[Freeipa-devel] freeipa is broken in Rawhide due to python-ldap 2.4.6

Rob Crittenden rcritten at redhat.com
Tue Jan 24 13:42:33 UTC 2012


Alexander Bokovoy wrote:
> Hi!
>
> Apparently, Rawhide has moved to python-ldap 2.4.6. This release
> breaks the freeipa build as EncodeControlTuples is not exposed (nor
> does it exist) in the 2.4 branch anymore. Thus, our make-lint fails.
>
> The build in Rawhide itself doesn't fail, as can be seen by
> freeipa-2.1.4-4.fc17, because we don't run make-lint during the build
> process. However, FreeIPA installation will fail as
> ipaserver/ipaldap.py tries to import the symbol which does not exist.
>
> The fix is simple, but before applying it under the one-liner rule, can
> someone explain to me what the purpose of using these control tuples
> symbols was? I've gone through the git history for ipaserver/ipaldap.py
> down to its initial version and, while the symbols were introduced, they
> were never used.
>
> diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
> index 4dca604..f69ebe6 100644
> --- a/ipaserver/ipaldap.py
> +++ b/ipaserver/ipaldap.py
> @@ -32,7 +32,7 @@ import time
>   import struct
>   import ldap.sasl
>   import ldapurl
> -from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
> +from ldap.controls import LDAPControl
>   from ldap.ldapobject import SimpleLDAPObject
>   from ipaserver import ipautil
>   from ipalib import errors
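
Review bot: the commit message should say that DecodeControlTuples goes away too, since the changed import line drops both names while the description only names EncodeControlTuples as missing from python-ldap 2.4. The hunk shows nothing but the import block, so before merging it is worth confirming that neither name is referenced anywhere else in ipaserver/ipaldap.py, and re-running make-lint against python-ldap 2.4.6, because the package build does not run it and a leftover use would only surface at install time. A space after the comma was already missing in the old line; the new single-name import sidesteps that.
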
>

This looks fine, ACK.

This dates back to 2007 when the project first started. We were having a 
heck of a time getting delegated TGTs working so we came up with a 
fallback mechanism using the LDAP proxy control.

Basically we would take the incoming principal, convert it into a DN, 
bind to LDAP using a client cert issued to the server during install, 
then execute this proxy control to "become" that user (and this code is 
still available in ipaldap.py now). As it turned out we didn't need 
these other two imports but they were never removed.

Fortunately we found the python GSSAPI code in the Apple calendar 
project and were able to package that (though we've long suffered under 
their horrible naming convention of calling it pyKerberos).

rob