Bug 813376 - ipa-ldap-updater plugin fix_replica_memberof.py requires root
Summary: ipa-ldap-updater plugin fix_replica_memberof.py requires root
Keywords:
Status: CLOSED DUPLICATE of bug 813373
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On: 813373
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-17 15:31 UTC by Dmitri Pal
Modified: 2012-06-11 16:49 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Clone Of: 813373
Environment:
Last Closed: 2012-06-11 16:49:20 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Dmitri Pal 2012-04-17 15:31:24 UTC 
This is the bug to track a tech note for 6.3.

"Run the updates as root for now".

+++ This bug was initially created as a clone of Bug #813373 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2621

It always does a SASL EXTERNAL bind which requires root:

{{{
$ ipa-ldap-updater 
Directory Manager password: 

ipa         : INFO     PRE_UPDATE
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 160, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 140, in main
    modified = ld.update(files)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 792, in update
    updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 135, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 165, in run
    return self.Updater[method](**kw) #pylint: disable=E1101
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1398, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_memberof.py", line 44, in execute
    conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 387, in do_external_bind
    self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 347, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_AUTH: {'info': 'SASL EXTERNAL bind requires an SSL connection', 'desc': 'Inappropriate authentication'}
}}}
Comment 3 Martin Prpič 2012-04-17 15:44:21 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Updating the Identity Management LDAP configuration via the ipa-ldap-updater fails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
Comment 4 Jenny Severance 2012-06-11 16:49:20 UTC 

*** This bug has been marked as a duplicate of bug 813373 ***
Note You need to log in before you can comment on or make changes to this bug.