@gasinvein
Last active December 18, 2024 16:02
FreeIPA monkeypatch to get PTR records from DNS (instead of LDAP)
from dns import resolver, reversename
from dns.exception import DNSException
from ipapython import dnsutil
import ipaserver.plugins.cert


def _ip_ptr_records_dns(ip):
    """
    Look up PTR record(s) for an IP address via the configured DNS resolver.

    Drop-in replacement for ipaserver.plugins.cert._ip_ptr_records, which
    reads the PTR records from the IPA LDAP database instead.

    :param ip: IP address, as a string or an ``ipaddress`` address object
    :return: a ``set`` of PTR target names as text (absolute, with a
             trailing dot), possibly empty.
    """
    # str() so this works whether the caller passes a string or an
    # ipaddress.IPv4Address/IPv6Address object; reversename.from_address()
    # expects text.
    rname = dnsutil.DNSName(reversename.from_address(str(ip)))
    try:
        # NXDOMAIN, NoAnswer, timeouts etc. are all subclasses of
        # DNSException and are treated as "no PTR records".
        answer = resolver.resolve(rname, 'PTR')
    except DNSException:
        ptrs = set()
    else:
        ptrs = {r.to_text() for r in answer.rrset}
    return ptrs


# Keep a reference to the original LDAP-backed lookup, then swap in the
# DNS-backed one. IPA loads every module in its plugins directory, so
# placing this file there applies the patch at server start.
_ip_ptr_records_ldap = ipaserver.plugins.cert._ip_ptr_records
ipaserver.plugins.cert._ip_ptr_records = _ip_ptr_records_dns
@gasinvein (Author)

FreeIPA PTR-from-DNS monkeypatch

The FreeIPA CA API supports issuing SSL certificates with an IP address in the subjectAltName.
But the server-side validation is done in such a way that the PTR records associated with the
claimed IP address must be stored in FreeIPA's LDAP database, i.e. it doesn't trust DNS.

But in some cases, most notably when the administrator doesn't control the DNS reverse zone
(and thus can't or won't store it on the IPA server), there is no other option but to trust the DNS.

This monkeypatch overrides part of FreeIPA's logic and makes it retrieve PTR records from the
configured DNS servers instead of the LDAP database.

Installation

Copy this file to FreeIPA server plugins directory (e.g. /usr/lib/python3.9/site-packages/ipaserver/plugins/).

WARNING: This is a dirty hack and it can stop working at any time (e.g. on IPA upgrade) and even break your IPA
server. Use at your own risk.
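
To make the trust shift concrete, here is an added, offline model of the check that a PTR lookup like the one above feeds. It is example code written for this page, not code from the gist or from FreeIPA: the resolver is injected as a `lookup(name, rtype)` callable running over constructed zone data, and `san_ip_ok` is a simplified stand-in for the server-side SAN validation, not FreeIPA's implementation. The point it shows is that a DNS-sourced PTR is only safe to consume when paired with a forward confirmation, because anyone who controls a reverse zone can point a PTR at a name they do not own.

```python
"""Offline model of the SAN-IP check that a PTR lookup such as the gist's
feeds. Added example, not code from the gist or from FreeIPA: the lookup is
injected as a callable so the logic runs against constructed zone data
instead of dnspython/LDAP, and the check itself is a simplified model."""
import ipaddress
from typing import Callable, Dict, Set, Tuple, Union

Address = Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address]
Lookup = Callable[[str, str], Set[str]]


def reverse_name(ip: Address) -> str:
    """Absolute reverse-pointer owner name, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed zone data standing in for the DNS servers the monkeypatch
# would query. 192.0.2.66's PTR is the interesting case: its reverse zone
# claims web.example.com, but web.example.com does not resolve to it.
FAKE_DNS: Dict[Tuple[str, str], Set[str]] = {
    ("web.example.com.", "A"): {"192.0.2.10"},
    ("web.example.com.", "AAAA"): {"2001:db8::10"},
    (reverse_name("192.0.2.10"), "PTR"): {"web.example.com."},
    (reverse_name("2001:db8::10"), "PTR"): {"web.example.com."},
    (reverse_name("192.0.2.66"), "PTR"): {"web.example.com."},
}


def dns_lookup(name: str, rtype: str) -> Set[str]:
    """Stand-in for dns.resolver.resolve(); a missing name plays the
    DNSException branch of the gist and yields an empty set."""
    return set(FAKE_DNS.get((name.lower(), rtype.upper()), set()))


def ip_ptr_records(ip: Address, lookup: Lookup) -> Set[str]:
    """Same contract as the gist's _ip_ptr_records_dns: the set of PTR
    targets for ``ip`` as absolute names, empty when nothing resolves."""
    targets = lookup(reverse_name(ip), "PTR")
    return {t if t.endswith(".") else t + "." for t in targets}


def san_ip_ok(ip: Address, san_dnsnames, lookup: Lookup) -> bool:
    """Accept an iPAddress SAN only if some PTR for it names one of the
    CSR's dNSName SANs *and* that name's A/AAAA records contain the IP.

    The forward confirmation is what keeps a DNS-sourced PTR from being a
    trivial bypass: whoever controls a reverse zone can point a PTR at any
    name, but cannot make that name's forward records include the IP.
    """
    addr = ipaddress.ip_address(ip)
    wanted = {n.rstrip(".").lower() + "." for n in san_dnsnames}
    rtype = "AAAA" if addr.version == 6 else "A"
    for ptr in ip_ptr_records(addr, lookup):
        if ptr.lower() not in wanted:
            continue
        forward = {ipaddress.ip_address(a) for a in lookup(ptr, rtype)}
        if addr in forward:
            return True
    return False


if __name__ == "__main__":
    for ip, names in [("192.0.2.10", {"web.example.com"}),
                      ("192.0.2.66", {"web.example.com"}),
                      ("2001:db8::10", {"WEB.example.com."}),
                      ("198.51.100.1", {"web.example.com"})]:
        print(ip, sorted(names), san_ip_ok(ip, names, dns_lookup))
```

When the real resolver is plugged in, the same reasoning applies to the resolver path itself: a recursive resolver that does not validate DNSSEC can be fed a forged PTR, so the lookup in the monkeypatch should point at a resolver you control and trust, and the forward check should never be skipped.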
