https://fedorahosted.org/freeipa/ticket/5290

Patches attached.

From a8ee0440a363e11b82878609a4a0204039ce5b7e Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 13 Oct 2015 14:08:35 +0200
Subject: [PATCH 1/2] DNSSEC: Remove service containers from LDAP after
 uninstalling

The service containers are not needed there after uninstall anymore.
Removing these service entries also allows detecting whether a DNSSEC master is
installed on any replica, for any user.

https://fedorahosted.org/freeipa/ticket/5290
---
 ipaserver/install/dns.py     |  3 +++
 ipaserver/install/service.py | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 1253b9bd0ed9ce1bfdc4f04e6fd1e3c4aabec064..600ff5be7a80741de38e9ba8e8ff4dafe24996ee 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -72,10 +72,13 @@ def _disable_dnssec():
 
     ods.ldap_connect()
     ods.ldap_disable('DNSSEC', api.env.host, api.env.basedn)
+    ods.ldap_remove_service_container('DNSSEC', api.env.host, api.env.basedn)
 
     ods_exporter.ldap_connect()
     ods_exporter.ldap_disable('DNSKeyExporter', api.env.host, api.env.basedn)
     ods_exporter.remove_service()
+    ods_exporter.ldap_remove_service_container('DNSKeyExporter', api.env.host,
+                                               api.env.basedn)
 
     ods.ldap_disconnect()
     ods_exporter.ldap_disconnect()
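Review bot: The two new removals are unconditional and tolerate only a missing entry (`errors.NotFound` is the sole exception `ldap_remove_service_container` handles), so any other LDAP failure propagates out of `_disable_dnssec` before the `ldap_disconnect()` calls at the end of the hunk; `_disable_dnssec` starts outside the hunk, so I cannot see whether a caller copes with that. Since the second patch's `dnssec_installed()` treats the mere presence of a `cn=DNSSEC` entry under `cn=masters` as "key master installed", a host that leaves the topology without running this uninstall path would keep suppressing the new warning with a stale entry. A comment here would make that coupling visible, e.g. `# remove the cn=DNSSEC master entry: its presence is what dnssec_installed() in the dns plugin keys on`, and the replica-removal code that cleans `cn=masters` (not visible from here) should be checked for a matching cleanup.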
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index ac65f7b092e68b05579457677b6ec60fa30a0c7b..c1092e98fddffc8c3990bb9e18ccb2ab1207f8dc 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -518,6 +518,19 @@ class Service(object):
 
         root_logger.debug("service %s startup entry disabled", name)
 
+    def ldap_remove_service_container(self, name, fqdn, ldap_suffix):
+        if not self.admin_conn:
+            self.ldap_connect()
+
+        entry_dn = DN(('cn', name), ('cn', fqdn), ('cn', 'masters'),
+                        ('cn', 'ipa'), ('cn', 'etc'), ldap_suffix)
+        try:
+            self.admin_conn.delete_entry(entry_dn)
+        except errors.NotFound:
+            root_logger.debug("service %s container already removed", name)
+        else:
+            root_logger.debug("service %s container sucessfully removed", name)
+
 
 class SimpleServiceInstance(Service):
     def create_instance(self, gensvc_name=None, fqdn=None, dm_password=None, ldap_suffix=None, realm=None):
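Review bot: `ldap_remove_service_container` has no docstring, and the success message on its last line misspells "successfully"; I would add `"""Delete cn=<name>,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<ldap_suffix>; a missing entry is not an error."""` and change the log line to `root_logger.debug("service %s container successfully removed", name)`. Only `errors.NotFound` is swallowed, so a delete rejected for any other reason (the entry still having children, or insufficient access when `admin_conn` is not an admin bind) propagates to the caller — acceptable for an uninstall, but the docstring should say so. The DN is assembled inline; if `ldap_enable`/`ldap_disable` build the same DN (not visible in this hunk), a shared helper would keep the three in step.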
-- 
2.4.3

From 271a9f5a0aa729c993939140183147ebac2b303f Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 13 Oct 2015 10:48:10 +0200
Subject: [PATCH 2/2] DNSSEC: warn user if DNSSEC key master is not installed

Warn the user that the DNSSEC key master is not installed when the commands
dnszone-add, dnszone-mod and dnszone-show are run with the option dnssec=true

https://fedorahosted.org/freeipa/ticket/5290
---
 ipalib/messages.py                      | 12 ++++++++++
 ipalib/plugins/dns.py                   | 39 +++++++++++++++++++++++++++++++++
 ipaserver/install/opendnssecinstance.py |  5 +++++
 3 files changed, 56 insertions(+)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index 3b982f4737b0bf58940aaa1ca94b7ddb6137987b..a53989b01a67cda404ac57aaaf3bc3a385146d7c 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -276,6 +276,18 @@ class KerberosTXTRecordDeletionFailure(PublicMessage):
         "Please remove the record manually."
     )
 
+class DNSSECMasterNotInstalled(PublicMessage):
+    """
+    **13013** Used when a DNSSEC is not installed on system (no DNSSEC
+    master server is installed).
+    """
+
+    errno = 13013
+    type = "warning"
+    format = _(
+        "No DNSSEC key master is installed. DNSSEC zone signing will not work "
+        "until the DNSSEC key master is installed."
+    )
 
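Review bot: The docstring says "Used when a DNSSEC is not installed on system", which does not describe the condition that actually triggers the message in the dns plugin (inline signing requested for a zone while no key master exists); I would write `**13013** Used when DNSSEC inline signing is requested for a zone but no DNSSEC key master is installed in the topology.` PEP 8 also asks for two blank lines around a top-level class, and the new class has one before `class DNSSECMasterNotInstalled` and one after it, before `def iter_messages`. Whether 13013 is free in the message numbering cannot be verified from this hunk.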
 def iter_messages(variables, base):
     """Return a tuple with all subclasses
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 84086f4c77d02922f237937d58031cc42d55410e..aefdedca630ce74e37513e1a38ee5451d56d8249 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1593,6 +1593,33 @@ def dns_container_exists(ldap):
         return False
     return True
 
+
+def dnssec_installed(ldap):
+    """
+    * Method opendnssecinstance.get_dnssec_key_masters() CANNOT be used in the
+    dns plugin, or any plugin accessible for common users! *
+    Why?: The content of service container is not readable for common users.
+
+    This method only try to find if a DNSSEC service container exists on any
+    replica. What means that DNSSEC key master is installed.
+    :param ldap: ldap connection
+    :return: True if DNSSEC was installed, otherwise False
+    """
+    dn = DN(api.env.container_masters, api.env.basedn)
+
+    filter_attrs = {
+        u'cn': u'DNSSEC',
+        u'objectclass': u'ipaConfigObject',
+    }
+    only_masters_f = ldap.make_filter(filter_attrs, rules=ldap.MATCH_ALL)
+
+    try:
+        ldap.find_entries(filter=only_masters_f, base_dn=dn)
+    except errors.NotFound:
+        return False
+    return True
+
+
 def default_zone_update_policy(zone):
     if zone.is_reverse():
         return get_dns_reverse_zone_update_policy(api.env.realm, zone.ToASCII())
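Review bot: `dnssec_installed` turns every search failure other than `errors.NotFound` into a command error, even though its result only feeds a warning; as far as I recall, a truncated search in ipaldap raises `errors.LimitsExceeded` rather than `NotFound`, so hitting a size or time limit would make dnszone-show fail instead of merely skipping the warning. Consider handling that case as well, and since only existence matters the search could fetch nothing beyond `cn` (`attrs_list=[u'cn']`, if `find_entries` accepts it here as in ldap2). Because the check runs with the caller's own permissions, it depends on the ACIs letting unprivileged users search `cn=masters` entries by `cn` and `objectclass`; a deny there would silently yield a spurious "not installed" warning, which the docstring should state, together with the fact that the result is advisory and must not gate any signing decision. The docstring itself needs an edit pass ("This method only try to find", "What means") — describe it as a function that reports whether any replica has a `cn=DNSSEC` master entry, and keep the note about `get_dnssec_key_masters()` being unusable from user-accessible plugins.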
@@ -2657,6 +2684,15 @@ class dnszone(DNSZoneBase):
             _add_warning_fw_zone_is_not_effective(result, fwzone,
                                                   options['version'])
 
+    def _warning_dnssec_master_is_not_installed(self, result, **options):
+        dnssec_enabled = result['result'].get("idnssecinlinesigning", False)
+        if dnssec_enabled and not dnssec_installed(self.api.Backend.ldap2):
+            messages.add_message(
+                options['version'],
+                result,
+                messages.DNSSECMasterNotInstalled()
+            )
+
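Review bot: `dnssec_enabled` is the raw attribute value taken from `result['result']`; if it comes back as a one-element list, as LDAP attribute values usually do in these results (the normalization is not visible from this hunk), then `[False]` is truthy and the warning would fire for zones that have inline signing explicitly disabled. Please confirm the shape and either unwrap it or document the expectation, e.g. `# idnssecinlinesigning must be a scalar here: a one-element list would always be truthy`. The enclosing `dnszone` class begins outside the hunk.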
 
 @register()
 class dnszone_add(DNSZoneBase_add):
@@ -2727,6 +2763,7 @@ class dnszone_add(DNSZoneBase_add):
         self.obj._warning_forwarding(result, **options)
         self.obj._warning_name_server_option(result, context, **options)
         self.obj._warning_fw_zone_is_not_effective(result, *keys, **options)
+        self.obj._warning_dnssec_master_is_not_installed(result, **options)
         return result
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -2816,6 +2853,7 @@ class dnszone_mod(DNSZoneBase_mod):
         result = super(dnszone_mod, self).execute(*keys, **options)
         self.obj._warning_forwarding(result, **options)
         self.obj._warning_name_server_option(result, context, **options)
+        self.obj._warning_dnssec_master_is_not_installed(result, **options)
         return result
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -2873,6 +2911,7 @@ class dnszone_show(DNSZoneBase_show):
     def execute(self, *keys, **options):
         result = super(dnszone_show, self).execute(*keys, **options)
         self.obj._warning_forwarding(result, **options)
+        self.obj._warning_dnssec_master_is_not_installed(result, **options)
         return result
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index c92818f1a14f0f3f01eb042e96ca8a4c20a3df62..a060e358478663bb37603128c0681883d3aac307 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -27,10 +27,15 @@ softhsm_slot = 0
 
 def get_dnssec_key_masters(conn):
     """
+    This method can be used only for admin connections, common users do not
+    have permission to access content of service containers.
     :return: list of active dnssec key masters
     """
     assert conn is not None
 
+    # please check ipalib/dns.py:dnssec_installed() method too, if you do
+    # any modifications here
+
     dn = DN(api.env.container_masters, api.env.basedn)
 
     filter_attrs = {
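Review bot: The new cross-reference comment points at `ipalib/dns.py`, but the function it refers to is added to `ipalib/plugins/dns.py` in this same series (see the file header of the previous diff), so the path is wrong; I would write `# please check ipalib/plugins/dns.py:dnssec_installed() too if you change the filter or base DN here`. The docstring addition would also read better with a `:param conn: admin LDAP connection` line alongside the existing `:return:` line. `get_dnssec_key_masters` continues past the end of the hunk.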
-- 
2.4.3
