[Freeipa-devel] [freeipa PR#1007][closed] py3: minor fixes
URL: https://github.com/freeipa/freeipa/pull/1007
Author: stlaz
Title: #1007: py3: minor fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1007/head:pr1007
git checkout pr1007

___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#1008][closed] Fix ipa-server-upgrade: This entry already exists
URL: https://github.com/freeipa/freeipa/pull/1008
Author: flo-renaud
Title: #1008: Fix ipa-server-upgrade: This entry already exists
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1008/head:pr1008
git checkout pr1008
[Freeipa-devel] [freeipa PR#1015][closed] prci: add caless tests
URL: https://github.com/freeipa/freeipa/pull/1015
Author: tomaskrizek
Title: #1015: prci: add caless tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1015/head:pr1015
git checkout pr1015
[Freeipa-devel] [freeipa PR#1016][closed] [ipa-4-5] prci: add caless tests
URL: https://github.com/freeipa/freeipa/pull/1016
Author: tomaskrizek
Title: #1016: [ipa-4-5] prci: add caless tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1016/head:pr1016
git checkout pr1016
[Freeipa-devel] [freeipa PR#993][closed] certmonger: remove temporary workaround
URL: https://github.com/freeipa/freeipa/pull/993
Author: stlaz
Title: #993: certmonger: remove temporary workaround
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/993/head:pr993
git checkout pr993
[Freeipa-devel] [freeipa PR#988][closed] component: Certificate renewal
URL: https://github.com/freeipa/freeipa/pull/988
Author: flo-renaud
Title: #988: component: Certificate renewal
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/988/head:pr988
git checkout pr988
[Freeipa-devel] [freeipa PR#945][closed] DNS update: reduce timeout for CA records
URL: https://github.com/freeipa/freeipa/pull/945
Author: MartinBasti
Title: #945: DNS update: reduce timeout for CA records
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/945/head:pr945
git checkout pr945
[Freeipa-devel] [freeipa PR#1017][opened] Backport PR 945 to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/1017 Author: stlaz Title: #1017: Backport PR 945 to ipa-4-5 Action: opened PR body: """ This PR was opened automatically because PR #945 was pushed to master and backport to ipa-4-5 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1017/head:pr1017 git checkout pr1017 From 69f644985af4f0950a3b75cb106480620f19457e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 28 Jul 2017 15:43:16 +0200 Subject: [PATCH] DNS update: reduce timeout for CA records MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Timeout 120 seconds is quite long and it makes uninstallation too long for. Given that this is non critical operation and may be executed manually later, waiting 120 seconds is too much. Usually waiting longer will not help at all to resolve missing record. 30 seconds is long enough 🕯 https://pagure.io/freeipa/issue/6176 --- ipaserver/dns_data_management.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index d4dc42e473..2008ba6e7d 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py @@ -52,6 +52,8 @@ (DNSName("_ntp._udp"), 123), ) +CA_RECORDS_DNS_TIMEOUT = 30 # timeout in seconds + class IPADomainIsNotManagedByIPAError(Exception): pass @@ -131,7 +133,7 @@ def __add_ca_records_from_hostname(self, zone_obj, hostname): assert isinstance(hostname, DNSName) and hostname.is_absolute() r_name = DNSName('ipa-ca') + self.domain_abs rrsets = [] -end_time = time() + 120 # timeout in seconds +end_time = time() + CA_RECORDS_DNS_TIMEOUT while time() < end_time: try: rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.)) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
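Review bot: The new `CA_RECORDS_DNS_TIMEOUT = 30 # timeout in seconds` constant in the first hunk carries none of the reasoning that the commit message gives for lowering the value from 120 (the lookup is non-critical, can be repeated manually, and waiting longer rarely makes a missing ipa-ca record appear). Put that rationale, or at least the reference to https://pagure.io/freeipa/issue/6176, in the comment next to the constant so the next reader does not bump it back up when they see uninstall skipping the record. In the second hunk the `while time() < end_time:` loop itself is unchanged, so the polling interval between `resolve_rrsets` attempts is not visible here; it is worth confirming the loop still sleeps between attempts, since a shorter deadline only bounds the worst case and does not reduce the query rate.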
[Freeipa-devel] [freeipa PR#915][closed] [master only] Move tmpfiles.d configuration handling back to spec file
URL: https://github.com/freeipa/freeipa/pull/915
Author: martbab
Title: #915: [master only] Move tmpfiles.d configuration handling back to spec file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/915/head:pr915
git checkout pr915
[Freeipa-devel] [freeipa PR#1018][opened] Python3: Fix winsync replication agreement
URL: https://github.com/freeipa/freeipa/pull/1018 Author: flo-renaud Title: #1018: Python3: Fix winsync replication agreement Action: opened PR body: """ When configuring a winsync replication agreement, the tool performs a search on AD for defaultNamingContext. The entry contains the value as a bytes, it needs to be decoded otherwise subsequent calls to DN(WIN_USER_CONTAINER, self.ad_suffix) will fail. https://pagure.io/freeipa/issue/4985 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1018/head:pr1018 git checkout pr1018 From 4dbbceaa2af57660c6170a35d39ef867ac7f8e82 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 30 Aug 2017 13:50:12 +0200 Subject: [PATCH] Python3: Fix winsync replication agreement When configuring a winsync replication agreement, the tool performs a search on AD for defaultNamingContext. The entry contains the value as a bytes, it needs to be decoded otherwise subsequent calls to DN(WIN_USER_CONTAINER, self.ad_suffix) will fail. https://pagure.io/freeipa/issue/4985 --- ipaserver/install/replication.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 516372f9dc..8aae90c0a9 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -1089,7 +1089,8 @@ def setup_winsync_replication(self, ['defaultNamingContext']) for dn,entry in res: if dn == "": -self.ad_suffix = entry['defaultNamingContext'][0] +ad_suffix = entry['defaultNamingContext'][0] +self.ad_suffix = ad_suffix.decode('utf-8') logger.info("AD Suffix is: %s", self.ad_suffix) if self.ad_suffix == "": raise RuntimeError("Failed to lookup AD's Ldap suffix") ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
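Review bot: `ad_suffix.decode('utf-8')` in this hunk assumes the `defaultNamingContext` value is always `bytes`; that holds for the Python 3 case the PR fixes, and on Python 2 `str.decode` also works, but if the LDAP layer ever hands back a `str` on Python 3 the assignment raises `AttributeError`. A guard such as `if isinstance(ad_suffix, bytes): ad_suffix = ad_suffix.decode('utf-8')` keeps the code correct on both interpreters. Note also that a naming context that is not valid UTF-8 now surfaces as a bare `UnicodeDecodeError` instead of reaching the `RuntimeError("Failed to lookup AD's Ldap suffix")` branch just below, so it may be worth catching it there and re-raising with that message. Minor, pre-existing: `for dn,entry in res:` is missing the space after the comma.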
[Freeipa-devel] [freeipa PR#989][closed] Removing part of circular dependency of ipalib in ipaplatform
URL: https://github.com/freeipa/freeipa/pull/989
Author: felipevolpone
Title: #989: Removing part of circular dependency of ipalib in ipaplatform
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/989/head:pr989
git checkout pr989
[Freeipa-devel] [freeipa PR#1017][closed] Backport PR 945 to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/1017
Author: stlaz
Title: #1017: Backport PR 945 to ipa-4-5
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1017/head:pr1017
git checkout pr1017
[Freeipa-devel] [freeipa PR#999][closed] dnssec: fix localhsm.py utility script
URL: https://github.com/freeipa/freeipa/pull/999
Author: tomaskrizek
Title: #999: dnssec: fix localhsm.py utility script
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/999/head:pr999
git checkout pr999
[Freeipa-devel] [freeipa PR#1019][opened] Backport PR 999 to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/1019 Author: tomaskrizek Title: #1019: Backport PR 999 to ipa-4-5 Action: opened PR body: """ This PR was opened automatically because PR #999 was pushed to master and backport to ipa-4-5 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1019/head:pr1019 git checkout pr1019 From 6cc6561b6276c8a33d2f32ea55426db60839bc73 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 23 Aug 2017 16:53:31 +0200 Subject: [PATCH] dnssec: fix localhsm.py utility script See e6b2ed6b68589ff7ee39b95559836af54f39e2de for details. Fixes https://pagure.io/freeipa/issue/7116 Signed-off-by: Tomas Krizek --- ipaserver/dnssec/localhsm.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py index 12b40cc8da..34105018ca 100755 --- a/ipaserver/dnssec/localhsm.py +++ b/ipaserver/dnssec/localhsm.py @@ -11,13 +11,14 @@ import os from pprint import pprint +from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL from ipaplatform.paths import paths - from ipaserver import p11helper as _ipap11helper from ipaserver.dnssec.abshsm import (attrs_name2id, attrs_id2name, AbstractHSM, keytype_id2name, keytype_name2id, ldap2p11helper_api_params) + private_key_api_params = set(["label", "id", "data", "unwrapping_key", "wrapping_mech", "key_type", "cka_always_authenticate", "cka_copyable", "cka_decrypt", "cka_derive", "cka_extractable", "cka_modifiable", 
@@ -190,7 +191,7 @@ def import_private_key(self, source, data, unwrapping_key): if __name__ == '__main__': if 'SOFTHSM2_CONF' not in os.environ: os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF -localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0, +localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL, open(paths.DNSSEC_SOFTHSM_PIN).read()) print('replica public keys: CKA_WRAP = TRUE') ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
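Review bot: The second hunk changes the second argument of `LocalHSM(paths.LIBSOFTHSM2_SO, ...)` from the literal `0` to `SOFTHSM_DNSSEC_TOKEN_LABEL`, that is from a slot index to a token label, and the commit message only says "See e6b2ed6b68589ff7ee39b95559836af54f39e2de for details"; state in the message, or in a short comment at the call site, that the constructor now selects the token by label, otherwise the backport reads as an unexplained type change to whoever looks at the blame. While touching this call: the adjacent unchanged line `open(paths.DNSSEC_SOFTHSM_PIN).read()` hands the PIN over with the file object never closed and any trailing newline included, so `with open(paths.DNSSEC_SOFTHSM_PIN) as f: pin = f.read().strip()` before the constructor would be a cheap cleanup, assuming the PIN file is written without a newline today.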
[Freeipa-devel] [freeipa PR#628][closed] WebUI: Remove offline version of WebUI
URL: https://github.com/freeipa/freeipa/pull/628
Author: pvomacka
Title: #628: WebUI: Remove offline version of WebUI
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/628/head:pr628
git checkout pr628
[Freeipa-devel] [freeipa PR#1021][opened] Backport PR 988 to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/1021 Author: flo-renaud Title: #1021: Backport PR 988 to ipa-4-5 Action: opened PR body: """ Fix Certificate renewal (with ext ca) Fix certificate renewal scripts that use IPACertificate object: - renew_ca_cert adds the C flag to the trust flags and needs to be adapted to IPACertificate object - ipa-cacert-manage: fix python3 encoding issue https://pagure.io/freeipa/issue/7106 Reviewed-By: Fraser Tweedale Reviewed-By: Stanislav Laznicka """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1021/head:pr1021 git checkout pr1021 From 50e54be5fcb378cca0b9d675095e969587775a4a Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 18 Aug 2017 18:02:57 +0200 Subject: [PATCH] Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) Fix certificate renewal scripts that use IPACertificate object: - renew_ca_cert adds the C flag to the trust flags and needs to be adapted to IPACertificate object - ipa-cacert-manage: fix python3 encoding issue https://pagure.io/freeipa/issue/7106 Reviewed-By: Fraser Tweedale Reviewed-By: Stanislav Laznicka --- install/restart_scripts/renew_ca_cert | 7 ++- ipaserver/install/ipa_cacert_manage.py | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index bb31defc0e..3bbf003bad 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -35,6 +35,7 @@ from ipaserver.install import certs, cainstance, installutils from ipaserver.plugins.ldap2 import ldap2 from ipaplatform import services from ipaplatform.paths import paths +from ipapython.certdb import TrustFlags def _main(): 
@@ -180,7 +181,11 @@ def _main(): # Pass Dogtag's self-tests for ca_nick in db.find_root_cert(nickname)[-2:-1]: ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick] -db.trust_root_cert(ca_nick, 'C' + ca_flags) +usages = ca_flags.usages or set() +ca_flags_modified = TrustFlags(ca_flags.has_key, +True, True, +usages | {x509.EKU_SERVER_AUTH}) +db.trust_root_cert(ca_nick, ca_flags_modified) finally: if conn is not None and conn.isconnected(): conn.disconnect() diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index e88e8b63ae..fcbf09155a 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -218,7 +218,7 @@ def renew_external_step_2(self, ca, old_cert_der): cert_file, ca_file = installutils.load_external_cert( options.external_cert_files, DN(old_cert_obj.subject)) -with open(cert_file.name) as f: +with open(cert_file.name, 'rb') as f: new_cert_data = f.read() new_cert_der = x509.normalize_certificate(new_cert_data) new_cert_obj = x509.load_certificate(new_cert_der, x509.DER) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
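Review bot: In the renew_ca_cert hunk, `TrustFlags(ca_flags.has_key, True, True, usages | {x509.EKU_SERVER_AUTH})` passes two bare `True` positionals whose meaning cannot be recovered from the call; use keyword arguments for them so it is clear which one replaces the old `'C'` trust flag that `db.trust_root_cert(ca_nick, 'C' + ca_flags)` used to prepend. Please also confirm that `x509` is imported in install/restart_scripts/renew_ca_cert, since the hunk at the top of that file only adds `from ipapython.certdb import TrustFlags`, and that `dict(cc[1:] for cc in ca_certs)[ca_nick]` now yields a `TrustFlags` object rather than the string it was concatenated with before; the `ca_flags.usages or set()` guard for `None` suggests it does, but nothing in the diff shows where `ca_certs` is built.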
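Review bot: The ipa_cacert_manage.py hunk switches `open(cert_file.name)` to `open(cert_file.name, 'rb')`, which is the right fix for the Python 3 issue the PR body names, because `x509.normalize_certificate(new_cert_data)` is then handed raw bytes instead of text decoded with the locale encoding. The commit message only says "ipa-cacert-manage: fix python3 encoding issue"; one sentence recording that the file is read in binary mode because the certificate data is passed straight to `normalize_certificate` would make the reason obvious later and discourage someone from reverting it to text mode.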
[Freeipa-devel] [freeipa PR#1022][opened] Backport PR 989 to ipa-4-5
URL: https://github.com/freeipa/freeipa/pull/1022 Author: felipevolpone Title: #1022: Backport PR 989 to ipa-4-5 Action: opened PR body: """ This PR was opened automatically because PR #989 was pushed to master and backport to ipa-4-5 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1022/head:pr1022 git checkout pr1022 From 3c0f36477fe45d695b48259a06b8d35c7e7fffe0 Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Wed, 30 Aug 2017 14:13:38 -0300 Subject: [PATCH] Removing part of circular dependency of ipalib in ipaplaform After commit cac3475, ipa-backup is broken due to circular dependencies. This fixes it, removing circular dependency of ipalib. The ipalib.constants.IPAAPI_USER is now passed as parameter to the function that use it. https://pagure.io/freeipa/issue/7108 --- ipaplatform/base/tasks.py | 2 +- ipaplatform/redhat/tasks.py| 11 --- ipaserver/install/httpinstance.py | 3 ++- ipaserver/install/server/install.py| 6 +++--- ipaserver/install/server/replicainstall.py | 2 +- ipaserver/install/server/upgrade.py| 3 ++- 6 files changed, 13 insertions(+), 14 deletions(-) diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 3358b7d257..1ec93e053f 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -203,7 +203,7 @@ def configure_tmpfiles(self): """Configure tmpfiles to be created at boot""" raise NotImplementedError() -def create_tmpfiles_dirs(self): +def create_tmpfiles_dirs(self, ipaapi_user): """Create run dirs for the install phase""" raise NotImplementedError() diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 07efebab97..560f83d1c3 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py 
@@ -50,9 +50,6 @@ from ipaplatform.redhat.authconfig import RedHatAuthConfig from ipaplatform.base.tasks import BaseTaskNamespace -# pylint: disable=ipa-forbidden-import -from ipalib.constants import IPAAPI_USER -# pylint: enable=ipa-forbidden-import _ffi = FFI() _ffi.cdef(""" @@ -460,7 +457,7 @@ def configure_httpd_service_ipa_conf(self): ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"], raiseonerr=False) -def configure_http_gssproxy_conf(self): +def configure_http_gssproxy_conf(self, ipaapi_user): ipautil.copy_template_file( os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'), paths.GSSPROXY_CONF, @@ -468,7 +465,7 @@ def configure_http_gssproxy_conf(self): HTTP_KEYTAB=paths.HTTP_KEYTAB, HTTP_CCACHE=paths.HTTP_CCACHE, HTTPD_USER=constants.HTTPD_USER, -IPAAPI_USER=IPAAPI_USER, +IPAAPI_USER=ipaapi_user, ) ) @@ -523,9 +520,9 @@ def _create_tmpfiles_dir(self, name, mode, uid, gid): os.chmod(name, mode) os.chown(name, uid, gid) -def create_tmpfiles_dirs(self): +def create_tmpfiles_dirs(self, ipaapi_user): parent = os.path.dirname(paths.IPA_CCACHES) -pent = pwd.getpwnam(IPAAPI_USER) +pent = pwd.getpwnam(ipaapi_user) self._create_tmpfiles_dir(parent, 0o711, 0, 0) self._create_tmpfiles_dir(paths.IPA_CCACHES, 0o770, pent.pw_uid, pent.pw_gid) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index f637b97db8..50a1069ce0 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -46,6 +46,7 @@ import ipapython.errors from ipaserver.install import sysupgrade from ipalib import api +from ipalib.constants import IPAAPI_USER from ipaplatform.constants import constants from ipaplatform.tasks import tasks from ipaplatform.paths import paths 
@@ -238,7 +239,7 @@ def __configure_http(self): os.chmod(target_fname, 0o644) def configure_gssproxy(self): -tasks.configure_http_gssproxy_conf() +tasks.configure_http_gssproxy_conf(IPAAPI_USER) services.knownservices.gssproxy.restart() def change_mod_nss_port_from_http(self): diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index dced253e7f..97cbc6d8c8 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -24,7 +24,7 @@ from ipaplatform.paths import paths from ipaplatform.tasks import tasks from ipalib import api, errors, x509 -from ipalib.constants import DOMAIN_LEVEL_0 +from ipalib.constants import DOMAIN_LEVEL_0, IPAAPI_USER from ipalib.util import ( validate_domain_name, no_matching_interface_for_ip_address_warning, @@ -721,7 +721,7 @@ def install(installer): update_hosts_file(ip_addresses, host_name, fstore) # Make sure tmpfiles dir exist before installing c
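Review bot: The `create_tmpfiles_dirs(self, ipaapi_user)` and `configure_http_gssproxy_conf(self, ipaapi_user)` signature changes in ipaplatform/base/tasks.py and ipaplatform/redhat/tasks.py are an interface change on the task namespace, and the diff stat lists only those two platform files; any other ipaplatform module that overrides either method, or any caller outside httpinstance.py, install.py, replicainstall.py and upgrade.py, will fail with `TypeError` once this lands, so please grep the remaining ipaplatform directories and callers before merging. Update the base-class docstring ("Create run dirs for the install phase") to document the new parameter, and add a one-line comment at the base definition saying the user is passed in precisely to avoid importing `ipalib.constants` from ipaplatform (the `# pylint: disable=ipa-forbidden-import` block this hunk removes was the only record of that constraint), so nobody re-adds the import and the circular dependency from https://pagure.io/freeipa/issue/7108 later.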