[Freeipa-devel] [PATCH] #1881 client install when anonymous access is prevented

Simo Sorce simo at redhat.com
Thu Sep 29 16:11:52 UTC 2011 

On Thu, 2011-09-29 at 17:56 +0200, Martin Kosek wrote:
> On Thu, 2011-09-29 at 11:44 -0400, Simo Sorce wrote:
> > On Thu, 2011-09-29 at 17:41 +0200, Martin Kosek wrote:
> > > On Wed, 2011-09-28 at 18:43 -0400, Simo Sorce wrote:
> > > > This patch allows ipa-client-install to successfully complete if
> > > > anonymous access is not allowed on the LDAP server.
> > > > 
> > > > I have tested this by changing the value of
> > > > nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config
> > > > See NOTE about this option.
> > > > 
> > > > This patch warns the user that full verification of the LDAP server was
> > > > not possible and may even assume realm is domain.upper() if DNS
> > > > discovery is not possible.
> > > > 
> > > > With these caveats the installation on a DNS compliant domain works fine
> > > > against a IPA server with anonynous access to LDAP disabled with this
> > > > patch.
> > > > 
> > > > Fixes #1881
> > > > 
> > > > Simo.
> > > > 
> > > > 
> > > > NOTE: Setting rootdse nsslapd-allow-anonymous-access is standards
> > > > compliant as it still allows access anonymously to the rootdse entry.
> > > > Setting this option to 'off' prevents access even to rootdse and is not
> > > > a good idea (the client doesn't know what auth methods are avilable to
> > > > authenticate w/o access to rootdse)
> > > 
> > > NACK. The approach looks good, but I found several errors:
> > > 
> > > 1) IPA discovery for servers with anonymous access _allowed_ is broken
> > > because of the following lines:
> > > 
> > > 
> > > +        if ldapret[0] == 0:
> > > +            self.server = ldapret[0] <<< This should be ldapret[1]
> > > +            self.realm = ldapret[1] <<<< This should be ldapret[2]
> > > ...
> > 
> > Ouch I swear I was sure I changed those lines ...
> > 
> > > @@ -259,24 +268,29 @@ class IPADiscovery:
> > >                      if trealm == r:
> > >                          return [thost, trealm]  <<<<< This should be [0, thost, trealm]
> > >                  # must match or something is very wrong
> > > -                return []
> > > +                return [REALM_NOT_FOUND]
> > > 
> > > 
> > > 2) If anonymous access is forbidden, IPA base DN cannot be searched
> > > since we can't read it's contents and check that it belongs to IPA. If
> > > you apply my patch 130, you will see this error:
> > > 
> > > # ipa-client-install --server vm-103.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com -p admin -w kokos123 
> > > Warning: Anonymous access to the LDAP server is disabled.
> > > Proceeding without strict verification.
> > > Note: This is not an error if anonymous access has been explicitly restricted.
> > > DNS domain '' is not configured for automatic KDC address lookup.
> > > KDC address will be set to fixed value.
> > > 
> > > Discovery was successful!
> > > Hostname: vm-050.idm.lab.bos.redhat.com
> > > Realm: 
> > > DNS Domain: idm.lab.bos.redhat.com
> > > IPA Server: vm-103.idm.lab.bos.redhat.com
> > > Traceback (most recent call last):
> > >   File "/usr/sbin/ipa-client-install", line 1148, in <module>
> > >     sys.exit(main())
> > >   File "/usr/sbin/ipa-client-install", line 1137, in main
> > >     rval = install(options, env, fstore, statestore)
> > >   File "/usr/sbin/ipa-client-install", line 866, in install
> > >     print "BaseDN: "+cli_basedn
> > > TypeError: cannot concatenate 'str' and 'NoneType' objects
> > > 
> > > 
> > > We will have to add user a possibility to pass base DN for IPA since we
> > > cannot check it ourselves. Something like --basedn=BASEDN. I can do it
> > > in a scope of my patch after you fix 1) if you don't feel comfortable
> > > hacking ipa-client-install.
> > 
> > The basedn comes from rootdse, that one can be searched. (if you set the
> > option in DS to off and din't read my note, you got what you deserve :-)
> > 
> > Simo.
> > 
> 
> I read every word of it :-) My point was that you can have more
> databases (basedns, suffixes) configured on the server and when the
> anonymous access is disabled we cannot check which one is for IPA.
> That's what my patch 130 fixes. Before it, we just took the first
> suffix.

Ok, in that case we can compare the suffix with the realm.
It is 100% guaranteed that suffix and realm must match as we create the
suffix out of the realm.
Can you add code to check against REALM if anonymous is turned on ?

In case REALM is missing (DNS discovery failed) we have 2 options, use
domain.upper() or require a --relam= option to be passed by the user,
what do you think ?

We should really add a defaultNamingContext field in rootdse, maybe we
should open a ticket about that so we do not have to dance around this
issue ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list