[sysadmin-bin] IPA upgrade to release 4.1.0 removed read-only access through the unauthenticated bind of the root u



commit 69434e072368a21eee15e366d3b186e9475ab43a
Author: Andrea Veri <av gnome org>
Date:   Thu Mar 5 15:31:39 2015 +0100

    IPA upgrade to release 4.1.0 removed read-only access through the unauthenticated bind of the root user
    
    With today's IPA upgrade to release 4.1.0 there is no way to set up
    an unauthenticated bind to the directory server by running the LDAP
    queries as the root user (it seems only non-compat groups are affected).
    Make sure both create-auth and export-mail do bind as DM even if they're
    only performing read-only operations on the gnome.org tree.

 create-auth         |    4 +++-
 mail/export-mail.py |   10 ++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
---
diff --git a/create-auth b/create-auth
index 9c73494..0bb8aa8 100755
--- a/create-auth
+++ b/create-auth
@@ -29,10 +29,12 @@ def get_md5sum_hash():
             user_md5sums [file] = m.hexdigest ()
     return user_md5sums
 
+execfile('/home/admin/bin/freeipa')
+
 ## first you must open a connection to the server
 try:
     l = ldap.open('view.gnome.org')
-    l.simple_bind("cn=Directory Manager")
+    l.simple_bind("cn=Directory Manager", ldap_password)
 except ldap.LDAPError, e:
     print >>sys.stderr, e
     sys.exit(1)
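Review bot: `l.simple_bind("cn=Directory Manager", ldap_password)` is the asynchronous bind in python-ldap — it returns a message id and does not raise on rejected credentials, so the `except ldap.LDAPError` right below will not see a failed Directory Manager bind; the error would only surface at the first search. The synchronous form, `l.simple_bind_s("cn=Directory Manager", ldap_password)`, raises inside the try block as intended. Separately, `execfile('/home/admin/bin/freeipa')` executes an arbitrary file to bring `ldap_password` into scope, while the export-mail.py hunk below loads it from `/home/admin/secret/freeipa` — one of the two paths looks wrong, and reading the password from a file (or importing a small module) is safer than executing it. Because `ldap.open` speaks plain LDAP, consider `l.start_tls_s()` before the bind so the Directory Manager password does not cross the wire in clear text, unless view.gnome.org is known to be reached over a trusted local link.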
diff --git a/mail/export-mail.py b/mail/export-mail.py
index f55d450..5012c59 100755
--- a/mail/export-mail.py
+++ b/mail/export-mail.py
@@ -9,6 +9,8 @@ LDAP_URL='ldap://account.gnome.org/'
 LDAP_GROUP_BASE='cn=groups,cn=accounts,dc=gnome,dc=org'
 LDAP_USER_BASE='cn=users,cn=accounts,dc=gnome,dc=org'
 
+execfile('/home/admin/secret/freeipa')
+
 ALIASES = [
     ('/etc/gnome.org/cvs-mail/virtual',    'cvs.gnome.org', ('gnomecvs', 'gnomevcs')),
     ('/etc/gnome.org/svn-mail/virtual',    'svn.gnome.org', ('gnomecvs', 'gnomevcs')),
@@ -60,8 +62,12 @@ def fetch_group_members(group):
 
 if __name__ == '__main__':
     global l
-    l = ldap.initialize(LDAP_URL)
-    l.protocol_version = ldap.VERSION3
+    try:
+        l = ldap.open('account.gnome.org')
+        l.simple_bind("cn=Directory Manager", ldap_password)
+    except ldap.LDAPError, e:
+        print >>sys.stderr, e
+        sys.exit(1)
 
     for aliasfile, domain, groups in ALIASES:
         # group argument can be a tuple
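Review bot: Replacing `ldap.initialize(LDAP_URL)` with `ldap.open('account.gnome.org')` drops the `LDAP_URL` constant the file still defines at its top and loses the explicit `l.protocol_version = ldap.VERSION3`; `ldap.open` is the deprecated host-based API. Keeping `l = ldap.initialize(LDAP_URL)` and `l.protocol_version = ldap.VERSION3` inside the new try block and adding `l.simple_bind_s("cn=Directory Manager", ldap_password)` gives the authenticated bind without that regression. As in create-auth, the asynchronous `simple_bind` does not raise on a rejected password, so the except clause never sees a bind failure. The `__main__` block continues past the end of the hunk.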

