From cd9fd5dc5efd417a093d3e2e22aedac1f7433efa Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Jun 30 2016 13:48:18 +0000
Subject: Ticket 48213 - Admin server registration requires anonymous binds

Bug Description: When installing a local DS/AS and registering the server with a remote admin server, the setup process does an anonymous bind to start things off, regardless if a full DN was provided as the admin id. If anonymous access is disabled on the remote configuration DS then the registration process fails.

Fix Description: If a DN was provided, not an rdn value, then attempt to bind with this user first. Only if an rdn value is provided will an anonymous bind be performed.

https://fedorahosted.org/389/ticket/48213

Reviewed by: nhosoi(Thanks!)

---

diff --git a/admserv/newinst/src/AdminUtil.pm.in b/admserv/newinst/src/AdminUtil.pm.in
index d370f9e..3ded348 100644
--- a/admserv/newinst/src/AdminUtil.pm.in
+++ b/admserv/newinst/src/AdminUtil.pm.in
@@ -157,6 +157,8 @@ sub getConfigDSConn {
     my $configdir = shift;
     my $errs = shift; # for output errs - an array ref
     my $certdir;
+    my $errstr = "Success";
+    my $conn;
     if (!$url or !$id) {
         my $admConf = getAdmConf($configdir);
@@ -180,36 +182,61 @@ sub getConfigDSConn {
         $certdir = getCertDir($configdir);
     }
-    # first try anon bind
-    # 3 is LDAPv3 - 1 means use nspr
-    debug(3, "Attempting connection to " . $h->{host} . ":" . $h->{port} . " certdir $certdir configdir $configdir\n");
-    my $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, "", "",
-                                       $certdir);
-
-    my $errstr = "Success";
-    if ($conn) {
-        $errstr = $conn->getErrorString();
-    }
-    if (!$conn or ($errstr ne "Success")) {
+    if ($id =~ /=/){
+        #
+        # We have a bind DN so try it first, as anonymous access could be
+        # disabled on the config DS.
+        #
+        debug(3, "Attempting connection to " . $h->{host} . ":" . $h->{port} .
+              " bind DN ($id) certdir $certdir configdir $configdir\n");
+        $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, $id, $pwd, $certdir);
         if ($conn) {
-            $conn->close();
-            $conn = 0;
+            $errstr = $conn->getErrorString();
         }
-        if ($certdir) {
-            push @{$errs}, 'configds_open_error_ssl', $url,
-                ($errstr eq "Success") ? 'unknown error' : $errstr,
-                $h->{host}, $h->{port}, $h->{host}, $h->{host}, $certdir, $h->{host}, $h->{port};
-        } else {
-            push @{$errs}, 'configds_open_error', $url,
-                ($errstr eq "Success") ? 'unknown error' : $errstr,
-                $h->{host}, $h->{port}, $h->{host}, $h->{host}, $h->{host}, $h->{port};
+        if (!$conn or ($errstr ne "Success")) {
+            if ($conn) {
+                $conn->close();
+                $conn = 0;
+            }
+            if ($certdir) {
+                push @{$errs}, 'configds_open_error_ssl', $url,
+                    ($errstr eq "Success") ? 'unknown error' : $errstr,
+                    $h->{host}, $h->{port}, $h->{host}, $h->{host}, $certdir, $h->{host}, $h->{port};
+            } else {
+                push @{$errs}, 'configds_open_error', $url,
+                    ($errstr eq "Success") ? 'unknown error' : $errstr,
+                    $h->{host}, $h->{port}, $h->{host}, $h->{host}, $h->{host}, $h->{port};
+            }
+            return $conn;
+        }
+    } else {
+        #
+        # We must attempt an anonymous bind to find the entry
+        #
+        debug(3, "Attempting connection to " . $h->{host} . ":" . $h->{port} .
+              " bind DN(anonymous) certdir $certdir configdir $configdir\n");
+        $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, "", "", $certdir);
+        if ($conn) {
+            $errstr = $conn->getErrorString();
+        }
+        if (!$conn or ($errstr ne "Success")) {
+            if ($conn) {
+                $conn->close();
+                $conn = 0;
+            }
+            if ($certdir) {
+                push @{$errs}, 'configds_open_error_ssl', $url,
+                    ($errstr eq "Success") ? 'unknown error' : $errstr,
+                    $h->{host}, $h->{port}, $h->{host}, $h->{host}, $certdir, $h->{host}, $h->{port};
+            } else {
+                push @{$errs}, 'configds_open_error', $url,
+                    ($errstr eq "Success") ? 'unknown error' : $errstr,
+                    $h->{host}, $h->{port}, $h->{host}, $h->{host}, $h->{host}, $h->{port};
+            }
+            return $conn;
         }
-
-        return $conn;
-    }
-    # if $id is not a dn, look up the dn
-    if ($id !~ /=/) {
+        # Search for the entry - we assume it starts with uid
         my $ent = $conn->search($h->{dn}, "sub", "(uid=$id)", 1, 'dn');
         $errstr = $conn->getErrorString();
         if (!$ent or ($errstr ne "Success")) {
@@ -218,23 +245,22 @@ sub getConfigDSConn {
             push @{$errs}, 'configds_finddn_error', $id, $url, (($errstr eq "Success") ? 'unknown error' : $errstr);
             return $conn;
         }
+        # Now bind as the entry
         $id = $ent->getDN();
-    }
-
-    if (!$conn->simpleAuth($id, $pwd)) {
-        $errstr = $conn->getErrorString();
-        $conn->close();
-        $conn = 0;
-        if ($errstr =~ /constraint/i) {
-            push @{$errs}, 'configds_bindretry_error', $id, $url;
-        } else {
-            push @{$errs}, 'configds_bind_error', $id, $url, (($errstr eq "Success") ? 'unknown error' : $errstr);
+        if (!$conn->simpleAuth($id, $pwd)) {
+            $errstr = $conn->getErrorString();
+            $conn->close();
+            $conn = 0;
+            if ($errstr =~ /constraint/i) {
+                push @{$errs}, 'configds_bindretry_error', $id, $url;
+            } else {
+                push @{$errs}, 'configds_bind_error', $id, $url, (($errstr eq "Success") ? 'unknown error' : $errstr);
+            }
+            return $conn;
         }
-        return $conn;
     }
-
+    # store the binddn and password for later use
     $conn->setDefaultRebindProc($id, $pwd, LDAP_AUTH_SIMPLE);
-    # store the binddn for later use
     $conn->{adminbinddn} = $id;
     return $conn;