[Freeipa-devel] [PATCH] 240 Fix LDAP effective rights control with python-ldap 2.4.x

Jan Cholasta jcholast at redhat.com
Wed Mar 21 09:16:53 UTC 2012


On 21.3.2012 09:57, Martin Kosek wrote:
> Test instructions are attached to the ticket.
> ---
> The new version of python-ldap changed the way it created LDAPv3
> extended controls. The API used in 2.4.x can no longer be used
> because it does not send the bind DN with effective rights
> control and LDAP server thus rejects it.
>
> This patch implements the new API in a backward compatible way
> so that it works both with python-ldap versions 2.3.x and 2.4.x.
>
> https://fedorahosted.org/freeipa/ticket/2565
>

IMO it would be nicer to handle things on module import rather than on 
each get effective rights request:

@@ -42,7 +42,6 @@ import ldap as _ldap
  from ldap.ldapobject import SimpleLDAPObject
  import ldap.filter as _ldap_filter
  import ldap.sasl as _ldap_sasl
-from ldap.controls import LDAPControl
  # for backward compatibility
  from ldap.functions import explode_dn
  from ipalib.dn import DN
@@ -56,6 +55,14 @@ from ipalib.crud import CrudBackend
  from ipalib.encoder import Encoder, encode_args, decode_retval
  from ipalib.request import context

+try:
+    from ldap.controls.simple import GetEffectiveRightsControl
+except ImportError:
+    from ldap.controls import LDAPControl
+    class GetEffectiveRightsControl(LDAPControl):
+        def __init__(critical, value):
+            super(GetEffectiveRightsControl, 
self).__init__('1.3.6.1.4.1.42.2.27.9.5.2', critical, value)
+
  # Group Member types
  MEMBERS_ALL = 0
  MEMBERS_DIRECT = 1
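Review bot: the fallback `__init__` in this hunk omits `self` as its first parameter (`def __init__(critical, value):`), so on python-ldap 2.3.x, the only case in which this class is ever used, `GetEffectiveRightsControl(True, "dn: " + ...)` raises a TypeError: the instance is bound to `critical` and there is no parameter left for the value. It should read `def __init__(self, critical, value):`. Because the `except ImportError` branch is never executed where 2.4.x is installed, this path needs to be exercised on a 2.3.x host before the patch is pushed.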
@@ -871,7 +878,7 @@ class ldap2(CrudBackend, Encoder):
          """
          principal = getattr(context, 'principal')
          (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", 
principal, "krbPrincipalAux")
-        sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: " 
+ binddn.encode('UTF-8'))]
+        sctrl = [GetEffectiveRightsControl(True, "dn: " + 
binddn.encode('UTF-8'))]
          self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
          (dn, attrs) = self.get_entry(dn, entry_attrs)
          # remove the control so subsequent operations don't include GER
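Review bot: the control is cleared only on the success path: `self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)` is followed directly by `self.get_entry(dn, entry_attrs)`, and the statement described by "remove the control so subsequent operations don't include GER" is skipped if `get_entry` raises (a NotFound for a missing entry, for instance). The GER control would then stay attached to the shared connection and every later operation on it would request effective rights. Wrapping the `get_entry` call in try/finally and doing the removal in the `finally` block closes that gap; the change is independent of the 2.3.x/2.4.x compatibility work, but it is in the same four lines.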

Honza

-- 
Jan Cholasta
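The pattern the commit message and Honza's reply describe, as an added example that is not FreeIPA's code: the python-ldap API difference is resolved once at import time, the fallback class is written with an explicit `self`, and the per-request server control is installed and removed around the search in a try/finally so a failed search cannot leave it on the shared connection. `FakeConnection`, `effective_rights_authzid`, `effective_rights_control`, `get_entry_with_rights` and `controls_cleared_after_failure` are names invented here; the OID and the `"dn: "` value format come from the patch, and the numeric fallback for `OPT_SERVER_CONTROLS` is OpenLDAP's `LDAP_OPT_SERVER_CONTROLS` value, used only when python-ldap is not importable.

```python
"""Backward-compatible Get Effective Rights (GER) request control.

Added example (not FreeIPA's or python-ldap's own code). The import-time
shim mirrors the approach suggested in the thread; the context manager
adds the try/finally the patch's success-only cleanup lacks.
"""
from contextlib import contextmanager

GER_OID = '1.3.6.1.4.1.42.2.27.9.5.2'   # OID used by the patch for the GER control

try:                                     # python-ldap 2.4.x and later
    from ldap.controls.simple import GetEffectiveRightsControl
except ImportError:                      # python-ldap 2.3.x, or no python-ldap at all
    try:
        from ldap.controls import LDAPControl
    except ImportError:
        class LDAPControl(object):       # stand-in so the example runs without python-ldap
            def __init__(self, controlType, criticality, controlValue):
                self.controlType = controlType
                self.criticality = criticality
                self.controlValue = controlValue

    class GetEffectiveRightsControl(LDAPControl):
        # explicit `self` here; the patch's fallback omitted it
        def __init__(self, criticality, authzId):
            super(GetEffectiveRightsControl, self).__init__(GER_OID, criticality, authzId)

try:
    import ldap as _ldap
    OPT_SERVER_CONTROLS = _ldap.OPT_SERVER_CONTROLS
except ImportError:
    OPT_SERVER_CONTROLS = 0x0012         # LDAP_OPT_SERVER_CONTROLS in OpenLDAP's ldap.h


def effective_rights_authzid(binddn):
    """Control value the server expects: the authzId of the bound principal."""
    if not binddn:
        raise ValueError('bind DN is required for the GER control')
    return 'dn: ' + binddn


@contextmanager
def effective_rights_control(conn, binddn):
    """Install the GER server control for the block, then always drop it.

    The connection is shared, so if the control stayed set after a failed
    search every later operation on it would also request effective rights.
    """
    ctrl = GetEffectiveRightsControl(True, effective_rights_authzid(binddn))
    conn.set_option(OPT_SERVER_CONTROLS, [ctrl])
    try:
        yield ctrl
    finally:
        conn.set_option(OPT_SERVER_CONTROLS, [])


def get_entry_with_rights(conn, binddn, search):
    """Run search(conn) with the GER control set; the control is reset afterwards."""
    with effective_rights_control(conn, binddn):
        return search(conn)


class FakeConnection(object):
    """Constructed stand-in for SimpleLDAPObject: only records server controls."""
    def __init__(self):
        self.server_controls = []

    def set_option(self, option, value):
        if option != OPT_SERVER_CONTROLS:
            raise ValueError('unexpected option %r' % (option,))
        self.server_controls = list(value)


def controls_cleared_after_failure(conn, binddn):
    """Self-check: a failing search must not leave the GER control installed."""
    def failing_search(_conn):
        raise RuntimeError('constructed search failure')
    try:
        get_entry_with_rights(conn, binddn, failing_search)
    except RuntimeError:
        pass
    return conn.server_controls == []


if __name__ == '__main__':
    conn = FakeConnection()
    binddn = 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'   # constructed
    print(get_entry_with_rights(conn, binddn, lambda c: len(c.server_controls)))
    print(conn.server_controls, controls_cleared_after_failure(conn, binddn))
```

With a real `SimpleLDAPObject` in place of `FakeConnection`, `search` would be the `get_entry` call from the patch; the context manager is what guarantees the "remove the control so subsequent operations don't include GER" step also runs when that call raises.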



