On Fri, 27 Jun 2014, Petr Spacek wrote:
On 27.6.2014 12:04, Alexander Bokovoy wrote:
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 1dff13c..09fed28 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1965,12 +1965,15 @@ class DNSNameParam(Param):
             #compare if IDN normalized and original domain match
             #there is N:1 mapping between unicode and IDNA names
             #user should use normalized names to avoid mistakes
-            normalized_domain_name = encodings.idna.nameprep(value)
-            if value != normalized_domain_name:
-                error = _("domain name '%(domain)s' and normalized domain name"
-                          " '%(normalized)s' do not match. Please use only"
-                          " normalized domains") % {'domain': value,
-                          'normalized': normalized_domain_name}
+            labels = value.split('.')
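Review bot: the added value.split('.') splits only on the ASCII full stop, so a name written with one of the other IDNA2003 label separators (U+3002, U+FF0E, U+FF61) is kept as a single label and compared as one. Split on all four separators, or take the labels from a parsed DNS name rather than a string, before any per-label check. The quoted hunk stops at this line, so what is done with the labels afterwards cannot be reviewed here.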

NACK. This is going to break with IDNA2003 as there are four different dots. The whole DNS refactoring was about eliminating all places where DNS names are treated as strings separated by ASCII dots.

IDNA implementation in FreeIPA git master right now is wrong with
regards to nameprep use -- encodings.idna.nameprep(), as well as other
functions in encodings.idna should be applied to labels, not to the
whole DNS name.

Give me a way to split a name to labels properly and we can work on it.

I would like to hear reasons against fixing ipa-adtrust-install (in the other part of the thread).

As I said, 'fixing' ipa-adtrust-install is considered a hack. Current
IDNA support is broken anyway, *it* needs to be fixed, not a long
standing convention to name DNS records in Active Directory
implementations (which Samba AD DC setup shares as well).

/ Alexander Bokovoy

Freeipa-devel mailing list
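
One way to do what the thread asks for, splitting on all four IDNA2003 label separators and applying nameprep per label, as an added example that is not FreeIPA code and not from either poster. The function names and the sample names are constructed for illustration.

```python
import re
from encodings.idna import nameprep

# RFC 3490 section 3.1 label separators: full stop, ideographic full stop,
# fullwidth full stop, halfwidth ideographic full stop.
IDNA2003_DOTS = re.compile("[\u002e\u3002\uff0e\uff61]")


def split_labels(name):
    """Split a Unicode DNS name into labels on any IDNA2003 separator."""
    return IDNA2003_DOTS.split(name)


def unnormalized_labels(name):
    """Return (label, nameprep(label)) for every label that is not already
    in nameprep form; the second item is None if nameprep rejects the label."""
    findings = []
    for label in split_labels(name):
        try:
            prepared = nameprep(label)
        except UnicodeError:
            prepared = None  # prohibited or badly mixed bidi characters
        if prepared != label:
            findings.append((label, prepared))
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for sample in ("b\u00fccher.example.com",
                   "b\u00fccher\u3002Example\uff0ecom",
                   "_ldap._tcp.Default-First-Site-Name._sites.example.com."):
        print(repr(sample), split_labels(sample), unnormalized_labels(sample))
```

Because nameprep case-folds, a strict "value equals its normalized form" check reports any label containing upper-case letters, which is visible in the third sample.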