[Freeipa-devel] [freeipa PR#1007][closed] py3: minor fixes

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1007
Author: stlaz
 Title: #1007: py3: minor fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1007/head:pr1007
git checkout pr1007
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1008][closed] Fix ipa-server-upgrade: This entry already exists

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1008
Author: flo-renaud
 Title: #1008: Fix ipa-server-upgrade: This entry already exists
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1008/head:pr1008
git checkout pr1008


[Freeipa-devel] [freeipa PR#1015][closed] prci: add caless tests

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1015
Author: tomaskrizek
 Title: #1015: prci: add caless tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1015/head:pr1015
git checkout pr1015


[Freeipa-devel] [freeipa PR#1016][closed] [ipa-4-5] prci: add caless tests

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1016
Author: tomaskrizek
 Title: #1016: [ipa-4-5] prci: add caless tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1016/head:pr1016
git checkout pr1016


[Freeipa-devel] [freeipa PR#993][closed] certmonger: remove temporary workaround

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/993
Author: stlaz
 Title: #993: certmonger: remove temporary workaround
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/993/head:pr993
git checkout pr993


[Freeipa-devel] [freeipa PR#988][closed] component: Certificate renewal

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/988
Author: flo-renaud
 Title: #988: component: Certificate renewal
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/988/head:pr988
git checkout pr988


[Freeipa-devel] [freeipa PR#945][closed] DNS update: reduce timeout for CA records

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/945
Author: MartinBasti
 Title: #945: DNS update: reduce timeout for CA records
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/945/head:pr945
git checkout pr945


[Freeipa-devel] [freeipa PR#1017][opened] Backport PR 945 to ipa-4-5

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1017
Author: stlaz
 Title: #1017: Backport PR 945 to ipa-4-5
Action: opened

PR body:
"""
This PR was opened automatically because PR #945 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1017/head:pr1017
git checkout pr1017
From 69f644985af4f0950a3b75cb106480620f19457e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 28 Jul 2017 15:43:16 +0200
Subject: [PATCH] DNS update: reduce timeout for CA records
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A timeout of 120 seconds is quite long and it makes uninstallation too long
for. Given that this is a non-critical operation and may be executed
manually later, waiting 120 seconds is too much. Usually waiting longer
will not help at all to resolve a missing record.

30 seconds is long enough 🕯

https://pagure.io/freeipa/issue/6176
---
 ipaserver/dns_data_management.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index d4dc42e473..2008ba6e7d 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -52,6 +52,8 @@
 (DNSName("_ntp._udp"), 123),
 )
 
+CA_RECORDS_DNS_TIMEOUT = 30  # timeout in seconds
+
 
 class IPADomainIsNotManagedByIPAError(Exception):
 pass
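Review bot: the comment on `CA_RECORDS_DNS_TIMEOUT` gives the unit but not what the constant bounds. Since it is now a module-level name that other code may import, say that it is the total time spent waiting for the host's address records to resolve before the ipa-ca records are given up on, and that the operation is non-critical and can be re-run manually, as the commit message explains.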
@@ -131,7 +133,7 @@ def __add_ca_records_from_hostname(self, zone_obj, hostname):
 assert isinstance(hostname, DNSName) and hostname.is_absolute()
 r_name = DNSName('ipa-ca') + self.domain_abs
 rrsets = []
-end_time = time() + 120  # timeout in seconds
+end_time = time() + CA_RECORDS_DNS_TIMEOUT
 while time() < end_time:
 try:
 rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.))
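Review bot: the deadline in `end_time = time() + CA_RECORDS_DNS_TIMEOUT` and the `while time() < end_time` check use the wall clock if `time` here is `time.time`, so a clock step during install or uninstall (for example an NTP correction) can stretch or cut the 30 second wait. A monotonic clock would make the bound hold; on Python 3 that is `time.monotonic()`, and Python 2 code paths would need a fallback.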


[Freeipa-devel] [freeipa PR#915][closed] [master only] Move tmpfiles.d configuration handling back to spec file

2017-08-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/915
Author: martbab
 Title: #915: [master only] Move tmpfiles.d configuration handling back to spec file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/915/head:pr915
git checkout pr915


[Freeipa-devel] [freeipa PR#1018][opened] Python3: Fix winsync replication agreement

2017-08-30 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1018
Author: flo-renaud
 Title: #1018: Python3: Fix winsync replication agreement
Action: opened

PR body:
"""
When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as bytes; it
needs to be decoded, otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.

https://pagure.io/freeipa/issue/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1018/head:pr1018
git checkout pr1018
From 4dbbceaa2af57660c6170a35d39ef867ac7f8e82 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Wed, 30 Aug 2017 13:50:12 +0200
Subject: [PATCH] Python3: Fix winsync replication agreement

When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as bytes; it
needs to be decoded, otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.

https://pagure.io/freeipa/issue/4985
---
 ipaserver/install/replication.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 516372f9dc..8aae90c0a9 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1089,7 +1089,8 @@ def setup_winsync_replication(self,
['defaultNamingContext'])
 for dn,entry in res:
 if dn == "":
-self.ad_suffix = entry['defaultNamingContext'][0]
+ad_suffix = entry['defaultNamingContext'][0]
+self.ad_suffix = ad_suffix.decode('utf-8')
 logger.info("AD Suffix is: %s", self.ad_suffix)
 if self.ad_suffix == "":
 raise RuntimeError("Failed to lookup AD's Ldap suffix")
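Review bot: `ad_suffix.decode('utf-8')` runs on a value returned by the remote AD server, and a `UnicodeDecodeError` here escapes before the `if self.ad_suffix == ""` check can raise the intended `RuntimeError`. The call is also unconditional, so the line assumes the entry value is always bytes; if the LDAP layer returns text on some code path this raises `AttributeError` on Python 3. Consider decoding only when `isinstance(ad_suffix, bytes)` and turning a decode failure into the same `RuntimeError`.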


[Freeipa-devel] [freeipa PR#989][closed] Removing part of circular dependency of ipalib in ipaplatform

2017-08-30 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/989
Author: felipevolpone
 Title: #989: Removing part of circular dependency of ipalib in ipaplatform
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/989/head:pr989
git checkout pr989


[Freeipa-devel] [freeipa PR#1017][closed] Backport PR 945 to ipa-4-5

2017-08-30 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1017
Author: stlaz
 Title: #1017: Backport PR 945 to ipa-4-5
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1017/head:pr1017
git checkout pr1017


[Freeipa-devel] [freeipa PR#999][closed] dnssec: fix localhsm.py utility script

2017-08-30 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/999
Author: tomaskrizek
 Title: #999: dnssec: fix localhsm.py utility script
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/999/head:pr999
git checkout pr999


[Freeipa-devel] [freeipa PR#1019][opened] Backport PR 999 to ipa-4-5

2017-08-30 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1019
Author: tomaskrizek
 Title: #1019: Backport PR 999 to ipa-4-5
Action: opened

PR body:
"""
This PR was opened automatically because PR #999 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1019/head:pr1019
git checkout pr1019
From 6cc6561b6276c8a33d2f32ea55426db60839bc73 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 23 Aug 2017 16:53:31 +0200
Subject: [PATCH] dnssec: fix localhsm.py utility script

See e6b2ed6b68589ff7ee39b95559836af54f39e2de for details.

Fixes https://pagure.io/freeipa/issue/7116

Signed-off-by: Tomas Krizek 
---
 ipaserver/dnssec/localhsm.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py
index 12b40cc8da..34105018ca 100755
--- a/ipaserver/dnssec/localhsm.py
+++ b/ipaserver/dnssec/localhsm.py
@@ -11,13 +11,14 @@
 import os
 from pprint import pprint
 
+from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipaplatform.paths import paths
-
 from ipaserver import p11helper as _ipap11helper
 from ipaserver.dnssec.abshsm import (attrs_name2id, attrs_id2name, AbstractHSM,
  keytype_id2name, keytype_name2id,
  ldap2p11helper_api_params)
 
+
 private_key_api_params = set(["label", "id", "data", "unwrapping_key",
 "wrapping_mech", "key_type", "cka_always_authenticate", "cka_copyable",
 "cka_decrypt", "cka_derive", "cka_extractable", "cka_modifiable",
@@ -190,7 +191,7 @@ def import_private_key(self, source, data, unwrapping_key):
 if __name__ == '__main__':
 if 'SOFTHSM2_CONF' not in os.environ:
 os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
 open(paths.DNSSEC_SOFTHSM_PIN).read())
 
 print('replica public keys: CKA_WRAP = TRUE')
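Review bot: in the `LocalHSM(...)` call, `open(paths.DNSSEC_SOFTHSM_PIN).read()` never closes the PIN file and passes its contents through unchanged, so a trailing newline in the file becomes part of the PIN. While this statement is being touched, read the PIN in a `with` block before the call. The second argument also changes from the integer `0` to `SOFTHSM_DNSSEC_TOKEN_LABEL`, and the commit message only points at e6b2ed6b68589ff7ee39b95559836af54f39e2de; one sentence on why the `0` is replaced by a token label would help readers of the backport.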


[Freeipa-devel] [freeipa PR#628][closed] WebUI: Remove offline version of WebUI

2017-08-30 Thread pvomacka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/628
Author: pvomacka
 Title: #628: WebUI: Remove offline version of WebUI
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/628/head:pr628
git checkout pr628


[Freeipa-devel] [freeipa PR#1021][opened] Backport PR 988 to ipa-4-5

2017-08-30 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1021
Author: flo-renaud
 Title: #1021: Backport PR 988 to ipa-4-5
Action: opened

PR body:
"""
Fix Certificate renewal (with ext ca)

Fix certificate renewal scripts that use IPACertificate object:
- renew_ca_cert adds the C flag to the trust flags and needs to
be adapted to IPACertificate object
- ipa-cacert-manage: fix python3 encoding issue

https://pagure.io/freeipa/issue/7106

Reviewed-By: Fraser Tweedale 
Reviewed-By: Stanislav Laznicka 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1021/head:pr1021
git checkout pr1021
From 50e54be5fcb378cca0b9d675095e969587775a4a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 18 Aug 2017 18:02:57 +0200
Subject: [PATCH] Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext
 ca)

Fix certificate renewal scripts that use IPACertificate object:
- renew_ca_cert adds the C flag to the trust flags and needs to
be adapted to IPACertificate object
- ipa-cacert-manage: fix python3 encoding issue

https://pagure.io/freeipa/issue/7106

Reviewed-By: Fraser Tweedale 
Reviewed-By: Stanislav Laznicka 
---
 install/restart_scripts/renew_ca_cert  | 7 ++-
 ipaserver/install/ipa_cacert_manage.py | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index bb31defc0e..3bbf003bad 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -35,6 +35,7 @@ from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TrustFlags
 
 
 def _main():
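Review bot: the only import added to `renew_ca_cert` is `TrustFlags`, but the new code in `_main()` also references `x509.EKU_SERVER_AUTH`. Confirm that `x509` is already imported in this script on the ipa-4-5 branch; otherwise the backport fails with a `NameError` only when the CA renewal path actually runs, which is easy to miss in review.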
@@ -180,7 +181,11 @@ def _main():
 # Pass Dogtag's self-tests
 for ca_nick in db.find_root_cert(nickname)[-2:-1]:
 ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
-db.trust_root_cert(ca_nick, 'C' + ca_flags)
+usages = ca_flags.usages or set()
+ca_flags_modified = TrustFlags(ca_flags.has_key,
+True, True,
+usages | {x509.EKU_SERVER_AUTH})
+db.trust_root_cert(ca_nick, ca_flags_modified)
 finally:
 if conn is not None and conn.isconnected():
 conn.disconnect()
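Review bot: the two positional `True` arguments in `TrustFlags(ca_flags.has_key, True, True, ...)` are hard to audit in code that decides which CA is trusted. The removed line only prepended `'C'` to the existing flags, and the commit message says the script adds the C flag, whereas the new call sets both boolean fields regardless of what `ca_flags` held. If `TrustFlags` accepts keyword arguments, pass the fields by name, and add a comment explaining why both are forced to `True` and why `x509.EKU_SERVER_AUTH` is added to the usages.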
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index e88e8b63ae..fcbf09155a 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -218,7 +218,7 @@ def renew_external_step_2(self, ca, old_cert_der):
 cert_file, ca_file = installutils.load_external_cert(
 options.external_cert_files, DN(old_cert_obj.subject))
 
-with open(cert_file.name) as f:
+with open(cert_file.name, 'rb') as f:
 new_cert_data = f.read()
 new_cert_der = x509.normalize_certificate(new_cert_data)
 new_cert_obj = x509.load_certificate(new_cert_der, x509.DER)
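Review bot: with `open(cert_file.name, 'rb')`, `new_cert_data` is bytes on Python 3, so `x509.normalize_certificate` must accept bytes for both PEM and DER input on the ipa-4-5 branch. Worth confirming with a renewal test that feeds a PEM-encoded external certificate, since that is the text-like case this mode change affects.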


[Freeipa-devel] [freeipa PR#1022][opened] Backport PR 989 to ipa-4-5

2017-08-30 Thread felipevolpone via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1022
Author: felipevolpone
 Title: #1022: Backport PR 989 to ipa-4-5
Action: opened

PR body:
"""
This PR was opened automatically because PR #989 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1022/head:pr1022
git checkout pr1022
From 3c0f36477fe45d695b48259a06b8d35c7e7fffe0 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Wed, 30 Aug 2017 14:13:38 -0300
Subject: [PATCH] Removing part of circular dependency of ipalib in ipaplatform

After commit cac3475, ipa-backup is broken due to circular
dependencies. This fixes it, removing circular dependency
of ipalib. The ipalib.constants.IPAAPI_USER is now passed
as parameter to the functions that use it.

https://pagure.io/freeipa/issue/7108
---
 ipaplatform/base/tasks.py  |  2 +-
 ipaplatform/redhat/tasks.py| 11 ---
 ipaserver/install/httpinstance.py  |  3 ++-
 ipaserver/install/server/install.py|  6 +++---
 ipaserver/install/server/replicainstall.py |  2 +-
 ipaserver/install/server/upgrade.py|  3 ++-
 6 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 3358b7d257..1ec93e053f 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -203,7 +203,7 @@ def configure_tmpfiles(self):
 """Configure tmpfiles to be created at boot"""
 raise NotImplementedError()
 
-def create_tmpfiles_dirs(self):
+def create_tmpfiles_dirs(self, ipaapi_user):
 """Create run dirs for the install phase"""
 raise NotImplementedError()
 
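Review bot: `create_tmpfiles_dirs(self, ipaapi_user)` changes a base-class signature without updating the docstring, and the diffstat shows only this one line changed in `ipaplatform/base/tasks.py`. Document the new parameter in the docstring, and check that any other platform implementation overriding this method, and the base declaration of `configure_http_gssproxy_conf` if there is one, take the same argument so the signatures do not diverge.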
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 07efebab97..560f83d1c3 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -50,9 +50,6 @@
 from ipaplatform.redhat.authconfig import RedHatAuthConfig
 from ipaplatform.base.tasks import BaseTaskNamespace
 
-# pylint: disable=ipa-forbidden-import
-from ipalib.constants import IPAAPI_USER
-# pylint: enable=ipa-forbidden-import
 
 _ffi = FFI()
 _ffi.cdef("""
@@ -460,7 +457,7 @@ def configure_httpd_service_ipa_conf(self):
 ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
 raiseonerr=False)
 
-def configure_http_gssproxy_conf(self):
+def configure_http_gssproxy_conf(self, ipaapi_user):
 ipautil.copy_template_file(
 os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
 paths.GSSPROXY_CONF,
@@ -468,7 +465,7 @@ def configure_http_gssproxy_conf(self):
 HTTP_KEYTAB=paths.HTTP_KEYTAB,
 HTTP_CCACHE=paths.HTTP_CCACHE,
 HTTPD_USER=constants.HTTPD_USER,
-IPAAPI_USER=IPAAPI_USER,
+IPAAPI_USER=ipaapi_user,
 )
 )
 
@@ -523,9 +520,9 @@ def _create_tmpfiles_dir(self, name, mode, uid, gid):
 os.chmod(name, mode)
 os.chown(name, uid, gid)
 
-def create_tmpfiles_dirs(self):
+def create_tmpfiles_dirs(self, ipaapi_user):
 parent = os.path.dirname(paths.IPA_CCACHES)
-pent = pwd.getpwnam(IPAAPI_USER)
+pent = pwd.getpwnam(ipaapi_user)
 self._create_tmpfiles_dir(parent, 0o711, 0, 0)
 self._create_tmpfiles_dir(paths.IPA_CCACHES, 0o770,
   pent.pw_uid, pent.pw_gid)
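Review bot: in `create_tmpfiles_dirs`, `pwd.getpwnam(ipaapi_user)` now takes a caller-supplied name, and the result decides who owns `paths.IPA_CCACHES` (mode `0o770`). A wrong argument hands the credential cache directory to another account, and a missing account surfaces as a bare `KeyError`. Consider raising a clear error for an unknown user and stating in a docstring that the argument must be the IPA API service account.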
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index f637b97db8..50a1069ce0 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -46,6 +46,7 @@
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
+from ipalib.constants import IPAAPI_USER
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@@ -238,7 +239,7 @@ def __configure_http(self):
 os.chmod(target_fname, 0o644)
 
 def configure_gssproxy(self):
-tasks.configure_http_gssproxy_conf()
+tasks.configure_http_gssproxy_conf(IPAAPI_USER)
 services.knownservices.gssproxy.restart()
 
 def change_mod_nss_port_from_http(self):
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index dced253e7f..97cbc6d8c8 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -24,7 +24,7 @@
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipalib import api, errors, x509
-from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import DOMAIN_LEVEL_0, IPAAPI_USER
 from ipalib.util import (
 validate_domain_name,
 no_matching_interface_for_ip_address_warning,
@@ -721,7 +721,7 @@ def install(installer):
 update_hosts_file(ip_addresses, host_name, fstore)
 
 # Make sure tmpfiles dir exist before installing c