def create_connection(self, ccache=None, bind_dn=None, bind_pw='', cacert=None, autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None, time_limit=_missing, size_limit=_missing): """ Connect to LDAP server. Keyword arguments: ldapuri -- the LDAP server to connect to ccache -- Kerberos ccache name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option cacert -- TLS CA certificate filename autobind - autobind as the current user time_limit, size_limit -- maximum time and size limit for LDAP possible options: - value - sets the given value - None - reads value from ipaconfig - _missing - keeps previously configured settings (unlimited set by default in constructor) Extends backend.Connectible.create_connection. """ if bind_dn is None: bind_dn = DN(('cn', 'directory manager')) assert isinstance(bind_dn, DN) if cacert is None: cacert = paths.IPA_CA_CRT if time_limit is not _missing: object.__setattr__(self, 'time_limit', time_limit) if size_limit is not _missing: object.__setattr__(self, 'size_limit', size_limit) client = LDAPClient(self.ldap_uri, force_schema_updates=self._force_schema_updates, cacert=cacert) conn = client._conn with client.error_handler(): minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN) maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX) # Always connect with at least an SSF of 56, confidentiality # This also protects us from a broken ldap.conf if minssf < 56: minssf = 56 conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf) if maxssf < minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) ldapi = self.ldap_uri.startswith('ldapi://') if bind_pw: client.simple_bind(bind_dn, bind_pw, server_controls=serverctrls, client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: client.external_bind(server_controls=serverctrls, client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED: # autobind was required and failed, raise # exception that it failed raise else: if ldapi: with client.error_handler(): conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host) if ccache is None: os.environ.pop('KRB5CCNAME', None) else: os.environ['KRB5CCNAME'] = ccache principal = krb_utils.get_principal(ccache_name=ccache) client.gssapi_bind(server_controls=serverctrls, client_controls=clientctrls) setattr(context, 'principal', principal) return conn
def create_connection(self, ccache=None, bind_dn=None, bind_pw='', tls_cacertfile=None, tls_certfile=None, tls_keyfile=None, debug_level=0, autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None, time_limit=None, size_limit=None): """ Connect to LDAP server. Keyword arguments: ldapuri -- the LDAP server to connect to ccache -- Kerberos ccache name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option tls_cacertfile -- TLS CA certificate filename tls_certfile -- TLS certificate filename tls_keyfile - TLS bind key filename autobind - autobind as the current user Extends backend.Connectible.create_connection. """ if bind_dn is None: bind_dn = DN() assert isinstance(bind_dn, DN) if tls_cacertfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile) if tls_certfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_CERTFILE, tls_certfile) if tls_keyfile is not None: _ldap.set_option(_ldap.OPT_X_TLS_KEYFILE, tls_keyfile) if time_limit is not None: self.time_limit = time_limit if size_limit is not None: self.size_limit = size_limit if debug_level: _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level) client = LDAPClient(self.ldap_uri, force_schema_updates=self._force_schema_updates) conn = client._conn with client.error_handler(): minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN) maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX) # Always connect with at least an SSF of 56, confidentiality # This also protects us from a broken ldap.conf if minssf < 56: minssf = 56 conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf) if maxssf < minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) ldapi = self.ldap_uri.startswith('ldapi://') if bind_pw: client.simple_bind(bind_dn, bind_pw, server_controls=serverctrls, client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: pw_name = pwd.getpwuid(os.geteuid()).pw_name client.external_bind(pw_name, server_controls=serverctrls, client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED: # autobind was required and failed, raise # exception that it failed raise else: if ldapi: with client.error_handler(): conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host) if ccache is None: os.environ.pop('KRB5CCNAME', None) else: os.environ['KRB5CCNAME'] = ccache principal = krb_utils.get_principal(ccache_name=ccache) client.gssapi_bind(server_controls=serverctrls, client_controls=clientctrls) setattr(context, 'principal', principal) return conn
def create_connection( self, ccache=None, bind_dn=None, bind_pw='', cacert=None, autobind=AUTOBIND_AUTO, serverctrls=None, clientctrls=None, time_limit=_missing, size_limit=_missing): """ Connect to LDAP server. Keyword arguments: ldapuri -- the LDAP server to connect to ccache -- Kerberos ccache name bind_dn -- dn used to bind to the server bind_pw -- password used to bind to the server debug_level -- LDAP debug level option cacert -- TLS CA certificate filename autobind - autobind as the current user time_limit, size_limit -- maximum time and size limit for LDAP possible options: - value - sets the given value - None - reads value from ipaconfig - _missing - keeps previously configured settings (unlimited set by default in constructor) Extends backend.Connectible.create_connection. """ if bind_dn is None: bind_dn = DN(('cn', 'directory manager')) assert isinstance(bind_dn, DN) if cacert is None: cacert = constants.CACERT if time_limit is not _missing: self.time_limit = time_limit if size_limit is not _missing: self.size_limit = size_limit client = LDAPClient(self.ldap_uri, force_schema_updates=self._force_schema_updates, cacert=cacert) conn = client._conn with client.error_handler(): minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN) maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX) # Always connect with at least an SSF of 56, confidentiality # This also protects us from a broken ldap.conf if minssf < 56: minssf = 56 conn.set_option(_ldap.OPT_X_SASL_SSF_MIN, minssf) if maxssf < minssf: conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf) ldapi = self.ldap_uri.startswith('ldapi://') if bind_pw: client.simple_bind(bind_dn, bind_pw, server_controls=serverctrls, client_controls=clientctrls) elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi: try: client.external_bind(server_controls=serverctrls, client_controls=clientctrls) except errors.NotFound: if autobind == AUTOBIND_ENABLED: # autobind was required and failed, raise # exception that it failed raise else: if ldapi: with client.error_handler(): conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host) if ccache is None: os.environ.pop('KRB5CCNAME', None) else: os.environ['KRB5CCNAME'] = ccache principal = krb_utils.get_principal(ccache_name=ccache) client.gssapi_bind(server_controls=serverctrls, client_controls=clientctrls) setattr(context, 'principal', principal) return conn