On 23/11/15 10:09, Jan Cholasta wrote:
On 23.11.2015 08:53, David Kupka wrote:
On 20/11/15 08:29, Jan Cholasta wrote:
On 19.11.2015 17:28, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/5468
ipa-cacert-manage is not the only code which uses ldap2 this way.
It would be better to find the root cause of this rather than working
around it.
The root cause is that some scripts are creating custom connection to
LDAP and using api which is not connected to LDAP.
As we discussed personally ipa-cacert-manage and ipa-otptoken-import
have this issue.
Updated patch and new one for ipa-otptoken-import attached.
The patches do not apply on ipa-4-2.
You're right, rebased patches attached.
--
David Kupka
From 3525252cf6efc8a8f0328f0c6696bf558767a3c1 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 23 Nov 2015 06:38:17 +0000
Subject: [PATCH] ipa-cacert-renew: Fix connection to ldap.
https://fedorahosted.org/freeipa/ticket/5468
---
ipaserver/install/ipa_cacert_manage.py | 32 ++++++++++++++------------------
1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 01ec805fc2094326d119827b4358c143f45f3ec4..8790b7066d7641864f8d83c6339cd0a73c620be0 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -105,9 +105,7 @@ class CACertManage(admintool.AdminTool):
if ((command == 'renew' and options.external_cert_files) or
command == 'install'):
- self.conn = self.ldap_connect()
- else:
- self.conn = None
+ self.ldap_connect()
try:
if command == 'renew':
@@ -115,23 +113,21 @@ class CACertManage(admintool.AdminTool):
elif command == 'install':
rc = self.install()
finally:
- if self.conn is not None:
- self.conn.disconnect()
+ if api.Backend.ldap2.isconnected():
+ api.Backend.ldap2.disconnect()
return rc
def ldap_connect(self):
- conn = ldap2(api)
-
password = self.options.password
if not password:
try:
ccache = krbV.default_context().default_ccache()
- conn.connect(ccache=ccache)
+ api.Backend.ldap2.connect(ccache=ccache)
except (krbV.Krb5Error, errors.ACIError):
pass
else:
- return conn
+ return
password = installutils.read_password(
"Directory Manager", confirm=False, validate=False)
@@ -139,9 +135,8 @@ class CACertManage(admintool.AdminTool):
raise admintool.ScriptError(
"Directory Manager password required")
- conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
+ api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
- return conn
def renew(self):
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
@@ -202,9 +197,10 @@ class CACertManage(admintool.AdminTool):
"--external-cert-file=/path/to/external_ca_certificate")
def renew_external_step_2(self, ca, old_cert):
- print "Importing the renewed CA certificate, please wait"
+ print("Importing the renewed CA certificate, please wait")
options = self.options
+ conn = api.Backend.ldap2
cert_file, ca_file = installutils.load_external_cert(
options.external_cert_files, x509.subject_base())
@@ -273,21 +269,21 @@ class CACertManage(admintool.AdminTool):
except RuntimeError:
break
certstore.put_ca_cert_nss(
- self.conn, api.env.basedn, ca_cert, nickname, ',,')
+ conn, api.env.basedn, ca_cert, nickname, ',,')
dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
- entry = self.conn.get_entry(dn, ['usercertificate'])
+ entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [cert]
- self.conn.update_entry(entry)
+ conn.update_entry(entry)
except errors.NotFound:
- entry = self.conn.make_entry(
+ entry = conn.make_entry(
dn,
objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[self.cert_nickname],
usercertificate=[cert])
- self.conn.add_entry(entry)
+ conn.add_entry(entry)
except errors.EmptyModlist:
pass
@@ -362,7 +358,7 @@ class CACertManage(admintool.AdminTool):
try:
certstore.put_ca_cert_nss(
- self.conn, api.env.basedn, cert, nickname, trust_flags)
+ api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)
except ValueError, e:
raise admintool.ScriptError(
"Failed to install the certificate: %s" % e)
--
2.4.3
From 3d59089865aefec94326716504bef08d2bda414a Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 23 Nov 2015 07:48:40 +0000
Subject: [PATCH] ipa-otptoken-import: Fix connection to ldap.
https://fedorahosted.org/freeipa/ticket/5475
---
ipaserver/install/ipa_otptoken_import.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 386ca4273c413d9f6a121956d0db3f0c44fe5c24..9be44cfe677a7d33ce3ec7725e23fdbf8141190a 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -507,10 +507,9 @@ class OTPTokenImport(admintool.AdminTool):
api.bootstrap(in_server=True)
api.finalize()
- conn = ldap2(api)
try:
ccache = krbV.default_context().default_ccache()
- conn.connect(ccache=ccache)
+ api.Backend.ldap2.connect(ccache=ccache)
except (krbV.Krb5Error, errors.ACIError):
raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
@@ -525,7 +524,7 @@ class OTPTokenImport(admintool.AdminTool):
self.log.info("Added token: %s", keypkg.id)
keypkg.remove()
finally:
- conn.disconnect()
+ api.Backend.ldap2.disconnect()
# Write out the XML file without the tokens that succeeded.
self.doc.save(self.output)
--
2.4.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code