Use -H option for OpenLDAP client tools as -h and -p are deprecated now
Resolves: rhbz#2050921 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
parent
de337079bd
commit
95b29321ec
164
freeipa-openldap-updates.patch
Normal file
164
freeipa-openldap-updates.patch
Normal file
@ -0,0 +1,164 @@
|
||||
From d9f92dabda1492a4c6a95603ab7cfd66a8cc84b4 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 7 Feb 2022 08:42:40 +0200
|
||||
Subject: [PATCH 1/2] OpenLDAP 2.6+: use only -H option to specify LDAP url
|
||||
|
||||
OpenLDAP 2.6+ finally deprecated -h and -p options in all its command
|
||||
line tools. They are not allowed anymore and cause ldap* tools to stop
|
||||
hard with 'unknown option' error.
|
||||
|
||||
Fix this by always using -H url option instead. Deriving default value
|
||||
for -H url from the configuration file still works, it is only -h and -p
|
||||
that were deprecated.
|
||||
|
||||
See also: https://bugs.openldap.org/show_bug.cgi?id=8618
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9106
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaclient/remote_plugins/2_114/sudorule.py | 4 +++-
|
||||
ipaclient/remote_plugins/2_156/sudorule.py | 4 +++-
|
||||
ipaclient/remote_plugins/2_164/sudorule.py | 4 +++-
|
||||
ipaclient/remote_plugins/2_49/sudorule.py | 4 +++-
|
||||
ipaserver/install/dsinstance.py | 2 +-
|
||||
ipaserver/plugins/sudorule.py | 2 +-
|
||||
ipatests/pytest_ipa/integration/tasks.py | 3 +--
|
||||
7 files changed, 15 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py
|
||||
index 4b020738f..48a107ff9 100644
|
||||
--- a/ipaclient/remote_plugins/2_114/sudorule.py
|
||||
+++ b/ipaclient/remote_plugins/2_114/sudorule.py
|
||||
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
|
||||
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
To enable the binddn run the following command to set the password:
|
||||
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
|
||||
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
|
||||
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
EXAMPLES:
|
||||
|
||||
diff --git a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py
|
||||
index d475e68a6..04b3a3e10 100644
|
||||
--- a/ipaclient/remote_plugins/2_156/sudorule.py
|
||||
+++ b/ipaclient/remote_plugins/2_156/sudorule.py
|
||||
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
|
||||
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
To enable the binddn run the following command to set the password:
|
||||
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
|
||||
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
|
||||
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
EXAMPLES:
|
||||
|
||||
diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py
|
||||
index d475e68a6..04b3a3e10 100644
|
||||
--- a/ipaclient/remote_plugins/2_164/sudorule.py
|
||||
+++ b/ipaclient/remote_plugins/2_164/sudorule.py
|
||||
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
|
||||
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
To enable the binddn run the following command to set the password:
|
||||
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
|
||||
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
|
||||
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
EXAMPLES:
|
||||
|
||||
diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py
|
||||
index 912a0b1ef..44f8ae7fe 100644
|
||||
--- a/ipaclient/remote_plugins/2_49/sudorule.py
|
||||
+++ b/ipaclient/remote_plugins/2_49/sudorule.py
|
||||
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
|
||||
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
To enable the binddn run the following command to set the password:
|
||||
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
|
||||
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
|
||||
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
|
||||
For more information, see the IPA Documentation to Sudo.
|
||||
""")
|
||||
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
||||
index ac9e131bb..04d26452d 100644
|
||||
--- a/ipaserver/install/dsinstance.py
|
||||
+++ b/ipaserver/install/dsinstance.py
|
||||
@@ -1040,7 +1040,7 @@ class DsInstance(service.Service):
|
||||
admpwdfile.write(password)
|
||||
admpwdfile.flush()
|
||||
|
||||
- args = [paths.LDAPPASSWD, "-h", self.fqdn,
|
||||
+ args = [paths.LDAPPASSWD, "-H", "ldap://{}".format(self.fqdn),
|
||||
"-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))),
|
||||
"-y", dmpwdfile.name, "-T", admpwdfile.name,
|
||||
str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
|
||||
diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py
|
||||
index 688065715..8528b6328 100644
|
||||
--- a/ipaserver/plugins/sudorule.py
|
||||
+++ b/ipaserver/plugins/sudorule.py
|
||||
@@ -66,7 +66,7 @@ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
""") + _("""
|
||||
To enable the binddn run the following command to set the password:
|
||||
LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
|
||||
--h ipa.example.com -ZZ -D "cn=Directory Manager" \
|
||||
+-H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \
|
||||
uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
|
||||
""") + _("""
|
||||
EXAMPLES:
|
||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||
index 836d140d4..7e1b7c24d 100755
|
||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||
@@ -2086,8 +2086,7 @@ def ldapsearch_dm(host, base, ldap_args, scope='sub', **kwargs):
|
||||
args = [
|
||||
'ldapsearch',
|
||||
'-x', '-ZZ',
|
||||
- '-h', host.hostname,
|
||||
- '-p', '389',
|
||||
+ '-H', "ldap://{}".format(host.hostname),
|
||||
'-D', str(host.config.dirman_dn),
|
||||
'-w', host.config.dirman_password,
|
||||
'-s', scope,
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From fd5b2a3748c187df67c61b35f28d2e57c1298e32 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 7 Feb 2022 08:45:52 +0200
|
||||
Subject: [PATCH 2/2] pylint: workaround incorrect pylint detection of a local
|
||||
function
|
||||
|
||||
pylint 2.9 thinks that __add_principal is a class-level method that is
|
||||
unused. It is a local function inside one of class methods and is used
|
||||
directly inside that method.
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaserver/install/dsinstance.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
||||
index 04d26452d..57fc4870f 100644
|
||||
--- a/ipaserver/install/dsinstance.py
|
||||
+++ b/ipaserver/install/dsinstance.py
|
||||
@@ -993,6 +993,7 @@ class DsInstance(service.Service):
|
||||
|
||||
def __setup_s4u2proxy(self):
|
||||
|
||||
+ # pylint: disable=unused-private-member
|
||||
def __add_principal(last_cn, principal, self):
|
||||
dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
|
||||
('cn', 'etc'), self.suffix)
|
||||
--
|
||||
2.34.1
|
||||
|
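Review bot: In the `ldapsearch_dm` hunk of ipatests/pytest_ipa/integration/tasks.py, the new `'-H', "ldap://{}".format(host.hostname)` argument uses the plaintext-scheme URL, so protection of the Directory Manager bind depends entirely on the neighbouring `'-x', '-ZZ'` line. A short comment there, for example `# ldap:// is only acceptable together with -ZZ (StartTLS required); keep them paired`, would stop a later edit from dropping one without the other; the same applies to the `paths.LDAPPASSWD` call in ipaserver/install/dsinstance.py. The unchanged context line `'-w', host.config.dirman_password` still puts the password on the command line, where it is presumably visible in the process list of whichever host runs the command; the dsinstance.py call already passes it through a file with `-y`, and this helper could do the same. Dropping `-p 389` does not change behaviour, because `ldap://` defaults to port 389. Both functions start and end outside the hunks shown.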
@ -196,7 +196,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 2%{?rc_version:.%rc_version}%{?dist}.1
|
||||
Release: 3%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -208,6 +208,7 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
||||
%endif
|
||||
|
||||
Patch0001: freeipa-openldap-2.6.patch
|
||||
Patch0002: freeipa-openldap-updates.patch
|
||||
|
||||
# RHEL spec file only: START: Change branding to IPA and Identity Management
|
||||
# Moved branding logos and background to redhat-logos-ipa-80.4:
|
||||
@ -1705,6 +1706,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 07 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-3
|
||||
- Use -H option for OpenLDAP client tools as -h and -p are deprecated now
|
||||
- Resolves: rhbz#2050921
|
||||
|
||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.8-2.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
|