[Freeipa-devel] [PATCH] 200 Ease zonemgr restrictions

Martin Kosek mkosek at redhat.com
Mon Feb 20 14:39:02 UTC 2012


On Mon, 2012-02-20 at 09:27 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2012-02-20 at 13:44 +0100, Martin Kosek wrote:
> >> On Tue, 2012-01-24 at 09:21 -0500, Rob Crittenden wrote:
> >>> Martin Kosek wrote:
> >>>> On Mon, 2012-01-23 at 15:46 -0500, Rob Crittenden wrote:
> >>>>> Martin Kosek wrote:
> >>>>>> Admin e-mail validator currently requires an email to be in
> >>>>>> a second-level domain (hostmaster at example.com). This is too
> >>>>>> restrictive. Top level domain e-mails (hostmaster at testrelm)
> >>>>>> should also be allowed.
> >>>>>>
> >>>>>> This patch also fixes default zonemgr value in help texts and man
> >>>>>> pages.
> >>>>>>
> >>>>>> https://fedorahosted.org/freeipa/ticket/2272
> >>>>>
> >>>>> This fixes the problem of single component domain installation but it
> >>>>> does seem to really weaken the checking.
> >>>>>
> >>>>> For example, if you install with your domain as example.com you can set
> >>>>> the zonemgr e-mail to hostmaster at example.
> >>>>>
> >>>>> I don't want to make this too complex, just wanted another opinion.
> >>>>>
> >>>>> rob
> >>>>
> >>>> Good point. But if we want to allow top-level domain e-mails we'd need
> >>>> to allow e-mails like hostmaster at example. How would this situation be
> >>>> different from hostmaster at testrelm? (This was the reported failing
> >>>> e-mail). Both e-mails are syntactically OK.
> >>>>
> >>>> Martin
> >>>>
> >>>
> >>> The complex part I had in mind was comparing the domain in the e-mail
> >>> addr with the configured domain.
> >>>
> >>> We need to be able to support when IPA is itself a subdomain but the
> >>> hostmaster is in the primary: domain=sub.example.com,
> >>> hostmaster at example.com.
> >>>
> >>> It might also point somewhere else entirely, hostmaster at hosted.com.
> >>>
> >>> Maybe we ensure that the e-mail address domain is equal to or a part of
> >>> the configured domain OR the domain is already resolvable?
> >>>
> >>> So move right to left matching as it goes. Of course this would allow
> >>> hostmaster at com but we may just have to live with it.
> >>>
> >>> rob
> >>
> >> I think this would make it too complex. IMO, the zonemgr validator
> >> should just check if the e-mail address is syntactically correct (which
> >> hostmaster at testrelm or hostmaster at example. are) so that bind-dyndb-ldap
> >> plugin accepts the zone SOA record and we report errors only when
> >> zonemgr syntax errors are detected.
> >>
> >> Trying to resolve the domain is too strict and may be harmful if, for
> >> example, the FreeIPA server serving such a domain is down. My motivation is
> >> to keep the validation simple and prevent problems when adding a new
> >> zone.
> >
> > +1
> >
> >> I am attaching a rebased patch for ipa-2-2.
> >
> >
> 
> Ok, that's fine. ACK.
> 
> rob

Thanks. Pushed to master, ipa-2-2.

Martin
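
The two policies weighed in this thread, as an added Python example (not the code from the patch or from FreeIPA): a syntax-only zonemgr check that accepts single-label domains and yields the SOA RNAME form, beside the stricter right-to-left suffix match against the configured domain. The function names, the conservative local-part character set and the tolerated trailing dot are assumptions; the "already resolvable" fallback is left out.

```python
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Conservative local-part subset (assumption, not the full RFC 5322 grammar).
_LOCAL = re.compile(r"[A-Za-z0-9_+-]+(\.[A-Za-z0-9_+-]+)*")


def parse_zonemgr(addr):
    """Syntax-only check. Returns (local, labels); raises ValueError."""
    if addr.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    local, domain = addr.split("@")
    if domain.endswith("."):  # assumption: tolerate one trailing dot
        domain = domain[:-1]
    labels = domain.lower().split(".")
    if not _LOCAL.fullmatch(local):
        raise ValueError("invalid local part")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("invalid domain label")
    return local, labels


def to_soa_rname(addr):
    """Validated address in SOA RNAME form; dots in the local part are escaped."""
    local, labels = parse_zonemgr(addr)
    return local.replace(".", "\\.") + "." + ".".join(labels) + "."


def within_configured_domain(addr, ipa_domain):
    """Stricter policy: the e-mail domain equals the configured domain or is a
    right-to-left suffix of it. No resolver lookup is attempted."""
    _, labels = parse_zonemgr(addr)
    configured = ipa_domain.lower().rstrip(".").split(".")
    return len(labels) <= len(configured) and configured[-len(labels):] == labels


if __name__ == "__main__":
    # Constructed cases, using the addresses named in the thread.
    for addr, dom in [("hostmaster@testrelm", "testrelm"),
                      ("hostmaster@example.com", "sub.example.com"),
                      ("hostmaster@example", "example.com"),
                      ("hostmaster@com", "example.com"),
                      ("hostmaster@hosted.com", "example.com")]:
        print(addr, to_soa_rname(addr), within_configured_domain(addr, dom))
```

The syntax-only check accepts all five addresses; the suffix policy rejects hostmaster@example and hostmaster@hosted.com while still accepting hostmaster@com.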
