updated patch attached.





With Honza, we've found a better solution. Instead of binding to the LDAP
just to get base DN we can instantiate api and use api.env.basedn
variable. At the same time we can use api.env.ldap_uri instead of
searching filesystem for ldapi socket.

Patch attached.
--
David Kupka
From 3fa339547c580ea8dac13fd529bd8adecec0c3dc Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Thu, 16 Jul 2015 10:15:36 +0200
Subject: [PATCH] migration: Use api.env variables.

Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.

https://fedorahosted.org/freeipa/ticket/4953
---
 install/migration/migration.py | 33 +
 1 file changed, 5 insertions(+), 28 deletions(-)

diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..8c440175a0358b01acba227ea3179318af50fa32 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -22,14 +22,13 @@ Password migration script
 
 import cgi
 import errno
-import glob
 from wsgiref.util import request_uri
 
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import get_ipa_basedn
 from ipapython.dn import DN
 from ipapython.ipaldap import IPAdmin
-from ipalib import errors
+from ipalib import errors, create_api
 from ipaplatform.paths import paths
 
 
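
Review bot: the import block still carries `from ipapython.ipautil import get_ipa_basedn` and `from ipaplatform.paths import paths` as unchanged context, yet the only uses of `get_ipa_basedn` and `paths` visible in this patch are in the removed `get_base_dn()` and the removed `glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS)` call. If nothing else in migration.py references them, drop both imports in the same commit as `import glob`, so the module no longer pulls in helpers tied to the anonymous lookup.
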
@@ -45,23 +44,6 @@ def get_ui_url(environ):
 return full_url[:index] + /ipa/ui
 
 
-def get_base_dn(ldap_uri):
-
-Retrieve LDAP server base DN.
-
-try:
-conn = IPAdmin(ldap_uri=ldap_uri)
-conn.do_simple_bind(DN(), '')
-base_dn = get_ipa_basedn(conn)
-except Exception, e:
-root_logger.error('migration context search failed: %s' % e)
-return ''
-finally:
-conn.unbind()
-
-return base_dn
-
-
 def bind(ldap_uri, base_dn, username, password):
 if not base_dn:
 root_logger.error('migration unable to get base dn')
@@ -90,16 +72,11 @@ def application(environ, start_response):
 if not form_data.has_key('username') or not form_data.has_key('password'):
 return wsgi_redirect(start_response, 'invalid.html')
 
-slapd_sockets = glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS)
-if slapd_sockets:
-ldap_uri = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
-else:
-ldap_uri = 'ldaps://localhost:636'
-
-base_dn = get_base_dn(ldap_uri)
-
+# API object only for configuration, finalize() not needed
+api = create_api(mode=None)
+api.bootstrap(context='server', in_server=True)
 try:
-bind(ldap_uri, base_dn,
+bind(api.env.ldap_uri, api.env.basedn,
  form_data['username'].value, form_data['password'].value)
 except IOError as err:
 if err.errno == errno.EPERM:
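
Review bot: `create_api(mode=None)` and `api.bootstrap(context='server', in_server=True)` are added inside `application()` ahead of the `try:`, so configuration is loaded on every request and a failure there is not covered by the `except IOError` handler that follows; consider building the API object once at module level, or handling a bootstrap failure with a redirect to an error page. The removed code only ever produced an `ldapi://` socket URI or `ldaps://localhost:636`, so it is worth stating in the comment that `api.env.ldap_uri` is expected to be one of those transports, since the user's password is sent in this bind. The second line of the commit message names `api.env.basedn` for the socket lookup where the code uses `api.env.ldap_uri`.
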
-- 
2.4.3
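
The approach described in the message above, taking the base DN and LDAP URI from local configuration instead of an anonymous bind, as an added Python example that is not code from the thread or from FreeIPA. The `[global]` section, the key names and the sample values are assumptions modelled on the `api.env` names in the patch; the scheme check mirrors the two transports the removed code produced (`ldapi://` and `ldaps://`).

```python
import configparser
from urllib.parse import unquote, urlsplit

# Constructed sample configuration; section name, keys and values are
# assumptions for illustration, not taken from the thread.
SAMPLE_CONF = """\
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
ldap_uri = ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
"""

# Transports over which a user's password may be sent in a simple bind.
SAFE_SCHEMES = {"ldapi", "ldaps"}


def load_ldap_settings(conf_text):
    """Return (ldap_uri, basedn) from local configuration only.

    No LDAP connection is opened, so the lookup keeps working when
    anonymous binds are disabled on the directory server.
    """
    # interpolation=None: the '%2f' escapes in an ldapi URI would
    # otherwise be rejected as malformed '%' interpolation.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    ldap_uri = parser.get("global", "ldap_uri", fallback="").strip()
    basedn = parser.get("global", "basedn", fallback="").strip()
    if not basedn:
        raise ValueError("basedn missing from configuration")
    scheme = urlsplit(ldap_uri).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        raise ValueError("refusing password bind over %r"
                         % (scheme or "no scheme"))
    return ldap_uri, basedn


def ldapi_socket_path(ldap_uri):
    """Decode the percent-encoded socket path of an ldapi:// URI."""
    parts = urlsplit(ldap_uri)
    if parts.scheme.lower() != "ldapi":
        return None
    return unquote(parts.netloc + parts.path)
```
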


Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-16 Thread Jan Cholasta

On 16.7.2015 at 12:16, David Kupka wrote:

On 15/07/15 16:04, David Kupka wrote:

On 15/07/15 15:34, Jan Cholasta wrote:

On 15.7.2015 at 15:21, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)





3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.


Updated patch attached.





With Honza, we've found a better solution. Instead of binding to the LDAP
just to get base DN we can instantiate api and use api.env.basedn
variable. At the same time we can use api.env.ldap_uri instead of
searching filesystem for ldapi socket.
Patch attached.


LGTM, but since I had a part in this, I'd like someone else (Petr?) to 
ACK this.


--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-16 Thread Alexander Bokovoy

On Fri, 17 Jul 2015, Jan Cholasta wrote:

On 16.7.2015 at 12:16, David Kupka wrote:

On 15/07/15 16:04, David Kupka wrote:

On 15/07/15 15:34, Jan Cholasta wrote:

On 15.7.2015 at 15:21, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)





3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.


Updated patch attached.





With Honza, we've found a better solution. Instead of binding to the LDAP
just to get base DN we can instantiate api and use api.env.basedn
variable. At the same time we can use api.env.ldap_uri instead of
searching filesystem for ldapi socket.
Patch attached.


LGTM, but since I had a part in this, I'd like someone else (Petr?) to 
ACK this.

I went through the code and I think it is also a better approach than it
was before, so ACK.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread David Kupka

On 15/07/15 15:34, Jan Cholasta wrote:

On 15.7.2015 at 15:21, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)



3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.


Updated patch attached.

--
David Kupka
From 43d8cc79283e9cbead102bd1415ad4107f65df11 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 15 Jul 2015 14:55:28 +0200
Subject: [PATCH] Do not use anonymous bind in migration UI.

https://fedorahosted.org/freeipa/ticket/4953
---
 install/migration/migration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..4e92794e3bb386bbd9dd80e7123bfb63f2fa8dc4 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -51,7 +51,7 @@ def get_base_dn(ldap_uri):
 
 try:
 conn = IPAdmin(ldap_uri=ldap_uri)
-conn.do_simple_bind(DN(), '')
+conn.do_bind()
 base_dn = get_ipa_basedn(conn)
 except Exception, e:
 root_logger.error('migration context search failed: %s' % e)
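
Review bot: `conn.do_bind()` is now called with no arguments, so nothing in `get_base_dn()` says which identity the connection authenticates as or why that identity may read the base DN once anonymous access is disabled. Add a comment naming the expected bind mechanism. The catch-all `except Exception, e` also logs a bind failure as 'migration context search failed', which will be misleading; a separate message for the bind step would make a failure here easier to diagnose.
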
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread Jan Cholasta

On 15.7.2015 at 15:21, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)


3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.

--
Jan Cholasta



[Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server 
(https://www.freeipa.org/page/Howto/Migration)


2. Disable anonymous bind to Directory Server 
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)


3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and 
enter name and password of one of the migrated users.


Without this patch you will get an error page.

--
David Kupka
From a9c50987842a08eb6928bd662a1db57b85d4b3cd Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 15 Jul 2015 14:55:28 +0200
Subject: [PATCH] Do not use anonymous bind in migration UI.

https://fedorahosted.org/freeipa/ticket/4953
---
 install/migration/migration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..ec660ba5329193675826cd8ce292034fd33744b5 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -51,7 +51,7 @@ def get_base_dn(ldap_uri):
 
 try:
 conn = IPAdmin(ldap_uri=ldap_uri)
-conn.do_simple_bind(DN(), '')
+conn.do_bind(DN(), '')
 base_dn = get_ipa_basedn(conn)
 except Exception, e:
 root_logger.error('migration context search failed: %s' % e)
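
Review bot: the replacement `conn.do_bind(DN(), '')` still passes an empty DN and an empty password, the same values as the removed `conn.do_simple_bind(DN(), '')`, so the hunk does not show how the bind stops being anonymous as the subject line promises. Check the argument list against the signature of `do_bind` and pass (or omit) arguments so the intended non-anonymous mechanism is explicit.
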
-- 
2.4.3
