On Thu, 2011-09-29 at 17:56 +0200, Martin Kosek wrote:
> On Thu, 2011-09-29 at 11:44 -0400, Simo Sorce wrote:
> > On Thu, 2011-09-29 at 17:41 +0200, Martin Kosek wrote:
> > > On Wed, 2011-09-28 at 18:43 -0400, Simo Sorce wrote:
> > > > This patch allows ipa-client-install to successfully complete if
> > > > anonymous access is not allowed on the LDAP server.
> > > >
> > > > I have tested this by changing the value of
> > > > nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config
> > > > See NOTE about this option.
> > > >
> > > > This patch warns the user that full verification of the LDAP server was
> > > > not possible and may even assume realm is domain.upper() if DNS
> > > > discovery is not possible.
> > > >
> > > > With these caveats the installation on a DNS compliant domain works fine
> > > > against an IPA server with anonymous access to LDAP disabled with this
> > > > patch.
> > > >
> > > > Fixes #1881
> > > >
> > > > Simo.
> > > >
> > > >
> > > > NOTE: Setting rootdse nsslapd-allow-anonymous-access is standards
> > > > compliant as it still allows access anonymously to the rootdse entry.
> > > > Setting this option to 'off' prevents access even to rootdse and is not
> > > > a good idea (the client doesn't know what auth methods are available to
> > > > authenticate w/o access to rootdse)
> > >
> > > NACK. The approach looks good, but I found several errors:
> > >
> > > 1) IPA discovery for servers with anonymous access _allowed_ is broken
> > > because of the following lines:
> > >
> > > + if ldapret[0] == 0:
> > > + self.server = ldapret[0] <<< This should be ldapret[1]
> > > + self.realm = ldapret[1] <<<< This should be ldapret[2]
> > > ...
> >
> > Ouch, I swear I was sure I changed those lines ...
> > >
> > > @@ -259,24 +268,29 @@ class IPADiscovery:
> > > if trealm == r:
> > > return [thost, trealm] <<<<< This should be [0,
> > > thost, trealm]
> > > # must match or something is very wrong
> > > - return []
> > > + return [REALM_NOT_FOUND]
> > >
> > >
> > > 2) If anonymous access is forbidden, IPA base DN cannot be searched
> > > since we can't read its contents and check that it belongs to IPA. If
> > > you apply my patch 130, you will see this error:
> > >
> > > # ipa-client-install --server vm-103.idm.lab.bos.redhat.com --domain
> > > idm.lab.bos.redhat.com -p admin -w kokos123
> > > Warning: Anonymous access to the LDAP server is disabled.
> > > Proceeding without strict verification.
> > > Note: This is not an error if anonymous access has been explicitly
> > > restricted.
> > > DNS domain '' is not configured for automatic KDC address lookup.
> > > KDC address will be set to fixed value.
> > >
> > > Discovery was successful!
> > > Hostname: vm-050.idm.lab.bos.redhat.com
> > > Realm:
> > > DNS Domain: idm.lab.bos.redhat.com
> > > IPA Server: vm-103.idm.lab.bos.redhat.com
> > > Traceback (most recent call last):
> > > File "/usr/sbin/ipa-client-install", line 1148, in <module>
> > > sys.exit(main())
> > > File "/usr/sbin/ipa-client-install", line 1137, in main
> > > rval = install(options, env, fstore, statestore)
> > > File "/usr/sbin/ipa-client-install", line 866, in install
> > > print "BaseDN: "+cli_basedn
> > > TypeError: cannot concatenate 'str' and 'NoneType' objects
> > >
> > >
> > > We will have to add a possibility for the user to pass the base DN for IPA since we
> > > cannot check it ourselves. Something like --basedn=BASEDN. I can do it
> > > in the scope of my patch after you fix 1) if you don't feel comfortable
> > > hacking ipa-client-install.
> >
> > The basedn comes from rootdse, that one can be searched. (if you set the
> > option in DS to off and didn't read my note, you got what you deserve :-)
> >
> > Simo.
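Review bot: the success return in the `if trealm == r:` branch, `return [thost, trealm]`, does not match the status-first shape that the failure path now uses (`return [REALM_NOT_FOUND]`) and that the caller tests with `if ldapret[0] == 0:` before reading `ldapret[1]` and `ldapret[2]`; it needs to become `return [0, thost, trealm]`, otherwise a valid discovery result is rejected because its first element is a hostname rather than 0. A list whose length and meaning depend on slot 0 is what made both this slip and the `ldapret[0]`/`ldapret[1]` index mix-up quoted above easy to make; returning a fixed `(status, host, realm)` triple with `None` for the missing fields would make such mistakes visible at the call site.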
> >
>
> I read every word of it :-) My point was that you can have more
> databases (basedns, suffixes) configured on the server and when the
> anonymous access is disabled we cannot check which one is for IPA.
> That's what my patch 130 fixes. Before it, we just took the first
> suffix.
Ok, in that case we can compare the suffix with the realm. It is 100%
guaranteed that suffix and realm must match as we create the suffix out
of the realm.

Can you add code to check against REALM if anonymous is turned on ?

In case REALM is missing (DNS discovery failed) we have 2 options, use
domain.upper() or require a --realm= option to be passed by the user,
what do you think ?

We should really add a defaultNamingContext field in rootdse, maybe we
should open a ticket about that so we do not have to dance around this
issue ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
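The suffix-to-realm check proposed in the thread, as an added example that is not FreeIPA's own code: given the namingContexts readable from the rootDSE even when anonymous access is limited to it, pick the suffix that matches the Kerberos realm, falling back to domain.upper() when DNS discovery produced no realm. The function names, the status codes and the sample namingContexts list are constructed for this example, and it assumes the IPA suffix is built from the realm as lower-cased dc= components (EXAMPLE.COM becomes dc=example,dc=com).

```python
# Added example, not FreeIPA code. Assumes the IPA suffix is derived from
# the realm as lower-cased "dc=" components (EXAMPLE.COM -> dc=example,dc=com).

REALM_NOT_FOUND = 1    # constructed status codes, status-first as in the thread
SUFFIX_NOT_FOUND = 2

# Constructed sample: what a rootDSE namingContexts read might return from a
# server hosting several suffixes, only one of which is the IPA tree.
SAMPLE_NAMING_CONTEXTS = [
    "cn=changelog",
    "o=ipaca",
    "DC=idm, DC=lab, DC=bos, DC=redhat, DC=com",   # mixed case and spacing on purpose
]


def realm_to_suffix(realm):
    """Build the suffix an IPA server install would create from this realm."""
    return ",".join("dc=%s" % label.lower() for label in realm.split("."))


def normalize_dn(dn):
    """Fold case and strip whitespace around RDNs so two DN spellings compare equal."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def find_ipa_suffix(naming_contexts, realm=None, domain=None):
    """Return (status, realm, suffix); status 0 means a matching suffix was found.

    With anonymous access limited to the rootDSE the suffix entries themselves
    cannot be read, so the only check left is whether one of the advertised
    suffixes equals the one the realm would have produced at install time.
    """
    if not realm:
        if not domain:
            return (REALM_NOT_FOUND, None, None)
        realm = domain.upper()          # fallback discussed in the thread
    expected = normalize_dn(realm_to_suffix(realm))
    for context in naming_contexts:
        if normalize_dn(context) == expected:
            return (0, realm, context)  # hand back the suffix as the server spells it
    return (SUFFIX_NOT_FOUND, realm, None)
```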