#4953 Migration UI Does Not Work When Anonymous Bind is Disabled
Closed: Fixed None Opened 4 years ago by rangerrick.

I have migrated users from an old/broken FreeIPA server using Martin Kosek's recommendations here: http://news.gmane.org/find-root.php?message_id=550810EF.2030705%40redhat.com

My servers are on the public internet, so for obvious reasons I immediately disabled anonymous bind.

Now, everything is working except that the migration UI (at https://server/ipa/migration/) does not work when anonymous bind is disabled. I get the following message in HTTPD's error_log:

[Tue Mar 17 11:57:13.169949 2015] [:error] [pid 13589] ipa: ERROR: migration unable to get base dn

[Tue Mar 17 11:57:30.729802 2015] [:error] [pid 13588] ipa: ERROR: migration context search failed: Insufficient access: Inappropriate authentication: Anonymous access is not allowed.

FreeIPA version is ipa-server-4.1.0-18.el7.centos.x86_64


Thanks for report. I think this should not be a difficult fix. My initial suggestion from the thread:

I am CCing Peter Vobornik for the UI part. I think you are right. I quickly
checked the code, it indeed does an anonymous search and it also does not use
the CA certificate for TLS authentication when LDAPI is not available.

IMO, a ticket creation is due, to use IPA API object to get the basedn that is
read in the anonymous connection and to also use TLS when LDAPI is not available.

Quick workaround, if one does not want to wait for the fix:

Replace in /usr/share/ipa/migration/migration.py

def get_base_dn(ldap_uri):
    """
    Retrieve LDAP server base DN.
    """
    try:
        conn = IPAdmin(ldap_uri=ldap_uri)
        conn.do_simple_bind(DN(), '')
        base_dn = get_ipa_basedn(conn)
    except Exception, e:
        root_logger.error('migration context search failed: %s' % e)
        return ''
    finally:
        conn.unbind()

    return base_dn

with (with your base dn)

def get_base_dn(ldap_uri):
    return DN("dc=example,dc=com")

4.1.4 was released, moving to new milestone

master:

  • e5d179b migration: Use api.env variables.

ipa-4-2:

  • 6587782 migration: Use api.env variables.

ipa-4-1:

  • e40a6bc migration: Use api.env variables.

Metadata Update from @rangerrick:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.1.5

2 years ago

Login to comment on this ticket.

Metadata