[Freeipa-devel] [PATCH] 200 Ease zonemgr restrictions

Martin Kosek mkosek at redhat.com
Mon Feb 20 12:44:44 UTC 2012


On Tue, 2012-01-24 at 09:21 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-01-23 at 15:46 -0500, Rob Crittenden wrote:
> >> Martin Kosek wrote:
> >>> Admin e-mail validator currently requires an email to be in
> >>> a second-level domain (hostmaster at example.com). This is too
> >>> restrictive. Top level domain e-mails (hostmaster at testrelm)
> >>> should also be allowed.
> >>>
> >>> This patch also fixes default zonemgr value in help texts and man
> >>> pages.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/2272
> >>
> >> This fixes the problem of single component domain installation but it
> >> does seem to really weaken the checking.
> >>
> >> For example, if you install with your domain as example.com you can set
> >> the zonemgr e-mail to hostmaster at example.
> >>
> >> I don't want to make this too complex, just wanted another opinion.
> >>
> >> rob
> >
> > Good point. But if we want to allow top-level domain e-mails we'd need
> > to allow e-mails like hostmaster at example. How would this situation be
> > different from hostmaster at testrelm ? (This was the reported failing
> > e-mail). Both e-mails are syntactically OK.
> >
> > Martin
> >
> 
> The complex part I had in mind was comparing the domain in the e-mail 
> addr with the configured domain.
> 
> We need to be able to support when IPA is itself a subdomain but the 
> hostmaster is in the primary: domain=sub.example.com, 
> hostmaster at example.com.
> 
> It might also point somewhere else entirely, hostmaster at hosted.com.
> 
> Maybe we ensure that the e-mail address domain is equal to or a part of 
> the configured domain OR the domain is already resolvable?
> 
> So move right to left matching as it goes. Of course this would allow 
> hostmaster at com but we may just have to live with it.
> 
> rob

I think this would make it too complex. IMO, the zonemgr validator
should just check if the e-mail address is syntactically correct (which
hostmaster at testrelm or hostmaster at example. are) so that the bind-dyndb-ldap
plugin accepts the zone SOA record and we report errors only when
zonemgr syntax errors are detected.

Trying to resolve the domain is too strict and may be harmful if for
example the FreeIPA server serving such domain is down. My motivation is
to keep the validation simple and prevent problems when adding a new
zone.

I am attaching a rebased patch for ipa-2-2.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-200-2-ease-zonemgr-restrictions.patch
Type: text/x-patch
Size: 5936 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120220/4f351c67/attachment.bin>
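To make the two positions in the thread concrete, here is an added example (not FreeIPA's own code; the function names are hypothetical) that implements the syntax-only check Martin argues for beside the right-to-left configured-domain comparison Rob floated, plus the mailbox-to-RNAME conversion a zone SOA record needs:

```python
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')
# Local part characters (dot-atom, RFC 5322 style) -- dot placement checked separately.
_LOCAL = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


def validate_zonemgr_syntax(email):
    """Syntax-only policy: accept hostmaster@example.com, hostmaster@testrelm
    and hostmaster@example. (single-label and absolute domains are fine)."""
    if email.count('@') != 1:
        return False
    local, domain = email.split('@')
    if not local or local.startswith('.') or local.endswith('.') or '..' in local:
        return False
    if not _LOCAL.match(local):
        return False
    labels = domain.rstrip('.').split('.')  # trailing dot marks an absolute name
    return all(_LABEL.match(label) for label in labels)


def domain_is_within(email_domain, configured_domain):
    """Stricter policy (no DNS lookup): the e-mail domain must equal the configured
    domain or be one of its parents, compared label by label from the right.
    Allows hostmaster@example.com for domain sub.example.com, rejects
    hostmaster@example for domain example.com, but does allow hostmaster@com."""
    e = email_domain.rstrip('.').lower().split('.')
    c = configured_domain.rstrip('.').lower().split('.')
    return len(e) <= len(c) and c[-len(e):] == e


def zonemgr_to_rname(email):
    """Mailbox -> SOA RNAME: dots in the local part are escaped, '@' becomes '.',
    and the result is an absolute name (RFC 1035 mailbox encoding)."""
    local, domain = email.split('@')
    return local.replace('.', '\\.') + '.' + domain.rstrip('.') + '.'
```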
