[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I can't reproduce the bug anymore with the latest update.

Pylint found one trivial issue:
```
ipaserver/install/server/upgrade.py:83: [E0602(undefined-variable), 
uninstall_ipa_memcached] Undefined variable 'SimpleServiceInstance')
```
(It should be `service.SimpleServiceInstance`.)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-272100308
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#179][synchronized] Fix for handling CalledProcessError in authconfig

2017-01-12 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/179
Author: Akasurde
 Title: #179: Fix for handling CalledProcessError in authconfig
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/179/head:pr179
git checkout pr179
From ddc7f2032eebbd88bc1d6da2d0bebab5c6c6c15f Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Mon, 24 Oct 2016 10:50:03 +0530
Subject: [PATCH] Fix for handling CalledProcessError in authconfig

NIS configuration error should be hidden from user
while running ipa-client-install

Fixes https://fedorahosted.org/freeipa/ticket/5244

Signed-off-by: Abhijeet Kasurde 
---
 ipaplatform/redhat/authconfig.py | 19 ---
 ipaplatform/redhat/paths.py  |  1 +
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index 7b06d58..a3bd46b 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -3,6 +3,7 @@
 #  Tomas Babej 
 #
 # Copyright (C) 2007-2014  Red Hat
+# Copyright (C) 2016  FreeIPA Contributors
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -18,11 +19,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+from ipaplatform.paths import paths
 from ipapython import ipautil
+from ipapython.admintool import ScriptError
 import os
 
 FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
 
+
 class RedHatAuthConfig(object):
 """
 AuthConfig class implements system-independent interface to configure
@@ -85,10 +89,16 @@ def execute(self, update=True):
 self.add_option("update")
 
 args = self.build_args()
-ipautil.run(["/usr/sbin/authconfig"] + args)
+try:
+ipautil.run([paths.AUTHCONFIG] + args)
+except ipautil.CalledProcessError:
+raise ScriptError("Failed to execute authconfig command")
 
 def backup(self, path):
-ipautil.run(["/usr/sbin/authconfig", "--savebackup", path])
+try:
+ipautil.run([paths.AUTHCONFIG, "--savebackup", path])
+except ipautil.CalledProcessError:
+raise ScriptError("Failed to execute authconfig command")
 
 # do not backup these files since we don't want to mess with
 # users/groups during restore. Authconfig doesn't seem to mind about
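Review bot: the generic `raise ScriptError("Failed to execute authconfig command")` in both `execute()` and `backup()` discards the return code and stderr carried by `ipautil.CalledProcessError`, so the detail is hidden not only from the user (as the commit message intends) but also from the install log, which makes a failed NIS configuration hard to diagnose afterwards; bind the exception (`except ipautil.CalledProcessError as e:`) and log it at debug level before re-raising. The identical try/except block is also repeated verbatim, so a small helper that runs `[paths.AUTHCONFIG] + args` and does the translation once would keep the message and the logging in one place.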
@@ -101,4 +111,7 @@ def backup(self, path):
 pass
 
 def restore(self, path):
-ipautil.run(["/usr/sbin/authconfig", "--restorebackup", path])
+try:
+ipautil.run([paths.AUTHCONFIG, "--restorebackup", path])
+except ipautil.CalledProcessError:
+raise ScriptError("Failed to execute authconfig command")
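Review bot: `restore()` now raises `ScriptError` instead of letting `CalledProcessError` propagate; this method runs on the uninstall/rollback path, so check that its callers do not now abort the rest of the restore on a `ScriptError` they previously did not see. The three identical messages also give no clue which of the three authconfig invocations failed; at minimum include the operation (`--restorebackup` here) in the message.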
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index b27b065..aaf71e2 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace):
 if sys.maxsize > 2**32:
 LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
 PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64
+AUTHCONFIG = '/usr/sbin/authconfig'
 
 
 paths = RedHatPathNamespace()
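Review bot: `AUTHCONFIG` is added directly after `PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64`, which sits inside the `if sys.maxsize > 2**32:` block; indentation is lost in this archive copy, so confirm the new attribute is at class level, otherwise `paths.AUTHCONFIG` is undefined on 32-bit builds. Also consider declaring it in `BasePathNamespace` (ipaplatform/base/paths.py) alongside the other binaries, since that is where the rest of the path namespace lives and other platform classes would otherwise raise `AttributeError` on it.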

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Not sure if it's this PR or not, but `ipa-server-install` *sometimes* fails 
with:
```
  [11/22]: setting up ssl
  [error] NetworkError: cannot connect to 
'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket': 
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
cannot connect to 
'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket': 
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERRORThe 
ipa-server-install command failed. See /var/log/ipaserver-install.log for more 
information
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-272106420

[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/377
Title: #377: dogtaginstance: track server certificate with our renew agent

abbra commented:
"""
Looks very good to me. ACK from my side. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/377#issuecomment-272106955

Re: [Freeipa-devel] CSR autogeneration next steps

2017-01-12 Thread Jan Cholasta

On 11.1.2017 00:38, Ben Lipton wrote:


On 01/10/2017 01:58 AM, Jan Cholasta wrote:

On 19.12.2016 21:59, Ben Lipton wrote:


On 12/15/2016 11:11 PM, Ben Lipton wrote:


On 12/12/2016 03:52 AM, Jan Cholasta wrote:

On 5.12.2016 16:48, Ben Lipton wrote:

Hi Jan, thanks for the comments.


On 12/05/2016 04:25 AM, Jan Cholasta wrote:

Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:

Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new
development work for the CSR autogeneration project, and I want to leave
the project in as organized a state as possible. So, I'm taking inventory
of the work I've done in order to make sure that what's ready for review
can get reviewed and the ideas that have been discussed get prototyped or
at least recorded so they won't be forgotten.


Thanks, I have some questions and comments, see below.



Code that's ready for review (I will continue to put in as much time as
needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10


How hard would it be to update the PR to use the "new" interface from the
design thread? By this I mean that currently there is a command
(cert_get_requestdata), which creates a CSR from profile id + principal +
helper, but in the design we discussed a command which creates a
CertificationRequestInfo from profile id + principal + public key.

Internally it could use the OpenSSL helper, no need to implement the full
"new" design. With your build_requestinfo.c code below it looks like it
should be pretty straightforward.


This is probably doable with the cffi, but I'm concerned about usability.
A user can run the current command to get a (reusable) script, and run the
script to get a CSR. It works with keys in both PEM files and NSS
databases already. If we change to outputting a CertificationRequestInfo,
in order to make this usable on the command line, we'll need:
- An additional tool to sign a CSR given a CertificationRequestInfo (for
both types of key storage).
- A way to extract a SubjectPublicKeyInfo structure from a key within the
ipa command (like [1] but we need it for both types of key storage)
Since as far as I know there's no standard encoding for files containing
only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be
writing and distributing these ourselves. I think that's where most of
the extra work will come in.


For PEM files, this is easily doable using python-cryptography (to
extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and
PyASN1 (to create a CSR from the CertificationRequestInfo and the
signature).


I didn't realize that python-cryptography knew about
SubjectPublicKeyInfo structures, but indeed this seems to be pretty
straightforward:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import load_pem_private_key, Encoding, PublicFormat

key = load_pem_private_key(key_bytes, None, default_backend())
pubkey_info = key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)

Thanks for letting me know this functionality already existed.


I'm currently working on the step of signing the
CertificationRequestInfo and creating a CSR from it. I think I have it
working with pyasn1, but of course the "signature algorithm" for the CSR
needs to be specified and implemented within the code since I'm not
using a library that understands CSRs natively. The code I have
currently always produces CSRs with the sha256WithRSAEncryption
algorithm (DER-encode request info, SHA256, PKCS #1v1.5 padding, RSA
encryption), and the OID for that algorithm is hardcoded in the output
CSR. Is this ok or will we need more flexibility than that?


IMO it's OK for starters.



For NSS databases, this will be trickier and will require calling C
functions, as neither certutil nor python-nss provide a way to a)
address existing keys in the database by key ID b) get
SubjectPublicKeyInfo for a given key.


This can be worked around by:

1. Generating a key + temporary certificate:

n=$(head -c 40 /dev/urandom | base32)
certutil -S -n $n -s CN=$n -x -t ,,

2. Extracting the public key from the certificate:

certutil -L -n $n -a >temp.crt
(extract the public key using python-cryptography)

3. Deleting the temporary certificate:

certutil -D -n $n

4. Importing the newly issued certificate:

certutil -A -n $n -t ,, -a 

Oof, thanks, I'm not sure I would have been able to come up with that.
Can you generate a key without a temporary certificate if you use the
NSS API, or does their model require every key to belong to a cert?


I'm pretty sure it's possible, but it certainly won't be as simple as 
this. I gave up after a few hours of digging into NSS source code and 
not being able to figure out how.




As for encoding, the obvious choice is DER. It does not really matter
there is no standard file format, as we won't be transferring these
as files anyway.


Agreed. I just meant there aren't tools already because this isn't a
type of file one often needs to process.




Would it be ok to stick with the current design in this PR? I
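Added example, not code from this thread or from FreeIPA: the signing step Ben describes, wrapping a DER CertificationRequestInfo in a PKCS#10 CertificationRequest with the sha256WithRSAEncryption AlgorithmIdentifier hardcoded. A hand-written DER encoder/decoder stands in for pyasn1 so the block runs with the standard library alone; the `signer` callback is an assumption of this example, and `rsa_sha256_signer` shows the python-cryptography call (PKCS#1 v1.5 over SHA-256) that would plug into it.

```python
"""Assemble a PKCS#10 CertificationRequest from a DER-encoded
CertificationRequestInfo (CRI) plus a signature over those exact bytes, with
the sha256WithRSAEncryption AlgorithmIdentifier hardcoded as in the thread.
A minimal DER encoder/decoder replaces pyasn1 so this runs with stdlib only."""
import hashlib

# Contents octets of OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")

TAG_INTEGER, TAG_BITSTRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x30


def der_len(n):
    """DER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_sequence(*items):
    return der_tlv(TAG_SEQUENCE, b"".join(items))


def der_read(buf, pos=0):
    """Decode one TLV starting at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def build_csr(cri_der, signer):
    """CertificationRequest ::= SEQUENCE {
           certificationRequestInfo CertificationRequestInfo,
           signatureAlgorithm       AlgorithmIdentifier,
           signature                BIT STRING }
    `signer(data) -> bytes` must return the PKCS#1 v1.5 RSA signature over
    SHA-256 of `data`. It is handed the CRI bytes unchanged, which is what lets
    the same CRI be signed from either key store (PEM file or NSS database)."""
    if cri_der[:1] != bytes([TAG_SEQUENCE]):
        raise ValueError("CertificationRequestInfo must be a DER SEQUENCE")
    signature = signer(cri_der)
    alg_id = der_sequence(der_tlv(TAG_OID, SHA256_WITH_RSA_OID), der_tlv(TAG_NULL, b""))
    # BIT STRING content starts with the count of unused bits, 0 for a signature
    return der_sequence(cri_der, alg_id, der_tlv(TAG_BITSTRING, b"\x00" + signature))


def split_csr(csr_der):
    """Inverse of build_csr: return (cri_der, signature_oid, signature_bytes).
    Rejects trailing garbage and a non-zero unused-bits octet."""
    tag, body, end = der_read(csr_der)
    if tag != TAG_SEQUENCE or end != len(csr_der):
        raise ValueError("CSR is not a single DER SEQUENCE")
    _, _, p = der_read(body)
    cri_der = body[:p]
    _, alg_content, p = der_read(body, p)
    _, oid, _ = der_read(alg_content)
    _, bits, p = der_read(body, p)
    if p != len(body) or bits[:1] != b"\x00":
        raise ValueError("malformed signature BIT STRING")
    return cri_der, oid, bits[1:]


def rsa_sha256_signer(private_key):
    """Signer for a python-cryptography RSA private key, imported lazily so the
    DER code above does not need the package installed."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    def sign(cri_der):
        return private_key.sign(cri_der, padding.PKCS1v15(), hashes.SHA256())
    return sign


def demo():
    """Constructed, offline run: a stub CRI holding only `version INTEGER 0`
    and a stand-in signer (a keyed SHA-256, not RSA) so no key is required."""
    cri = der_sequence(der_tlv(TAG_INTEGER, b"\x00"))

    def stand_in(data):
        return hashlib.sha256(b"stand-in:" + data).digest()

    csr = build_csr(cri, stand_in)
    return cri, csr, split_csr(csr)


if __name__ == "__main__":
    cri, csr, (cri_back, oid, sig) = demo()
    print("CSR bytes:", csr.hex())
    print("CRI round-trips:", cri_back == cri, "OID ok:", oid == SHA256_WITH_RSA_OID)
```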

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

mbasti-rh commented:
"""
This PR still needs a rebase; it is not possible to apply the patch without a 3-way 
merge. Please pull the latest master and rebase, as we merge only patches that 
can be merged without a 3-way merge.

```
$ hub am https://github.com/freeipa/freeipa/pull/181 -3
Applying: Unaccessible variable self.attrs in Tracker
Using index info to reconstruct a base tree...
M   ipatests/test_xmlrpc/tracker/base.py
Falling back to patching base and 3-way merge...
No changes -- Patch already applied.
Applying: User Tracker: creation of user with minimal values
Using index info to reconstruct a base tree...
M   ipatests/test_xmlrpc/tracker/user_plugin.py
Falling back to patching base and 3-way merge...
Auto-merging ipatests/test_xmlrpc/tracker/user_plugin.py
Applying: User Tracker: Test to create user with minimal values
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-272122000

[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

mbasti-rh commented:
"""
Needs rebase

```
Applying: Unaccessible variable self.attrs in Tracker
Patch failed at 0001 Unaccessible variable self.attrs in Tracker
The copy of the patch that failed is found in: .git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
error: patch failed: ipatests/test_xmlrpc/tracker/base.py:76
error: ipatests/test_xmlrpc/tracker/base.py: patch does not apply
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/210#issuecomment-272123222

[Freeipa-devel] [freeipa PR#385][+pushed] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/385
Title: #385: Generate sha256 ssh pubkey fingerprints for hosts

Label: +pushed

[Freeipa-devel] [freeipa PR#385][closed] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/385
Author: stlaz
 Title: #385: Generate sha256 ssh pubkey fingerprints for hosts
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/385/head:pr385
git checkout pr385

[Freeipa-devel] [freeipa PR#385][comment] Generate sha256 ssh pubkey fingerprints for hosts

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/385
Title: #385: Generate sha256 ssh pubkey fingerprints for hosts

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/721105c53de6fbc0abc7799ec7f48920e02089bd
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/385#issuecomment-272124272

[Freeipa-devel] [freeipa PR#383][closed] Remove duplicated step from DS install

2017-01-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/383
Author: mbasti-rh
 Title: #383: Remove duplicated step from DS install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/383/head:pr383
git checkout pr383

[Freeipa-devel] [freeipa PR#383][comment] Remove duplicated step from DS install

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/383
Title: #383: Remove duplicated step from DS install

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/083b4241d287a731e2cf7fed5c61b30da52a8e37
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/383#issuecomment-272125454

[Freeipa-devel] [freeipa PR#383][+pushed] Remove duplicated step from DS install

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/383
Title: #383: Remove duplicated step from DS install

Label: +pushed

[Freeipa-devel] [freeipa PR#374][closed] pytest: set rules to find test files and functions

2017-01-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/374
Author: tiran
 Title: #374: pytest: set rules to find test files and functions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/374/head:pr374
git checkout pr374

[Freeipa-devel] [freeipa PR#374][+pushed] pytest: set rules to find test files and functions

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/374
Title: #374: pytest: set rules to find test files and functions

Label: +pushed

[Freeipa-devel] [freeipa PR#374][comment] pytest: set rules to find test files and functions

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/374
Title: #374: pytest: set rules to find test files and functions

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/68cb4d2b0f6b28f20513371e46b279d80c0b3070
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/374#issuecomment-272126112

[Freeipa-devel] [freeipa PR#391][opened] ipapython: Add dependencies on version.py

2017-01-12 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/391
Author: tiran
 Title: #391: ipapython: Add dependencies on version.py
Action: opened

PR body:
"""
install-exec and bdist_wheel also depend on version.py. Let's ensure
that version.py is correctly generated when installing or building
packages.

Yes, make is clever and correctly merges dependencies with rules from
included make files.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/391/head:pr391
git checkout pr391






[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/377
Title: #377: dogtaginstance: track server certificate with our renew agent

stlaz commented:
"""
Works fine.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/377#issuecomment-272137913

[Freeipa-devel] [freeipa PR#377][comment] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/377
Title: #377: dogtaginstance: track server certificate with our renew agent

stlaz commented:
"""
I made a patch that makes is_renewal_master and set_renewal_master classmethods 
on @tiran's recommendation. Feel free to push it along or leave it; don't let it 
slow us down if you don't like it.
http://pastebin.com/dCDTAtnS
ACK
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/377#issuecomment-272147569

[Freeipa-devel] [freeipa PR#377][+ack] dogtaginstance: track server certificate with our renew agent

2017-01-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/377
Title: #377: dogtaginstance: track server certificate with our renew agent

Label: +ack

[Freeipa-devel] Changed SSH public key fingerprint to SHA256

2017-01-12 Thread Standa Laznicka

Hello list,

In PR https://github.com/freeipa/freeipa/pull/385 we changed the hashing 
algorithm for SSH public key fingerprints which are printed for 
hosts/users in their respective show commands. These fingerprints are 
not stored anywhere and are calculated during runtime on demand.


We made this change to move away from MD5, the use of which breaks IPA in 
FIPS mode. Also, SHA256 (along with MD5) fingerprints are now printed by 
default in Fedora 25 when trying to connect to a new host via ssh.


If you think this could break some use-case, please, share your concern.

Have a nice day,
Standa
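Added example, not code from this post or from FreeIPA: how the two fingerprint formats mentioned (the legacy MD5 colon-hex form and OpenSSH's SHA256 base64 form) are derived from the key blob of an authorized_keys-style line, with the MD5 path reporting unavailability instead of crashing where the digest is blocked, as under FIPS. The key line is constructed inside the block and is not a real key.

```python
"""SSH public key fingerprints as OpenSSH prints them: the SHA256 form now used
by FreeIPA's host/user show commands, and the legacy MD5 colon-hex form."""
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (key_type, blob) from an authorized_keys-style line
    '<type> <base64 blob> [comment]'. The blob embeds its own type string,
    which must match the leading field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside the blob does not match %r" % key_type)
    return key_type, blob


def fingerprint_sha256(blob):
    """OpenSSH format: 'SHA256:' + base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy format: 'MD5:' + colon-separated hex. Returns None when the MD5
    digest is not available, which is what happens under FIPS mode and is the
    reason the default moved to SHA256."""
    try:
        digest = hashlib.new("md5", blob, usedforsecurity=False).hexdigest()
    except (TypeError, ValueError):
        # TypeError: Python < 3.9 has no usedforsecurity; ValueError: MD5 blocked
        try:
            digest = hashlib.new("md5", blob).hexdigest()
        except ValueError:
            return None
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def matches_fingerprint(blob, claimed):
    """Check a fingerprint an admin pasted, in either format, against the key.
    An MD5 fingerprint cannot be verified at all where MD5 is unavailable."""
    if claimed.startswith("SHA256:"):
        return fingerprint_sha256(blob) == claimed.rstrip("=")
    if claimed.upper().startswith("MD5:"):
        got = fingerprint_md5(blob)
        return got is not None and got.lower() == claimed.lower()
    return False


def make_constructed_key_line(key_type="ssh-ed25519", raw=bytes(range(32)),
                              comment="constructed@example"):
    """Build a syntactically valid key line around constructed key bytes
    (NOT a real key) so the functions above can be exercised offline."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(raw)) + raw
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(make_constructed_key_line())
    print(key_type, fingerprint_sha256(blob))
    print(key_type, fingerprint_md5(blob) or "MD5 unavailable (FIPS?)")
```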



[Freeipa-devel] [freeipa PR#392][opened] Fix coverity issue

2017-01-12 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/392
Author: tomaskrizek
 Title: #392: Fix coverity issue
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/392/head:pr392
git checkout pr392
From 83ce37eaf66fdb6d93e647af95cbc4be577d5382 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Thu, 12 Jan 2017 10:49:12 +0100
Subject: [PATCH] Fix coverity issue

---
 ipaserver/plugins/cert.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index cc47084..d8bfc1c 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -780,7 +780,8 @@ def execute(self, csr, all=False, raw=False, **kw):
 "match requested principal") % gn.name)
 elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
 if principal_type == USER:
-if gn.value not in principal_obj.get('mail', []):
+if principal_obj and gn.value not in principal_obj.get(
+'mail', []):
 raise errors.ValidationError(
 name='csr',
 error=_(
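Review bot: the new `if principal_obj and gn.value not in principal_obj.get('mail', []):` guard silences the Coverity None-dereference finding, but it also means that when `principal_obj` is None an RFC822Name SAN in a user CSR is accepted without being checked against the user's `mail` attribute at all; if a missing principal object is a legitimate state at this point, a comment should say why, otherwise the code should raise rather than skip the validation. The commit message is also empty and should name the Coverity finding being fixed.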

[Freeipa-devel] [freeipa PR#392][comment] Fix coverity issue

2017-01-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/392
Title: #392: Fix coverity issue

mbasti-rh commented:
"""
Could the commit message be more descriptive, or at least present?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/392#issuecomment-272158709

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-12 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From ca18b7f39e5d8f86ad122a5e66124f9e2ea7fcfe Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 70 ---
 ipalib/util.py  | 94 +
 4 files changed, 112 insertions(+), 56 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..0aeea1b 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
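Review bot: with `import ipapython.nsslib` and `from ipapython.nsslib import NSSConnection` replaced by `from ipalib.util import IPAHTTPSConnection`, and `NSPRError` swapped for `ssl.SSLError` in the hunk above, every `except NSPRError` in rpc.py (not shown in these hunks) has to become `except SSLError`, otherwise TLS failures surface as unhandled exceptions instead of the `NetworkError` the callers expect.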
@@ -470,48 +469,20 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
-
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443,
+api.env.ca_certfile,
+tls_version_min=api.env.
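Review bot: the hunk is cut off at `tls_version_min=api.env.` in the archive, so the rest of the `IPAHTTPSConnection(...)` call cannot be reviewed here. Since `api.env.ca_certfile` is passed as the trust anchor, `IPAHTTPSConnection` in ipalib/util.py must enforce certificate verification and hostname checking (CERT_REQUIRED), because the `NSSConnection` being removed validated the server certificate against the NSS database and the OpenSSL-based replacement must not weaken that. Dropping `self.dbdir=dbdir` is fine, as its only consumer, `get_connection_dbdir()`, is deleted in the same hunk.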

[Freeipa-devel] [freeipa PR#391][+ack] ipapython: Add dependencies on version.py

2017-01-12 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/391
Title: #391: ipapython: Add dependencies on version.py

Label: +ack

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
@rcritten I spoke to the NSS people who assured me it's the intended behavior. 
But thanks for the reminder, I will open a Bugzilla for that as well, I was 
considering it before Christmas.

**edit:** https://bugzilla.redhat.com/show_bug.cgi?id=1410143
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-270383517

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-12 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Thanks @HonzaCholasta, I already fixed the service thing but didn't push as I 
started getting another error on install, but before I fix that I am working 
on releasing gssproxy where we are hitting another heisenbug just in the 
testing suite (works as expected when installed).
On the ldapi error, I have seen it too during development; for a period I was 
getting it every time once on install, i.e.:
install, play, uninstall, install, Error!, uninstall, install, play ...
So I had to install - uninstall - reinstall for each test, but it had 
disappeared for a while.
It seems like some uninstall snag to me; if I can find some info on why it occurs 
I'll open a bug (or fix it if it is due to my code changes).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-272171891

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2017-01-12 Thread gkaihorodova
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

gkaihorodova commented:
"""
@mbasti-rh done. Hope it's fine now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-272172666

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

rcritten commented:
"""
Wait, you added support for SSLv2? Please remove it, it isn't needed even for 
backwards compatibility and would not be considered a regression.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-272174784

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

tiran commented:
"""
@rcritten I wonder if we need to support any version except TLS 1.2 at all. Are 
there any versions of FreeIPA stack that do not have TLS 1.2 support?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-272176995

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

tiran commented:
"""
Let's not make @stlaz jump through more bike-shedding hoops. How about we let 
him finish this PR, and then address TLS versions, ciphers and other 
simplifications in another PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-272178840

[Freeipa-devel] [freeipa PR#392][synchronized] Fix coverity issue

2017-01-12 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/392
Author: tomaskrizek
 Title: #392: Fix coverity issue
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/392/head:pr392
git checkout pr392
From 9626860539c4d7bf5afb24423b9ef36ecef23185 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Thu, 12 Jan 2017 10:49:12 +0100
Subject: [PATCH] Fix coverity issue

A code path exists where principal_obj is None. Add a check that
principal_obj is not None to avoid dereferencing it.
---
 ipaserver/plugins/cert.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index cc47084..d8bfc1c 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -780,7 +780,8 @@ def execute(self, csr, all=False, raw=False, **kw):
 "match requested principal") % gn.name)
 elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
 if principal_type == USER:
-if gn.value not in principal_obj.get('mail', []):
+if principal_obj and gn.value not in principal_obj.get(
+'mail', []):
 raise errors.ValidationError(
 name='csr',
 error=_(
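Review bot: the truthiness guard `if principal_obj and ...` turns the `None` crash into a silently skipped check: for a USER principal with no `principal_obj`, an rfc822Name SAN in the CSR is now accepted without being matched against the user's `mail` attribute. If `principal_obj` can legitimately be `None` on this path, rejecting the CSR (raising `errors.ValidationError` with a clear message) is the safer outcome than skipping the comparison; if it cannot, the commit message should say which path produces `None` and why skipping is acceptable. Also prefer `principal_obj is not None`, as the commit message describes, over a truthiness test on the entry object.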

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
@rcritten `tls_version_min/max` could have been set to "ssl2" just as well as 
"ssl3" but perhaps it's for the best to remove them. I will try to do the 
certmonger part and will remove this with it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-272182713

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Christian Heimes
On 2016-12-19 15:07, John Dennis wrote:
> I'm not a big fan of NSS, it has its issues. As the author of the
> Python binding I'm quite aware of all the nasty behaviors NSS has and
> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
> has its own issues too. If you remove NSS you're also removing the
> option to support smart cards, HSMs etc. Perhaps before removing
> functionality it would be good to assess what the requirements are.

When Standa started to work on the PR, I raised similar concerns
regarding the feature set of OpenSSL. I asked him to write a design spec
to address some of the concerns.

HSM and smart card authentication are of no concern. Standa's PR
replaces FreeIPA's internal HTTPS connection with an OpenSSL-based
implementation. It's used to communicate from an IPA client to an IPA
server or from an IPA server to Dogtag. We don't support client cert
auth for client to server. Smart card authentication is performed based
on pkinit and Kerberos. Currently just IPA server to Dogtag uses client
cert authentication. That part will be replaced with GSSAPI eventually.

I'm more concerned that we lose the ability to check revocation state
of certificates. Python's ssl module has no support for OCSP. OpenSSL's
and Python's CRL capabilities are sub-par compared to NSS. The ssl
module can load CRLs but it has no means to retrieve or update a CRL
from a remote server.

For Fedora 26 we will have to deal with similar concerns for libldap.
Fedora has switched from NSS to OpenSSL as TLS backend.

Christian




Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Tomas Krizek
On 12/19/2016 04:41 PM, Standa Laznicka wrote:
> On 12/19/2016 03:07 PM, John Dennis wrote:
>> On 12/19/2016 03:12 AM, Standa Laznicka wrote:
>>> On 12/16/2016 03:23 PM, Rob Crittenden wrote:
>>>> Standa Laznicka wrote:
>>>>> Hello,
>>>>>
>>>>> I started a design page for FreeIPA on FIPS-enabled systems:
>>>>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>>>>
>>>>> Tomáš and I are still investigating what will need to change in
>>>>> order to have FreeIPA on FIPS-enabled RHEL. So far I managed to
>>>>> install and run a patched FreeIPA server and client and connect
>>>>> them together.
>>>>>
>>>>> There are some issues with NSS when trying to create an HTTPS
>>>>> request (apparently, NSS requires an NSS database password to set
>>>>> up an SSL connection). I am actually thinking of removing
>>>>> NSSConnection from the client altogether.
>>>> Can you expand on this a bit? NSS should only need a pin when it
>>>> needs access to a private key. What connection(s) are you talking
>>>> about, and what would you replace NSSConnection with?
>>>>
>>>> rob
>>>
>>> Hello Rob,
>>>
>>> Thank you for this excellent question; in order to cut the email
>>> short I seem to have omitted quite a bit of information.
>>>
>>> One of the very first problems I had with FreeIPA with FIPS was that
>>> NSS was always asking for a password/pin. I was discussing this with
>>> the NSS guys on their IRC chat last week and it turns out that NSS
>>> tries to create a private key every time you want to use it as a
>>> backend for an SSL connection on FIPS. I still don't think this is
>>> quite right so I may open a bugzilla for that.
>>
>> I don't understand, I thought the case you were having problems with
>> was the FreeIPA client, not the server. I assume when you use the
>> term "backend" you mean server, and yes when NSS is in server mode it
>> will need access to keys. So isn't the problem that NSS is not being
>> initialized correctly so that it recognizes it is in client mode and
>> not server mode?
>>
> What I meant was "a client backend for an SSL connection" - we're
> using the NSS implementation of SSL (via python-nss) for HTTPS
> connections from client to server, during which we're getting a CA
> cert from an NSS database, but this eventually leads to a password
> prompt.
>>>
>>> Anyway, the guys suggested to me that we could try to create the
>>> database with an empty password and everything will work. I don't
>>> quite like that either, but it's at least something if you don't
>>> want the `ipa` command to always bug you for a password you have no
>>> way of knowing if you're just a regular user.
>>>
>>> What I think would be a better way to go is to use
>>> httplib.HTTPSConnection. We have the needed certificates in
>>> /etc/ipa/ca.crt anyway, so why not use them instead. We had a
>>> discussion with Honza this morning and it seems that with this
>>> approach we may get rid of the NSSConnection class altogether
>>> (although I still need to check a few spots) and start the process
>>> of moving away from NSS, which was discussed some year ago in an
>>> internal mailing list (for some reason).
>>>
>>> Will be happy to hear thoughts on this,
>>> Standa
>>
>> I'm not a big fan of NSS, it has its issues. As the author of the
>> Python binding I'm quite aware of all the nasty behaviors NSS has and
>> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
>> has its own issues too. If you remove NSS you're also removing the
>> option to support smart cards, HSMs etc. Perhaps before removing
>> functionality it would be good to assess what the requirements are.
>>
> I'm sorry I generalized too much, the original topic was moving away
> from python-nss (of which I am even more sorry as you're the author).
>
We could use some ideas on how to handle replica installations in FIPS.

We might use some flag in LDAP to indicate that a topology is
FIPS-enabled. It seems like a good idea to force all servers in
FIPS-enabled topology to also be FIPS-enabled. At the start of replica
installation, a check could be performed to verify the FIPS topology
status is the same as the current system's FIPS status. However, this
proposal has a flaw. It is possible to simply install a FIPS-enabled
replica and then turn FIPS off. This would result in non-FIPS systems
being part of a FIPS-enabled topology.

So we have a couple questions:

Does it make sense to require all the servers in the topology to be
either FIPS-enabled or FIPS-disabled?
What would be a good approach to achieve this? Simply checking during
installation does not guarantee that FIPS will stay turned on.

-- 
Tomas Krizek




Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Rob Crittenden
Tomas Krizek wrote:
> On 12/19/2016 04:41 PM, Standa Laznicka wrote:
>> On 12/19/2016 03:07 PM, John Dennis wrote:
>>> On 12/19/2016 03:12 AM, Standa Laznicka wrote:
>>>> On 12/16/2016 03:23 PM, Rob Crittenden wrote:
>>>>> Standa Laznicka wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I started a design page for FreeIPA on FIPS-enabled systems:
>>>>>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>>>>>
>>>>>> Tomáš and I are still investigating what will need to change in
>>>>>> order to have FreeIPA on FIPS-enabled RHEL. So far I managed to
>>>>>> install and run a patched FreeIPA server and client and connect
>>>>>> them together.
>>>>>>
>>>>>> There are some issues with NSS when trying to create an HTTPS
>>>>>> request (apparently, NSS requires an NSS database password to set
>>>>>> up an SSL connection). I am actually thinking of removing
>>>>>> NSSConnection from the client altogether.
>>>>> Can you expand on this a bit? NSS should only need a pin when it
>>>>> needs access to a private key. What connection(s) are you talking
>>>>> about, and what would you replace NSSConnection with?
>>>>>
>>>>> rob
>>>>
>>>> Hello Rob,
>>>>
>>>> Thank you for this excellent question; in order to cut the email
>>>> short I seem to have omitted quite a bit of information.
>>>>
>>>> One of the very first problems I had with FreeIPA with FIPS was that
>>>> NSS was always asking for a password/pin. I was discussing this with
>>>> the NSS guys on their IRC chat last week and it turns out that NSS
>>>> tries to create a private key every time you want to use it as a
>>>> backend for an SSL connection on FIPS. I still don't think this is
>>>> quite right so I may open a bugzilla for that.
>>>
>>> I don't understand, I thought the case you were having problems with
>>> was the FreeIPA client, not the server. I assume when you use the
>>> term "backend" you mean server, and yes when NSS is in server mode it
>>> will need access to keys. So isn't the problem that NSS is not being
>>> initialized correctly so that it recognizes it is in client mode and
>>> not server mode?
>>>
>> What I meant was "a client backend for an SSL connection" - we're
>> using the NSS implementation of SSL (via python-nss) for HTTPS
>> connections from client to server, during which we're getting a CA
>> cert from an NSS database, but this eventually leads to a password
>> prompt.
>>>>
>>>> Anyway, the guys suggested to me that we could try to create the
>>>> database with an empty password and everything will work. I don't
>>>> quite like that either, but it's at least something if you don't
>>>> want the `ipa` command to always bug you for a password you have no
>>>> way of knowing if you're just a regular user.
>>>>
>>>> What I think would be a better way to go is to use
>>>> httplib.HTTPSConnection. We have the needed certificates in
>>>> /etc/ipa/ca.crt anyway, so why not use them instead. We had a
>>>> discussion with Honza this morning and it seems that with this
>>>> approach we may get rid of the NSSConnection class altogether
>>>> (although I still need to check a few spots) and start the process
>>>> of moving away from NSS, which was discussed some year ago in an
>>>> internal mailing list (for some reason).
>>>>
>>>> Will be happy to hear thoughts on this,
>>>> Standa
>>>
>>> I'm not a big fan of NSS, it has its issues. As the author of the
>>> Python binding I'm quite aware of all the nasty behaviors NSS has and
>>> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
>>> has its own issues too. If you remove NSS you're also removing the
>>> option to support smart cards, HSMs etc. Perhaps before removing
>>> functionality it would be good to assess what the requirements are.
>>>
>> I'm sorry I generalized too much, the original topic was moving away
>> from python-nss (of which I am even more sorry as you're the author).
>>
> We could use some ideas on how to handle replica installations in FIPS.
> 
> We might use some flag in LDAP to indicate that a topology is
> FIPS-enabled. It seems like a good idea to force all servers in
> FIPS-enabled topology to also be FIPS-enabled. At the start of replica
> installation, a check could be performed to verify the FIPS topology
> status is the same as the current system's FIPS status. However, this
> proposal has a flaw. It is possible to simply install a FIPS-enabled
> replica and then turn FIPS off. This would result in non-FIPS systems
> being part of a FIPS-enabled topology.
> 
> So we have a couple questions:
> 
> Does it make sense to require all the servers in the topology to be
> either FIPS-enabled or FIPS-disabled?
> What would be a good approach to achieve this? Simply checking during
> installation does not guarantee that FIPS will stay turned on.
> 

You could set some value in the replicated tree on FIPS status and write
a 389-ds plugin to refuse to start if the environment doesn't match.
Given this is started first it should cause a cascade of failures so no
s

[Freeipa-devel] [freeipa PR#382][synchronized] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/382
Author: mbasti-rh
 Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/382/head:pr382
git checkout pr382
From 928a2db32a36e7326d127ba711a2630ff7d74cc1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 01/16] py3: create_cert_db: write to file in a compatible way

Py3 expects bytes to be written using os.write. Instead of that, using the
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
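Review bot: `io.open(pwd_file, 'w')` creates the NSS password file with the default umask-derived mode, exactly as the old `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` did without a mode argument; since `pwd_file` holds the database password that `certutil -f` reads, consider creating it with `os.open(pwd_file, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)` wrapped in `os.fdopen(fd, 'w')` so the permissions are restrictive from the first byte rather than fixed up later (unless a chmod elsewhere already covers it). Note also that mode `'w'` truncates, which the old `O_RDWR` without `O_TRUNC` did not, so a shorter password no longer leaves stale bytes at the end of the file; that is a behaviour change worth a line in the commit message.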
 

From 8c157e9643019bf6ffadab68efdb272d80038871 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 10 Jan 2017 13:45:11 +0100
Subject: [PATCH 02/16] py3: service.py: replace mkstemp by NamedTemporaryFile

NamedTemporaryFile can be used in a more pythonic way and the file can be
opened in text mode, which is required with PY3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 7 ---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
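Review bot: the only change here, `''` to `u''`, is what makes `ipa_generate_password()` return unicode on Python 2 so that the text-mode `io.open(pwd_file, 'w').write(password)` introduced in patch 01 does not raise TypeError; neither commit message mentions that the two patches depend on each other, and it would help a bisecting reader if this one said so.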
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..fbe3f23 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 args += ["-H", ldap_uri]
 
 if dm_password:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
-os.close(pw_fd)
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as pw_file:
+pw_file.write(dm_password)
+pw_name = pw_file.name
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
 elif os.getegid() != 0:
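Review bot: `tempfile.NamedTemporaryFile(mode='w', delete=False)` keeps the 0600 permissions that `mkstemp()` gave the Directory Manager password file, which is good, but `delete=False` means `pw_name` still has to be unlinked after the ldap tool has consumed it; that cleanup is outside this hunk, so please confirm it still runs on both the success and the `raise_on_err` paths. The file is also written without an explicit `encoding=`, so on Python 3 under a C/POSIX locale a non-ASCII DM password would fail with UnicodeEncodeError; passing `encoding='utf-8'` avoids that.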

From 35af241c73eb9a3a38a7f613ff24751bd5a10fae Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 03/16] py3: open temporary ldif file in text mode

The ldif parser uses the file in text mode, so we have to open it in text mode
in py3.

Also, values passed to the parser should be bytes.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6e7019a..a38d4f7 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -589,14 +589,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
 parser.replace_value(
 'cn=config,cn=ldbm database,cn=plugins,cn=config',
 'nsslapd-db-locks',
-['5']
+[b'5']
 )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin
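Review bot: the output LDIF is now a text-mode stream while the replacement value is `[b'5']`; that combination is only consistent if `installutils.ModifyLDIF` encodes bytes values itself before writing (as python-ldap's LDIFWriter does), so a one-line comment at the `replace_value` call stating "values are bytes, stream is text" would spare the next reader the same question. Neither `open(dse_filename, "r")` nor the temporary file passes `encoding=`; LDIF is ASCII by specification (non-ASCII values are base64-encoded), so this is harmless, but being explicit would avoid locale surprises when the installer runs under LANG=C.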

From 747a29ef0c09276c5b6fb71990d9a9271bce2c25 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 19:01:29 +0100
Subject: [PATCH 04/16] py3: ldap modlist must have keys as string, n

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-12 Thread Alexander Bokovoy

On Thu, 12 Jan 2017, Christian Heimes wrote:
> On 2016-12-19 15:07, John Dennis wrote:
>> I'm not a big fan of NSS, it has its issues. As the author of the
>> Python binding I'm quite aware of all the nasty behaviors NSS has and
>> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
>> has its own issues too. If you remove NSS you're also removing the
>> option to support smart cards, HSMs etc. Perhaps before removing
>> functionality it would be good to assess what the requirements are.
>
> When Standa started to work on the PR, I raised similar concerns
> regarding the feature set of OpenSSL. I asked him to write a design spec
> to address some of the concerns.
>
> HSM and smart card authentication are of no concern. Standa's PR
> replaces FreeIPA's internal HTTPS connection with an OpenSSL-based
> implementation. It's used to communicate from an IPA client to an IPA
> server or from an IPA server to Dogtag. We don't support client cert
> auth for client to server. Smart card authentication is performed based
> on pkinit and Kerberos. Currently just IPA server to Dogtag uses client
> cert authentication. That part will be replaced with GSSAPI eventually.

We are adding client cert authentication in 4.5. This is a pretty big part
of the release, actually, as we are getting external authentication and
privilege separation support. See Simo's PR#314 which is very close to
being merged.

We don't plan yet to use this for the IPA client itself, but nothing prevents
clients other than web browsers from utilizing client cert auth to establish
TLS session authentication. In fact, this is something which most likely
will be used for external entities anyway.

> I'm more concerned that we lose the ability to check revocation state
> of certificates. Python's ssl module has no support for OCSP. OpenSSL's
> and Python's CRL capabilities are sub-par compared to NSS. The ssl
> module can load CRLs but it has no means to retrieve or update a CRL
> from a remote server.
>
> For Fedora 26 we will have to deal with similar concerns for libldap.
> Fedora has switched from NSS to OpenSSL as TLS backend.
>
> Christian

--
/ Alexander Bokovoy

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-01-12 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

rcritten commented:
"""
SSLv2 should not be supported, period.

Not that it would work anyway because most SSL libs have completely removed 
this support, but it is just a terrible idea to even try and allow it.

The rest I'm flexible on.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-272205432
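The client-side TLS policy argued over in this thread (no SSLv2/SSLv3, a `tls_version_min`/`tls_version_max` pair taken from the IPA config, the server CA read from a PEM file such as /etc/ipa/ca.crt, and Christian's point that the ssl module can at least load a CRL even though it cannot fetch one) sketched as a context builder. This is an added example, not code from the PR or from FreeIPA; the function names, the `ca_certfile=None` fallback to the system trust store (used only so the example runs without an IPA CA file) and the CRL handling are assumptions.

```python
import ssl

# Protocol names as they appear in IPA's tls_version_min/tls_version_max
# settings, mapped to the ssl module's TLSVersion enum (Python 3.7+).
# "ssl2" and "ssl3" are deliberately absent: they are rejected, not mapped.
_TLS_VERSIONS = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
    "tls1.3": ssl.TLSVersion.TLSv1_3,
}
_ORDER = list(_TLS_VERSIONS)  # insertion order == protocol order


def validate_tls_config(tls_version_min, tls_version_max):
    """Return a list of problems with the configured version range.

    An empty list means the range is acceptable. tls_version_max may be
    None, meaning "whatever the local OpenSSL supports".
    """
    problems = []
    if tls_version_min not in _TLS_VERSIONS:
        problems.append(
            "tls_version_min=%r is not an allowed protocol; use one of %s"
            % (tls_version_min, ", ".join(_ORDER)))
    if tls_version_max is not None and tls_version_max not in _TLS_VERSIONS:
        problems.append(
            "tls_version_max=%r is not an allowed protocol; use one of %s"
            % (tls_version_max, ", ".join(_ORDER)))
    if not problems and tls_version_max is not None:
        if _ORDER.index(tls_version_min) > _ORDER.index(tls_version_max):
            problems.append("tls_version_min is above tls_version_max")
    return problems


def tls_version_policy(tls_version_min="tls1.2", tls_version_max=None):
    """Map the configured strings to (minimum, maximum) TLSVersion values."""
    problems = validate_tls_config(tls_version_min, tls_version_max)
    if problems:
        raise ValueError("; ".join(problems))
    vmin = _TLS_VERSIONS[tls_version_min]
    vmax = (ssl.TLSVersion.MAXIMUM_SUPPORTED if tls_version_max is None
            else _TLS_VERSIONS[tls_version_max])
    return vmin, vmax


def make_client_context(ca_certfile, tls_version_min="tls1.2",
                        tls_version_max=None, crl_file=None):
    """Build the SSLContext an IPA-style HTTPS client would use.

    ca_certfile: PEM bundle the server certificate must chain to (IPA keeps
                 it in /etc/ipa/ca.crt). None falls back to the system trust
                 store; that is an assumption for this example, a real
                 client should always pass the IPA CA file.
    crl_file:    optional PEM CRL; when given, the leaf certificate is
                 checked against it. The ssl module can load a CRL this
                 way but has no way to fetch or refresh it and no OCSP.
    """
    vmin, vmax = tls_version_policy(tls_version_min, tls_version_max)
    # create_default_context already sets CERT_REQUIRED and hostname
    # checking; the explicit assignments below keep the policy visible.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=ca_certfile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = vmin
    ctx.maximum_version = vmax
    if crl_file is not None:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def describe_context(ctx):
    """Summarise the security-relevant settings of a context as plain data."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }
```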

[Freeipa-devel] [freeipa PR#393][opened] [WIP] Py3 allow to run wsgi

2017-01-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/393
Author: mbasti-rh
 Title: #393: [WIP] Py3 allow to run wsgi
Action: opened

PR body:
"""
With these patches we can run commands with the server running on py3.

Note: to use py3, install the module `python3-mod_wsgi`, which enables py3 wsgi 
automatically.

Note: this may or may not depend (I haven't tested) on my PR #382, so it 
contains all patches; it will be rebased when PR #382 is merged.

WSGI related patches:
py3: session.py decode server name to str … 7ff4b83
py3: rpcserver: decode input because json requires string … a754021
Py3: Fix undefined variable … 5b4c9d8
py3: session: fix r/w ccache data … 985deaf
py3: WSGI executioners must return bytes in list … acedc31

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393
From 928a2db32a36e7326d127ba711a2630ff7d74cc1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 01/21] py3: create_cert_db: write to file in a compatible way

Py3 expects bytes to be written using os.write. Instead of that, using the
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
 

From 8c157e9643019bf6ffadab68efdb272d80038871 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 10 Jan 2017 13:45:11 +0100
Subject: [PATCH 02/21] py3: service.py: replace mkstemp by NamedTemporaryFile

NamedTemporaryFile can be used in a more pythonic way and the file can be
opened in text mode, which is required with PY3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 7 ---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..fbe3f23 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 args += ["-H", ldap_uri]
 
 if dm_password:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
-os.close(pw_fd)
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as pw_file:
+pw_file.write(dm_password)
+pw_name = pw_file.name
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
 elif os.getegid() != 0:

From 35af241c73eb9a3a38a7f613ff24751bd5a10fae Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 03/21] py3: open temporary ldif file in text mode

The ldif parser uses the file in text mode, so we have to open it in text mode
in py3.

Also, values passed to the parser should be bytes.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6e7019a..a38d4f7 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -589,14 +589,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 

[Freeipa-devel] [freeipa PR#393][edited] [WIP] Py3 allow to run wsgi

2017-01-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/393
Author: mbasti-rh
 Title: #393: [WIP] Py3 allow to run wsgi
Action: edited

 Changed field: body
Original value:
"""
With these patches we can run commands with the server running on py3.

Note: to use py3, install the module `python3-mod_wsgi`, which enables py3 wsgi 
automatically.

Note: this may or may not depend (I haven't tested) on my PR #382, so it 
contains all patches; it will be rebased when PR #382 is merged.

WSGI related patches:
py3: session.py decode server name to str … 7ff4b83
py3: rpcserver: decode input because json requires string … a754021
Py3: Fix undefined variable … 5b4c9d8
py3: session: fix r/w ccache data … 985deaf
py3: WSGI executioners must return bytes in list … acedc31

"""


[Freeipa-devel] [freeipa PR#393][synchronized] [WIP] Py3 allow to run wsgi

2017-01-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/393
Author: mbasti-rh
 Title: #393: [WIP] Py3 allow to run wsgi
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393
From 928a2db32a36e7326d127ba711a2630ff7d74cc1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 01/21] py3: create_cert_db: write to file in a compatible way

Py3 expects bytes to be written using os.write. Instead of that, using the
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
 
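Review bot: the text-mode write at `with io.open(pwd_file, 'w') as f:` / `f.write(password)` needs a unicode string on Python 2, but ipa_generate_password() only switches to `password = u''` in 02/21 of this series; with 01/21 applied on its own, the io.open text stream rejects the str password with a TypeError. Either reorder the commits so the ipautil change lands first, or fold the `u''` change into this commit. Separately, neither the old `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` (no mode argument) nor the new `io.open(pwd_file, 'w')` sets a file mode, so the NSS database password file is created with the umask-derived default; creating it with os.open(pwd_file, os.O_CREAT | os.O_WRONLY, 0o600) and wrapping the descriptor with io.open(fd, 'w') would keep it private to the installer without changing the rest of the hunk.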

From 8c157e9643019bf6ffadab68efdb272d80038871 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 10 Jan 2017 13:45:11 +0100
Subject: [PATCH 02/21] py3: service.py: replace mkstemp by NamedTemporaryFile

NamedTemporaryFile can be used in a more pythonic way, and the file can be
opened in text mode, which is required with PY3.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 7 ---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
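Review bot: `password = u''` changes the return type of ipa_generate_password() from str to unicode on Python 2, so any caller that still hands the result to a byte-oriented sink (os.write, a file opened with 'wb') breaks there; 01/21 converts the httpinstance.py caller, but the commit message should say that the return type changed and the remaining callers should be checked in the same series.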
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..fbe3f23 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 args += ["-H", ldap_uri]
 
 if dm_password:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
-os.close(pw_fd)
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as pw_file:
+pw_file.write(dm_password)
+pw_name = pw_file.name
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
 elif os.getegid() != 0:
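Review bot: `delete=False` at `with tempfile.NamedTemporaryFile(` / `mode='w', delete=False) as pw_file:` means the file holding the Directory Manager password outlives the with-block, exactly as the mkstemp version did; the hunk does not show where pw_name is removed, so please confirm the existing cleanup after the ldapmodify call still runs on every path, including when ipautil.run raises, or use delete=True and keep the with-block open around the run() call so the file is unlinked automatically. NamedTemporaryFile creates the file with mode 0600 like mkstemp, so permissions are unchanged; as in 01/21, the text-mode write requires dm_password to be unicode on Python 2.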

From 35af241c73eb9a3a38a7f613ff24751bd5a10fae Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 03/21] py3: open temporary ldif file in text mode

The ldif parser uses the file in text mode, so we have to open it in text mode
in py3.

Also, values passed to the parser should be bytes.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6e7019a..a38d4f7 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -589,14 +589,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
 parser.replace_value(
 'cn=config,cn=ldbm database,cn=plugins,cn=config',
 'nsslapd-db-locks',
-['5']
+[b'5']
 )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin
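Review bot: `mode='w'` at `with tempfile.NamedTemporaryFile(` and the unchanged `with open(dse_filename, "r") as input_file:` both rely on the locale default encoding on Python 3; if ipa-server-install runs under a C/POSIX locale the rewrite of dse.ldif becomes environment-dependent, so an explicit encoding on both opens (encoding='utf-8', or ASCII if dse.ldif is guaranteed 7-bit) would make the behaviour deterministic. Also, the commit subject says the file is now opened in text mode while the value becomes bytes (`[b'5']`); a one-line code comment stating that ModifyLDIF expects bytes values even though it writes a text stream would save the next reader the same puzzlement.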

From 747a29ef0c09276c5b6fb71990d9a9271bce2c25 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 19:01:29 +0100
Subject: [PATCH 04/21] py3: ldap modlist must have keys as string, not bytes

https://fedorahosted.org/free

[Freeipa-devel] [freeipa PR#394][opened] Add fix for ipa plugins command

2017-01-12 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/394
Author: Akasurde
 Title: #394: Add fix for ipa plugins command
Action: opened

PR body:
"""
Fix adds count of plugins loaded to return dict

Fixes https://fedorahosted.org/freeipa/ticket/6513

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/394/head:pr394
git checkout pr394
From dc2804cff9be5e090bbd5bb503142934438b58cb Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Thu, 12 Jan 2017 18:38:37 +0530
Subject: [PATCH] Add fix for ipa plugins command

Fix adds count of plugins loaded to return dict

Fixes https://fedorahosted.org/freeipa/ticket/6513

Signed-off-by: Abhijeet Kasurde 
---
 ipalib/misc.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipalib/misc.py b/ipalib/misc.py
index 687b018..264ec29 100644
--- a/ipalib/misc.py
+++ b/ipalib/misc.py
@@ -128,4 +128,5 @@ def execute(self, **options):
 
 return dict(
 result=result,
+count=len(result),
 )
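Review bot: `count=len(result),` adds a key to the return dict, but the diffstat shows only ipalib/misc.py changing; if the plugins command declares its result shape with `has_output` as other IPA commands do, the new key must be declared there as well or output validation will reject the result, and the test expectations for this command need the same update. The commit message should also say what `count` counts (the number of plugin entries in `result`) so the ticket's intent is recorded with the change.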
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] GetEffectiveRights and add ACIs

2017-01-12 Thread Fraser Tweedale
In ca_add.pre_callback, we have:

  if not ldap.can_add(dn[1:]):
  raise ACIError(...)

`can_add' uses the GetEffectiveRights control to see what rights the
user has.

When a user with the 'System: Add CA' permission attempts to add a
CA, the above ACIError gets raised.  This is definitely a bug.  I
think it is a bug in DS GetEffectiveRights code.

The ACI in play is:

  dn: cn=cas,cn=ca,dc=ipa,dc=local
  aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local";)
  ...

The user definitely has the right membership:

  dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=local
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=local
  memberof: cn=CA Administrator,cn=roles,cn=accounts,dc=ipa,dc=local
  memberof: cn=LWCA Administration,cn=privileges,cn=pbac,dc=ipa,dc=local
  memberof: cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=local

William suggested I check whether direct vs. indirect membership
made a difference.  It does not.

A wild guess is that the algorithm that computes whether the subject
has add access under the given entry does not take the targetfilter
into account.  To solve, perhaps we could ignore ACI targetfilter when
computing add access for GER.

Alternatively, is there another way for a user to determine if they
can add an entry at a particular place, without actually doing the
add?

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
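The pre-check discussed in the message above, decoding a GetEffectiveRights (GER) result into "may this user add/delete here?" answers, as an added illustration that is not the code of FreeIPA's ldap2 plugin or of 389 DS. Assumptions: the flag letters follow 389 DS's documented GER encoding (entryLevelRights: a=add, d=delete, n=rename, v=view; attributeLevelRights: r=read, s=search, c=compare, w=write, o=obliterate), attributeLevelRights values are "attr:flags" pairs that may be comma-separated within one value, and the sample entries are constructed. It also shows what such a check cannot see: per the hypothesis in the mail, a targetfilter on the ACI is evaluated against the entry being added, which does not exist when GER is asked about the parent.

```python
"""Decode a GetEffectiveRights (GER) search result into an EffectiveRights
object and answer can_add/can_delete/can_write questions from it.
Added illustration for the GER thread; not FreeIPA or 389 DS code."""

from dataclasses import dataclass, field
from typing import Dict, List, Set

# Flag letters as documented for 389 DS GER (assumption, see lead-in).
ENTRY_FLAGS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}
ATTR_FLAGS = {"r": "read", "s": "search", "c": "compare",
              "w": "write", "o": "obliterate"}


@dataclass
class EffectiveRights:
    dn: str
    entry: Set[str] = field(default_factory=set)           # entry-level rights
    attrs: Dict[str, Set[str]] = field(default_factory=dict)  # attr -> rights
    unknown: Set[str] = field(default_factory=set)         # letters not recognised


def parse_effective_rights(dn: str, entry: Dict[str, List[str]]) -> EffectiveRights:
    """entry is the attribute map returned by a GER-controlled search for dn.
    Attribute names are matched case-insensitively, as LDAP does."""
    lowered = {name.lower(): values for name, values in entry.items()}
    rights = EffectiveRights(dn)
    for value in lowered.get("entrylevelrights", []):
        for flag in value:
            if flag in ENTRY_FLAGS:
                rights.entry.add(ENTRY_FLAGS[flag])
            else:
                rights.unknown.add(flag)  # an unknown letter grants nothing
    for value in lowered.get("attributelevelrights", []):
        for pair in value.split(","):
            attr, sep, flags = pair.strip().partition(":")
            if not sep or not attr:
                raise ValueError("malformed attributeLevelRights value: %r" % pair)
            granted = rights.attrs.setdefault(attr.lower(), set())
            for flag in flags:
                if flag in ATTR_FLAGS:
                    granted.add(ATTR_FLAGS[flag])
                else:
                    rights.unknown.add(flag)
    return rights


def can_add(rights: EffectiveRights) -> bool:
    """GER on the parent entry, look for the add flag.  A targetfilter ACI
    (per the mail's hypothesis) cannot be reflected here, because the entry
    the filter would be matched against does not exist yet."""
    return "add" in rights.entry


def can_delete(rights: EffectiveRights) -> bool:
    return "delete" in rights.entry


def can_write(rights: EffectiveRights, attribute: str) -> bool:
    return "write" in rights.attrs.get(attribute.lower(), set())


# Constructed samples: what a GER search on the cn=cas container might
# return for a user whose only add right comes from a targetfilter ACI
# (no 'a' reported), and for a full administrator.
CAS_DN = "cn=cas,cn=ca,dc=ipa,dc=local"
SAMPLE_RESTRICTED = {
    "entryLevelRights": ["v"],
    "attributeLevelRights": ["cn:rsc, objectClass:rsc"],
}
SAMPLE_ADMIN = {
    "entryLevelRights": ["vadn"],
    "attributeLevelRights": ["cn:rscwo, objectClass:rscwo"],
}

if __name__ == "__main__":
    for label, sample in (("restricted", SAMPLE_RESTRICTED), ("admin", SAMPLE_ADMIN)):
        r = parse_effective_rights(CAS_DN, sample)
        print(label, "can_add:", can_add(r), "can write cn:", can_write(r, "cn"))
```

The parser deliberately treats unrecognised flag letters as granting nothing and records them in `unknown`, so a newer server that introduces a flag cannot silently widen a pre-check.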


[Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag

2017-01-12 Thread Fraser Tweedale
Related to design:
http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

Currently there are some operations that hit the CA that involve a
number of privileged operations against the CA, but for which there
is only one associated IPA permission.  Deleting a CA is a good
example (but it is one specific case of a more general issue).
Summary of current ca-del behaviour:

1. Disable LWCA in Dogtag (uses RA Agent cert)
2. Delete LWCA in Dogtag (uses RA Agent cert)
3. Delete CA entry from IPA (requires "System: Delete CA" permission)

So there are two things going on under the hood: a modify operation
(disable CA) and the delete.

When we implement proxy authentication to Dogtag, Dogtag will
enforce the IPA permissions on its operations.  Disable will map to
"System: Modify CA" and delete to "System: Delete CA".  So to delete
a CA a user will need *both* permissions.  Which could be
surprising.

There are a couple of reasonable approaches to this.

1. Decouple the disable and delete operations.  If CA is not
disabled, the user will be instructed to execute the ca-disable
command separately before they can disable the CA.  This introduces
an additional manual step for operators.

2. Just improve the error reporting.  In my WIP, for a user that has
'System: Delete CA' permission but not 'System: Modify CA', the
reported failure is a 403 Authorization Error from Dogtag.  We can
add guards to fail more gracefully.

I lean towards #2 because I guess the common case will be that users
either get all CA admin permissions, or none, and we don't want to
make more work (in the form of more commands to run) for users in
the common case.

I welcome alternative views and suggestions.

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
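A pre-flight guard of the kind option 2 above proposes, checking every permission a compound command will exercise before the first Dogtag call so the user gets a complete explanation instead of a 403, as an added illustration that is not FreeIPA's or Dogtag's code. The step list and the permission names are the mail's own ca-del summary; the step table, the exception type and the sample permission sets are constructed here, and the rule that an already-disabled CA skips the disable step (and therefore its permission) is an assumption.

```python
"""Pre-flight permission guard for a compound command such as ca-del.
Added illustration for the design mail; not FreeIPA or Dogtag code."""

from typing import Iterable, List, NamedTuple, Tuple


class Step(NamedTuple):
    description: str
    permission: str        # IPA permission enforced for this step
    only_if_enabled: bool  # assumption: skipped when the CA is already disabled


# Constructed table: the mail's ca-del summary mapped to the permissions
# Dogtag would enforce once proxy authentication lands.
COMMAND_STEPS = {
    "ca-del": (
        Step("disable CA in Dogtag", "System: Modify CA", True),
        Step("delete CA in Dogtag", "System: Delete CA", False),
        Step("delete CA entry from IPA", "System: Delete CA", False),
    ),
    "ca-disable": (
        Step("disable CA in Dogtag", "System: Modify CA", True),
    ),
}


class MissingPermissionError(Exception):
    """Raised before any privileged call; names every missing permission."""

    def __init__(self, command: str, missing: List[Tuple[str, str]]):
        self.command = command
        self.missing = missing
        details = "; ".join("%s needs '%s'" % (step, perm) for step, perm in missing)
        super().__init__("%s: insufficient permissions: %s" % (command, details))


def required_permissions(command: str, ca_enabled: bool = True) -> List[str]:
    """Distinct permissions the command will exercise, in step order."""
    seen: List[str] = []
    for step in COMMAND_STEPS[command]:
        if step.only_if_enabled and not ca_enabled:
            continue
        if step.permission not in seen:
            seen.append(step.permission)
    return seen


def missing_permissions(command: str, user_permissions: Iterable[str],
                        ca_enabled: bool = True) -> List[Tuple[str, str]]:
    """(step, permission) pairs the user lacks; an empty list passes the guard."""
    have = set(user_permissions)
    return [
        (step.description, step.permission)
        for step in COMMAND_STEPS[command]
        if not (step.only_if_enabled and not ca_enabled)
        and step.permission not in have
    ]


def guard(command: str, user_permissions: Iterable[str], ca_enabled: bool = True) -> None:
    """Call before the first Dogtag request; raises with the full list."""
    missing = missing_permissions(command, user_permissions, ca_enabled)
    if missing:
        raise MissingPermissionError(command, missing)


if __name__ == "__main__":
    # Constructed user: holds only the delete permission, as in the mail.
    print(missing_permissions("ca-del", {"System: Delete CA"}))
```

Because the guard reports all missing permissions at once, an operator who has neither permission learns that in one round trip rather than discovering the second requirement only after obtaining the first.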


[Freeipa-devel] [freeipa PR#395][opened] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-12 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/395
Author: flo-renaud
 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"
Action: opened

PR body:
"""
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:

i.e. all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica. Using "localhost" instead works with IPv4 or IPv6.

https://fedorahosted.org/freeipa/ticket/6575
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/395/head:pr395
git checkout pr395
From d021e7264daaccbf9f7fc3d0ce9c302350d4dbfc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 12 Jan 2017 18:17:15 +0100
Subject: [PATCH] Configure PKI ajp redirection to use "localhost" instead of
 "::1"

When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:

i.e. all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica. Using "localhost" instead works with IPv4 or IPv6.

https://fedorahosted.org/freeipa/ticket/6575
---
 ipaserver/install/cainstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f933479..e291986 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -597,7 +597,7 @@ def __spawn_instance(self):
 
 # PKI IPv6 Configuration
 config.add_section("Tomcat")
-config.set("Tomcat", "pki_ajp_host", "::1")
+config.set("Tomcat", "pki_ajp_host", "localhost")
 
 # Generate configuration file
 with open(cfg_file, "wb") as f:
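Review bot: the comment `# PKI IPv6 Configuration` two lines above the change is now stale, since `config.set("Tomcat", "pki_ajp_host", "localhost")` no longer pins the IPv6 loopback; reword it to say the AJP connector uses the localhost name so it works with either loopback family. Note also that the fix replaces a literal with a name, so the AJP connector now depends on "localhost" resolving through /etc/hosts; a hosts file that maps localhost to neither loopback would still fail, which is worth stating in the PR body or the ticket.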
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
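The precondition named in PR#395, whether /etc/hosts defines ::1 (or any loopback of each family) for localhost, as a small checker that an installer or a troubleshooting step could run before configuring the AJP connector. This is an added illustration, not FreeIPA's or Dogtag's code; the hosts-file samples are constructed and the function names are ours.

```python
"""Check what "localhost" resolves to in an /etc/hosts-style file.
Added illustration for PR#395; not FreeIPA or Dogtag code."""

import ipaddress
from typing import Dict, List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_hosts(text: str) -> Dict[str, List[Address]]:
    """Map each hostname/alias (lower-cased) to the addresses listed for it.
    Comments and blank lines are skipped; a line whose first field is not a
    valid IP address is ignored rather than trusted."""
    mapping: Dict[str, List[Address]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def loopback_coverage(text: str, name: str = "localhost") -> Dict[str, bool]:
    """Does *name* resolve to an IPv4 loopback and to an IPv6 loopback?"""
    addrs = parse_hosts(text).get(name.lower(), [])
    return {
        "ipv4": any(a.version == 4 and a.is_loopback for a in addrs),
        "ipv6": any(a.version == 6 and a.is_loopback for a in addrs),
    }


def localhost_maps_to(text: str, address: str, name: str = "localhost") -> bool:
    """The exact condition from the PR: is *address* (e.g. "::1") defined
    for *name* in the hosts file?"""
    wanted = ipaddress.ip_address(address)
    return wanted in parse_hosts(text).get(name.lower(), [])


# Constructed samples: a hosts file carrying only the IPv4 loopback line
# (the failing case in the PR) and the usual distro default with both.
HOSTS_IPV4_ONLY = """\
127.0.0.1   localhost localhost.localdomain
192.0.2.10  ipa.example.test ipa   # constructed server entry
"""
HOSTS_BOTH = HOSTS_IPV4_ONLY + "::1         localhost localhost.localdomain ip6-localhost\n"

if __name__ == "__main__":
    for label, sample in (("ipv4-only", HOSTS_IPV4_ONLY), ("both", HOSTS_BOTH)):
        print(label, loopback_coverage(sample), "::1 for localhost:",
              localhost_maps_to(sample, "::1"))
```

With the IPv4-only file, `localhost_maps_to(text, "::1")` is False, which is the configuration the PR describes; "localhost" still resolves to 127.0.0.1 there, which is why the name works where the literal did not.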