From 112c4b745651beea993a8f87529a5eecfdb31062 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mar 22 2012 04:55:33 +0000
Subject: Fix LDAP effective rights control with python-ldap 2.4.x

The new version of python-ldap changed the way it created LDAPv3 extended controls. The API used in 2.4.x can no longer be used because it does not send the bind DN with effective rights control and LDAP server thus rejects it.

This patch implements the new API in a backward compatible way so that it works both with python-ldap versions 2.3.x and 2.4.x.

https://fedorahosted.org/freeipa/ticket/2565
---
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 178386c..61341b0 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -42,7 +42,19 @@ import ldap as _ldap
 from ldap.ldapobject import SimpleLDAPObject
 import ldap.filter as _ldap_filter
 import ldap.sasl as _ldap_sasl
-from ldap.controls import LDAPControl
+try:
+    from ldap.controls.simple import GetEffectiveRightsControl #pylint: disable=F0401,E0611
+except ImportError:
+    """
+    python-ldap 2.4.x introduced a new API for effective rights control, which
+    needs to be used or otherwise bind dn is not passed correctly. The following
+    class is created for backward compatibility with python-ldap 2.3.x.
+    Relevant BZ: https://bugzilla.redhat.com/show_bug.cgi?id=802675
+    """
+    from ldap.controls import LDAPControl
+    class GetEffectiveRightsControl(LDAPControl):
+        def __init__(self, criticality, authzId=None):
+            LDAPControl.__init__(self, '1.3.6.1.4.1.42.2.27.9.5.2', criticality, authzId)
 # for backward compatibility
 from ldap.functions import explode_dn
 from ipalib.dn import DN
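Review bot: Removing the module-level `from ldap.controls import LDAPControl` leaves `LDAPControl` bound only inside the `except ImportError:` branch, so any other reference to it elsewhere in ldap2.py would raise NameError under python-ldap 2.4.x; the hunk shows only the import block, so the rest of the module should be checked before merging. The triple-quoted string placed directly under `except ImportError:` is an expression statement, not a comment or a docstring — it is evaluated and discarded — and reads as a docstring that documents nothing; turn it into a `#` comment block and give the fallback class a real docstring instead, e.g. `"""Effective-rights request control (OID 1.3.6.1.4.1.42.2.27.9.5.2) for python-ldap 2.3.x, which lacks ldap.controls.simple; authzId is passed through as the raw control value."""`. The bare OID literal would also be clearer as a named constant shared by the comment and the constructor call.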
@@ -874,7 +886,7 @@ class ldap2(CrudBackend, Encoder):
         """
         principal = getattr(context, 'principal')
         (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
-        sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: " + binddn.encode('UTF-8'))]
+        sctrl = [GetEffectiveRightsControl(True, "dn: " + binddn.encode('UTF-8'))]
         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
         (dn, attrs) = self.get_entry(dn, entry_attrs)
         # remove the control so subsequent operations don't include GER
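Review bot: The effective-rights control is attached to the shared connection with `self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)` and, per the trailing comment, only removed after `get_entry` returns; if `get_entry` raises, that removal is apparently skipped (the removal call and the rest of the method lie outside the hunk, so confirm), and every later operation on this connection would keep sending a GER control that names this user's bind DN as the authorization identity. Guard the reset so it always runs: `try:` / `    (dn, attrs) = self.get_entry(dn, entry_attrs)` / `finally:` followed by the existing control-removal call. The `"dn: " + binddn.encode('UTF-8')` expression also assumes `binddn` is a text string rather than a `DN` object, which the hunk does not establish; a short comment such as `# GER authzId is the literal string 'dn: <bind DN>'; binddn is expected to be unicode` would make that contract explicit.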