On Thu, 2011-09-29 at 10:15 -0600, Rich Megginson wrote: > On 09/29/2011 10:11 AM, Simo Sorce wrote: > > On Thu, 2011-09-29 at 17:56 +0200, Martin Kosek wrote: > >> On Thu, 2011-09-29 at 11:44 -0400, Simo Sorce wrote: > >>> On Thu, 2011-09-29 at 17:41 +0200, Martin Kosek wrote: > >>>> On Wed, 2011-09-28 at 18:43 -0400, Simo Sorce wrote: > >>>>> This patch allows ipa-client-install to successfully complete if > >>>>> anonymous access is not allowed on the LDAP server. > >>>>> > >>>>> I have tested this by changing the value of > >>>>> nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config > >>>>> See NOTE about this option. > >>>>> > >>>>> This patch warns the user that full verification of the LDAP server was > >>>>> not possible and may even assume realm is domain.upper() if DNS > >>>>> discovery is not possible. > >>>>> > >>>>> With these caveats the installation on a DNS compliant domain works fine > >>>>> against a IPA server with anonynous access to LDAP disabled with this > >>>>> patch. > >>>>> > >>>>> Fixes #1881 > >>>>> > >>>>> Simo. > >>>>> > >>>>> > >>>>> NOTE: Setting rootdse nsslapd-allow-anonymous-access is standards > >>>>> compliant as it still allows access anonymously to the rootdse entry. > >>>>> Setting this option to 'off' prevents access even to rootdse and is not > >>>>> a good idea (the client doesn't know what auth methods are avilable to > >>>>> authenticate w/o access to rootdse) > >>>> NACK. The approach looks good, but I found several errors: > >>>> > >>>> 1) IPA discovery for servers with anonymous access _allowed_ is broken > >>>> because of the following lines: > >>>> > >>>> > >>>> + if ldapret[0] == 0: > >>>> + self.server = ldapret[0]<<< This should be ldapret[1] > >>>> + self.realm = ldapret[1]<<<< This should be ldapret[2] > >>>> ... > >>> Ouch I swear I was sure I changed those lines ... > >>> > >>>> @@ -259,24 +268,29 @@ class IPADiscovery: > >>>> if trealm == r: > >>>> return [thost, trealm]<<<<< This should be > >>>> [0, thost, trealm] > >>>> # must match or something is very wrong > >>>> - return [] > >>>> + return [REALM_NOT_FOUND] > >>>> > >>>> > >>>> 2) If anonymous access is forbidden, IPA base DN cannot be searched > >>>> since we can't read it's contents and check that it belongs to IPA. If > >>>> you apply my patch 130, you will see this error: > >>>> > >>>> # ipa-client-install --server vm-103.idm.lab.bos.redhat.com --domain > >>>> idm.lab.bos.redhat.com -p admin -w kokos123 > >>>> Warning: Anonymous access to the LDAP server is disabled. > >>>> Proceeding without strict verification. > >>>> Note: This is not an error if anonymous access has been explicitly > >>>> restricted. > >>>> DNS domain '' is not configured for automatic KDC address lookup. > >>>> KDC address will be set to fixed value. > >>>> > >>>> Discovery was successful! > >>>> Hostname: vm-050.idm.lab.bos.redhat.com > >>>> Realm: > >>>> DNS Domain: idm.lab.bos.redhat.com > >>>> IPA Server: vm-103.idm.lab.bos.redhat.com > >>>> Traceback (most recent call last): > >>>> File "/usr/sbin/ipa-client-install", line 1148, in<module> > >>>> sys.exit(main()) > >>>> File "/usr/sbin/ipa-client-install", line 1137, in main > >>>> rval = install(options, env, fstore, statestore) > >>>> File "/usr/sbin/ipa-client-install", line 866, in install > >>>> print "BaseDN: "+cli_basedn > >>>> TypeError: cannot concatenate 'str' and 'NoneType' objects > >>>> > >>>> > >>>> We will have to add user a possibility to pass base DN for IPA since we > >>>> cannot check it ourselves. Something like --basedn=BASEDN. I can do it > >>>> in a scope of my patch after you fix 1) if you don't feel comfortable > >>>> hacking ipa-client-install. > >>> The basedn comes from rootdse, that one can be searched. (if you set the > >>> option in DS to off and din't read my note, you got what you deserve :-) > >>> > >>> Simo. > >>> > >> I read every word of it :-) My point was that you can have more > >> databases (basedns, suffixes) configured on the server and when the > >> anonymous access is disabled we cannot check which one is for IPA. > >> That's what my patch 130 fixes. Before it, we just took the first > >> suffix. > > Ok, in that case we can compare the suffix with the realm. > > It is 100% guaranteed that suffix and realm must match as we create the > > suffix out of the realm. > > Can you add code to check against REALM if anonymous is turned on ? > > > > In case REALM is missing (DNS discovery failed) we have 2 options, use > > domain.upper() or require a --relam= option to be passed by the user, > > what do you think ? > > > > We should really add a defaultNamingContext field in rootdse, maybe we > > should open a ticket about that so we do not have to dance around this > > issue ? > We probably should do this anyway - note that openldap (and AD too?) > support publishing the default naming context in the root DSE. > But you'll still need a way to discover this in older servers.
Yes we can have fallbacks for older servers (the current code). But having it will makes life easier. Do you need a bugzilla ? Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
