Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery

2011-12-09 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Fri, 02 Dec 2011, Rob Crittenden wrote:

Alexander Bokovoy wrote:

Hi,

This is a patch proposal; I haven't checked it with a multiple-server
setup yet.

When discovering IPA LDAP servers through DNS records, look through all
servers found until the first success. A master might not be available or
might deny access due to anonymous binds being disabled, for example, but
a replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827


Needs a rebase.

This works fine, but I wonder whether, if someone specifies --server on the
command line, we should try only that server and fail if we can't
connect. I can see someone using that so they can specify which
server the client uses.

Rebase attached.

If --server is specified, DNS discovery is bypassed in search() and
self.server will have the value of --server. That means the code I
changed will still work as parse_items() accepts a single item as
well.


I don't see the --server code included in the patch.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery

2011-12-09 Thread Alexander Bokovoy
On Fri, 09 Dec 2011, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 On Fri, 02 Dec 2011, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 Hi,
 
 This is a patch proposal; I haven't checked it with a multiple-server
 setup yet.
 
 When discovering IPA LDAP servers through DNS records, look through all
 servers found until the first success. A master might not be available or
 might deny access due to anonymous binds being disabled, for example, but
 a replica may succeed.
 
 Ticket #1827
 https://fedorahosted.org/freeipa/ticket/1827
 
 Needs a rebase.
 
 This works fine, but I wonder whether, if someone specifies --server on the
 command line, we should try only that server and fail if we can't
 connect. I can see someone using that so they can specify which
 server the client uses.
 Rebase attached.
 
 If --server is specified, DNS discovery is bypassed in search() and
 self.server will have the value of --server. That means the code I
 changed will still work as parse_items() accepts a single item as
 well.
 
 I don't see the --server code included in the patch.
Because it is not needed.

The search() method gets the value of the --server option passed as the 
server named argument. If it is not None, the whole discovery is skipped 
and that value is assigned to self.server.

self.server is then parsed via parse_items() and iterated over -- with 
a single iteration in the case where --server is specified.

-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery

2011-12-09 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Fri, 09 Dec 2011, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Fri, 02 Dec 2011, Rob Crittenden wrote:

Alexander Bokovoy wrote:

Hi,

This is a patch proposal; I haven't checked it with a multiple-server
setup yet.

When discovering IPA LDAP servers through DNS records, look through all
servers found until the first success. A master might not be available or
might deny access due to anonymous binds being disabled, for example, but
a replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827


Needs a rebase.

This works fine, but I wonder whether, if someone specifies --server on the
command line, we should try only that server and fail if we can't
connect. I can see someone using that so they can specify which
server the client uses.

Rebase attached.

If --server is specified, DNS discovery is bypassed in search() and
self.server will have the value of --server. That means the code I
changed will still work as parse_items() accepts a single item as
well.


I don't see the --server code included in the patch.

Because it is not needed.

The search() method gets the value of the --server option passed as the
server named argument. If it is not None, the whole discovery is skipped
and that value is assigned to self.server.

self.server is then parsed via parse_items() and iterated over -- with
a single iteration in the case where --server is specified.



Ah, right you are. Works great, pushed to master.

rob



Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery

2011-12-07 Thread Alexander Bokovoy
On Fri, 02 Dec 2011, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 Hi,
 
 This is a patch proposal; I haven't checked it with a multiple-server
 setup yet.
 
 When discovering IPA LDAP servers through DNS records, look through all
 servers found until the first success. A master might not be available or
 might deny access due to anonymous binds being disabled, for example, but
 a replica may succeed.
 
 Ticket #1827
 https://fedorahosted.org/freeipa/ticket/1827
 
 Needs a rebase.
 
 This works fine, but I wonder whether, if someone specifies --server on the
 command line, we should try only that server and fail if we can't
 connect. I can see someone using that so they can specify which
 server the client uses.
Rebase attached.

If --server is specified, DNS discovery is bypassed in search() and 
self.server will have the value of --server. That means the code I 
changed will still work as parse_items() accepts a single item as 
well.
-- 
/ Alexander Bokovoy
From bc441d8e6bc1e0007c4a6395f0a382980b8de36f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 7 Dec 2011 14:40:46 +0200
Subject: [PATCH] Check through all LDAP servers in the domain during IPA
 discovery

When discovering IPA LDAP servers through DNS records, look through all
servers found until the first success. A master might not be available or
might deny access, but a replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827
---
 ipa-client/ipaclient/ipadiscovery.py |   34 +-
 1 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/ipa-client/ipaclient/ipadiscovery.py 
b/ipa-client/ipaclient/ipadiscovery.py
index 
94a04f39e70f6edf3874c036462c457f85f56c12..40fafbabfeccf1f90adb36a86dc5cfd0ae297329
 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -25,7 +25,7 @@ import tempfile
 import ldap
 from ldap import LDAPError
 from ipapython.ipautil import run, CalledProcessError, valid_ip, 
get_ipa_basedn, \
-  realm_to_suffix, format_netloc
+  realm_to_suffix, format_netloc, parse_items
 
 
 NOT_FQDN = -1
@@ -170,19 +170,35 @@ class IPADiscovery:
 self.kdc = krbret[1]
 
 root_logger.debug([ipacheckldap])
-# check ldap now
-ldapret = self.ipacheckldap(self.server, self.realm)
+# We may have received multiple servers corresponding to the domain
+# Iterate through all of those to check if it is IPA LDAP server
+servers = parse_items(self.server)
+ldapret = [NOT_IPA_SERVER]
+ldapaccess = True
+for server in servers:
+# check ldap now
+ldapret = self.ipacheckldap(server, self.realm)
 
-if ldapret[0] == 0:
-self.server = ldapret[1]
-self.realm = ldapret[2]
+if ldapret[0] == 0:
+self.server = ldapret[1]
+self.realm = ldapret[2]
+break
 
-if ldapret[0] == NO_ACCESS_TO_LDAP and self.realm is None:
+if ldapret[0] == NO_ACCESS_TO_LDAP:
+ldapaccess = False
+
+# If one of LDAP servers checked rejects access (may be anonymous
+# bind is disabled), assume realm and basedn generated off domain.
+# Note that in case ldapret[0] == 0 and ldapaccess == False (one of
+# servers didn't provide access but another one succeeded), self.realm
+# will be set already to a proper value above, self.basdn will be 
+# initialized during the LDAP check itself and we'll skip these two 
checks.
+if not ldapaccess and self.realm is None:
 # Assume realm is the same as domain.upper()
 self.realm = self.domain.upper()
 root_logger.debug(Assuming realm is the same as domain: %s % 
self.realm)
 
-if ldapret[0] == NO_ACCESS_TO_LDAP and self.basedn is None:
+if not ldapaccess and self.basedn is None:
 # Generate suffix from realm
 self.basedn = realm_to_suffix(self.realm)
 root_logger.debug(Generate basedn from realm: %s % self.basedn)
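Review bot: after the loop, ldapret holds only the last server's return code, so a NO_ACCESS_TO_LDAP answer from an earlier server is lost once a later server yields NOT_IPA_SERVER, even though ldapaccess was cleared and the realm/basedn fallback ran on its account; consider keeping the most informative code seen (prefer NO_ACCESS_TO_LDAP over NOT_IPA_SERVER) or carrying ldapaccess alongside ldapret so whatever consumes it can tell "could not check" from "not IPA". Two smaller points in the same hunk: a root_logger.debug() naming each server as it is probed would make multi-server failures diagnosable, and the new comment has two typos, `may be anonymous` should read `maybe anonymous` and `self.basdn` should be `self.basedn`.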
@@ -200,7 +216,7 @@ class IPADiscovery:
 Errno is an error number:
 0 means all ok
 1 means we could not check the info in LDAP (may happend when
-anonymous binds are siabled)
+anonymous binds are disabled)
 2 means the server is certainly not an IPA server
 
 
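Review bot: since this hunk already corrects "siabled" in the docstring, the unchanged line just above it, `1 means we could not check the info in LDAP (may happend when`, still reads "happend"; fix it to "happen" in the same pass.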
-- 
1.7.7.3

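The control flow this thread settles on, iterating over the discovered servers until the first success and letting --server short-circuit discovery to a single-item list, as an added example that is not FreeIPA's own ipadiscovery.py. The names parse_items, ipacheckldap, realm_to_suffix, NO_ACCESS_TO_LDAP and NOT_IPA_SERVER are borrowed from the patch, but every body below is a stand-in written for this example; the DNS SRV answers and LDAP probe outcomes are constructed tables so it runs offline, and the success tuple carries basedn as a fourth element, which the patch's ipacheckldap stores on self instead.

```python
# Added example, not FreeIPA code: a minimal model of the server iteration
# discussed in the thread. Bodies are stand-ins so the module runs offline.

NO_ACCESS_TO_LDAP = 1   # patch docstring: 1 = could not check (anonymous bind off)
NOT_IPA_SERVER = 2      # patch docstring: 2 = certainly not an IPA server


def parse_items(spec):
    """Assumed behaviour of ipautil.parse_items: accept a list or a string of
    comma/whitespace separated hosts; a single bare hostname gives one item."""
    if isinstance(spec, (list, tuple)):
        return [s for s in spec if s]
    return [s for s in spec.replace(",", " ").split() if s]


def realm_to_suffix(realm):
    """Assumed behaviour of ipautil.realm_to_suffix: EXAMPLE.TEST -> dc=example,dc=test."""
    return ",".join("dc=%s" % part.lower() for part in realm.split("."))


# Constructed probe outcomes standing in for real anonymous LDAP binds.
# Success tuples are (0, server, realm, basedn); an assumption for this example.
PROBE_RESULTS = {
    "ipa1.example.test": (NOT_IPA_SERVER,),                     # down / not IPA
    "ipa2.example.test": (NO_ACCESS_TO_LDAP,),                  # anon bind disabled
    "ipa3.example.test": (0, "ipa3.example.test", "EXAMPLE.TEST",
                          "dc=example,dc=test"),                # healthy replica
}

# Constructed SRV answer standing in for _ldap._tcp discovery of the domain.
DNS_SRV = {"example.test": ["ipa1.example.test", "ipa2.example.test",
                            "ipa3.example.test"]}


def ipacheckldap(server, realm):
    """Stand-in for the LDAP probe: look the server up in PROBE_RESULTS."""
    return PROBE_RESULTS.get(server, (NOT_IPA_SERVER,))


def check_servers(server_spec, domain, realm=None, basedn=None):
    """Walk the candidates the way the patch does: stop at the first success,
    remember whether any server refused access, and if one did while realm or
    basedn are still unknown, derive them from the domain."""
    ldapret = (NOT_IPA_SERVER,)
    ldapaccess = True
    found = None
    for server in parse_items(server_spec):
        ldapret = ipacheckldap(server, realm)
        if ldapret[0] == 0:
            found, realm, basedn = ldapret[1], ldapret[2], ldapret[3]
            break
        if ldapret[0] == NO_ACCESS_TO_LDAP:
            ldapaccess = False
    if not ldapaccess and realm is None:
        realm = domain.upper()            # assume realm is domain.upper()
    if not ldapaccess and basedn is None:
        basedn = realm_to_suffix(realm)   # generate suffix from realm
    # 'status' is only the last probe's code, exactly as ldapret is in the patch,
    # so 'access' is reported separately to keep the NO_ACCESS information.
    return {"server": found, "realm": realm, "basedn": basedn,
            "status": ldapret[0], "access": ldapaccess}


def search(domain, server=None):
    """Model of the --server handling from the thread: an explicit server
    bypasses DNS discovery and becomes the whole (single-item) server list."""
    spec = server if server is not None else DNS_SRV.get(domain, [])
    return check_servers(spec, domain)


if __name__ == "__main__":
    print(search("example.test"))                               # falls through to ipa3
    print(search("example.test", server="ipa2.example.test"))   # one probe, fallback
```

Running it shows the two cases the reviewers discussed: with discovery, ipa1 and ipa2 are skipped and ipa3 wins with the realm it reported; with --server pointing at ipa2, only that host is probed, access is refused, and realm and basedn are derived from the domain. Reordering the constructed list to put ipa2 before ipa1 also shows the last-status caveat: status ends as NOT_IPA_SERVER even though access was refused on the way.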

Re: [Freeipa-devel] [PATCH] 0033 Check all LDAP servers during IPA discovery

2011-12-02 Thread Rob Crittenden

Alexander Bokovoy wrote:

Hi,

This is a patch proposal; I haven't checked it with a multiple-server
setup yet.

When discovering IPA LDAP servers through DNS records, look through all
servers found until the first success. A master might not be available or
might deny access due to anonymous binds being disabled, for example, but
a replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827


Needs a rebase.

This works fine, but I wonder whether, if someone specifies --server on the 
command line, we should try only that server and fail if we can't 
connect. I can see someone using that so they can specify which server 
the client uses.


rob

