1 file changed, 65 insertions(+), 39 deletions(-)
New commits:
commit cd9fd5dc5efd417a093d3e2e22aedac1f7433efa
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Wed Jun 29 14:44:55 2016 -0400
Ticket 48213 - Admin server registration requires anonymous binds
Bug Description: When installing a local DS/AS and registering the
server with a remote admin server, the setup process
does an anonymous bind to start things off, regardless
regardless of whether a full DN was provided as the admin id. If
anonymous access is disabled on the remote
configuration DS then the registration process fails.
Fix Description: If a DN was provided, not an rdn value, then attempt to
bind with this user first. Only if an rdn value is
provided will an anonymous bind be performed.
https://fedorahosted.org/389/ticket/48213
Reviewed by: nhosoi(Thanks!)
diff --git a/admserv/newinst/src/AdminUtil.pm.in b/admserv/newinst/src/AdminUtil.pm.in
index d370f9e..3ded348 100644
--- a/admserv/newinst/src/AdminUtil.pm.in
+++ b/admserv/newinst/src/AdminUtil.pm.in
@@ -157,6 +157,8 @@ sub getConfigDSConn {
my $configdir = shift;
my $errs = shift; # for output errs - an array ref
my $certdir;
+ my $errstr = "Success";
+ my $conn;
if (!$url or !$id) {
my $admConf = getAdmConf($configdir);
@@ -180,36 +182,61 @@ sub getConfigDSConn {
$certdir = getCertDir($configdir);
}
- # first try anon bind
- # 3 is LDAPv3 - 1 means use nspr
- debug(3, "Attempting connection to " . $h->{host} . ":" . $h->{port} . " certdir $certdir configdir $configdir\n");
- my $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, "", "",
- $certdir);
-
- my $errstr = "Success";
- if ($conn) {
- $errstr = $conn->getErrorString();
- }
- if (!$conn or ($errstr ne "Success")) {
+ if ($id =~ /=/){
+ #
+ # We have a bind DN so try it first, as anonymous access could be
+ # disabled on the config DS.
+ #
+ debug(3, "Attempting connection to " . $h->{host} . ":" . $h->{port} .
+ " bind DN ($id) certdir $certdir configdir $configdir\n");
+ $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, $id, $pwd, $certdir);
if ($conn) {
- $conn->close();
- $conn = 0;
+ $errstr = $conn->getErrorString();
}
- if ($certdir) {
- push @{$errs}, 'configds_open_error_ssl', $url,
- ($errstr eq "Success") ? 'unknown error' : $errstr,
- $h->{host}, $h->{port}, $h->{host}, $h->{host}, $certdir, $h->{host}, $h->{port};
- } else {
- push @{$errs}, 'configds_open_error', $url,
- ($errstr eq "Success") ? 'unknown error' : $errstr,
- $h->{host}, $h->{port}, $h->{host}, $h->{host}, $h->{host}, $h->{port};
+ if (!$conn or ($errstr ne "Success")) {
+ if ($conn) {
+ $conn->close();
+ $conn = 0;
+ }
+ if ($certdir) {
+ push @{$errs}, 'configds_open_error_ssl', $url,
+ ($errstr eq "Success") ? 'unknown error' : $errstr,
+ $h->{host}, $h->{port}, $h->{host}, $h->{host}, $certdir, $h->{host}, $h->{port};
+ } else {
+ push @{$errs}, 'configds_open_error', $url,
+ ($errstr eq "Success") ? 'unknown error' : $errstr,
+ $h->{host}, $h->{port}, $h->{host}, $h->{host}, $h->{host}, $h->{port};
+ }
+ return $conn;
+ }
+ } else {
+ #
+ # We must attempt an anonymous bind to find the entry
+ #
+ debug(3, "Attempting connection to " . $h->{host} . ":" . $h->{port} .
+ " bind DN(anonymous) certdir $certdir configdir $configdir\n");
+ $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, "", "", $certdir);
+ if ($conn) {
+ $errstr = $conn->getErrorString();
+ }
+ if (!$conn or ($errstr ne "Success")) {
+ if ($conn) {
+ $conn->close();
+ $conn = 0;
+ }
+ if ($certdir) {
+ push @{$errs}, 'configds_open_error_ssl', $url,
+ ($errstr eq "Success") ? 'unknown error' : $errstr,
+ $h->{host}, $h->{port}, $h->{host}, $h->{host}, $certdir, $h->{host}, $h->{port};
+ } else {
+ push @{$errs}, 'configds_open_error', $url,
+ ($errstr eq "Success") ? 'unknown error' : $errstr,
+ $h->{host}, $h->{port}, $h->{host}, $h->{host}, $h->{host}, $h->{port};
+ }
+ return $conn;
}
-
- return $conn;
- }
- # if $id is not a dn, look up the dn
- if ($id !~ /=/) {
+ # Search for the entry - we assume it starts with uid
my $ent = $conn->search($h->{dn}, "sub", "(uid=$id)", 1, 'dn');
$errstr = $conn->getErrorString();
if (!$ent or ($errstr ne "Success")) {
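Review bot: A rejected bind in the new DN branch is reported with the `configds_open_error`/`configds_open_error_ssl` tuple, so a mistyped admin password now surfaces as a connection failure, and the `constraint` → `configds_bindretry_error` lockout hint that the simpleAuth path still gives to rdn users is lost for DN users. If the constructor returns a connection object whose getErrorString() carries the bind result (the branch's own `!$conn or ($errstr ne "Success")` test suggests it can), the two cases should be told apart before pushing an error, as in the excerpt below. The open-error push is also copied verbatim into both branches; hoisting it into a small helper would keep the two message tuples from drifting apart. The `(uid=$id)` filter in the else path still interpolates the id unescaped, so an id containing filter metacharacters should be rejected or escaped per RFC 4515 before the search. getConfigDSConn begins and ends outside this hunk.
```perl
        $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, $id, $pwd, $certdir);
        if ($conn) {
            $errstr = $conn->getErrorString();
        }
        if ($conn and $errstr ne "Success") {
            # Connected, but the bind as $id was refused: report it as a bind
            # problem so the lockout hint matches the simpleAuth path below.
            $conn->close();
            $conn = 0;
            if ($errstr =~ /constraint/i) {
                push @{$errs}, 'configds_bindretry_error', $id, $url;
            } else {
                push @{$errs}, 'configds_bind_error', $id, $url, $errstr;
            }
            return $conn;
        }
        if (!$conn) {
            # … unchanged: configds_open_error / configds_open_error_ssl push …
            return $conn;
        }
```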
@@ -218,23 +245,22 @@ sub getConfigDSConn {
push @{$errs}, 'configds_finddn_error', $id, $url, (($errstr eq "Success") ? 'unknown error' : $errstr);
return $conn;
}
+ # Now bind as the entry
$id = $ent->getDN();
- }
-
- if (!$conn->simpleAuth($id, $pwd)) {
- $errstr = $conn->getErrorString();
- $conn->close();
- $conn = 0;
- if ($errstr =~ /constraint/i) {
- push @{$errs}, 'configds_bindretry_error', $id, $url;
- } else {
- push @{$errs}, 'configds_bind_error', $id, $url, (($errstr eq "Success") ? 'unknown error' : $errstr);
+ if (!$conn->simpleAuth($id, $pwd)) {
+ $errstr = $conn->getErrorString();
+ $conn->close();
+ $conn = 0;
+ if ($errstr =~ /constraint/i) {
+ push @{$errs}, 'configds_bindretry_error', $id, $url;
+ } else {
+ push @{$errs}, 'configds_bind_error', $id, $url, (($errstr eq "Success") ? 'unknown error' : $errstr);
+ }
+ return $conn;
}
- return $conn;
}
-
+ # store the binddn and password for later use
$conn->setDefaultRebindProc($id, $pwd, LDAP_AUTH_SIMPLE);
- # store the binddn for later use
$conn->{adminbinddn} = $id;
return $conn;