Bug 813376

Summary: ipa-ldap-updater plugin fix_replica_memberof.py requires root
Product: Red Hat Enterprise Linux 6
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED DUPLICATE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: jgalipea, mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Clone Of: 813373
Last Closed: 2012-06-11 16:49:20 UTC
Bug Depends On: 813373

Description Dmitri Pal 2012-04-17 15:31:24 UTC
This is the bug to track a tech note for 6.3.

"Run the updates as root for now".

+++ This bug was initially created as a clone of Bug #813373 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2621

It always does a SASL EXTERNAL bind which requires root:

{{{
$ ipa-ldap-updater 
Directory Manager password: 

ipa         : INFO     PRE_UPDATE
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 160, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 140, in main
    modified = ld.update(files)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 792, in update
    updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 135, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 165, in run
    return self.Updater[method](**kw) #pylint: disable=E1101
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1398, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_memberof.py", line 44, in execute
    conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 387, in do_external_bind
    self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 347, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_AUTH: {'info': 'SASL EXTERNAL bind requires an SSL connection', 'desc': 'Inappropriate authentication'}
}}}

Comment 3 Martin Prpič 2012-04-17 15:44:21 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.

Comment 4 Jenny Severance 2012-06-11 16:49:20 UTC

*** This bug has been marked as a duplicate of bug 813373 ***