[Freeipa-devel] [PATCH] 0153 ipa-ldap-updater does not work with hardened LDAP configuration

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 2 13:52:31 UTC 2014


When nsslapd-minssf is greater than 0, running as root
  ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.

The reason for this is that the schema updater doesn't get the ldapi flag passed
and attempts to connect to the LDAP port instead, and for hardened
configurations simple bind over LDAP is not enough.

Additionally, properly report previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468

Note that the ticket is in 'Future releases', but we have this bug in 3.3
and in my view it is serious enough to fix.
-- 
/ Alexander Bokovoy
-------------- next part --------------
From 03c9f67bf7855a9507a9ccf219a3bfeb9bb3ad1f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 2 Jul 2014 16:30:18 +0300
Subject: [PATCH] ipa-ldap-updater: make possible to use LDAPI with autobind in
 case of hardened LDAP configuration

When nsslapd-minssf is greater than 0, running as root
  ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.

The reason for this is that the schema updater doesn't get the ldapi flag passed and
attempts to connect to the LDAP port instead, and for hardened configurations
simple bind over LDAP is not enough.

Additionally, properly report previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468
---
 ipapython/ipaldap.py                  | 4 ++++
 ipaserver/install/ipa_ldap_updater.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 21706cf..c5bd08b 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1200,6 +1200,10 @@ class LDAPClient(object):
             pass
         except ldap.CONNECT_ERROR:
             raise errors.DatabaseError(desc=desc, info=info)
+        except ldap.UNWILLING_TO_PERFORM:
+            raise errors.DatabaseError(desc=desc, info=info)
+        except ldap.AUTH_UNKNOWN:
+            raise errors.ACIError(info='%s (%s)' % (info,desc))
         except ldap.LDAPError, e:
             if 'NOT_ALLOWED_TO_DELEGATE' in info:
                 raise errors.ACIError(
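Review bot: the two new handlers map server refusals to different IPA error classes without a comment explaining the choice: `except ldap.UNWILLING_TO_PERFORM:` becomes `errors.DatabaseError`, while `except ldap.AUTH_UNKNOWN:` becomes `errors.ACIError`. AUTH_UNKNOWN means the server does not recognise the requested authentication method, which is not an access-control decision, so ACIError is a surprising home for it; and if UNWILLING_TO_PERFORM is the code the hardened server returns when a simple bind over the LDAP port does not meet nsslapd-minssf (the case the commit message describes), a generic DatabaseError hides the actionable hint that the caller should use LDAPI or a protected transport. Consider a message that names that condition, and add a one-line comment above each clause. Both clauses are correctly placed before the catch-all `except ldap.LDAPError, e:`. Minor style: `(info,desc)` needs a space after the comma to match the surrounding code.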
diff --git a/ipaserver/install/ipa_ldap_updater.py b/ipaserver/install/ipa_ldap_updater.py
index fbbef14..18970ce 100644
--- a/ipaserver/install/ipa_ldap_updater.py
+++ b/ipaserver/install/ipa_ldap_updater.py
@@ -204,7 +204,8 @@ class LDAPUpdater_NonUpgrade(LDAPUpdater):
             modified = schemaupdate.update_schema(
                 options.schema_files,
                 dm_password=self.dirman_password,
-                live_run=not options.test) or modified
+                live_run=not options.test,
+                ldapi=options.ldapi) or modified
 
         if not self.files:
             self.files = ld.get_all_files(UPDATES_DIR)
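Review bot: `ldapi=options.ldapi` is now passed to `schemaupdate.update_schema`, but the diffstat touches only ipapython/ipaldap.py and this file, so the patch relies on update_schema already accepting an `ldapi` keyword; please confirm that signature (and that `dm_password` may be empty when root autobinds over LDAPI), otherwise the reported bind failure turns into a TypeError. Only `LDAPUpdater_NonUpgrade` is changed in this hunk; if any other updater code path calls update_schema, it needs the same flag for the hardened configuration, or the commit message should say why only the non-upgrade path is affected.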
-- 
1.9.3