[Freeipa-devel] [PATCH 0473-0476]DNS Locations: Prologue
Martin Basti
mbasti at redhat.com
Wed May 18 10:43:43 UTC 2016
On 12.05.2016 16:16, Martin Basti wrote:
>
>
>
> On 12.05.2016 11:01, Martin Basti wrote:
>>
>>
>> On 11.05.2016 09:41, Martin Basti wrote:
>>>
>>>
>>> On 10.05.2016 18:56, Petr Spacek wrote:
>>>> On 10.5.2016 15:38, Petr Spacek wrote:
>>>>> On 10.5.2016 15:26, Martin Basti wrote:
>>>>>>
>>>>>> On 10.05.2016 15:23, Petr Spacek wrote:
>>>>>>> On 10.5.2016 14:44, Martin Basti wrote:
>>>>>>>> On 10.05.2016 14:33, Petr Spacek wrote:
>>>>>>>>> On 6.5.2016 10:20, Martin Basti wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2008
>>>>>>>>>>
>>>>>>>>>> Patches attached.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> freeipa-mbasti-0473-DNS-Locations-Always-create-DNS-related-privileges.patch
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From 9a936740da7cdacec150acc92a45041a98ce7cb3 Mon Sep 17
>>>>>>>>>> 00:00:00 2001
>>>>>>>>>> From: Martin Basti <mbasti at redhat.com>
>>>>>>>>>> Date: Wed, 4 May 2016 17:33:52 +0200
>>>>>>>>>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related
>>>>>>>>>> privileges
>>>>>>>>>>
>>>>>>>>>> DNS privileges are important for handling DNS locations which
>>>>>>>>>> can be
>>>>>>>>>> created without DNS servers in IPA topology. We will also
>>>>>>>>>> need this
>>>>>>>>>> privileges presented for future feature 'External DNS support'
>>>>>>>>> Seems reasonable, ACK.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> freeipa-mbasti-0474-DNS-Locations-add-new-attributes-and-objectclasses.patch
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From a7766da5fd1a72884308d4206c9cde262f5c8d35 Mon Sep 17
>>>>>>>>>> 00:00:00 2001
>>>>>>>>>> From: Martin Basti <mbasti at redhat.com>
>>>>>>>>>> Date: Thu, 5 May 2016 11:12:00 +0200
>>>>>>>>>> Subject: [PATCH 2/4] DNS Locations: add new attributes and
>>>>>>>>>> objectclasses
>>>>>>>>>>
>>>>>>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2008
>>>>>>>>>> ---
>>>>>>>>>> install/share/60ipadns.ldif | 4 ++++
>>>>>>>>>> 1 file changed, 4 insertions(+)
>>>>>>>>>>
>>>>>>>>>> diff --git a/install/share/60ipadns.ldif
>>>>>>>>>> b/install/share/60ipadns.ldif
>>>>>>>>>> index
>>>>>>>>>> e0ed0ab869cea0478d9640bb509c6267abed1a01..31c2f71f8566d04a05709f1359b20e6fa51921ce
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 100644
>>>>>>>>>> --- a/install/share/60ipadns.ldif
>>>>>>>>>> +++ b/install/share/60ipadns.ldif
>>>>>>>>>> @@ -70,9 +70,13 @@ attributeTypes: (
>>>>>>>>>> 2.16.840.1.113730.3.8.5.25 NAME
>>>>>>>>>> 'idnsSecKeyRevoke' DESC 'DNSKE
>>>>>>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME
>>>>>>>>>> 'idnsSecKeySep' DESC
>>>>>>>>>> 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY
>>>>>>>>>> booleanMatch
>>>>>>>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN
>>>>>>>>>> 'IPA v4.1' )
>>>>>>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME
>>>>>>>>>> 'idnsSecAlgorithm' DESC
>>>>>>>>>> 'DNSKEY algorithm: string used as mnemonic' EQUALITY
>>>>>>>>>> caseIgnoreIA5Match
>>>>>>>>>> SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX
>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.26
>>>>>>>>>> SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
>>>>>>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME
>>>>>>>>>> 'idnsSecKeyRef' DESC
>>>>>>>>>> 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE
>>>>>>>>>> SYNTAX
>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
>>>>>>>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME
>>>>>>>>>> 'ipaLocation' DESC
>>>>>>>>>> 'Reference to IPA location' EQUALITY distinguishedNameMatch
>>>>>>>>>> SYNTAX
>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' )
>>>>>>>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME
>>>>>>>>>> 'ipaLocationWeight' DESC
>>>>>>>>>> 'Weight for the server in IPA location' EQUALITY integerMatch
>>>>>>>>>> SYNTAX
>>>>>>>>>> 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.4' )
>>>>>>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME
>>>>>>>>>> 'idnsRecord' DESC 'dns
>>>>>>>>>> Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY
>>>>>>>>>> ( cn $
>>>>>>>>>> idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord
>>>>>>>>>> $ a6Record $
>>>>>>>>>> nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $
>>>>>>>>>> mXRecord $
>>>>>>>>>> mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $
>>>>>>>>>> SigRecord $ KeyRecord
>>>>>>>>>> $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord
>>>>>>>>>> $ dNameRecord
>>>>>>>>>> $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $
>>>>>>>>>> DLVRecord $
>>>>>>>>>> TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $
>>>>>>>>>> IPSECKEYRecord $
>>>>>>>>>> DHCIDRecord $ HIPRecord $ SPFRecord ) )
>>>>>>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME
>>>>>>>>>> 'idnsZone' DESC 'Zone
>>>>>>>>>> class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $
>>>>>>>>>> idnsSOAmName $
>>>>>>>>>> idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $
>>>>>>>>>> idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $
>>>>>>>>>> idnsAllowQuery $
>>>>>>>>>> idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $
>>>>>>>>>> idnsForwarders $
>>>>>>>>>> idnsSecInlineSigning $ nSEC3PARAMRecord ) )
>>>>>>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME
>>>>>>>>>> 'idnsConfigObject' DESC
>>>>>>>>>> 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $
>>>>>>>>>> idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $
>>>>>>>>>> idnsPersistentSearch ) )
>>>>>>>>>> objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME
>>>>>>>>>> 'ipaDNSZone' SUP top
>>>>>>>>>> AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
>>>>>>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME
>>>>>>>>>> 'idnsForwardZone' DESC
>>>>>>>>>> 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $
>>>>>>>>>> idnsZoneActive )
>>>>>>>>>> MAY ( idnsForwarders $ idnsForwardPolicy ) )
>>>>>>>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME
>>>>>>>>>> 'idnsSecKey' DESC 'DNSSEC
>>>>>>>>>> key metadata' STRUCTURAL MUST ( idnsSecKeyRef $
>>>>>>>>>> idnsSecKeyCreated $
>>>>>>>>>> idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $
>>>>>>>>>> idnsSecKeyActivate $
>>>>>>>>>> idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $
>>>>>>>>>> idnsSecKeyRevoke $
>>>>>>>>>> idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' )
>>>>>>>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME
>>>>>>>>>> 'ipaLocationObject' DESC
>>>>>>>>>> 'Object for storing IPA server location' AUXILIARY MUST (
>>>>>>>>>> idnsName ) MAY (
>>>>>>>>>> description ) X-ORIGIN 'IPA v4.4' )
>>>>>>>>> Why is it AUXILIARY? AFAIK it should be STRUCTURAL because
>>>>>>>>> there will not be
>>>>>>>>> any other object class on the location object (at least not in
>>>>>>>>> the
>>>>>>>>> beginning).
>>>>>>>>>
>>>>>>>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME
>>>>>>>>>> 'ipaLocationMember' DESC
>>>>>>>>>> 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $
>>>>>>>>>> ipaLocationWeight ) X-ORIGIN 'IPA v4.4' )
>>>>>>>>> Conditional ACK if you fix ipaLocationObject.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> freeipa-mbasti-0475-DNS-Locations-Add-location-commands.patch
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From 407b935ecd6df0ed98c6df6d45a575229ef3cd09 Mon Sep 17
>>>>>>>>>> 00:00:00 2001
>>>>>>>>>> From: Martin Basti <mbasti at redhat.com>
>>>>>>>>>> Date: Thu, 5 May 2016 11:13:07 +0200
>>>>>>>>>> Subject: [PATCH 3/4] DNS Locations: Add location-* commands
>>>>>>>>>>
>>>>>>>>>> Added location-{add,mod,del,find,show} commands. Command are
>>>>>>>>>> just
>>>>>>>>>> prototypes and does not provide any information about server
>>>>>>>>>> (will be
>>>>>>>>>> done later)
>>>>>>>>>>
>>>>>>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2008
>>>>>>>>>> ---
>>>>>>>>>> ACI.txt | 8 ++
>>>>>>>>>> API.txt | 59 ++++++++++++++
>>>>>>>>>> VERSION | 4 +-
>>>>>>>>>> install/share/bootstrap-template.ldif | 6 ++
>>>>>>>>>> install/updates/37-locations.update | 4 +
>>>>>>>>>> install/updates/Makefile.am | 1 +
>>>>>>>>>> ipalib/constants.py | 1 +
>>>>>>>>>> ipalib/plugins/location.py | 142
>>>>>>>>>> +++++++++++++++++++++++++++++++++-
>>>>>>>>>> 8 files changed, 222 insertions(+), 3 deletions(-)
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>>> diff --git a/VERSION b/VERSION
>>>>>>>>>> index
>>>>>>>>>> aedebd185821d42fa48608f4c5fdf9ff510ace3f..7e3def151e9986454509a580515b9d34dc220a60
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 100644
>>>>>>>>>> --- a/VERSION
>>>>>>>>>> +++ b/VERSION
>>>>>>>>>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
>>>>>>>>>> # #
>>>>>>>>>> ########################################################
>>>>>>>>>> IPA_API_VERSION_MAJOR=2
>>>>>>>>>> -IPA_API_VERSION_MINOR=165
>>>>>>>>>> -# Last change: mbasti - limit ipamaxusernamelength value to 255
>>>>>>>>>> +IPA_API_VERSION_MINOR=166
>>>>>>>>>> +# Last change: mbasti - location-* commands
>>>>>>>>> Needs rebase.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> diff --git a/install/share/bootstrap-template.ldif
>>>>>>>>>> b/install/share/bootstrap-template.ldif
>>>>>>>>>> index
>>>>>>>>>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 100644
>>>>>>>>>> --- a/install/share/bootstrap-template.ldif
>>>>>>>>>> +++ b/install/share/bootstrap-template.ldif
>>>>>>>>>> @@ -119,6 +119,12 @@ objectClass: nsContainer
>>>>>>>>>> objectClass: top
>>>>>>>>>> cn: etc
>>>>>>>>>> +dn: cn=locations,cn=etc,$SUFFIX
>>>>>>>>>> +changetype: add
>>>>>>>>>> +objectClass: nsContainer
>>>>>>>>>> +objectClass: top
>>>>>>>>>> +cn: locations
>>>>>>>>>> +
>>>>>>>>>> dn: cn=sysaccounts,cn=etc,$SUFFIX
>>>>>>>>>> changetype: add
>>>>>>>>>> objectClass: nsContainer
>>>>>>>>>> diff --git a/install/updates/37-locations.update
>>>>>>>>>> b/install/updates/37-locations.update
>>>>>>>>>> index
>>>>>>>>>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 100644
>>>>>>>>>> --- a/install/updates/37-locations.update
>>>>>>>>>> +++ b/install/updates/37-locations.update
>>>>>>>>>> @@ -0,0 +1,4 @@
>>>>>>>>>> +dn: cn=locations,cn=etc,$SUFFIX
>>>>>>>>>> +default: objectClass: nsContainer
>>>>>>>>>> +default: objectClass: top
>>>>>>>>>> +default: cn: locations
>>>>>>>>> Ok.
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>>> diff --git a/ipalib/plugins/location.py
>>>>>>>>>> b/ipalib/plugins/location.py
>>>>>>>>>> index
>>>>>>>>>> 8090bb1637c4d826b9a746a82b98ece903e321cc..d52d2baeb8bfb2fddeac40b281268622d47c6aeb
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 100644
>>>>>>>>>> --- a/ipalib/plugins/location.py
>>>>>>>>>> +++ b/ipalib/plugins/location.py
>>>>>>>>> [...]
>>>>>>>>>> +__doc__ = _("""
>>>>>>>>>> +IPA locations
>>>>>>>>>> +""") + _("""
>>>>>>>>>> +Manipulate with DNS locations
>>>>>>>>> IMHO "with" should be omited. [...]
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> + at register()
>>>>>>>>>> +class location(LDAPObject):
>>>>>>>>>> + """
>>>>>>>>>> + IPA locations
>>>>>>>>>> + """
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>>> + permission_filter_objectclasses = ['ipaLocationObject']
>>>>>>>>>> + managed_permissions = {
>>>>>>>>>> + 'System: Read IPA Locations': {
>>>>>>>>>> + 'ipapermright': {'read', 'search', 'compare'},
>>>>>>>>>> + 'ipapermdefaultattr': {
>>>>>>>>>> + 'objectclass', 'idnsname', 'description',
>>>>>>>>>> + },
>>>>>>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>>>>>>> + },
>>>>>>>>>> + 'System: Add IPA Locations': {
>>>>>>>>>> + 'ipapermright': {'add'},
>>>>>>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>>>>>>> + },
>>>>>>>>>> + 'System: Remove IPA Locations': {
>>>>>>>>>> + 'ipapermright': {'delete'},
>>>>>>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>>>>>>> + },
>>>>>>>>>> + 'System: Modify IPA Locations': {
>>>>>>>>>> + 'ipapermright': {'write'},
>>>>>>>>>> + 'ipapermdefaultattr': {
>>>>>>>>>> + 'description',
>>>>>>>>>> + },
>>>>>>>>>> + 'default_privileges': {'DNS Administrators'},
>>>>>>>>>> + },
>>>>>>>>>> + }
>>>>>>>>> Sounds reasonable. ACI does not allow renaming location but
>>>>>>>>> IMHO this is
>>>>>>>>> okay.
>>>>>>>>> Less renames we support the better.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> +
>>>>>>>>>> + takes_params = (
>>>>>>>>>> + DNSNameParam(
>>>>>>>>>> + 'idnsname',
>>>>>>>>>> + cli_name='name',
>>>>>>>>>> + primary_key=True,
>>>>>>>>>> + label=_('Location name'),
>>>>>>>>>> + doc=_('IPA location name'),
>>>>>>>>>> + # dns name must be relative, we will put it into
>>>>>>>>>> middle of
>>>>>>>>>> + # location domain name for location records
>>>>>>>>>> + only_relative=True,
>>>>>>>>>> + ),
>>>>>>>>> Okay. We need to make sure that relative names with multiple
>>>>>>>>> labels work -
>>>>>>>>> but
>>>>>>>>> this should automagically work as long as we are handling DNS
>>>>>>>>> names using
>>>>>>>>> proper data types (not as strings).
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> + Str(
>>>>>>>>>> + 'description?',
>>>>>>>>>> + label=_('Description'),
>>>>>>>>>> + doc=_('IPA Location description'),
>>>>>>>>>> + ),
>>>>>>>>> After discussion with Honza we will keep description as
>>>>>>>>> single-value in the
>>>>>>>>> IPA framework and ignore that description attribute is
>>>>>>>>> multi-value in LDAP.
>>>>>>>>> This is done for consitency with mistakes from the past.
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>>> + at register()
>>>>>>>>>> +class location_mod(LDAPUpdate):
>>>>>>>>>> + __doc__ = _('Modify information about an IPA location .')
>>>>>>>>> This should say 'Modify description' because nothing else can
>>>>>>>>> be modified.
>>>>>>>>> More specific text would hopefully stop some people from
>>>>>>>>> looking for rename
>>>>>>>>> options.
>>>>>>>> I disagree, this is general description about the modify
>>>>>>>> command, see
>>>>>>>> privilege-add it is the same as I made. I can see in future
>>>>>>>> that we will
>>>>>>>> forgot to update description of command if we add something new
>>>>>>>> there.
>>>>>>> This is really an invalid argument.
>>>>>>>
>>>>>>> "We must not touch XYZ because its documentation might become
>>>>>>> obsolete in
>>>>>>> future if we forget to update it!" :-)
>>>>>>>
>>>>>> How about inconsistency with description of older commands? I
>>>>>> don't think that
>>>>>> command description should describe attributes that are allowed
>>>>>> to change.
>>>>>> Allowed attributes are shown in --help output
>>>>> I do not agree but push whatever variant you like, it costed too
>>>>> much already.
>>>> NACK anyway. ipa-dns-install screams if you install a server
>>>> without DNS and
>>>> run ipa-dns-install later on:
>>>>
>>>> The log contains this:
>>>>
>>>> add objectClass:
>>>> top
>>>> groupofnames
>>>> nestedgroup
>>>> add cn:
>>>> DNS Administrators
>>>> add description:
>>>> DNS Administrators
>>>> adding new entry "cn=DNS
>>>> Administrators,cn=privileges,cn=pbac,dc=dom-033,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
>>>>
>>>>
>>>>
>>>> 2016-05-10T16:53:05Z DEBUG stderr=ldap_initialize(
>>>> ldapi://%2Fvar%2Frun%2Fslapd-DOM-033-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket/??base
>>>>
>>>> )
>>>> SASL/EXTERNAL authentication started
>>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>>> SASL SSF: 0
>>>> ldap_add: Already exists (68)
>>>>
>>>> 2016-05-10T16:53:05Z CRITICAL Failed to load dns.ldif: Command
>>>> '/usr/bin/ldapmodify -v -f /tmp/tmpMvWMaT -H
>>>> ldapi://%2fvar%2frun%2fslapd-DOM-033-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
>>>> -Y
>>>> EXTERNAL' returned non-zero exit status 68
>>>>
>>> Well I cannot reproduce it, this should be resolved by patch 473
>>>
>>
>> Updated patches attached
>>
>> I found that IDNA did not work with previous version, fixed + IDNA
>> tests added
>>
>>
> Fixed here, I sent wrong patches before
>
>
>
>
More patches added, all patches are available here:
https://github.com/bastiak/freeipa/tree/DNS-locations
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160518/a24bcd74/attachment.htm>
More information about the Freeipa-devel
mailing list