diff options
author | Petr Spacek <pspacek@redhat.com> | 2015-11-26 15:19:03 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-01-07 14:13:23 +0100 |
commit | 21e6cc6863a0bf7d832cf04dedfc3a2bdd22a78f (patch) | |
tree | ae98896cbb102970a502db6f3c99307c8ce2dcaf /ipapython/dnssec | |
parent | 9ff1c0ac297cba8c0d5a87f6ecfa7d41169476c0 (diff) | |
download | freeipa-21e6cc6863a0bf7d832cf04dedfc3a2bdd22a78f.tar.gz freeipa-21e6cc6863a0bf7d832cf04dedfc3a2bdd22a78f.tar.xz freeipa-21e6cc6863a0bf7d832cf04dedfc3a2bdd22a78f.zip |
DNSSEC: Make sure that current key state in LDAP matches key state in BIND
We have to explicitly specify "none" value to prevent dnssec-keyfromlabel
utility from using current time for keys without "publish" and "activate"
timestamps.
Previously this lead to situation where key was in (intermediate) state
"generated" in OpenDNSSEC but BIND started to use this key for signing.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipapython/dnssec')
-rw-r--r-- | ipapython/dnssec/bindmgr.py | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/ipapython/dnssec/bindmgr.py b/ipapython/dnssec/bindmgr.py index 6bf509d4f..e92afff97 100644 --- a/ipapython/dnssec/bindmgr.py +++ b/ipapython/dnssec/bindmgr.py @@ -55,6 +55,8 @@ class BINDMgr(object): return dt.strftime(time_bindfmt) def dates2params(self, ldap_attrs): + """Convert LDAP timestamps to list of parameters suitable + for dnssec-keyfromlabel utility""" attr2param = {'idnsseckeypublish': '-P', 'idnsseckeyactivate': '-A', 'idnsseckeyinactive': '-I', @@ -62,10 +64,12 @@ class BINDMgr(object): params = [] for attr, param in attr2param.items(): + params.append(param) if attr in ldap_attrs: - params.append(param) assert len(ldap_attrs[attr]) == 1, 'Timestamp %s is expected to be single-valued' % attr params.append(self.time_ldap2bindfmt(ldap_attrs[attr][0])) + else: + params.append('none') return params |