It always does a SASL EXTERNAL bind which requires root:
$ ipa-ldap-updater
Directory Manager password:
ipa : INFO PRE_UPDATE
Traceback (most recent call last):
  File "/usr/sbin/ipa-ldap-updater", line 160, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-ldap-updater", line 140, in main
    modified = ld.update(files)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 792, in update
    updates = api.Backend.updateclient.update(PRE_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 135, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 165, in run
    return self.Updater[method](**kw) #pylint: disable=E1101
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1398, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_replica_memberof.py", line 44, in execute
    conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 387, in do_external_bind
    self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 347, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_AUTH: {'info': 'SASL EXTERNAL bind requires an SSL connection', 'desc': 'Inappropriate authentication'}
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=813373
I'll take this.
master: 6f1baf8
Only allow root to run update plugins
Several plugins need restarting the DS (or they currently do an external bind). Rather than disabling plugins (possibly partially), refuse to run them when run as an unprivileged user.
This means running ipa-ldap-updater as non-root requires specifying a list of files, and omitting the --upgrade and --plugins options.
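The privilege policy the commit message describes, written out as an added example. This is not FreeIPA's code and the names (check_privileges, UpdaterUsageError, main) are assumed for illustration; the real ipa-ldap-updater option handling lives in the tool itself. The point it makes concrete: plugin execution (selected by --upgrade or --plugins) is refused outright for an unprivileged user rather than partially disabled, while an explicit list of update files is still accepted.

```python
import argparse
import os
import sys


class UpdaterUsageError(Exception):
    """Raised when the requested invocation is not allowed for this user."""


def check_privileges(files, upgrade=False, plugins=False, euid=None):
    """Return the run mode ("upgrade", "plugins" or "files") or raise.

    Policy (from the commit message this illustrates): update plugins may
    restart the DS or do a SASL EXTERNAL bind, both of which need root, so
    they are refused when the effective uid is not 0. A non-root caller may
    still apply explicitly listed update files. `euid` is a parameter only so
    the decision can be exercised without actually running as root.
    """
    if euid is None:
        euid = os.geteuid()
    wants_plugins = upgrade or plugins
    if wants_plugins and euid != 0:
        # Hypothetical message; wording is this example's, not the tool's.
        raise UpdaterUsageError(
            "update plugins need root: run as root, or pass a list of update "
            "files without --upgrade/--plugins")
    if not wants_plugins and not files:
        raise UpdaterUsageError("no update files given")
    if upgrade:
        return "upgrade"
    if plugins:
        return "plugins"
    return "files"


def build_parser():
    # Assumed option names, modelled on the two the commit message names.
    parser = argparse.ArgumentParser(prog="ldap-updater-example")
    parser.add_argument("--upgrade", action="store_true",
                        help="run all update plugins and files (root only)")
    parser.add_argument("--plugins", action="store_true",
                        help="run only the update plugins (root only)")
    parser.add_argument("files", nargs="*", help="explicit update files")
    return parser


def main(argv=None):
    """Parse argv, apply the policy, return a process exit status."""
    args = build_parser().parse_args(argv)
    try:
        mode = check_privileges(args.files, args.upgrade, args.plugins)
    except UpdaterUsageError as exc:
        sys.stderr.write("error: %s\n" % exc)
        return 1
    print("would run in %s mode with files %r" % (mode, args.files))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Passing euid explicitly lets the decision be tested without root; the real check must use os.geteuid() at run time, since a setuid or sudo wrapper changes the effective uid, not the real one.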
Metadata Update from @rcritten: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 3.0 Beta 1