Allow ipa-ldap-updater to wait for dirsrv service on systemd setups

freeipa-2.1.4-connection-failure-recovery.patch

@@ -0,0 +1,95 @@
+From 859d28ce9d4b0f356122b576eab397ed7a066745 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Thu, 8 Dec 2011 14:52:49 +0100
+Subject: [PATCH 4/6] Add connection failure recovery to IPAdmin
+
+Recover from connection failures in IPAdmin LDAP bind functions and
+rather try reconnect in scope of a given timeout instead of giving
+up after the first failed connection.
+
+The recovery fixes ipa-ldap-updater on F-16 which always failed
+because of a missing dirsrv socket.
+
+https://fedorahosted.org/freeipa/ticket/2175
+---
+ ipaserver/ipaldap.py |   35 +++++++++++++++++++++++++++++------
+ 1 files changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
+index 74cfbfda911facbf6f3bddf5972b3f035a9cfde0..1820e690b10c820efcd3217801bde6b685bbf20b 100644
+--- a/ipaserver/ipaldap.py
++++ b/ipaserver/ipaldap.py
+@@ -30,14 +30,17 @@ import cStringIO
+ import time
+ import struct
+ import ldap.sasl
++import ldapurl
+ from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
+ from ldap.ldapobject import SimpleLDAPObject
+ from ipaserver import ipautil
++from ipaserver.install import installutils
+ from ipalib import errors
+ from ipapython.ipautil import format_netloc
+ 
+ # Global variable to define SASL auth
+ SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')
++DEFAULT_TIMEOUT = 10
+ 
+ class Entry:
+     """
+@@ -330,6 +333,26 @@ class IPAdmin(SimpleLDAPObject):
+         except ldap.LDAPError, e:
+             raise errors.DatabaseError(desc=desc,info=info)
+ 
++    def __wait_for_connection(self, timeout):
++        lurl = ldapurl.LDAPUrl(self._uri)
++        if lurl.urlscheme == 'ldapi':
++            installutils.wait_for_open_socket(lurl.hostport, timeout)
++        else:
++            (host,port) = lurl.hostport.split(':')
++            installutils.wait_for_open_ports(host, int(port), timeout)
++
++    def __bind_with_wait(self, bind_func, timeout, *args, **kwargs):
++        try:
++            bind_func(*args, **kwargs)
++        except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
++            if not timeout:
++                raise e
++            try:
++                self.__wait_for_connection(timeout)
++            except:
++                raise e
++            bind_func(*args, **kwargs)
++
+     def toLDAPURL(self):
+         return "ldap://%s/" % format_netloc(self.host, self.port)
+ 
+@@ -346,19 +369,19 @@ class IPAdmin(SimpleLDAPObject):
+         except ldap.LDAPError, e:
+             self.__handle_errors(e, **{})
+ 
+-    def do_simple_bind(self, binddn="cn=directory manager", bindpw=""):
++    def do_simple_bind(self, binddn="cn=directory manager", bindpw="", timeout=DEFAULT_TIMEOUT):
+         self.binddn = binddn
+         self.bindpwd = bindpw
+-        self.simple_bind_s(binddn, bindpw)
++        self.__bind_with_wait(self.simple_bind_s, timeout, binddn, bindpw)
+         self.__lateinit()
+ 
+-    def do_sasl_gssapi_bind(self):
+-        self.sasl_interactive_bind_s('', SASL_AUTH)
++    def do_sasl_gssapi_bind(self, timeout=DEFAULT_TIMEOUT):
++        self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', SASL_AUTH)
+         self.__lateinit()
+ 
+-    def do_external_bind(self, user_name=None):
++    def do_external_bind(self, user_name=None, timeout=DEFAULT_TIMEOUT):
+         auth_tokens = ldap.sasl.external(user_name)
+-        self.sasl_interactive_bind_s("", auth_tokens)
++        self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
+         self.__lateinit()
+ 
+     def getEntry(self,*args):
+-- 
+1.7.7.4
+

freeipa-2.1.4-fix-pylint-f16.patch

@@ -0,0 +1,88 @@
+From d27b23d4315d24e62d83ddf0012b347ffad36e9c Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 8 Dec 2011 16:11:22 -0500
+Subject: [PATCH 6/6] Fix some pylint issues found in F-16
+
+* Using default_attributes rather than what would be defined in output
+  is the preferred mechanism for determining what attributes to
+  retrieve.
+
+* Replace some add_s() calls with addEntry()
+---
+ doc/examples/examples.py         |    9 +++++++--
+ ipaserver/install/krbinstance.py |    4 ++--
+ ipaserver/install/service.py     |    2 +-
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/doc/examples/examples.py b/doc/examples/examples.py
+index a969c898bcf8a6829b83898bd2d68400ae939ff3..7053e589a1a058d7742b51cbceaf683971555621 100644
+--- a/doc/examples/examples.py
++++ b/doc/examples/examples.py
+@@ -314,6 +314,11 @@ class exuser(Object):
+         ),
+     )
+ 
++    # You may not want to return all attributes in the entry by default.
++    # Use default_attributes to limit the list of returned values. The
++    # caller can set all to True to return all attributes.
++    default_attributes = ['uid', 'givenname', 'sn']
++
+ # register the object, uncomment this line if you want to try it out
+ #api.register(exuser)
+ 
+@@ -352,7 +357,7 @@ class exuser_show(Method):
+         if options.get('all', False):
+             attrs_list = ['*']
+         else:
+-            attrs_list = [p.name for p in self.output_params()]
++            attrs_list = self.obj.default_attributes
+ 
+         (dn, entry_attrs) = ldap.get_entry(dn, attrs_list)
+         entry_attrs['dn'] = dn
+@@ -398,7 +403,7 @@ class exuser_find(Method):
+         if options.get('all', False):
+             attrs_list = ['*']
+         else:
+-            attrs_list = [p.name for p in self.output_params()]
++            attrs_list = self.obj.default_attributes
+ 
+         # perform the search
+         (entries, truncated) = ldap.find_entries(
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index ce70c231dfb7e7b6b59c0496721cced0d09f1604..df6fc5a6ea6fbc4d9c207122dbb3c1ce1f5b4f50 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -284,7 +284,7 @@ class KrbInstance(service.Service):
+         entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=\\1@\\2)')
+ 
+         try:
+-            self.admin_conn.add_s(entry)
++            self.admin_conn.addEntry(entry)
+         except ldap.ALREADY_EXISTS:
+             logging.critical("failed to add Full Principal Sasl mapping")
+             raise e
+@@ -297,7 +297,7 @@ class KrbInstance(service.Service):
+         entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=&@%s)' % self.realm)
+ 
+         try:
+-            self.admin_conn.add_s(entry)
++            self.admin_conn.addEntry(entry)
+         except ldap.ALREADY_EXISTS:
+             logging.critical("failed to add Name Only Sasl mapping")
+             raise e
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 2fd15d8f8010114914549871fc5d0a228561fe1c..9fcc095b64f1abc121f1960d7c7ec15dbe53821f 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -287,7 +287,7 @@ class Service(object):
+                         "enabledService", "startOrder " + str(order))
+ 
+         try:
+-            conn.add_s(entry)
++            conn.addEntry(entry)
+         except ldap.ALREADY_EXISTS, e:
+             logging.critical("failed to add %s Service startup entry" % name)
+             raise e
+-- 
+1.7.7.4
+

freeipa.spec

@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 
 Name:           freeipa
 Version:        2.1.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -22,6 +22,8 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        freeipa-%{version}.tar.gz
 Source1:        freeipa-systemd-upgrade
+Patch0:         freeipa-2.1.4-connection-failure-recovery.patch
+Patch1:         freeipa-2.1.4-fix-pylint-f16.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
@@ -216,6 +218,8 @@ package.
 %prep
 %setup -n freeipa-%{version} -q
 cp %{SOURCE1} init/systemd/
+%patch0 -p1
+%patch1 -p1
 
 %build
 export CFLAGS="$CFLAGS %{optflags}"
@@ -537,6 +541,12 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2
+- Allow longer dirsrv startup with systemd:
+  - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
+  - Helps with restarts during upgrade for ipa-ldap-updater
+- Fix pylint warnings from F16 and Rawhide
+
 * Tue Dec  6 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.4-1
 - Update to upstream 2.1.4 (CVE-2011-3636)