[Freeipa-devel] [PATCH] 240 Fix LDAP effective rights control with python-ldap 2.4.x

Rob Crittenden rcritten at redhat.com
Thu Mar 22 22:04:12 UTC 2012


Martin Kosek wrote:
> On Wed, 2012-03-21 at 10:16 +0100, Jan Cholasta wrote:
>> On 21.3.2012 09:57, Martin Kosek wrote:
>>> Test instructions are attached to the ticket.
>>> ---
>>> The new version of python-ldap changed the way it created LDAPv3
>>> extended controls. The API used in 2.4.x can no longer be used
>>> because it does not send the bind DN with effective rights
>>> control and LDAP server thus rejects it.
>>>
>>> This patch implements the new API in a backward compatible way
>>> so that it works both with python-ldap versions 2.3.x and 2.4.x.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2565
>>>
>>
>> IMO it would be nicer to handle things on module import rather than on
>> each get effective rights request:
>>
>> @@ -42,7 +42,6 @@ import ldap as _ldap
>>    from ldap.ldapobject import SimpleLDAPObject
>>    import ldap.filter as _ldap_filter
>>    import ldap.sasl as _ldap_sasl
>> -from ldap.controls import LDAPControl
>>    # for backward compatibility
>>    from ldap.functions import explode_dn
>>    from ipalib.dn import DN
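Review bot: with `from ldap.controls import LDAPControl` dropped from the module-level imports, any other reference to `LDAPControl` elsewhere in this module would now raise NameError at call time rather than at import; worth confirming the effective-rights code is the only consumer before the import moves into an except branch that only runs on python-ldap 2.3.x.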
>> @@ -56,6 +55,14 @@ from ipalib.crud import CrudBackend
>>    from ipalib.encoder import Encoder, encode_args, decode_retval
>>    from ipalib.request import context
>>
>> +try:
>> +    from ldap.controls.simple import GetEffectiveRightsControl
>> +except ImportError:
>> +    from ldap.controls import LDAPControl
>> +    class GetEffectiveRightsControl(LDAPControl):
>> +        def __init__(critical, value):
>> +            super(GetEffectiveRightsControl,
>> self).__init__('1.3.6.1.4.1.42.2.27.9.5.2', critical, value)
>> +
>>    # Group Member types
>>    MEMBERS_ALL = 0
>>    MEMBERS_DIRECT = 1
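Review bot: the fallback class is broken as written: `def __init__(critical, value):` is missing `self`, so `GetEffectiveRightsControl(True, value)` on python-ldap 2.3.x raises TypeError before the control is ever built, and since `LDAPControl` in 2.3.x is an old-style class (as Martin notes in his reply) the `super(GetEffectiveRightsControl, self).__init__(...)` call fails as well. Suggest `def __init__(self, critical, value):` followed by `LDAPControl.__init__(self, '1.3.6.1.4.1.42.2.27.9.5.2', critical, value)`, and keep the positional order `(critical, value)` so the single call site below works unchanged on both versions. A pylint disable on the fallback import is also needed, since on 2.3.x the name is redefined.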
>> @@ -871,7 +878,7 @@ class ldap2(CrudBackend, Encoder):
>>            """
>>            principal = getattr(context, 'principal')
>>            (binddn, attrs) = self.find_entry_by_attr("krbprincipalname",
>> principal, "krbPrincipalAux")
>> -        sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: "
>> + binddn.encode('UTF-8'))]
>> +        sctrl = [GetEffectiveRightsControl(True, "dn: " +
>> binddn.encode('UTF-8'))]
>>            self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
>>            (dn, attrs) = self.get_entry(dn, entry_attrs)
>>            # remove the control so subsequent operations don't include GER
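Review bot: the GER control is removed from `OPT_SERVER_CONTROLS` only after `self.get_entry(dn, entry_attrs)` returns; if `get_entry` raises (missing entry, insufficient access), the control stays set on the shared connection and every later operation on it carries the effective-rights control for this bind DN. This is pre-existing behaviour that the hunk only swaps the constructor of, but while touching these lines it would be cleaner to wrap the `set_option` / `get_entry` pair in `try: ... finally:` with the reset in the `finally` branch.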
>>
>> Honza
>>
>
> I agree, this approach is better. I updated the patch based on your
> input. It just needed some more love as LDAPControl is an old-style
> Python class and I also silenced pylint when python-ldap 2.3.x is
> installed.
>
> Martin

ACK, pushed to master and ipa-2-2



