From d9f92dabda1492a4c6a95603ab7cfd66a8cc84b4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 7 Feb 2022 08:42:40 +0200
Subject: [PATCH 1/2] OpenLDAP 2.6+: use only -H option to specify LDAP url

OpenLDAP 2.6+ finally deprecated -h and -p options in all its command line tools. They are not allowed anymore and cause ldap* tools to stop hard with 'unknown option' error. Fix this by always using -H url option instead. Deriving default value for -H url from the configuration file still works, it is only -h and -p that were deprecated.

See also: https://bugs.openldap.org/show_bug.cgi?id=8618
Fixes: https://pagure.io/freeipa/issue/9106

Signed-off-by: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
---
 ipaclient/remote_plugins/2_114/sudorule.py | 4 +++-
 ipaclient/remote_plugins/2_156/sudorule.py | 4 +++-
 ipaclient/remote_plugins/2_164/sudorule.py | 4 +++-
 ipaclient/remote_plugins/2_49/sudorule.py | 4 +++-
 ipaserver/install/dsinstance.py | 2 +-
 ipaserver/plugins/sudorule.py | 2 +-
 ipatests/pytest_ipa/integration/tasks.py | 3 +--
 7 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py
index 4b020738f..48a107ff9 100644
--- a/ipaclient/remote_plugins/2_114/sudorule.py
+++ b/ipaclient/remote_plugins/2_114/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
 uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 EXAMPLES:
 
diff --git a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py
index d475e68a6..04b3a3e10 100644
--- a/ipaclient/remote_plugins/2_156/sudorule.py
+++ b/ipaclient/remote_plugins/2_156/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
 uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 EXAMPLES:
 
diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py
index d475e68a6..04b3a3e10 100644
--- a/ipaclient/remote_plugins/2_164/sudorule.py
+++ b/ipaclient/remote_plugins/2_164/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
 uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 EXAMPLES:
 
diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py
index 912a0b1ef..44f8ae7fe 100644
--- a/ipaclient/remote_plugins/2_49/sudorule.py
+++ b/ipaclient/remote_plugins/2_49/sudorule.py
@@ -41,7 +41,9 @@ IPA provides a designated binddn to use with Sudo located at:
 uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 To enable the binddn run the following command to set the password:
-LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \\
+ -H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \\
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 
 For more information, see the IPA Documentation to Sudo.
 """)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index ac9e131bb..04d26452d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1040,7 +1040,7 @@ class DsInstance(service.Service):
 admpwdfile.write(password)
 admpwdfile.flush()
 
- args = [paths.LDAPPASSWD, "-h", self.fqdn,
+ args = [paths.LDAPPASSWD, "-H", "ldap://{}".format(self.fqdn),
 "-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))),
 "-y", dmpwdfile.name, "-T", admpwdfile.name,
 str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py
index 688065715..8528b6328 100644
--- a/ipaserver/plugins/sudorule.py
+++ b/ipaserver/plugins/sudorule.py
@@ -66,7 +66,7 @@ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 """) + _("""
 To enable the binddn run the following command to set the password:
 LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
--h ipa.example.com -ZZ -D "cn=Directory Manager" \
+-H ldap://ipa.example.com -ZZ -D "cn=Directory Manager" \
 uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
 """) + _("""
 EXAMPLES:
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 836d140d4..7e1b7c24d 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
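Review bot: The new `-H` value is assembled inline as `"ldap://{}".format(self.fqdn)` in the dsinstance.py hunk, and the scheme is coupled to the `-ZZ` flag on the next line: StartTLS can only be negotiated on a plain `ldap://` session, so switching this to `ldaps://` at a later date would make `-ZZ` abort the tool. A short comment on the args line would pin that coupling, e.g. `# -H must stay ldap:// — -ZZ upgrades that connection with StartTLS and refuses to proceed without it`. The same URL construction is introduced in ipatests/pytest_ipa/integration/tasks.py in this patch, so a tiny shared helper would keep the two in step. The Directory Manager password continues to travel via `-y dmpwdfile.name` rather than on the command line, which keeps it out of the process list; the enclosing method begins and ends outside the hunk.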
@@ -2086,8 +2086,7 @@ def ldapsearch_dm(host, base, ldap_args, scope='sub', **kwargs):
 args = [
 'ldapsearch',
 '-x', '-ZZ',
- '-h', host.hostname,
- '-p', '389',
+ '-H', "ldap://{}".format(host.hostname),
 '-D', str(host.config.dirman_dn),
 '-w', host.config.dirman_password,
 '-s', scope,
-- 
2.34.1

From fd5b2a3748c187df67c61b35f28d2e57c1298e32 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 7 Feb 2022 08:45:52 +0200
Subject: [PATCH 2/2] pylint: workaround incorrect pylint detection of a local function

pylint 2.9 thinks that __add_principal is a class-level method that is unused. It is a local function inside one of class methods and is used directly inside that method.

Signed-off-by: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/dsinstance.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 04d26452d..57fc4870f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -993,6 +993,7 @@ class DsInstance(service.Service):
 
 def __setup_s4u2proxy(self):
 
+ # pylint: disable=unused-private-member
 def __add_principal(last_cn, principal, self):
 dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
 ('cn', 'etc'), self.suffix)
-- 
2.34.1
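Review bot: The rewritten argument list in ldapsearch_dm still hands the Directory Manager password to the tool on the command line via `'-w', host.config.dirman_password`, two lines below the new `-H` entry, so it is readable in the process list of the test host for the duration of the ldapsearch call. The dsinstance.py hunk earlier in this same patch shows the safer shape already used in the project: write the secret to a temporary file and pass `"-y", <tempfile>.name` instead. Dropping the explicit `-p 389` is fine, since `ldap://` defaults to that port and `-ZZ` still forces StartTLS on it. The `-w` line is unchanged context, so this is a follow-up rather than a regression introduced here; the body of ldapsearch_dm continues past the hunk.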
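Review bot: A `# pylint: disable=unused-private-member` pragma on a line of its own applies from that line to the end of the enclosing block, not only to the `def __add_principal` line below it, so anything added later inside `__setup_s4u2proxy` is exempt from the check as well. Because `__add_principal` is a nested function, the double-underscore prefix gains nothing (name mangling only matters for class attributes) and appears to be what makes pylint treat it as a class member; renaming it `def _add_principal(last_cn, principal, self):` and updating its call site, which lies outside the hunk, would remove the need for any suppression. If the pragma is kept, placing it as a trailing comment on the def line narrows its scope to that definition. The enclosing method `__setup_s4u2proxy` ends outside the hunk.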