[Freeipa-devel] [PATCH] #1881 client install when anonymous access is prevented
Martin Kosek
mkosek at redhat.com
Thu Sep 29 15:56:14 UTC 2011
On Thu, 2011-09-29 at 11:44 -0400, Simo Sorce wrote:
> On Thu, 2011-09-29 at 17:41 +0200, Martin Kosek wrote:
> > On Wed, 2011-09-28 at 18:43 -0400, Simo Sorce wrote:
> > > This patch allows ipa-client-install to successfully complete if
> > > anonymous access is not allowed on the LDAP server.
> > >
> > > I have tested this by changing the value of
> > > nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config
> > > See NOTE about this option.
> > >
> > > This patch warns the user that full verification of the LDAP server was
> > > not possible and may even assume realm is domain.upper() if DNS
> > > discovery is not possible.
> > >
> > > With these caveats the installation on a DNS compliant domain works fine
> > > against a IPA server with anonynous access to LDAP disabled with this
> > > patch.
> > >
> > > Fixes #1881
> > >
> > > Simo.
> > >
> > >
> > > NOTE: Setting rootdse nsslapd-allow-anonymous-access is standards
> > > compliant as it still allows access anonymously to the rootdse entry.
> > > Setting this option to 'off' prevents access even to rootdse and is not
> > > a good idea (the client doesn't know what auth methods are avilable to
> > > authenticate w/o access to rootdse)
> >
> > NACK. The approach looks good, but I found several errors:
> >
> > 1) IPA discovery for servers with anonymous access _allowed_ is broken
> > because of the following lines:
> >
> >
> > + if ldapret[0] == 0:
> > + self.server = ldapret[0] <<< This should be ldapret[1]
> > + self.realm = ldapret[1] <<<< This should be ldapret[2]
> > ...
>
> Ouch I swear I was sure I changed those lines ...
>
> > @@ -259,24 +268,29 @@ class IPADiscovery:
> > if trealm == r:
> > return [thost, trealm] <<<<< This should be [0, thost, trealm]
> > # must match or something is very wrong
> > - return []
> > + return [REALM_NOT_FOUND]
> >
> >
> > 2) If anonymous access is forbidden, IPA base DN cannot be searched
> > since we can't read it's contents and check that it belongs to IPA. If
> > you apply my patch 130, you will see this error:
> >
> > # ipa-client-install --server vm-103.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com -p admin -w kokos123
> > Warning: Anonymous access to the LDAP server is disabled.
> > Proceeding without strict verification.
> > Note: This is not an error if anonymous access has been explicitly restricted.
> > DNS domain '' is not configured for automatic KDC address lookup.
> > KDC address will be set to fixed value.
> >
> > Discovery was successful!
> > Hostname: vm-050.idm.lab.bos.redhat.com
> > Realm:
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-103.idm.lab.bos.redhat.com
> > Traceback (most recent call last):
> > File "/usr/sbin/ipa-client-install", line 1148, in <module>
> > sys.exit(main())
> > File "/usr/sbin/ipa-client-install", line 1137, in main
> > rval = install(options, env, fstore, statestore)
> > File "/usr/sbin/ipa-client-install", line 866, in install
> > print "BaseDN: "+cli_basedn
> > TypeError: cannot concatenate 'str' and 'NoneType' objects
> >
> >
> > We will have to add user a possibility to pass base DN for IPA since we
> > cannot check it ourselves. Something like --basedn=BASEDN. I can do it
> > in a scope of my patch after you fix 1) if you don't feel comfortable
> > hacking ipa-client-install.
>
> The basedn comes from rootdse, that one can be searched. (if you set the
> option in DS to off and din't read my note, you got what you deserve :-)
>
> Simo.
>
I read every word of it :-) My point was that you can have more
databases (basedns, suffixes) configured on the server and when the
anonymous access is disabled we cannot check which one is for IPA.
That's what my patch 130 fixes. Before it, we just took the first
suffix.
Martin
More information about the Freeipa-devel
mailing list