[Freeipa-devel] [PATCH 0086] Migrate OTP import script to python-cryptography

Martin Babinsky mbabinsk at redhat.com
Tue Sep 29 10:00:05 UTC 2015


On 09/25/2015 07:05 PM, Nathaniel McCallum wrote:
> On Fri, 2015-09-25 at 18:29 +0200, Martin Babinsky wrote:
>> On 09/25/2015 04:53 PM, Nathaniel McCallum wrote:
>>> On Mon, 2015-08-31 at 11:08 -0400, Nathaniel McCallum wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5192
>>>> --
>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>
>>> Attached patch rebases the previous patch for master.
>>>
>>> Nathaniel
>>>
>>>
>>>
>> Hi Nathaniel,
>>
>> pylint is not happy with your patches:
>>
>> """
>> ************* Module ipaserver.install.ipa_otptoken_import
>> ipaserver/install/ipa_otptoken_import.py:189:
>> [E1120(no-value-for-parameter), PBKDF2KeyDerivation.__init__] No
>> value
>> for argument 'backend' in constructor call)
>> ipaserver/install/ipa_otptoken_import.py:235:
>> [E1120(no-value-for-parameter), XMLDecryptor.__call__] No value for
>> argument 'backend' in constructor call)
>> """
>>
>> This is probably the reason for 2 of the otptoken_import tests to fail
>> with TypeError, see http://fpaste.org/271526/31985721/
>
> Fixed.
>

Nathaniel,

I still get two failing tests (see http://fpaste.org/272526/14435143/).

I also noticed some other issues with the OTP importing code, but those are 
probably beyond the scope of your patch:

ipa-otptoken-import prints the following error when attempting to add a 
token to IPA:

Error adding token: no context.ldap2_140453224789456 in thread 'MainThread'

This is caused by incorrect creation of ldap2 connection in the 'run()' 
method of 'ipa_otptoken_import.py'. I think we should connect to LDAP 
directly using api.Backend.ldap2:

@@ -510,9 +510,8 @@ class OTPTokenImport(admintool.AdminTool):
          api.bootstrap(in_server=True)
          api.finalize()

-        conn = ldap2(api)
          try:
-            conn.connect()
+            api.Backend.ldap2.connect()
          except (gssapi.exceptions.GSSError, errors.ACIError):
              raise admintool.ScriptError("Unable to connect to LDAP! 
Did you kinit?")

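Review bot: the except clause around `api.Backend.ldap2.connect()` catches only `gssapi.exceptions.GSSError` and `errors.ACIError`, so any other connection failure (for instance the directory server being unreachable) escapes as a raw traceback instead of the "Unable to connect to LDAP! Did you kinit?" ScriptError; consider catching the other ipalib connection errors here too, with a message that distinguishes a missing ticket from a server problem. This is also the hunk the message itself says misbehaves when run as root: `connect()` then autobinds and leaves no principal in the context, so a check that a principal was actually bound (raising a ScriptError asking for kinit or an explicit owner) belongs right after this call rather than letting the owner-guessing code in `otptoken_add` fail later.
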
@@ -527,7 +526,7 @@ class OTPTokenImport(admintool.AdminTool):
                      self.log.info("Added token: %s", keypkg.id)
                      keypkg.remove()
          finally:
-            conn.disconnect()
+            api.Backend.ldap2.disconnect()

          # Write out the XML file without the tokens that succeeded.
          self.doc.save(self.output)

However, this approach doesn't work when 'ipa-otptoken-import' is run as 
root on IPA master: in this case ldap2 connects using autobind and does 
not set principal in the context. This causes the logic which guesses 
the token owner in 'otptoken_add' to explode violently 
(http://fpaste.org/272543/35164611/).

Should I file a separate ticket for this issue?

-- 
Martin^3 Babinsky
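
The autobind failure described above (no principal in the context when the script runs as root, so the owner-guessing logic has nothing to work from) is a case a practitioner would want handled with a clear error rather than a traceback. The following is an added, stand-alone illustration, not FreeIPA's own code: the names `resolve_token_owner`, `principal_to_uid` and `NoOwnerError` are hypothetical, and it assumes the bound principal is handed in as a plain string such as `admin@EXAMPLE.COM`, or `None` when the connection was made via autobind.

```python
"""Added example (not FreeIPA code): pick the owner for an imported OTP token
from the bound principal, and fail clearly when there is none.

Assumption (hypothetical, not from the thread): the caller passes the
principal the LDAP connection was bound as, or None for an autobind
connection (the situation when ipa-otptoken-import runs as root on a master).
"""
from typing import Optional


class NoOwnerError(Exception):
    """Raised when no usable token owner can be determined."""


def principal_to_uid(principal: str) -> str:
    """Map a Kerberos user principal 'uid@REALM' to 'uid'.

    Service principals such as 'host/fqdn@REALM' contain a '/' and do not
    correspond to a user account, so they are rejected rather than turned
    into a bogus owner.
    """
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    if "/" in name:
        raise NoOwnerError("service principal %r cannot own a token" % principal)
    return name


def resolve_token_owner(explicit_owner: Optional[str],
                        bound_principal: Optional[str]) -> str:
    """Return the uid that should own an imported token.

    An explicitly requested owner always wins.  Otherwise fall back to the
    principal the LDAP connection was bound as.  With autobind there is no
    principal at all; instead of letting downstream code blow up, tell the
    caller to pass the owner explicitly or to kinit first.
    """
    if explicit_owner:
        return explicit_owner
    if bound_principal is None:
        raise NoOwnerError(
            "connection was made via autobind (no principal in context); "
            "pass the token owner explicitly or run the import after kinit")
    return principal_to_uid(bound_principal)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    print(resolve_token_owner(None, "admin@EXAMPLE.COM"))  # admin
    print(resolve_token_owner("alice", None))              # alice
    try:
        resolve_token_owner(None, None)                    # autobind case
    except NoOwnerError as exc:
        print("refused:", exc)
```

The point of the guard is placement: the principal check happens once, right after the connection is established, so the root/autobind case produces a single actionable message instead of a traceback deep inside the add command.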
