Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.06.2016 14:03, Martin Basti wrote:
> On 27.06.2016 14:02, Petr Spacek wrote:
>> On 27.6.2016 11:20, Petr Spacek wrote:
>>> On 27.6.2016 10:30, Martin Basti wrote:
>>>> On 23.06.2016 18:32, Petr Spacek wrote:
>>>>> Hello,
>>>>>
>>>>> replica-install: Compare domain names as DNS names and not strings
>>>>>
>>>>> This fixes false positive where user inputs "example.com" and "EXAMPLE.COM"
>>>>> were not considered equivalent and installation was wrongly refused.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5976
>>>>
>>>> NACK, client installer should normalize domain name as host-add does, because
>>>> it will blow up in different places, we cannot compare this part as DNS name
>>>> when other parts work with it as strings
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this
>>>> client to a replica. Local domain 'ipa.example.COM' does not match IPA domain
>>>> 'ipa.example.com'.
>>>
>>> Okay, I will use the same validator as ipa-server-install and normalize it as
>>> you suggested.
>>
>> Here you go. I was not able to find a corner case which would break this.
>
> LGTM

ACK

Pushed to:
master: 8b12ef50e1c016a5a025cf2a69271f769b585a03
ipa-4-3: 3d71c43504ea7837ea14bb9dd4a469c07337293f

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.06.2016 14:02, Petr Spacek wrote:
> On 27.6.2016 11:20, Petr Spacek wrote:
>> On 27.6.2016 10:30, Martin Basti wrote:
>>> On 23.06.2016 18:32, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> replica-install: Compare domain names as DNS names and not strings
>>>>
>>>> This fixes false positive where user inputs "example.com" and "EXAMPLE.COM"
>>>> were not considered equivalent and installation was wrongly refused.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5976
>>>
>>> NACK, client installer should normalize domain name as host-add does, because
>>> it will blow up in different places, we cannot compare this part as DNS name
>>> when other parts work with it as strings
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this
>>> client to a replica. Local domain 'ipa.example.COM' does not match IPA domain
>>> 'ipa.example.com'.
>>
>> Okay, I will use the same validator as ipa-server-install and normalize it as
>> you suggested.
>
> Here you go. I was not able to find a corner case which would break this.

LGTM
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.6.2016 11:20, Petr Spacek wrote:
> On 27.6.2016 10:30, Martin Basti wrote:
>> On 23.06.2016 18:32, Petr Spacek wrote:
>>> Hello,
>>>
>>> replica-install: Compare domain names as DNS names and not strings
>>>
>>> This fixes false positive where user inputs "example.com" and "EXAMPLE.COM"
>>> were not considered equivalent and installation was wrongly refused.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5976
>>
>> NACK, client installer should normalize domain name as host-add does, because
>> it will blow up in different places, we cannot compare this part as DNS name
>> when other parts work with it as strings
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this
>> client to a replica. Local domain 'ipa.example.COM' does not match IPA domain
>> 'ipa.example.com'.
>
> Okay, I will use the same validator as ipa-server-install and normalize it as
> you suggested.

Here you go. I was not able to find a corner case which would break this.

--
Petr^2 Spacek

From b964f784519442361695695fbde36385066506e3 Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Mon, 27 Jun 2016 14:00:01 +0200
Subject: [PATCH] client: Share validator and domain name normalization with server install

https://fedorahosted.org/freeipa/ticket/5976
---
client/ipa-client-install | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install index 0a601b63118b0a3568066495837121c65e5df04f..2da2720d1f959b452a4895ebb23e0efadae2a7fc 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install
@@ -54,7 +54,8 @@ try: from ipapython.config import IPAOptionParser from ipalib import api, errors from ipalib import x509, certstore -from ipalib.util import verify_host_resolvable +from ipalib.util import ( +normalize_hostname, validate_domain_name, verify_host_resolvable) from ipalib.constants import CACERT from ipapython.dn import DN from ipapython.ssh import SSHPublicKey @@ -230,6 +231,13 @@ def parse_options(): if (options.server and not options.domain): parser.error("--server cannot be used without providing --domain") +if options.domain: +try: +validate_domain_name(options.domain) +except ValueError as ex: +parser.error("invalid domain name: %s" % ex) +options.domain = normalize_hostname(options.domain) + if options.force_ntpd and not options.conf_ntp: parser.error("--force-ntpd cannot be used together with --no-ntp") -- 2.7.4
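Review bot: The block added to parse_options() in the second hunk runs only under `if options.domain:`, so it validates and normalizes the value given with --domain and nothing else. If the installer can settle on a domain any other way later on (discovery or an interactive prompt), that value still reaches the string comparisons in whatever case it arrived in, which is the situation the NACK in this thread describes. Consider applying `validate_domain_name` and `normalize_hostname` at the point where the final domain is decided, or in a helper that both paths call, and add a short comment saying why a hostname normalizer is being used on a domain name.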
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.6.2016 10:30, Martin Basti wrote:
> On 23.06.2016 18:32, Petr Spacek wrote:
>> Hello,
>>
>> replica-install: Compare domain names as DNS names and not strings
>>
>> This fixes false positive where user inputs "example.com" and "EXAMPLE.COM"
>> were not considered equivalent and installation was wrongly refused.
>>
>> https://fedorahosted.org/freeipa/ticket/5976
>
> NACK, client installer should normalize domain name as host-add does, because
> it will blow up in different places, we cannot compare this part as DNS name
> when other parts work with it as strings
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this
> client to a replica. Local domain 'ipa.example.COM' does not match IPA domain
> 'ipa.example.com'.

Okay, I will use the same validator as ipa-server-install and normalize it as
you suggested.

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 23.06.2016 18:32, Petr Spacek wrote:
> Hello,
>
> replica-install: Compare domain names as DNS names and not strings
>
> This fixes false positive where user inputs "example.com" and "EXAMPLE.COM"
> were not considered equivalent and installation was wrongly refused.
>
> https://fedorahosted.org/freeipa/ticket/5976

NACK, client installer should normalize domain name as host-add does, because
it will blow up in different places, we cannot compare this part as DNS name
when other parts work with it as strings

ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this
client to a replica. Local domain 'ipa.example.COM' does not match IPA domain
'ipa.example.com'.

Martin^2
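The argument in the reply above, as an added example that is not part of the thread and is not FreeIPA code: comparing as DNS names repairs one check, while normalizing at input also repairs every later consumer that treats the domain as a string. `validate_domain`, `normalize_domain`, `dns_equal`, `promote` and the `KNOWN` set are hypothetical stand-ins constructed for the illustration.

```python
import re

# Hypothetical stand-ins written for this example; they are NOT FreeIPA's
# validate_domain_name / normalize_hostname, only the same idea:
# validate once at input, then keep a single canonical spelling.
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def validate_domain(name):
    """Raise ValueError unless name is a plausible LDH domain name."""
    bare = name[:-1] if name.endswith(".") else name
    if not bare or len(bare) > 253:
        raise ValueError("empty or too long")
    for label in bare.split("."):
        if not _LABEL.fullmatch(label):
            raise ValueError("invalid label %r" % label)


def normalize_domain(name):
    """Canonical string form: validated, lower case, no trailing dot."""
    validate_domain(name)
    return name.rstrip(".").lower()


def dns_equal(a, b):
    """Compare the DNS way: case-insensitive, root dot optional."""
    return normalize_domain(a) == normalize_domain(b)


def promote(local_domain, ipa_domain, known_domains, compare_as_dns):
    """Constructed two-step flow: the promotion check, then a later
    consumer that still uses the domain as a plain string key."""
    if compare_as_dns:
        same = dns_equal(local_domain, ipa_domain)
    else:
        same = local_domain == ipa_domain
    if not same:
        return "refused: domain mismatch"
    if local_domain not in known_domains:  # string-based consumer
        return "failed later: unknown domain %r" % local_domain
    return "ok"


KNOWN = {"ipa.example.com"}  # constructed sample data
```
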
[Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
Hello,

replica-install: Compare domain names as DNS names and not strings

This fixes false positive where user inputs "example.com" and "EXAMPLE.COM"
were not considered equivalent and installation was wrongly refused.

https://fedorahosted.org/freeipa/ticket/5976

--
Petr^2 Spacek

From 1eb9dddf141814e9b10aabf70d8970ae312db849 Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Thu, 23 Jun 2016 18:30:39 +0200
Subject: [PATCH] replica-install: Compare domain names as DNS names and not strings

This fixes false positive where user inputs "example.com" and "EXAMPLE.COM"
were not considered equivalent and installation was wrongly refused.

https://fedorahosted.org/freeipa/ticket/5976
---
ipaserver/install/server/replicainstall.py | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..9b31f926e3be78017c7b178f099332910d34ba5c 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -6,7 +6,6 @@ from __future__ import print_function import collections import dns.exception as dnsexception -import dns.name as dnsname import dns.resolver as dnsresolver import dns.reversename as dnsreversename import os @@ -19,6 +18,7 @@ import six from ipapython import ipaldap, ipautil, sysrestore from ipapython.dn import DN +from ipapython.dnsutil import DNSName from ipapython.install.common import step from ipapython.install.core import Knob from ipapython.ipa_log_manager import root_logger @@ -304,7 +304,7 @@ def check_dns_resolution(host_name, dns_servers): address, host_name) no_errors = False else: -host_name_obj = dnsname.from_text(host_name) +host_name_obj = DNSName(host_name).make_absolute() if rrset: names = [r.target.to_text() for r in rrset] else: 
@@ -949,7 +949,8 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn): domains=u', '.join(entry['associatedDomain']) )) -if entry['associatedDomain'][0] != api.env.domain: +if (DNSName(entry['associatedDomain'][0]) +!= DNSName.from_text(api.env.domain)): raise RuntimeError( "Cannot promote this client to a replica. Local domain " "'{local}' does not match IPA domain '{ipadomain}'. ".format( -- 2.7.4
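Review bot: In the promotion_check_ipa_domain hunk the two operands of the comparison are built differently: the LDAP value goes through `DNSName(...)` while `api.env.domain` goes through `DNSName.from_text(...)`. The check_dns_resolution hunk in this same patch has to call `.make_absolute()` after `DNSName(host_name)`, which suggests the plain constructor does not return an absolute name; if `from_text` does, a relative name is being compared with an absolute one and the check can fail even when both spellings are identical. Build both sides the same way, for example `DNSName(x).make_absolute()` on each operand.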
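Review bot: The check_dns_resolution hunk (`host_name_obj = DNSName(host_name).make_absolute()`) and the removal of `import dns.name as dnsname` are not covered by the commit message, which only describes the domain comparison done during promotion. Either state in the message that host name handling was switched to DNSName as well and why, or move that change into its own patch so the ticket fix stays minimal.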