On 02/06/15 16:03, Jan Cholasta wrote:
Dne 2.6.2015 v 12:36 Martin Basti napsal(a):
On 02/06/15 11:42, Fraser Tweedale wrote:
On Mon, Jun 01, 2015 at 02:50:45PM +0200, Martin Basti wrote:
On 01/06/15 06:40, Fraser Tweedale wrote:
New version of patch; ``{host,service}-show --out=FILE`` now writes
all certs to FILE. Rebased on latest master.
Thanks,
Fraser
On Thu, May 28, 2015 at 09:18:04PM +1000, Fraser Tweedale wrote:
Updated patch attached. Notably restores/adds revocation behaviour
to host-mod and service-mod.
Thanks,
Fraser
On Wed, May 27, 2015 at 06:12:50PM +0200, Martin Basti wrote:
On 27/05/15 15:53, Fraser Tweedale wrote:
This patch adds supports for multiple user / host
certificates. No
schema change is needed ('usercertificate' attribute is already
multi-value). The revoke-previous-cert behaviour of host-mod and
user-mod has been removed but revocation behaviour of -del and
-disable is preserved.
The latest profiles/caacl patchset (0001..0013 v5) depends on this
patch for correct cert-request behaviour.
There is one design question (or maybe more, let me know): the
`--out=FILENAME' option to {host,service} show saves ONE
certificate
to the named file. I propose to either:
a) write all certs, suffixing suggested filename with either a
sequential numerical index, e.g. "cert.pem" becomes
"cert.pem.1", "cert.pem.2", and so on; or
b) as above, but suffix with serial number and, if there are
different issues, some issuer-identifying information.
Let me know your thoughts.
Thanks,
Fraser
Is there a possible way how to store certificates into one file?
I read about possibilities to have multiple certs in one .pem
file, but I'm
not cert guru :)
I personally vote for serial number in case there are multiple
certificates,
if ^ is no possible.
1)
+ if len(certs) > 0:
please use only,
if certs:
2)
You need to re-generate API/ACI.txt in this patch
3)
syntax error:
+ for dercert in certs_der
4)
command
ipa user-mod ca_user --certificate=<ceritifcate>
removes the current certificate from the LDAP, by design.
Should be the old certificate(s) revoked? You removed that part in
the code.
only the --addattr='usercertificate=<cert>' appends new value there
--
Martin Basti
My objections/proposed solutions in attached patch.
* VERSION
* In the previous version normalized values was stored in LDAP, so I
added
it back. (I dont know why there is no normalization in param
settings, but
normalization for every certificate is done in callback. I will file a
ticket for this)
* IMO only normalized certificates should be compared in the old
certificates detection
I incorporated your suggested changes in new patch (attached).
There were no proposed changes to the other patchset (0001..0013)
since rebase.
Thanks,
Fraser
Thank you,
ACK
Martin^2
Pushed to master: 7f7c247bb5a4b0030d531f4f14c156162e808212
Regression found.
Patch to fix the issue is attached.
--
Martin Basti
From 6b489fc6a04b60a38e768009558fe1d9b1164b45 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 3 Jun 2015 13:11:58 +0200
Subject: [PATCH] Fix: regression in host and service plugin
Test failures:
* wrong error message
* mod operation always delete usercertificates
https://fedorahosted.org/freeipa/ticket/4238
---
ipalib/plugins/host.py | 10 +++++++---
ipalib/plugins/service.py | 11 +++++++----
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 9ad087e26250d86b15fbe723a98cca278ef29adf..e81dca94e124b080a3d68a3b1cfd079710e30336 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -871,8 +871,11 @@ class host_mod(LDAPUpdate):
x509.verify_cert_subject(ldap, keys[-1], cert)
# revoke removed certificates
- if self.api.Command.ca_is_enabled()['result']:
- entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
+ if certs and self.api.Command.ca_is_enabled()['result']:
+ try:
+ entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
+ except errors.NotFound:
+ self.obj.handle_not_found(*keys)
old_certs = entry_attrs_old.get('usercertificate', [])
old_certs_der = map(x509.normalize_certificate, old_certs)
removed_certs_der = set(old_certs_der) - set(certs_der)
@@ -899,7 +902,8 @@ class host_mod(LDAPUpdate):
nsprerr.args[1])
else:
raise nsprerr
- entry_attrs['usercertificate'] = certs_der
+ if certs:
+ entry_attrs['usercertificate'] = certs_der
if options.get('random'):
entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index c290344cf6c14155ec1b103525ff8642a7a8e2af..d8bd03523089cd8446377d6b0c85bc318e69b809 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -602,10 +602,12 @@ class service_mod(LDAPUpdate):
certs_der = map(x509.normalize_certificate, certs)
for dercert in certs_der:
x509.verify_cert_subject(ldap, hostname, dercert)
-
# revoke removed certificates
- if self.api.Command.ca_is_enabled()['result']:
- entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
+ if certs and self.api.Command.ca_is_enabled()['result']:
+ try:
+ entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
+ except errors.NotFound:
+ self.obj.handle_not_found(*keys)
old_certs = entry_attrs_old.get('usercertificate', [])
old_certs_der = map(x509.normalize_certificate, old_certs)
removed_certs_der = set(old_certs_der) - set(certs_der)
@@ -632,7 +634,8 @@ class service_mod(LDAPUpdate):
nsprerr.args[1])
else:
raise nsprerr
- entry_attrs['usercertificate'] = certs_der
+ if certs:
+ entry_attrs['usercertificate'] = certs_der
update_krbticketflags(ldap, entry_attrs, attrs_list, options, True)
--
2.1.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code