[Freeipa-devel] [PATCH] #1881 client install when anonymous access is prevented

Rich Megginson rmeggins at redhat.com
Thu Sep 29 16:15:59 UTC 2011


On 09/29/2011 10:11 AM, Simo Sorce wrote:
> On Thu, 2011-09-29 at 17:56 +0200, Martin Kosek wrote:
>> On Thu, 2011-09-29 at 11:44 -0400, Simo Sorce wrote:
>>> On Thu, 2011-09-29 at 17:41 +0200, Martin Kosek wrote:
>>>> On Wed, 2011-09-28 at 18:43 -0400, Simo Sorce wrote:
>>>>> This patch allows ipa-client-install to successfully complete if
>>>>> anonymous access is not allowed on the LDAP server.
>>>>>
>>>>> I have tested this by changing the value of
>>>>> nsslapd-allow-anonymous-access from 'on' to 'rootdse' in cn=config
>>>>> See NOTE about this option.
>>>>>
>>>>> This patch warns the user that full verification of the LDAP server was
>>>>> not possible and may even assume realm is domain.upper() if DNS
>>>>> discovery is not possible.
>>>>>
>>>>> With these caveats the installation on a DNS compliant domain works fine
>>>>> against a IPA server with anonynous access to LDAP disabled with this
>>>>> patch.
>>>>>
>>>>> Fixes #1881
>>>>>
>>>>> Simo.
>>>>>
>>>>>
>>>>> NOTE: Setting rootdse nsslapd-allow-anonymous-access is standards
>>>>> compliant as it still allows access anonymously to the rootdse entry.
>>>>> Setting this option to 'off' prevents access even to rootdse and is not
>>>>> a good idea (the client doesn't know what auth methods are avilable to
>>>>> authenticate w/o access to rootdse)
>>>> NACK. The approach looks good, but I found several errors:
>>>>
>>>> 1) IPA discovery for servers with anonymous access _allowed_ is broken
>>>> because of the following lines:
>>>>
>>>>
>>>> +        if ldapret[0] == 0:
>>>> +            self.server = ldapret[0]<<<  This should be ldapret[1]
>>>> +            self.realm = ldapret[1]<<<<  This should be ldapret[2]
>>>> ...
>>> Ouch I swear I was sure I changed those lines ...
>>>
>>>> @@ -259,24 +268,29 @@ class IPADiscovery:
>>>>                       if trealm == r:
>>>>                           return [thost, trealm]<<<<<  This should be [0, thost, trealm]
>>>>                   # must match or something is very wrong
>>>> -                return []
>>>> +                return [REALM_NOT_FOUND]
>>>>
>>>>
>>>> 2) If anonymous access is forbidden, IPA base DN cannot be searched
>>>> since we can't read it's contents and check that it belongs to IPA. If
>>>> you apply my patch 130, you will see this error:
>>>>
>>>> # ipa-client-install --server vm-103.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com -p admin -w kokos123
>>>> Warning: Anonymous access to the LDAP server is disabled.
>>>> Proceeding without strict verification.
>>>> Note: This is not an error if anonymous access has been explicitly restricted.
>>>> DNS domain '' is not configured for automatic KDC address lookup.
>>>> KDC address will be set to fixed value.
>>>>
>>>> Discovery was successful!
>>>> Hostname: vm-050.idm.lab.bos.redhat.com
>>>> Realm:
>>>> DNS Domain: idm.lab.bos.redhat.com
>>>> IPA Server: vm-103.idm.lab.bos.redhat.com
>>>> Traceback (most recent call last):
>>>>    File "/usr/sbin/ipa-client-install", line 1148, in<module>
>>>>      sys.exit(main())
>>>>    File "/usr/sbin/ipa-client-install", line 1137, in main
>>>>      rval = install(options, env, fstore, statestore)
>>>>    File "/usr/sbin/ipa-client-install", line 866, in install
>>>>      print "BaseDN: "+cli_basedn
>>>> TypeError: cannot concatenate 'str' and 'NoneType' objects
>>>>
>>>>
>>>> We will have to add user a possibility to pass base DN for IPA since we
>>>> cannot check it ourselves. Something like --basedn=BASEDN. I can do it
>>>> in a scope of my patch after you fix 1) if you don't feel comfortable
>>>> hacking ipa-client-install.
>>> The basedn comes from rootdse, that one can be searched. (if you set the
>>> option in DS to off and din't read my note, you got what you deserve :-)
>>>
>>> Simo.
>>>
>> I read every word of it :-) My point was that you can have more
>> databases (basedns, suffixes) configured on the server and when the
>> anonymous access is disabled we cannot check which one is for IPA.
>> That's what my patch 130 fixes. Before it, we just took the first
>> suffix.
> Ok, in that case we can compare the suffix with the realm.
> It is 100% guaranteed that suffix and realm must match as we create the
> suffix out of the realm.
> Can you add code to check against REALM if anonymous is turned on ?
>
> In case REALM is missing (DNS discovery failed) we have 2 options, use
> domain.upper() or require a --relam= option to be passed by the user,
> what do you think ?
>
> We should really add a defaultNamingContext field in rootdse, maybe we
> should open a ticket about that so we do not have to dance around this
> issue ?
We probably should do this anyway - note that openldap (and AD too?) 
support publishing the default naming context in the root DSE.
But you'll still need a way to discover this in older servers.
> Simo.
>




More information about the Freeipa-devel mailing list