Re: [Freeipa-devel] [PATCH] 769 enable SSL hostname checking
On Thu, 2011-05-19 at 22:36 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Mon, 2011-04-11 at 17:05 -0400, Rob Crittenden wrote:
>>> Enable 389-ds SSL host checking by default
>>>
>>> Enforce that the remote hostname matches the remote SSL server certificate when 389-ds operates as an SSL client. Also add an update file to turn this off for existing installations.
>>>
>>> ticket 1069
>>>
>>> rob
>>
>> NACK. 10-config.update fails to upgrade existing installation:
>>
>> # ipa-ldap-updater --upgrade
>> Upgrading IPA:
>>   [1/8]: stopping directory server
>>   [2/8]: saving configuration
>>   [3/8]: disabling listeners
>>   [4/8]: starting directory server
>>   [5/8]: upgrading server
>> ERROR:root:Update failed: Server is unwilling to perform: Deleting attributes is not allowed
>>   [6/8]: stopping directory server
>>   [7/8]: restoring configuration
>>   [8/8]: starting directory server
>> done configuring dirsrv.
>>
>> Martin
>
> Updated patch attached. I had to make the ldap updater do REPLACE operations. I went ahead and made this code similar to the code in ldap2.py for consistency.
>
> rob

ACK. Both LDAP upgrade and a fresh installation work fine.

Martin

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On 05/19/2011 10:41 PM, Simo Sorce wrote:
> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
>> Hello,
>>
>> I am working on ticket #1107 and I am looking for some ideas how to deal with it. The problem is that when we are installing a replica and have firewall on, the installation may fail or (even worse) hang. The question is how to deal with this situation since we cannot test if the ports are not blocked locally. It must be done from the remote master.
>>
>> I discussed this with Rob and I see two solutions here:
>>
>> 1) Don't complicate this and limit our user handholding (my favorite) - just tell him what ports he should open before proceeding with the installation. If he doesn't, the installation will fail later. The problem is when the installation hangs - it's hard to detect. This is the easy way.
>>
>> 2) Implement and register a mod_wsgi application on a master server and let it test remotely if the ports on the replica are open. We would have to open and listen on them in ipa-replica-install as we cannot tell if a port is not-yet-opened or firewalled just from the network error code. If the application would report a firewalled port, we would throw an error in the ipa-replica-install. However, as Rob pointed out, it would open a possible security hole as we would basically behave as a port scanner. It may also create SELinux issues as I think apache is not allowed to contact random ports normally.
>>
>> Any opinions, suggestions, ideas on this?
>
> I think a much better solution is to create a simple program pair, one for the master and one for the wannabe replica.
>
> The one on the replica opens all relevant ports. The one to be run on the master tries to connect to all these ports. Each side will report port, service name, success/failure.
>
> Bonus points if we create the replica program so that it can use admin credentials to ssh into the master and run the master side automatically, properly merging the output of that side.

And even more bonus points if we write a simple SELinux policy that only allows the listening program to just bind to the set of ports and nothing else.
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On Thu, 2011-05-19 at 16:41 -0400, Simo Sorce wrote:
> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
>> Hello,
>>
>> I am working on ticket #1107 and I am looking for some ideas how to deal with it. The problem is that when we are installing a replica and have firewall on, the installation may fail or (even worse) hang. The question is how to deal with this situation since we cannot test if the ports are not blocked locally. It must be done from the remote master.
>>
>> I discussed this with Rob and I see two solutions here:
>>
>> 1) Don't complicate this and limit our user handholding (my favorite) - just tell him what ports he should open before proceeding with the installation. If he doesn't, the installation will fail later. The problem is when the installation hangs - it's hard to detect. This is the easy way.
>>
>> 2) Implement and register a mod_wsgi application on a master server and let it test remotely if the ports on the replica are open. We would have to open and listen on them in ipa-replica-install as we cannot tell if a port is not-yet-opened or firewalled just from the network error code. If the application would report a firewalled port, we would throw an error in the ipa-replica-install. However, as Rob pointed out, it would open a possible security hole as we would basically behave as a port scanner. It may also create SELinux issues as I think apache is not allowed to contact random ports normally.
>>
>> Any opinions, suggestions, ideas on this?
>
> I think a much better solution is to create a simple program pair, one for the master and one for the wannabe replica.
>
> The one on the replica opens all relevant ports. The one to be run on the master tries to connect to all these ports. Each side will report port, service name, success/failure.

So you are saying this program would be optional and the user could run it if he were unsure whether the firewall setting is OK? Like running, for example:

$ ipa-replica-check-connection --on-replica

on the replica, which would listen on our set of ports (and, as Jakub said, it may be secured by SELinux policy), and then he would run

$ ipa-replica-check-connection --on-master

on the master server, which would test the ports and print a result.

> Bonus points if we create the replica program so that it can use admin credentials to ssh into the master and run the master side automatically, properly merging the output of that side.

I am not sure if we can count on having admin credentials for ssh or even an ssh connection at all.

Martin
Re: [Freeipa-devel] Ticket #1107 - firewall troubles
On Thu, 2011-05-19 at 18:32 -0400, Dmitri Pal wrote:
> On 05/19/2011 04:41 PM, Simo Sorce wrote:
>> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
>>> Hello,
>>>
>>> I am working on ticket #1107 and I am looking for some ideas how to deal with it. The problem is that when we are installing a replica and have firewall on, the installation may fail or (even worse) hang. The question is how to deal with this situation since we cannot test if the ports are not blocked locally. It must be done from the remote master.
>>>
>>> I discussed this with Rob and I see two solutions here:
>>>
>>> 1) Don't complicate this and limit our user handholding (my favorite) - just tell him what ports he should open before proceeding with the installation. If he doesn't, the installation will fail later. The problem is when the installation hangs - it's hard to detect. This is the easy way.
>>>
>>> 2) Implement and register a mod_wsgi application on a master server and let it test remotely if the ports on the replica are open. We would have to open and listen on them in ipa-replica-install as we cannot tell if a port is not-yet-opened or firewalled just from the network error code. If the application would report a firewalled port, we would throw an error in the ipa-replica-install. However, as Rob pointed out, it would open a possible security hole as we would basically behave as a port scanner. It may also create SELinux issues as I think apache is not allowed to contact random ports normally.
>>>
>>> Any opinions, suggestions, ideas on this?
>>
>> I think a much better solution is to create a simple program pair, one for the master and one for the wannabe replica.
>>
>> The one on the replica opens all relevant ports. The one to be run on the master tries to connect to all these ports. Each side will report port, service name, success/failure.
>>
>> Bonus points if we create the replica program so that it can use admin credentials to ssh into the master and run the master side automatically, properly merging the output of that side.
>>
>> Simo.
>
> I think Simo has a point but it is too much for now. IMO it is Ok to fail and report a meaningful error message on either side.

Installation hanging is what we should address here in the scope of 2.1. I am thinking about implementing a watchdog for this critical installation step (`/usr/bin/pkisilent ConfigureCA`), where the replica is known to hang. We could set a safe timeout, say 5-10 minutes, for the pkisilent process and if it doesn't finish in the given time, we would kill the process and inform the user + ask him to check if the ports are open.

The list of our ports to check could be printed to the user almost every time the installation fails, so that he would have a hint where to investigate.

Martin
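The two ideas in this thread, the replica/master port-check pair and the watchdog around the hanging installation step, as an added Python example. This is not FreeIPA code and not from any of the posters: the replica side binds the ports, the master side classifies each TCP connect as open, closed (RST came back, so nothing listens but no firewall is in the way) or filtered (silence until the timeout, the usual signature of a DROP rule), which is exactly the distinction a bare error code in ipa-replica-install cannot make, and a small runner kills a child process that exceeds its time budget. The function names, the service list and the loopback demo are assumptions made for this example; on loopback the demo can show open and closed but not filtered, which needs a real firewall rule between two hosts.

```python
# Added example (not FreeIPA code): a minimal port-check pair of the kind
# proposed in this thread, plus the installer watchdog Martin describes.
# The names serve_ports, classify_connect, check_ports, run_with_watchdog
# and the REPLICA_SERVICES list are assumptions made for the demo.
import errno
import socket
import subprocess
import sys


def serve_ports(host, ports):
    """Replica side: bind and listen on every port the master will probe.

    Nothing is accepted or read; the kernel completes the TCP handshake from
    the backlog, which is all the remote check needs. Returns the listening
    sockets so the caller can read the bound ports and close them later.
    """
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
        socks.append(s)
    return socks


def classify_connect(host, port, timeout=2.0):
    """Master side: one TCP connect, classified the way a firewall check needs.

    open     - handshake completed, the listener is reachable
    closed   - RST came back: the host answered, nothing listens, not filtered
    filtered - no answer before the timeout, the usual sign of a DROP rule
    error    - anything else (no route, host unreachable, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "closed"
        return "error"
    finally:
        s.close()


def check_ports(host, services, timeout=2.0):
    """Probe every (port, service name) pair and report
    (port, service name, result) in the order given."""
    return [(port, name, classify_connect(host, port, timeout))
            for port, name in services]


def run_with_watchdog(argv, timeout):
    """Run a command and kill it if it has not finished after `timeout`
    seconds. Returns the exit status, or None when the watchdog fired, so
    the caller can tell the user which ports to check instead of hanging."""
    try:
        return subprocess.run(argv, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        # subprocess.run() kills and reaps the child before raising.
        return None


# Service list constructed for the demo, not the authoritative FreeIPA list.
REPLICA_SERVICES = [(389, "ldap"), (636, "ldaps"), (88, "kerberos"),
                    (464, "kpasswd"), (80, "http"), (443, "https")]

if __name__ == "__main__":
    # Loopback demo: probe a live listener, then the same port once the
    # listener is gone, so both non-filtered outcomes are visible.
    socks = serve_ports("127.0.0.1", [0])
    port = socks[0].getsockname()[1]
    print(check_ports("127.0.0.1", [(port, "demo-ldap")]))
    for s in socks:
        s.close()
    print(check_ports("127.0.0.1", [(port, "demo-ldap")]))
    # A child that would hang for 10 s is killed after half a second.
    print(run_with_watchdog([sys.executable, "-c", "import time; time.sleep(10)"], 0.5))
```

In a real deployment the replica side would bind REPLICA_SERVICES on the address the master will use, and the master side would run check_ports against the replica's hostname; a "closed" result means the packet got through and the service just is not up yet, while "filtered" is what the installer should turn into the "please open these ports" message.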
Re: [Freeipa-devel] [PATCH] 786 Configure Managed Entries on replicas.
JR Aquino wrote:
> On May 18, 2011, at 2:52 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> The Managed Entries plugin configurations weren't being created on replica installs. The templates were there but the cn=config portions were not. This patch adds them as updates. The template portion will be added in the initial replication.
>>>
>>> ticket 1222
>>>
>>> To test:
>>> Install a master
>>> Install a replica
>>> On replica: kinit
>>> On replica: ipa user-add --first=timmy --last=test ttest
>>> On replica: ipa group-show ttest
>>> On master: ipa group-show ttest
>>>
>>> rob
>>
>> Updated patch attached. This requires jraquino patch 28 to work as expected.
>>
>> rob
>>
>> freeipa-rcrit-786-2-replica.patch
>
> NACK
>
> This patch is not applying to Master?
>
> error: patch failed: install/updates/Makefile.am:8
> error: install/updates/Makefile.am: patch does not apply

Rebased, it depended on my patch 769.

rob

freeipa-rcrit-786-3-replica.patch
Re: [Freeipa-devel] [PATCH] 783 get group info when showing user
Rob Crittenden wrote:
> Adam Young wrote:
>> On 05/13/2011 04:10 PM, Rob Crittenden wrote:
>>> The UI team had asked that we provide some group info (GID, description) when showing users. This adds a special call to group_find to get this information. It is returned as a list of dicts.
>>>
>>> ticket 107
>>>
>>> rob
>>
>> I wonder if this is the wrong abstraction. As we discussed today, we need to do many of these types of cross referential searches. Basically, we need to be able to filter on 'member' and 'memberof' type relationships. So if we did a group_find --member_user=ayoung it would return all groups that I am a member of. This would work across the board for association facets
>
> That works now, as specified in the ticket. I was under the impression this was rejected which is why I embedded it into user-show.
>
> What you suggested works now with: ipa group-find --users=ayoung
>
> memberof doesn't exist in the group, you have to look at the end entity.
>
> rob

So what shall I do with this? Dump the patch and re-assign the ticket to the UI?

rob
Re: [Freeipa-devel] [PATCH] 067 A new flag to disable creation of UPG
Martin Kosek wrote:
> On Mon, 2011-05-16 at 22:12 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> This patch is based on an old patch of Pavel's. I am considering applying the patch for master branch only as it changes an API (adds a new flag) and is a sort of new-functionality-ish.
>>>
>>> --
>>> Automatic creation of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1131
>>
>> Nack, setattr and addattr are removed from API.txt. I'm guessing it's a side-effect of some change here.
>>
>> The approach generally looks good.
>>
>> rob
>
> You are right, this was a side-effect in user.py. I fixed the problem, updated patch is attached.
>
> Martin

This looks good, just a couple of requests:

1. Bump the minor API version since we are adding a new flag
2. Add a self-test for not creating a private group

rob
Re: [Freeipa-devel] [PATCH] 24 Add sudorule and hbacrule to memberof AND indirectmemberof attributes
JR Aquino wrote:
> On May 10, 2011, at 8:14 PM, Adam Young wrote:
>> On 05/10/2011 11:07 PM, Adam Young wrote:
>>> On 05/10/2011 04:38 PM, JR Aquino wrote:
>>>> On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
>>>>> JR Aquino wrote:
>>>>>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>>>>>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights. An Administrator should have the ability to quickly identify the rights a user will have in the system.
>>>>>>>
>>>>>>> For example. With the patch added, my user show looks like this:
>>>>>>>
>>>>>>> # ipa user-show tester --all
>>>>>>>   dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>>>>>   User login: tester
>>>>>>>   First name: Tester
>>>>>>>   Last name: Engineering
>>>>>>>   Full name: Tester Engineering
>>>>>>>   Display name: Tester Engineering
>>>>>>>   Initials: TE
>>>>>>>   Home directory: /home/tester
>>>>>>>   GECOS field: Tester Engineering
>>>>>>>   Login shell: /bin/sh
>>>>>>>   Kerberos principal: tes...@example.com
>>>>>>>   UID: 1829800388
>>>>>>>   GID: 1829800388
>>>>>>>   Account disabled: False
>>>>>>>   Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>>>>>   ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>>>>>   krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>>>>>   memberofindirect_HBAC rule: development
>>>>>>>   memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>>>>>   mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>>>>>   objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
>>>>>>>
>>>>>>> freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch
>>>>>>
>>>>>> Oops, forgot to have PATCH in the subject.
>>>>>
>>>>> I think you need this as well, right?
>>>>>
>>>>> -'memberof': ['group', 'netgroup', 'role'],
>>>>> +'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
>>>>
>>>> Some scope change.
>>>>
>>>> Added memberof and memberofindirect
>>>> Added to user.py host.py group.py hostgroup.py
>>>>
>>>> When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
>>>>
>>>> xmlrpc tests check out
>>>>
>>>> Please review
>>>
>>> The reason that this shows up in the UI is that it is generating additional memberof attributes. It has nothing to do with the memberofindirect:
>>
>> You are also going to need to modify the sudo rule and HBAC rule to use the serial associator on some facets. It looks like group at least has things backwards. The group.js file I think needs a rule like this:
>>
>> association_facet({ name: 'memberof_sudorule', associator: IPA.serial_associator })
>>
>> This is because the API is for adding multiple groups to the sudo rule, but the default behaviour is for adding multiple other entities to this entity.
>
> The above comment is regarding ticket: https://fedorahosted.org/freeipa/ticket/1218 which is dependent on this patch and ticket 1170
>
> As for Patch 24 and ticket 1170, are there any other questions or does this look ready to go?

Nack, this adds some additional API that isn't in API.txt. It would be nice to add test cases for this as well, perhaps in the sudo and hbac tests (create a rule, add a user to it, make sure when showing the user you can see the rule).

rob
Re: [Freeipa-devel] [PATCH] 0014 Search Box Style
On 05/17/2011 01:22 PM, Kyle Baker wrote:
> Please review and ACK.
>
> Kyle Baker
> Visual Designer
> Desk - 978 392 3116
> IRC - kylebaker

NACK. Needs rebase.
Re: [Freeipa-devel] [PATCH] 160 Development page for DataTables.
Works well on a live server, but didn't work with my static checkout.

The keystroke filtering is very nice, and would be useful.

The number of results returned can be changed with the additional parameter.

Sorting can be done on the client side if need be. array.sort(/sortfunction/) where the sortfunction parameter would be able to compare two rows based on the specified field. I'd like to disable the sorting feature until less than 200 results are returned, so as not to give the impression that we are doing server side sorting.

On 05/20/2011 12:32 AM, Endi Sukma Dewata wrote:
> NOTE: This patch is intended for development only. It should not be committed into IPA repository.
>
> An HTML page has been created to explore DataTables integration strategy into IPA WebUI. To use the page, open dataTables.html either in static mode or with live server. Select one of the entities from the list, it will show the entries in a table. The IPA command is shown underneath the table. Below it is a list of parameters generated by DataTables that can be used to specify the search filter, pagination, and sorting on the IPA command.
>
> Current status:
> - Search filter works in live mode. Each keystroke in the search filter field will trigger an IPA command that uses the specified filter. The content of the table will be updated immediately.
> - Pagination can be configured by selecting the number of entries shown per page, but the content is unchanged because there is no server support.
> - Sorting order can be changed by clicking the column header, but the content is unchanged because there is no server support.
[Freeipa-devel] [PATCH] 161 Fixed Ajax error handling.
The IPA.command has been modified not to insert a title into the error object thrown by Ajax operation because the object could be immutable. Ticket #1240 -- Endi S. Dewata From 316c242aef50468002fce0659d2bae584ba12519 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 20 May 2011 11:27:58 -0500 Subject: [PATCH] Fixed Ajax error handling. The IPA.command has been modified not to insert a title into the error object thrown by Ajax operation because the object could be immutable. Ticket #1240 --- install/ui/associate.js |1 - install/ui/details.js |1 - install/ui/dns.js |1 - install/ui/hbac.js |1 - install/ui/ipa.js | 14 +- install/ui/search.js|1 - install/ui/webui.js |1 - install/ui/widget.js|1 - 8 files changed, 5 insertions(+), 16 deletions(-) diff --git a/install/ui/associate.js b/install/ui/associate.js index 9d04b0c85821a09de67a2a754b1c13bb823438bc..371705ece4f25be46326c5006103d2143af19f57 100644 --- a/install/ui/associate.js +++ b/install/ui/associate.js @@ -1020,7 +1020,6 @@ IPA.association_facet = function (spec) { function on_error(xhr, text_status, error_thrown) { var summary = $('span[name=summary]', that.table.tfoot).empty(); summary.append('pError: '+error_thrown.name+'/p'); -summary.append('p'+error_thrown.title+'/p'); summary.append('p'+error_thrown.message+'/p'); } diff --git a/install/ui/details.js b/install/ui/details.js index e8033b30609bc557b1f6a19b15b1986b354c4fa8..cd9c0528c68573078d9880b1259fe797b976175c 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -618,7 +618,6 @@ IPA.details_facet = function(spec) { command.on_error = function(xhr, text_status, error_thrown) { var details = $('.details', that.container).empty(); details.append('pError: '+error_thrown.name+'/p'); -details.append('p'+error_thrown.title+'/p'); details.append('p'+error_thrown.message+'/p'); }; 
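Review bot: the lines kept in these two on_error handlers (associate.js and details.js) still build the summary by concatenating error_thrown.name and error_thrown.message into the markup passed to append(), and after this patch error_thrown.message comes straight from the server response (data.error.message in the ipa.js hunk) or from xhr.statusText. Since the patch already touches every one of these handlers, it is the place to render the message as text, e.g. summary.append($('<p/>').text(error_thrown.message)), so a message containing markup is shown literally instead of being interpreted as HTML.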
diff --git a/install/ui/dns.js b/install/ui/dns.js index e62459afb227863f41c514a37be86364aeee05b3..58196cb4e52ada14bc59530db31f560181d1506d 100644 --- a/install/ui/dns.js +++ b/install/ui/dns.js @@ -475,7 +475,6 @@ IPA.records_facet = function(spec) { function on_error(xhr, text_status, error_thrown) { var summary = $('span[name=summary]', that.table.tfoot).empty(); summary.append('pError: '+error_thrown.name+'/p'); -summary.append('p'+error_thrown.title+'/p'); summary.append('p'+error_thrown.message+'/p'); } diff --git a/install/ui/hbac.js b/install/ui/hbac.js index 2b5e665455846df260b40587c458bc422282fc7d..e077dea10b970ea28b68c07cd8a4017517f11f19 100644 --- a/install/ui/hbac.js +++ b/install/ui/hbac.js @@ -998,7 +998,6 @@ IPA.hbacrule_accesstime_widget = function (spec) { function on_error(xhr, text_status, error_thrown) { var summary = $('span[name=summary]', that.table.tfoot).empty(); summary.append('pError: '+error_thrown.name+'/p'); -summary.append('p'+error_thrown.title+'/p'); summary.append('p'+error_thrown.message+'/p'); } diff --git a/install/ui/ipa.js b/install/ui/ipa.js index c21c16ec6aa21110ef15610e60bd5caa43d7ceb8..665740a7ef14f11638e9a091b6f57265d90ff9c0 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -306,7 +306,7 @@ IPA.command = function(spec) { IPA.error_dialog.dialog({ modal: true, -title: error_thrown.title, +title: error_thrown.name, width: 400, buttons: buttons, close: function() { @@ -341,10 +341,6 @@ IPA.command = function(spec) { } } -if (!error_thrown.title) { -error_thrown.title = 'AJAX Error: '+error_thrown.name; -} - if (that.retry) { dialog_open.call(this, xhr, text_status, error_thrown); @@ -358,7 +354,7 @@ IPA.command = function(spec) { if (!data) { IPA.hide_activity_icon(); var error_thrown = { -title: 'HTTP Error '+xhr.status, +name: 'HTTP Error '+xhr.status, url: this.url, message: data ? xhr.statusText : No response }; 
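Review bot: in the ipa.js hunk at @@ -358, the object built inside if (!data) keeps message: data ? xhr.statusText : "No response", which can only ever evaluate to "No response" because data is falsy on that path; the rename of title to name is right, but the ternary is dead code. Either drop it, or key the choice on xhr.status (use xhr.statusText when the status is non-zero) so that an HTTP 401 or 500 with an empty body reports its status text rather than "No response".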
@@ -367,7 +363,7 @@ IPA.command = function(spec) { } else if (data.error) { // error_handler() calls IPA.hide_activity_icon() error_handler.call(this, xhr, text_status, /* error_thrown */ { -title: 'IPA Error '+data.error.code, +name: 'IPA Error '+data.error.code, message: data.error.message }); @@ -469,7 +465,7 @@ IPA.batch_command = function (spec) {
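Review bot: the @@ -341 hunk removes the fallback that set a title when error_thrown had none, and the dialog in the @@ -306 hunk now reads error_thrown.name directly. That is fine for the objects ipa.js constructs itself (the HTTP Error and IPA Error cases in this patch), but jQuery's ajax error callback can hand over errorThrown as a plain string (the HTTP status text), which has no name property, so on that path the dialog title becomes undefined. Suggest title: error_thrown.name || 'AJAX Error', or normalising error_thrown into an object with name and message before it reaches the dialog and the on_error handlers.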
Re: [Freeipa-devel] [PATCH] 160 Development page for DataTables.
On 5/20/2011 11:10 AM, Adam Young wrote:
> Works well on a live server, but didn't work with my static checkout.

The filter wouldn't work with static checkout because it expects the server to return filtered data, but you should still be able to view the contents for different entities.

> The keystroke filtering is very nice, and would be useful.

I'm not sure this is a good thing because it will trigger many unnecessary queries. It might be better if we can use some kind of time delay (e.g. 1 second after the last keystroke).

> The number of results returned can be changed with the additional parameter.

Do you mean the sizelimit? Without the ability to specify the starting index (i.e. pagination) its usage will be rather limited.

> Sorting can be done on the client side if need be. array.sort(/sortfunction/) where the sortfunction parameter would be able to compare two rows based on the specified field. I'd like to disable the sorting feature until less than 200 results are returned, so as not to give the impression that we are doing server side sorting.

Client-side sorting will only work if the client has the entire data. If the data is only partially returned (because of pagination or truncation), the client can only sort that subset of data, not the entire database, which is probably not what people would expect.

--
Endi S. Dewata
Re: [Freeipa-devel] [PATCH] 159 Fixed problem disabling HBAC and SUDO rules.
On 05/18/2011 01:51 PM, Endi Sukma Dewata wrote:
> The method names for disabling HBAC and SUDO rules have been fixed. Ticket #1237.

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 161 Fixed Ajax error handling.
On 05/20/2011 01:12 PM, Endi Sukma Dewata wrote:
> The IPA.command has been modified not to insert a title into the error object thrown by Ajax operation because the object could be immutable. Ticket #1240

ACK. Pushed to master
Re: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
On 10.5.2011 20:06, Jan Cholasta wrote: Parse netmasks in IP addresses passed to server install. ticket 1212 Patch updated. TODO: Write unit test for ipapython.ipautil.CheckedIPAddress TODO: Clean unreachable code paths off of ipa-server-install (?) TODO: Workarounds for netaddr bugs (?) -- Jan Cholasta From 778ea5b4177bd6dc5e8866e6c84adbc104095b1a Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 20 May 2011 20:19:25 +0200 Subject: [PATCH] Parse netmasks in IP addresses passed to server install. ticket 1212 --- freeipa.spec.in |1 + install/tools/ipa-dns-install |9 +++-- install/tools/ipa-replica-install |4 ++- install/tools/ipa-replica-prepare | 11 +++--- install/tools/ipa-server-install | 36 ++--- ipapython/config.py | 13 +++- ipapython/ipautil.py | 63 + ipaserver/install/installutils.py | 39 ++ 8 files changed, 126 insertions(+), 50 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index b936616..fba2f31 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -188,6 +188,7 @@ Requires: python-kerberos = 1.1-3 %endif Requires: authconfig Requires: gnupg +Requires: iproute Requires: pyOpenSSL Requires: python-nss = 0.11 Requires: python-lxml diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index aac85bf..491585b 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install 
@@ -37,9 +37,10 @@ def parse_options(): sensitive=True, help=admin password) parser.add_option(-d, --debug, dest=debug, action=store_true, default=False, help=print debugging information) -parser.add_option(--ip-address, dest=ip_address, help=Master Server IP Address) +parser.add_option(--ip-address, dest=ip_address, + type=ipnet, help=Master Server IP Address) parser.add_option(--forwarder, dest=forwarders, action=append, - help=Add a DNS forwarder) + type=ipaddr, help=Add a DNS forwarder) parser.add_option(--no-forwarders, dest=no_forwarders, action=store_true, default=False, help=Do not add any DNS forwarders, use root servers instead) parser.add_option(--no-reverse, dest=no_reverse, @@ -130,12 +131,14 @@ def main(): if options.ip_address: ip_address = options.ip_address else: -ip_address = resolve_host(api.env.host) +hostaddr = resolve_host(api.env.host) +ip_address = hostaddr and ipautil.CheckedIPAddress(hostaddr) if not ip_address or not verify_ip_address(ip_address): if options.unattended: sys.exit(Unable to resolve IP address for host name) else: ip_address = read_ip_address(api.env.host, fstore) +ip_address = str(ip_address) logging.debug(will use ip_address: %s\n, ip_address) if options.no_forwarders: diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 49df7fe..2b7c8ca 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -63,7 +63,7 @@ def parse_options(): parser.add_option(--setup-dns, dest=setup_dns, action=store_true, default=False, help=configure bind with our zone) parser.add_option(--forwarder, dest=forwarders, action=append, - help=Add a DNS forwarder) + type=ipaddr, help=Add a DNS forwarder) parser.add_option(--no-forwarders, dest=no_forwarders, action=store_true, default=False, help=Do not add any DNS forwarders, use root servers instead) parser.add_option(--no-reverse, dest=no_reverse, action=store_true, 
@@ -285,6 +285,8 @@ def install_bind(config, options): ip_address = resolve_host(config.host_name) if not ip_address: sys.exit(Unable to resolve IP address for host name) +ip = installutils.parse_ip_address(ip_address) +ip_address = str(ip) create_reverse = True if options.unattended: diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index e912235..04a6478 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -53,7 +53,7 @@ def parse_options(): parser.add_option(-p, --password, dest=password, help=Directory Manager (existing master) password) parser.add_option(--ip-address, dest=ip_address, - help=Add A and PTR records of the future replica) + type=ipnet, help=Add A and PTR records of the future replica) parser.add_option(--ca, dest=ca_file, default=/root/cacert.p12, help=Location of CA PKCS#12 file, default /root/cacert.p12) parser.add_option(--no-pkinit, dest=setup_pkinit, action=store_false, @@ -425,10 +425,11 @@
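Review bot: in the ipa-dns-install hunk at @@ -130, ip_address = hostaddr and ipautil.CheckedIPAddress(hostaddr) is not protected against the ValueError that CheckedIPAddress raises for an address it rejects (loopback, and with patch 19 reserved, link-local, multicast, network and broadcast addresses too). A hostname that resolves, say, to 127.0.0.1 through /etc/hosts therefore ends in a traceback instead of the "Unable to resolve IP address for host name" exit or the read_ip_address prompt that the following if not ip_address branch was written for. Wrap the construction in try/except ValueError and treat the failure like an unresolvable host, with the exception text in the message so the user learns which check failed.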
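Review bot: the ipa-replica-install hunk at @@ -285 has the same gap: ip = installutils.parse_ip_address(ip_address) is placed after the sys.exit that only covers a resolution failure, so an address that resolves but is rejected by the parser propagates as an unhandled exception out of install_bind; catch ValueError there and exit with the parser's message. It would also help to name the function's contract in a docstring (what it accepts, that it raises ValueError), since three installers now call it.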
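Review bot: the option-parsing hunks switch --ip-address to type=ipnet and --forwarder to type=ipaddr in ipa-dns-install, ipa-replica-install and ipa-replica-prepare, but the help strings are unchanged ("Master Server IP Address", "Add a DNS forwarder"), so nothing tells the user that --ip-address now accepts an optional /prefix while --forwarder must be a bare address, nor that a forwarder is validated at all. Update the help text to spell out the accepted form, and the corresponding man pages, which are not in the diffstat.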
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
On 18.5.2011 10:51, Martin Kosek wrote:
> On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
>> On 16.5.2011 17:26, Martin Kosek wrote:
>>> On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
>>>> Split from patch 3, requires patch 18.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/1213
>>>>
>>>> Honza
>>>
>>> I tested all patches (3.6, 18, 19), but I think some work still needs to be done:
>>>
>>> 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it.
>>
>> Will do.
>
> Ok.
>
>>> 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another than the local address (e.g. $ADDR==123.123.123.123) the installer always fails with "the hostname resolves to an IP address that is different from the one provided on the command line". I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.
>>
>> It looks like the print statements from verify_ip_address don't actually print anything to the user. Will look into that.
>
> Ok.
>
>>> 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output.
>>
>> Works for me. Please make sure you've added your hostname to /etc/hosts.
>
> I think I had. But I will recheck when you send a fix.
>
>>> 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration.
>>
>> --ip-address is checked, but --forwarder is not. Will fix that.
>
> Ok, I will recheck both of them when you do.
>
>>> 5) I think we may want to check also for local address in
>>> # ipa host-add $HOST --ip-address=127.0.0.1
>>>
>>> 6) I couldn't add IP address with netmask in host module:
>>> # ipa host-add $HOST --ip-address=10.16.78.102/22
>>> ipa: ERROR: invalid 'ip_address': invalid IP address
>>
>> The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them.
>
> You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234

Ticket 1234, yey :-)

>>> 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules.
>>
>> _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java.
>
> Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because it's Python.
>
> Martin

Patch updated. Requires patch 18.1

Honza

--
Jan Cholasta

From 3f9fbc8dbf8d6981fb7c20a554a78f94ba12d36a Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Fri, 20 May 2011 20:21:11 +0200
Subject: [PATCH] Do stricter checking of IP addresses passed to server install.

ticket 1213
---
 ipapython/ipautil.py | 11 +++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 2ad9240..c77a93c 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -93,6 +93,12 @@ class CheckedIPAddress(netaddr.IPAddress): raise ValueError(unsupported IP version) if addr.is_loopback(): raise ValueError(cannot use loopback IP address) +if addr.is_reserved() or addr in netaddr.ip.IPV4_6TO4: +raise ValueError(cannot use IANA reserved IP address) +if addr.is_link_local(): +raise ValueError(cannot use link-local IP address) +if addr.is_multicast(): +raise ValueError(cannot use multicast IP address) if match_local: if addr.version == 4: @@ -119,6 +125,11 @@ class CheckedIPAddress(netaddr.IPAddress): elif addr.version == 6: net = netaddr.IPNetwork(str(addr) + '/64') +if addr == net.network: +raise ValueError(cannot use IP network address) +if addr.version == 4 and addr == net.broadcast: +raise ValueError(cannot use broadcast IP address) + super(CheckedIPAddress, self).__init__(addr) self.prefixlen = net.prefixlen self.interface = iface -- 1.7.4.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
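Review bot: in the @@ -93 hunk, addr.is_reserved() or addr in netaddr.ip.IPV4_6TO4 raises the single message "cannot use IANA reserved IP address" for both conditions, but netaddr's IPV4_6TO4 is the 6to4 relay anycast prefix 192.88.99.0/24, which is not one of the blocks is_reserved() covers, so the message is misleading for that case. Split it into its own check with its own message (or fold the prefix into the reserved list with a comment saying why it is there), and while touching this block add a docstring to CheckedIPAddress listing the address classes it now refuses (loopback, reserved, 6to4 relay, link-local, multicast, network, broadcast), since every one of these messages is user-facing installer output.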
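Review bot: in the @@ -119 hunk the network and broadcast checks run after net may have been filled in with a guessed prefix (the context line just above, net = netaddr.IPNetwork(str(addr) + '/64') for IPv6, and presumably the IPv4 default in the elided branch). When the prefix length is a guess rather than taken from an explicit netmask or a matched interface, addr == net.network and addr == net.broadcast can reject legitimate host addresses on a larger subnet, e.g. 10.0.1.0 or 10.0.1.255 inside 10.0.0.0/16. Apply these two checks only when the prefix is known (netmask given or interface matched), or state the assumption in the error text so the user knows to pass the netmask.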