Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.06.2016 14:03, Martin Basti wrote: On 27.06.2016 14:02, Petr Spacek wrote: On 27.6.2016 11:20, Petr Spacek wrote: On 27.6.2016 10:30, Martin Basti wrote: On 23.06.2016 18:32, Petr Spacek wrote: Hello, replica-install: Compare domain names as DNS names and not strings This fixes false possitive where user inputs "example.com" and "EXAMPLE.COM" were not considered equivalent and installation was wrongly refused. https://fedorahosted.org/freeipa/ticket/5976 NACK, client installer should normalize domain name as host-add does, because it will blow up in different places, we cannot compare this part as DNS name when other parts works with it as strings ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this client to a replica. Local domain 'ipa.example.COM' does not match IPA domain 'ipa.example.com'. Okay, I will use the same validator as ipa-server-install and normalize it as you suggested. Here you go. I was not able to find a corner case which would break this. LGTM ACK Pushed to: master: 8b12ef50e1c016a5a025cf2a69271f769b585a03 ipa-4-3: 3d71c43504ea7837ea14bb9dd4a469c07337293f -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.06.2016 14:02, Petr Spacek wrote: On 27.6.2016 11:20, Petr Spacek wrote: On 27.6.2016 10:30, Martin Basti wrote: On 23.06.2016 18:32, Petr Spacek wrote: Hello, replica-install: Compare domain names as DNS names and not strings This fixes false possitive where user inputs "example.com" and "EXAMPLE.COM" were not considered equivalent and installation was wrongly refused. https://fedorahosted.org/freeipa/ticket/5976 NACK, client installer should normalize domain name as host-add does, because it will blow up in different places, we cannot compare this part as DNS name when other parts works with it as strings ipa.ipapython.install.cli.install_tool(Replica): ERRORCannot promote this client to a replica. Local domain 'ipa.example.COM' does not match IPA domain 'ipa.example.com'. Okay, I will use the same validator as ipa-server-install and normalize it as you suggested. Here you go. I was not able to find a corner case which would break this. LGTM -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.6.2016 11:20, Petr Spacek wrote:
> On 27.6.2016 10:30, Martin Basti wrote:
>> >
>> >
>> > On 23.06.2016 18:32, Petr Spacek wrote:
>>> >> Hello,
>>> >>
>>> >> replica-install: Compare domain names as DNS names and not strings
>>> >>
>>> >> This fixes false possitive where user inputs "example.com" and
>>> >> "EXAMPLE.COM"
>>> >> were not considered equivalent and installation was wrongly refused.
>>> >>
>>> >> https://fedorahosted.org/freeipa/ticket/5976
>>> >>
>> >
>> > NACK, client installer should normalize domain name as host-add does,
>> > because
>> > it will blow up in different places, we cannot compare this part as DNS
>> > name
>> > when other parts works with it as strings
>> >
>> > ipa.ipapython.install.cli.install_tool(Replica): ERRORCannot promote
>> > this
>> > client to a replica. Local domain 'ipa.example.COM' does not match IPA
>> > domain
>> > 'ipa.example.com'.
> Okay, I will use the same validator as ipa-server-install and normalize it as
> you suggested.
Here you go. I was not able to find a corner case which would break this.
--
Petr^2 Spacek
From b964f784519442361695695fbde36385066506e3 Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Mon, 27 Jun 2016 14:00:01 +0200
Subject: [PATCH] client: Share validator and domain name normalization with
server install
https://fedorahosted.org/freeipa/ticket/5976
---
client/ipa-client-install | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..2da2720d1f959b452a4895ebb23e0efadae2a7fc 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -54,7 +54,8 @@ try:
from ipapython.config import IPAOptionParser
from ipalib import api, errors
from ipalib import x509, certstore
-from ipalib.util import verify_host_resolvable
+from ipalib.util import (
+normalize_hostname, validate_domain_name, verify_host_resolvable)
from ipalib.constants import CACERT
from ipapython.dn import DN
from ipapython.ssh import SSHPublicKey
@@ -230,6 +231,13 @@ def parse_options():
if (options.server and not options.domain):
parser.error("--server cannot be used without providing --domain")
+if options.domain:
+try:
+validate_domain_name(options.domain)
+except ValueError as ex:
+parser.error("invalid domain name: %s" % ex)
+options.domain = normalize_hostname(options.domain)
+
if options.force_ntpd and not options.conf_ntp:
parser.error("--force-ntpd cannot be used together with --no-ntp")
--
2.7.4
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 27.6.2016 10:30, Martin Basti wrote: > > > On 23.06.2016 18:32, Petr Spacek wrote: >> Hello, >> >> replica-install: Compare domain names as DNS names and not strings >> >> This fixes false possitive where user inputs "example.com" and "EXAMPLE.COM" >> were not considered equivalent and installation was wrongly refused. >> >> https://fedorahosted.org/freeipa/ticket/5976 >> > > NACK, client installer should normalize domain name as host-add does, because > it will blow up in different places, we cannot compare this part as DNS name > when other parts works with it as strings > > ipa.ipapython.install.cli.install_tool(Replica): ERRORCannot promote this > client to a replica. Local domain 'ipa.example.COM' does not match IPA domain > 'ipa.example.com'. Okay, I will use the same validator as ipa-server-install and normalize it as you suggested. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
On 23.06.2016 18:32, Petr Spacek wrote: Hello, replica-install: Compare domain names as DNS names and not strings This fixes false possitive where user inputs "example.com" and "EXAMPLE.COM" were not considered equivalent and installation was wrongly refused. https://fedorahosted.org/freeipa/ticket/5976 NACK, client installer should normalize domain name as host-add does, because it will blow up in different places, we cannot compare this part as DNS name when other parts works with it as strings ipa.ipapython.install.cli.install_tool(Replica): ERRORCannot promote this client to a replica. Local domain 'ipa.example.COM' does not match IPA domain 'ipa.example.com'. Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
Hello,
replica-install: Compare domain names as DNS names and not strings
This fixes false possitive where user inputs "example.com" and "EXAMPLE.COM"
were not considered equivalent and installation was wrongly refused.
https://fedorahosted.org/freeipa/ticket/5976
--
Petr^2 Spacek
From 1eb9dddf141814e9b10aabf70d8970ae312db849 Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Thu, 23 Jun 2016 18:30:39 +0200
Subject: [PATCH] replica-install: Compare domain names as DNS names and not
strings
This fixes false possitive where user inputs "example.com" and "EXAMPLE.COM"
were not considered equivalent and installation was wrongly refused.
https://fedorahosted.org/freeipa/ticket/5976
---
ipaserver/install/server/replicainstall.py | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..9b31f926e3be78017c7b178f099332910d34ba5c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -6,7 +6,6 @@ from __future__ import print_function
import collections
import dns.exception as dnsexception
-import dns.name as dnsname
import dns.resolver as dnsresolver
import dns.reversename as dnsreversename
import os
@@ -19,6 +18,7 @@ import six
from ipapython import ipaldap, ipautil, sysrestore
from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
from ipapython.install.common import step
from ipapython.install.core import Knob
from ipapython.ipa_log_manager import root_logger
@@ -304,7 +304,7 @@ def check_dns_resolution(host_name, dns_servers):
address, host_name)
no_errors = False
else:
-host_name_obj = dnsname.from_text(host_name)
+host_name_obj = DNSName(host_name).make_absolute()
if rrset:
names = [r.target.to_text() for r in rrset]
else:
@@ -949,7 +949,8 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
domains=u', '.join(entry['associatedDomain'])
))
-if entry['associatedDomain'][0] != api.env.domain:
+if (DNSName(entry['associatedDomain'][0])
+!= DNSName.from_text(api.env.domain)):
raise RuntimeError(
"Cannot promote this client to a replica. Local domain "
"'{local}' does not match IPA domain '{ipadomain}'. ".format(
--
2.7.4
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
