Re: [Freeipa-devel] [PATCH] 1101 set httpd ccache
On 05/07/2013 08:04 PM, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-05-07 at 18:34 +0200, Martin Kosek wrote: On 05/07/2013 04:41 PM, Rob Crittenden wrote: See the commit message for all the gory details but the bottom line is that mod_auth_kerb doesn't work with DIR ccache which is the default in the latest krb5 builds. rob Looks OK (just reading it). This fixes just new server install. What about upgrades? Won't updated FreeIPA servers' mod_auth_kerb crash too? Indeed we need to fix on upgrade too. Yes, it was an oversight when I did the commit. Updated patch to include the one-liner upgrade call. rob ACK, works like a charm. Pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0147] Improve error logging for zones with idnsAllowDynUpdate == FALSE.
On 04/16/2013 12:44 PM, Petr Spacek wrote: Hello, Improve error logging for zones with idnsAllowDynUpdate == FALSE. Zones with dynamic updates disabled are re-configured with empty update policy string, so the update is refused by BIND and an error is logged. ACK. The patch looks reasonable. (I didn't do functional test) Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0148] Explicitly return SERVFAIL if PTR synchronization is misconfigured.
On 04/16/2013 12:45 PM, Petr Spacek wrote:
Hello,
Explicitly return SERVFAIL if PTR synchronization is misconfigured.
SERVFAIL will be returned if PTR synchronization is enabled
in forward zone but reverse zone has dynamic updates disabled.
What the patch does little bit differs from what the commit
message says. Explanation follows:
Snip from ldap_helper.c (starting line 2959):
/* Get attribute idnsAllowDynUpdate for reverse zone or use default. */
dns_name_free(zone_name, mctx);
dns_name_init(zone_name, NULL);
CHECK(dn_to_dnsname(mctx, owner_zone_dn_ptr, zone_name, NULL));
zone_settings = NULL;
result = zr_get_zone_settings(ldap_inst-zone_register, zone_name,
zone_settings);
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOTFOUND)
log_debug(3, active zone '%s' not found, zone_dn);
goto cleanup;
^
You replaced this goto with CLEANUP_WITH(DNS_R_SERVFAIL) but
the check if dynamic updates in reverse zone are enabled
is done in the following IF statement
}
CHECK(setting_get_bool(dyn_update, zone_settings, zone_dyn_update));
if (!zone_dyn_update) {
log_debug(3, dynamic update is not allowed in zone
'%s', zone_dn);
CLEANUP_WITH(ISC_R_NOPERM);
}
The patch modifies the plugin to explicitly return SERVFAIL if there was
some error while getting settings of PTR zone (the zone does not exist,
etc).
Maybe it would be good to explicitly return SERVFAIL also if dynamic
updates in PTR zone are disabled and modify the commit message to
better express what this patch does.
Regards,
Tomas Hozza
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0027 Prompt for nameserver IP address in dnszone-add
Hello,
On 7.5.2013 19:50, Ana Krivokapic wrote:
Prompt for nameserver IP address in dnszone-add
https://fedorahosted.org/freeipa/ticket/3603
[...]
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index
3ad03402d5a3b66b0f64545ff8812e9201258d6e..0ee24b1bba6b499336b61d48ad5786df2ca05826
100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1781,6 +1781,8 @@ class dnszone_add(LDAPCreate):
),
Str('ip_address?', _validate_ipaddr,
doc=_('Add forward record for nameserver located in the created
zone'),
+label=_('Nameserver IP address'),
+alwaysask=True,
),
)
If I understood correctly, IPA CLI will ask for IP address always - right? The
problem is that IP address is explicitly required only if the name of the name
server belongs to the new zone.
There are three different cases:
new zone = example.com.
a) NS = ns.example.com. (i.e. absolute name)
= IP address is required because NS is defined inside the new zone
b) NS = ns (i.e. relative name)
= IP address is required because NS is defined inside the new zone
c) NS = ns.example.net.
= IP address is not required because NS is defined outside the new zone
I didn't do functional test, so I'm sorry if I missed the some important piece
of the patch :-)
--
Petr Spacek
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0027 Prompt for nameserver IP address in dnszone-add
On 05/09/2013 12:35 PM, Petr Spacek wrote:
Hello,
On 7.5.2013 19:50, Ana Krivokapic wrote:
Prompt for nameserver IP address in dnszone-add
https://fedorahosted.org/freeipa/ticket/3603
[...]
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index
3ad03402d5a3b66b0f64545ff8812e9201258d6e..0ee24b1bba6b499336b61d48ad5786df2ca05826
100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1781,6 +1781,8 @@ class dnszone_add(LDAPCreate):
),
Str('ip_address?', _validate_ipaddr,
doc=_('Add forward record for nameserver located in the
created zone'),
+label=_('Nameserver IP address'),
+alwaysask=True,
),
)
If I understood correctly, IPA CLI will ask for IP address always -
right? The problem is that IP address is explicitly required only if
the name of the name server belongs to the new zone.
Yes, it will always ask for the IP address, but it is not a required
option - you can leave it blank and press [enter]. The same applies for
web UI, you can just leave it blank.
There are three different cases:
new zone = example.com.
a) NS = ns.example.com. (i.e. absolute name)
= IP address is required because NS is defined inside the new zone
b) NS = ns (i.e. relative name)
= IP address is required because NS is defined inside the new zone
c) NS = ns.example.net.
= IP address is not required because NS is defined outside the new zone
I didn't do functional test, so I'm sorry if I missed the some
important piece of the patch :-)
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0027 Prompt for nameserver IP address in dnszone-add
On 9.5.2013 12:44, Ana Krivokapic wrote:
On 05/09/2013 12:35 PM, Petr Spacek wrote:
Hello,
On 7.5.2013 19:50, Ana Krivokapic wrote:
Prompt for nameserver IP address in dnszone-add
https://fedorahosted.org/freeipa/ticket/3603
[...]
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index
3ad03402d5a3b66b0f64545ff8812e9201258d6e..0ee24b1bba6b499336b61d48ad5786df2ca05826
100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1781,6 +1781,8 @@ class dnszone_add(LDAPCreate):
),
Str('ip_address?', _validate_ipaddr,
doc=_('Add forward record for nameserver located in the
created zone'),
+label=_('Nameserver IP address'),
+alwaysask=True,
),
)
If I understood correctly, IPA CLI will ask for IP address always -
right? The problem is that IP address is explicitly required only if
the name of the name server belongs to the new zone.
Yes, it will always ask for the IP address, but it is not a required
option - you can leave it blank and press [enter]. The same applies for
web UI, you can just leave it blank.
Unfortunately, the IP address is required for cases a) and b) and can't be
specified in case c).
There are three different cases:
new zone = example.com.
a) NS = ns.example.com. (i.e. absolute name)
= IP address is required because NS is defined inside the new zone
b) NS = ns (i.e. relative name)
= IP address is required because NS is defined inside the new zone
c) NS = ns.example.net.
= IP address is not required because NS is defined outside the new zone
I didn't do functional test, so I'm sorry if I missed the some
important piece of the patch :-)
--
Petr^2 Spacek
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0027 Prompt for nameserver IP address in dnszone-add
On 05/07/2013 07:50 PM, Ana Krivokapic wrote: Prompt for nameserver IP address in dnszone-add https://fedorahosted.org/freeipa/ticket/3603 See Petr Špaček's mail for normal zones. Also when adding a reverse zone we should not ask: $ ipa dnszone-add --name-from-ip=80.142.15.0/24 --name-server=`hostname`. Zone name [15.142.80.in-addr.arpa.]: Administrator e-mail address [hostmaster.15.142.80.in-addr.arpa.]: [Nameserver IP address]: 1.2.3.4 ipa: ERROR: invalid 'ip_address': Nameserver DNS record is created for for forward zones only The Web UI also asks for the NS IP address for reverse zones and fails when it's given. (Also, looking at the output above, asking for the zone name isn't useful for reverse zones, but I guess that's a different usability issue.) I think the easiest way to selectively ask in CLI is a custom interactive_prompt_callback (or we could have a separate dnszone-add-reverse command). As for the UI I don't know. The question is, do we want to go that far for this bug? -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0149] Clean up PTR record synchronization code and make it more robust
On 04/18/2013 11:04 AM, Petr Spacek wrote: Hello, Clean up PTR record synchronization code and make it more robust. PTR record synchronization was split to smaller functions. Input validation, error handling and logging was improved significantly. ACK. The patch looks OK! Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0142] Improve LDAP error logging
On 7.5.2013 09:36, Tomas Hozza wrote:
On 04/09/2013 03:27 PM, Petr Spacek wrote:
Hello,
Improve LDAP error logging.
Diagnostic error message is logged when it is available.
Plugin with this patch produces messages like:
LDAP error: Server is unwilling to perform: Minimum SSF not met.: bind
to LDAP server failed
intead of
bind to LDAP server failed: Server is unwilling to perform
Second example is:
LDAP error: Object class violation: attribute mgrecord not allowed
: while modifying(add) entry 'idnsName=pspacek,
idnsname=example.com,cn=dns,dc=e,dc=test'
instead of
:-D
snip
diff --git a/src/log.h b/src/log.h
snip
+#define LOG_LDAP_ERR_PREFIX LDAP error:
+#define log_ldap_error(ld, desc, ...)
\
+ do {
\
+ int err;
\
+ char *errmsg = NULL;
\
+ char *diagmsg = NULL;
\
+ if (ldap_get_option(ld, LDAP_OPT_RESULT_CODE, err)
\
+ == LDAP_OPT_SUCCESS) {
\
+ errmsg = ldap_err2string(err);
\
Getting error msg for the first time here.
+ if (ldap_get_option(ld,
LDAP_OPT_DIAGNOSTIC_MESSAGE, diagmsg) \
+ == LDAP_OPT_SUCCESS diagmsg != NULL)
{ \
+ errmsg = ldap_err2string(err);
\
Again getting error msg with the same err. Maybe a copy-paste error?
+ log_error(LOG_LDAP_ERR_PREFIX %s:
%s: desc,\
+ errmsg, diagmsg,
##__VA_ARGS__);\
+ ldap_memfree(diagmsg);
\
+ } else
\
Revised version of the patch is attached. Thank you for catching it.
--
Petr Spacek
From 0e4785ed024f67a220c13242a5b071509d25a960 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 9 Apr 2013 15:19:36 +0200
Subject: [PATCH] Improve LDAP error logging.
Diagnostic error message is logged when it is available.
Signed-off-by: Petr Spacek pspa...@redhat.com
---
src/ldap_entry.c | 2 +-
src/ldap_helper.c | 11 +--
src/log.h | 32 +++-
3 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/src/ldap_entry.c b/src/ldap_entry.c
index 3e82b39d31c7ed13255de61d0763800b4d01efef..2a2c7b5291d446c248389ca37b4b51405b213aad 100644
--- a/src/ldap_entry.c
+++ b/src/ldap_entry.c
@@ -217,7 +217,7 @@ ldap_entry_create(isc_mem_t *mctx, LDAP *ld, LDAPMessage *ldap_entry,
entry-dn = ldap_get_dn(ld, ldap_entry);
if (entry-dn == NULL) {
- log_ldap_error(ld);
+ log_ldap_error(ld, unable to get entry DN);
CLEANUP_WITH(ISC_R_FAILURE);
}
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 385bc4710e9c431904ab99b2405b34c69ea8775d..e86060b0ca4ee2b5646324ae82770947c150b5ae 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2412,8 +2412,7 @@ force_reconnect:
}
if (ret != LDAP_SUCCESS) {
- log_error(bind to LDAP server failed: %s,
- ldap_err2string(ret));
+ log_ldap_error(ldap_conn-handle, bind to LDAP server failed);
/*
* Clean the connection handle.
@@ -2475,12 +2474,13 @@ handle_connection_error(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn
break;
case LDAP_INVALID_DN_SYNTAX:
case LDAP_INVALID_SYNTAX:
- log_bug(Invalid syntax in handle_connection_error indicates a bug);
+ log_ldap_error(ldap_conn-handle, invalid syntax in
+ handle_connection_error indicates a bug);
result = ISC_R_UNEXPECTEDTOKEN;
break;
default:
/* Try to reconnect on other errors. */
- log_error(LDAP error: %s, ldap_err2string(err_code));
+ log_ldap_error(ldap_conn-handle, connection error);
reconnect:
if (ldap_conn-tries == 0)
log_error(connection to the LDAP server was lost);
@@ -2579,8 +2579,7 @@ ldap_modify_do(ldap_instance_t *ldap_inst, const char *dn, LDAPMod **mods,
operation_str = adding;
}
- log_debug(2, error(%s) %s entry %s, ldap_err2string(err_code),
- operation_str, dn);
+ log_ldap_error(ldap_conn-handle, while %s entry '%s', operation_str, dn);
/* do not error out if we are trying to delete an
* unexisting attribute */
diff --git a/src/log.h b/src/log.h
index 312f24322fd0c6f9943c6beb810ac0bcd8f3896c..3325455fcbf4253b0250749561667468c76fabe4 100644
--- a/src/log.h
+++ b/src/log.h
@@ -55,15 +55,29 @@
Re: [Freeipa-devel] [PATCH 0150] Do not delete whole node during PTR record synchronization.
On 04/18/2013 04:58 PM, Petr Spacek wrote: Hello, Do not delete whole node during PTR record synchronization. https://fedorahosted.org/bind-dyndb-ldap/ticket/115 ACK. The patch looks good. Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
This should get to 3.2 GA.
--
ipa-dns-install crashed when it was run on a CA-less server.
https://fedorahosted.org/freeipa/ticket/3617
From 6d06a7e562694efeea55bbc937a71e058dacd7d1 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 9 May 2013 14:04:13 +0200
Subject: [PATCH] Do not add ipa-ca records on CA-less installs
ipa-dns-install crashed when it was run on a CA-less server.
https://fedorahosted.org/freeipa/ticket/3617
---
ipaserver/install/bindinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 6694f010987f0fbf05b93774722117b64b1ef393..5a2450e615cb7d0236721f533c22aeb64b94fe9b 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -733,7 +733,7 @@ def __add_ipa_ca_record(self):
self.__add_ipa_ca_records(self.fqdn, [self.ip_address],
self.ca_configured)
-if self.first_instance:
+if self.first_instance and self.ca_configured:
ldap = api.Backend.ldap2
entries = ldap.get_entries(
DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
--
1.8.1.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0027 Prompt for nameserver IP address in dnszone-add
On 05/09/2013 12:45 PM, Petr Viktorin wrote: On 05/07/2013 07:50 PM, Ana Krivokapic wrote: Prompt for nameserver IP address in dnszone-add https://fedorahosted.org/freeipa/ticket/3603 See Petr Špaček's mail for normal zones. Also when adding a reverse zone we should not ask: $ ipa dnszone-add --name-from-ip=80.142.15.0/24 --name-server=`hostname`. Zone name [15.142.80.in-addr.arpa.]: Administrator e-mail address [hostmaster.15.142.80.in-addr.arpa.]: [Nameserver IP address]: 1.2.3.4 ipa: ERROR: invalid 'ip_address': Nameserver DNS record is created for for forward zones only The Web UI also asks for the NS IP address for reverse zones and fails when it's given. (Also, looking at the output above, asking for the zone name isn't useful for reverse zones, but I guess that's a different usability issue.) I think the easiest way to selectively ask in CLI is a custom interactive_prompt_callback (or we could have a separate dnszone-add-reverse command). As for the UI I don't know. The question is, do we want to go that far for this bug? I do not like the alwaysask approach. I think it rather complicates things. I think we will indeed need to do the interactive_prompt_callback and in case when we detect the following cases (as per Petr Spacek's mail): new zone = example.com. a) NS = ns.example.com. (i.e. absolute name) = IP address is required because NS is defined inside the new zone b) NS = ns (i.e. relative name) = IP address is required because NS is defined inside the new zone we need to ask for IP address. As in this case, this is really not an option, but a required parameter. If possible, the same logic would be great to have for the UI. When deciding the question above, you can take advantage of get_name_in_zone function which will also work with cases like ipa dnszone-add example.com --name-server=@ --ip-address 10.16.78.47 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0151] Disallow all zone transfers/queries if transfer/query policy configuration failed
On 04/19/2013 12:44 PM, Petr Spacek wrote: Hello, Disallow all zone transfers/queries if transfer/query policy configuration failed. Without this patch the old policy stays in effect if re-configuration with the new policy failed. https://fedorahosted.org/bind-dyndb-ldap/ticket/116 ACK. Patch looks OK! Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 05/09/2013 02:06 PM, Martin Kosek wrote: This should get to 3.2 GA. -- ipa-dns-install crashed when it was run on a CA-less server. https://fedorahosted.org/freeipa/ticket/3617 This solves the issue, ACK -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0148] Explicitly return SERVFAIL if PTR synchronization is misconfigured.
On 9.5.2013 10:59, Tomas Hozza wrote:
On 04/16/2013 12:45 PM, Petr Spacek wrote:
Hello,
Explicitly return SERVFAIL if PTR synchronization is misconfigured.
SERVFAIL will be returned if PTR synchronization is enabled
in forward zone but reverse zone has dynamic updates disabled.
What the patch does little bit differs from what the commit
message says. Explanation follows:
Snip from ldap_helper.c (starting line 2959):
/* Get attribute idnsAllowDynUpdate for reverse zone or use default. */
dns_name_free(zone_name, mctx);
dns_name_init(zone_name, NULL);
CHECK(dn_to_dnsname(mctx, owner_zone_dn_ptr, zone_name, NULL));
zone_settings = NULL;
result = zr_get_zone_settings(ldap_inst-zone_register, zone_name,
zone_settings);
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOTFOUND)
log_debug(3, active zone '%s' not found, zone_dn);
goto cleanup;
^
You replaced this goto with CLEANUP_WITH(DNS_R_SERVFAIL) but
the check if dynamic updates in reverse zone are enabled
is done in the following IF statement
}
CHECK(setting_get_bool(dyn_update, zone_settings, zone_dyn_update));
if (!zone_dyn_update) {
log_debug(3, dynamic update is not allowed in zone
'%s', zone_dn);
CLEANUP_WITH(ISC_R_NOPERM);
}
The patch modifies the plugin to explicitly return SERVFAIL if there was
some error while getting settings of PTR zone (the zone does not exist,
etc).
Maybe it would be good to explicitly return SERVFAIL also if dynamic
updates in PTR zone are disabled and modify the commit message to
better express what this patch does.
You are right. Revised patch is attached.
--
Petr^2 Spacek
From c7f6f7283ea289c74b69c25da1bcff8e3ad61ef2 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 16 Apr 2013 16:10:09 +0200
Subject: [PATCH] Clean up PTR record synchronization code and make it more
robust.
PTR record synchronization was split to smaller functions.
Input validation, error handling and logging was improved
significantly.
Signed-off-by: Petr Spacek pspa...@redhat.com
---
src/ldap_helper.c | 507 --
1 file changed, 342 insertions(+), 165 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index af630e53dde36c3eec4d1a286cb096bcd8f3b0ca..52d706a8ee36aabb1b05bb83bdc42d85225d7104 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2830,35 +2830,360 @@ cleanup:
#undef SET_LDAP_MOD
}
+
+#define SYNCPTR_PREFPTR record synchronization
+#define SYNCPTR_FMTPRE SYNCPTR_PREF (%s) for A/ '%s'
+#define SYNCPTR_FMTPOST ldap_modop_str(mod_op), a_name_str
+
+static const char *
+ldap_modop_str(unsigned int mod_op) {
+ static const char add[] = addition;
+ static const char del[] = deletion;
+
+ switch (mod_op) {
+ case LDAP_MOD_ADD:
+ return add;
+
+ case LDAP_MOD_DELETE:
+ return del;
+
+ default:
+ INSIST(unsupported LDAP mod_op == NULL);
+ return NULL;
+ }
+}
+
+static void
+append_trailing_dot(char *str, unsigned int size) {
+ unsigned int length = strlen(str);
+ if (str[length] != '.') {
+ REQUIRE(length + 1 size);
+ str[length] = '.';
+ str[length+1] = '\0';
+ }
+}
+
+static isc_result_t
+ldap_find_ptr(ldap_instance_t *ldap_inst, const char *ip_str,
+ dns_name_t *ptr_name, ld_string_t *ptr_dn,
+ dns_name_t *zone_name) {
+ isc_result_t result;
+ isc_mem_t *mctx = ldap_inst-mctx;
+
+ in_addr_t ip;
+
+ /* Get string with IP address from change request
+ * and convert it to in_addr structure. */
+ if ((ip = inet_addr(ip_str)) == 0) {
+ log_bug(SYNCPTR_PREF could not convert IP address
+ from string '%s', ip_str);
+ CLEANUP_WITH(ISC_R_UNEXPECTED);
+ }
+
+ /* Use internal net address representation. */
+ isc_netaddr_t isc_ip;
+ /* Only copy data to isc_ip stucture. */
+ isc_netaddr_fromin(isc_ip,(struct in_addr *) ip);
+
+ /*
+ * Convert IP address to PTR record.
+ *
+ * @example
+ * 192.168.0.1 - 1.0.168.192.in-addr.arpa
+ *
+ * @todo Check if it works for IPv6 correctly.
+ */
+ CHECK(dns_byaddr_createptrname2(isc_ip, 0, ptr_name));
+
+ /* Get LDAP entry indentifier. */
+ CHECK(dnsname_to_dn(ldap_inst-zone_register, ptr_name, ptr_dn));
+
+ /*
+ * @example
+ * owner_dn_ptr = idnsName=100.0.168, idnsname=192.in-addr.arpa,cn=dns,$SUFFIX
+ * owner_zone_dn_ptr = idnsname=192.in-addr.arpa,cn=dns,$SUFFIX
+ */
+ char *owner_zone_dn_ptr = strstr(str_buf(ptr_dn),, ) + 1;
+
+ /* Get attribute idnsAllowDynUpdate for reverse zone or use default. */
+ CHECK(dn_to_dnsname(mctx, owner_zone_dn_ptr, zone_name, NULL));
+
+cleanup:
+ return result;
+}
+
+/**
+ * Check if PTR record's value in LDAP == name of the modified A/ record.
+ * Update will be refused if the PTR name contains multiple PTR records or
+ * if the value in LDAP != expected name.
+ *
+ * @param[in] a_name Name of modified A/ record.
+ * @param[in] a_name_str Name of modified A/
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 05/09/2013 02:39 PM, Petr Viktorin wrote: On 05/09/2013 02:06 PM, Martin Kosek wrote: This should get to 3.2 GA. -- ipa-dns-install crashed when it was run on a CA-less server. https://fedorahosted.org/freeipa/ticket/3617 This solves the issue, ACK Thanks. Pushed to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0148] Explicitly return SERVFAIL if PTR synchronization is misconfigured.
On 9.5.2013 14:53, Petr Spacek wrote:
On 9.5.2013 10:59, Tomas Hozza wrote:
On 04/16/2013 12:45 PM, Petr Spacek wrote:
Hello,
Explicitly return SERVFAIL if PTR synchronization is misconfigured.
SERVFAIL will be returned if PTR synchronization is enabled
in forward zone but reverse zone has dynamic updates disabled.
What the patch does little bit differs from what the commit
message says. Explanation follows:
Snip from ldap_helper.c (starting line 2959):
/* Get attribute idnsAllowDynUpdate for reverse zone or use default. */
dns_name_free(zone_name, mctx);
dns_name_init(zone_name, NULL);
CHECK(dn_to_dnsname(mctx, owner_zone_dn_ptr, zone_name, NULL));
zone_settings = NULL;
result = zr_get_zone_settings(ldap_inst-zone_register, zone_name,
zone_settings);
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOTFOUND)
log_debug(3, active zone '%s' not found, zone_dn);
goto cleanup;
^
You replaced this goto with CLEANUP_WITH(DNS_R_SERVFAIL) but
the check if dynamic updates in reverse zone are enabled
is done in the following IF statement
}
CHECK(setting_get_bool(dyn_update, zone_settings, zone_dyn_update));
if (!zone_dyn_update) {
log_debug(3, dynamic update is not allowed in zone
'%s', zone_dn);
CLEANUP_WITH(ISC_R_NOPERM);
}
The patch modifies the plugin to explicitly return SERVFAIL if there was
some error while getting settings of PTR zone (the zone does not exist,
etc).
Maybe it would be good to explicitly return SERVFAIL also if dynamic
updates in PTR zone are disabled and modify the commit message to
better express what this patch does.
You are right. Revised patch is attached.
I sent a bad patch by mistake...
--
Petr^2 Spacek
From 04b48143f592541d3c98e06229987e36dbaf6ec8 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 16 Apr 2013 11:00:04 +0200
Subject: [PATCH] Explicitly return SERVFAIL if PTR synchronization is
misconfigured.
SERVFAIL will be returned if PTR synchronization is enabled
in forward zone but the reverse zone is not managed by plugin
or if the reverse zone has dynamic updates disabled.
Signed-off-by: Petr Spacek pspa...@redhat.com
---
src/ldap_helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index d6061f247db625326ce09e75b1c7ca5c1f259ba5..af630e53dde36c3eec4d1a286cb096bcd8f3b0ca 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2990,14 +2990,14 @@ modify_ldap_common(dns_name_t *owner, ldap_instance_t *ldap_inst,
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOTFOUND)
log_debug(3, active zone '%s' not found, zone_dn);
- goto cleanup;
+ CLEANUP_WITH(DNS_R_SERVFAIL);
}
CHECK(setting_get_bool(dyn_update, zone_settings, zone_dyn_update));
if (!zone_dyn_update) {
log_error(dynamic update is not allowed in zone
'%s', zone_dn);
- CLEANUP_WITH(ISC_R_NOPERM);
+ CLEANUP_WITH(DNS_R_SERVFAIL);
}
/*
--
1.7.11.7
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 9.5.2013 15:14, Martin Kosek wrote: On 05/09/2013 02:39 PM, Petr Viktorin wrote: On 05/09/2013 02:06 PM, Martin Kosek wrote: This should get to 3.2 GA. -- ipa-dns-install crashed when it was run on a CA-less server. https://fedorahosted.org/freeipa/ticket/3617 This solves the issue, ACK Thanks. Pushed to master. Martin Sorry for this, but NACK. With this patch ipa-ca records are not created for existing masters unless ipa-dns-install is run on a replica which has CA configured. You should instead put the ldap.get_entries() call in a try/except block and ignore the NotFound exception which causes the crash. You can test it by installing IPA without --setup-dns and without --external-ca on server1 and then installing a replica with --setup-dns and without --setup-ca on server2. After this, ipa-ca record for server1 should be created. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 05/09/2013 05:44 PM, Jan Cholasta wrote:
On 9.5.2013 15:14, Martin Kosek wrote:
On 05/09/2013 02:39 PM, Petr Viktorin wrote:
On 05/09/2013 02:06 PM, Martin Kosek wrote:
This should get to 3.2 GA.
--
ipa-dns-install crashed when it was run on a CA-less server.
https://fedorahosted.org/freeipa/ticket/3617
This solves the issue, ACK
Thanks. Pushed to master.
Martin
Sorry for this, but NACK. With this patch ipa-ca records are not created for
existing masters unless ipa-dns-install is run on a replica which has CA
configured. You should instead put the ldap.get_entries() call in a try/except
block and ignore the NotFound exception which causes the crash.
You can test it by installing IPA without --setup-dns and without
--external-ca
on server1 and then installing a replica with --setup-dns and without
--setup-ca on server2. After this, ipa-ca record for server1 should be
created.
Honza
Sending updated patch, please review if you can.
Martin
From 146d904ec797108f16b73f59ea31554c91cb8957 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 9 May 2013 17:50:15 +0200
Subject: [PATCH] Fix ipa-ca DNS name creation
Previous fix (6d06a7e) did not work properly on a CA-less replica
with CA-powered master.
https://fedorahosted.org/freeipa/ticket/3617
---
ipaserver/install/bindinstance.py | 16 ++--
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 5a2450e615cb7d0236721f533c22aeb64b94fe9b..ac86e9e7d5713172772b7868233cfa7da91a9fab 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -733,13 +733,17 @@ def __add_ipa_ca_record(self):
self.__add_ipa_ca_records(self.fqdn, [self.ip_address],
self.ca_configured)
-if self.first_instance and self.ca_configured:
+if self.first_instance:
ldap = api.Backend.ldap2
-entries = ldap.get_entries(
-DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
- api.env.basedn),
-ldap.SCOPE_SUBTREE, '((objectClass=ipaConfigObject)(cn=CA))',
-['dn'])
+try:
+entries = ldap.get_entries(
+DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ api.env.basedn),
+ldap.SCOPE_SUBTREE, '((objectClass=ipaConfigObject)(cn=CA))',
+['dn'])
+except errors.NotFound:
+root_logger.debug('No server with CA found')
+entries = []
for entry in entries:
fqdn = entry.dn[1]['cn']
--
1.8.1.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
On 9.5.2013 17:57, Martin Kosek wrote: On 05/09/2013 05:44 PM, Jan Cholasta wrote: Sorry for this, but NACK. With this patch ipa-ca records are not created for existing masters unless ipa-dns-install is run on a replica which has CA configured. You should instead put the ldap.get_entries() call in a try/except block and ignore the NotFound exception which causes the crash. You can test it by installing IPA without --setup-dns and without --external-ca on server1 and then installing a replica with --setup-dns and without --setup-ca on server2. After this, ipa-ca record for server1 should be created. Honza Sending updated patch, please review if you can. Martin Looks good to me, ACK! -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0221 Update translations from Transifex
Hello, It's almost time to release, so let's merge the current state of translations. Since last release, there has been significant activity in Spanish, French, and Ukrainian. Thanks to all translators! The patch is again quite large, so I have not attached it. Please download it from here: https://github.com/encukou/freeipa/commit/09b6702905a9eaa2d590166060a02b4ab6f88992.patch install/po/bn_IN.po | 20 +- install/po/ca.po| 12 +- install/po/cs.po| 12 +- install/po/de.po| 14 +- install/po/es.po| 1386 +-- install/po/eu.po| 18 +- install/po/fr.po| 1341 +++-- install/po/id.po| 27 +- install/po/ipa.pot | 680 + install/po/ja.po| 14 +- install/po/kn.po| 35 +- install/po/nl.po| 12 +- install/po/pl.po| 37 +- install/po/ru.po| 39 +- install/po/tg.po| 12 +- install/po/uk.po| 587 -- install/po/zh_CN.po | 24 +- 17 files changed, 3615 insertions(+), 655 deletions(-) -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0027 Prompt for nameserver IP address in dnszone-add
On 05/09/2013 02:10 PM, Martin Kosek wrote:
On 05/09/2013 12:45 PM, Petr Viktorin wrote:
On 05/07/2013 07:50 PM, Ana Krivokapic wrote:
Prompt for nameserver IP address in dnszone-add
https://fedorahosted.org/freeipa/ticket/3603
See Petr Špaček's mail for normal zones.
Also when adding a reverse zone we should not ask:
$ ipa dnszone-add --name-from-ip=80.142.15.0/24 --name-server=`hostname`.
Zone name [15.142.80.in-addr.arpa.]:
Administrator e-mail address [hostmaster.15.142.80.in-addr.arpa.]:
[Nameserver IP address]: 1.2.3.4
ipa: ERROR: invalid 'ip_address': Nameserver DNS record is created for for
forward zones only
The Web UI also asks for the NS IP address for reverse zones and fails when
it's given.
(Also, looking at the output above, asking for the zone name isn't useful for
reverse zones, but I guess that's a different usability issue.)
I think the easiest way to selectively ask in CLI is a custom
interactive_prompt_callback (or we could have a separate dnszone-add-reverse
command). As for the UI I don't know.
The question is, do we want to go that far for this bug?
I do not like the alwaysask approach. I think it rather complicates things.
I think we will indeed need to do the interactive_prompt_callback and in case
when we detect the following cases (as per Petr Spacek's mail):
new zone = example.com.
a) NS = ns.example.com. (i.e. absolute name)
= IP address is required because NS is defined inside the new zone
b) NS = ns (i.e. relative name)
= IP address is required because NS is defined inside the new zone
we need to ask for IP address. As in this case, this is really not an option,
but a required parameter. If possible, the same logic would be great to have
for the UI.
When deciding the question above, you can take advantage of get_name_in_zone
function which will also work with cases like
ipa dnszone-add example.com --name-server=@ --ip-address 10.16.78.47
Martin
Thanks all for the reviews. I addressed all comments in the attached
updated patch.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
From d76e10e2e1d0474d5ff5815660bd2cd11a6d4199 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 9 May 2013 18:47:12 +0200
Subject: [PATCH] Prompt for nameserver IP address in dnszone-add
Prompt for nameserver IP address in interactive mode of dnszone-add.
Add a corresponding field to dnszone creation dialog in the web UI.
This parameter is required if and only if:
* New zone is a forward zone
* Nameserver is defined inside the new zone
https://fedorahosted.org/freeipa/ticket/3603
---
install/ui/src/freeipa/dns.js | 52 +
install/ui/test/data/ipa_init_commands.json | 11 ++
ipalib/plugins/dns.py | 23 -
3 files changed, 85 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js
index 5024e8b768ea46c86eb4db5901e71b02866432ff..25c3340b4df6be974342926e2bd13ce1b7c3b11f 100644
--- a/install/ui/src/freeipa/dns.js
+++ b/install/ui/src/freeipa/dns.js
@@ -300,6 +300,11 @@ return {
fields: [
'idnssoamname',
{
+name: 'ip_address',
+validators: [ 'ip_address' ],
+metadata: '@mc-opt:dnszone_add:ip_address'
+},
+{
name: 'idnssoarname',
required: false
},
@@ -576,11 +581,58 @@ IPA.dnszone_adder_dialog = function(spec) {
var that = IPA.entity_adder_dialog(spec);
+var init = function() {
+var zone_w = that.fields.get_field('idnsname').widget;
+var reverse_zone_w = that.fields.get_field('name_from_ip').widget;
+var ns_w = that.fields.get_field('idnssoamname').widget;
+
+zone_w.value_changed.attach(that.check_ns_ip);
+reverse_zone_w.value_changed.attach(that.check_ns_ip);
+ns_w.value_changed.attach(that.check_ns_ip);
+};
+
+that.check_ns_ip = function() {
+var ip_address_f = that.fields.get_field('ip_address');
+var zone_w = that.fields.get_field('idnsname').widget;
+var ns_w = that.fields.get_field('idnssoamname').widget;
+
+var zone = $('input', zone_w.container).val();
+var ns = $('input', ns_w.container).val();
+
+var zone_is_reverse = zone_w.input.prop('disabled');
+var relative_ns = true;
+var ns_in_zone = false;
+
+if (ns ns[ns.length-1] === '.') {
+relative_ns = false;
+ns = ns.slice(0, -1);
+}
+
+if (zone zone[zone.length-1] === '.') {
+zone = zone.slice(0, -1);
+}
+
+if (ns zone ns.indexOf(zone, ns.length - zone.length) !== -1) {
+ns_in_zone = true;
+}
+
+if (!zone_is_reverse (relative_ns ||
Re: [Freeipa-devel] [PATCH] 404 Do not add ipa-ca records on CA-less installs
Jan Cholasta wrote: On 9.5.2013 17:57, Martin Kosek wrote: On 05/09/2013 05:44 PM, Jan Cholasta wrote: Sorry for this, but NACK. With this patch ipa-ca records are not created for existing masters unless ipa-dns-install is run on a replica which has CA configured. You should instead put the ldap.get_entries() call in a try/except block and ignore the NotFound exception which causes the crash. You can test it by installing IPA without --setup-dns and without --external-ca on server1 and then installing a replica with --setup-dns and without --setup-ca on server2. After this, ipa-ca record for server1 should be created. Honza Sending updated patch, please review if you can. Martin Looks good to me, ACK! pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
