DNSSEC: Make sure that current key state in LDAP matches key state in BIND

We have to explicitly specify "none" value to prevent dnssec-keyfromlabel
utility from using current time for keys without "publish" and "activate"
timestamps.

Previously this led to a situation where a key was in the (intermediate) state
"generated" in OpenDNSSEC but BIND had already started to use this key for signing.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
Petr Spacek 2015-11-26 15:19:03 +01:00 committed by Martin Basti
parent 9ff1c0ac29
commit 21e6cc6863


@ -55,6 +55,8 @@ class BINDMgr(object):
return dt.strftime(time_bindfmt) return dt.strftime(time_bindfmt)
def dates2params(self, ldap_attrs): def dates2params(self, ldap_attrs):
"""Convert LDAP timestamps to list of parameters suitable
for dnssec-keyfromlabel utility"""
attr2param = {'idnsseckeypublish': '-P', attr2param = {'idnsseckeypublish': '-P',
'idnsseckeyactivate': '-A', 'idnsseckeyactivate': '-A',
'idnsseckeyinactive': '-I', 'idnsseckeyinactive': '-I',
@ -62,10 +64,12 @@ class BINDMgr(object):
params = [] params = []
for attr, param in attr2param.items(): for attr, param in attr2param.items():
params.append(param)
if attr in ldap_attrs: if attr in ldap_attrs:
params.append(param)
assert len(ldap_attrs[attr]) == 1, 'Timestamp %s is expected to be single-valued' % attr assert len(ldap_attrs[attr]) == 1, 'Timestamp %s is expected to be single-valued' % attr
params.append(self.time_ldap2bindfmt(ldap_attrs[attr][0])) params.append(self.time_ldap2bindfmt(ldap_attrs[attr][0]))
else:
params.append('none')
return params return params
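Review bot: The single-valued check in the second hunk still relies on `assert`, which `python -O` strips, so a multi-valued idnsseckey* attribute would then silently hand its first timestamp to dnssec-keyfromlabel instead of failing; the commit's whole point is that BIND must see exactly the LDAP state, so this should be a hard error: `if len(ldap_attrs[attr]) != 1:` / `raise ValueError('Timestamp %s is expected to be single-valued' % attr)`. The new docstring in the first hunk would also benefit from stating the contract this commit introduces, e.g. adding the sentence `Timestamps absent from LDAP are passed as 'none' so dnssec-keyfromlabel does not default them to the current time.` The remainder of the attr2param dict lies between the two hunks and is not shown here.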