[Freeipa-devel] [PATCH] #1881 client install when anonymous access is prevented

Martin Kosek mkosek at redhat.com
Thu Sep 29 15:41:08 UTC 2011


On Wed, 2011-09-28 at 18:43 -0400, Simo Sorce wrote:
> This patch allows ipa-client-install to successfully complete if
> anonymous access is not allowed on the LDAP server.
> 
> I have tested this by changing the value of
> nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config
> See NOTE about this option.
> 
> This patch warns the user that full verification of the LDAP server was
> not possible and may even assume realm is domain.upper() if DNS
> discovery is not possible.
> 
> With these caveats the installation on a DNS compliant domain works fine
> against an IPA server with anonymous access to LDAP disabled with this
> patch.
> 
> Fixes #1881
> 
> Simo.
> 
> 
> NOTE: Setting rootdse nsslapd-allow-anonymous-access is standards
> compliant as it still allows access anonymously to the rootdse entry.
> Setting this option to 'off' prevents access even to rootdse and is not
> a good idea (the client doesn't know what auth methods are available to
> authenticate w/o access to rootdse)

NACK. The approach looks good, but I found several errors:

1) IPA discovery for servers with anonymous access _allowed_ is broken
because of the following lines:


+        if ldapret[0] == 0:
+            self.server = ldapret[0] <<< This should be ldapret[1]
+            self.realm = ldapret[1] <<<< This should be ldapret[2]
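Review bot: The assignments `self.server = ldapret[0]` and `self.realm = ldapret[1]` read the status code and the host instead of the host and the realm; the guard directly above tests `ldapret[0] == 0`, so element 0 is the status and the payload starts at index 1. Change them to `self.server = ldapret[1]` and `self.realm = ldapret[2]`, and consider unpacking into named variables (`status, host, realm = ldapret`) so the offset cannot silently drift again.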
...
@@ -259,24 +268,29 @@ class IPADiscovery:
                     if trealm == r:
                         return [thost, trealm]  <<<<< This should be [0, thost, trealm]
                 # must match or something is very wrong
-                return []
+                return [REALM_NOT_FOUND]
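Review bot: The success path `return [thost, trealm]` omits the status code while the failure path `return [REALM_NOT_FOUND]` carries it, so a caller checking `ldapret[0] == 0` compares the hostname against 0 and treats every successful match as a failure. Return `[0, thost, trealm]` there so both paths share the status-first shape, and state that convention in the method's docstring.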


2) If anonymous access is forbidden, IPA base DN cannot be searched
since we can't read its contents and check that it belongs to IPA. If
you apply my patch 130, you will see this error:

# ipa-client-install --server vm-103.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com -p admin -w kokos123 
Warning: Anonymous access to the LDAP server is disabled.
Proceeding without strict verification.
Note: This is not an error if anonymous access has been explicitly restricted.
DNS domain '' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: vm-050.idm.lab.bos.redhat.com
Realm: 
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-103.idm.lab.bos.redhat.com
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1148, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1137, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 866, in install
    print "BaseDN: "+cli_basedn
TypeError: cannot concatenate 'str' and 'NoneType' objects


We will have to give the user a possibility to pass the base DN for IPA since we
cannot check it ourselves. Something like --basedn=BASEDN. I can do it
in the scope of my patch after you fix 1) if you don't feel comfortable
hacking ipa-client-install.

Martin
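The discovery logic debated above, as an added example that is not FreeIPA code and not part of this thread: it models the status-first return convention (element 0 is a status code, values start at index 1), the realm fallback to domain.upper() when DNS gives nothing, and the case where anonymous LDAP access is limited to the rootdse so the base DN cannot be verified and must come from a --basedn style option instead of crashing on None. The status constants, the `ldap_probe` and `discover` functions, and the `FAKE_DNS`/`FAKE_LDAP` tables are assumptions for illustration; the DNS and LDAP answers are constructed in-line (the hostnames are reused from the thread) so the block runs offline.

```python
"""Illustrative IPA-style discovery handling (added example, not FreeIPA's code)."""

# Status codes: names are assumptions for this example, not FreeIPA constants.
SUCCESS = 0
REALM_NOT_FOUND = 1
NO_SERVER = 2
BASEDN_REQUIRED = 3

# Constructed stand-in for DNS SRV/TXT lookups, keyed by domain.
FAKE_DNS = {
    "idm.lab.bos.redhat.com": {
        "srv": ["vm-103.idm.lab.bos.redhat.com"],
        "realm": "IDM.LAB.BOS.REDHAT.COM",
    },
    "nodns.example.test": {},  # domain that publishes no SRV/TXT records
}

# Constructed stand-in for what an LDAP probe of each server would report.
FAKE_LDAP = {
    # nsslapd-allow-anonymous-access: rootdse -> nothing beyond the rootdse readable
    "vm-103.idm.lab.bos.redhat.com": {"anonymous": False},
    # anonymous access allowed -> the probe can read the IPA entries
    "vm-200.idm.lab.bos.redhat.com": {
        "anonymous": True,
        "basedn": "dc=idm,dc=lab,dc=bos,dc=redhat,dc=com",
        "realm": "IDM.LAB.BOS.REDHAT.COM",
    },
}


def ldap_probe(server, expected_realm):
    """Return a status-first list, mirroring the convention in the thread.

    [SUCCESS, server, realm, basedn]  server verified anonymously
    [SUCCESS, server, None, None]     anonymous access disabled, unverified
    [REALM_NOT_FOUND]                 server answered but realm did not match
    [NO_SERVER]                       server unreachable
    """
    info = FAKE_LDAP.get(server)
    if info is None:
        return [NO_SERVER]
    if not info["anonymous"]:
        return [SUCCESS, server, None, None]
    if info["realm"] != expected_realm:
        return [REALM_NOT_FOUND]
    return [SUCCESS, server, info["realm"], info["basedn"]]


def discover(domain, server=None, basedn=None):
    """Run discovery; returns (status, result dict, list of warnings)."""
    warnings = []
    dns = FAKE_DNS.get(domain, {})

    # Server: explicit option first, otherwise the first SRV record.
    server = server or (dns.get("srv") or [None])[0]
    if server is None:
        return NO_SERVER, {}, warnings

    # Realm: DNS TXT record, otherwise assume domain.upper() and warn.
    realm = dns.get("realm")
    if realm is None:
        realm = domain.upper()
        warnings.append("realm not found in DNS; assuming %s" % realm)

    ret = ldap_probe(server, realm)
    if ret[0] != SUCCESS:
        return ret[0], {}, warnings
    # Index from 1: element 0 is the status code, not the host.
    _, server, ldap_realm, ldap_basedn = ret
    if ldap_realm is None:
        warnings.append("anonymous LDAP access disabled; server not strictly verified")
        if basedn is None:
            # Fail cleanly instead of printing "BaseDN: " + None later on.
            return BASEDN_REQUIRED, {}, warnings
    else:
        realm, basedn = ldap_realm, basedn or ldap_basedn
    result = {"server": server, "realm": realm, "basedn": basedn, "domain": domain}
    return SUCCESS, result, warnings


if __name__ == "__main__":
    for args in (("idm.lab.bos.redhat.com", "vm-103.idm.lab.bos.redhat.com"),
                 ("idm.lab.bos.redhat.com", "vm-200.idm.lab.bos.redhat.com"),
                 ("nodns.example.test", "vm-200.idm.lab.bos.redhat.com")):
        print(args, discover(*args))
```

Against vm-103 (anonymous access restricted to the rootdse) the run stops with BASEDN_REQUIRED unless a base DN is supplied; against vm-200 the base DN and realm come from the LDAP probe; for the domain without DNS records the realm is guessed as domain.upper() and the probe then reports REALM_NOT_FOUND, which is the kind of mismatch the "must match or something is very wrong" comment in the patch refers to.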



