From 95b29321eccb63d9740d33b442e9e78ba6367934 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 7 Feb 2022 12:35:14 +0200
Subject: [PATCH] Use -H option for OpenLDAP client tools as -h and -p are deprecated now
Resolves: rhbz#2050921
Signed-off-by: Alexander Bokovoy
---
 freeipa-openldap-updates.patch | 164 +++++++++++++++++++++++++++++++++
 freeipa.spec | 7 +-
 2 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 freeipa-openldap-updates.patch
diff --git a/freeipa-openldap-updates.patch b/freeipa-openldap-updates.patch
new file mode 100644
index 0000000..f74eef1
--- /dev/null
+++ b/freeipa-openldap-updates.patch
@@ -0,0 +1,164 @@ +From d9f92dabda1492a4c6a95603ab7cfd66a8cc84b4 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 7 Feb 2022 08:42:40 +0200 +Subject: [PATCH 1/2] OpenLDAP 2.6+: use only -H option to specify LDAP url + +OpenLDAP 2.6+ finally deprecated -h and -p options in all its command +line tools. They are not allowed anymore and cause ldap* tools to stop +hard with 'unknown option' error. + +Fix this by always using -H url option instead. Deriving default value +for -H url from the configuration file still works, it is only -h and -p +that were deprecated. + +See also: https://bugs.openldap.org/show_bug.cgi?id=8618 + +Fixes: https://pagure.io/freeipa/issue/9106 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + ipaclient/remote_plugins/2_114/sudorule.py | 4 +++- + ipaclient/remote_plugins/2_156/sudorule.py | 4 +++- + ipaclient/remote_plugins/2_164/sudorule.py | 4 +++- + ipaclient/remote_plugins/2_49/sudorule.py | 4 +++- + ipaserver/install/dsinstance.py | 2 +- + ipaserver/plugins/sudorule.py | 2 +- + ipatests/pytest_ipa/integration/tasks.py | 3 +-- + 7 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py +index 4b020738f..48a107ff9 100644 +--- a/ipaclient/remote_plugins/2_114/sudorule.py ++++ b/ipaclient/remote_plugins/2_114/sudorule.py +@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the password: +-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com ++LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\ ++ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\ ++ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + EXAMPLES: + +diff --git 
a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py +index d475e68a6..04b3a3e10 100644 +--- a/ipaclient/remote_plugins/2_156/sudorule.py ++++ b/ipaclient/remote_plugins/2_156/sudorule.py +@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the password: +-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com ++LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\ ++ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\ ++ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + EXAMPLES: + +diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py +index d475e68a6..04b3a3e10 100644 +--- a/ipaclient/remote_plugins/2_164/sudorule.py ++++ b/ipaclient/remote_plugins/2_164/sudorule.py +@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the password: +-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com ++LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\ ++ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\ ++ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + EXAMPLES: + +diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py +index 912a0b1ef..44f8ae7fe 100644 +--- a/ipaclient/remote_plugins/2_49/sudorule.py ++++ b/ipaclient/remote_plugins/2_49/sudorule.py +@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the 
password: +-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com ++LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\ ++ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\ ++ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + For more information, see the IPA Documentation to Sudo. + """) +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index ac9e131bb..04d26452d 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -1040,7 +1040,7 @@ class DsInstance(service.Service): + admpwdfile.write(password) + admpwdfile.flush() + +- args = [paths.LDAPPASSWD, "-h", self.fqdn, ++ args = [paths.LDAPPASSWD, "-H", "ldap://{}".format(self.fqdn), + "-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))), + "-y", dmpwdfile.name, "-T", admpwdfile.name, + str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))] +diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py +index 688065715..8528b6328 100644 +--- a/ipaserver/plugins/sudorule.py ++++ b/ipaserver/plugins/sudorule.py +@@ -66,7 +66,7 @@ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + """) + _(""" + To enable the binddn run the following command to set the password: + LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \ +--h ipa.example.com -ZZ -D "cn=Directory Manager" \ ++-H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \ + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + """) + _(""" + EXAMPLES: +diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py +index 836d140d4..7e1b7c24d 100755 +--- a/ipatests/pytest_ipa/integration/tasks.py ++++ b/ipatests/pytest_ipa/integration/tasks.py +@@ -2086,8 +2086,7 @@ def ldapsearch_dm(host, base, ldap_args, scope='sub', **kwargs): + args = [ + 'ldapsearch', + '-x', '-ZZ', +- '-h', host.hostname, +- '-p', '389', 
++ '-H', "ldap://{}".format(host.hostname), + '-D', str(host.config.dirman_dn), + '-w', host.config.dirman_password, + '-s', scope, +-- +2.34.1 + + +From fd5b2a3748c187df67c61b35f28d2e57c1298e32 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 7 Feb 2022 08:45:52 +0200 +Subject: [PATCH 2/2] pylint: workaround incorrect pylint detection of a local + function + +pylint 2.9 thinks that __add_principal is a class-level method that is +unused. It is a local function inside one of class methods and is used +directly inside that method. + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/dsinstance.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index 04d26452d..57fc4870f 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -993,6 +993,7 @@ class DsInstance(service.Service): + + def __setup_s4u2proxy(self): + ++ # pylint: disable=unused-private-member + def __add_principal(last_cn, principal, self): + dn = DN(('cn', last_cn), ('cn', 's4u2proxy'), + ('cn', 'etc'), self.suffix) +-- +2.34.1 + diff --git a/freeipa.spec b/freeipa.spec index 67cc5ed..d8bcb8f 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -196,7 +196,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 2%{?rc_version:.%rc_version}%{?dist}.1 +Release: 3%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -208,6 +208,7 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers %endif Patch0001: freeipa-openldap-2.6.patch +Patch0002: freeipa-openldap-updates.patch # RHEL spec file only: START: Change branding to IPA and Identity Management # Moved branding logos and background to redhat-logos-ipa-80.4: 
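Review bot: The new `-H ldap://…` arguments in dsinstance.py and in ldapsearch_dm keep `-ZZ`, which only works with the plain `ldap://` scheme (StartTLS upgrade on the cleartext port); a later "hardening" of the URL to `ldaps://` would make `-ZZ` fail because TLS is already negotiated, so I would pin that on the dsinstance args line with `# keep the ldap:// scheme: -ZZ mandates StartTLS and does not work over ldaps://`. The removed `-p 389` in ldapsearch_dm is covered by the URL's default port, but if `self.fqdn` or `host.hostname` could ever be an IPv6 literal the URL form needs brackets (`ldap://[addr]`) where `-h` accepted the bare address — worth confirming against how the hosts are named. Separately, the test helper still hands the Directory Manager password to ldapsearch via `-w` on argv, visible in the process list, whereas the dsinstance call in the same patch already uses `-y` with a password file; that is pre-existing rather than introduced here, but the `-y` pattern could be reused if the test hosts are shared. Both enclosing functions start and end outside the hunk.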
@@ -1705,6 +1706,10 @@ fi
 %endif
 %changelog
+* Mon Feb 07 2022 Alexander Bokovoy - 4.9.8-3
+- Use -H option for OpenLDAP client tools as -h and -p are deprecated now
+- Resolves: rhbz#2050921
+
 * Thu Jan 20 2022 Fedora Release Engineering - 4.9.8-2.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild