ipa-getkeytab enhancements #202
Conversation
| @@ -712,6 +717,8 @@ int main(int argc, const char *argv[]) | |||
| _("LDAP DN"), _("DN to bind as if not using kerberos") }, | |||
| { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, | |||
| _("LDAP password"), _("password to use if not using kerberos") }, | |||
| { "cacert", 'c', POPT_ARG_STRING, &ca_cert_file, 0, | |||
| _("Path to the IPA CA certificate"), _("IPA CA certificate")}, | |||
There was a problem hiding this comment.
indentation does not follow the style of the rest of the code here
| int port = 0; | ||
| char *scheme = NULL; | ||
|
|
||
| if (!mech) { |
There was a problem hiding this comment.
I do not understand why you are using the mech to determine the URI scheme, these are unrelated things.
There was a problem hiding this comment.
That is probably some leftover from previous incarnations of the patch. If I manage to make StartTLS work this may actually be irrelevant since we may use ldap://$FQDN and have secure connection.
| else { | ||
| return 1; | ||
| } | ||
| url_len = snprintf(url,0,"%s://%s:%d",scheme,servername,port) +1; |
There was a problem hiding this comment.
please just use asprintf() in here.
| ret = ipa_server_to_uri(server, sasl_mech, &ldap_uri); | ||
| if (ret) { | ||
| fprintf(stderr, _("Incompatible combination of server name and " | ||
| "SASL bind mechanism\n")); |
There was a problem hiding this comment.
This error message looks wrong.
ipa_server_to_uri() currently fails only if the mechanism is not recognized (but that one is checked earlier already), or if string allocation fails.
| @@ -837,7 +931,7 @@ int main(int argc, const char *argv[]) | |||
| exit(4); | |||
| } | |||
|
|
|||
| if (NULL == bindpw) { | |||
| if (NULL == bindpw && strncmp(sasl_mech, LDAP_SASL_GSSAPI, 79) == 0) { | |||
| int rc = LDAP_SUCCESS; | ||
| char *startswith_ldap = NULL; | ||
|
|
||
| startswith_ldap = strstr("ldap://", ldap_uri); |
There was a problem hiding this comment.
ldap:// can be only at the start of the string, please use strncmp(ldap_uri, "ldap://", 7)
martbab
force-pushed
the
getkeytab-enhancements
branch
from
10a844a
to
3598470
Compare
|
Thank you for review @simo5 . I have fixed the issues and reworked the LDAP initialization and binding logic a bit to clean it up. It produced green tests for me. I have also updated the command man page as I missed that during initial work. |
martbab
force-pushed
the
getkeytab-enhancements
branch
from
3598470
to
35e2e2a
Compare
|
Bump for review, this is prerequisite to further installer refactoring work. |
| } | ||
| sprintf(url,"%s://%s:%d",scheme,servername,port); | ||
| int rc = ldap_initialize(ld, url); | ||
| url_len = asprintf(&url,"%s://%s:%d",scheme,servername,port); |
|
|
||
| free(url); | ||
| return rc; | ||
| if (url_len == -1){ |
| int tls_hard = LDAP_OPT_X_TLS_HARD; | ||
| int tls_demand = LDAP_OPT_X_TLS_DEMAND; | ||
| char *ldap = "ldap://"; | ||
| char *ldaps = "ldaps://"; |
There was a problem hiding this comment.
there is no need to use an actual variable, beside these would have to be defined as const char as the strings are constant.
Use defines:
#define SCHEMA_LDAP "ldap://"
#define SCHEMA_LDAPS "ldaps://"
Then for lenght you can use sizeof(SCHEMA_LDAP) -1
| return ret; | ||
| } | ||
|
|
| @@ -221,21 +274,26 @@ static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ, | |||
| &bv, NULL, NULL, NULL); | |||
| if (ret != LDAP_SUCCESS) { | |||
| fprintf(stderr, _("Simple bind failed\n")); | |||
| goto done; | |||
There was a problem hiding this comment.
This looks wrong, if bind fails we should get out
| fprintf(stderr, _("Cannot specify server and LDAP uri " | ||
| "simultaneously.\n")); | ||
| if (!quiet) | ||
| poptPrintUsage(pc, stderr, 0); |
| The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR can not be used together with \fB\-Y\fR. | ||
| .TP | ||
| \fB\-\-cacert\fR | ||
| The path to IPA CA certificate used to validate LDAPS/STARTTLS connection. |
There was a problem hiding this comment.
-> path to 'the' IPA CA certificate
-> connections (plural)
| Defaults to /etc/ipa/ca.crt | ||
| .TP | ||
| \fB\-H, \-\-ldapuri\fR | ||
| LDAP URI. If ldap:// is specified, STARTTLS session is initiated by default. Can not be used with \fB\-s\fR. |
| LDAP URI. If ldap:// is specified, STARTTLS session is initiated by default. Can not be used with \fB\-s\fR. | ||
| .TP | ||
| \fB\-Y, \-\-mech\fR | ||
| SASL mechanism to use if fB\-D\fR and \fB\-w\fR are not used. Choose between GSSAPI and EXTERNAL. |
There was a problem hiding this comment.
-> s/Choose between GSSAPI and/Use either GSSAPI or/
| ssl = LDAP_OPT_X_TLS_HARD;; | ||
| ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl); | ||
| } | ||
| else if (strncmp(ldap_uri, ldaps, strlen(ldaps)) == 0) { |
There was a problem hiding this comment.
} else if,
don't go to a new line wth the else
martbab
force-pushed
the
getkeytab-enhancements
branch
from
35e2e2a
to
17e5c73
Compare
|
Another bump for review. |
| } | ||
| sprintf(url,"%s://%s:%d",scheme,servername,port); | ||
| int rc = ldap_initialize(ld, url); | ||
| url_len = asprintf(&url,"%s%s:%d", SCHEMA_LDAP, servername, port); |
martbab
force-pushed
the
getkeytab-enhancements
branch
from
17e5c73
to
05f9275
Compare
|
Done. |
get rid of hardcoded CA cert path and allow the caller to use supplied custom paths instead https://fedorahosted.org/freeipa/ticket/6409
ipa-getkeytab command was augmented in a way that allows more flexible
selection of bind mechanisms:
* -H <LDAP_URI> option was added to specify full LDAP uri. By default the
URI will be constructed from retrieved server name as is done now.
Specifying this options precludes use of -s.
* -Y <EXTERNAL|GSSAPI> specifes SASL bind mechanism if no bind DN
was given (which implies simple bind)
This allows the command to be used also locally via LDAPI, eliminating the
need to provide any credentials at all as root (e.g. in installers)
https://fedorahosted.org/freeipa/ticket/6409
The test suite is now leveraging host/service tracker objects as test case fixture, removing much of ad-hoc setup/teardown. https://fedorahosted.org/freeipa/ticket/6409
All new retrieval methods are covered including testing for excluded option combinations. https://fedorahosted.org/freeipa/ticket/6409
martbab
force-pushed
the
getkeytab-enhancements
branch
from
05f9275
to
5dad135
Compare
This PR implements '-H' and '-Y' options mentioned in
https://fedorahosted.org/freeipa/ticket/6409 along with the ability to specify
CA cert on the command line (which proved useful during the work on installer
refactoring).
Since my C skills are not at the level I would like them to be it would be nice
if you point out even the tiniest mistakes, risky code or non-idiomatic usage.
Also the test case
test_retrieval_using_plain_ldapfails due to unsuccesfulsimple bind. I wanted to implement StartTLS for simple binds over ldap://, but
I get the following errors in dirsrv error log:
I guess there is something fishy with the way I initialize the StartTLS
session. I would appreciate your help with it.