From 922062eb559d1bb82a9d787763aacb31c0cf9b8d Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Nov 07 2016 10:34:03 +0000 Subject: install tools: ldap conn management * ipca-ca-install: Use a single ldap connection for the entire script. Connecting with ccache in promote is not needed. * ipa-cacert-manage: Always connect to ldap, since renew and install are the only options and renew seems to need ldap connection even for self signed certificates. * ipa-compat-manage: Use one ldap connection for the entire script. Replaced try-finally with proper disconnect, code block reindented. * ipa-csreplica-manage: Properly establish and close the ldap connection. * ipa-dns-install: Proper connect, disconnect to ldap. * ipa-kra-install: Proper connect/disconnect for install and uninstall. * ipa-ldap-update: Proper connect and disconnect to ldap. * ipa-nis-manage: Proper connect/disconnect for ldap. Try-finally removed and code block reindented. * ipa-replica-manage: Proper connect/disconnect to ldap. * ipa-replica-prepare: Connect added to validate_options(), where api is initialized and disconnected added at the end of run. Reconnect in ask_for_options() to validate directory manager password. * ipa-server-certinstall: Use api.Backend.ldap2 for ldap connections. * ipa-server-upgrade: Connect to and disconnect from api.Backend.ldap2. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti Reviewed-By: Jan Cholasta --- diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 2d24948..079773d 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -33,7 +33,6 @@ from ipaserver.install import cainstance, custodiainstance, service from ipapython import version from ipalib import api from ipalib.constants import DOMAIN_LEVEL_0 -from ipapython.dn import DN from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipaplatform.paths import paths 
@@ -156,17 +155,13 @@ def install_replica(safe_options, options, filename): REPLICA_INFO_TOP_DIR = config.top_dir config.setup_ca = True - conn = api.Backend.ldap2 - conn.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=dirman_password) - if config.subject_base is None: - attrs = conn.get_ipa_config() + attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] if config.master_host_name is None: config.ca_host_name = \ - service.find_providing_server('CA', conn, api.env.ca_host) + service.find_providing_server('CA', api.Backend.ldap2, api.env.ca_host) config.master_host_name = config.ca_host_name else: config.ca_host_name = config.master_host_name @@ -216,9 +211,6 @@ def install_master(safe_options, options): if dm_password is None: sys.exit("Directory Manager password required") - api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=dm_password) - config = api.Command['config_show']()['result'] subject_base = config['ipacertificatesubjectbase'][0] @@ -262,10 +254,7 @@ def promote(safe_options, options, filename): paths.KRB5_KEYTAB, ccache) - conn = api.Backend.ldap2 - conn.connect(ccache=ccache) - ca_host = service.find_providing_server('CA', conn) - conn.disconnect() + ca_host = service.find_providing_server('CA', api.Backend.ldap2) if ca_host is None: install_master(safe_options, options) else: @@ -294,6 +283,7 @@ def main(): # functional dogtag backend plugins during CA install api.bootstrap(in_server=True, ra_plugin='dogtag') api.finalize() + api.Backend.ldap2.connect() domain_level = dsinstance.get_domain_level(api) if domain_level > DOMAIN_LEVEL_0: @@ -305,6 +295,8 @@ def main(): ipautil.run(['ipactl', 'start', '--ignore-service-failures'], raiseonerr=False) + api.Backend.ldap2.disconnect() + fail_message = ''' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. 
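Review bot: The `api.Backend.ldap2.disconnect()` added at the end of `main()` (last hunk on this line) runs only on the success path; any exception raised by the install steps between the new `api.Backend.ldap2.connect()` and it propagates with the connection still open, which is exactly the case the `fail_message` below is printed for. The shape used by ipa_cacert_manage.py in this same commit — `connect()` before a `try:`, `disconnect()` in `finally:` — would close it on both paths, and the same connect-at-top/unconditional-disconnect pattern recurs in ipa-compat-manage, ipa-csreplica-manage, ipa-dns-install, ipa-managed-entries, ipa-nis-manage, ipa-replica-manage, KRAUninstaller.run/KRAInstaller.run, both LDAPUpdater run() methods, ReplicaPrepare.run, ServerCertInstall.run and ServerUpgrade.run. Separately, `install_master()` still exits with "Directory Manager password required" but `dm_password` no longer reaches any bind: the only connect is now the argument-less call in `main()`, so the bind identity presumably comes from the backend's autobind default for a root-run installer; a one-line comment at that call, `# root-run installer: rely on ldapi autobind`, would make the assumption visible. `main()` continues outside these hunks.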
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index 178cef9..905495f 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -28,7 +28,6 @@ try: from ipapython import ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate - from ipaserver.plugins.ldap2 import ldap2 from ipalib import api, errors from ipapython.ipa_log_manager import standard_logging_setup from ipapython.dn import DN @@ -69,14 +68,14 @@ def get_dirman_password(): return password -def get_entry(dn, conn): +def get_entry(dn): """ Return the entry for the given DN. If the entry is not found return None. """ entry = None try: - entry = conn.get_entry(dn) + entry = api.Backend.ldap2.get_entry(dn) except errors.NotFound: pass return entry 
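Review bot: `get_entry()` in ipa-compat-manage now depends on `api.Backend.ldap2` already being connected by the caller, but its docstring still describes only the lookup; a line such as `Requires api.Backend.ldap2 to be connected; the caller owns the connection.` would put the precondition at the definition. The identical helper in ipa-nis-manage (hunk @@ -71,14 later in this diff) has the same gap.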
@@ -105,98 +104,85 @@ def main(): api.bootstrap(context='cli', in_server=True, debug=options.debug) api.finalize() + api.Backend.ldap2.connect() - conn = None - try: + if args[0] == "status": + entry = None + try: + entry = get_entry(compat_dn) + if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': + print("Plugin Enabled") + else: + print("Plugin Disabled") + except errors.LDAPError as lde: + print("An error occurred while talking to the server.") + print(lde) + + if args[0] == "enable": + entry = None try: - conn = ldap2(api) - conn.connect( - bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password - ) + entry = get_entry(compat_dn) + if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': + print("Plugin already Enabled") + retval = 2 + else: + print("Enabling plugin") + + if entry is None: + ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) + if not ld.update(files): + print("Updating Directory Server failed.") + retval = 1 + else: + entry['nsslapd-pluginenabled'] = ['on'] + api.Backend.ldap2.update_entry(entry) except errors.ExecutionError as lde: - sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde)) - except errors.ACIError as e: - sys.exit("Authentication failed: %s" % e.info) + print("An error occurred while talking to the server.") + print(lde) + retval = 1 - if args[0] == "status": - entry = None - try: - entry = get_entry(compat_dn, conn) - if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': - print("Plugin Enabled") - else: - print("Plugin Disabled") - except errors.LDAPError as lde: - print("An error occurred while talking to the server.") - print(lde) + elif args[0] == "disable": + entry = None + try: + entry = get_entry(nis_config_dn) + # We can't disable schema compat if the NIS plugin is enabled + if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': + print("The NIS plugin is 
configured, cannot disable compatibility.", file=sys.stderr) + print("Run 'ipa-nis-manage disable' first.", file=sys.stderr) + retval = 2 + except errors.ExecutionError as lde: + print("An error occurred while talking to the server.") + print(lde) + retval = 1 - if args[0] == "enable": + if retval == 0: entry = None try: - entry = get_entry(compat_dn, conn) - if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': - print("Plugin already Enabled") + entry = get_entry(compat_dn) + if entry is None or entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': + print("Plugin is already disabled") retval = 2 else: - print("Enabling plugin") - - if entry is None: - ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}) - if not ld.update(files): - print("Updating Directory Server failed.") - retval = 1 - else: - entry['nsslapd-pluginenabled'] = ['on'] - conn.update_entry(entry) - except errors.ExecutionError as lde: + print("Disabling plugin") + + entry['nsslapd-pluginenabled'] = ['off'] + api.Backend.ldap2.update_entry(entry) + except errors.DatabaseError as dbe: print("An error occurred while talking to the server.") - print(lde) + print(dbe) retval = 1 - - elif args[0] == "disable": - entry = None - try: - entry = get_entry(nis_config_dn, conn) - # We can't disable schema compat if the NIS plugin is enabled - if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': - print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr) - print("Run 'ipa-nis-manage disable' first.", file=sys.stderr) - retval = 2 except errors.ExecutionError as lde: print("An error occurred while talking to the server.") print(lde) retval = 1 - if retval == 0: - entry = None - try: - entry = get_entry(compat_dn, conn) - if entry is None or entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': - print("Plugin is already disabled") - retval = 2 - else: - print("Disabling plugin") - - 
entry['nsslapd-pluginenabled'] = ['off'] - conn.update_entry(entry) - except errors.DatabaseError as dbe: - print("An error occurred while talking to the server.") - print(dbe) - retval = 1 - except errors.ExecutionError as lde: - print("An error occurred while talking to the server.") - print(lde) - retval = 1 - - else: - retval = 1 + else: + retval = 1 - if retval == 0: - print("This setting will not take effect until you restart Directory Server.") + if retval == 0: + print("This setting will not take effect until you restart Directory Server.") - finally: - if conn and conn.isconnected(): - conn.disconnect() + api.Backend.ldap2.disconnect() return retval diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 85b55d1..fd384d6 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -439,8 +439,7 @@ def main(): options.dirman_passwd = dirman_passwd - api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=options.dirman_passwd) + api.Backend.ldap2.connect(bind_pw=options.dirman_passwd) if args[0] == "list": replica = None @@ -485,6 +484,8 @@ def main(): replica = args[1] set_renewal_master(realm, replica) + api.Backend.ldap2.disconnect() + try: main() except KeyboardInterrupt: diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 05bd315..99a1399 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -140,8 +140,7 @@ def main(): ) api.bootstrap(**cfg) api.finalize() - - api.Backend.ldap2.connect(autobind=True) + api.Backend.ldap2.connect() options.setup_ca = None # must be None to enable autodetection @@ -159,6 +158,8 @@ def main(): ipautil.run(['ipactl', 'start', '--ignore-service-failures'], raiseonerr=False) + api.Backend.ldap2.disconnect() + return 0 if __name__ == '__main__': diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries index 691811e..5761020 100755 
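Review bot: `main()` in ipa-compat-manage (this hunk starts three lines up) now calls `api.Backend.ldap2.connect()` with no credentials, although the script still obtains `dirman_password` and passes it to `LDAPUpdate(dm_password=dirman_password, sub_dict={})`, and the sibling ipa-nis-manage in this same commit binds with `connect(bind_pw=dirman_password)`. Whoever the argument-less call binds as depends on the backend's autobind default, so the write to `nsslapd-pluginenabled` may now run under a different identity than before; `api.Backend.ldap2.connect(bind_pw=dirman_password)` would keep the two tools consistent. The removed `except errors.ExecutionError` / `except errors.ACIError` handlers that wrapped the old connect are not re-established around the new call, so a connection or authentication failure now surfaces as a traceback rather than the former one-line exit message. ipa-csreplica-manage and ipa-dns-install on this line drop `bind_dn` and `autobind=True` respectively and presumably rely on the same backend defaults; fine if intended, but worth a short comment at each call site.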
--- a/install/tools/ipa-managed-entries +++ b/install/tools/ipa-managed-entries @@ -24,10 +24,9 @@ import re import sys from optparse import OptionParser -from ipapython import config, ipaldap +from ipapython import config from ipaserver.install import installutils from ipalib import api, errors -from ipalib.constants import CACERT from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipapython.dn import DN @@ -73,9 +72,9 @@ def main(): sys.exit("Unrecognized action [" + args[0] + "]") standard_logging_setup(None, debug=options.debug) - host = installutils.get_fqdn() api.bootstrap(context='cli', debug=options.debug) api.finalize() + api.Backend.ldap2.connect(bind_pw=options.dirman_password) managed_entry_definitions_dn = DN( ('cn', 'Definitions'), 
@@ -84,39 +83,14 @@ def main(): api.env.basedn ) - conn = None - try: - filter = '(objectClass=extensibleObject)' - ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT) - conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT) - - if options.dirman_password: - try: - conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, - bind_password=options.dirman_password) - except errors.ACIError: - sys.exit("Invalid credentials") - else: - conn.gssapi_bind() - except errors.ACIError: - dirman_password = get_dirman_password() - if dirman_password is None: - sys.exit("Directory Manager password required") - try: - conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN, - bind_password=dirman_password) - except errors.ACIError: - sys.exit("Invalid credentials") - except errors.ExecutionError as lde: - sys.exit("An error occurred while connecting to the server.\n%s\n" % - str(lde)) + filter = '(objectClass=extensibleObject)' if options.list_managed_entries: # List available Managed Entry Plugins managed_entries = None try: - entries = conn.get_entries( - managed_entry_definitions_dn, conn.SCOPE_SUBTREE, filter) + entries = api.Backend.ldap2.get_entries( + managed_entry_definitions_dn, api.Backend.ldap2.SCOPE_SUBTREE, filter) except Exception as e: root_logger.debug("Search for managed entries failed: %s" % str(e)) sys.exit("Unable to find managed entries at %s" % managed_entry_definitions_dn) @@ -135,7 +109,7 @@ def main(): disabled = True try: - entry = conn.get_entry(def_dn) + entry = api.Backend.ldap2.get_entry(def_dn) disable_attr = '(objectclass=disable)' try: org_filter = entry.single_value.get('originfilter') @@ -165,7 +139,7 @@ def main(): enable_attr = org_filter.replace(disable_attr, '') #enable_attr = {'originfilter': enable_attr} entry['originfilter'] = [enable_attr] - conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) print("Enabling Plugin") retval = 0 except errors.NotFound: 
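Review bot: The replacement `api.Backend.ldap2.connect(bind_pw=options.dirman_password)` (in the @@ -73,9 hunk on the previous line; the removed code is in this one) drops the old credential fallback, in which a GSSAPI bind that failed with `errors.ACIError` led to an interactive Directory Manager prompt via `get_dirman_password()`, and a wrong password exited with "Invalid credentials". With the new call, a missing `--dirman-password` passes `bind_pw=None` and what the backend does then is not visible here, while no `ACIError` handler remains in the hunk, so a wrong password presumably ends in a traceback; `get_dirman_password()` also looks unused after this change unless it is called elsewhere in the file. If the fallback is intentionally dropped it deserves a mention (the commit message does not list ipa-managed-entries); otherwise wrap the connect in `try: ... except errors.ACIError: sys.exit("Invalid credentials")`. Minor: the re-added `filter = '(objectClass=extensibleObject)'` shadows the builtin; `search_filter` would avoid it. `main()` continues outside this hunk.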
@@ -189,7 +163,7 @@ def main(): else: disable_attr = '(&%s(%s))' % (disable_attr, org_filter) entry['originfilter'] = [disable_attr] - conn.update_entry(entry) + api.Backend.ldap2.update_entry(entry) print("Disabling Plugin") except errors.NotFound: print("Plugin is already disabled") @@ -206,6 +180,8 @@ def main(): else: retval = 1 + api.Backend.ldap2.disconnect() + return retval if __name__ == '__main__': diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 64de9e8..b72e273 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -29,7 +29,6 @@ try: from ipapython import ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate - from ipaserver.plugins.ldap2 import ldap2 from ipalib import api, errors from ipapython.ipa_log_manager import standard_logging_setup from ipapython.dn import DN @@ -71,14 +70,14 @@ def get_dirman_password(): return password -def get_entry(dn, conn): +def get_entry(dn): """ Return the entry for the given DN. If the entry is not found return None. """ entry = None try: - entry = conn.get_entry(dn) + entry = api.Backend.ldap2.get_entry(dn) except errors.NotFound: pass return entry 
@@ -118,100 +117,87 @@ def main(): api.bootstrap(context='cli', debug=options.debug, in_server=True) api.finalize() + api.Backend.ldap2.connect(bind_pw=dirman_password) - conn = None - try: + if args[0] == "enable": + compat = get_entry(compat_dn) + if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': + sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable") + entry = None try: - conn = ldap2(api) - conn.connect( - bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password - ) + entry = get_entry(nis_config_dn) except errors.ExecutionError as lde: - sys.exit("An error occurred while connecting to the server: %s" % str(lde)) - except errors.AuthorizationError: - sys.exit("Incorrect password") + print("An error occurred while talking to the server.") + print(lde) + retval = 1 - if args[0] == "enable": - compat = get_entry(compat_dn, conn) - if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': - sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable") - entry = None - try: - entry = get_entry(nis_config_dn, conn) - except errors.ExecutionError as lde: - print("An error occurred while talking to the server.") - print(lde) - retval = 1 + # Enable either the portmap or rpcbind service + portmap = services.knownservices.portmap + rpcbind = services.knownservices.rpcbind - # Enable either the portmap or rpcbind service - portmap = services.knownservices.portmap - rpcbind = services.knownservices.rpcbind - - if portmap.is_installed(): - portmap.enable() - servicemsg = portmap.service_name - elif rpcbind.is_installed(): - rpcbind.enable() - servicemsg = rpcbind.service_name - else: - print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name)) - retval = 3 - - # The cn=config entry for the plugin may already exist but it - # could be turned off, handle both cases. 
- if entry is None: - print("Enabling plugin") - ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True) - if ld.update(files) != True: - retval = 1 - elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': - print("Enabling plugin") - # Already configured, just enable the plugin - entry['nsslapd-pluginenabled'] = ['on'] - conn.update_entry(entry) - else: - print("Plugin already Enabled") - retval = 2 - - elif args[0] == "disable": - try: - entry = conn.get_entry(nis_config_dn, ['nsslapd-pluginenabled']) - entry['nsslapd-pluginenabled'] = ['off'] - conn.update_entry(entry) - except (errors.NotFound, errors.EmptyModlist): - print("Plugin is already disabled") - retval = 2 - except errors.LDAPError as lde: - print("An error occurred while talking to the server.") - print(lde) + if portmap.is_installed(): + portmap.enable() + servicemsg = portmap.service_name + elif rpcbind.is_installed(): + rpcbind.enable() + servicemsg = rpcbind.service_name + else: + print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name)) + retval = 3 + + # The cn=config entry for the plugin may already exist but it + # could be turned off, handle both cases. 
+ if entry is None: + print("Enabling plugin") + ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True) + if ld.update(files) != True: retval = 1 + elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': + print("Enabling plugin") + # Already configured, just enable the plugin + entry['nsslapd-pluginenabled'] = ['on'] + api.Backend.ldap2.update_entry(entry) + else: + print("Plugin already Enabled") + retval = 2 - elif args[0] == "status": - nis_entry = get_entry(nis_config_dn, conn) - enabled = (nis_entry and - nis_entry.get( - 'nsslapd-pluginenabled', '')[0].lower() == "on") - if enabled: - print("Plugin is enabled") - retval = 0 - else: - print("Plugin is not enabled") - retval = 4 + elif args[0] == "disable": + try: + entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled']) + entry['nsslapd-pluginenabled'] = ['off'] + api.Backend.ldap2.update_entry(entry) + except (errors.NotFound, errors.EmptyModlist): + print("Plugin is already disabled") + retval = 2 + except errors.LDAPError as lde: + print("An error occurred while talking to the server.") + print(lde) + retval = 1 + elif args[0] == "status": + nis_entry = get_entry(nis_config_dn) + enabled = (nis_entry and + nis_entry.get( + 'nsslapd-pluginenabled', '')[0].lower() == "on") + if enabled: + print("Plugin is enabled") + retval = 0 else: - retval = 1 + print("Plugin is not enabled") + retval = 4 - if retval == 0: - if args[0] in {"enable", "disable"}: - print("This setting will not take effect until you restart " - "Directory Server.") + else: + retval = 1 + + if retval == 0: + if args[0] in {"enable", "disable"}: + print("This setting will not take effect until you restart " + "Directory Server.") - if args[0] == "enable": - print("The %s service may need to be started." % servicemsg) + if args[0] == "enable": + print("The %s service may need to be started." 
% servicemsg) - finally: - if conn and conn.isconnected(): - conn.disconnect() + api.Backend.ldap2.disconnect() return retval diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 945d421..48a28bd 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -1537,11 +1537,7 @@ def main(options, args): options.dirman_passwd = dirman_passwd # Initialize the LDAP connection - if options.dirman_passwd: - api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=options.dirman_passwd) - else: - api.Backend.ldap2.connect() + api.Backend.ldap2.connect(bind_pw=options.dirman_passwd) if args[0] == "list": replica = None @@ -1611,6 +1607,8 @@ def main(options, args): set_DNA_range(args[1], args[2], realm, dirman_passwd, next_range=True, nolookup=options.nolookup) + api.Backend.ldap2.disconnect() + try: options, args = parse_options() main(options, args) diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index 859c254..af08ba6 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -96,14 +96,11 @@ class CACertManage(admintool.AdminTool): def run(self): command = self.command - options = self.options api.bootstrap(in_server=True) api.finalize() - if ((command == 'renew' and options.external_cert_files) or - command == 'install'): - self.ldap_connect() + self.ldap_connect() try: if command == 'renew': @@ -111,8 +108,7 @@ class CACertManage(admintool.AdminTool): elif command == 'install': rc = self.install() finally: - if api.Backend.ldap2.isconnected(): - api.Backend.ldap2.disconnect() + api.Backend.ldap2.disconnect() return rc 
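Review bot: The `except errors.ExecutionError` and `except errors.AuthorizationError: sys.exit("Incorrect password")` handlers that wrapped the old connect in ipa-nis-manage are gone and the new `api.Backend.ldap2.connect(bind_pw=dirman_password)` at the top of this hunk is unguarded, so a wrong password or unreachable server now raises through `main()` instead of producing the former exit message. Re-wrapping the call, `try: api.Backend.ldap2.connect(bind_pw=dirman_password)` / `except errors.AuthorizationError: sys.exit("Incorrect password")`, keeps the old behaviour. The `sys.exit("The compat plugin needs to be enabled: ...")` path now leaves the connection open as well, since the `finally` that closed it was removed. In ipa-replica-manage the collapsed `api.Backend.ldap2.connect(bind_pw=options.dirman_passwd)` passes `None` where the old code called `connect()` without arguments; presumably the backend treats a falsy `bind_pw` the same way, but that is worth a one-line comment at the call if `dirman_passwd` can still be unset there.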
@@ -132,8 +128,7 @@ class CACertManage(admintool.AdminTool): raise admintool.ScriptError( "Directory Manager password required") - api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password) - + api.Backend.ldap2.connect(bind_pw=password) def renew(self): ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index 8801e30..4f24d58 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -28,7 +28,6 @@ from ipalib.constants import DOMAIN_LEVEL_0 from ipaplatform.paths import paths from ipapython import admintool from ipapython import ipautil -from ipapython.dn import DN from ipaserver.install import service from ipaserver.install import cainstance from ipaserver.install import krainstance @@ -106,7 +105,9 @@ class KRAUninstaller(KRAInstall): def run(self): super(KRAUninstaller, self).run() + api.Backend.ldap2.connect() kra.uninstall(True) + api.Backend.ldap2.disconnect() class KRAInstaller(KRAInstall): @@ -181,9 +182,7 @@ class KRAInstaller(KRAInstall): self.options.dm_password = self.options.password self.options.setup_ca = False - conn = api.Backend.ldap2 - conn.connect(bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=self.options.password) + api.Backend.ldap2.connect() config = None if self.installing_replica: @@ -204,12 +203,12 @@ class KRAInstaller(KRAInstall): self.options) if config.subject_base is None: - attrs = conn.get_ipa_config() + attrs = api.Backend.ldap2.get_ipa_config() config.subject_base = attrs.get('ipacertificatesubjectbase')[0] if config.master_host_name is None: - config.kra_host_name = \ - service.find_providing_server('KRA', conn, api.env.ca_host) + config.kra_host_name = service.find_providing_server( + 'KRA', api.Backend.ldap2, api.env.ca_host) config.master_host_name = config.kra_host_name else: config.kra_host_name = config.master_host_name 
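Review bot: `KRAInstaller.run()` now opens the connection with a bare `api.Backend.ldap2.connect()`, while the removed lines bound explicitly as Directory Manager with `self.options.password`, which the installer still collects (`self.options.dm_password = self.options.password` two lines above). The identity of the new connection therefore depends on the backend's autobind default rather than on the supplied password; if relying on the root/LDAPI autobind is the intent, say so in a comment at the call, otherwise `api.Backend.ldap2.connect(bind_pw=self.options.password)` preserves the previous binding. `KRAUninstaller.run()` in the hunk above has the same shape. The body of `KRAInstaller.run()` continues past this hunk.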
@@ -226,3 +225,5 @@ class KRAInstaller(KRAInstall): except: self.log.error(dedent(self.FAIL_MESSAGE)) raise + + api.Backend.ldap2.disconnect() diff --git a/ipaserver/install/ipa_ldap_updater.py b/ipaserver/install/ipa_ldap_updater.py index 8b64826..e6e6b5a 100644 --- a/ipaserver/install/ipa_ldap_updater.py +++ b/ipaserver/install/ipa_ldap_updater.py @@ -101,6 +101,7 @@ class LDAPUpdater_Upgrade(LDAPUpdater): def run(self): super(LDAPUpdater_Upgrade, self).run() + api.Backend.ldap2.connect() options = self.options realm = api.env.realm @@ -120,12 +121,15 @@ class LDAPUpdater_Upgrade(LDAPUpdater): else: self.log.info('Update complete, no data were modified') + api.Backend.ldap2.disconnect() + class LDAPUpdater_NonUpgrade(LDAPUpdater): log_file_name = paths.IPAUPGRADE_LOG def run(self): super(LDAPUpdater_NonUpgrade, self).run() + api.Backend.ldap2.connect() options = self.options modified = False @@ -148,3 +152,5 @@ class LDAPUpdater_NonUpgrade(LDAPUpdater): self.log.info('Update complete') else: self.log.info('Update complete, no data were modified') + + api.Backend.ldap2.disconnect() diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 00e971c..e6699d8 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -34,7 +34,6 @@ from six.moves.configparser import SafeConfigParser from ipaserver.install import certs, installutils, bindinstance, dsinstance from ipaserver.install.replication import enable_replication_version_checking -from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install.bindinstance import ( add_zone, add_fwd_rr, add_ptr_rr, dns_container_exists) from ipapython import ipautil, admintool @@ -180,6 +179,8 @@ class ReplicaPrepare(admintool.AdminTool): api.bootstrap(in_server=True) api.finalize() + # Connect to LDAP, connection is closed at the end of run() + api.Backend.ldap2.connect() self.check_for_supported_domain_level() 
@@ -215,21 +216,18 @@ class ReplicaPrepare(admintool.AdminTool): "Directory Manager password required") # Try out the password & get the subject base + api.Backend.ldap2.disconnect() try: - conn = api.Backend.ldap2 - conn.connect(bind_dn=DN(('cn', 'directory manager')), - bind_pw=self.dirman_password) + api.Backend.ldap2.connect(bind_pw=self.dirman_password) - entry_attrs = conn.get_ipa_config() + entry_attrs = api.Backend.ldap2.get_ipa_config() self.subject_base = entry_attrs.get( 'ipacertificatesubjectbase', [None])[0] ca_enabled = api.Command.ca_is_enabled()['result'] - - conn.disconnect() except errors.ACIError: raise admintool.ScriptError("The password provided is incorrect " - "for LDAP server %s" % api.env.host) + "for LDAP server %s" % api.env.host) except errors.LDAPError: raise admintool.ScriptError( "Unable to connect to LDAP server %s" % api.env.host) @@ -279,13 +277,6 @@ class ReplicaPrepare(admintool.AdminTool): "record manually and then omit --ip-address option.") raise admintool.ScriptError("Cannot add DNS record") - disconnect = False - if not api.Backend.ldap2.isconnected(): - api.Backend.ldap2.connect( - bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=self.dirman_password) - disconnect = True - options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) @@ -297,9 +288,6 @@ class ReplicaPrepare(admintool.AdminTool): "--ip-address option." % zone) raise admintool.ScriptError("Cannot add DNS record") - if disconnect: - api.Backend.ldap2.disconnect() - self.http_pin = self.dirsrv_pin = self.pkinit_pin = None if options.http_cert_files: @@ -387,6 +375,9 @@ class ReplicaPrepare(admintool.AdminTool): if options.wait_for_dns: self.wait_for_dns() + # Close LDAP connection that was opened in validate_options() + api.Backend.ldap2.disconnect() + def copy_ds_certificate(self): options = self.options 
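Review bot: The comment added in `run()`, `# Close LDAP connection that was opened in validate_options()`, is slightly off: the first hunk on this line (in `ask_for_options()`, per the commit message) disconnects that connection and re-establishes one bound with `self.dirman_password`, so the handle closed here is the re-bound one; `# Close the LDAP connection re-established in ask_for_options() (first opened in validate_options())` states it accurately. It would also help to note at the reconnect that everything after it — the reverse-zone checks and `update_pki_admin_password()` — depends on that Directory Manager binding, since the earlier argument-less `connect()` may have bound differently. `run()` starts outside this hunk.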
@@ -498,11 +489,6 @@ class ReplicaPrepare(admintool.AdminTool): self.log.info("Adding DNS records for %s", self.replica_fqdn) name, domain = self.replica_fqdn.split(".", 1) - if not api.Backend.ldap2.isconnected(): - api.Backend.ldap2.connect( - bind_dn=DN(('cn', 'Directory Manager')), - bind_pw=self.dirman_password) - for reverse_zone in options.reverse_zones: self.log.info("Adding reverse zone %s", reverse_zone) add_zone(reverse_zone) @@ -658,14 +644,8 @@ class ReplicaPrepare(admintool.AdminTool): os.remove(agent_name) def update_pki_admin_password(self): - ldap = ldap2(api) - ldap.connect( - bind_dn=DN(('cn', 'directory manager')), - bind_pw=self.dirman_password - ) dn = DN('uid=admin', 'ou=people', 'o=ipaca') - ldap.modify_password(dn, self.dirman_password) - ldap.disconnect() + api.Backend.ldap2.modify_password(dn, self.dirman_password) def regenerate_ca_file(self, ca_file): dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password) diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index 7bc39e3..3c30876 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py @@ -101,10 +101,7 @@ class ServerCertInstall(admintool.AdminTool): def run(self): api.bootstrap(in_server=True) api.finalize() - - conn = api.Backend.ldap2 - conn.connect(bind_dn=DN(('cn', 'directory manager')), - bind_pw=self.options.dirman_password) + api.Backend.ldap2.connect(bind_pw=self.options.dirman_password) if self.options.dirsrv: self.install_dirsrv_cert() @@ -112,7 +109,7 @@ class ServerCertInstall(admintool.AdminTool): if self.options.http: self.install_http_cert() - conn.disconnect() + api.Backend.ldap2.disconnect() def install_dirsrv_cert(self): serverid = installutils.realm_to_serverid(api.env.realm) diff --git a/ipaserver/install/ipa_server_upgrade.py b/ipaserver/install/ipa_server_upgrade.py index c384704..f03f95a 100644 --- a/ipaserver/install/ipa_server_upgrade.py 
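Review bot: `update_pki_admin_password()` now calls `modify_password` on the shared `api.Backend.ldap2` instead of on a connection it bound itself as Directory Manager, so whether the password change on `uid=admin,ou=people,o=ipaca` is permitted depends on how the shared connection was bound at the time of the call (per the commit message, the Directory Manager re-bind happens in `ask_for_options()`). That coupling is invisible at this method; a docstring such as `Uses the shared api.Backend.ldap2 connection; relies on the Directory Manager binding established in ask_for_options().` would record it. The `add_zone()` loop in the hunk above lost its own `isconnected()`/connect guard and carries the same dependency.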
+++ b/ipaserver/install/ipa_server_upgrade.py @@ -40,6 +40,7 @@ class ServerUpgrade(admintool.AdminTool): api.bootstrap(in_server=True, context='updates') api.finalize() + api.Backend.ldap2.connect() try: server.upgrade_check(self.options) @@ -47,6 +48,8 @@ class ServerUpgrade(admintool.AdminTool): except RuntimeError as e: raise admintool.ScriptError(str(e)) + api.Backend.ldap2.disconnect() + def handle_error(self, exception): if not isinstance(exception, SystemExit): # do not log this message when ipa is not installed