On 03/06/15 16:17, Fraser Tweedale wrote:
On Tue, Jun 02, 2015 at 06:37:42PM +0200, Martin Basti wrote:
On 02/06/15 14:11, Fraser Tweedale wrote:
On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
On 05/29/2015 11:21 AM, Martin Basti wrote:
On 29/05/15 06:17, Fraser Tweedale wrote:
On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
On 28/05/15 11:48, Martin Basti wrote:
On 27/05/15 16:04, Fraser Tweedale wrote:
Hello all,

Fresh certificate management patchset; Changelog:

- Now depends on patch freeipa-ftweedal-0014 for correct
cert-request behaviour with host and service principals.

- Updated Dogtag dependency to 10.2.4-1.  Should should be in
f22 soon, but for f22 right now or for f21, please grab from my
copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/

   Martin^1 could you please add to the quasi-official freeipa
   copr?  SRPM lives at
   https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.

- cert-request now verifies that for user principals, CSR CN
matches uid and, DN emailAddress and SAN rfc822Name match user's
email address, if either of those is present.

- Fixed one or two other sneaky little bugs.

On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
Hi all,

Please find attached the latest certificate management
patchset, which introduces the `caacl' plugin and various fixes
and improvement to earlier patches.

One important change to earlier patches is reverting the name
of the default profile to 'caIPAserviceCert' and using the
existing instance of this profile on upgrade (but not install)
in case it has been modified.

Other notes:

- Still have changes in ipa-server-install (fewer lines now,
though)

- Still have the ugly import hack.  It is not a high priority
for me, i.e. I think it should wait until after alpha

- Still need to update 'service' and 'host' plugins to support
multiple certificates.  (The userCertificate attribute schema
itself is multi-valued, so there are no schema issues here)

- The TODOs in [1]; mostly certprofile CLI conveniences and
supporting multiple profiles for hosts and services (which
requires changes to framework only, not schema).  [1]:
http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress

Happy reviewing!  I am pleased with the initial cut of the
caacl plugin but I'm sure you will find some things to be fixed
:)

Cheers, Fraser
[root@vm-093 ~]#  ipa-replica-prepare vm-094.example.com
--ip-address 10.34.78.94 Directory Manager (existing master)
password:

Preparing replica for vm-094.example.com from vm-093.example.com
Creating SSL certificate for the Directory Server not well-formed
(invalid token): line 2, column 14

I cannot create replica file.  It work on the upgraded server,
but it doesn't work on the newly installed server.  I'm not sure
if this causes your patches which modifies the ca-installer, or
the newer version of dogtag.

Or if there was any other changes in master, I will continue to
investigate with new RPM from master branch.

Martin^2

ipa-replica-prepare works for: * master branch * master branch +
pki-ca 10.2.4-1

So something in your patches is breaking it

Martin^2

Martin, master + my patches with pki 10.2.4-1 is working for me on
f21 and f22.  Can you provide ipa-replica-prepare --debug output and
Dogtag debug log?  ( /var/log/pki/pki-tomcat/ca/debug )

Thanks,
Fraser
I can not reproduce it today. And I already recycled the VMs from yesterday. :-(

In that case I would suggest ACKing&pushing the patch and fixing the bug if
it comes again. The tree may now be a bit unstable, given the number of
patches going in.

My main motivation here is to unblock Fraser.

Thanks,
Martin
Rebased patchset attached; no other changes.
Heads up: I just discovered I have introduced a bug with
ipa-replica-install, when it is spawning the CA instance.  I think
replication it only causes issues with ``--setup-ca``.

I will try and sort it out tomorrow or later tonight (I have to head
out for a few hours now, though); and I'm not suggesting it should
block the push but it's something to be aware of.

Cheers,
Fraser

New patchset attached ; haven't gotten to the bottom of the
ipa-replica-install issue mentioned above, but it fixes an upgrade
bug.

The change is:

diff --git a/ipaserver/install/server/upgrade.py 
b/ipaserver/install/server/upgrade.py
index c288282..c5f4d37 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -316,7 +316,7 @@ def ca_enable_ldap_profile_subsystem(ca):
                  caconfig.CS_CFG_PATH,
                  directive,
                  separator='=')
-            if value == 'ProfileSubsystem':
+            if value == 'com.netscape.cmscore.profile.ProfileSubsystem':
                  needs_update = True
                  break
      except OSError, e:
@@ -328,7 +328,7 @@ def ca_enable_ldap_profile_subsystem(ca):
          installutils.set_directive(
              caconfig.CS_CFG_PATH,
              directive,
-            'LDAPProfileSubsystem',
+            'com.netscape.cmscore.profile.LDAPProfileSubsystem',
              quotes=False,
              separator='=')

Cheers,
Fraser


Thank you,

1)
ipa-getcert request  (getcert -c IPA)
doesnt work,

Request ID '20150602145845':
     status: CA_REJECTED
     ca-error: Server at https://vm-137.example.com/ipa/xml denied our
request, giving up: 3007 (RPC failed at server.  'profile_id' is required).

2)
Error from rpm install
Unexpected error - see /var/log/ipaupgrade.log for details:
SkipPluginModule: dogtag not selected as RA plugin

Just for record as known issue, this will be fixed later in a new patch.

3)
+        Str('profile_id', validate_profile_id,
+            label=_("Profile ID"),
+            doc=_("Certificate Profile to use"),
+        )
Please mark this param as optional. ('profile_id?')
This will fix issue 1, but 1 will need a option to specify profile_id

Also move API related change from patch 9 to patch 11 + increment VERSION

4)
* Maybe I do everything wrong :)

  I'm not able to create certificate stored in FILE, via ipa-getcert request.
I'm getting error:
status: CA_UNREACHABLE
     ca-error: Server at https://vm-137.example.com/ipa/xml failed request,
will retry: 4001 (RPC failed at server. vm-137.example....@example.com: host
not found).

or error:
Request ID '20150602154115':
     status: CA_REJECTED
     ca-error: Server at https://vm-137.example.com/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access: not
allowed to perform this command).
(I'm root and kinited as admin)

Maybe additional ACI is required for cert_request as it is VirtualCommand


--
Martin Basti

Thanks for report.  Attached patchset should fix the certmonger
issues, and also makes cert-request --profile-id argument optional.

The changes were fixup'd into the appropriate patches but the
combined diff follows.  (Note that the API.txt and VERSION changes
you recommended were executed but are missing from this diff.)

Thanks,
Fraser

diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index c09df86..a9dde86 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -12,7 +12,7 @@ from ipalib.plugins.baseldap import (
      LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,
      pkey_to_value)
  from ipalib.plugins.certprofile import validate_profile_id
-from ipalib.plugins.service import normalize_principal
+from ipalib.plugins.service import normalize_principal, split_any_principal
  from ipalib import _, ngettext
  from ipapython.dn import DN
@@ -69,7 +69,7 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id):
          groups = user_obj.get('memberof_group', [])
          groups += user_obj.get('memberofindirect_group', [])
      elif principal_type == 'host':
-        hostname = principal[5:]
+        service, hostname, realm = split_any_principal(principal)
          host_obj = api.Command.host_show(hostname)['result']
          groups = host_obj.get('memberof_hostgroup', [])
          groups += host_obj.get('memberofindirect_hostgroup', [])
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 70ae610..1878e5a 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -247,7 +247,7 @@ class cert_request(VirtualCommand):
              default=False,
              autofill=True
          ),
-        Str('profile_id', validate_profile_id,
+        Str('profile_id?', validate_profile_id,
              label=_("Profile ID"),
              doc=_("Certificate Profile to use"),
          )
@@ -346,7 +346,14 @@ class cert_request(VirtualCommand):
          bind_principal = split_any_principal(getattr(context, 'principal'))
          bind_service, bind_name, bind_realm = bind_principal
- if bind_principal != principal:
+        if bind_service is None:
+            bind_principal_type = USER
+        elif bind_service == 'host':
+            bind_principal_type = HOST
+        else:
+            bind_principal_type = SERVICE
+
+        if bind_principal != principal and bind_principal_type != HOST:
              # Can the bound principal request certs for another principal?
              self.check_access()
@@ -359,7 +366,7 @@ class cert_request(VirtualCommand):
                  error=_("Failure decoding Certificate Signing Request: %s") % 
e)
# host principals may bypass allowed ext check
-        if bind_service != 'host':
+        if bind_principal_type != HOST:
              for ext in extensions:
                  operation = self._allowed_extensions.get(ext)
                  if operation:
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 659751e..53085f7 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -47,7 +47,7 @@ INCLUDED_PROFILES = {
      (u'caIPAserviceCert', u'Standard profile for network services', True),
      }
-DEFAULT_PROFILE = 'caIPAserviceCert'
+DEFAULT_PROFILE = u'caIPAserviceCert'
class Dogtag10Constants(object):
      DOGTAG_VERSION = 10

Should the user certificates behave in the same way as host and service certificates, i.e should be revoked after user-del or user-mod operation??
If yes it would be an additional patch.

Please move API.txt fragment from patch 9 to patch 11
With this change ACK for patches 1-11, to unblock testing. For patches 12-13 I need more time.

--
Martin Basti

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to