[Freeipa-devel] right way to connect to DS with Directory Manager creds from the test

Martin Basti mbasti at redhat.com
Fri Jul 17 15:19:00 UTC 2015


On 17/07/15 17:03, Oleg Fayans wrote:
> Hi everybody,
>
> What is the right way to connect to the Directory Server using 
> Directory Manager credentials from the autotest?
> I need to execute something like
> ldapsearch -D "cn=Directory Manager" -w '<directory_manager_password>' 
> -b "cn=IPA Topology Configuration,cn=plugins,cn=config"
> from the Python code.
>
> A quick look through the code showed that the following method is 
> generally used to connect to ldap:
>
> self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
> self.conn = ldap2(api, ldap_uri=self.ldapuri)
> self.conn.connect()
>
> (See ipatests/test_ipaserver/test_ldap.py)
> But this is an anonymous access.
>
> The existing solution to use the kerberos ticket cache to login as admin:
> self.ccache = paths.TMP_KRB5CC % os.getuid()
> self.conn.connect(ccache='FILE:%s' % self.ccache)
> (ipatests/test_ipaserver/test_ldap.py:test_GSSAPI)
> has two drawbacks:
> 1. It would never work if directory manager has a different password 
> than admin
> 2. It does not work anyway, because kerberos is configured to store 
> the cache not in the
> FILE:/tmp/krb5cc_%{uid} file (as the test expects), but rather in 
> KEYRING:persistent:%{uid}:%{gid}
>
> Thank you in advance.
>
You can use IPAdmin class in ipaldap

conn = ipaldap.IPAdmin(host=api.env.host)

conn.do_simple_bind(bindpw=password)  # directory manager is the default user there

entry = conn.get_entry(...)




Martin Basti



