[Freeipa-devel] [PATCH 0086] Migrate OTP import script to python-cryptography
Martin Babinsky
mbabinsk at redhat.com
Tue Sep 29 10:00:05 UTC 2015
On 09/25/2015 07:05 PM, Nathaniel McCallum wrote:
> On Fri, 2015-09-25 at 18:29 +0200, Martin Babinsky wrote:
>> On 09/25/2015 04:53 PM, Nathaniel McCallum wrote:
>>> On Mon, 2015-08-31 at 11:08 -0400, Nathaniel McCallum wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5192
>>>> --
>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Cod
>>>> e
>>>
>>> Attached patch rebases the previous patch for master.
>>>
>>> Nathaniel
>>>
>>>
>>>
>> Hi Nathaniel,
>>
>> pylint is not happy with your patches:
>>
>> """
>> ************* Module ipaserver.install.ipa_otptoken_import
>> ipaserver/install/ipa_otptoken_import.py:189:
>> [E1120(no-value-for-parameter), PBKDF2KeyDerivation.__init__] No
>> value
>> for argument 'backend' in constructor call)
>> ipaserver/install/ipa_otptoken_import.py:235:
>> [E1120(no-value-for-parameter), XMLDecryptor.__call__] No value for
>> argument 'backend' in constructor call)
>> """
>>
>> This is probably the reason for 2 of the otptoken_import tests to
>> fail
>> with TypeError, see http://fpaste.org/271526/31985721/
>
> Fixed.
>
Nathaniel,
I still get two failing tests (see http://fpaste.org/272526/14435143/).
I also noticed some other issues with OTP importing code, but those are
probably beyond the scope of your patch:
ipa-otptoken-import prints the following error when attempting to add
token to IPA:
Error adding token: no context.ldap2_140453224789456 in thread 'MainThread'
This is caused by incorrect creation of ldap2 connection in the 'run()'
method of 'ipa_otptoken_import.py'. I think we should connect to LDAP
directly using api.Backend.ldap2:
@@ -510,9 +510,8 @@ class OTPTokenImport(admintool.AdminTool):
api.bootstrap(in_server=True)
api.finalize()
- conn = ldap2(api)
try:
- conn.connect()
+ api.Backend.ldap2.connect()
except (gssapi.exceptions.GSSError, errors.ACIError):
raise admintool.ScriptError("Unable to connect to LDAP!
Did you kinit?")
@@ -527,7 +526,7 @@ class OTPTokenImport(admintool.AdminTool):
self.log.info("Added token: %s", keypkg.id)
keypkg.remove()
finally:
- conn.disconnect()
+ api.Backend.ldap2.disconnect()
# Write out the XML file without the tokens that succeeded.
self.doc.save(self.output)
However, this approach doesn't work when 'ipa-otptoken-import' is run as
root on IPA master: in this case ldap2 connects using autobind and does
not set principal in the context. This causes the logic which guesses
the token owner in 'otptoken_add' to explode violently
(http://fpaste.org/272543/35164611/).
Should I file a separate ticket for this issue?
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list