[Freeipa-devel] right way to connect to DS with Directory Manager creds from the test

Oleg Fayans ofayans at redhat.com
Fri Jul 17 15:03:05 UTC 2015


Hi everybody,

What is the right way to connect to the Directory Server using Directory 
Manager credentials from the autotest?
I need to execute something like

ldapsearch -D "cn=Directory Manager" -w '<directory_manager_password>' -b "cn=IPA Topology Configuration,cn=plugins,cn=config"

from the Python code.

A quick look through the code showed that the following method is 
generally used to connect to ldap:

self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
self.conn = ldap2(api, ldap_uri=self.ldapuri)
self.conn.connect()

(See ipatests/test_ipaserver/test_ldap.py)
But this is an anonymous access.

The existing solution to use the Kerberos ticket cache to log in as admin:

self.ccache = paths.TMP_KRB5CC % os.getuid()
self.conn.connect(ccache='FILE:%s' % self.ccache)

(ipatests/test_ipaserver/test_ldap.py:test_GSSAPI)
has two drawbacks:
1. It would never work if Directory Manager has a different password than 
admin.
2. It does not work anyway, because Kerberos is configured to store the 
cache not in the FILE:/tmp/krb5cc_%{uid} file (as the test expects), but 
rather in KEYRING:persistent:%{uid}:%{gid}

Thank you in advance.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
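
The credential cache mismatch in drawback 2, as an added example that is not part of the original post and not FreeIPA code. It assumes the MIT krb5 lookup order (the KRB5CCNAME environment variable, then default_ccache_name in [libdefaults], then the built-in FILE default) and expands only the %{uid} token; the krb5.conf text and the function names are constructed for illustration.

```python
import re

# Built-in fallback; this is the location the test in the post expects.
BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

# Constructed sample krb5.conf, not taken from a real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test
  }
"""


def configured_ccache_name(conf_text):
    """Return default_ccache_name from [libdefaults], or None if unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None


def resolve_ccache(conf_text, env, uid):
    """Resolve the default ccache: environment, then config, then fallback."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"]          # used as given, no token expansion
    name = configured_ccache_name(conf_text) or BUILTIN_DEFAULT
    return name.replace("%{uid}", str(uid))


def file_path_assumption_holds(conf_text, env, uid):
    """True only if a hard-coded FILE:/tmp/krb5cc_<uid> matches the real cache."""
    return resolve_ccache(conf_text, env, uid) == "FILE:/tmp/krb5cc_%d" % uid
```

A test that hard-codes the FILE path can call such a check first, or export KRB5CCNAME before running kinit so that both sides agree on the cache location.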



