[Freeipa-devel] [PATCH] #1881 client install when anonymous access is prevented
Simo Sorce
simo at redhat.com
Thu Sep 29 15:44:21 UTC 2011
On Thu, 2011-09-29 at 17:41 +0200, Martin Kosek wrote:
> On Wed, 2011-09-28 at 18:43 -0400, Simo Sorce wrote:
> > This patch allows ipa-client-install to successfully complete if
> > anonymous access is not allowed on the LDAP server.
> >
> > I have tested this by changing the value of
> > nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config
> > See NOTE about this option.
> >
> > This patch warns the user that full verification of the LDAP server was
> > not possible and may even assume realm is domain.upper() if DNS
> > discovery is not possible.
> >
> > With these caveats the installation on a DNS compliant domain works fine
> > against an IPA server with anonymous access to LDAP disabled with this
> > patch.
> >
> > Fixes #1881
> >
> > Simo.
> >
> >
> > NOTE: Setting rootdse nsslapd-allow-anonymous-access is standards
> > compliant as it still allows access anonymously to the rootdse entry.
> > Setting this option to 'off' prevents access even to rootdse and is not
> > a good idea (the client doesn't know what auth methods are available to
> > authenticate w/o access to rootdse)
>
> NACK. The approach looks good, but I found several errors:
>
> 1) IPA discovery for servers with anonymous access _allowed_ is broken
> because of the following lines:
>
>
> + if ldapret[0] == 0:
> + self.server = ldapret[0] <<< This should be ldapret[1]
> + self.realm = ldapret[1] <<<< This should be ldapret[2]
> ...
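Review bot: the two assignments index the wrong slots. Since the preceding `if ldapret[0] == 0:` treats index 0 as the status code, the host is at `ldapret[1]` and the realm at `ldapret[2]`; as written, a successful discovery sets `self.server` to the integer 0 and `self.realm` to the hostname.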
Ouch, I swear I was sure I changed those lines ...
> @@ -259,24 +268,29 @@ class IPADiscovery:
> if trealm == r:
> return [thost, trealm] <<<<< This should be [0, thost, trealm]
> # must match or something is very wrong
> - return []
> + return [REALM_NOT_FOUND]
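Review bot: the success and failure paths now return differently shaped lists. `return [REALM_NOT_FOUND]` puts a status code at index 0, but `return [thost, trealm]` does not, so a caller testing `ldapret[0] == 0` will read a hostname string where it expects the status and treat every successful match as a failure. Make it `return [0, thost, trealm]` so index 0 is the status in both paths.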
>
>
> 2) If anonymous access is forbidden, IPA base DN cannot be searched
> since we can't read its contents and check that it belongs to IPA. If
> you apply my patch 130, you will see this error:
>
> # ipa-client-install --server vm-103.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com -p admin -w kokos123
> Warning: Anonymous access to the LDAP server is disabled.
> Proceeding without strict verification.
> Note: This is not an error if anonymous access has been explicitly restricted.
> DNS domain '' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: vm-050.idm.lab.bos.redhat.com
> Realm:
> DNS Domain: idm.lab.bos.redhat.com
> IPA Server: vm-103.idm.lab.bos.redhat.com
> Traceback (most recent call last):
> File "/usr/sbin/ipa-client-install", line 1148, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 1137, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 866, in install
> print "BaseDN: "+cli_basedn
> TypeError: cannot concatenate 'str' and 'NoneType' objects
>
>
> We will have to add a possibility for the user to pass the base DN for IPA
> since we cannot check it ourselves. Something like --basedn=BASEDN. I can
> do it in the scope of my patch after you fix 1) if you don't feel
> comfortable hacking ipa-client-install.
The basedn comes from rootdse, that one can be searched. (if you set the
option in DS to off and didn't read my note, you got what you deserve :-)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
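The two points argued above (the base DN can still be read from the rootDSE when nsslapd-allow-anonymous-access is 'rootdse' but not when it is 'off', and the discovery result must carry its status code at index 0 so the caller can test `ret[0] == 0` before indexing host and realm) are shown in the following added example. It is not FreeIPA's ipa-client-install code; the status constants, the `discover()`/`read_rootdse()` helpers and the rootDSE data are constructed for illustration, and the rule "the IPA suffix is the dc= form of the domain" is an assumption made here for matching, not something the thread states.

```python
"""Added example (not FreeIPA's code): discovering an IPA server's base DN
from the LDAP rootDSE when anonymous access is restricted to 'rootdse',
returning a list whose index 0 is a status code in every path.

The rootDSE lookup is stubbed with constructed data below; a real client
would get the same attribute dict from python-ldap with
    conn.search_s('', ldap.SCOPE_BASE, '(objectclass=*)',
                  ['namingContexts', 'supportedSASLMechanisms'])
"""

# Hypothetical status codes, in the spirit of the patch's REALM_NOT_FOUND.
REALM_NOT_FOUND = 1
NOT_IPA_SERVER = 2
NO_ACCESS_TO_LDAP = 3

# Constructed rootDSE answers keyed by the nsslapd-allow-anonymous-access
# setting. 'on' and 'rootdse' both let an anonymous client read the rootDSE;
# 'off' refuses even that, modelled here as a failed search (None).
CONSTRUCTED_ROOTDSE = {
    'on': {
        'namingContexts': ['dc=example,dc=test', 'cn=changelog'],
        'supportedSASLMechanisms': ['GSSAPI', 'EXTERNAL'],
    },
    'rootdse': {
        'namingContexts': ['dc=example,dc=test', 'cn=changelog'],
        'supportedSASLMechanisms': ['GSSAPI', 'EXTERNAL'],
    },
    'off': None,
}


def read_rootdse(server, anon_mode):
    """Stand-in for an anonymous base-scope search of the empty DN."""
    return CONSTRUCTED_ROOTDSE.get(anon_mode)


def discover(server, domain, anon_mode, realm_from_dns=None):
    """Return [status, server, realm, basedn]; status 0 means success.

    Every return value has the status at index 0, so callers can safely do
    `if ret[0] == 0:` and then read ret[1] (server) and ret[2] (realm).
    """
    rootdse = read_rootdse(server, anon_mode)
    if rootdse is None:
        # 'off': nothing readable anonymously, not even the auth mechanisms.
        return [NO_ACCESS_TO_LDAP]

    # Assumption for this example: the IPA suffix is the dc= form of the
    # domain. Pick the naming context that matches it.
    expected = ','.join('dc=%s' % part for part in domain.lower().split('.'))
    basedn = None
    for context in rootdse.get('namingContexts', []):
        if context.lower() == expected:
            basedn = context
            break
    if basedn is None:
        return [NOT_IPA_SERVER]

    # A Kerberos client needs GSSAPI on offer; the rootDSE advertises it.
    if 'GSSAPI' not in rootdse.get('supportedSASLMechanisms', []):
        return [NOT_IPA_SERVER]

    # Like the patch under discussion: fall back to domain.upper() when the
    # realm could not be learned from DNS.
    realm = realm_from_dns if realm_from_dns else domain.upper()
    return [0, server, realm, basedn]


def describe(ret):
    """Format a discovery result without ever indexing past a failure."""
    if ret[0] != 0:
        return 'discovery failed with status %d' % ret[0]
    status, server, realm, basedn = ret
    return 'IPA Server: %s Realm: %s BaseDN: %s' % (server, realm, basedn)


if __name__ == '__main__':
    for mode in ('on', 'rootdse', 'off'):
        print(mode, '->', describe(discover('ipa.example.test',
                                            'example.test', mode)))
```

Note that the 'rootdse' case yields the same base DN as 'on': the namingContexts attribute is what Simo means by "the basedn comes from rootdse". What the rootDSE cannot tell you is whether that suffix really belongs to an IPA server, which is Martin's point about strict verification.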