Issue #4953: Migration UI Does Not Work When Anonymous Bind is Disabled - freeipa

freeipa

#4953 Migration UI Does Not Work When Anonymous Bind is Disabled

Closed: Fixed None Opened 9 years ago by rangerrick.

I have migrated users from an old/broken FreeIPA server using Martin Kosek's recommendations here: http://news.gmane.org/find-root.php?message_id=550810EF.2030705%40redhat.com

My servers are on the public internet, so for obvious reasons I immediately disabled anonymous bind.

Now, everything is working except that the migration UI (at https://server/ipa/migration/) does not work when anonymous bind is disabled. I get the following message in HTTPD's error_log:

[Tue Mar 17 11:57:13.169949 2015] [:error] [pid 13589] ipa: ERROR: migration unable to get base dn

[Tue Mar 17 11:57:30.729802 2015] [:error] [pid 13588] ipa: ERROR: migration context search failed: Insufficient access: Inappropriate authentication: Anonymous access is not allowed.

FreeIPA version is ipa-server-4.1.0-18.el7.centos.x86_64

mkosek commented 9 years ago

Thanks for report. I think this should not be a difficult fix. My initial suggestion from the thread:

I am CCing Peter Vobornik for the UI part. I think you are right. I quickly
checked the code, it indeed does an anonymous search and it also does not use
the CA certificate for TLS authentication when LDAPI is not available.

IMO, a ticket creation is due, to use IPA API object to get the basedn that is
read in the anonymous connection and to also use TLS when LDAPI is not available.

pvoborni commented 9 years ago

Quick workaround, if one does not want to wait for the fix:

Replace in /usr/share/ipa/migration/migration.py

def get_base_dn(ldap_uri):
    """
    Retrieve LDAP server base DN.
    """
    try:
        conn = IPAdmin(ldap_uri=ldap_uri)
        conn.do_simple_bind(DN(), '')
        base_dn = get_ipa_basedn(conn)
    except Exception, e:
        root_logger.error('migration context search failed: %s' % e)
        return ''
    finally:
        conn.unbind()

    return base_dn

with (with your base dn)

def get_base_dn(ldap_uri):
    return DN("dc=example,dc=com")

pvoborni commented 9 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1205264

pvoborni commented 9 years ago

4.1.4 was released, moving to new milestone

pvoborni commented 8 years ago

master:

e5d179b migration: Use api.env variables.

ipa-4-2:

6587782 migration: Use api.env variables.

pvoborni commented 8 years ago

ipa-4-1:

e40a6bc migration: Use api.env variables.

Metadata Update from @rangerrick:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.1.5

7 years ago

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

low

Milestone

FreeIPA 4.1.5

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Migration

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1205264

tester

None

changelog

None

design

None

freeipa

Source Code

#4953 Migration UI Does Not Work When Anonymous Bind is Disabled Closed: Fixed None Opened 9 years ago by rangerrick.

Metadata

#4953 Migration UI Does Not Work When Anonymous Bind is Disabled

Closed: Fixed None Opened 9 years ago by rangerrick.