[Freeipa-devel] [PATCHES] 0191-0195 Use ipaldap in the client installer & password migration

Jan Cholasta jcholast at redhat.com
Thu Mar 7 16:42:22 UTC 2013


On 6.3.2013 16:29, Petr Viktorin wrote:
> Hello,
> These patches move ipaldap to ipapython, and make the client installer
> use it. Also the password migration web-app is made to use ipaldap; they
> both called a shared utility function that is converted to use ipaldap.
>
> This should fix https://fedorahosted.org/freeipa/ticket/3446
> (freeipa-client-install KeyError in 'namingcontexts') and similar errors.
>
> https://fedorahosted.org/freeipa/ticket/3487
>

Patch 191:

The patch is missing the ipapython/ipaldap.py file.

I think it should go into ipalib instead of ipapython. <rant> It doesn't 
make sense to keep ipapython and ipalib separate if they depend on each 
other. We should either merge them or clean up the mess by removing 
ipalib imports from ipapython. I'm not saying we should do it now, just 
please don't add new modules to ipapython which import from ipalib. </rant>

Also I am not very fond of the "ipa" prefix in "ipaldap". The module 
lives in the namespace of our own package, so there's no need for it to 
have such a prefix, is there?

Patch 193:

+            scope=conn.SCOPE_BASE,
+            filter='objectclass=pkiCA',
+            attrs_list=[ca_cert_attr],
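
Review bot: the `filter='objectclass=pkiCA'` line passes a bare assertion without the enclosing parentheses that RFC 4515 string filters use, so it depends on the client library accepting the short form. Writing it as '(objectclass=pkiCA)' keeps the search valid regardless of how the filter string is parsed or later combined with other terms.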

Can we use a proper filter here please?

+    :param conn: Bound LDAPConnection that will be used for searching

LDAPClient

Patch 194:

-                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)

and

-                lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
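
Review bot: the two removed `set_option` calls are the only visible place where server-certificate checking was requested, and the quoted lines show no replacement, so the patch should state where the new connection code sets the certificate policy. In the second removed call, `ldap.OPT_X_TLS_DEMAND` is used as the option name, but in python-ldap it is a value for `ldap.OPT_X_TLS_REQUIRE_CERT`; if the policy is set again elsewhere, it should be written as `set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` rather than carried over in this form.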

Is removing these options safe?

Honza

-- 
Jan Cholasta



