This is added to make the 'existing' LDAP backend class more useful,
and to allow debugging of our OpenLDAP backend class with wireshark, by
forcing the traffic over loopback TCP, which is much easier to sniff.
Andrew Bartlett
ldap_backend_line = "# No LDAP backend"
if provision_backend.type is not "ldb":
ldap_backend_line = "# No LDAP backend"
if provision_backend.type is not "ldb":
- ldap_backend_line = "ldapBackend: %s" % provision_backend.ldapi_uri
+ ldap_backend_line = "ldapBackend: %s" % provision_backend.ldap_uri
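Review bot: The guard two lines above the renamed attribute, `if provision_backend.type is not "ldb":`, tests string identity rather than equality, so it only works while CPython happens to intern both literals; since this hunk touches the body of that branch it is the right moment to make it `if provision_backend.type != "ldb":`. The same pattern appears later in the backend file as `if server_port_string is not "":`, which should become `if server_port_string != "":`. The enclosing function starts before this hunk.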
samdb.transaction_start()
try:
samdb.transaction_start()
try:
dnspass=None, root=None, nobody=None, users=None,
wheel=None, backup=None, aci=None, serverrole=None,
dom_for_fun_level=None,
dnspass=None, root=None, nobody=None, users=None,
wheel=None, backup=None, aci=None, serverrole=None,
dom_for_fun_level=None,
- ldap_backend_extra_port=None, backend_type=None,
+ ldap_backend_extra_port=None, ldap_backend_forced_uri=None, backend_type=None,
sitename=None,
ol_mmr_urls=None, ol_olc=None,
setup_ds_path=None, slapd_path=None, nosync=False,
sitename=None,
ol_mmr_urls=None, ol_olc=None,
setup_ds_path=None, slapd_path=None, nosync=False,
if backend_type == "ldb":
provision_backend = LDBBackend(backend_type,
if backend_type == "ldb":
provision_backend = LDBBackend(backend_type,
- paths=paths, setup_path=setup_path,
- lp=lp, credentials=credentials,
- names=names,
- logger=logger)
+ paths=paths, setup_path=setup_path,
+ lp=lp, credentials=credentials,
+ names=names,
+ logger=logger)
elif backend_type == "existing":
provision_backend = ExistingBackend(backend_type,
elif backend_type == "existing":
provision_backend = ExistingBackend(backend_type,
- paths=paths, setup_path=setup_path,
- lp=lp, credentials=credentials,
- names=names,
- logger=logger,
- ldapi_url=ldapi_url)
+ paths=paths, setup_path=setup_path,
+ lp=lp, credentials=credentials,
+ names=names,
+ logger=logger,
+ ldap_backend_forced_uri=ldap_backend_forced_uri)
elif backend_type == "fedora-ds":
provision_backend = FDSBackend(backend_type,
elif backend_type == "fedora-ds":
provision_backend = FDSBackend(backend_type,
- paths=paths, setup_path=setup_path,
- lp=lp, credentials=credentials,
- names=names,
- logger=logger,
- domainsid=domainsid,
- schema=schema,
- hostname=hostname,
- ldapadminpass=ldapadminpass,
- slapd_path=slapd_path,
- ldap_backend_extra_port=ldap_backend_extra_port,
- ldap_dryrun_mode=ldap_dryrun_mode,
- root=root,
- setup_ds_path=setup_ds_path)
+ paths=paths, setup_path=setup_path,
+ lp=lp, credentials=credentials,
+ names=names,
+ logger=logger,
+ domainsid=domainsid,
+ schema=schema,
+ hostname=hostname,
+ ldapadminpass=ldapadminpass,
+ slapd_path=slapd_path,
+ ldap_backend_extra_port=ldap_backend_extra_port,
+ ldap_dryrun_mode=ldap_dryrun_mode,
+ root=root,
+ setup_ds_path=setup_ds_path,
+ ldap_backend_forced_uri=ldap_backend_forced_uri)
elif backend_type == "openldap":
provision_backend = OpenLDAPBackend(backend_type,
elif backend_type == "openldap":
provision_backend = OpenLDAPBackend(backend_type,
- paths=paths, setup_path=setup_path,
- lp=lp, credentials=credentials,
- names=names,
- logger=logger,
- domainsid=domainsid,
- schema=schema,
- hostname=hostname,
- ldapadminpass=ldapadminpass,
- slapd_path=slapd_path,
- ldap_backend_extra_port=ldap_backend_extra_port,
- ldap_dryrun_mode=ldap_dryrun_mode,
- ol_mmr_urls=ol_mmr_urls,
- nosync=nosync)
+ paths=paths, setup_path=setup_path,
+ lp=lp, credentials=credentials,
+ names=names,
+ logger=logger,
+ domainsid=domainsid,
+ schema=schema,
+ hostname=hostname,
+ ldapadminpass=ldapadminpass,
+ slapd_path=slapd_path,
+ ldap_backend_extra_port=ldap_backend_extra_port,
+ ldap_dryrun_mode=ldap_dryrun_mode,
+ ol_mmr_urls=ol_mmr_urls,
+ nosync=nosync,
+ ldap_backend_forced_uri=ldap_backend_forced_uri)
else:
raise ValueError("Unknown LDAP backend type selected")
else:
raise ValueError("Unknown LDAP backend type selected")
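Review bot: `ldap_backend_forced_uri=ldap_backend_forced_uri` is now forwarded to `ExistingBackend` and `FDSBackend` as well as `OpenLDAPBackend`, but only `OpenLDAPBackend.__init__` is shown gaining the keyword in these hunks; the `ExistingBackend` and `FDSBackend` signatures are outside what is visible, and `ExistingBackend` previously took `ldapi_url`. If either signature was not updated, provisioning with that backend fails with a `TypeError` on an unexpected keyword, so please confirm both accept `ldap_backend_forced_uri` (or re-run the existing and fedora-ds provision paths). The enclosing `provision` function starts before this hunk.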
super(ExistingBackend, self).__init__(backend_type=backend_type,
paths=paths, setup_path=setup_path, lp=lp,
super(ExistingBackend, self).__init__(backend_type=backend_type,
paths=paths, setup_path=setup_path, lp=lp,
- credentials=credentials, names=names, logger=logger)
-
- self.ldapi_uri = ldapi_uri
+ credentials=credentials, names=names, logger=logger,
+ ldap_backend_forced_uri=ldap_backend_forced_uri)
def init(self):
# Check to see that this 'existing' LDAP backend in fact exists
def init(self):
# Check to see that this 'existing' LDAP backend in fact exists
class LDAPBackend(ProvisionBackend):
def __init__(self, backend_type, paths=None, setup_path=None, lp=None,
class LDAPBackend(ProvisionBackend):
def __init__(self, backend_type, paths=None, setup_path=None, lp=None,
- credentials=None, names=None, logger=None, domainsid=None,
- schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
- ldap_backend_extra_port=None, ldap_dryrun_mode=False):
+ credentials=None, names=None, logger=None, domainsid=None,
+ schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
+ ldap_backend_extra_port=None,
+ ldap_backend_forced_uri=None, ldap_dryrun_mode=False):
super(LDAPBackend, self).__init__(backend_type=backend_type,
paths=paths, setup_path=setup_path, lp=lp,
super(LDAPBackend, self).__init__(backend_type=backend_type,
paths=paths, setup_path=setup_path, lp=lp,
self.ldap_backend_extra_port = ldap_backend_extra_port
self.ldap_dryrun_mode = ldap_dryrun_mode
self.ldap_backend_extra_port = ldap_backend_extra_port
self.ldap_dryrun_mode = ldap_dryrun_mode
- self.ldapi_uri = "ldapi://%s" % urllib.quote(os.path.join(self.ldapdir, "ldapi"), safe="")
+ if ldap_backend_forced_uri is not None:
+ self.ldap_uri = ldap_backend_forced_uri
+ else:
+ self.ldap_uri = "ldapi://%s" % urllib.quote(os.path.join(self.ldapdir, "ldapi"), safe="")
if not os.path.exists(self.ldapdir):
os.mkdir(self.ldapdir)
if not os.path.exists(self.ldapdir):
os.mkdir(self.ldapdir)
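Review bot: `self.ldap_uri = ldap_backend_forced_uri` accepts any string and is then used both as the slapd listen URI in `slapd_provision_command` and as the target of every `Ldb(...)` bind, including the credentialed ones in `init` and `post_setup`, without any check on the scheme; a non-`ldapi://` value therefore moves the provisioning binds off the private socket, which is the intended debugging use but is not stated here. I would add a comment above the `if`: `# A forced URI replaces the private ldapi socket for every backend connection, including credentialed binds; intended only for 'existing' backends or loopback debugging.` Also worth noting that the rootDSE "already running" probe in `init` now goes to the forced URI, so when something else answers at that address the pid-file hint in that message may not apply — presumably acceptable for a debug option, but a reader should not have to infer it. The `__init__` body starts before this hunk.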
def init(self):
from samba.provision import ProvisioningError
# we will shortly start slapd with ldapi for final provisioning. first
def init(self):
from samba.provision import ProvisioningError
# we will shortly start slapd with ldapi for final provisioning. first
- # check with ldapsearch -> rootDSE via self.ldapi_uri if another
+ # check with ldapsearch -> rootDSE via self.ldap_uri if another
# instance of slapd is already running
try:
# instance of slapd is already running
try:
- ldapi_db = Ldb(self.ldapi_uri)
+ ldapi_db = Ldb(self.ldap_uri)
ldapi_db.search(base="", scope=SCOPE_BASE,
expression="(objectClass=OpenLDAProotDSE)")
try:
ldapi_db.search(base="", scope=SCOPE_BASE,
expression="(objectClass=OpenLDAProotDSE)")
try:
p = f.read()
f.close()
self.logger.info("Check for slapd Process with PID: " + str(p) + " and terminate it manually.")
p = f.read()
f.close()
self.logger.info("Check for slapd Process with PID: " + str(p) + " and terminate it manually.")
- raise SlapdAlreadyRunning(self.ldapi_uri)
+ raise SlapdAlreadyRunning(self.ldap_uri)
except LdbError:
# XXX: We should never be catching all Ldb errors
pass
except LdbError:
# XXX: We should never be catching all Ldb errors
pass
while self.slapd.poll() is None:
# Wait until the socket appears
try:
while self.slapd.poll() is None:
# Wait until the socket appears
try:
- ldapi_db = Ldb(self.ldapi_uri, lp=self.lp, credentials=self.credentials)
+ ldapi_db = Ldb(self.ldap_uri, lp=self.lp, credentials=self.credentials)
ldapi_db.search(base="", scope=SCOPE_BASE,
expression="(objectClass=OpenLDAProotDSE)")
# If we have got here, then we must have a valid connection to the LDAP server!
ldapi_db.search(base="", scope=SCOPE_BASE,
expression="(objectClass=OpenLDAProotDSE)")
# If we have got here, then we must have a valid connection to the LDAP server!
credentials=None, names=None, logger=None, domainsid=None,
schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
ldap_backend_extra_port=None, ldap_dryrun_mode=False,
credentials=None, names=None, logger=None, domainsid=None,
schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
ldap_backend_extra_port=None, ldap_dryrun_mode=False,
- ol_mmr_urls=None, nosync=False):
+ ol_mmr_urls=None, nosync=False, ldap_backend_forced_uri=None):
super(OpenLDAPBackend, self).__init__( backend_type=backend_type,
paths=paths, setup_path=setup_path, lp=lp,
credentials=credentials, names=names, logger=logger,
domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port,
super(OpenLDAPBackend, self).__init__( backend_type=backend_type,
paths=paths, setup_path=setup_path, lp=lp,
credentials=credentials, names=names, logger=logger,
domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port,
+ ldap_backend_forced_uri=ldap_backend_forced_uri,
ldap_dryrun_mode=ldap_dryrun_mode)
self.ol_mmr_urls = ol_mmr_urls
ldap_dryrun_mode=ldap_dryrun_mode)
self.ol_mmr_urls = ol_mmr_urls
f.close()
# now we generate the needed strings to start slapd automatically,
f.close()
# now we generate the needed strings to start slapd automatically,
if self.ldap_backend_extra_port is not None:
# When we use MMR, we can't use 0.0.0.0 as it uses the name
# specified there as part of it's clue as to it's own name,
if self.ldap_backend_extra_port is not None:
# When we use MMR, we can't use 0.0.0.0 as it uses the name
# specified there as part of it's clue as to it's own name,
"-h"]
# copy this command so we have two version, one with -d0 and only
"-h"]
# copy this command so we have two version, one with -d0 and only
- # ldapi, and one with all the listen commands
+ # ldapi (or the forced ldap_uri), and one with all the listen commands
self.slapd_command = list(self.slapd_provision_command)
self.slapd_command = list(self.slapd_provision_command)
- self.slapd_provision_command.extend([self.ldapi_uri, "-d0"])
+ self.slapd_provision_command.extend([self.ldap_uri, "-d0"])
if server_port_string is not "":
uris = uris + " " + server_port_string
if server_port_string is not "":
uris = uris + " " + server_port_string
domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port,
domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port,
+ ldap_backend_forced_uri=ldap_backend_forced_uri,
ldap_dryrun_mode=ldap_dryrun_mode)
self.root = root
ldap_dryrun_mode=ldap_dryrun_mode)
self.root = root
raise ProvisioningError("ldif2db failed")
def post_setup(self):
raise ProvisioningError("ldif2db failed")
def post_setup(self):
- ldapi_db = Ldb(self.ldapi_uri, credentials=self.credentials)
+ ldapi_db = Ldb(self.ldap_uri, credentials=self.credentials)
# configure in-directory access control on Fedora DS via the aci
# attribute (over a direct ldapi:// socket)
# configure in-directory access control on Fedora DS via the aci
# attribute (over a direct ldapi:// socket)
help="do not add users or groups, just the structure")
parser.add_option("--ldap-backend-extra-port", type="int", metavar="LDAP-BACKEND-EXTRA-PORT",
help="Additional TCP port for LDAP backend server (to use for replication)")
help="do not add users or groups, just the structure")
parser.add_option("--ldap-backend-extra-port", type="int", metavar="LDAP-BACKEND-EXTRA-PORT",
help="Additional TCP port for LDAP backend server (to use for replication)")
+parser.add_option("--ldap-backend-forced-uri", type="string", metavar="LDAP-BACKEND-FORCED-URI",
+ help="Force the LDAP backend connection to be to a particular URI. Use this ONLY for 'existing' backends, or when debugging the interaction with the LDAP backend and you need to intercept the LDAP traffic")
parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
help="LDAP backend type (fedora-ds or openldap)",
choices=["fedora-ds", "openldap"])
parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
help="LDAP backend type (fedora-ds or openldap)",
choices=["fedora-ds", "openldap"])
+if opts.ldap_backend_type == "existing":
+ if opts.ldap_backend_forced_uri is not None:
+ logger.warn("You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at %s" % opts.ldap_backend_forced_uri)
+ else:
+ logger.info("You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at the default location")
+else:
+ if opts.ldap_backend_forced_uri is not None:
+ logger.warn("You have specified to use an fixed URI %s for connecting to your LDAP server backend. This is NOT RECOMMENDED, as our default communiation over ldapi:// is more secure and much less prone to unexpected failure or interaction" % opts.ldap_backend_forced_uri)
+
session = system_session()
try:
provision(setup_dir, logger,
session = system_session()
try:
provision(setup_dir, logger,
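Review bot: The `if opts.ldap_backend_type == "existing":` branch cannot be reached from the command line as shown, because `--ldap-backend-type` is declared with `choices=["fedora-ds", "openldap"]` a few lines above, so `optparse` rejects `existing` before this check runs; unless the choice list is extended in a hunk not shown here, the new option's help text ("Use this ONLY for 'existing' backends") promises a path that does not exist. The fix is in the option declaration: `help="LDAP backend type (fedora-ds, openldap or existing)",` and `choices=["fedora-ds", "openldap", "existing"])`. Separately, the warning string in the `else` branch contains two typos that will appear in user output, "an fixed URI" and "communiation", which should read "a fixed URI" and "communication".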
wheel=opts.wheel, users=opts.users,
serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
ldap_backend_extra_port=opts.ldap_backend_extra_port,
wheel=opts.wheel, users=opts.users,
serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
ldap_backend_extra_port=opts.ldap_backend_extra_port,
+ ldap_backend_forced_uri=opts.ldap_backend_forced_uri,
backend_type=opts.ldap_backend_type,
ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,
backend_type=opts.ldap_backend_type,
ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,