diff --git a/freeipa-2.1.4-connection-failure-recovery.patch b/freeipa-2.1.4-connection-failure-recovery.patch
new file mode 100644
index 0000000..98c7d95
--- /dev/null
+++ b/freeipa-2.1.4-connection-failure-recovery.patch
@@ -0,0 +1,95 @@
+From 859d28ce9d4b0f356122b576eab397ed7a066745 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Thu, 8 Dec 2011 14:52:49 +0100
+Subject: [PATCH 4/6] Add connection failure recovery to IPAdmin
+
+Recover from connection failures in IPAdmin LDAP bind functions and
+rather try reconnect in scope of a given timeout instead of giving
+up after the first failed connection.
+
+The recovery fixes ipa-ldap-updater on F-16 which always failed
+because of a missing dirsrv socket.
+
+https://fedorahosted.org/freeipa/ticket/2175
+---
+ ipaserver/ipaldap.py | 35 +++++++++++++++++++++++++++++------
+ 1 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
+index 74cfbfda911facbf6f3bddf5972b3f035a9cfde0..1820e690b10c820efcd3217801bde6b685bbf20b 100644
+--- a/ipaserver/ipaldap.py
++++ b/ipaserver/ipaldap.py
+@@ -30,14 +30,17 @@ import cStringIO
+ import time
+ import struct
+ import ldap.sasl
++import ldapurl
+ from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
+ from ldap.ldapobject import SimpleLDAPObject
+ from ipaserver import ipautil
++from ipaserver.install import installutils
+ from ipalib import errors
+ from ipapython.ipautil import format_netloc
+
+ # Global variable to define SASL auth
+ SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')
++DEFAULT_TIMEOUT = 10
+
+ class Entry:
+ """
+@@ -330,6 +333,26 @@ class IPAdmin(SimpleLDAPObject):
+ except ldap.LDAPError, e:
+ raise errors.DatabaseError(desc=desc,info=info)
+
++ def __wait_for_connection(self, timeout):
++ lurl = ldapurl.LDAPUrl(self._uri)
++ if lurl.urlscheme == 'ldapi':
++ installutils.wait_for_open_socket(lurl.hostport, timeout)
++ else:
++ (host,port) = lurl.hostport.split(':')
++ installutils.wait_for_open_ports(host, int(port), timeout)
++
++ def __bind_with_wait(self, bind_func, timeout, *args, **kwargs):
++ try:
++ bind_func(*args, **kwargs)
++ except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
++ if not timeout:
++ raise e
++ try:
++ self.__wait_for_connection(timeout)
++ except:
++ raise e
++ bind_func(*args, **kwargs)
++
+ def toLDAPURL(self):
+ return "ldap://%s/" % format_netloc(self.host, self.port)
+
+@@ -346,19 +369,19 @@ class IPAdmin(SimpleLDAPObject):
+ except ldap.LDAPError, e:
+ self.__handle_errors(e, **{})
+
+- def do_simple_bind(self, binddn="cn=directory manager", bindpw=""):
++ def do_simple_bind(self, binddn="cn=directory manager", bindpw="", timeout=DEFAULT_TIMEOUT):
+ self.binddn = binddn
+ self.bindpwd = bindpw
+- self.simple_bind_s(binddn, bindpw)
++ self.__bind_with_wait(self.simple_bind_s, timeout, binddn, bindpw)
+ self.__lateinit()
+
+- def do_sasl_gssapi_bind(self):
+- self.sasl_interactive_bind_s('', SASL_AUTH)
++ def do_sasl_gssapi_bind(self, timeout=DEFAULT_TIMEOUT):
++ self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', SASL_AUTH)
+ self.__lateinit()
+
+- def do_external_bind(self, user_name=None):
++ def do_external_bind(self, user_name=None, timeout=DEFAULT_TIMEOUT):
+ auth_tokens = ldap.sasl.external(user_name)
+- self.sasl_interactive_bind_s("", auth_tokens)
++ self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
+ self.__lateinit()
+
+ def getEntry(self,*args):
+--
+1.7.7.4
+
diff --git a/freeipa-2.1.4-fix-pylint-f16.patch b/freeipa-2.1.4-fix-pylint-f16.patch
new file mode 100644
index 0000000..06d24c6
--- /dev/null
+++ b/freeipa-2.1.4-fix-pylint-f16.patch
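Review bot: In `__wait_for_connection` of the connection-failure-recovery patch, `(host,port) = lurl.hostport.split(':')` raises ValueError whenever the hostport is not exactly `host:port`, for example a URI with no explicit port or a bracketed IPv6 literal (which `format_netloc` in `toLDAPURL` presumably emits). The bare `except:` in `__bind_with_wait` then hides that error and re-raises the original connection failure, so the wait and retry silently never run for those URIs. The port should be parsed only when one is present, falling back to the scheme default, and the handler narrowed to `except Exception:` so an interrupt during the wait is not turned into an LDAP error. All three `do_*_bind` methods in the last hunk of that patch go through this path.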
@@ -0,0 +1,88 @@
+From d27b23d4315d24e62d83ddf0012b347ffad36e9c Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 8 Dec 2011 16:11:22 -0500
+Subject: [PATCH 6/6] Fix some pylint issues found in F-16
+
+* Using default_attributes rather than what would be defined in output
+ is the preferred mechanism for determining what attributes to
+ retrieve.
+
+* Replace some add_s() calls with addEntry()
+---
+ doc/examples/examples.py | 9 +++++++--
+ ipaserver/install/krbinstance.py | 4 ++--
+ ipaserver/install/service.py | 2 +-
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/doc/examples/examples.py b/doc/examples/examples.py
+index a969c898bcf8a6829b83898bd2d68400ae939ff3..7053e589a1a058d7742b51cbceaf683971555621 100644
+--- a/doc/examples/examples.py
++++ b/doc/examples/examples.py
+@@ -314,6 +314,11 @@ class exuser(Object):
+ ),
+ )
+
++ # You may not want to return all attributes in the entry by default.
++ # Use default_attributes to limit the list of returned values. The
++ # caller can set all to True to return all attributes.
++ default_attributes = ['uid', 'givenname', 'sn']
++
+ # register the object, uncomment this line if you want to try it out
+ #api.register(exuser)
+
+@@ -352,7 +357,7 @@ class exuser_show(Method):
+ if options.get('all', False):
+ attrs_list = ['*']
+ else:
+- attrs_list = [p.name for p in self.output_params()]
++ attrs_list = self.obj.default_attributes
+
+ (dn, entry_attrs) = ldap.get_entry(dn, attrs_list)
+ entry_attrs['dn'] = dn
+@@ -398,7 +403,7 @@ class exuser_find(Method):
+ if options.get('all', False):
+ attrs_list = ['*']
+ else:
+- attrs_list = [p.name for p in self.output_params()]
++ attrs_list = self.obj.default_attributes
+
+ # perform the search
+ (entries, truncated) = ldap.find_entries(
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index ce70c231dfb7e7b6b59c0496721cced0d09f1604..df6fc5a6ea6fbc4d9c207122dbb3c1ce1f5b4f50 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -284,7 +284,7 @@ class KrbInstance(service.Service):
+ entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=\\1@\\2)')
+
+ try:
+- self.admin_conn.add_s(entry)
++ self.admin_conn.addEntry(entry)
+ except ldap.ALREADY_EXISTS:
+ logging.critical("failed to add Full Principal Sasl mapping")
+ raise e
+@@ -297,7 +297,7 @@ class KrbInstance(service.Service):
+ entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=&@%s)' % self.realm)
+
+ try:
+- self.admin_conn.add_s(entry)
++ self.admin_conn.addEntry(entry)
+ except ldap.ALREADY_EXISTS:
+ logging.critical("failed to add Name Only Sasl mapping")
+ raise e
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 2fd15d8f8010114914549871fc5d0a228561fe1c..9fcc095b64f1abc121f1960d7c7ec15dbe53821f 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -287,7 +287,7 @@ class Service(object):
+ "enabledService", "startOrder " + str(order))
+
+ try:
+- conn.add_s(entry)
++ conn.addEntry(entry)
+ except ldap.ALREADY_EXISTS, e:
+ logging.critical("failed to add %s Service startup entry" % name)
+ raise e
+--
+1.7.7.4
+
diff --git a/freeipa.spec b/freeipa.spec
index 781a291..77ab0ce 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 Name: freeipa
 Version: 2.1.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -22,6 +22,8 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: freeipa-%{version}.tar.gz
 Source1: freeipa-systemd-upgrade
+Patch0: freeipa-2.1.4-connection-failure-recovery.patch
+Patch1: freeipa-2.1.4-fix-pylint-f16.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
@@ -216,6 +218,8 @@ package.
 %prep
 %setup -n freeipa-%{version} -q
 cp %{SOURCE1} init/systemd/
+%patch0 -p1
+%patch1 -p1
 %build
 export CFLAGS="$CFLAGS %{optflags}"
@@ -537,6 +541,12 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %changelog
+* Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2
+- Allow longer dirsrv startup with systemd:
+ - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
+ - Helps with restarts during upgrade for ipa-ldap-updater
+- Fix pylint warnings from F16 and Rawhide
+
 * Tue Dec 6 2011 Rob Crittenden - 2.1.4-1
 - Update to upstream 2.1.4 (CVE-2011-3636)
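Review bot: The `except ldap.ALREADY_EXISTS` handlers left around the new `addEntry(entry)` calls in krbinstance.py (both hunks) and service.py may no longer match. The IPAdmin methods visible elsewhere on this page catch `ldap.LDAPError` and hand it to `__handle_errors`, which raises ipalib `errors.*` exceptions; if `addEntry` follows that pattern, a duplicate entry would surface as an ipalib error (presumably `errors.DuplicateEntry`) and skip the `logging.critical` call. Confirm what `addEntry` raises and catch that type instead. Separately, the two krbinstance.py handlers read `except ldap.ALREADY_EXISTS:` without binding the exception, so unless `e` is bound earlier outside the hunk, `raise e` fails with NameError; `except ldap.ALREADY_EXISTS, e:` as in service.py, or a bare `raise`, would fix it. All three try blocks start or end outside their hunks.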