Hello,

DNSSEC: Detect invalid master keys in LDAP.

-- 
Petr^2 Spacek
From 280c5a51dd5d048fda5eb0e349df93d795d60662 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Fri, 26 Jun 2015 16:04:00 +0200
Subject: [PATCH] DNSSEC: Detect invalid master keys in LDAP.

---
 daemons/dnssec/ipa-dnskeysync-replica | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index c2c4c2725a9c46db4db04894a326ddf40e254eab..c5f8131a1f18dafe45cdd62d52cf01194e352d3d 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -74,6 +74,7 @@ def ldap2replica_master_keys_sync(log, ldapkeydb, localhsm):
     log.debug("new master keys in LDAP HSM: %s", hex_set(new_keys))
     for mkey_id in new_keys:
         mkey_ldap = ldapkeydb.master_keys[mkey_id]
+        assert mkey_ldap.wrapped_entries, "Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute" % hexlify(mkey_id)
         for wrapped_ldap in mkey_ldap.wrapped_entries:
             unwrapping_key = find_unwrapping_key(log, localhsm,
                     wrapped_ldap.single_value['ipaWrappingKey'])
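Review bot: The new check on the added line is an `assert`, which the interpreter strips under `-O`, so in that mode a master key with no wrapped entries would silently skip the inner loop instead of being reported; data read from LDAP should be validated with an explicit exception. Replace the line with `if not mkey_ldap.wrapped_entries:` followed by `raise ValueError("Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute" % hexlify(mkey_id))`. The body of ldap2replica_master_keys_sync starts before and continues after this hunk, so how the caller handles an exception raised here is not visible; presumably it is caught or logged at the daemon's top level.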
@@ -140,6 +141,7 @@ log.setLevel(level=logging.DEBUG)
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
 ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
+ipautil.run(['id'])
 ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)
 os.environ['KRB5CCNAME'] = ccache_filename
 log.debug('Got TGT')
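Review bot: `ipautil.run(['id'])` on the added line spawns a subprocess whose result is discarded, and nothing in the patch subject (detecting invalid master keys) explains it, so it reads as a debugging leftover that should be dropped before merging. If the intent is to record which identity the daemon runs as before the kinit, log it directly without forking, e.g. `log.debug('running as uid=%d euid=%d', os.getuid(), os.geteuid())`; `os` is already in scope on the preceding line. Whether ipautil.run itself logs the command's output cannot be confirmed from the hunk.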
-- 
2.1.0
