Bug #2765
puppetrun --no-fqdn configuration option is effectively always set
| Status: | Closed | Start: | 10/31/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | SSL | | |
| Target version: | 0.25.2 | | |
| Affected version: | 0.25.1 | Branch: | http://github.com/MarkusQ/puppet/tree/ticket/0.25.x/2765 |
| Keywords: | puppetrun ldap fqdn no-fqdn certificates certificate-names | | |
| Votes: | 0 | | |
Description
puppetrun as of 0.25.1 always uses the cn= value of the dn: as the entire node’s hostname.
Earlier versions (I checked 0.23.2) of puppetrun would default to building a fqdn using the cn= and dc= fields on the dn:. Puppetrun could be instructed to only use the cn= value for the hostname by using the configuration option --no-fqdn.
The ability to construct the fqdn using the dc= fields is important when managing subdomains. Take for instance the following two dn:'s,
dn: cn=alpha,ou=Hosts,dc=sub1,dc=example,dc=com
dn: cn=alpha,ou=Hosts,dc=sub2,dc=example,dc=com
With the current logic in puppetrun, these two different dn:'s would evaluate to 'alpha', which is a bit ambiguous. The work-around is to put the fqdn into the cn= field. However, this breaks other uses of ldap.
I tried to add this functionality back into puppetrun. Be advised that I do not speak ruby at all. Take the following diffs as a proof of concept and nothing more.
--- /usr/lib64/ruby/site_ruby/1.8/puppet/indirector/node/ldap.rb 2009-10-30 17:43:20.000000000 -0700
+++ ldap.rb 2009-10-30 17:42:52.000000000 -0700
@@ -55,7 +55,7 @@
end
infos = []
- ldapsearch(filter) { |entry| infos << entry2hash(entry) }
+ ldapsearch(filter) { |entry| infos << entry2hash(entry, request.options[:fqdn]) }
return infos.collect do |info|
info2node(info[:name], info)
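Review bot: passing request.options[:fqdn] straight through defeats the `fqdn = true` default on entry2hash in the next hunk: when a caller does not set :fqdn the value is nil, which is passed explicitly and treated as false, so every search that does not name the option still gets the short name, which is the very behaviour this ticket is about. Use `request.options.fetch(:fqdn, true)` (or default the option once at the top of the method) so that an absent flag means FQDN.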
@@ -78,9 +78,15 @@
end
# Convert the found entry into a simple hash.
- def entry2hash(entry)
+ def entry2hash(entry, fqdn = true)
result = {}
- result[:name] = entry.dn.split(',')[0].split("=")[1]
+
+ if fqdn
+ result[:name] = entry.dn.sub("cn=",'').sub(/ou=hosts,/i, '').gsub(",dc=",".")
+ else
+ result[:name] = entry.dn.split(',')[0].split("=")[1]
+ end
+
result[:parent] = get_parent_from_entry(entry) if parent_attribute
result[:classes] = get_classes_from_entry(entry)
result[:stacked] = get_stacked_values_from_entry(entry)
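Review bot: the fqdn branch (`entry.dn.sub("cn=",'').sub(/ou=hosts,/i, '').gsub(",dc=",".")`) only works for DNs of exactly the form `cn=X,ou=Hosts,dc=...` with lowercase `cn=` and `dc=`: an uppercase `CN=` is not stripped, any other RDN (`ou=Servers`, `o=`, `l=`) is left in the name verbatim, `DC=` components are not joined, and an entry with no cn yields an empty or garbage name. Since `info2node(info[:name], info)` uses this string as the node name, parse the DN into RDNs, take the cn value and append the dc values in order, and reject the result when it is not a plain hostname, rather than string-munging the DN.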
--- /usr/lib64/ruby/site_ruby/1.8/puppet/application/puppetrun.rb 2009-10-30 17:43:19.000000000 -0700
+++ puppetrun.rb 2009-10-30 17:43:07.000000000 -0700
@@ -176,12 +176,12 @@
if Puppet[:node_terminus] == "ldap" and (options[:all] or @classes)
if options[:all]
- @hosts = Puppet::Node.search("whatever").collect { |node| node.name }
+ @hosts = Puppet::Node.search("whatever", :fqdn => options[:fqdn]).collect { |node| node.name }
puts "all: %s" % @hosts.join(", ")
else
@hosts = []
@classes.each do |klass|
- list = Puppet::Node.search("whatever", :class => klass).collect { |node| node.name }
+ list = Puppet::Node.search("whatever", :fqdn => options[:fqdn], :class => klass).collect { |node| node.name }
puts "%s: %s" % [klass, list.join(", ")]
@hosts += list
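Review bot: both calls pass options[:fqdn], but nothing in this patch declares a --fqdn/--no-fqdn option or assigns a default, so unless puppetrun already parses the flag the value is always nil and the search behaves exactly like --no-fqdn. Add the option to the application's option list (or set `options[:fqdn] = true` before this block unless `--no-fqdn` was given) and mention it in the puppetrun help text; without that, the :fqdn key silently reintroduces the bug being fixed.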
History
Updated by James Turnbull 10 months ago
- Category set to plumbing
- Status changed from Unreviewed to Accepted
- Assignee set to Markus Roberts
- Target version set to 0.25.2
Updated by Markus Roberts 10 months ago
- Category changed from plumbing to SSL
- Keywords changed from puppetrun ldap fqdn no-fqdn to puppetrun ldap fqdn no-fqdn certificates certificate-names
There is a reasonably high risk of introducing regressions here.
Updated by Mr Paxos 10 months ago
Markus Roberts wrote:
There is a reasonably high risk of introducing regressions here.
Agreed. I believe reinstating the choice to use fqdn or not is worth the risk.
The logic I posted originally expected the DN to have a certain form. To be more robust, I’ve included a proof of concept in perl (as I don’t speak ruby well enough, yet) for building the fqdn:
use strict;
use warnings;

# Constructed sample DN; $fqdn = 1 mirrors the default, 0 mirrors --no-fqdn.
my $dn   = "cn=myhost,ou=Hosts,dc=sub1,dc=example,dc=com";
my $fqdn = 1;
my $name;

# The host name starts with the cn= value, wherever it sits in the DN
# (anchored to the start of an RDN so "xcn=" inside another value is ignored).
if ($dn =~ /(?:^|,)\s*cn\s*=\s*([^,\s]+)/i) {
    $name = $1;
} else {
    die "no cn in DN '$dn'\n";   # a DN without a cn cannot name a host
}

# With fqdn set, append every dc= value in the order it appears in the DN,
# consuming each one from $dn so the loop terminates.
if ($fqdn) {
    while ($dn =~ s/(?:^|,)\s*dc\s*=\s*([^,\s]+)//i) {
        $name .= '.' . $1;
    }
}
print "host = $name\n";
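The DN-to-name construction from the description and the Perl proof of concept above, written here in Ruby as an added example (not Puppet's code and not part of the ticket). The --fqdn / --no-fqdn choice is a keyword argument; the sample DNs are constructed for the example. Assumptions not taken from the ticket: RDN attribute types compare case-insensitively, RFC 4514 escapes ("\,", "\=", "\\", "\2C") are honoured, and the resulting name must be a valid RFC 1123 hostname because puppetrun uses it to address a real host. `parse_dn`, `dn_to_nodename` and `colliding_names` are names chosen for this example.

```ruby
# Added example, not Puppet's own code: build the node name puppetrun would
# target from an LDAP DN, with the --fqdn / --no-fqdn choice as a flag.
# Assumptions (not from the ticket): attribute types compare case-insensitively,
# RFC 4514 escapes are honoured, and the name must be an RFC 1123 hostname.

HOST_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Split a DN into [attribute, value] pairs. Backslash-escaped commas and
# equals signs stay inside the value; multi-valued RDNs ("cn=a+sn=b") are
# not split and will fail the hostname check in dn_to_nodename.
def parse_dn(dn)
  rdns = []
  attr = +""
  value = +""
  in_value = false
  flush = lambda do
    raise ArgumentError, "RDN without '=' in #{dn.inspect}" unless in_value
    rdns << [attr.strip.downcase, value.strip]
    attr = +""
    value = +""
    in_value = false
  end
  i = 0
  while i < dn.length
    c = dn[i]
    target = in_value ? value : attr
    if c == "\\" && i + 1 < dn.length
      hex = dn[i + 1, 2]
      if hex =~ /\A[0-9a-f]{2}\z/i
        target << hex.hex.chr      # "\2C" -> ","
        i += 3
      else
        target << dn[i + 1]        # "\," "\=" "\\" -> the literal character
        i += 2
      end
    elsif c == "=" && !in_value
      in_value = true
      i += 1
    elsif c == ","
      flush.call
      i += 1
    else
      target << c
      i += 1
    end
  end
  flush.call
  rdns
end

# cn value plus every dc value in DN order when fqdn is true (the default
# the ticket asks for); cn alone when fqdn is false (--no-fqdn).
def dn_to_nodename(dn, fqdn: true)
  rdns = parse_dn(dn)
  cn = rdns.find { |attr, _| attr == "cn" }
  raise ArgumentError, "no cn in #{dn.inspect}" unless cn
  parts = [cn[1]]
  parts.concat(rdns.select { |attr, _| attr == "dc" }.map { |_, v| v }) if fqdn
  name = parts.join(".")
  # The name is handed to puppetrun as a host to contact, so refuse anything
  # that is not a plain hostname (stray RDN text, spaces, escaped commas, ...).
  raise ArgumentError, "#{name.inspect} is not a hostname (from #{dn.inspect})" if name.length > 253
  name.split(".", -1).each do |label|
    raise ArgumentError, "#{name.inspect} is not a hostname (from #{dn.inspect})" unless label =~ HOST_LABEL
  end
  name
end

# Which DNs map to the same node name? With --no-fqdn the two "alpha"
# entries from the ticket collide, so a run aimed at one would reach the other.
def colliding_names(dns, fqdn: true)
  dns.group_by { |dn| dn_to_nodename(dn, fqdn: fqdn) }
     .select { |_, group| group.size > 1 }
end

# Constructed sample entries: the two DNs from the ticket, one with mixed-case
# attributes and spaces, and one using the "fqdn in cn" work-around.
SAMPLE_DNS = [
  "cn=alpha,ou=Hosts,dc=sub1,dc=example,dc=com",
  "cn=alpha,ou=Hosts,dc=sub2,dc=example,dc=com",
  "CN=beta, OU=Hosts, DC=example, DC=com",
  "cn=gamma.example.com,ou=Hosts,dc=example,dc=com",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_DNS.each do |dn|
    puts "#{dn}\n  fqdn: #{dn_to_nodename(dn)}\n  no-fqdn: #{dn_to_nodename(dn, fqdn: false)}"
  end
  puts "collisions with --no-fqdn: #{colliding_names(SAMPLE_DNS, fqdn: false).keys.inspect}"
end
```

Running the file prints each sample DN with both names and then the --no-fqdn collisions; the last sample shows why the work-around in the description only works while the short name is in use, since with fqdn on it becomes `gamma.example.com.example.com`.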
Updated by Markus Roberts 10 months ago
- Assignee changed from Markus Roberts to Bruce Williams
Updated by Luke Kanies 9 months ago
I’m a bit confused on the behaviour you’re looking for here – do you want the FQDN to take the ‘dc’ fields into account, or do you specifically want to be able to use the unqualified name (i.e., just the CN) when doing a query? Which behaviour existed in 0.23.2, and how is it different now?
Updated by Mr Paxos 9 months ago
If you specify --no-fqdn, then the hostname should only be the CN. If the --no-fqdn option is not specified, the hostname should be assembled by concatenating the CN with all the DN's.
Earlier versions of puppetrun had this functionality. 0.25.1 seems to operate as if --no-fqdn is always set.
Updated by Luke Kanies 9 months ago
- Subject changed from puppetrun --no-fqdn configuration option seems broken to puppetrun --no-fqdn configuration option is effectively always set
So you’re basically saying it always searches for the short name, rather than allowing you to pick, right?
That should be relatively easy to fix, I think.
Updated by Markus Roberts 9 months ago
- Assignee changed from Bruce Williams to Markus Roberts
Updated by Markus Roberts 9 months ago
- Status changed from Accepted to Ready for Testing
- Branch set to http://github.com/MarkusQ/puppet/tree/ticket/0.25.x/2765
Updated by Markus Roberts 9 months ago
- Assignee deleted (Markus Roberts)
Updated by James Turnbull 9 months ago
- Status changed from Ready for Testing to Closed
Pushed in commit:“813cb58815f1f8f987ad64f7c7bfb640fbcdfa81” in branch 0.25.x