Re: [Freeipa-devel] [PATCH] 85 Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration
On 12.9.2012 15:53, Jan Cholasta wrote:

Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3070.

If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD.

Honza

Note: This patch can only be applied on top of freeipa-jcholast-84-add-ssh-service-to-sssd-conf.patch

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1054 new default SELinux user map user
On 09/13/2012 12:28 PM, Jakub Hrozek wrote:
On Tue, Sep 11, 2012 at 11:19:59AM -0400, Rob Crittenden wrote:
Jakub Hrozek wrote:
On Mon, Sep 10, 2012 at 05:38:47PM -0400, Rob Crittenden wrote:

We've decided to change the default SELinux user map user to the OS default which is unconfined_u. It would be too drastic to go from one extreme to another.

rob

How does one set an empty default that the SSSD would treat as "don't create any login file whatsoever"?

Patch updated to support that.

rob

Ack, works as advertised.

Pushed to master, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 06:02 PM, Petr Viktorin wrote:
On 09/12/2012 04:04 PM, Martin Kosek wrote:
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
On 12.9.2012 14:09, Petr Viktorin wrote:
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:

When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:

    for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
        ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
    done
    ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
    ipa dnsrecord-find $DOMAIN   # check

- Sever communication between the hosts to disable replication:
  (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf
- Install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

Works for me, ACK.

Honza

When the server installation is complete, I was surprised to see I now have host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==
Setup complete

Next steps:
1. You must make sure these network ports are open:
   TCP Ports:
     * 80, 443: HTTP/HTTPS
     * 389, 636: LDAP/LDAPS
     * 88, 464: kerberos
     * 53: bind
   UDP Ports:
     * 88, 464: kerberos
     * 53: bind
     * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

I don't think this is expected behavior; the installer should use a CCACHE separate from the user's default.

Martin

I need to slow down. Thanks for the catch. Attaching another fix.

Yup, this fixes it. ACK.

Pushed to master, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCH] 84 Add the SSH service to SSSD config file before trying to activate it
On 09/12/2012 03:09 PM, Jan Cholasta wrote:

Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3069.

Users no longer have to configure SSH in sssd.conf manually if the file exists prior to running ipa-client-install.

Honza

ACK. Pushed to master, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCH] 85 Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration
On 09/12/2012 03:53 PM, Jan Cholasta wrote:

Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3070.

If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD.

Honza

ACK. Pushed to master, ipa-3-0.

Martin
[Freeipa-devel] [PATCH 0061] Add missing DNS view attach/detach to LDAP instance management code
Hello, Add missing DNS view attach/detach to LDAP instance management code. This fixes race condition in BIND shutdown after SIGINT: - failing assert caused by use-after-free in dns_zt_find(): (((zt) != ((void *)0)) (((const isc__magic_t *)(zt))-magic == ((('Z') 24 | ('T') 16 | ('b') 8 | ('l') Petr^2 Spacek From cc612198a0b7d662557a7c4f71732135e8f43025 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 13 Sep 2012 13:08:36 +0200 Subject: [PATCH] Add missing DNS view attach/detach to LDAP instance management code. This fixes race condition in BIND shutdown after SIGINT: - failing assert caused by use-after-free in dns_zt_find(): (((zt) != ((void *)0)) (((const isc__magic_t *)(zt))-magic == ((('Z') 24 | ('T') 16 | ('b') 8 | ('l') Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 3b49de809738fef18cae10c38fd3d9c33eef5141..658b960f50b461fa602edf51e955f3bdd4769e1d 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -333,6 +333,7 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, unsigned int i; isc_result_t result; ldap_instance_t *ldap_inst; + dns_view_t *view = NULL; ld_string_t *auth_method_str = NULL; setting_t ldap_settings[] = { { uri, no_default_string }, @@ -369,10 +370,9 @@ new_ldap_instance(isc_mem_t *mctx, const char *db_name, isc_mem_attach(mctx, ldap_inst-mctx); ldap_inst-db_name = db_name; - ldap_inst-view = dns_dyndb_get_view(dyndb_args); + view = dns_dyndb_get_view(dyndb_args); + dns_view_attach(view, ldap_inst-view); ldap_inst-zmgr = dns_dyndb_get_zonemgr(dyndb_args); - /* commented out for now, cause named to hang */ - //dns_view_attach(view, ldap_inst-view); CHECK(zr_create(mctx, ldap_inst-zone_register)); 
@@ -616,8 +616,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) str_destroy(ldap_inst-fake_mname); str_destroy(ldap_inst-ldap_hostname); - /* commented out for now, causes named to hang */ - //dns_view_detach(ldap_inst-view); + dns_view_detach(ldap_inst-view); DESTROYLOCK(ldap_inst-kinit_lock); -- 1.7.11.4
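Review bot: `dns_view_attach(view, &ldap_inst->view)` in the `@@ -369,10 +370,9 @@` hunk of new_ldap_instance REQUIREs the target pointer to be NULL, and nothing in the visible context shows `ldap_inst->view` being cleared after the instance is allocated; either set `ldap_inst->view = NULL;` explicitly before the attach or note in the commit message that the instance memory is zeroed. The `CHECK(zr_create(...))` right after the attach can fail, so the function's cleanup path now holds a view reference it must release; please confirm the error label detaches it, otherwise a failed instance creation keeps the view alive. The removed `/* commented out for now, cause named to hang */` comment documented a real problem and the commit message should say why the attach is safe now.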
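Review bot: `dns_view_detach(&ldap_inst->view)` in the `@@ -616,8 +616,7 @@` hunk REQUIREs a non-NULL view pointer, so if destroy_ldap_instance is also reached for a partially initialized instance (allocation done, attach in new_ldap_instance not yet reached) it will assert; guard it with `if (ldap_inst->view != NULL)`. The detach must also run after every zone has been unregistered from the view earlier in destroy_ldap_instance, since a zone still attached to the view would keep it referenced and the shutdown race the commit message describes would remain; a one-line comment at the detach stating that ordering requirement would help.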
[Freeipa-devel] [PATCH 0060] Fix zone delete in ldap_zone_delete2()
Hello, Fix zone delete in ldap_zone_delete2(). This fixes two race conditions during BIND reload: - failing assert in destroy_ldap_connection() DESTROYLOCK: ((pthread_mutex_destroy(ldap_conn-lock) == 0) ? 0 : 34) == 0 - use-after-free in call: ldap_cache_enabled(cache=0xdededededededede) Petr^2 Spacek From dc017b4d7250289eb5938262dbb43632126f9329 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 13 Sep 2012 13:02:19 +0200 Subject: [PATCH] Fix zone delete in ldap_zone_delete2(). This fixes two race conditions during BIND reload: - failing assert in destroy_ldap_connection() DESTROYLOCK: ((pthread_mutex_destroy(ldap_conn-lock) == 0) ? 0 : 34) == 0 - use-after-free in call: ldap_cache_enabled(cache=0xdededededededede) Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 64 +-- 1 file changed, 48 insertions(+), 16 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 67a64b79159983c83cb1bfc73c4b02a9bce986a7..3b49de809738fef18cae10c38fd3d9c33eef5141 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
@@ -517,45 +517,68 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) ldap_instance_t *ldap_inst; dns_rbtnodechain_t chain; dns_rbt_t *rbt; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; + const char *db_name; REQUIRE(ldap_instp != NULL *ldap_instp != NULL); ldap_inst = *ldap_instp; + db_name = ldap_inst-db_name; /* points to DB instance: outside ldap_inst */ /* * Unregister all zones already registered in BIND. * * NOTE: This should be probably done in zone_register.c */ - dns_rbtnodechain_init(chain, ldap_inst-mctx); rbt = zr_get_rbt(ldap_inst-zone_register); /* Potentially ISC_R_NOSPACE can occur. Destroy codepath has no way to * return errors, so kill BIND. * DNS_R_NAMETOOLONG should never happen, because all names were checked * while loading. */ - result = dns_rbtnodechain_first(chain, rbt, NULL, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN - || result == ISC_R_NOTFOUND); + dns_rbtnodechain_init(chain, ldap_inst-mctx); while (result != ISC_R_NOMORE result != ISC_R_NOTFOUND) { dns_fixedname_t name; + dns_fixedname_t origin; + dns_fixedname_t concat; dns_fixedname_init(name); - result = dns_rbtnodechain_current(chain, NULL, - dns_fixedname_name(name), - NULL); -RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_fixedname_init(origin); + dns_fixedname_init(concat); + + dns_rbtnodechain_reset(chain); + result = dns_rbtnodechain_first(chain, rbt, NULL, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN || + result == ISC_R_NOTFOUND); + + /* Search for first zone in zone register and omit auxiliary nodes. */ + while (result != ISC_R_NOMORE result != ISC_R_NOTFOUND) { + dns_rbtnode_t *node = NULL; + + result = dns_rbtnodechain_current(chain, dns_fixedname_name(name), + dns_fixedname_name(origin), node); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + + if (node-data != NULL) { /* Auxiliary nodes have data == NULL. 
*/ +result = dns_name_concatenate(dns_fixedname_name(name), + dns_fixedname_name(origin), + dns_fixedname_name(concat), + NULL); +RUNTIME_CHECK(result == ISC_R_SUCCESS); +break; + } + + result = dns_rbtnodechain_next(chain, NULL, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN || + result == ISC_R_NOMORE); + } + if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND) + break; result = ldap_delete_zone2(ldap_inst, - dns_fixedname_name(name), + dns_fixedname_name(concat), ISC_TRUE); -RUNTIME_CHECK(result == ISC_R_SUCCESS); - - result = dns_rbtnodechain_next(chain, NULL, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS || - result == DNS_R_NEWORIGIN || - result == ISC_R_NOMORE); + RUNTIME_CHECK(result == ISC_R_SUCCESS); } dns_rbtnodechain_invalidate(chain); @@ -606,6 +629,7 @@ destroy_ldap_instance(ldap_instance_t **ldap_instp) isc_mem_putanddetach(ldap_inst-mctx, ldap_inst, sizeof(ldap_instance_t)); *ldap_instp = NULL; + log_debug(1, LDAP instance '%s' destroyed, db_name); } static isc_result_t @@ -776,7 +800,10 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock) isc_boolean_t freeze = ISC_FALSE; dns_zone_t *zone = NULL; dns_zone_t *foundzone = NULL; + char zone_name_char[DNS_NAME_FORMATSIZE]; + dns_name_format(name, zone_name_char, DNS_NAME_FORMATSIZE); + log_debug(1, deleting zone '%s', zone_name_char); if (lock) { result = isc_task_beginexclusive(inst-task); RUNTIME_CHECK(result == ISC_R_SUCCESS || @@ -790,6 +817,7 @@ ldap_delete_zone2(ldap_instance_t *inst, dns_name_t *name, isc_boolean_t lock) result = zr_get_zone_ptr(inst-zone_register, name, zone);
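Review bot: in the `@@ -517,45 +517,68 @@` hunk the outer `while (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND)` now depends on `result` being initialized to `ISC_R_SUCCESS` at its declaration, and the `/* Potentially ISC_R_NOSPACE can occur ... */` comment now sits above `dns_rbtnodechain_init()` instead of the `dns_rbtnodechain_first()` call it describes, which moved inside the loop; move the comment with the call. Restarting the chain from the first node after every `ldap_delete_zone2()` is the right way to delete while iterating (the chain is invalid once the tree changes), but it makes teardown quadratic in the number of zones and nothing says so; a short comment on the `dns_rbtnodechain_reset(&chain)` line would help. The `node->data != NULL` test that skips auxiliary nodes assumes every registered zone stores non-NULL node data; that invariant belongs in a comment next to where zone_register fills `data`.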
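Review bot: `log_debug(1, "LDAP instance '%s' destroyed", db_name)` in the `@@ -606,6 +629,7 @@` hunk runs after `isc_mem_putanddetach()` has freed `ldap_inst`, and it is only safe because `db_name` was copied out at the top with the `/* points to DB instance: outside ldap_inst */` note; please state in the function's header comment that the caller's DB instance (and therefore `db_name`) must outlive this call, so a later refactor of the caller cannot turn this log line into a use-after-free.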
Re: [Freeipa-devel] [PATCH] 302 Stricter IP network validator in dnszone-add command
On 09/05/2012 01:02 PM, Jan Cholasta wrote:
On 5.9.2012 12:48, Martin Kosek wrote:
On 09/05/2012 12:36 PM, Jan Cholasta wrote:
On 5.9.2012 12:22, Petr Spacek wrote:
On 09/05/2012 11:30 AM, Jan Cholasta wrote:
On 5.9.2012 10:04, Martin Kosek wrote:

We allowed IP addresses without network specification which led to unexpected results when the zone was being created. We should rather strictly require the prefix/netmask specifying the IP network that the reverse zone should be created for. This is already done in Web UI.

A unit test exercising this new validation was added.

https://fedorahosted.org/freeipa/ticket/2461

I don't like this much. I would suggest using CheckedIPAddress and not forcing the user to enter the prefix length instead. CheckedIPAddress uses a sensible default prefix length if one is not specified (class-based for IPv4, /64 for IPv6) as opposed to IPNetwork (/32 for IPv4, /128 for IPv6 - this causes the erroneous reverse zones to be created as described in the ticket).

Hello,

I don't like automatic netmask guessing. I have met class-based guessing in Windows (XP?) and I was forced to overwrite the default mask all the time ...

If there was no guessing, you would have to write the netmask anyway, so I don't see any harm in guessing here.

IMHO there is no sensible default prefix in the real world. I'm sitting on a network with a /23 prefix right now. Also, I have never seen a 10.x network with a /8 prefix.

While this might be true for IPv4 in some cases, /64 is perfectly sensible for IPv6. Also, I have never seen a 192.168.x.x network with a non-/24 prefix.

Honza

While this may be true for 192.168.x.x, it does not apply to 10.x.x.x networks as Petr already pointed out. I don't think that there will be many people expecting that a reverse zone of 10.0.0.0/24 would be created.

And they would be correct, because the default prefix length for a class A network is /8, not /24.

And since FreeIPA is mainly deployed to internal networks, I assume this will be the case for most users.

Martin

OK, but what about IPv6? Correct me if I'm wrong, but the prefix length is going to be /64 99% of the time for IPv6. The installer uses /24 for IPv4 addresses and /64 for IPv6 addresses, maybe this should be used as a default here as well.

Honza

In the end, I chose a more liberal approach and instead of defining a stricter validator for IPv4 only I rather used the approach already implemented in the installers, i.e. the default length of the network prefix is 24 for IPv4 and 64 for IPv6.

Updated patch attached.

Martin

From 0a12edd4b3ef6763ffdb10fe996ba667b528df6d Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Wed, 5 Sep 2012 09:56:27 +0200 Subject: [PATCH] Use default reverse zone consistently When a new reverse zone is to be generated based on an IP address without a network prefix length, we need to use some default value. While netaddr library default ones (32b for IPv4 and 128b for IPv6) are not very sensible we should use the defaults already applied in installers. That is 24b for IPv6 and 64 for IPv6. https://fedorahosted.org/freeipa/ticket/2461 --- install/tools/ipa-dns-install | 2 +- install/tools/ipa-replica-install | 2 +- install/tools/ipa-server-install | 2 +- ipalib/plugins/dns.py | 11 ++- ipalib/util.py| 18 ++ ipaserver/install/bindinstance.py | 20 ++-- 6 files changed, 33 insertions(+), 22 deletions(-) diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index d4795f72e03eed1b460a3751fc5596ac6da70900..84d1bdc2eb5729896ecb62f65feb11122aacf77d 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install
@@ -213,7 +213,7 @@ def main(): else: reverse_zone = bindinstance.find_reverse_zone(ip) if reverse_zone is None and not options.no_reverse: -reverse_zone = bindinstance.get_reverse_zone_default(ip) +reverse_zone = util.get_reverse_zone_default(ip) if not options.unattended and bindinstance.create_reverse(): reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 267a70d8b60d96de9a9bde83b15c81ae59da1a96..57a8de16344821ad142a820d7c84a4b31a1fe274 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -222,7 +222,7 @@ def install_bind(config, options): else: reverse_zone = bindinstance.find_reverse_zone(config.ip) if reverse_zone is None and not options.no_reverse: -reverse_zone = bindinstance.get_reverse_zone_default(config.ip) +reverse_zone = util.get_reverse_zone_default(config.ip) if not options.unattended and bindinstance.create_reverse(): reverse_zone = bindinstance.read_reverse_zone(reverse_zone,
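Review bot: the `@@ -213,7 +213,7 @@` hunk in ipa-dns-install switches the call to `util.get_reverse_zone_default(ip)`, but the diffstat lists `install/tools/ipa-dns-install | 2 +-`, i.e. only this one line changes and no import is added; please confirm `util` is already imported in that script, otherwise the no-reverse-zone path raises NameError at runtime. Separately, the commit message reads "That is 24b for IPv6 and 64 for IPv6"; the first should say IPv4.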
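Review bot: same point for the `@@ -222,7 +222,7 @@` hunk in ipa-replica-install: `util.get_reverse_zone_default(config.ip)` is the only changed line per the diffstat (`| 2 +-`), so the script must already have `util` in scope; worth a quick check, since this code only runs when `reverse_zone is None and not options.no_reverse`, a path a basic test run may not exercise.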
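The default-prefix behaviour argued over above, as an added illustration that is not FreeIPA's own code: a bare address gets the installer defaults (/24 for IPv4, /64 for IPv6), while the netaddr-style /32 or /128 default turns into a single-host reverse zone, which is the wrong zone the ticket describes. It uses the standard-library ipaddress module instead of netaddr, the function names are this example's own, and it generalizes to any prefix length by rounding down to the enclosing octet (in-addr.arpa) or nibble (ip6.arpa) boundary.

```python
import ipaddress

# Installer defaults discussed in the thread: /24 for IPv4, /64 for IPv6.
DEFAULT_PREFIXLEN = {4: 24, 6: 64}

# Width of one reverse-DNS label: an octet under in-addr.arpa, a nibble
# under ip6.arpa.
LABEL_BITS = {4: 8, 6: 4}


def network_with_default_prefix(ip_text):
    """Parse an address or CIDR string into a network.

    An explicit prefix is honoured as given; a bare address gets the
    installer default prefix length for its family (this example's choice,
    mirroring what the thread says the installers do).
    """
    if "/" in ip_text:
        return ipaddress.ip_network(ip_text, strict=False)
    addr = ipaddress.ip_address(ip_text)
    return ipaddress.ip_network(
        "%s/%d" % (addr, DEFAULT_PREFIXLEN[addr.version]), strict=False)


def reverse_zone_default(ip_text):
    """Reverse zone name (with trailing dot) that covers the network.

    Prefix lengths that do not fall on a label boundary are rounded down,
    so /23 yields the enclosing /16 zone rather than an invalid name.
    """
    net = network_with_default_prefix(ip_text)
    # e.g. "0.2.1.10.in-addr.arpa" or the 32-nibble ip6.arpa form
    labels = net.network_address.reverse_pointer.split(".")
    suffix = labels[-2:]          # ["in-addr", "arpa"] or ["ip6", "arpa"]
    addr_labels = labels[:-2]
    keep = net.prefixlen // LABEL_BITS[net.version]
    if keep == 0:
        raise ValueError("prefix /%d too short for a reverse zone" % net.prefixlen)
    zone_labels = addr_labels[len(addr_labels) - keep:]
    return ".".join(zone_labels + suffix) + "."


if __name__ == "__main__":
    for text in ("10.1.2.3", "10.1.2.3/32", "10.1.2.3/8",
                 "192.168.1.77/23", "2001:db8:abcd:1234::5"):
        print("%-24s -> %s" % (text, reverse_zone_default(text)))
```

Running it side by side shows the difference the thread is about: `10.1.2.3` with the installer default produces `2.1.10.in-addr.arpa.`, while the same address under a /32 default produces `3.2.1.10.in-addr.arpa.`, a zone for one host.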
[Freeipa-devel] [PATCH] 309 Fix addattr internal error
When ADD command is being executed and a single-value object attribute is being set with both option and addattr IPA ends up in an internal error. Make better value sanitizing job in this case and let IPA throw a user-friendly error. Unit test exercising this situation is added. https://fedorahosted.org/freeipa/ticket/2429 From 4c040e30b4ad366648b87e6989b42731845d1b9e Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Thu, 13 Sep 2012 15:51:51 +0200 Subject: [PATCH] Fix addattr internal error When ADD command is being executed and a single-value object attribute is being set with both option and addattr IPA ends up in an internal error. Make better value sanitizing job in this case and let IPA throw a user-friendly error. Unit test exercising this situation is added. https://fedorahosted.org/freeipa/ticket/2429 --- ipalib/plugins/baseldap.py | 10 +- tests/test_xmlrpc/test_attr.py | 10 ++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 6a054ffd801b159769bc2ce2871cb03afeba5c3d..b050b626a93f4dee2e5e2d9b0f819eff9c6caaf9 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -882,7 +882,15 @@ last, after all sets and adds.), entry_attrs[attr] = val for attr in direct_add: -entry_attrs.setdefault(attr, []).extend(adddict[attr]) +try: +val = entry_attrs[attr] +except KeyError: +val = [] +else: +if not isinstance(val, (list, tuple)): +val = [val] +val.extend(adddict[attr]) +entry_attrs[attr] = val for attr in direct_del: for delval in deldict[attr]: diff --git a/tests/test_xmlrpc/test_attr.py b/tests/test_xmlrpc/test_attr.py index f5353e1b217fec96e18353923a11b509224a9083..39320875bd5edd4fd6022ed66ce1a8b87ccc8e92 100644 --- a/tests/test_xmlrpc/test_attr.py +++ b/tests/test_xmlrpc/test_attr.py 
@@ -37,6 +37,16 @@ class test_attr(Declarative): tests = [ dict( +desc='Try to add user %r with single-value attribute set via ' + 'option and --addattr' % user1, +command=( +'user_add', [user1], dict(givenname=u'Test', sn=u'User1', +addattr=u'sn=User2') +), +expected=errors.OnlyOneValueAllowed(attr='sn'), +), + +dict( desc='Create %r' % user1, command=( 'user_add', [user1], dict(givenname=u'Test', sn=u'User1', -- 1.7.11.4
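Review bot: in the `@@ -882,7 +882,15 @@` hunk of baseldap.py, a value that is already a tuple passes the `if not isinstance(val, (list, tuple))` test unchanged and then hits `val.extend(adddict[attr])`, which raises AttributeError on a tuple, the same kind of internal error this patch is meant to remove; use `val = list(val)` in the else branch so both lists and tuples become a fresh list. An option value of `None` (explicitly absent) is also wrapped as `[None]` before the extend, so `--addattr` on it yields `[None, 'value']`; treating `None` like the `KeyError` case (`val = []`) avoids passing a `None` element on to LDAP.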
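The merge the patch changes, as an added illustration that is not FreeIPA's baseldap code: the pre-patch `setdefault(...).extend(...)` fails with AttributeError when an option already stored a bare string, and the patched form normalizes the existing value to a list first. The exception class and the single-value check are stand-ins of this example's own (the real command raises `errors.OnlyOneValueAllowed` elsewhere in the pipeline); the None and tuple handling goes slightly beyond the hunk. Sample inputs are constructed.

```python
class OnlyOneValueAllowed(ValueError):
    """Stand-in for errors.OnlyOneValueAllowed(attr=...) used in the test."""

    def __init__(self, attr):
        super().__init__("%s: Only one value allowed" % attr)
        self.attr = attr


def merge_addattr_before(entry_attrs, adddict):
    """Pre-patch behaviour: breaks when an option stored a bare string."""
    for attr in adddict:
        entry_attrs.setdefault(attr, []).extend(adddict[attr])
    return entry_attrs


def merge_addattr_after(entry_attrs, adddict):
    """Patched behaviour, extended to copy tuples and to treat None as absent."""
    for attr in adddict:
        try:
            val = entry_attrs[attr]
        except KeyError:
            val = []
        else:
            if val is None:
                val = []                # explicit "no value" behaves like absent
            elif isinstance(val, (list, tuple)):
                val = list(val)         # fresh list so tuples can be extended
            else:
                val = [val]             # bare option value -> one-element list
        val.extend(adddict[attr])
        entry_attrs[attr] = val
    return entry_attrs


def check_single_value(entry_attrs, single_value_attrs):
    """Turn a multi-valued single-value attribute into a user-facing error."""
    for attr in single_value_attrs:
        val = entry_attrs.get(attr)
        if isinstance(val, (list, tuple)) and len(val) > 1:
            raise OnlyOneValueAllowed(attr)
    return entry_attrs


def reproduce_internal_error():
    """Name of the exception the old merge raised for the test case, or None."""
    try:
        merge_addattr_before({"givenname": "Test", "sn": "User1"}, {"sn": ["User2"]})
    except AttributeError as exc:
        return type(exc).__name__
    return None


def try_add_user(option_attrs, addattr, single_value_attrs=("sn",)):
    """Return (merged_attrs, None) or (None, offending_attr)."""
    try:
        merged = check_single_value(
            merge_addattr_after(dict(option_attrs), addattr), single_value_attrs)
    except OnlyOneValueAllowed as exc:
        return None, exc.attr
    return merged, None


if __name__ == "__main__":
    print("old code raised:", reproduce_internal_error())
    print(try_add_user({"givenname": "Test", "sn": "User1"}, {"sn": ["User2"]}))
    print(try_add_user({"givenname": "Test", "sn": "User1"}, {"mail": ["t@example.test"]}))
```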
Re: [Freeipa-devel] [PATCH] 213 JSON serialization of long type
On 09/11/2012 05:11 PM, Petr Vobornik wrote:

Numbers of long type were incorrectly serialized to JSON as empty strings when using the json_serialize function. It caused a problem in serialization of metadata for Web UI.

This patch is fixing it.

Discovered after "Cast DNS SOA serial maximum boundary to long"

ACK. Pushed to master, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
Martin Kosek wrote:

To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended.

-

Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked object is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data.

Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links.

As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup

Referential Integrity plugin was updated to check all these attributes.

Note: this update will only fix RI on one master as RI plugin does not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866

These patches look good but I'd like to see some tests associated with the referential integrity changes in patch 308. I'm not sure we need a test for every single combination where RI comes into play but at least testing that the original sequence (sudorule/sudocmd) works as expected.

rob
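Since the note above says the RI plugin only repairs links on the master that processed the operation, an after-the-fact audit for dangling links is the complementary check. This is an added example, not FreeIPA code: it walks a directory snapshot held as a dict and reports values in the attributes listed above that point at DNs no longer present. The entries are constructed sample data, and DN normalization is the simple lowercase-and-trim form (it assumes no escaped commas in the sample DNs).

```python
# Attributes the patch puts under referential-integrity checking (lowercased
# because LDAP attribute names are case-insensitive).
RI_ATTRS = frozenset((
    "manager", "secretary", "memberhost", "memberuser", "sourcehost",
    "memberservice", "managedby", "memberallowcmd", "memberdenycmd",
    "ipasudorunas", "ipasudorunasgroup",
))


def normalize_dn(dn):
    """Case-fold and trim each RDN so 'uid=Bob, cn=users' matches 'uid=bob,cn=users'.

    Assumes no escaped commas inside values (true for the constructed sample).
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_dangling_links(entries, ri_attrs=RI_ATTRS):
    """entries: {dn: {attribute: [values]}}.

    Returns a list of (entry_dn, attribute, target_dn) for every RI-checked
    value whose target DN does not exist in the snapshot.
    """
    present = {normalize_dn(dn) for dn in entries}
    dangling = []
    for dn, attrs in entries.items():
        for attr, values in attrs.items():
            if attr.lower() not in ri_attrs:
                continue
            for target in values:
                if normalize_dn(target) not in present:
                    dangling.append((dn, attr, target))
    return dangling


# Constructed snapshot: a sudo rule still references a sudo command
# (ipaUniqueID=2222...) that was deleted; the manager link differs only in
# case and must not be reported.
SAMPLE_ENTRIES = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": {
        "manager": ["uid=Bob,cn=users,cn=accounts,dc=example,dc=test"],
    },
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test": {},
    "ipaUniqueID=1111,cn=sudorules,cn=sudo,dc=example,dc=test": {
        "cn": ["admins-sudo"],
        "memberUser": ["uid=alice,cn=users,cn=accounts,dc=example,dc=test"],
        "memberAllowCmd": ["ipaUniqueID=2222,cn=sudocmds,cn=sudo,dc=example,dc=test"],
    },
}


if __name__ == "__main__":
    for entry_dn, attr, target in find_dangling_links(SAMPLE_ENTRIES):
        print("dangling %s in %s -> %s" % (attr, entry_dn, target))
```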
[Freeipa-devel] [PATCH] 1056 sudorule cn uniqueness
A sudorule dn uses ipaUniqueId as the cn so we have to do a search to ensure uniqueness. This leaves us vulnerable to a race. Configure the uniqueness plugin to ensure no dups. rob From 7f9250d6efe73a56f364173ce730bcddb112aac2 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 13 Sep 2012 15:11:57 -0400 Subject: [PATCH] Add uniqueness plugin configuration for sudorule cn We do a search looking for duplicate values but this leaves open the possibility that two adds are happening at the same time so both searches return NotFound therefore we get two entries with the same cn value. https://fedorahosted.org/freeipa/ticket/3017 --- install/share/unique-attributes.ldif | 17 + install/updates/10-uniqueness.update | 17 + install/updates/Makefile.am | 1 + 3 files changed, 35 insertions(+) create mode 100644 install/updates/10-uniqueness.update diff --git a/install/share/unique-attributes.ldif b/install/share/unique-attributes.ldif index 4537e7468ad69891565ccd51f7b67e9db8889857..4549ad4d62fff66c58ab2f6d263002b3e7c02675 100644 --- a/install/share/unique-attributes.ldif +++ b/install/share/unique-attributes.ldif @@ -70,6 +70,23 @@ nsslapd-pluginVersion: 1.1.0 nsslapd-pluginVendor: Fedora Project nsslapd-pluginDescription: Enforce unique attribute values +dn: cn=sudorule name uniqueness,cn=plugins,cn=config +changetype: add +objectClass: top +objectClass: nsSlapdPlugin +objectClass: extensibleObject +cn: sudorule name uniqueness +nsslapd-pluginPath: libattr-unique-plugin +nsslapd-pluginInitfunc: NSUniqueAttr_Init +nsslapd-pluginType: preoperation +nsslapd-pluginEnabled: on +nsslapd-pluginarg0: cn +nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX +nsslapd-plugin-depends-on-type: database +nsslapd-pluginId: NSUniqueAttr +nsslapd-pluginVersion: 1.1.0 +nsslapd-pluginVendor: Fedora Project + #dn: cn=uid uniqueness,cn=plugins,cn=config #objectClass: top #objectClass: nsSlapdPlugin 
diff --git a/install/updates/10-uniqueness.update b/install/updates/10-uniqueness.update new file mode 100644 index ..33bd2fc09e12f52200de83b245b89e26ebf8af8e --- /dev/null +++ b/install/updates/10-uniqueness.update @@ -0,0 +1,17 @@ +dn: cn=sudorule name uniqueness,cn=plugins,cn=config +default:objectClass: top +default:objectClass: nsSlapdPlugin +default:objectClass: extensibleObject +default:cn: sudorule name uniqueness +default:nsslapd-pluginDescription: Enforce unique attribute values +default:nsslapd-pluginPath: libattr-unique-plugin +default:nsslapd-pluginInitfunc: NSUniqueAttr_Init +default:nsslapd-pluginType: preoperation +default:nsslapd-pluginEnabled: on +default:nsslapd-pluginarg0: cn +default:nsslapd-pluginarg1: cn=sudorules,cn=sudo,$SUFFIX +default:nsslapd-plugin-depends-on-type: database +default:nsslapd-pluginId: NSUniqueAttr +default:nsslapd-pluginVersion: 1.1.0 +default:nsslapd-pluginVendor: Fedora Project + diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 9e068966530d897fe18802c9dfa13406aeb3b010..54e57ef3e441e5f2f4ce0a6af97d6856506df8f8 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -11,6 +11,7 @@ app_DATA =\ 10-sudo.update \ 10-ssh.update \ 10-bind-schema.update \ + 10-uniqueness.update \ 19-managed-entries.update \ 20-aci.update \ 20-dna.update \ -- 1.7.11.4
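Review bot: the new `cn=sudorule name uniqueness` entry in the `@@ -70,6 +70,23 @@` hunk of unique-attributes.ldif has no `nsslapd-pluginDescription`, while the preceding entry in the same file (visible context `nsslapd-pluginDescription: Enforce unique attribute values`) and the 10-uniqueness.update file both carry it; add the line so fresh installs and upgraded servers end up with the same plugin entry.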
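Review bot: the `@@ -0,0 +1,17 @@` hunk of 10-uniqueness.update uses the `default:` prefix throughout, so it creates the entry on upgrade but never changes an existing one, which is the right choice for a plugin entry; the commit message should also say that a preoperation uniqueness plugin closes the search-then-add race on a single server only, since two simultaneous adds on different replicas are each accepted locally and are only seen as a conflict when replication brings them together.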
Re: [Freeipa-devel] [PATCH] 0079 Update the pot file (translation source)
Petr Viktorin wrote:

Transifex is watching our repository, so pushing this patch will update the translations on the site.

ACK, pushed to master and ipa-3-0

rob
Re: [Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install
Petr Viktorin wrote:
On 09/11/2012 11:05 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/04/2012 07:44 PM, Rob Crittenden wrote:
Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/2845

Shouldn't this also call verify_fqdn() on the local hostname and not just the master? I think this would eventually fail in the conncheck but what if that was skipped?

rob

A few lines above there is a call to get_host_name, which will call verify_fqdn.

I double-checked this, it fails in conncheck. Here are my steps:

# ipa-server-install --setup-dns
# ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
# ipa host-del replica.example.com

On replica, set DNS to IPA master, with hostname in /etc/hosts.

# ipa-replica-install ...

The verify_fqdn() passes because the resolver uses /etc/hosts.

The conncheck fails:

Execute check on remote master
Check connection from master to remote replica 'replica.example.com':
Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unable to resolve host name 'replica.example.com'
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

The DNS test happens much further after this, and I get why, I just don't see how useful it is unless the --skip-conncheck is used.

For the record, it's because we need to check if the host has DNS installed. We need an LDAP connection to check this.

ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg --skip-conncheck
Directory Manager (existing master) password:
ipa         : ERROR    Could not resolve hostname replica.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]:

So I guess, what are the intentions here? It is certainly better than before.

rob

If the replica is in the master's /etc/hosts, but not in DNS, the conncheck will succeed. This check explicitly queries IPA records only and ignores /etc/hosts so it'll notice this case and warn.

Ok, like I said, this is better than we have. Just one nit then you get an ack:

+# If remote host has DNS, check forward/reverse resolution
+try:
+entry = conn.find_entries(u'cn=dns', base_dn=DN(api.env.basedn))
+except errors.NotFound:

u'cn=dns' should be str(constants.container_dns).

rob