[Freeipa-devel] [PATCH] 200 Ease zonemgr restrictions

Rob Crittenden rcritten at redhat.com
Mon Feb 20 14:27:18 UTC 2012


Simo Sorce wrote:
> On Mon, 2012-02-20 at 13:44 +0100, Martin Kosek wrote:
>> On Tue, 2012-01-24 at 09:21 -0500, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Mon, 2012-01-23 at 15:46 -0500, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> Admin e-mail validator currently requires an email to be in
>>>>>> a second-level domain (hostmaster at example.com). This is too
>>>>>> restrictive. Top level domain e-mails (hostmaster at testrelm)
>>>>>> should also be allowed.
>>>>>>
>>>>>> This patch also fixes default zonemgr value in help texts and man
>>>>>> pages.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2272
>>>>>
>>>>> This fixes the problem of single component domain installation but it
>>>>> does seem to really weaken the checking.
>>>>>
>>>>> For example, if you install with your domain as example.com you can set
>>>>> the zonemgr e-mail to hostmaster at example.
>>>>>
>>>>> I don't want to make this too complex, just wanted another opinion.
>>>>>
>>>>> rob
>>>>
>>>> Good point. But if we want to allow top-level domain e-mails we'd need
>>>> to allow e-mails like hostmaster at example. How would this situation be
>>>> different from hostmaster at testrelm ? (This was the reported failing
>>>> e-mail). Both e-mails are syntactically OK.
>>>>
>>>> Martin
>>>>
>>>
>>> The complex part I had in mind was comparing the domain in the e-mail
>>> addr with the configured domain.
>>>
>>> We need to be able to support when IPA is itself a subdomain but the
>>> hostmaster is in the primary: domain=sub.example.com,
>>> hostmaster at example.com.
>>>
>>> It might also point somewhere else entirely, hostmaster at hosted.com.
>>>
>>> Maybe we ensure that the e-mail address domain is equal to or a part of
>>> the configured domain OR the domain is already resolvable?
>>>
>>> So move right to left matching as it goes. Of course this would allow
>>> hostmaster at com but we may just have to live with it.
>>>
>>> rob
>>
>> I think this would make it too complex. IMO, the zonemgr validator
>> should just check if the e-mail address is syntactically correct (which
>> hostmaster at testrelm or hostmaster at example. are) so that bind-dyndb-ldap
>> plugin accepts the zone SOA record and we report errors only when
>> zonemgr syntax errors are detected.
>>
>> Trying to resolve the domain is too strict and may be harmful if for
>> example the FreeIPA server serving such domain is down. My motivation is
>> to keep the validation simple and prevent problems when adding a new
>> zone.
>
> +1
>
>> I am attaching a rebased patch for ipa-2-2.
>
>

Ok, that's fine. ACK.

rob
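As an added illustration (it is neither FreeIPA's code nor the patch under review), here is a syntax-only zonemgr check along the lines the thread settles on: it accepts single-label domains such as testrelm and fully qualified forms with a trailing dot, rejects only malformed addresses, and does not try to resolve anything. The helper that turns the address into SOA RNAME form follows RFC 1035 (the "@" becomes a ".", dots in the local part are escaped); the function names and the regular expressions are my own assumptions, not FreeIPA identifiers.

```python
import re

# Characters permitted in the local part (RFC 5322 atext plus '.').
_LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
# One DNS hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def zonemgr_syntax_error(addr):
    """Return None when addr is a syntactically acceptable zonemgr address,
    otherwise a short description of the problem.

    Deliberately does NOT compare the domain with the configured IPA domain
    and does NOT resolve it, so hostmaster@testrelm and hostmaster@example.
    both pass, as discussed in the thread.
    """
    if addr.count("@") != 1:
        return "address must contain exactly one '@'"
    local, domain = addr.split("@")
    if not local:
        return "missing local part"
    if (not _LOCAL_RE.match(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        return "invalid local part"
    # A trailing dot (fully qualified form) is allowed and simply dropped.
    if domain.endswith("."):
        domain = domain[:-1]
    if not domain:
        return "missing domain"
    # Single-label domains (top-level style) are accepted on purpose;
    # every label must still be a well-formed hostname label.
    for label in domain.split("."):
        if not _LABEL_RE.match(label):
            return "invalid domain label %r" % label
    return None


def is_valid_zonemgr(addr):
    """Boolean wrapper around zonemgr_syntax_error()."""
    return zonemgr_syntax_error(addr) is None


def zonemgr_to_soa_rname(addr):
    """Convert a validated mailbox to the SOA RNAME wire form (RFC 1035):
    hostmaster@example.com -> hostmaster.example.com.
    john.doe@example.com   -> john\\.doe.example.com.
    """
    err = zonemgr_syntax_error(addr)
    if err is not None:
        raise ValueError(err)
    local, domain = addr.split("@")
    local = local.replace(".", "\\.")
    return "%s.%s." % (local, domain.rstrip("."))


if __name__ == "__main__":
    # Constructed sample inputs, including the two cases from the thread.
    for sample in ("hostmaster@example.com", "hostmaster@testrelm",
                   "hostmaster@example.", "hostmaster@", "host master@example.com"):
        print("%-28s -> %s" % (sample, zonemgr_syntax_error(sample) or "ok"))
```

The check stays intentionally permissive about *which* domain appears after the "@"; the only thing it enforces is that the address is something bind-dyndb-ldap can put into an SOA record without a syntax error.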
