def get_base_dn(ldap_uri):
"""
Retrieve LDAP server base DN.
"""
try:
conn = IPAdmin(ldap_uri=ldap_uri)
conn.do_simple_bind(DN(), '')
base_dn = get_ipa_basedn(conn)
except Exception, e:
root_logger.error('migration context search failed: %s' % e)
return ''
def get_base_dn(ldap_uri):
"""
Retrieve LDAP server base DN.
"""
try:
conn = IPAdmin(ldap_uri=ldap_uri)
conn.do_simple_bind(DN(), '')
base_dn = get_ipa_basedn(conn)
except Exception, e:
root_logger.error('migration context search failed: %s' % e)
return ''
def get_base_dn():
"""
Retrieve LDAP server base DN.
"""
global BASE_DN
if BASE_DN:
return BASE_DN
try:
conn = ldap.initialize(LDAP_URI)
conn.simple_bind_s('', '')
BASE_DN = get_ipa_basedn(conn)
except ldap.LDAPError, e:
root_logger.error('migration context search failed: %s' % e)
return ''
def ipacheckldap(self, thost, trealm, ca_cert_path=None):
"""
Given a host and kerberos realm verify that it is an IPA LDAP
server hosting the realm.
Returns a list [errno, host, realm] or an empty list on error.
Errno is an error number:
0 means all ok
1 means we could not check the info in LDAP (may happend when
anonymous binds are disabled)
2 means the server is certainly not an IPA server
"""
lrealms = []
i = 0
#now verify the server is really an IPA server
try:
root_logger.debug("Init LDAP connection to: %s", thost)
if ca_cert_path:
lh = ipaldap.IPAdmin(thost,
protocol='ldap',
cacert=ca_cert_path,
start_tls=True,
no_schema=True,
decode_attrs=False,
demand_cert=True)
else:
lh = ipaldap.IPAdmin(thost,
protocol='ldap',
no_schema=True,
decode_attrs=False)
try:
lh.do_simple_bind(DN(), '')
# get IPA base DN
root_logger.debug("Search LDAP server for IPA base DN")
basedn = get_ipa_basedn(lh)
except errors.ACIError:
root_logger.debug("LDAP Error: Anonymous access not allowed")
return [NO_ACCESS_TO_LDAP]
except errors.DatabaseError, err:
root_logger.error("Error checking LDAP: %s" % err.strerror)
# We should only get UNWILLING_TO_PERFORM if the remote LDAP
# server has minssf > 0 and we have attempted a non-TLS conn.
if ca_cert_path is None:
root_logger.debug(
"Cannot connect to LDAP server. Check that minssf is "
"not enabled")
return [NO_TLS_LDAP]
else:
return [UNKNOWN_ERROR]
if basedn is None:
root_logger.debug("The server is not an IPA server")
return [NOT_IPA_SERVER]
self.basedn = basedn
self.basedn_source = 'From IPA server %s' % lh.ldap_uri
#search and return known realms
root_logger.debug(
"Search for (objectClass=krbRealmContainer) in %s (sub)",
self.basedn)
try:
lret = lh.get_entries(DN(('cn', 'kerberos'),
self.basedn), lh.SCOPE_SUBTREE,
"(objectClass=krbRealmContainer)")
except errors.NotFound:
#something very wrong
return [REALM_NOT_FOUND]
for lres in lret:
root_logger.debug("Found: %s", lres.dn)
lrealms.append(lres.single_value['cn'])
if trealm:
for r in lrealms:
if trealm == r:
return [0, thost, trealm]
# must match or something is very wrong
root_logger.debug(
"Realm %s does not match any realm in LDAP "
"database", trealm)
return [REALM_NOT_FOUND]
else:
if len(lrealms) != 1:
#which one? we can't attach to a multi-realm server without DNS working
root_logger.debug("Multiple realms found, cannot decide "
"which realm is the right without "
"working DNS")
return [REALM_NOT_FOUND]
else:
return [0, thost, lrealms[0]]
#we shouldn't get here
return [UNKNOWN_ERROR]
def ipacheckldap(self, thost, trealm, ca_cert_path=None):
"""
Given a host and kerberos realm verify that it is an IPA LDAP
server hosting the realm.
Returns a list [errno, host, realm] or an empty list on error.
Errno is an error number:
0 means all ok
1 means we could not check the info in LDAP (may happend when
anonymous binds are disabled)
2 means the server is certainly not an IPA server
"""
lrealms = []
i = 0
#now verify the server is really an IPA server
try:
root_logger.debug("Init LDAP connection to: %s", thost)
if ca_cert_path:
lh = ipaldap.IPAdmin(thost, protocol='ldap',
cacert=ca_cert_path, start_tls=True,
no_schema=True, decode_attrs=False,
demand_cert=True)
else:
lh = ipaldap.IPAdmin(thost, protocol='ldap',
no_schema=True, decode_attrs=False)
try:
lh.do_simple_bind(DN(), '')
except errors.ACIError:
root_logger.debug("LDAP Error: Anonymous access not allowed")
return [NO_ACCESS_TO_LDAP]
except errors.DatabaseError, err:
root_logger.error("Error checking LDAP: %s" % err.strerror)
# We should only get UNWILLING_TO_PERFORM if the remote LDAP
# server has minssf > 0 and we have attempted a non-TLS conn.
if ca_cert_path is None:
root_logger.debug(
"Cannot connect to LDAP server. Check that minssf is "
"not enabled")
return [NO_TLS_LDAP]
else:
return [UNKNOWN_ERROR]
# get IPA base DN
root_logger.debug("Search LDAP server for IPA base DN")
basedn = get_ipa_basedn(lh)
if basedn is None:
root_logger.debug("The server is not an IPA server")
return [NOT_IPA_SERVER]
self.basedn = basedn
self.basedn_source = 'From IPA server %s' % lh.ldap_uri
#search and return known realms
root_logger.debug(
"Search for (objectClass=krbRealmContainer) in %s (sub)",
self.basedn)
try:
lret = lh.get_entries(
DN(('cn', 'kerberos'), self.basedn),
lh.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)")
except errors.NotFound:
#something very wrong
return [REALM_NOT_FOUND]
for lres in lret:
root_logger.debug("Found: %s", lres.dn)
lrealms.append(lres.single_value['cn'])
if trealm:
for r in lrealms:
if trealm == r:
return [0, thost, trealm]
# must match or something is very wrong
return [REALM_NOT_FOUND]
else:
if len(lrealms) != 1:
#which one? we can't attach to a multi-realm server without DNS working
return [REALM_NOT_FOUND]
else:
return [0, thost, lrealms[0]]
#we shouldn't get here
return [UNKNOWN_ERROR]
def ipacheckldap(self, thost, trealm, ca_cert_path=None):
"""
Given a host and kerberos realm verify that it is an IPA LDAP
server hosting the realm.
Returns a list [errno, host, realm] or an empty list on error.
Errno is an error number:
0 means all ok
1 means we could not check the info in LDAP (may happend when
anonymous binds are disabled)
2 means the server is certainly not an IPA server
"""
lrealms = []
i = 0
#now verify the server is really an IPA server
try:
ldap_url = "ldap://" + format_netloc(thost, 389)
root_logger.debug("Init LDAP connection with: %s", ldap_url)
lh = ldap.initialize(ldap_url)
if ca_cert_path:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_path)
lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
lh.start_tls_s()
lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
lh.simple_bind_s("", "")
# get IPA base DN
root_logger.debug("Search LDAP server for IPA base DN")
basedn = get_ipa_basedn(lh)
if basedn is None:
root_logger.debug("The server is not an IPA server")
return [NOT_IPA_SERVER]
self.basedn = basedn
self.basedn_source = 'From IPA server %s' % ldap_url
#search and return known realms
root_logger.debug(
"Search for (objectClass=krbRealmContainer) in %s (sub)",
self.basedn)
lret = lh.search_s(str(DN(('cn', 'kerberos'),
self.basedn)), ldap.SCOPE_SUBTREE,
"(objectClass=krbRealmContainer)")
if not lret:
#something very wrong
return [REALM_NOT_FOUND]
for lres in lret:
root_logger.debug("Found: %s", lres[0])
for lattr in lres[1]:
if lattr.lower() == "cn":
lrealms.append(lres[1][lattr][0])
if trealm:
for r in lrealms:
if trealm == r:
return [0, thost, trealm]
# must match or something is very wrong
return [REALM_NOT_FOUND]
else:
if len(lrealms) != 1:
#which one? we can't attach to a multi-realm server without DNS working
return [REALM_NOT_FOUND]
else:
return [0, thost, lrealms[0]]
#we shouldn't get here
return [UNKNOWN_ERROR]
except LDAPError, err:
if isinstance(err, ldap.TIMEOUT):
root_logger.debug("LDAP Error: timeout")
return [NO_LDAP_SERVER]
if isinstance(err, ldap.SERVER_DOWN):
root_logger.debug("LDAP Error: server down")
return [NO_LDAP_SERVER]
if isinstance(err, ldap.INAPPROPRIATE_AUTH):
root_logger.debug("LDAP Error: Anonymous access not allowed")
return [NO_ACCESS_TO_LDAP]
# We should only get UNWILLING_TO_PERFORM if the remote LDAP server
# has minssf > 0 and we have attempted a non-TLS connection.
if ca_cert_path is None and isinstance(err,
ldap.UNWILLING_TO_PERFORM):
root_logger.debug(
"LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled"
)
return [NO_TLS_LDAP]
root_logger.error(
"LDAP Error: %s: %s" %
(err.args[0]['desc'], err.args[0].get('info', '')))
return [UNKNOWN_ERROR]
def ipacheckldap(self, thost, trealm, ca_cert_path=None):
"""
Given a host and kerberos realm verify that it is an IPA LDAP
server hosting the realm.
Returns a list [errno, host, realm] or an empty list on error.
Errno is an error number:
0 means all ok
1 means we could not check the info in LDAP (may happend when
anonymous binds are disabled)
2 means the server is certainly not an IPA server
"""
lrealms = []
i = 0
#now verify the server is really an IPA server
try:
ldap_url = "ldap://" + format_netloc(thost, 389)
root_logger.debug("Init LDAP connection with: %s", ldap_url)
lh = ldap.initialize(ldap_url)
if ca_cert_path:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_path)
lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
lh.start_tls_s()
lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
lh.simple_bind_s("","")
# get IPA base DN
root_logger.debug("Search LDAP server for IPA base DN")
basedn = get_ipa_basedn(lh)
if basedn is None:
root_logger.debug("The server is not an IPA server")
return [NOT_IPA_SERVER]
self.basedn = basedn
self.basedn_source = 'From IPA server %s' % ldap_url
#search and return known realms
root_logger.debug(
"Search for (objectClass=krbRealmContainer) in %s (sub)",
self.basedn)
lret = lh.search_s(str(DN(('cn', 'kerberos'), self.basedn)), ldap.SCOPE_SUBTREE, "(objectClass=krbRealmContainer)")
if not lret:
#something very wrong
return [REALM_NOT_FOUND]
for lres in lret:
root_logger.debug("Found: %s", lres[0])
for lattr in lres[1]:
if lattr.lower() == "cn":
lrealms.append(lres[1][lattr][0])
if trealm:
for r in lrealms:
if trealm == r:
return [0, thost, trealm]
# must match or something is very wrong
return [REALM_NOT_FOUND]
else:
if len(lrealms) != 1:
#which one? we can't attach to a multi-realm server without DNS working
return [REALM_NOT_FOUND]
else:
return [0, thost, lrealms[0]]
#we shouldn't get here
return [UNKNOWN_ERROR]
except LDAPError, err:
if isinstance(err, ldap.TIMEOUT):
root_logger.debug("LDAP Error: timeout")
return [NO_LDAP_SERVER]
if isinstance(err, ldap.SERVER_DOWN):
root_logger.debug("LDAP Error: server down")
return [NO_LDAP_SERVER]
if isinstance(err, ldap.INAPPROPRIATE_AUTH):
root_logger.debug("LDAP Error: Anonymous access not allowed")
return [NO_ACCESS_TO_LDAP]
# We should only get UNWILLING_TO_PERFORM if the remote LDAP server
# has minssf > 0 and we have attempted a non-TLS connection.
if ca_cert_path is None and isinstance(err, ldap.UNWILLING_TO_PERFORM):
root_logger.debug("LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled")
return [NO_TLS_LDAP]
root_logger.error("LDAP Error: %s: %s" %
(err.args[0]['desc'], err.args[0].get('info', '')))
return [UNKNOWN_ERROR]
