Re: [Freeipa-devel] [PATCH] [DOC] Add note about additional nameservers in resolv.conf
On 27.3.2014 00:40, Gabe Alford wrote: All, Please review patch for https://fedorahosted.org/freeipa/ticket/3085 Added note that 'nameserver 127.0.0.1' is added to resolv.conf, that it is recommended to add more replicas to resolv.conf, and the max nameservers allowed in resolv.conf. Thank you for the patch! Conditional ACK, please remove trailing whitespaces before push. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] [DOC] Add note about additional nameservers in resolv.conf
On 03/27/2014 09:42 AM, Petr Spacek wrote: On 27.3.2014 00:40, Gabe Alford wrote: All, Please review patch for https://fedorahosted.org/freeipa/ticket/3085 Added note that 'nameserver 127.0.0.1' is added to resolv.conf, that it is recommended to add more replicas to resolv.conf, and the max nameservers allowed in resolv.conf. Thank you for the patch! Conditional ACK, please remove trailing whitespaces before push. Thanks! Pushed to docs master: a2f5d7ed8fe49e8ad1cfbf29ddfe563de235e8ac -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] [DOC] Add note about additional nameservers in resolv.conf
On Wed, 2014-03-26 at 17:40 -0600, Gabe Alford wrote: All, Please review patch for https://fedorahosted.org/freeipa/ticket/3085 Added note that 'nameserver 127.0.0.1' is added to resolv.conf, that it is recommended to add more replicas to resolv.conf, and the max nameservers allowed in resolv.conf. Actually, my ipa-server-install puts into /etc/resolv.conf its ip address itself not localhost After fresh install: #cat /etc/resolv.conf search example.com nameserver 10.*.*.* thanks, Gabe ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Martin^2 Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] [DOC] Add note about additional nameservers in resolv.conf
On 27.3.2014 10:23, Martin Basti wrote: On Wed, 2014-03-26 at 17:40 -0600, Gabe Alford wrote: All, Please review patch for https://fedorahosted.org/freeipa/ticket/3085 Added note that 'nameserver 127.0.0.1' is added to resolv.conf, that it is recommended to add more replicas to resolv.conf, and the max nameservers allowed in resolv.conf. Actually, my ipa-server-install puts into /etc/resolv.conf its ip address itself not localhost After fresh install: #cat /etc/resolv.conf search example.com nameserver 10.*.*.* IMHO /etc/resolv.conf was overwritten by DHCPd (when IPA installation was finished). -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] [DOC] Add note about additional nameservers in resolv.conf
On Thu, 2014-03-27 at 10:33 +0100, Petr Spacek wrote: On 27.3.2014 10:23, Martin Basti wrote: On Wed, 2014-03-26 at 17:40 -0600, Gabe Alford wrote: All, Please review patch for https://fedorahosted.org/freeipa/ticket/3085 Added note that 'nameserver 127.0.0.1' is added to resolv.conf, that it is recommended to add more replicas to resolv.conf, and the max nameservers allowed in resolv.conf. Actually, my ipa-server-install puts into /etc/resolv.conf its ip address itself not localhost After fresh install: #cat /etc/resolv.conf search example.com nameserver 10.*.*.* IMHO /etc/resolv.conf was overwritten by DHCPd (when IPA installation was finished). I inspect ipa-server-install source code and installation adds to resolv.conf a real server address. DHCP leave note in resolv.conf when generate it. -- Martin^2 Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] [DOC] Review section on NetworkManager
On Wed, Mar 26, 2014 at 05:30:13PM -0600, Gabe Alford wrote: All, Please review this patch for https://fedorahosted.org/freeipa/ticket/4156 Added links to documentation on configuring NetworkManager. Thank you for the patch. ACK. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] FreeIPA 3.3.5
Hello all! I think we are close to releasing next bugfixing version on FreeIPA 3.3.5. We have a lot of bug fixes to offer, especially in the AD Trust area. I wrote the changelog to our wiki, fixes or suggestions welcome: http://www.freeipa.org/page/Releases/3.3.5 I have just one last concern though, the remaining PKI clone installation issue I found: https://fedorahosted.org/pki/ticket/933 Do we want to release before this ticket is closed or wait? Question is if fixing Dogtag 10 based clone installation is enough to allow us to release or not. Matthew (CCed), do we have any ETA when the fix would be available? -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 561 webui: make navigation module independent on app module
On 26.3.2014 15:36, Misnyovszki Adam wrote: On Wed, 19 Mar 2014 16:02:19 +0100 Petr Vobornik pvobo...@redhat.com wrote: When some module used 'freeipa/navigation' it pulled the entire Web UI because navigation depended on app. This patch splits the app into two modules: app and app_container. App specifies the entities which are part of final application. app_container module represents the application boot classes. Navigation now depends on app_container. Hi, tests ran as expected, and it works, so ACK. Note: there are two typos in copyright, app.js:5(./), app_container.js:1(space before comment), should be corrected before push. Thanks Adam Typos in comments fixed. Pushed to master: e7bfac1e63360993aea2be91082ca69c478f3cf1 -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0158] Extend ipa-range-check DS plugin to handle range types
The updated version handles the ret variable properly. It also makes
sure the memory is properly freed.
On 03/18/2014 04:45 PM, Alexander Bokovoy wrote:
On Tue, 18 Mar 2014, Tomas Babej wrote:
On 03/18/2014 09:19 AM, Alexander Bokovoy wrote:
On Mon, 17 Mar 2014, Tomas Babej wrote:
Hi,
The ipa-range-check plugin used to determine the range type depending
on the value of the attributes such as RID or secondary RID base. This
approached caused variety of issues since the portfolio of ID range
types expanded.
The patch makes sure the following rules are implemented:
* No ID range pair can overlap on base ranges, with exception
of two ipa-ad-trust-posix ranges belonging to the same forest
* For any ID range pair of ranges belonging to the same domain:
* Both ID ranges must be of the same type
* For ranges of ipa-ad-trust type or ipa-local type:
* Primary RID ranges can not overlap
* For ranges of ipa-local type:
* Primary and secondary RID ranges can not overlap
* Secondary RID ranges cannot overlap
For the implementation part, the plugin was extended with a domain ID
to forest root domain ID mapping derivation capabilities.
https://fedorahosted.org/freeipa/ticket/4137
Test coverage coming soon!
I don't really like that you are using a list here. The list is built
and then destroyed in preop callback every time we process the range
object, so it is one-off operation. Now, when you fetch trust domain
objects to build the list, why can't you use an array directly?
Given that all you need the list for is to map domain to a trust (if
any) and trust name is the name of the root level domain, you can
simply
make an array of a struct (name, root) where root is a and index to the
same array or -1 if this is the root domain itself.
I don't see much benefit of using array over linked list in this case.
In both cases, we would need to build the data container, and it would
be one-off operation (once for the ADD/MOD operation).
Additionaly, using linked list, I can only pass around the pointer to
the head of the list, instead of passing around the array and it's
size.
If you make a {NULL, NULL} entry as the last one, no need to pass array
size. But anyway...
I reworked the part of the patch that fetches the data from the LDAP as
we discussed. Instead of performing multiple LDAP searches, we do a
single extra search per operation.
See comments below.
+static struct domain_info* build_domain_to_forest_root_map(struct
domain_info *head,
+ struct
ipa_range_check_ctx *ctx){
+
+Slapi_PBlock *trusted_domain_search_pb = NULL;
+Slapi_Entry **trusted_domain_entries = NULL;
+Slapi_DN *base_dn = NULL;
+Slapi_RDN *rdn = NULL;
+
+int search_result;
+int ret;
+
+/* Set the base DN for the search to cn=ad, cn=trusts, $SUFFIX */
+base_dn = slapi_sdn_new_dn_byref(ctx-base_dn);
+if (base_dn == NULL) {
+LOG_FATAL(Failed to convert base DN.\n);
+ret = LDAP_OPERATIONS_ERROR;
+goto done;
+}
+
+rdn = slapi_rdn_new();
+if (rdn == NULL) {
+LOG_FATAL(Failed to obtain RDN struct.\n);
+ret = LDAP_OPERATIONS_ERROR;
+goto done;
+}
+
+slapi_rdn_add(rdn, cn, trusts);
+slapi_sdn_add_rdn(base_dn, rdn);
+slapi_rdn_done(rdn);
+
+slapi_rdn_add(rdn, cn, ad);
+slapi_sdn_add_rdn(base_dn, rdn);
+slapi_rdn_done(rdn);
given that slapi_search_internal_set_pb() wants 'const char *base', why
not use asprintf() instead?
Here is what we do in ipa-kdb:
ret = asprintf(base, cn=ad,cn=trusts,%s, ipactx-base);
if (ret == -1) {
ret = ENOMEM;
goto done;
}
That's enough, IMHO. 389-ds internally will anyway create new sdn
explicitly from a string you've passed.
+
+/* Allocate a new parameter block */
+trusted_domain_search_pb = slapi_pblock_new();
+if (trusted_domain_search_pb == NULL) {
+LOG_FATAL(Failed to create new pblock.\n);
+ret = LDAP_OPERATIONS_ERROR;
in done: label you don't deal with 'ret' at all. Do you need it?
+//goto done;
is it goto or not?
+}
+
+/* Search for all the root domains, note the LDAP_SCOPE_ONELEVEL */
+slapi_search_internal_set_pb(trusted_domain_search_pb,
+ slapi_sdn_get_dn(base_dn),
here just use 'base_dn'.
+ LDAP_SCOPE_SUBTREE, DOMAIN_ID_FILTER,
+ NULL, 0, NULL, NULL,
ctx-plugin_id, 0);
+
+ret = slapi_search_internal_pb(trusted_domain_search_pb);
+if (ret != 0) {
+LOG_FATAL(Starting internal search failed.\n);
+goto done;
make sure you are consistent with 'ret' -- either handling it or not,
and if overriding with LDAP_OPERATIONS_ERROR, make sure it is overridden
everywhere.
+}
+
[Freeipa-devel] [PATCH 0161] ipa-range-check: Fix memory leaks when freeing range object
Hi,
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.
https://fedorahosted.org/freeipa/ticket/4276
--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
From 4752dd7cf5470e4da709ce0f31b9f8d408b79737 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 27 Mar 2014 13:03:33 +0100
Subject: [PATCH] ipa-range-check: Fix memory leaks when freeing range object
When cleaning the range_info struct, simple free of the struct
is not enough, we have to free contents of char pointers in the
struct as well.
https://fedorahosted.org/freeipa/ticket/4276
---
.../ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 17 +
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index 0ef33e5869bbcb4f721394ce35e2338095bf5d36..c877a7dc445b31b3de085aa66028d7652df6b9cc 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -96,6 +96,15 @@ struct domain_info {
struct domain_info *next;
};
+static void free_range_info(struct range_info *range) {
+if (range != NULL) {
+slapi_ch_free_string((range-name));
+slapi_ch_free_string((range-domain_id));
+slapi_ch_free_string((range-forest_root_id));
+slapi_ch_free_string((range-id_range_type));
+free(range);
+}
+}
static void free_domain_info(struct domain_info *info) {
if (info != NULL) {
@@ -323,7 +332,7 @@ static int slapi_entry_to_range_info(struct domain_info *domain_info_head,
done:
if (ret != 0) {
-free(range);
+free_range_info(range);
}
return ret;
@@ -598,7 +607,7 @@ static int ipa_range_check_pre_op(Slapi_PBlock *pb, int modtype)
}
ranges_valid = check_ranges(new_range, old_range);
-free(old_range);
+free_range_info(old_range);
old_range = NULL;
if (ranges_valid != 0) {
ret = LDAP_CONSTRAINT_VIOLATION;
@@ -638,8 +647,8 @@ done:
slapi_free_search_results_internal(search_pb);
slapi_pblock_destroy(search_pb);
slapi_sdn_free(dn);
-free(old_range);
-free(new_range);
+free_range_info(old_range);
+free_range_info(new_range);
if (free_entry) {
slapi_entry_free(entry);
}
--
1.8.5.3
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0015] Add wait_for_dns option to default.conf
On 02/20/2014 03:56 PM, Martin Basti wrote:
On Thu, 2014-02-20 at 14:36 +0100, Petr Spacek wrote:
On 19.2.2014 17:55, Martin Basti wrote:
On Wed, 2014-02-19 at 17:10 +0100, Petr Spacek wrote:
On 19.2.2014 15:11, Petr Spacek wrote:
On 18.2.2014 17:34, Nathaniel McCallum wrote:
On Tue, 2014-02-18 at 17:06 +0100, Petr Viktorin wrote:
On 02/18/2014 04:45 PM, Petr Spacek wrote:
Hello,
Add wait_for_dns option to default.conf.
This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol.
It is intended only for testing - it should prevent tests from
failing if there is bigger delay between change in LDAP and DNS.
I would recommend value like 10 seconds.
Here are a few Python nitpicks you requested.
Thank you very much. This new version solves problems you found + adds
proper
handling for real DNS timeouts.
It seems to me like a more general TimeoutError would be useful in a
broader context. DNSTimeout seems overly narrow to me, unless I'm
missing something.
I would like to keep them separate. DNSTimeout shouldn't be handled at all
because it means that your DNS server or database is dead or broken in
some
interesting way.
I assume that generic TimeoutError could be interpreted as 'try it
again'/'failover' or something like that.
Maybe the DNSTimeout is not the best name, I'm open to suggestions.
I have sent the old version with new name, gggrrr.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Tests failed:
test_dns[92]: dnsrecord_add: Add A record to u'ns2' in zone
u'zone3.test' ... ok
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 291, in
lambda
func = lambda: self.check(nice, **test)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 309, in
check
self.check_output(nice, cmd, args, options, expected, extra_check)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 348, in
check_output
got = api.Command[cmd](*args, **options)
File /root/freeipa/ipalib/frontend.py, line 436, in __call__
ret = self.run(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 761, in run
return self.forward(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 782, in forward
return self.Backend.rpcclient.forward(self.name, *args, **kw)
File /root/freeipa/ipalib/rpc.py, line 836, in forward
return self._call_command(command, params)
File /root/freeipa/ipalib/rpc.py, line 813, in _call_command
return command(*params)
File /root/freeipa/ipalib/rpc.py, line 951, in _call
return self.__request(name, args)
File /root/freeipa/ipalib/rpc.py, line 945, in __request
raise error_class(message=error['message'])
DNSTimeout: DNS query timeout: Expected {_kerberos.zone2.test. 86400 IN
TXT IDM.LAB.ENG.BRQ.REDHAT.COM} got {SERVFAIL}
==
ERROR: test_dns[51]: dnsrecord_add: Add NS+DNAME record to u'zone2.test'
zone record using dnsrecord_add
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 291, in
lambda
func = lambda: self.check(nice, **test)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 309, in
check
self.check_output(nice, cmd, args, options, expected, extra_check)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 348, in
check_output
got = api.Command[cmd](*args, **options)
File /root/freeipa/ipalib/frontend.py, line 436, in __call__
ret = self.run(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 761, in run
return self.forward(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 782, in forward
return self.Backend.rpcclient.forward(self.name, *args, **kw)
File /root/freeipa/ipalib/rpc.py, line 836, in forward
return self._call_command(command, params)
File /root/freeipa/ipalib/rpc.py, line 813, in _call_command
return command(*params)
File /root/freeipa/ipalib/rpc.py, line 951, in _call
return self.__request(name, args)
File /root/freeipa/ipalib/rpc.py, line 945, in __request
raise error_class(message=error['message'])
DNSTimeout: DNS query timeout: Expected {zone2.test. 86400 IN NS
ns1.dnszone.test.
zone2.test. 86400 IN NS ns1.zone2.test.} got {SERVFAIL}
configuration was: wait_for_dns=10
All tests passed without wait_for_dns option.
Sometimes at first run, I get only error and testing is interrupted.
I hope I covered all
Re: [Freeipa-devel] [PATCH] 562-563 webui: move RPC code from IPA module to its own module
On Wed, 19 Mar 2014 16:02:29 +0100 Petr Vobornik pvobo...@redhat.com wrote: depends on path #561(make navigation module independent on app module) [PATCH] 562 webui: move RPC code from IPA module to its own module - moves RPC code from ipa.js to it's own module - part of ongoing effort where the ultimate goal is to get rid of ipa.js and IPA namespace [PATCH] 563 webui: replace IPA.command usage with rpc.command Replace all IPA.command, IPA.batch_command and IPA.concurrent_command usages by equivalents from rpc module. ACK Greets Adam ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal
On 01/07/2014 01:47 PM, Tomas Babej wrote:
On 01/07/2014 07:23 AM, Alexander Bokovoy wrote:
On Mon, 06 Jan 2014, Tomas Babej wrote:
On 01/06/2014 12:16 PM, Tomas Babej wrote:
On 04/15/2013 12:43 PM, Tomas Babej wrote:
On 04/08/2013 03:55 PM, Martin Kosek wrote:
On 04/01/2013 09:52 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 02/12/2013 06:23 PM, Simo Sorce wrote:
On Tue, 2013-02-12 at 18:03 +0100, Tomas Babej wrote:
On 02/12/2013 05:50 PM, Tomas Babej wrote:
Hi,
This patch adds a check for krbprincipalexpiration attribute to
pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired,
auth is
denied and LDAP_INVALID_CREDENTIALS along with the error
message is
sent back to the client. Since krbprincipalexpiration
attribute is
not
mandatory, if there is no value set, the check is passed.
https://fedorahosted.org/freeipa/ticket/3305
Comments inline.
@@ -1166,6 +1173,29 @@ static int ipapwd_pre_bind(Slapi_PBlock
*pb)
goto done;
}
+/* check the krbPrincipalExpiration attribute is present */
+ret = slapi_entry_attr_find(entry, krbPrincipalExpiration,
attr);
+if (!ret) {
ret is not a boolean so probably better ti use (ret != 0)
+/* if it is, check whether the principal has not
expired */
+
+principal_expire = slapi_entry_attr_get_charptr(entry,
+ krbprincipalexpiration);
+memset(expire_tm, 0, sizeof (expire_tm));
+
+if (strptime(principal_expire, %Y%m%d%H%M%SZ,
expire_tm)){
style issue missing space between ) and {
+expire_time = mktime(expire_tm);
+/* this might have overflown on 32-bit system */
This comment does not help to point out what you want to put in
evidence.
if there is an overflow what is the consequence ? Or does it
mean the
next condition is taking that into account ?
Yeah, this was rather ill-worded. Replaced by a rather verbose
comment that hopefully clears things out.
+if (current_time expire_time expire_time 0){
style issue missing space between ) and {
+LOG_FATAL(kerberos principal has expired in
user
entry: %s\n,
+ dn);
I think a better phrasing would be: The kerberos principal on
%s is
expired\n
+errMesg = Kerberos principal has expired.;
s/has/is/
The rest looks good to me.
Simo.
Styling issues fixed and updated patch attached :)
Small nit, the expiration error should probably use 'in' not 'on'.
I'm not sure LDAP_INVALID_CREDENTIALS is the right return code. This
implies
that the password is wrong. I think that LDAP_UNWILLING_TO_PERFORM
is probably
more correct here. It is what we return on other policy failures.
rob
Additional findings:
1) Lets not try to get current_time every time, but only when its
needed (i.e.
krbPrincipalExpiration is set) - AFAIK, it is not so cheap operation:
+/* get current time*/
+current_time = time(NULL);
2) Why using slapi_entry_attr_get_charptr and thus let 389-ds find
the
attribute again when we already have a pointer for the attribute?
Would
slapi_attr_first_value following slapi_entry_attr_find be faster
approach?
+ret = slapi_entry_attr_find(entry, krbPrincipalExpiration,
attr);
+if (ret != 0) {
+/* if it is, check whether the principal has not expired */
+
+principal_expire = slapi_entry_attr_get_charptr(entry,
+ krbprincipalexpiration);
This way, we would not create a copy of this attribute value - we do
not need a
copy, we just do check against it.
3) Shouldn't we return -1 in the end when the auth fails? We do that
in other
pre_callbacks. Otherwise we just return 0 (success):
+if (auth_failed){
+slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
errMesg,
+ 0, NULL);
+}
+
return 0;
Martin
Thank you both for the review. I updated and retested the patch, with
your suggestions incorporated.
Tomas
I rebased the patch on top of current master.
Bumping, since this is planned as part of 3.4 (and there were some
requests for this feature).
Tomas
I updated the commit message to reflect better what the current version
of the patch implements.
Tomas
From a93d1ec3ca8c7b6e8e754b474257695ba9018e07 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 6 Jan 2014 12:11:24 +0100
Subject: [PATCH] ipa-pwd-extop: Deny LDAP binds for user accounts
with expired
principal
Adds a check for krbprincipalexpiration attribute to pre_bind operation
in ipa-pwd-extop dirsrv plugin. If the principal is expired, auth is
denied and LDAP_UNWILLING_TO_PERFORM along with the error message is
sent back to the client. Since krbprincipalexpiration attribute is not
mandatory, if there is no value set, the check is passed.
https://fedorahosted.org/freeipa/ticket/3305
---
Re: [Freeipa-devel] [PATCH] 562-563 webui: move RPC code from IPA module to its own module
On 27.3.2014 14:38, Misnyovszki Adam wrote: On Wed, 19 Mar 2014 16:02:29 +0100 Petr Vobornik pvobo...@redhat.com wrote: depends on path #561(make navigation module independent on app module) [PATCH] 562 webui: move RPC code from IPA module to its own module - moves RPC code from ipa.js to it's own module - part of ongoing effort where the ultimate goal is to get rid of ipa.js and IPA namespace [PATCH] 563 webui: replace IPA.command usage with rpc.command Replace all IPA.command, IPA.batch_command and IPA.concurrent_command usages by equivalents from rpc module. ACK Greets Adam Pushed to master: * d5cf0b273ad511d6cb99fbcb900eff528fe172df webui: move RPC code from IPA module to its own module * 06a7a1b3cb277284448dd8344940395f0b29cd70 webui: replace IPA.command usage with rpc.command -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0034] Deny LDAP binds for user accounts with expired principal
this need rebasing due to OTP patches, however comments inline.
On Tue, 2014-01-07 at 13:47 +0100, Tomas Babej wrote:
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index
ef37b5e173359f9404b241c12d8a6dc6e77da128..df74a671c219f9b4aaa407f2ebd68f41669817b4
100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1389,13 +1389,17 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
Slapi_Value *value = NULL;
Slapi_Attr *attr = NULL;
struct tm expire_tm;
+time_t current_time;
+time_t expire_time;
char *errMesg = Internal operations error\n; /* error message
*/
char *expire = NULL; /* passwordExpirationTime attribute value */
+char *principal_expire = NULL; /* krbPrincipalExpiration
attribute value */
char *dn = NULL; /* bind DN */
Slapi_Value *objectclass;
int method; /* authentication method */
int ret = 0;
char *principal = NULL;
+bool auth_failed = false;
LOG_TRACE(=\n);
@@ -1422,7 +1426,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
const char *attrs_list[] = {SLAPI_USERPWD_ATTR,
krbprincipalkey, uid,
krbprincipalname, objectclass,
passwordexpirationtime,
passwordhistory,
-NULL};
+krbprincipalexpiration, NULL};
/* retrieve user entry */
ret = ipapwd_getEntry(dn, entry, (char **) attrs_list);
@@ -1438,6 +1442,39 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
goto done;
}
+/* check the krbPrincipalExpiration attribute is present */
+ret = slapi_entry_attr_find(entry, krbPrincipalExpiration,
attr);
+if (ret == 0) {
+ret = slapi_attr_first_value(attr, value);
+
+if (ret == 0) {
+/* if it is, check whether the principal has not expired
*/
+principal_expire = slapi_value_get_string(value);
Why not just use a simpler condition from the start of this very nested
sequence of checks ?
Like:
/* check the krbPrincipalExpiration attribute is present */
principal_expire = slapi_entry_attr_get_charptr(entry,
krbPrincipalExpiration)
if (principal_expire) {
memset(...
I do not see the value of digging through the attr with that many calls.
+memset(expire_tm, 0, sizeof (expire_tm));
+
+if (strptime(principal_expire, %Y%m%d%H%M%SZ,
expire_tm)) {
+expire_time = mktime(expire_tm);
+
+/* get current time */
+current_time = time(NULL);
+
+/* mktime returns -1 if the tm struct cannot be
represented as
+ * as calendar time (seconds since the Epoch). This
might
+ * happen with tm structs that are ill-formated or on
32-bit
+ * platforms with dates that would cause overflow
+ * (year 2038 and later).
+ * In such cases, skip the expiration check. */
+
+if (current_time expire_time expire_time 0) {
+LOG_FATAL(kerberos principal in %s is expired
\n, dn);
+errMesg = Kerberos principal is expired.;
This message is sent back to the client, perhaps we should say: Account
is expired, it seem to me a more understandable error for a casual
user/admin.
+auth_failed = true;
Technically no auth was performed also I am not sure why we need a
boolean ?
Just set rc = LDAP_UNWILLING_TO_PERFORM ?
+goto done;
+}
+}
+}
+}
+
/* we aren't interested in host principals */
objectclass = slapi_value_new_string(ipaHost);
if ((slapi_entry_attr_has_syntax_value(entry,
SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) {
@@ -1560,6 +1597,12 @@ done:
slapi_entry_free(entry);
free_ipapwd_krbcfg(krbcfg);
+if (auth_failed){
+slapi_send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
errMesg,
and here:
if (rc != LDAP_SUCCESS) {
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
+ 0, NULL);
+return -1;
+}
+
return 0;
}
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH][RFC] 7 automember rebuild nowait feature added
On Wed, 26 Mar 2014 13:15:55 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/25/2014 03:36 PM, Misnyovszki Adam wrote:
On Mon, 24 Mar 2014 17:06:41 +0100
Martin Kosek mko...@redhat.com wrote:
On 03/24/2014 11:42 AM, Misnyovszki Adam wrote:
On Fri, 21 Mar 2014 13:06:21 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/21/2014 12:58 PM, Martin Kosek wrote:
On 03/21/2014 12:38 PM, Petr Viktorin wrote:
On 03/21/2014 12:00 PM, Misnyovszki Adam wrote:
On Fri, 21 Mar 2014 10:33:00 +0100
Petr Viktorin pvikt...@redhat.com wrote:
On 03/21/2014 10:29 AM, Petr Viktorin wrote:
On 03/20/2014 04:22 PM, Misnyovszki Adam wrote:
On Thu, 20 Mar 2014 14:19:51 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Fri, 14 Mar 2014 13:26:15 -0400
Rob Crittenden rcrit...@redhat.com wrote:
Misnyovszki Adam wrote:
Hi,
automember-rebuild uses asynchronous 389 task, and
returned success even if the task didn't run. This patch
fixes this issue adding a --nowait parameter to 'ipa
automember-rebuild', defaulting to False, thus when the
script runs without it, it waits for the
'nstaskexitcode' attribute, which means the task has
finished, according to
http://directory.fedoraproject.org/wiki/Task_Invocation_Via_LDAP#Implementation.
Old usage can be enabled using --nowait.
https://fedorahosted.org/freeipa/ticket/4239
Request for comments:
- Should I add a parameter to specify the polling time?
(now 1ms)
- Should I add a parameter to specify the maximum
polling number? Now if something fails about creating
the task, it polls forever.
- Obviously, if these parameters should be added, there
should be a reasonable default for them (~
Required=False, Default=X).
I don't think you need a polling time, esp since this is
hidden from the user, but I think that is probably too
short and you may end up hammering the LDAP server.
I also wonder if there should be some maximum wait time.
I don't like loops that can never exit. I'm at a loss for
what that time should be though. And we'd need to spell
out that we gave up waiting, not that the task
necessarily failed. So rather than having a polling time
option, rename nowait into wait_for=20, so wait for 20
seconds. Or something like that.
I'd suggest using get_entry since you already know the
full DN and there is only ever one. It would make this
much more readable.
I wonder if some top-level documentation should be added
to flesh this out some more. This does, for example,
return False in one case. The meaning for that should be
spelled out.
rob
Hi,
personally I would keep --no-wait, with a delay of 1
seconds, and a maximum waiting time for 60 seconds.
Questions is, do we need to parameterize with other
parameters(wait-for to the maximum time, and/or poll-delay
for the delay time, both not required), or it is not a
case which worth to develop? Greets
Adam
Hi,
here are the corrections Petr asked, also the other patch
conatins the plugin registration refactor.
Thanks!
You forgot an alternate summary for the --no-wait case.
(Make sure to output the DN in this case, so it's possible
to poll for it.)
Instead of `task['nstaskexitcode'][0]` please use
`task.single_value['nstaskexitcode']`.
There's one more `task['nstaskexitcode'][0]`. (Perhaps putting
it in a variable would be better?)
Here:
raise errors.DatabaseError(
desc=_(Automember rebuild membership task
failed), info=_(nstaskexitcode = '%s' %
str(task['nstaskexitcode'][0])))
there's no need to call str() on %'s argument.
Also, use natural language (like Task exit code: %s),
otherwise there's no need to mark the message for
translation.
And one more thing: Please bump the minor version in the
VERSION file when API.txt changes.
Hi,
everything is corrected!
Greets
Adam
Sorry for dragging this so long, but:
The DN should not be a part of the summary, because that makes
it hard to parse when using the API. It should be returned as
a part of the result. To do that, you'd need to change the
output type:
has_output = output.standard_entry
has_output_params = (
DNParam(
'dn',
label=_('Task automember'),
doc=_('DN of the started task'),
),
)
and provide a dict in result, instead of True. (And with
--no-wait, add the dn to that dict.)
Do really want to use 'dn' for the DNParam? dn is already used
for standard entry DN when --all is used, right?
automembertaskdn may be better.
Well, I think DN of the added entry is exactly what this is.
Also, Task automember label sounds strange to me, would
Automember task DN be better?
I meant Task DN, sorry for the thinko.
One more thing, which came to my mind after reviewing the code for
myself once again, if
Re: [Freeipa-devel] [PATCH]Extending user plugin with employeenumber field
On Wed, 26 Mar 2014 14:07:50 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Tue, 25 Mar 2014 18:26:53 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Tue, 25 Mar 2014 14:31:15 +0100
Petr Vobornik pvobo...@redhat.com wrote:
On 21.3.2014 11:00, Misnyovszki Adam wrote:
On Fri, 21 Mar 2014 10:13:55 +0100
Misnyovszki Adam amisn...@redhat.com wrote:
On Fri, 21 Feb 2014 16:06:27 +0100
Petr Vobornik pvobo...@redhat.com wrote:
On 21.2.2014 15:45, Adam Misnyovszki wrote:
Hi,
According to http://tools.ietf.org/html/rfc2798 ipa client
and web ui extended with employeenumber field.
https://fedorahosted.org/freeipa/ticket/4165
Question is, that should we extend user with other fields
which are in the RFC, (carLicense, departmentNumber,
employeeType, etc) if we already touched this code?
Thanks
Adam
+Int('employeenumber?',
+label=_('Employee ID'),
+minvalue=1,
+),
Why Int and different label? IMO it should be Str and
'Employee Number'
2.4. Employee Number
Numeric or alphanumeric identifier assigned to a person,
typically based on order of hire or association with an
organization. Single valued.
( 2.16.840.1.113730.3.1.3
NAME 'employeeNumber'
DESC 'numerically identifies an employee within an
organization' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
Hi,
fixed, also some other fields added. Note, that according to
the rfc,
licence plate field should be multivalue, should I cange
that(it is an existing field).
yes
Also, should I write test cases(especially for
preferredlanguage)?
Testing new functionality helps.
Greets
Adam
self NACK,
VERSION bump because API change
It requires another rebase.
Greets
Adam
1) Is there a reason to have label 'Employee ID' instead of
'Employee Number' which is in RFC 2798?
+label=_('Employee ID'),
2) Department number seems to be multivalued as well:
( 2.16.840.1.113730.3.1.2
NAME 'departmentNumber'
DESC 'identifies a department within an organization'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
3) The regex for preferredlanguage:
+pattern='^[a-zA-Z]{1,8}[-[a-zA-Z]{1,8}]?$',
doesn't match the expression in RFC 2068. It's only part of it.
Accept-Language = Accept-Language :
1#( language-range [ ; q =
qvalue ] )
language-range = ( ( 1*8ALPHA *( - 1*8ALPHA ) ) |
* )
http://tools.ietf.org/html/rfc2068#section-14.4
RFC 2798 ( http://tools.ietf.org/html/rfc2798#section-2.7 ) says
that you should omit only the `Accept-Language :` sequence.
See the updates in the attached patch.
Greets
Adam
The preferredLanguage regex pattern and error message has been
modified to comply with RFC, according to conversation with Petr.
Thanks
Adam
The regex pattern corrected, unit tests added for preferredlanguage.
Greets
AdamFrom 06c07fa11fe2fbdf92e0d51333a5265de38a0bdb Mon Sep 17 00:00:00 2001
From: Adam Misnyovszki amisn...@redhat.com
Date: Thu, 27 Mar 2014 16:26:08 +0100
Subject: [PATCH] Extending user plugin with inetOrgPerson fields
According to http://tools.ietf.org/html/rfc2798 ipa client
and web ui extended with inetOrgPerson fields:
- employeenumber
- employeetype
- preferredlanguage
- departmentnumber
carlicenseplate is now multivalued
https://fedorahosted.org/freeipa/ticket/4165
---
API.txt | 24 ++---
VERSION | 4 +-
install/ui/src/freeipa/user.js | 10 +++-
ipalib/plugins/user.py | 17 +-
ipatests/test_xmlrpc/test_user_plugin.py | 92
5 files changed, 136 insertions(+), 11 deletions(-)
diff --git a/API.txt b/API.txt
index 326b051e79cb914a2ff2ea603084d7d741f2aa70..14dde56832793f8dd9fa6795a5ba79d0a2431d51 100644
--- a/API.txt
+++ b/API.txt
@@ -3791,13 +3791,16 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
output: Output('summary', (type 'unicode', type 'NoneType'), None)
output: Output('value', type 'unicode', None)
command: user_add
-args: 1,39,3
+args: 1,43,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False,
Re: [Freeipa-devel] [PATCH 0015] Add wait_for_dns option to default.conf
On 27.3.2014 13:15, Martin Kosek wrote:
On 02/20/2014 03:56 PM, Martin Basti wrote:
On Thu, 2014-02-20 at 14:36 +0100, Petr Spacek wrote:
On 19.2.2014 17:55, Martin Basti wrote:
On Wed, 2014-02-19 at 17:10 +0100, Petr Spacek wrote:
On 19.2.2014 15:11, Petr Spacek wrote:
On 18.2.2014 17:34, Nathaniel McCallum wrote:
On Tue, 2014-02-18 at 17:06 +0100, Petr Viktorin wrote:
On 02/18/2014 04:45 PM, Petr Spacek wrote:
Hello,
Add wait_for_dns option to default.conf.
This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol.
It is intended only for testing - it should prevent tests from
failing if there is bigger delay between change in LDAP and DNS.
I would recommend value like 10 seconds.
Here are a few Python nitpicks you requested.
Thank you very much. This new version solves problems you found + adds proper
handling for real DNS timeouts.
It seems to me like a more general TimeoutError would be useful in a
broader context. DNSTimeout seems overly narrow to me, unless I'm
missing something.
I would like to keep them separate. DNSTimeout shouldn't be handled at all
because it means that your DNS server or database is dead or broken in some
interesting way.
I assume that generic TimeoutError could be interpreted as 'try it
again'/'failover' or something like that.
Maybe the DNSTimeout is not the best name, I'm open to suggestions.
I have sent the old version with new name, gggrrr.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Tests failed:
test_dns[92]: dnsrecord_add: Add A record to u'ns2' in zone
u'zone3.test' ... ok
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 291, in
lambda
func = lambda: self.check(nice, **test)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 309, in
check
self.check_output(nice, cmd, args, options, expected, extra_check)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 348, in
check_output
got = api.Command[cmd](*args, **options)
File /root/freeipa/ipalib/frontend.py, line 436, in __call__
ret = self.run(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 761, in run
return self.forward(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 782, in forward
return self.Backend.rpcclient.forward(self.name, *args, **kw)
File /root/freeipa/ipalib/rpc.py, line 836, in forward
return self._call_command(command, params)
File /root/freeipa/ipalib/rpc.py, line 813, in _call_command
return command(*params)
File /root/freeipa/ipalib/rpc.py, line 951, in _call
return self.__request(name, args)
File /root/freeipa/ipalib/rpc.py, line 945, in __request
raise error_class(message=error['message'])
DNSTimeout: DNS query timeout: Expected {_kerberos.zone2.test. 86400 IN
TXT IDM.LAB.ENG.BRQ.REDHAT.COM} got {SERVFAIL}
==
ERROR: test_dns[51]: dnsrecord_add: Add NS+DNAME record to u'zone2.test'
zone record using dnsrecord_add
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 291, in
lambda
func = lambda: self.check(nice, **test)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 309, in
check
self.check_output(nice, cmd, args, options, expected, extra_check)
File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 348, in
check_output
got = api.Command[cmd](*args, **options)
File /root/freeipa/ipalib/frontend.py, line 436, in __call__
ret = self.run(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 761, in run
return self.forward(*args, **options)
File /root/freeipa/ipalib/frontend.py, line 782, in forward
return self.Backend.rpcclient.forward(self.name, *args, **kw)
File /root/freeipa/ipalib/rpc.py, line 836, in forward
return self._call_command(command, params)
File /root/freeipa/ipalib/rpc.py, line 813, in _call_command
return command(*params)
File /root/freeipa/ipalib/rpc.py, line 951, in _call
return self.__request(name, args)
File /root/freeipa/ipalib/rpc.py, line 945, in __request
raise error_class(message=error['message'])
DNSTimeout: DNS query timeout: Expected {zone2.test. 86400 IN NS
ns1.dnszone.test.
zone2.test. 86400 IN NS ns1.zone2.test.} got {SERVFAIL}
configuration was: wait_for_dns=10
All tests passed without wait_for_dns option.
Sometimes at first run, I get only error and testing is interrupted.
I hope I covered all corner
[Freeipa-devel] Fwd: Re: FreeIPA 3.3.5
Re-sending since I am now subscribed to this list. Original Message Subject:Re: FreeIPA 3.3.5 Date: Thu, 27 Mar 2014 14:27:32 -0700 From: Matthew Harmsen mharm...@redhat.com To: Martin Kosek mko...@redhat.com, freeipa-devel@redhat.com On 03/27/14 04:45, Martin Kosek wrote: Hello all! I think we are close to releasing next bugfixing version on FreeIPA 3.3.5. We have a lot of bug fixes to offer, especially in the AD Trust area. I wrote the changelog to our wiki, fixes or suggestions welcome: http://www.freeipa.org/page/Releases/3.3.5 I have just one last concern though, the remaining PKI clone installation issue I found: https://fedorahosted.org/pki/ticket/933 Do we want to release before this ticket is closed or wait? Question is if fixing Dogtag 10 based clone installation is enough to allow us to release or not. Matthew (CCed), do we have any ETA when the fix would be available? Ticket #933 is next on my list, but I must replicate the issue first, and then come up with a patch. My best guess is that I would not have anything before sometime next week. This issue only involves replicating a FreeIPA system which is using Dogtag 9 (e. g. - RHEL 6, Fedora 17) to a Free IPA system using Dogtag 10.1 (e. g. - Fedora 20 - the change was made in pki-core-10.1.1.fc20). Regardless of your decision, this issue will be the next bug fixed, and it is planned to be included in the next build (e. g. - pki-core-10.1.2.fc20). -- Matt ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] [DOC] Add note about additional nameservers in resolv.conf
I believe that Martin is right about the server installer no longer putting 127.0.0.1 in the resolv.conf. Here is a mod patch to address Martin's concern if the note needs to be changed to show a real IP address. Gabe On Thu, Mar 27, 2014 at 4:14 AM, Martin Basti mba...@redhat.com wrote: On Thu, 2014-03-27 at 10:33 +0100, Petr Spacek wrote: On 27.3.2014 10:23, Martin Basti wrote: On Wed, 2014-03-26 at 17:40 -0600, Gabe Alford wrote: All, Please review patch for https://fedorahosted.org/freeipa/ticket/3085 Added note that 'nameserver 127.0.0.1' is added to resolv.conf, that it is recommended to add more replicas to resolv.conf, and the max nameservers allowed in resolv.conf. Actually, my ipa-server-install puts into /etc/resolv.conf its ip address itself not localhost After fresh install: #cat /etc/resolv.conf search example.com nameserver 10.*.*.* IMHO /etc/resolv.conf was overwritten by DHCPd (when IPA installation was finished). I inspect ipa-server-install source code and installation adds to resolv.conf a real server address. DHCP leave note in resolv.conf when generate it. -- Martin^2 Basti From 7cc26ca67d93532c45757210352ab7b6332c78c7 Mon Sep 17 00:00:00 2001 From: Gabe redhatri...@gmail.com Date: Thu, 27 Mar 2014 18:55:38 -0600 Subject: [PATCH] [DOC] Update resolv.conf nameserver note to reflect real IP address - Added example of real IP address as the installer inserts a real IP address into resolv.conf. --- src/user_guide/en-US/DNS.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/user_guide/en-US/DNS.xml b/src/user_guide/en-US/DNS.xml index ab120e80efcf1ff41e0f774dba8b357818e6cb2a..54663ed806e2ab1db1bf2d30482908acb4618f96 100644 --- a/src/user_guide/en-US/DNS.xml +++ b/src/user_guide/en-US/DNS.xml @@ -69,8 +69,8 @@ When DNS is configured either by the option--setup-dns/option option during the intial IPA; install or the commandipa-dns-install/command command after the intial IPA; setup, the IPA; server installer creates -filename/etc/resolv.conf/filename with the following line: -screennameserver 127.0.0.1/screen +filename/etc/resolv.conf/filename with the IPA; server's IP address. For example: +screennameserver 192.168.1.1/screen /para /listitem listitem -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
