[Freeipa-devel] [PATCH] 240 Fix LDAP effective rights control with python-ldap 2.4.x

Martin Kosek mkosek at redhat.com
Wed Mar 21 09:49:07 UTC 2012


On Wed, 2012-03-21 at 10:16 +0100, Jan Cholasta wrote:
> On 21.3.2012 09:57, Martin Kosek wrote:
> > Test instructions are attached to the ticket.
> > ---
> > The new version of python-ldap changed the way it created LDAPv3
> > extended controls. The API used in 2.4.x can no longer be used
> > because it does not send the bind DN with effective rights
> > control and LDAP server thus rejects it.
> >
> > This patch implements the new API in a backward compatible way
> > so that it works both with python-ldap versions 2.3.x and 2.4.x.
> >
> > https://fedorahosted.org/freeipa/ticket/2565
> >
> 
> IMO it would be nicer to handle things on module import rather than on 
> each get effective rights request:
> 
> @@ -42,7 +42,6 @@ import ldap as _ldap
>   from ldap.ldapobject import SimpleLDAPObject
>   import ldap.filter as _ldap_filter
>   import ldap.sasl as _ldap_sasl
> -from ldap.controls import LDAPControl
>   # for backward compatibility
>   from ldap.functions import explode_dn
>   from ipalib.dn import DN
> @@ -56,6 +55,14 @@ from ipalib.crud import CrudBackend
>   from ipalib.encoder import Encoder, encode_args, decode_retval
>   from ipalib.request import context
> 
> +try:
> +    from ldap.controls.simple import GetEffectiveRightsControl
> +except ImportError:
> +    from ldap.controls import LDAPControl
> +    class GetEffectiveRightsControl(LDAPControl):
> +        def __init__(critical, value):
> +            super(GetEffectiveRightsControl, 
> self).__init__('1.3.6.1.4.1.42.2.27.9.5.2', critical, value)
> +
>   # Group Member types
>   MEMBERS_ALL = 0
>   MEMBERS_DIRECT = 1
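Review bot: the fallback `__init__` in this hunk is declared as `def __init__(critical, value):` without `self`, so the first positional argument is bound to `critical` and the `super(GetEffectiveRightsControl, self)` call fails on an undefined `self`; in addition, `super()` cannot be used at all when the base is an old-style class, which `LDAPControl` is in python-ldap 2.3.x. Suggest `def __init__(self, critical, value):` followed by an explicit `LDAPControl.__init__(self, '1.3.6.1.4.1.42.2.27.9.5.2', critical, value)`, which works for both old- and new-style bases.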
> @@ -871,7 +878,7 @@ class ldap2(CrudBackend, Encoder):
>           """
>           principal = getattr(context, 'principal')
>           (binddn, attrs) = self.find_entry_by_attr("krbprincipalname", 
> principal, "krbPrincipalAux")
> -        sctrl = [LDAPControl("1.3.6.1.4.1.42.2.27.9.5.2", True, "dn: " 
> + binddn.encode('UTF-8'))]
> +        sctrl = [GetEffectiveRightsControl(True, "dn: " + 
> binddn.encode('UTF-8'))]
>           self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
>           (dn, attrs) = self.get_entry(dn, entry_attrs)
>           # remove the control so subsequent operations don't include GER
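Review bot: the control is installed connection-wide with `set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)` before `get_entry` and, per the trailing comment, only removed after it returns; if `get_entry` raises, the reset is skipped and every later operation on this connection still carries the GER control. Suggest wrapping the `get_entry` call in `try:` / `finally:` so the control is cleared unconditionally.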
> 
> Honza
> 

I agree, this approach is better. I updated the patch based on your
input. It just needed some more love as LDAPControl is an old-style
Python class and I also silenced pylint when python-ldap 2.3.x is
installed.

Martin
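The compatibility shim discussed in this thread, as an added example that is not the attached patch or FreeIPA's own code: it fixes the missing `self` and the `super()`-on-old-style-class problem, builds the control value as `"dn: <binddn>"` the way the patch does, and clears the connection-wide control unconditionally. It uses python-ldap when installed; otherwise constructed stand-ins for `LDAPControl`, `OPT_SERVER_CONTROLS` and the connection object (`RecordingConn`, hypothetical) let it run offline.

```python
try:
    import ldap
    from ldap.controls import LDAPControl
    OPT_SERVER_CONTROLS = ldap.OPT_SERVER_CONTROLS
except ImportError:
    # Constructed stand-ins so the example runs without python-ldap installed.
    OPT_SERVER_CONTROLS = 'OPT_SERVER_CONTROLS'

    class LDAPControl:
        # Mirrors the python-ldap 2.3.x base class (old-style, so no super()).
        def __init__(self, controlType, criticality, controlValue=None):
            self.controlType = controlType
            self.criticality = criticality
            self.controlValue = controlValue

GER_OID = '1.3.6.1.4.1.42.2.27.9.5.2'  # Get Effective Rights control OID from the patch

try:
    # python-ldap 2.4.x ships the control ready-made.
    from ldap.controls.simple import GetEffectiveRightsControl
except ImportError:
    # python-ldap 2.3.x: derive it from LDAPControl, calling the base __init__
    # explicitly because an old-style base class cannot be reached via super().
    class GetEffectiveRightsControl(LDAPControl):
        def __init__(self, critical, value):
            LDAPControl.__init__(self, GER_OID, critical, value)


def ger_control_for(binddn):
    """Build the GER control as the patch does: the value is 'dn: <binddn>' as UTF-8."""
    return GetEffectiveRightsControl(True, (u"dn: " + binddn).encode('utf-8'))


def with_effective_rights(conn, binddn, operation):
    """Run operation(conn) with the GER control for binddn installed
    connection-wide (as the patched ldap2 method does) and remove the control
    again unconditionally, so a failed lookup cannot leak it into later requests."""
    conn.set_option(OPT_SERVER_CONTROLS, [ger_control_for(binddn)])
    try:
        return operation(conn)
    finally:
        conn.set_option(OPT_SERVER_CONTROLS, [])


class RecordingConn(object):
    """Constructed stand-in for SimpleLDAPObject: only records set_option calls."""
    def __init__(self):
        self.options = {}

    def set_option(self, option, value):
        self.options[option] = value
```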
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-240-2-fix-ldap-ger.patch
Type: text/x-patch
Size: 2545 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120321/d752b855/attachment.bin>