[Freeipa-devel] [PATCH] 200 Ease zonemgr restrictions

Simo Sorce simo at redhat.com
Mon Feb 20 12:58:37 UTC 2012


On Mon, 2012-02-20 at 13:44 +0100, Martin Kosek wrote:
> On Tue, 2012-01-24 at 09:21 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2012-01-23 at 15:46 -0500, Rob Crittenden wrote:
> > >> Martin Kosek wrote:
> > >>> Admin e-mail validator currently requires an email to be in
> > >>> a second-level domain (hostmaster at example.com). This is too
> > >>> restrictive. Top level domain e-mails (hostmaster at testrelm)
> > >>> should also be allowed.
> > >>>
> > >>> This patch also fixes default zonemgr value in help texts and man
> > >>> pages.
> > >>>
> > >>> https://fedorahosted.org/freeipa/ticket/2272
> > >>
> > >> This fixes the problem of single component domain installation but it
> > >> does seem to really weaken the checking.
> > >>
> > >> For example, if you install with your domain as example.com you can set
> > >> the zonemgr e-mail to hostmaster at example.
> > >>
> > >> I don't want to make this too complex, just wanted another opinion.
> > >>
> > >> rob
> > >
> > > Good point. But if we want to allow top-level domain e-mails we'd need
> > > to allow e-mails like hostmaster at example. How would this situation be
> > > different from hostmaster at testrelm ? (This was the reported failing
> > > e-mail). Both e-mails are syntactically OK.
> > >
> > > Martin
> > >
> > 
> > The complex part I had in mind was comparing the domain in the e-mail 
> > addr with the configured domain.
> > 
> > We need to be able to support when IPA is itself a subdomain but the 
> > hostmaster is in the primary: domain=sub.example.com, 
> > hostmaster at example.com.
> > 
> > It might also point somewhere else entirely, hostmaster at hosted.com.
> > 
> > Maybe we ensure that the e-mail address domain is equal to or a part of 
> > the configured domain OR the domain is already resolvable?
> > 
> > So move right to left matching as it goes. Of course this would allow 
> > hostmaster at com but we may just have to live with it.
> > 
> > rob
> 
> I think this would make it too complex. IMO, the zonemgr validator
> should just check if the e-mail address is syntactically correct (which
> hostmaster at testrelm or hostmaster at example. are) so that the bind-dyndb-ldap
> plugin accepts the zone SOA record, and we report errors only when
> zonemgr syntax errors are detected.
> 
> Trying to resolve the domain is too strict and may be harmful if, for
> example, the FreeIPA server serving such a domain is down. My motivation is
> to keep the validation simple and prevent problems when adding a new
> zone.

+1

> I am attaching a rebased patch for ipa-2-2.


-- 
Simo Sorce * Red Hat, Inc * New York
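The syntax-only check the thread settles on, as an added illustration that is not the patch or FreeIPA's own validator: the domain part may be a single label (hostmaster at testrelm) or end with a dot, nothing is resolved, and the mailbox is also rewritten into the RNAME form an SOA record carries. The function names and the label rule used are assumptions for this example.

```python
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def zonemgr_error(addr):
    """Return None if addr is a syntactically valid zonemgr mailbox,
    otherwise a short reason. Only the syntax is checked: a single-label
    domain and a trailing dot are accepted and nothing is looked up in DNS.
    """
    if addr.count('@') != 1:
        return "zonemgr must contain exactly one '@'"
    local, domain = addr.split('@')
    if not local or any(c.isspace() for c in local):
        return "local part must be non-empty and contain no whitespace"
    if domain.endswith('.'):
        domain = domain[:-1]
    if len(domain) > 253:
        return "domain part too long"
    # An empty label (e.g. "example..com" or "hostmaster@") fails the regex.
    for label in domain.split('.'):
        if not _LABEL_RE.match(label):
            return "invalid DNS label %r in domain part" % label
    return None


def zonemgr_to_rname(addr):
    """Rewrite a validated mailbox into SOA RNAME form (RFC 1035):
    '@' becomes '.', dots inside the local part are escaped with a
    backslash so they are not read as label separators, and the name
    is made fully qualified with a trailing dot.
    """
    err = zonemgr_error(addr)
    if err is not None:
        raise ValueError(err)
    local, domain = addr.split('@')
    local = local.replace('.', r'\.')
    if not domain.endswith('.'):
        domain += '.'
    return '%s.%s' % (local, domain)


if __name__ == '__main__':
    # Constructed sample inputs covering the cases discussed in the thread.
    for mailbox in ('hostmaster@example.com', 'hostmaster@testrelm',
                    'hostmaster@example.', 'hostmaster@', 'host master@example.com'):
        print('%-28s %s' % (mailbox, zonemgr_error(mailbox) or zonemgr_to_rname(mailbox)))
```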



