[Freeipa-devel] [PATCH 0086] Migrate OTP import script to python-cryptography

Martin Basti mbasti at redhat.com
Thu Jan 7 17:17:58 UTC 2016



On 29.09.2015 12:00, Martin Babinsky wrote:
> On 09/25/2015 07:05 PM, Nathaniel McCallum wrote:
>> On Fri, 2015-09-25 at 18:29 +0200, Martin Babinsky wrote:
>>> On 09/25/2015 04:53 PM, Nathaniel McCallum wrote:
>>>> On Mon, 2015-08-31 at 11:08 -0400, Nathaniel McCallum wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5192
>>>>> -- 
>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>
>>>> Attached patch rebases the previous patch for master.
>>>>
>>>> Nathaniel
>>>>
>>>>
>>>>
>>> Hi Nathaniel,
>>>
>>> pylint is not happy with your patches:
>>>
>>> """
>>> ************* Module ipaserver.install.ipa_otptoken_import
>>> ipaserver/install/ipa_otptoken_import.py:189: [E1120(no-value-for-parameter), PBKDF2KeyDerivation.__init__] No value for argument 'backend' in constructor call)
>>> ipaserver/install/ipa_otptoken_import.py:235: [E1120(no-value-for-parameter), XMLDecryptor.__call__] No value for argument 'backend' in constructor call)
>>> """
>>>
>>> This is probably the reason for 2 of the otptoken_import tests to fail
>>> with TypeError, see http://fpaste.org/271526/31985721/
>>
>> Fixed.
>>
>
> Nathaniel,
>
> I still get two failing tests (see http://fpaste.org/272526/14435143/).
>
> I also noticed some other issues with OTP importing code, but those 
> are probably beyond the scope of your patch:
>
> ipa-otptoken-import prints the following error when attempting to add 
> token to IPA:
>
> Error adding token: no context.ldap2_140453224789456 in thread 
> 'MainThread'
>
> This is caused by incorrect creation of ldap2 connection in the 
> 'run()' method of 'ipa_otptoken_import.py'. I think we should connect 
> to LDAP directly using api.Backend.ldap2:
>
> @@ -510,9 +510,8 @@ class OTPTokenImport(admintool.AdminTool):
>          api.bootstrap(in_server=True)
>          api.finalize()
>
> -        conn = ldap2(api)
>          try:
> -            conn.connect()
> +            api.Backend.ldap2.connect()
>          except (gssapi.exceptions.GSSError, errors.ACIError):
>              raise admintool.ScriptError("Unable to connect to LDAP! 
> Did you kinit?")
>
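Review bot: dropping `conn = ldap2(api)` leaves any remaining use of `conn` between this hunk and the `finally:` hunk (the token-add loop is not shown) dangling, so those references must also move to `api.Backend.ldap2` or the script fails with NameError before it ever reaches `disconnect()`. The `except (gssapi.exceptions.GSSError, errors.ACIError)` guard also only catches a failed bind; as the surrounding message points out, an autobind as root succeeds without setting a principal, so the no-credentials case that "Unable to connect to LDAP! Did you kinit?" is meant for is not caught here and only surfaces later in `otptoken_add`.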
> @@ -527,7 +526,7 @@ class OTPTokenImport(admintool.AdminTool):
>                      self.log.info("Added token: %s", keypkg.id)
>                      keypkg.remove()
>          finally:
> -            conn.disconnect()
> +            api.Backend.ldap2.disconnect()
>
>          # Write out the XML file without the tokens that succeeded.
>          self.doc.save(self.output)
>
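Review bot: `api.Backend.ldap2.disconnect()` in this `finally:` should be guarded, e.g. with `if api.Backend.ldap2.isconnected():`, because the backend is now a shared api-level connection rather than the local `conn` it replaces, and tearing it down unconditionally after a failure in the loop (or when the enclosing `try:` also covers the failed `connect()` from the earlier hunk) can raise a second error that masks the original one.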
> However, this approach doesn't work when 'ipa-otptoken-import' is run 
> as root on IPA master: in this case ldap2 connects using autobind and 
> does not set principal in the context. This causes the logic which 
> guesses the token owner in 'otptoken_add' to explode violently 
> (http://fpaste.org/272543/35164611/).
>
> Should I file a separate ticket for this issue?
>
bump, this thread seems to be unfinished