[Freeipa-devel] [PATCH] 18 Use TLS for ipadiscovery during ipa client install

Rob Crittenden rcritten at redhat.com
Mon Feb 21 21:09:52 UTC 2011


JR Aquino wrote:
> On 2/21/11 11:18 AM, "JR Aquino"<JR.Aquino at citrix.com>  wrote:
>
>> On 2/21/11 10:46 AM, "Jan Zeleny"<jzeleny at redhat.com>  wrote:
>>
>>> Rob Crittenden<rcritten at redhat.com>  wrote:
>>>> JR Aquino wrote:
>>>>> On 2/17/11 9:46 AM, "Jan Zeleny"<jzeleny at redhat.com>   wrote:
>>>>>> JR Aquino<JR.Aquino at citrix.com>   wrote:
>>>>>>> Let's try now. Attached is the corrected patch.
>>>>>>>
>>>>>>> There were several spots in ipa-client-install where the server could
>>>>>>> be defined and it was getting missed.
>>>>>>> I have omitted any change to ipa-client-install and instead just
>>>>>>> focused on ipadiscovery.py
>>>>>>>
>>>>>>> ipadiscovery.py now performs its own fetch of the CACert just to be
>>>>>>> sure.
>>>>>>>
>>>>>>> Regarding TLS vs LDAPS.
>>>>>>>
>>>>>>> LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
>>>>>>> standardized in any formal specification. This usage has been
>>>>>>> deprecated along with LDAPv2, which was officially retired in 2003.
>>>>>>>
>>>>>>> LDAPS is still supported, but considered deprecated in favor of TLS as
>>>>>>> defined in RFC2830.
>>>>>>>
>>>>>>> On 2/17/11 2:01 AM, "Jan Zelený"<jzeleny at redhat.com>   wrote:
>>>>>>>> JR Aquino<JR.Aquino at citrix.com>   wrote:
>>>>>>>>> This patch addresses the need to utilize TLS when using the
>>>>>>>>> ipa-client-install tool. It addresses ticket:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/974
>>>>>>>>
>>>>>>>> Nack, running ipa-client-install returned this error:
>>>>>>>>
>>>>>>>> # ipa-client-install
>>>>>>>> Retrieving CA from None failed.
>>>>>>>> Command '/usr/bin/wget -O /etc/ipa/ca.crt http://None/ipa/config/ca.crt'
>>>>>>>> returned non-zero exit status 4
>>>>>>>>
>>>>>>>>
>>>>>>>> One more question - shouldn't you use ldaps directly to connect to the
>>>>>>>> server?
>>>>>>>> Jan
>>>>>>
>>>>>> Sorry, I have to Nack it again, the patch seems incomplete, since it is
>>>>>> only adding some cacert fetching code to IPADiscovery.
>>>>>>
>>>>>> Jan
>>>>>
>>>>> Please ignore previous patches for #18. Attached is the replacement
>>>>> all-inclusive patch for this ticket.
>>>>>
>>>>>
>>>>> Per Rob:
>>>>> ipadiscovery should not attempt to create the /etc/ipa/ca.crt; rather, it
>>>>> should populate a tempdir with the temp cert for the initial discovery
>>>>> bind.
>>>>>
>>>>> Attached is the full patch to provide both TLS and the safer wget of the
>>>>> ca.crt to a temporary directory created by tempfile.mkdtemp()
>>>>>
>>>>> Please verify that ipa-client-install from a separate machine functions
>>>>> as expected against a FreeIPA server that is set to "nsslapd-minssf: 56"
>>>>
>>>> It looks ok except for the try/except around the tempfile. If it fails
>>>> all heck is gonna break loose. We should raise a RuntimeError in that
>>>> case.
>>>>
>>>> rob
>>>
>>> Agreed, I had more or less the same comment prepared.
>>
>> Correction made, patch attached.
>>
>>         except OSError, e:
>>             raise RuntimeError("Creating temporary directory failed: %s" % str(e))
>
> In the spirit of consistency, I have corrected a section further down where
> sys.exit is called instead of raising the exception.
>
> I have also broken out the removal of the temp files in a finally clause.
>
> Please review, and confirm that it meets with your approval.
>
>

ack, pushed to master
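The pattern the thread converged on, written out as an added Python 3 example (this is not the reviewed patch or FreeIPA's own code): the CA certificate is fetched into a directory created by tempfile.mkdtemp(), a failure to create that directory raises RuntimeError instead of calling sys.exit(), the temporary files are removed in a finally clause, and a discovery result of None is rejected before anything builds a http://None/... URL, which is the wget failure Jan reported. The server name, the certificate bytes, the fetch and use_ca callbacks and the injectable mkdtemp parameter are all constructed for the example so it runs offline; the real client shells out to wget and then performs the START_TLS discovery bind.

```python
import os
import shutil
import tempfile

# Constructed sample certificate bytes; not a real CA certificate.
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 b"constructed-sample-not-a-real-certificate\n"
                 b"-----END CERTIFICATE-----\n")


def ca_url(server):
    """Build the CA URL; refuse to build http://None/... when discovery found no server."""
    if not server:
        raise RuntimeError("no IPA server discovered; cannot fetch CA certificate")
    return "http://%s/ipa/config/ca.crt" % server


def fetch_ca_to_tempdir(server, fetch, use_ca, mkdtemp=tempfile.mkdtemp):
    """Fetch the CA cert into a fresh temp dir, run use_ca(path), then clean up.
    fetch(url) -> bytes stands in for wget; use_ca(path) is the consumer (in the
    client, the initial START_TLS discovery bind); mkdtemp is injectable for tests."""
    try:
        temp_ca_dir = mkdtemp()
    except OSError as e:
        # Raise rather than sys.exit(), as the reviewed patch does
        raise RuntimeError("Creating temporary directory failed: %s" % str(e))
    try:
        ca_path = os.path.join(temp_ca_dir, "ca.crt")
        with open(ca_path, "wb") as f:
            f.write(fetch(ca_url(server)))
        return use_ca(ca_path)
    finally:
        # Remove the temporary files whether fetch and bind succeeded or not
        shutil.rmtree(temp_ca_dir, ignore_errors=True)


def demo_success():
    """Happy path: the cert lands in the temp dir, and the dir is gone afterwards."""
    seen = {}

    def fake_fetch(url):
        seen["url"] = url
        return SAMPLE_CA_PEM

    def record(path):
        seen["dir"] = os.path.dirname(path)
        with open(path, "rb") as f:
            seen["content"] = f.read()
        return "bound"

    result = fetch_ca_to_tempdir("ipa.example.test", fake_fetch, record)
    return (result, seen["url"], seen["content"] == SAMPLE_CA_PEM,
            os.path.isdir(seen["dir"]))


def demo_missing_server():
    """Server None raises RuntimeError instead of fetching http://None/..."""
    try:
        fetch_ca_to_tempdir(None, lambda url: SAMPLE_CA_PEM, lambda path: "bound")
    except RuntimeError as e:
        return str(e)


def demo_cleanup_on_failure():
    """A failing fetch (wget non-zero exit) still leaves no temp dir behind."""
    created = []

    def tracking_mkdtemp():
        created.append(tempfile.mkdtemp())
        return created[-1]

    def failing_fetch(url):
        raise IOError("wget returned non-zero exit status 4")

    try:
        fetch_ca_to_tempdir("ipa.example.test", failing_fetch,
                            lambda path: "bound", mkdtemp=tracking_mkdtemp)
    except IOError:
        pass
    return len(created) == 1 and not os.path.isdir(created[0])


def demo_mkdtemp_failure():
    """mkdtemp failing (no space, unwritable /tmp) surfaces as RuntimeError."""
    def broken_mkdtemp():
        raise OSError("No space left on device")

    try:
        fetch_ca_to_tempdir("ipa.example.test", lambda url: SAMPLE_CA_PEM,
                            lambda path: "bound", mkdtemp=broken_mkdtemp)
    except RuntimeError as e:
        return str(e)


if __name__ == "__main__":
    for demo in (demo_success, demo_missing_server,
                 demo_cleanup_on_failure, demo_mkdtemp_failure):
        print(demo.__name__, "->", demo())
```

The finally clause is what makes the tempdir approach safer than writing /etc/ipa/ca.crt during discovery: nothing is left behind on the host on the failure paths, and the caller sees a RuntimeError it can report instead of a bare sys.exit from deep inside the discovery code.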



