From 24baccbd6ac8a19ba52619a3cc59366220c4ca1f Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Nov 07 2016 10:34:03 +0000
Subject: dsinstance: enable ldapi and autobind in ds
* enable ldapi and root autobind early during the ds installation
* perform these changes using simple_bind with dm_password
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta
---
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c42bda..a11f295 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -258,6 +258,8 @@ class DsInstance(service.Service):
 self.step("creating directory server user", create_ds_user)
 self.step("creating directory server instance", self.__create_instance)
+ self.step("enabling ldapi", self.__enable_ldapi)
+ self.step("configure autobind for root", self.__root_autobind)
 self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
 self.step("restarting directory server", self.__restart_instance)
 self.step("adding default schema", self.__add_default_schemas)
@@ -265,7 +267,6 @@ class DsInstance(service.Service):
 self.step("enabling winsync plugin", self.__add_winsync_module)
 self.step("configuring replication version plugin", self.__config_version_module)
 self.step("enabling IPA enrollment plugin", self.__add_enrollment_module)
- self.step("enabling ldapi", self.__enable_ldapi)
 self.step("configuring uniqueness plugin", self.__set_unique_attrs)
 self.step("configuring uuid plugin", self.__config_uuid_module)
 self.step("configuring modrdn plugin", self.__config_modrdn_module)
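Review bot: The two step labels added here are worded inconsistently with their neighbours: `"enabling ldapi"` uses the progressive form like every other step in the hunk, while `"configure autobind for root"` does not, so what looks like installer progress output will read unevenly. Since this line is newly placed in this position (the same string is dropped from its old place in the hunk below), it could become `self.step("configuring autobind for root", self.__root_autobind)`. This is a naming point only; the method that holds these steps starts outside the hunk.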
@@ -278,7 +279,6 @@ class DsInstance(service.Service):
 if enable_ssl:
 self.step("configuring ssl for ds instance", self.__enable_ssl)
 self.step("configuring certmap.conf", self.__certmap_conf)
- self.step("configure autobind for root", self.__root_autobind)
 self.step("configure new location for managed entries", self.__repoint_managed_entries)
 self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
 self.step("enabling SASL mapping fallback",
@@ -890,7 +890,9 @@ class DsInstance(service.Service):
 )
 def __enable_ldapi(self):
- self._ldap_mod("ldapi.ldif", self.sub_dict)
+ self._ldap_mod("ldapi.ldif", self.sub_dict,
+ ldap_uri="ldap://localhost",
+ dm_password=self.dm_password)
 def __enable_sasl_mapping_fallback(self):
 self._ldap_mod("sasl-mapping-fallback.ldif", self.sub_dict)
@@ -1064,7 +1066,9 @@ class DsInstance(service.Service):
 self.tune_nofile(8192)
 def __root_autobind(self):
- self._ldap_mod("root-autobind.ldif")
+ self._ldap_mod("root-autobind.ldif",
+ ldap_uri="ldap://localhost",
+ dm_password=self.dm_password)
 def __add_sudo_binduser(self):
 self._ldap_mod("sudobind.ldif", self.sub_dict)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index ae985dc..91137dd 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -22,6 +22,7 @@ import os
 import socket
 import datetime
 import traceback
+import tempfile
 from ipapython import ipautil, sysrestore
 from ipapython.dn import DN
@@ -170,7 +171,8 @@ class Service(object):
 """close the api.Backend.ldap2 connection"""
 api.Backend.ldap2.disconnect()
- def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True):
+ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
+ ldap_uri=None, dm_password=None):
 pw_name = None
 fd = None
 path = ipautil.SHARE_DIR + ldif
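Review bot: `__enable_ldapi` now binds as Directory Manager with a simple bind over plain `ldap://localhost`, so at this stage of the install the DM password crosses the loopback listener unencrypted; `__root_autobind` in the next hunk of this file does the same. The commit message says this is deliberate because the LDAPI socket does not exist yet, but nothing in the code records that constraint, and the pattern is easy to copy into a context where the URI is not local. A comment above each call would pin it down, e.g. `# ldapi is not configured yet: bind over the loopback ldap:// listener with the DM password; acceptable only because the URI is localhost`. The hard-coded `"ldap://localhost"` also carries no port, so it presumably relies on the instance listening on the default port — worth confirming against the instance configuration, which is outside this hunk.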
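Review bot: `_ldap_mod` gains `ldap_uri` and `dm_password` but still has no docstring, and these parameters change how the ldapmodify call authenticates, so the contract should be written down at the signature. I would add a docstring stating that `ldap_uri` overrides the admin connection's URI (which is used when it is `None`), that a non-empty `dm_password` switches the call to a simple bind as `cn=Directory Manager` with the password written to a temporary file that is removed afterwards, and that otherwise GSSAPI or EXTERNAL is chosen by effective gid. The function body continues past this hunk; the behaviour described is visible in the later hunk of this file.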
@@ -191,12 +193,20 @@ class Service(object):
 # As we always connect to the local host,
 # use URI of admin connection
- if not self.admin_conn:
- self.ldap_connect()
- args += ["-H", self.admin_conn.ldap_uri]
+ if not ldap_uri:
+ if not self.admin_conn:
+ self.ldap_connect()
+ ldap_uri = self.admin_conn.ldap_uri
+
+ args += ["-H", ldap_uri]
+ if dm_password:
+ [pw_fd, pw_name] = tempfile.mkstemp()
+ os.write(pw_fd, dm_password)
+ os.close(pw_fd)
+ auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
- if os.getegid() != 0:
+ elif os.getegid() != 0:
 auth_parms = ["-Y", "GSSAPI"]
 # Default to EXTERNAL auth mechanism
 else:
@@ -215,9 +225,6 @@ class Service(object):
 if pw_name:
 os.remove(pw_name)
- if fd is not None:
- fd.close()
-
 def move_service(self, principal):
 """
 Used to move a principal entry created by kadmin.local from
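Review bot: `os.write(pw_fd, dm_password)` leaves `pw_fd` open if the write raises, and if this module is run under Python 3 the call fails outright because `os.write` needs bytes rather than a str; both are avoided by replacing the `os.write`/`os.close` pair with `with os.fdopen(pw_fd, "w") as pw_file:` / `    pw_file.write(dm_password)`. The comment `# As we always connect to the local host` is now true only for the default path, since a caller-supplied `ldap_uri` is passed verbatim to `-H` together with a `-x` simple bind, so a non-local or unencrypted URI would carry the DM password in clear; reword it to `# Default to the admin connection's URI (always the local host); callers may pass ldap_uri to override` and consider rejecting non-local URIs when `dm_password` is given. The temporary password file is removed by the `os.remove(pw_name)` in the following hunk, which I take to sit in a `finally` block, so cleanup on the error path looks covered. That following hunk also drops the explicit `fd.close()` for what appears to be the templated LDIF file; if that file holds values substituted from `sub_dict`, its closing and deletion now depend on garbage collection rather than on the cleanup block, which is worth keeping explicit. The enclosing `_ldap_mod` starts before this hunk.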