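def get_base_dn(ldap_uri):
    """
    Retrieve LDAP server base DN.

    Connects to ``ldap_uri``, performs an anonymous simple bind (empty DN,
    empty password) and asks the server for the IPA base DN via
    ``get_ipa_basedn``.

    Args:
        ldap_uri: URI of the LDAP server to query.

    Returns:
        The base DN reported by ``get_ipa_basedn``, or ``''`` when the
        connection, the bind or the lookup raises; the failure is logged
        as an error.  (The original fell off the end of the function on
        the success path and so returned None instead of the value it
        had just looked up.)
    """
    try:
        conn = IPAdmin(ldap_uri=ldap_uri)
        # Anonymous simple bind: empty DN and empty password.
        conn.do_simple_bind(DN(), '')
        base_dn = get_ipa_basedn(conn)
    except Exception as e:
        root_logger.error('migration context search failed: %s' % e)
        return ''
    # NOTE(review): the connection is never released on this path; confirm
    # the IPAdmin close/unbind API in this tree and call it in a
    # ``finally`` block so the handle is dropped on every path.
    return base_dn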
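def get_base_dn():
    """
    Retrieve LDAP server base DN.

    The first successful lookup is cached in the module-level ``BASE_DN``
    and later calls return the cached value without contacting the
    server.  The lookup is an anonymous simple bind against ``LDAP_URI``
    followed by ``get_ipa_basedn``.

    Returns:
        The cached or freshly discovered base DN, or ``''`` when the bind
        or the lookup raises ``ldap.LDAPError`` (logged as an error).  The
        original fell off the end of the function on the success path and
        returned None instead of the value it had just cached.
    """
    global BASE_DN

    if BASE_DN:
        return BASE_DN

    conn = None
    try:
        conn = ldap.initialize(LDAP_URI)
        # Anonymous simple bind: empty DN and empty password.
        conn.simple_bind_s('', '')
        BASE_DN = get_ipa_basedn(conn)
    except ldap.LDAPError as e:
        root_logger.error('migration context search failed: %s' % e)
        return ''
    finally:
        # Drop the connection on every path.  A failing unbind must not
        # replace the result or the error already being handled.
        if conn is not None:
            try:
                conn.unbind_s()
            except ldap.LDAPError:
                pass

    return BASE_DN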
def ipacheckldap(self, thost, trealm, ca_cert_path=None):
    """
    Given a host and kerberos realm verify that it is an IPA LDAP server
    hosting the realm.

    Args:
        thost: host name of the server to probe.
        trealm: expected Kerberos realm, or a false value to accept
            whichever single realm the server advertises.
        ca_cert_path: CA certificate file.  When given, the connection is
            built with ``start_tls=True`` and ``demand_cert=True``; when
            None the connection is constructed with ``protocol='ldap'``
            and no TLS arguments, so the base DN and realm learnt here
            come from an unauthenticated server.

    Returns:
        ``[0, thost, realm]`` on success, where ``realm`` is ``trealm``
        when it was given, else the single realm found.  On failure a
        one-element list holding one of the error constants used below
        (NO_ACCESS_TO_LDAP, NO_TLS_LDAP, UNKNOWN_ERROR, NOT_IPA_SERVER,
        REALM_NOT_FOUND); the list is never empty.

    Side effects:
        On success ``self.basedn`` and ``self.basedn_source`` are set from
        the server's answer.

    NOTE(review): the handlers of the outer ``try`` below are not part of
    this listing; what is visible ends inside the try body.
    """
    lrealms = []
    i = 0  # NOTE(review): never read in this function
    # now verify the server is really an IPA server
    try:
        root_logger.debug("Init LDAP connection to: %s", thost)
        if ca_cert_path:
            # STARTTLS with a server certificate demanded against the
            # supplied CA file.
            lh = ipaldap.IPAdmin(thost, protocol='ldap', cacert=ca_cert_path,
                                 start_tls=True, no_schema=True,
                                 decode_attrs=False, demand_cert=True)
        else:
            # Plain ldap:// probe; nothing below verifies who answers.
            lh = ipaldap.IPAdmin(thost, protocol='ldap', no_schema=True,
                                 decode_attrs=False)
        try:
            # Anonymous simple bind: empty DN and empty password.
            lh.do_simple_bind(DN(), '')
            # get IPA base DN
            root_logger.debug("Search LDAP server for IPA base DN")
            basedn = get_ipa_basedn(lh)
        except errors.ACIError:
            root_logger.debug("LDAP Error: Anonymous access not allowed")
            return [NO_ACCESS_TO_LDAP]
        except errors.DatabaseError, err:
            root_logger.error("Error checking LDAP: %s" % err.strerror)
            # We should only get UNWILLING_TO_PERFORM if the remote LDAP
            # server has minssf > 0 and we have attempted a non-TLS conn.
            if ca_cert_path is None:
                root_logger.debug(
                    "Cannot connect to LDAP server. Check that minssf is "
                    "not enabled")
                return [NO_TLS_LDAP]
            else:
                return [UNKNOWN_ERROR]
        if basedn is None:
            root_logger.debug("The server is not an IPA server")
            return [NOT_IPA_SERVER]
        self.basedn = basedn
        self.basedn_source = 'From IPA server %s' % lh.ldap_uri
        # search and return known realms
        root_logger.debug(
            "Search for (objectClass=krbRealmContainer) in %s (sub)",
            self.basedn)
        try:
            lret = lh.get_entries(DN(('cn', 'kerberos'), self.basedn),
                                  lh.SCOPE_SUBTREE,
                                  "(objectClass=krbRealmContainer)")
        except errors.NotFound:
            # something very wrong
            return [REALM_NOT_FOUND]
        for lres in lret:
            root_logger.debug("Found: %s", lres.dn)
            lrealms.append(lres.single_value['cn'])
        if trealm:
            for r in lrealms:
                if trealm == r:
                    return [0, thost, trealm]
            # must match or something is very wrong
            root_logger.debug(
                "Realm %s does not match any realm in LDAP "
                "database", trealm)
            return [REALM_NOT_FOUND]
        else:
            if len(lrealms) != 1:
                # which one? we can't attach to a multi-realm server
                # without DNS working
                root_logger.debug("Multiple realms found, cannot decide "
                                  "which realm is the right without "
                                  "working DNS")
                return [REALM_NOT_FOUND]
            else:
                return [0, thost, lrealms[0]]
        # we shouldn't get here
        return [UNKNOWN_ERROR]
def ipacheckldap(self, thost, trealm, ca_cert_path=None):
    """
    Given a host and kerberos realm verify that it is an IPA LDAP server
    hosting the realm.

    Args:
        thost: host name of the server to probe.
        trealm: expected Kerberos realm, or a false value to accept
            whichever single realm the server advertises.
        ca_cert_path: CA certificate file.  When given, the connection is
            built with ``start_tls=True`` and ``demand_cert=True``; when
            None the connection is constructed with ``protocol='ldap'``
            and no TLS arguments, so the base DN and realm learnt here
            come from an unauthenticated server.

    Returns:
        ``[0, thost, realm]`` on success, where ``realm`` is ``trealm``
        when it was given, else the single realm found.  On failure a
        one-element list holding one of the error constants used below
        (NO_ACCESS_TO_LDAP, NO_TLS_LDAP, UNKNOWN_ERROR, NOT_IPA_SERVER,
        REALM_NOT_FOUND); the list is never empty.

    Side effects:
        On success ``self.basedn`` and ``self.basedn_source`` are set from
        the server's answer.

    NOTE(review): the handlers of the outer ``try`` below are not part of
    this listing; what is visible ends inside the try body, so errors
    raised by ``get_ipa_basedn`` or ``get_entries`` other than those
    caught inline are handled elsewhere.
    """
    lrealms = []
    i = 0  # NOTE(review): never read in this function
    # now verify the server is really an IPA server
    try:
        root_logger.debug("Init LDAP connection to: %s", thost)
        if ca_cert_path:
            # STARTTLS with a server certificate demanded against the
            # supplied CA file.
            lh = ipaldap.IPAdmin(thost, protocol='ldap', cacert=ca_cert_path,
                                 start_tls=True, no_schema=True,
                                 decode_attrs=False, demand_cert=True)
        else:
            # Plain ldap:// probe; nothing below verifies who answers.
            lh = ipaldap.IPAdmin(thost, protocol='ldap', no_schema=True,
                                 decode_attrs=False)
        try:
            # Anonymous simple bind: empty DN and empty password.  Only the
            # bind is guarded here; the base DN lookup follows outside.
            lh.do_simple_bind(DN(), '')
        except errors.ACIError:
            root_logger.debug("LDAP Error: Anonymous access not allowed")
            return [NO_ACCESS_TO_LDAP]
        except errors.DatabaseError, err:
            root_logger.error("Error checking LDAP: %s" % err.strerror)
            # We should only get UNWILLING_TO_PERFORM if the remote LDAP
            # server has minssf > 0 and we have attempted a non-TLS conn.
            if ca_cert_path is None:
                root_logger.debug(
                    "Cannot connect to LDAP server. Check that minssf is "
                    "not enabled")
                return [NO_TLS_LDAP]
            else:
                return [UNKNOWN_ERROR]
        # get IPA base DN
        root_logger.debug("Search LDAP server for IPA base DN")
        basedn = get_ipa_basedn(lh)
        if basedn is None:
            root_logger.debug("The server is not an IPA server")
            return [NOT_IPA_SERVER]
        self.basedn = basedn
        self.basedn_source = 'From IPA server %s' % lh.ldap_uri
        # search and return known realms
        root_logger.debug(
            "Search for (objectClass=krbRealmContainer) in %s (sub)",
            self.basedn)
        try:
            lret = lh.get_entries(
                DN(('cn', 'kerberos'), self.basedn),
                lh.SCOPE_SUBTREE,
                "(objectClass=krbRealmContainer)")
        except errors.NotFound:
            # something very wrong
            return [REALM_NOT_FOUND]
        for lres in lret:
            root_logger.debug("Found: %s", lres.dn)
            lrealms.append(lres.single_value['cn'])
        if trealm:
            for r in lrealms:
                if trealm == r:
                    return [0, thost, trealm]
            # must match or something is very wrong
            return [REALM_NOT_FOUND]
        else:
            if len(lrealms) != 1:
                # which one? we can't attach to a multi-realm server
                # without DNS working
                return [REALM_NOT_FOUND]
            else:
                return [0, thost, lrealms[0]]
        # we shouldn't get here
        return [UNKNOWN_ERROR]
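def ipacheckldap(self, thost, trealm, ca_cert_path=None):
    """
    Given a host and kerberos realm verify that it is an IPA LDAP server
    hosting the realm.

    Args:
        thost: host name of the server to probe; port 389 is used.
        trealm: expected Kerberos realm, or a false value to accept
            whichever single realm the server advertises.
        ca_cert_path: path to a CA certificate file.  When given, the
            connection is upgraded with STARTTLS and the server
            certificate is demanded; when None the probe runs over a
            plain ``ldap://`` connection, so nothing learnt here is
            authenticated.

    Returns:
        ``[0, thost, realm]`` on success, where ``realm`` is ``trealm``
        when it was given, else the single realm found.  On failure a
        one-element list holding one of the module's error constants:
        NOT_IPA_SERVER, REALM_NOT_FOUND, NO_LDAP_SERVER,
        NO_ACCESS_TO_LDAP, NO_TLS_LDAP or UNKNOWN_ERROR.  The list is
        never empty.

    Side effects:
        On success ``self.basedn`` and ``self.basedn_source`` are set.
        With ``ca_cert_path`` the TLS options are set on the ``ldap``
        module, i.e. process-wide, not only on this connection.
    """
    lrealms = []
    lh = None
    # now verify the server is really an IPA server
    try:
        ldap_url = "ldap://" + format_netloc(thost, 389)
        root_logger.debug("Init LDAP connection with: %s", ldap_url)
        lh = ldap.initialize(ldap_url)
        if ca_cert_path:
            # NOTE(review): OPT_X_TLS_REQUIRE_CERT takes one of the
            # ldap.OPT_X_TLS_* level constants, and OPT_X_TLS_DEMAND is one
            # of those values rather than an option name; confirm on this
            # python-ldap build that these calls really demand certificate
            # verification before relying on them.
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_path)
            lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
            lh.start_tls_s()
        lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
        # Anonymous simple bind: empty DN and empty password.
        lh.simple_bind_s("", "")
        # get IPA base DN
        root_logger.debug("Search LDAP server for IPA base DN")
        basedn = get_ipa_basedn(lh)
        if basedn is None:
            root_logger.debug("The server is not an IPA server")
            return [NOT_IPA_SERVER]
        self.basedn = basedn
        self.basedn_source = 'From IPA server %s' % ldap_url
        # search and return known realms
        root_logger.debug(
            "Search for (objectClass=krbRealmContainer) in %s (sub)",
            self.basedn)
        lret = lh.search_s(str(DN(('cn', 'kerberos'), self.basedn)),
                           ldap.SCOPE_SUBTREE,
                           "(objectClass=krbRealmContainer)")
        if not lret:
            # something very wrong
            return [REALM_NOT_FOUND]
        for lres in lret:
            # search_s yields (dn, attrs) pairs; match the attribute name
            # case-insensitively and take its first value.
            root_logger.debug("Found: %s", lres[0])
            for lattr, lvals in lres[1].items():
                if lattr.lower() == "cn":
                    lrealms.append(lvals[0])
        if trealm:
            if trealm in lrealms:
                return [0, thost, trealm]
            # must match or something is very wrong
            return [REALM_NOT_FOUND]
        if len(lrealms) != 1:
            # which one? we can't attach to a multi-realm server without
            # DNS working
            return [REALM_NOT_FOUND]
        return [0, thost, lrealms[0]]
    except LDAPError as err:
        if isinstance(err, ldap.TIMEOUT):
            root_logger.debug("LDAP Error: timeout")
            return [NO_LDAP_SERVER]
        if isinstance(err, ldap.SERVER_DOWN):
            root_logger.debug("LDAP Error: server down")
            return [NO_LDAP_SERVER]
        if isinstance(err, ldap.INAPPROPRIATE_AUTH):
            root_logger.debug("LDAP Error: Anonymous access not allowed")
            return [NO_ACCESS_TO_LDAP]
        # We should only get UNWILLING_TO_PERFORM if the remote LDAP server
        # has minssf > 0 and we have attempted a non-TLS connection.
        if ca_cert_path is None and isinstance(err, ldap.UNWILLING_TO_PERFORM):
            root_logger.debug(
                "LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled"
            )
            return [NO_TLS_LDAP]
        root_logger.error(
            "LDAP Error: %s: %s" % (err.args[0]['desc'], err.args[0].get('info', '')))
        return [UNKNOWN_ERROR]
    finally:
        # Release the handle on every path; a failing unbind must not
        # replace the result being returned.
        if lh is not None:
            try:
                lh.unbind_s()
            except LDAPError:
                pass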
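def ipacheckldap(self, thost, trealm, ca_cert_path=None):
    """
    Given a host and kerberos realm verify that it is an IPA LDAP server
    hosting the realm.

    Args:
        thost: host name of the server to probe; port 389 is used.
        trealm: expected Kerberos realm, or a false value to accept
            whichever single realm the server advertises.
        ca_cert_path: path to a CA certificate file.  When given, the
            connection is upgraded with STARTTLS and the server
            certificate is demanded; when None the probe runs over a
            plain ``ldap://`` connection, so nothing learnt here is
            authenticated.

    Returns:
        ``[0, thost, realm]`` on success, where ``realm`` is ``trealm``
        when it was given, else the single realm found.  On failure a
        one-element list holding one of the module's error constants:
        NOT_IPA_SERVER, REALM_NOT_FOUND, NO_LDAP_SERVER,
        NO_ACCESS_TO_LDAP, NO_TLS_LDAP or UNKNOWN_ERROR.  The list is
        never empty.

    Side effects:
        On success ``self.basedn`` and ``self.basedn_source`` are set.
        With ``ca_cert_path`` the TLS options are set on the ``ldap``
        module, i.e. process-wide, not only on this connection.
    """
    lrealms = []
    lh = None
    # now verify the server is really an IPA server
    try:
        ldap_url = "ldap://" + format_netloc(thost, 389)
        root_logger.debug("Init LDAP connection with: %s", ldap_url)
        lh = ldap.initialize(ldap_url)
        if ca_cert_path:
            # NOTE(review): OPT_X_TLS_REQUIRE_CERT takes one of the
            # ldap.OPT_X_TLS_* level constants, and OPT_X_TLS_DEMAND is one
            # of those values rather than an option name; confirm on this
            # python-ldap build that these calls really demand certificate
            # verification before relying on them.
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_path)
            lh.set_option(ldap.OPT_X_TLS_DEMAND, True)
            lh.start_tls_s()
        lh.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
        # Anonymous simple bind: empty DN and empty password.
        lh.simple_bind_s("", "")
        # get IPA base DN
        root_logger.debug("Search LDAP server for IPA base DN")
        basedn = get_ipa_basedn(lh)
        if basedn is None:
            root_logger.debug("The server is not an IPA server")
            return [NOT_IPA_SERVER]
        self.basedn = basedn
        self.basedn_source = 'From IPA server %s' % ldap_url
        # search and return known realms
        root_logger.debug(
            "Search for (objectClass=krbRealmContainer) in %s (sub)",
            self.basedn)
        lret = lh.search_s(str(DN(('cn', 'kerberos'), self.basedn)),
                           ldap.SCOPE_SUBTREE,
                           "(objectClass=krbRealmContainer)")
        if not lret:
            # something very wrong
            return [REALM_NOT_FOUND]
        for lres in lret:
            # search_s yields (dn, attrs) pairs; match the attribute name
            # case-insensitively and take its first value.
            root_logger.debug("Found: %s", lres[0])
            for lattr, lvals in lres[1].items():
                if lattr.lower() == "cn":
                    lrealms.append(lvals[0])
        if trealm:
            if trealm in lrealms:
                return [0, thost, trealm]
            # must match or something is very wrong
            return [REALM_NOT_FOUND]
        if len(lrealms) != 1:
            # which one? we can't attach to a multi-realm server without
            # DNS working
            return [REALM_NOT_FOUND]
        return [0, thost, lrealms[0]]
    except LDAPError as err:
        if isinstance(err, ldap.TIMEOUT):
            root_logger.debug("LDAP Error: timeout")
            return [NO_LDAP_SERVER]
        if isinstance(err, ldap.SERVER_DOWN):
            root_logger.debug("LDAP Error: server down")
            return [NO_LDAP_SERVER]
        if isinstance(err, ldap.INAPPROPRIATE_AUTH):
            root_logger.debug("LDAP Error: Anonymous access not allowed")
            return [NO_ACCESS_TO_LDAP]
        # We should only get UNWILLING_TO_PERFORM if the remote LDAP server
        # has minssf > 0 and we have attempted a non-TLS connection.
        if ca_cert_path is None and isinstance(err, ldap.UNWILLING_TO_PERFORM):
            root_logger.debug("LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled")
            return [NO_TLS_LDAP]
        root_logger.error("LDAP Error: %s: %s" % (err.args[0]['desc'], err.args[0].get('info', '')))
        return [UNKNOWN_ERROR]
    finally:
        # Release the handle on every path; a failing unbind must not
        # replace the result being returned.
        if lh is not None:
            try:
                lh.unbind_s()
            except LDAPError:
                pass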