From 60e38ecc7ff6b983f4f3af0a66c08eb3a3fda22d Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Nov 07 2016 10:34:03 +0000 Subject: ipaldap: merge external_bind into LDAPClient * Rename do_external_bind to external_bind * Remove user_name argument in external_bind() and always set it to effective user name https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti Reviewed-By: Jan Cholasta --- diff --git a/install/tools/ipactl b/install/tools/ipactl index 42bd73e..3542093 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -166,7 +166,7 @@ def get_config(dirsrv): (host, port) = lurl.hostport.split(':') wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout) con = IPAdmin(ldap_uri=api.env.ldap_uri) - con.do_external_bind() + con.external_bind() res = con.get_entries( base, filter=srcfilter, diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index c4f8c7c..4016a65 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -1084,11 +1084,11 @@ class LDAPClient(object): self.conn.simple_bind_s( bind_dn, bind_password, server_controls, client_controls) - def external_bind(self, user_name, server_controls=None, - client_controls=None): + def external_bind(self, server_controls=None, client_controls=None): """ Perform SASL bind operation using the SASL EXTERNAL mechanism. """ + user_name = pwd.getpwuid(os.geteuid()).pw_name with self.error_handler(): auth_tokens = ldap.sasl.external(user_name) self._flush_schema() @@ -1634,9 +1634,6 @@ class IPAdmin(LDAPClient): def do_sasl_gssapi_bind(self): self.gssapi_bind() - def do_external_bind(self, user_name=None): - self.external_bind(user_name) - def do_bind(self, dm_password="", autobind=AUTOBIND_AUTO): if dm_password: self.simple_bind(bind_dn=DIRMAN_DN, bind_password=dm_password) 
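Review bot: In the ipaldap.py `external_bind` hunk the new `pwd.getpwuid(os.geteuid())` lookup sits before `with self.error_handler():`, so a euid with no passwd entry (minimal container, broken NSS backend) raises a bare `KeyError` that the `except errors.NotFound` autobind fallbacks used elsewhere in this patch will not catch. The docstring is also left unchanged although the contract changed: the authorization identity sent is now always the effective user's name and callers can no longer request another one (the dogtag and dsinstance hunks used to pass 'root'), which is the right direction for SASL EXTERNAL over LDAPI since the server authenticates the peer by its socket credentials anyway and the name is only the requested identity. I would turn the lookup failure into the error the callers already handle and document the new contract as below; `errors` is already used in this file's `do_bind`, but check that `pwd` and `os` are imported in ipaldap.py, since the hunk does not show its import block. If the project prefers a different exception type for this, keep the structure and swap the class.
```python
    def external_bind(self, server_controls=None, client_controls=None):
        """
        Perform SASL bind operation using the SASL EXTERNAL mechanism.

        The authorization identity is always the name of the current
        effective user; over LDAPI the server decides from the peer's
        credentials whether that identity is accepted.
        """
        try:
            user_name = pwd.getpwuid(os.geteuid()).pw_name
        except KeyError:
            # no passwd entry for the euid: surface it as the error the
            # autobind callers already fall back on
            raise errors.NotFound(
                reason="no passwd entry for uid %d" % os.geteuid())
        # … unchanged: error_handler / ldap.sasl.external bind …
```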
@@ -1644,8 +1641,7 @@ class IPAdmin(LDAPClient): if autobind != AUTOBIND_DISABLED and os.getegid() == 0 and self.ldapi: try: # autobind - pw_name = pwd.getpwuid(os.geteuid()).pw_name - self.do_external_bind(pw_name) + self.external_bind() return except errors.NotFound: if autobind == AUTOBIND_ENABLED: diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index d682745..1677d57 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -398,7 +398,7 @@ class DogtagInstance(service.Service): try: conn = ipaldap.IPAdmin(self.fqdn, ldapi=True, realm=self.realm) - conn.do_external_bind('root') + conn.external_bind() entry_attrs = conn.get_entry(self.admin_dn, ['usercertificate']) admin_cert = entry_attrs.get('usercertificate')[0] diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index c18a8f3..7ffc5f6 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -169,7 +169,7 @@ def create_ds_user(): def get_domain_level(api=api): conn = ipaldap.IPAdmin(ldapi=True, realm=api.env.realm) - conn.do_external_bind('root') + conn.external_bind() dn = DN(('cn', 'Domain Level'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) @@ -417,7 +417,7 @@ class DsInstance(service.Service): # Always connect to self over ldapi conn = ipaldap.IPAdmin(self.fqdn, ldapi=True, realm=self.realm) - conn.do_external_bind('root') + conn.external_bind() repl = replication.ReplicationManager(self.realm, self.fqdn, self.dm_password, conn=conn) @@ -1258,7 +1258,7 @@ class DsInstance(service.Service): # Connect to self over ldapi as Directory Manager and configure SSL conn = ipaldap.IPAdmin(self.fqdn, ldapi=True, realm=self.realm) - conn.do_external_bind('root') + conn.external_bind() mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"), 
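Review bot: The autobind branch in `IPAdmin.do_bind` is gated on `os.getegid() == 0`, but after this change `external_bind()` derives the authorization identity from `os.geteuid()`, so a process with effective gid 0 and a non-root effective uid now attempts an LDAPI autobind under that uid's name rather than a value the caller chose. The gid check predates this commit, but the commit makes the gate and the identity actually sent disagree; I would align them, `if autobind != AUTOBIND_DISABLED and os.geteuid() == 0 and self.ldapi:`, unless a setgid-root deployment depends on the gid check, in which case a comment above the branch should say that the server maps the peer's uid, not its gid. `do_bind` continues past the end of the hunk.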
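Review bot: In the dsinstance.py hunk at line 1258 the comment above the new `conn.external_bind()` call still says the connection is made "as Directory Manager", but the bind identity is now whatever the effective user happens to be instead of the literal 'root' the old call requested, and nothing in the hunk checks that the euid is root before the `nsSSLClientAuth`/`nsSSL3Ciphers` modification of the server config that follows. Presumably the LDAPI autobind mapping is what turns root's euid into Directory Manager, so I would either guard the call with an explicit `os.geteuid() == 0` check or reword the comment to match what the code does: `# Connect to self over ldapi as the effective user (root); autobind maps it to Directory Manager`. The enclosing method runs past both edges of the hunk.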
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 0ebcc35..def5e58 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -362,8 +362,7 @@ class Backup(admintool.AdminTool): realm=api.env.realm) try: - pw_name = pwd.getpwuid(os.geteuid()).pw_name - self._conn.do_external_bind(pw_name) + self._conn.external_bind() except Exception as e: self.log.error("Unable to bind to LDAP server %s: %s" % (self._conn.host, e)) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index ae0b28f..ea69cc7 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -441,8 +441,7 @@ class Restore(admintool.AdminTool): realm=api.env.realm) try: - pw_name = pwd.getpwuid(os.geteuid()).pw_name - self._conn.do_external_bind(pw_name) + self._conn.external_bind() except Exception as e: raise admintool.ScriptError('Unable to bind to LDAP server: %s' % e) diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index 5f8eb79..759341b 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py @@ -51,7 +51,7 @@ UPDATES_DIR=paths.UPDATES_DIR UPDATE_SEARCH_TIME_LIMIT = 30 # seconds -def connect(ldapi=False, realm=None, fqdn=None, dm_password=None, pw_name=None): +def connect(ldapi=False, realm=None, fqdn=None, dm_password=None): """Create a connection for updates""" if ldapi: conn = ipaldap.IPAdmin(ldapi=True, realm=realm, decode_attrs=False) @@ -64,7 +64,7 @@ def connect(ldapi=False, realm=None, fqdn=None, dm_password=None, pw_name=None): elif os.getegid() == 0: try: # autobind - conn.do_external_bind(pw_name) + conn.external_bind() except errors.NotFound: # Fall back conn.do_sasl_gssapi_bind() diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 5e1b113..1a0deb4 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
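Review bot: Dropping the `pw_name` keyword from `ldapupdate.connect()` changes a module-level signature: any caller still passing `pw_name=` now fails with a `TypeError` instead of having the value ignored, and this patch updates no call site of `connect`. If nothing in tree passes it this is fine, but an out-of-tree updater script would break, so keeping it as an ignored, deprecated keyword for one release is the gentler path: `def connect(ldapi=False, realm=None, fqdn=None, dm_password=None, pw_name=None):` with `# pw_name is ignored: external_bind() always binds as the effective user`. The docstring `"""Create a connection for updates"""` could also state what the visible branch does — with ldapi and egid 0 it autobinds and falls back to GSSAPI on `errors.NotFound`. The rest of `connect` is outside the hunk.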
@@ -1740,7 +1740,7 @@ class CAReplicationManager(ReplicationManager): def __init__(self, realm, hostname): # Always connect to self over ldapi conn = ipaldap.IPAdmin(hostname, ldapi=True, realm=realm) - conn.do_external_bind('root') + conn.external_bind() super(CAReplicationManager, self).__init__( realm, hostname, None, port=DEFAULT_PORT, conn=conn) self.db_suffix = DN(('o', 'ipaca')) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 0015a8c..68af0a3 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -6,7 +6,6 @@ from __future__ import print_function import os import pickle -import pwd import random import shutil import sys @@ -991,7 +990,7 @@ def uninstall_check(installer): ldapi=True, realm=api.env.realm ) - conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name) + conn.external_bind() api.Backend.ldap2.connect(autobind=True) domain_level = dsinstance.get_domain_level(api) except Exception: diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index 1b90573..9d7c8cc 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py @@ -28,7 +28,6 @@ Backend plugin for LDAP. # everything except the CrudBackend methods, where dn is part of the entry dict. import os -import pwd import ldap as _ldap @@ -181,9 +180,7 @@ class ldap2(CrudBackend, LDAPClient): client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: - pw_name = pwd.getpwuid(os.geteuid()).pw_name - client.external_bind(pw_name, - server_controls=serverctrls, + client.external_bind(server_controls=serverctrls, client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED:
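Review bot: The ldap2.py hunk has the same uid/gid disagreement as `IPAdmin.do_bind`: the branch is entered on `os.getegid() == 0`, but `client.external_bind()` now sends the name of `os.geteuid()`, so a root-group, non-root-uid process attempts autobind with a name the server's peer-credential check will not match and only lands in the `errors.NotFound` fallback if the server reports that particular error. I would make the gate match what is sent, `elif autobind != AUTOBIND_DISABLED and os.geteuid() == 0 and ldapi:`, or document above the branch why gid is the intended check. The hunk also removes `import pwd` from ldap2.py; I cannot see the rest of the module, so please confirm no other use of `pwd` remains. The enclosing `create_connection` body runs past both edges of the hunk.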