[Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 7 12:42:25 UTC 2011


On Fri, 02 Dec 2011, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> >Hi,
> >
> >This is patch proposal, I haven't checked it with multiple servers
> >setup yet.
> >
> >When discovering IPA LDAP servers through DNS records, look through all
> >servers found until first success. A master might not be available or
> >denied access due to anonymous binds disabled, for example, but
> >replica may succeed.
> >
> >Ticket #1827
> >https://fedorahosted.org/freeipa/ticket/1827
> 
> Needs a rebase.
> 
> This works fine but I wonder if someone specifies --server on the
> command-line if we should try only that server and fail if we can't
> connect. I can see someone using that so they can specify which
> server the client uses.
Rebase attached.

If --server is specified, DNS discovery is bypassed in search() and 
self.server will have the value of --server. That means the code I 
changed will still work as parse_items() accepts a single item as 
well.
-- 
/ Alexander Bokovoy
From bc441d8e6bc1e0007c4a6395f0a382980b8de36f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 7 Dec 2011 14:40:46 +0200
Subject: [PATCH] Check through all LDAP servers in the domain during IPA
 discovery

When discovering IPA LDAP servers through DNS records, look through all
servers found until first success. A master might not be available or
denied access but replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827
---
 ipa-client/ipaclient/ipadiscovery.py |   34 +++++++++++++++++++++++++---------
 1 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 94a04f39e70f6edf3874c036462c457f85f56c12..40fafbabfeccf1f90adb36a86dc5cfd0ae297329 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -25,7 +25,7 @@ import tempfile
 import ldap
 from ldap import LDAPError
 from ipapython.ipautil import run, CalledProcessError, valid_ip, get_ipa_basedn, \
-                              realm_to_suffix, format_netloc
+                              realm_to_suffix, format_netloc, parse_items
 
 
 NOT_FQDN = -1
@@ -170,19 +170,35 @@ class IPADiscovery:
         self.kdc = krbret[1]
 
         root_logger.debug("[ipacheckldap]")
-        # check ldap now
-        ldapret = self.ipacheckldap(self.server, self.realm)
+        # We may have received multiple servers corresponding to the domain
+        # Iterate through all of those to check if it is IPA LDAP server
+        servers = parse_items(self.server)
+        ldapret = [NOT_IPA_SERVER]
+        ldapaccess = True
+        for server in servers:
+            # check ldap now
+            ldapret = self.ipacheckldap(server, self.realm)
 
-        if ldapret[0] == 0:
-            self.server = ldapret[1]
-            self.realm = ldapret[2]
+            if ldapret[0] == 0:
+                self.server = ldapret[1]
+                self.realm = ldapret[2]
+                break
 
-        if ldapret[0] == NO_ACCESS_TO_LDAP and self.realm is None:
+            if ldapret[0] == NO_ACCESS_TO_LDAP:
+                ldapaccess = False
+
+        # If one of LDAP servers checked rejects access (may be anonymous
+        # bind is disabled), assume realm and basedn generated off domain.
+        # Note that in case ldapret[0] == 0 and ldapaccess == False (one of
+        # servers didn't provide access but another one succeeded), self.realm
+        # will be set already to a proper value above, self.basdn will be 
+        # initialized during the LDAP check itself and we'll skip these two checks.
+        if not ldapaccess and self.realm is None:
             # Assume realm is the same as domain.upper()
             self.realm = self.domain.upper()
             root_logger.debug("Assuming realm is the same as domain: %s" % self.realm)
 
-        if ldapret[0] == NO_ACCESS_TO_LDAP and self.basedn is None:
+        if not ldapaccess and self.basedn is None:
             # Generate suffix from realm
             self.basedn = realm_to_suffix(self.realm)
             root_logger.debug("Generate basedn from realm: %s" % self.basedn)
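Review bot: when no server in `servers` succeeds, `self.server` keeps the original comma-separated discovery result instead of a single host, because it is only reassigned on the `ldapret[0] == 0` branch; anything that later uses `self.server` as one hostname will see the whole list, so consider assigning the first entry (or None) on the no-success path. Since `ldapret` only retains the last server's result, a NO_ACCESS_TO_LDAP from the master is also lost once a later replica returns NOT_IPA_SERVER; logging each server's errno inside the loop would keep the failure sequence visible. Minor: the comment says `self.basdn` for `self.basedn` and "may be" should read "maybe".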
@@ -200,7 +216,7 @@ class IPADiscovery:
         Errno is an error number:
             0 means all ok
             1 means we could not check the info in LDAP (may happend when
-                anonymous binds are siabled)
+                anonymous binds are disabled)
             2 means the server is certainly not an IPA server
         """
 
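Review bot: while fixing "siabled" here, the context line just above still reads "may happend"; correct it to "may happen" in the same hunk so the docstring is fixed in one go.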
-- 
1.7.7.3
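As an added stand-alone model of the fallback this patch introduces (not FreeIPA's own code): ipacheckldap() is replaced by a constructed result table, and the parse_items and realm_to_suffix helpers are simplified assumptions about the real ipapython ones. Unlike the patch, the model returns None for the server when no candidate succeeds, and it records every server's errno so the master's access refusal is not hidden by a later replica result.

```python
NOT_IPA_SERVER = 2
NO_ACCESS_TO_LDAP = 1


def parse_items(text):
    """Split a comma-separated server list; a single name comes back as [name]."""
    return [item.strip() for item in text.split(",") if item.strip()]


def realm_to_suffix(realm):
    """Map a Kerberos realm to an LDAP base DN (assumed behaviour of the helper)."""
    return ",".join("dc=%s" % part for part in realm.lower().split("."))


def pick_ldap_server(servers, domain, check):
    """Try each discovered server until one is confirmed as an IPA LDAP server.

    check(server) returns (errno, server, realm) like ipacheckldap().
    Returns (server, realm, basedn, checked); `checked` records every
    (server, errno) pair so no failure is hidden by a later attempt.
    """
    checked = []
    chosen, realm, basedn = None, None, None
    access = True
    for server in parse_items(servers):
        errno, found_server, found_realm = check(server)
        checked.append((server, errno))
        if errno == 0:
            chosen, realm = found_server, found_realm
            break
        if errno == NO_ACCESS_TO_LDAP:
            access = False
    if chosen is None and not access:
        # Same fallback as the patch: anonymous binds refused and nothing
        # confirmed, so derive realm and basedn from the DNS domain.
        realm = domain.upper()
        basedn = realm_to_suffix(realm)
    return chosen, realm, basedn, checked


# Constructed results: the master refuses anonymous binds, the replica answers.
RESULTS = {
    "master.example.test": (NO_ACCESS_TO_LDAP, "master.example.test", None),
    "replica.example.test": (0, "replica.example.test", "EXAMPLE.TEST"),
}


def demo_check(server):
    """Stand-in for ipacheckldap(): unknown hosts count as NOT_IPA_SERVER."""
    return RESULTS.get(server, (NOT_IPA_SERVER, server, None))
```

Calling pick_ldap_server("master.example.test,replica.example.test", "example.test", demo_check) picks the replica, while a master-only list falls back to realm EXAMPLE.TEST and basedn dc=example,dc=test.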