Bug 813376 - ipa-ldap-updater plugin fix_replica_memberof.py requires root
Status: CLOSED DUPLICATE of bug 813373
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
6.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Rob Crittenden
IDM QE LIST
Depends On: 813373
Blocks:
Reported: 2012-04-17 11:31 EDT by Dmitri Pal
Modified: 2012-06-11 12:49 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Story Points: ---
Clone Of: 813373
Environment:
Last Closed: 2012-06-11 12:49:20 EDT
Description Dmitri Pal 2012-04-17 11:31:24 EDT
This is the bug to track a tech note for 6.3.

"Run the updates as root for now".

+++ This bug was initially created as a clone of Bug #813373 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2621

It always does a SASL EXTERNAL bind which requires root:

{{{
$ ipa-ldap-updater 
Directory Manager password: 

ipa         : INFO     PRE_UPDATE
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 160, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 140, in main
    modified = ld.update(files)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 792, in update
    updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 135, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 165, in run
    return self.Updater[method](**kw) #pylint: disable=E1101
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1398, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_memberof.py", line 44, in execute
    conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 387, in do_external_bind
    self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 347, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_AUTH: {'info': 'SASL EXTERNAL bind requires an SSL connection', 'desc': 'Inappropriate authentication'}
}}}
Comment 3 Martin Prpic 2012-04-17 11:44:21 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Comment 4 Jenny Galipeau 2012-06-11 12:49:20 EDT

*** This bug has been marked as a duplicate of bug 813373 ***
