[Freeipa-devel] [freeipa PR#856][opened] adtrustinstance: fix a bug + pep8, py3 fixes
URL: https://github.com/freeipa/freeipa/pull/856 Author: stlaz Title: #856: adtrustinstance: fix a bug + pep8, py3 fixes Action: opened PR body: """ There was a bug in adtrustinstance where there was a comparison of a number to a string which was tailored so that it would always pass (or at least in the default case). Luckily for us, Python 3 is a bit more clever so it was throwing exceptions there. We may want a ticket different from https://pagure.io/freeipa/issue/4985 for that but I am keeping that one for now, will only create a new one if requested. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/856/head:pr856 git checkout pr856 From f471f653f44c6cc054680ae619bb1496ed79429c Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 7 Jun 2017 08:10:20 +0200 Subject: [PATCH 1/3] adtrustinstance: fix ID range comparison The ID range comparison was comparing numbers to a string or possibly to `None` and was tailored in such a way that the check would always pass although it went directly against the definition of the absolute value of a substitution. https://pagure.io/freeipa/issue/4985 --- ipaserver/install/adtrustinstance.py | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 66dd6b57b6..b5d5751276 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py 
@@ -345,9 +345,14 @@ def __add_rid_bases(self): # Abort if RID bases are too close local_range = ranges_with_no_rid_base[0] -size = local_range.single_value.get('ipaIDRangeSize') +try: +size = int(local_range.single_value.get('ipaIDRangeSize')) +except ValueError: +raise RuntimeError('ipaIDRangeSize is set to a non-integer ' + 'value or is not set at all (got {val})' + .format(val=size)) -if abs(self.rid_base - self.secondary_rid_base) > size: +if abs(self.rid_base - self.secondary_rid_base) < size: self.print_msg("Primary and secondary RID base are too close. " "They have to differ at least by %d." % size) raise RuntimeError("RID bases too close.\n") From 7b9f7a3ce53736dbf4077e3ea8fd04589e6ca131 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 7 Jun 2017 08:16:17 +0200 Subject: [PATCH 2/3] adtrustinstance: pep8 fix --- ipaserver/install/adtrustinstance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index b5d5751276..c303d032d4 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -354,7 +354,7 @@ def __add_rid_bases(self): if abs(self.rid_base - self.secondary_rid_base) < size: self.print_msg("Primary and secondary RID base are too close. " - "They have to differ at least by %d." % size) + "They have to differ at least by %d." % size) raise RuntimeError("RID bases too close.\n") # Modify the range From 2dfe19fdfab39dd019f10467845222d65ff0f7f9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 7 Jun 2017 08:18:32 +0200 Subject: [PATCH 3/3] adtrustinstance: write the conf as a string Since ipautil.template_file() returns a string, we should not try to write it as bytes. https://pagure.io/freeipa/issue/4985 --- ipaserver/install/adtrustinstance.py | 17 + 1 file changed, 5 insertions(+), 12 deletions(-) 
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index c303d032d4..5e5f13f747 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -509,23 +509,16 @@ def __add_s4u2proxy_target(self): self.print_msg(UPGRADE_ERROR % dict(dn=targets_dn)) def __write_smb_registry(self): -template = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template") -conf = ipautil.template_file(template, self.sub_dict) -[tmp_fd, tmp_name] = tempfile.mkstemp() -os.write(tmp_fd, conf) -os.close(tmp_fd) - # Workaround for: https://fedorahosted.org/freeipa/ticket/5687 # We make sure that paths.SMB_CONF file exists, hence touch it with open(paths.SMB_CONF, 'a'): os.utime(paths.SMB_CONF, None) -args = [paths.NET, "conf", "import", tmp_name] - -try: -ipautil.run(args) -finally: -os.remove(tmp_name) +template = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template") +conf = ipautil.template_file(template, self.sub_dict) +with tempfile.NamedTemporaryFile(mode='w') as tmp_c
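Review bot: in the `except ValueError:` branch of the ipaIDRangeSize hunk (patch 1/3), `size` is referenced in the error message before it was ever assigned, because the `int()` call on the right-hand side is what failed; on a bad value this raises UnboundLocalError instead of the intended RuntimeError. In addition, when the attribute is absent `single_value.get()` returns `None`, and `int(None)` raises TypeError, not ValueError, so the "is not set at all" case the message describes is never caught. Read the raw value into its own name first and catch both exceptions: `raw = local_range.single_value.get('ipaIDRangeSize')`, `try: size = int(raw)`, `except (TypeError, ValueError): raise RuntimeError(... .format(val=raw))`. The flipped comparison itself is correct: the bases must be at least `size` apart, so the abort condition is `abs(...) < size`.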
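Review bot: the `__write_smb_registry` hunk (patch 3/3) is cut off on this page after `with tempfile.NamedTemporaryFile(mode='w') as tmp_c`, so it is not visible whether the file is flushed before its name is passed to `net conf import`. With a text-mode NamedTemporaryFile the rendered config sits in Python's buffer until `flush()` or close, and handing the name to an external process before that can import an empty or partial file; the old `os.write`/`os.close` sequence did not have this problem. Permissions are unchanged by the switch: both `mkstemp()` and `NamedTemporaryFile()` create the file with mode 0600, so the rendered smb.conf is not exposed to other users while it sits in the temp directory.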
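The comparison bug described in the PR body, as an added example that is not part of the thread and not FreeIPA code: the RID-base distance check from `__add_rid_bases`, written so it behaves the same on Python 2 and 3 and so that a missing or non-integer `ipaIDRangeSize` is reported instead of silently passing. Function names and the sample base and size values are my own; the only thing taken from the page is the check being guarded.

```python
"""Added example, not FreeIPA code: a Python 2/3-safe version of the
RID-base distance check from adtrustinstance.__add_rid_bases.

Why the original check never fired: in Python 2 a number compared to a
string always sorts first, so ``abs(a - b) > '200000'`` is False for
every a and b and the "too close" abort is unreachable. Python 3 raises
TypeError for the same comparison, which is how the bug surfaced.
"""


def parse_range_size(raw):
    """Return ipaIDRangeSize as an int.

    ``raw`` is whatever the LDAP entry handed back: a str value, an int,
    or None when the attribute is absent. TypeError (None) and ValueError
    (garbage) both become a RuntimeError that names the offending value;
    the value is captured before int() runs so the message can use it.
    """
    try:
        return int(raw)
    except (TypeError, ValueError):
        raise RuntimeError(
            'ipaIDRangeSize is set to a non-integer value or is not set '
            'at all (got {val!r})'.format(val=raw))


def rid_bases_far_enough(rid_base, secondary_rid_base, raw_size):
    """True when the two RID bases differ by at least the range size.

    A range covers [base, base + size), so bases closer than ``size``
    would hand out overlapping RIDs to users and groups.
    """
    size = parse_range_size(raw_size)
    return abs(rid_base - secondary_rid_base) >= size


def check_rid_bases(rid_base, secondary_rid_base, raw_size):
    """Installer-style check: raise on overlap, return the size otherwise."""
    size = parse_range_size(raw_size)
    if abs(rid_base - secondary_rid_base) < size:
        raise RuntimeError(
            "Primary and secondary RID base are too close. "
            "They have to differ at least by %d." % size)
    return size


if __name__ == '__main__':
    # Constructed inputs in the shape the installer sees: the range size
    # comes back from LDAP as a string, the bases are ints.
    print(check_rid_bases(1000, 100000000, '200000'))
    try:
        check_rid_bases(1000, 1500, '200000')
    except RuntimeError as err:
        print(err)
```

Note that `parse_range_size` reports `None` explicitly; with the PR's `except ValueError` alone a missing attribute would still have escaped as an unrelated TypeError.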
[Freeipa-devel] [freeipa PR#856][+py3] adtrustinstance: fix a bug + pep8, py3 fixes
URL: https://github.com/freeipa/freeipa/pull/856 Title: #856: adtrustinstance: fix a bug + pep8, py3 fixes Label: +py3 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#833][comment] Fixes traceback in log and corrects console output
URL: https://github.com/freeipa/freeipa/pull/833 Title: #833: Fixes traceback in log and corrects console output stlaz commented: """ Yes, I believe that when the base DN of a search is not found, we should generally not be treating this gently. """ See the full comment at https://github.com/freeipa/freeipa/pull/833#issuecomment-306693161
[Freeipa-devel] [freeipa PR#833][comment] Fixes traceback in log and corrects console output
URL: https://github.com/freeipa/freeipa/pull/833 Title: #833: Fixes traceback in log and corrects console output HonzaCholasta commented: """ NACK. Please don't "fix" the framework with workarounds for ill-behaved commands, this needs to be fixed in the trust plugin. """ See the full comment at https://github.com/freeipa/freeipa/pull/833#issuecomment-306691293
[Freeipa-devel] [freeipa PR#833][-ack] Fixes traceback in log and corrects console output
URL: https://github.com/freeipa/freeipa/pull/833 Title: #833: Fixes traceback in log and corrects console output Label: -ack
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ I thought just defining it as None in the constants was enough ? We do not want to set a kinit_lifetime entry in defaults.conf, I am ok with the default being None for now I think. """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306616228 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients abbra commented: """ Pylint failed: ``` * Module ipaserver.rpcserver ipaserver/rpcserver.py:973: [E1101(no-member), login_password.kinit] Class 'env' has no 'kinit_lifetime' member) make: *** [pylint] Error 2 ``` Do we want to set `kinit_lifetime` during upgrade if it is missing? """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306563697
[Freeipa-devel] [freeipa PR#833][+ack] Fixes traceback in log and corrects console output
URL: https://github.com/freeipa/freeipa/pull/833 Title: #833: Fixes traceback in log and corrects console output Label: +ack
[Freeipa-devel] [freeipa PR#833][comment] Fixes traceback in log and corrects console output
URL: https://github.com/freeipa/freeipa/pull/833 Title: #833: Fixes traceback in log and corrects console output felipevolpone commented: """ Tested and it works. Looks good to me. """ See the full comment at https://github.com/freeipa/freeipa/pull/833#issuecomment-306559399
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ In my test setup I verified the cookie does not have the MaxAge setting, and that kinit_lifetime properly causes the session to expire after the lifetime indicated. """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306539239 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ Fixes https://pagure.io/freeipa/issue/6774 """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306538965 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#855][opened] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Author: simo5 Title: #855: Prevent issues with older clients Action: opened PR body: """ Older clients have issues parsing cookies, and cannot handle well the MaxAge setting. So the first patch is about removing it. Unfortunately this means cookies will be valid for the duration of the authentication ticket which is set to 24h by default. This is a bit high, so the second patch adds the ability to set the "kinit_lifetime" in /etc/api/default.conf so that users authenticating using username/password can have their tickets (and therefore their session) hard capped at whatever lifetime is set there. Users that use HTTP negotiate can control their session duration by getting shorter lived tickets via kinit. In all cases users can click on the logout button to blow away credentials. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/855/head:pr855 git checkout pr855 From f0a57d5b9b17331d4bf277ff28718b42c66460b9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 5 Jun 2017 09:50:22 -0400 Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit. https://pagure.io/freeipa/issue/6774 Signed-off-by: Simo Sorce --- ipalib/constants.py | 1 + ipalib/install/kinit.py | 5 - ipaserver/rpcserver.py | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 5279b64789..ab466bab7f 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -155,6 +155,7 @@ ('session_auth_duration', '20 minutes'), # How a session expiration is computed, see SessionManager.set_session_expiration_time() ('session_duration_type', 'inactivity_timeout'), +('kinit_lifetime', None), # Debugging: ('verbose', 0), 
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 73471f103e..91ea5132aa 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): def kinit_password(principal, password, ccache_name, config=None, armor_ccache_name=None, canonicalize=False, - enterprise=False): + enterprise=False, lifetime=None): """ perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service @@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None, % armor_ccache_name) args.extend(['-T', armor_ccache_name]) +if lifetime: +args.extend(['-l', lifetime]) + if canonicalize: root_logger.debug("Requesting principal canonicalization") args.append('-C') diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 32f286148b..2990df2598 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name): password, ccache_name, armor_ccache_name=armor_path, -enterprise=True) +enterprise=True, +lifetime=self.api.env.kinit_lifetime) if armor_path: self.debug('Cleanup the armor ccache') From 969ed06cec5aa8efe8164899fbb73ff26f96b944 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 6 Jun 2017 09:04:58 -0400 Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients Older clients have issues properly parsing cookies and the sessionMaxAge setting is one of those that breaks them. Comment out the setting and add a comment that explains why it is not set by default. https://pagure.io/freeipa/issue/6774 Signed-off-by: Simo Sorce --- install/conf/ipa.conf | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index a7ca5ce715..01bf9a4f97 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf 
@@ -1,5 +1,5 @@ # -# VERSION 26 - DO NOT REMOVE THIS LINE +# VERSION 27 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -77,7 +77,9 @@ WSGIScriptReloading Off Session On SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION - SessionMaxAge 1800 + # Uncomment the following to have shorter sessions, but beware this may break + # old IPA client tols that incorrectly parse cookies. + # SessionMaxAge 1800 GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiImpersonate On
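Review bot: in the kinit.py/rpcserver.py hunks (patch 1/2), the value of `api.env.kinit_lifetime` is handed to `kinit -l` without any validation. It is passed as a separate argv element, so there is no shell injection risk, but a malformed string in default.conf makes every username/password login fail with a kinit error that does not point back at the config key. Validate the value where it is read (or at least log it at debug level next to the existing "Using armor ccache" message) when it is set. Also note that `-l` is a request, not a guarantee: the KDC clamps it to the principal's and realm's max ticket life, so the effective session cap is the smaller of the two, which the commit message should say.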
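Review bot: the added comment line in the ipa.conf hunk (patch 2/2) has a typo, "tols" for "tools". More important is what the hunk gives up: with `SessionMaxAge 1800` commented out, mod_session no longer enforces any absolute lifetime on the `ipa_session` cookie, so the only cap left is the Kerberos ticket behind it (24h by default per the PR description, `kinit_lifetime` for password logins if set, and whatever the user asked kinit for in the Negotiate case). The comment should state that trade-off and name `kinit_lifetime` as the replacement knob, so that an administrator who does not have old clients knows to re-enable the directive, and the VERSION bump means the upgraded file will silently carry the longer sessions onto existing servers.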
[Freeipa-devel] [freeipa PR#848][comment] sssd.py: Deprecating no-sssd option.
URL: https://github.com/freeipa/freeipa/pull/848 Title: #848: sssd.py: Deprecating no-sssd option. MartinBasti commented: """ Please fill `changelog` in the ticket about this change. """ See the full comment at https://github.com/freeipa/freeipa/pull/848#issuecomment-306537875
[Freeipa-devel] [freeipa PR#836][closed] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Author: MartinBasti Title: #836: Only warn when specified server IP addresses don't match intf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/836/head:pr836 git checkout pr836
[Freeipa-devel] [freeipa PR#836][comment] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Title: #836: Only warn when specified server IP addresses don't match intf MartinBasti commented: """ master: * 6637980af6069623d944d9d592cbadba20b610a2 Only warn when specified server IP addresses don't match intf ipa-4-5: * 6206ac8bd23250bda0f8eb628f422671b9b99ad1 Only warn when specified server IP addresses don't match intf """ See the full comment at https://github.com/freeipa/freeipa/pull/836#issuecomment-306536699 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#836][+pushed] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Title: #836: Only warn when specified server IP addresses don't match intf Label: +pushed
[Freeipa-devel] [freeipa PR#854][comment] RFC: server-side smart card auth advise plugin
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: RFC: server-side smart card auth advise plugin abbra commented: """ It looks good, thanks. One small comment is that we probably want to allow the script to work on non-RPM platforms as well (Debian or Ubuntu too) where `yum` does not exist. On the other hand, we also would probably want to eventually allow setting this up against `mod_ssl` too. These two changes can be added later. """ See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306523469
[Freeipa-devel] [freeipa PR#854][opened] RFC: server-side smart card auth advise plugin
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: RFC: server-side smart card auth advise plugin Action: opened PR body: """ This advise plugin generates a script which configures all the components required for successful processing of smart card auth requests on IPA server. I could split it into sub-advises and call them from the combined advise but that would require some further refactoring of advise plugin framework. Let me know if you would prefer this way instead. https://pagure.io/freeipa/issue/6982 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/854/head:pr854 git checkout pr854 From 7761b0c4dd29d07a4431a55da7343f77e6cb0d49 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 5 Jun 2017 16:59:25 +0200 Subject: [PATCH 1/2] Extend the advice printing code by some useful abstractions The advise printing code was augmented by methods that simplify generating bash snippets that report errors or failed commands. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/base.py | 34 -- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index 40dabd0426..72ac7b092f 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py 
@@ -94,8 +94,38 @@ def debug(self, line): if self.options.verbose: self.comment('DEBUG: ' + line) -def command(self, line): -self.content.append(line) +def command(self, line, indent_spaces=0): +self.content.append( +'{}{}'.format(self._format_indent(indent_spaces), line)) + +def _format_indent(self, num_spaces): +return ' ' * num_spaces + +def echo_error(self, error_message, indent_spaces=0): +self.command( +'{}echo "{}" >&2'.format( +self._format_indent(indent_spaces), error_message)) + +def exit_on_failed_command(self, command_to_run, + error_message_lines, indent_spaces=0): +self.command(command_to_run, indent_spaces=indent_spaces) +self.exit_on_predicate( +'"$?" -ne "0"', error_message_lines, indent_spaces=indent_spaces) + +def exit_on_predicate(self, predicate, error_message_lines, + indent_spaces=0): +if_command = 'if [ {} ]'.format(predicate) +self.command(if_command, indent_spaces=indent_spaces) +self.command('then', indent_spaces=indent_spaces) + +indented_block_spaces = indent_spaces + 2 + +for error_message_line in error_message_lines: +self.echo_error( +error_message_line, indent_spaces=indented_block_spaces) + +self.command('exit 1', indent_spaces=indented_block_spaces) +self.command('fi', indent_spaces=indent_spaces) class Advice(Plugin): From 63c3389d2ba7a819b5ffe5e235ebaf2edc59e19b Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 2 Jun 2017 18:36:29 +0200 Subject: [PATCH 2/2] Prepare an advise plugin for server-side smart card auth configuration The plugin will contain topics for configuring Smart Card authentication on FreeIPA server. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/plugins/smart_card_auth.py | 147 1 file changed, 147 insertions(+) create mode 100644 ipaserver/advise/plugins/smart_card_auth.py diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py new file mode 100644 index 00..7e388a75b7 --- /dev/null +++ b/ipaserver/advise/plugins/smart_card_auth.py 
@@ -0,0 +1,147 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +from ipalib.plugable import Registry +from ipaplatform.paths import paths +from ipaserver.advise.base import Advice +from ipaserver.install.httpinstance import NSS_OCSP_ENABLED + +register = Registry() + + +@register() +class config_server_for_smart_card_auth(Advice): +""" +Configures smart card authentication via Kerberos (PKINIT) and for WebUI +""" + +description = ("Instructions for enabling Smart Card authentication on " + "FreeIPA server. Includes Apache configuration, enabling " + "PKINIT on KDC and configuring WebUI to accept Smart Card " + "auth requests") + +nss_conf = paths.HTTPD_NSS_CONF +nss_ocsp_directive = 'NSSOCSP' +nss_nickname_directive = 'NSSNickname' + +def get_info(self): +self.check_ccache_not_empty() +self.check_hostname_is_in_masters() +self.resolve_ipaca_records() +self.enable_nss_ocsp() +self.mark_httpd_cert_as_trusted() +self.restart_httpd() +self.record_httpd_ocsp_status() +self.check_and_enable_pkinit() +self.enable_ok_to_auth_as_delegate_on_http_principal() + +def check_ccache_not_empty(self): +self.lo
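Review bot: in the base.py hunk (patch 1/2), `echo_error` interpolates `error_message` into a double-quoted bash word, `'{}echo "{}" >&2'.format(self._format_indent(indent_spaces), error_message)`, without escaping, so a message containing a double quote, a backtick or `$` either breaks the generated script or gets expanded by the shell when the administrator runs it. Since these helpers are meant to be shared by other advise plugins, quote the message with `shlex.quote()` (`pipes.quote()` on Python 2) before formatting it in, or document that messages must be plain literals. `exit_on_predicate` has the same property for `predicate`, which is acceptable while callers pass literal test expressions such as `'"$?" -ne "0"'`, but it deserves a docstring saying so. The smart_card_auth.py hunk (patch 2/2) is cut off on this page after `check_ccache_not_empty`, so the rest of the generated script cannot be reviewed here.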
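The shell-quoting point above, as an added example that is not part of the thread and not FreeIPA's advise code: a stand-in for the `_AdviceOutput` helpers from the base.py hunk, with the error message quoted for the shell before it is interpolated. The class and function names are my own, the message strings are constructed for the demo, and the layout of the generated `if`/`then`/`fi` block mirrors the hunk.

```python
"""Added example, not FreeIPA code: advise-script helpers whose error
messages cannot break out of the generated bash.

The PR formats the message into '{}echo "{}" >&2'. A message holding a
double quote, a backtick or $(...) then either breaks the script or is
executed when the administrator runs it. shlex.quote() (pipes.quote() on
Python 2) turns any string into one bash word that prints verbatim.
"""
import sys

if sys.version_info[0] >= 3:
    from shlex import quote as shell_quote
else:  # Python 2 ships the same function in the pipes module
    from pipes import quote as shell_quote


class ShellAdvice(object):
    """Collects the lines of a bash script, as the advise plugins do."""

    def __init__(self):
        self.content = []

    @staticmethod
    def _format_indent(num_spaces):
        return ' ' * num_spaces

    def command(self, line, indent_spaces=0):
        self.content.append(
            '{}{}'.format(self._format_indent(indent_spaces), line))

    def echo_error(self, error_message, indent_spaces=0):
        # shell_quote() wraps the message in single quotes and splices
        # any embedded single quote, so no metacharacter reaches bash.
        self.command('echo {} >&2'.format(shell_quote(error_message)),
                     indent_spaces=indent_spaces)

    def exit_on_predicate(self, predicate, error_message_lines,
                          indent_spaces=0):
        # ``predicate`` is a developer-written test expression and is
        # kept verbatim on purpose: it is expected to contain $? etc.
        self.command('if [ {} ]'.format(predicate),
                     indent_spaces=indent_spaces)
        self.command('then', indent_spaces=indent_spaces)
        block = indent_spaces + 2
        for line in error_message_lines:
            self.echo_error(line, indent_spaces=block)
        self.command('exit 1', indent_spaces=block)
        self.command('fi', indent_spaces=indent_spaces)

    def exit_on_failed_command(self, command_to_run, error_message_lines,
                               indent_spaces=0):
        self.command(command_to_run, indent_spaces=indent_spaces)
        self.exit_on_predicate('"$?" -ne "0"', error_message_lines,
                               indent_spaces=indent_spaces)

    def script(self):
        return '\n'.join(self.content) + '\n'


def render_example():
    """Generate the snippet for one failed command (constructed input)."""
    advice = ShellAdvice()
    advice.exit_on_failed_command(
        'systemctl restart httpd.service',
        ['Failed to restart httpd, see "journalctl -u httpd"',
         "Aborting; don't rerun until $HOME/.ipa is cleaned"])
    return advice.script()


if __name__ == '__main__':
    sys.stdout.write(render_example())
```

Running the script prints the `if [ "$?" -ne "0" ]` block with both messages single-quoted; the `$HOME` in the second message is printed literally instead of being expanded by the administrator's shell.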
[Freeipa-devel] [freeipa PR#853][comment] x509,certdb: handle certificates as bytes
URL: https://github.com/freeipa/freeipa/pull/853 Title: #853: x509,certdb: handle certificates as bytes stlaz commented: """ This will require some more refactoring, adding WIP label. Basically, `Bytes` parameter only base64-decodes its value if it's of `unicode`/`str` instance (Python2/Python3), but in most cases, its value is checked with `validate_ceritifate()` of the `ipaserver.plugins.service` module, which requires the certificate to be in DER format. But the certificate won't be decoded to DER from PEM as the above decoding condition is not fulfilled. """ See the full comment at https://github.com/freeipa/freeipa/pull/853#issuecomment-306514713
[Freeipa-devel] [freeipa PR#853][+WIP] x509,certdb: handle certificates as bytes
URL: https://github.com/freeipa/freeipa/pull/853 Title: #853: x509,certdb: handle certificates as bytes Label: +WIP
[Freeipa-devel] [freeipa PR#843][closed] [WIP] Fixing test_installation.py tests
URL: https://github.com/freeipa/freeipa/pull/843 Author: felipevolpone Title: #843: [WIP] Fixing test_installation.py tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/843/head:pr843 git checkout pr843
[Freeipa-devel] [freeipa PR#836][comment] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Title: #836: Only warn when specified server IP addresses don't match intf tomaskrizek commented: """ Thanks for the updates, looks good now. """ See the full comment at https://github.com/freeipa/freeipa/pull/836#issuecomment-306482223
[Freeipa-devel] [freeipa PR#836][+ack] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Title: #836: Only warn when specified server IP addresses don't match intf Label: +ack
[Freeipa-devel] [freeipa PR#836][+prioritized] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Title: #836: Only warn when specified server IP addresses don't match intf Label: +prioritized
[Freeipa-devel] [freeipa PR#841][+prioritized] ipa-kdb: use canonical principal in certauth plugin
URL: https://github.com/freeipa/freeipa/pull/841 Title: #841: ipa-kdb: use canonical principal in certauth plugin Label: +prioritized
[Freeipa-devel] [freeipa PR#847][closed] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847 Author: pvomacka Title: #847: Turn off OCSP check Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/847/head:pr847 git checkout pr847
[Freeipa-devel] [freeipa PR#847][comment] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847 Title: #847: Turn off OCSP check martbab commented: """ ipa-4-5: * 51b361f475b3e25ace982873beb05cafcba95808 Turn off OCSP check master: * 566361e63d4a670460df3dbb28b9d19f38eaea2d Turn off OCSP check """ See the full comment at https://github.com/freeipa/freeipa/pull/847#issuecomment-306459491
[Freeipa-devel] [freeipa PR#847][+pushed] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847 Title: #847: Turn off OCSP check Label: +pushed
[Freeipa-devel] [freeipa PR#847][+ack] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847 Title: #847: Turn off OCSP check Label: +ack
[Freeipa-devel] [freeipa PR#852][closed] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852 Author: HonzaCholasta Title: #852: pkinit manage: introduce ipa-pkinit-manage Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/852/head:pr852 git checkout pr852
[Freeipa-devel] [freeipa PR#852][+pushed] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852 Title: #852: pkinit manage: introduce ipa-pkinit-manage Label: +pushed
[Freeipa-devel] [freeipa PR#852][comment] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852 Title: #852: pkinit manage: introduce ipa-pkinit-manage martbab commented: """ ipa-4-5: * 1b62e5aac9d9668604e82879c020bff310fa549f server certinstall: update KDC master entry * c072135340bc8e75f621e2b9163b1347b9eb528f pkinit manage: introduce ipa-pkinit-manage * cb9353d6e0fbc0912dd20bf29e3835a7740d1af6 server upgrade: do not enable PKINIT by default master: * e131905f3e0fe9179c5f4a09da4e7a204012603a server certinstall: update KDC master entry * 92276c1e8809f3ff6b59bd6124869f816627bac7 pkinit manage: introduce ipa-pkinit-manage * 0772ef20b39b11950fddc913a350534988294c89 server upgrade: do not enable PKINIT by default """ See the full comment at https://github.com/freeipa/freeipa/pull/852#issuecomment-306458799
[Freeipa-devel] [freeipa PR#852][+ack] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852 Title: #852: pkinit manage: introduce ipa-pkinit-manage Label: +ack
[Freeipa-devel] [freeipa PR#836][comment] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Title: #836: Only warn when specified server IP addresses don't match intf MartinBasti commented: """ I don't see reason why not, PR updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/836#issuecomment-306457326 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#836][synchronized] Only warn when specified server IP addresses don't match intf
URL: https://github.com/freeipa/freeipa/pull/836 Author: MartinBasti Title: #836: Only warn when specified server IP addresses don't match intf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/836/head:pr836 git checkout pr836 From bf9886a84393d1d1546db7e49b102e08a16a83e7 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 31 May 2017 15:50:05 +0200 Subject: [PATCH] Only warn when specified server IP addresses don't match intf In containers local addresses differ from public addresses and we need a way to provide only public address to installers. https://pagure.io/freeipa/issue/2715 https://pagure.io/freeipa/issue/4317 --- ipaclient/install/client.py| 4 +- ipalib/install/hostname.py | 2 +- ipalib/util.py | 14 +++ ipapython/ipautil.py | 62 -- ipaserver/install/dns.py | 1 + ipaserver/install/installutils.py | 4 +- ipaserver/install/server/install.py| 2 + ipaserver/install/server/replicainstall.py | 2 + 8 files changed, 59 insertions(+), 32 deletions(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 1aa50372a4..388ab07e02 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -41,6 +41,7 @@ broadcast_ip_address_warning, network_ip_address_warning, normalize_hostname, +no_matching_interface_for_ip_address_warning, verify_host_resolvable, ) from ipaplatform import services @@ -1300,6 +1301,7 @@ def update_dns(server, hostname, options): network_ip_address_warning(update_ips) broadcast_ip_address_warning(update_ips) +no_matching_interface_for_ip_address_warning(update_ips) update_txt = "debug\n" update_txt += ipautil.template_str(DELETE_TEMPLATE_A, @@ -1445,7 +1447,7 @@ def check_ip_addresses(options): if options.ip_addresses: for ip in options.ip_addresses: try: -ipautil.CheckedIPAddress(ip, match_local=True) +ipautil.CheckedIPAddress(ip) except ValueError as e: root_logger.error(e) return False 
diff --git a/ipalib/install/hostname.py b/ipalib/install/hostname.py index ecc2963d15..25ac21e09c 100644 --- a/ipalib/install/hostname.py +++ b/ipalib/install/hostname.py @@ -34,7 +34,7 @@ class HostNameInstallInterface(service.ServiceInstallInterface): def ip_addresses(self, values): for value in values: try: -CheckedIPAddress(value, match_local=True) +CheckedIPAddress(value) except Exception as e: raise ValueError("invalid IP address {0}: {1}".format( value, e)) diff --git a/ipalib/util.py b/ipalib/util.py index 713fc107e9..1bd8495a49 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -1128,3 +1128,17 @@ def broadcast_ip_address_warning(addr_list): # print print("WARNING: IP address {} might be broadcast address".format( ip), file=sys.stderr) + + +def no_matching_interface_for_ip_address_warning(addr_list): +for ip in addr_list: +if not ip.get_matching_interface(): +root_logger.warning( +"No network interface matches the IP address %s", ip) +# fixme: once when loggers will be fixed, we can remove this +# print +print( +"WARNING: No network interface matches the IP address " +"{}".format(ip), +file=sys.stderr +) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 317fc225b7..a277ed8747 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -161,34 +161,7 @@ def __init__(self, addr, match_local=False, parse_netmask=True, raise ValueError("cannot use multicast IP address {}".format(addr)) if match_local: -if self.version == 4: -family = netifaces.AF_INET -elif self.version == 6: -family = netifaces.AF_INET6 -else: -raise ValueError( -"Unsupported address family ({})".format(self.version) -) - -iface = None -for interface in netifaces.interfaces(): -for ifdata in netifaces.ifaddresses(interface).get(family, []): - -# link-local addresses contain '%suffix' that causes parse -# errors in IPNetwork -ifaddr = ifdata['addr'].split(u'%', 1)[0] - -ifnet = netaddr.IPNetwork('{addr}/{netmask}'.format( -addr=ifaddr, -netmask=ifdata['netmask'] -)) -if ifnet == self._net or ( -self._net is
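Review bot: in the check_ip_addresses() hunk of ipaclient/install/client.py (and the ip_addresses() validator hunk in ipalib/install/hostname.py, which makes the same change) dropping `match_local=True` turns a hard failure into silence, because the new no_matching_interface_for_ip_address_warning() is only wired into update_dns(). A mistyped --ip-address that belongs to no local interface is therefore accepted at option-validation time with no message and only flagged later, inside update_dns(). Consider calling the new warning helper right after the `CheckedIPAddress(ip)` loop in check_ip_addresses(), or gating the relaxed behaviour behind an explicit installer option so that non-container installs keep the stricter check the commit message is relaxing for containers.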
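Review bot: the new no_matching_interface_for_ip_address_warning() in ipalib/util.py has no docstring, and it needs one more than its neighbours do: it calls `ip.get_matching_interface()`, a method that does not appear anywhere in the visible part of this patch, so callers must know that only CheckedIPAddress objects are acceptable and that a plain string or a bare netaddr address would raise AttributeError. A one-line docstring naming the expected element type, plus a cross-reference to where get_matching_interface() is defined, would make the contract explicit.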
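Review bot: the ipapython/ipautil.py hunk removes the netifaces interface scan from CheckedIPAddress.__init__, yet the hunk header still shows `match_local=False` in the signature and the unchanged `if match_local:` line in the body, while every caller touched by this patch stops passing the keyword. If `match_local` is now a no-op, remove it (or deprecate it) and update the class docstring; if the truncated remainder of the hunk gives it a new meaning, the commit message should say what passing `match_local=True` does after this change.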
[Freeipa-devel] [freeipa PR#838][+py3] Explicitly ask for py2 dependencies in py2 packages
URL: https://github.com/freeipa/freeipa/pull/838 Title: #838: Explicitly ask for py2 dependencies in py2 packages Label: +py3 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#847][synchronized] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847 Author: pvomacka Title: #847: Turn off OCSP check Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/847/head:pr847 git checkout pr847 From f5c5d8721ef6728a5725f188ec960419bceed268 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 1 Jun 2017 09:56:16 +0200 Subject: [PATCH] Turn off OCSP check The OCSP check was previously turned on but it introduced several issues. Therefore the check will be turned off by default. For turning on should be used ipa advise command with correct recipe. The solution is tracked here: https://pagure.io/freeipa/issue/6982 Fixes: https://pagure.io/freeipa/issue/6981 --- install/restart_scripts/restart_httpd | 15 +--- ipaserver/install/httpinstance.py | 43 +++ ipaserver/install/server/upgrade.py | 25 +++- 3 files changed, 28 insertions(+), 55 deletions(-) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index cd7f12024e..d168481290 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -21,24 +21,11 @@ import syslog import traceback -from ipalib import api from ipaplatform import services -from ipaplatform.paths import paths -from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS -from ipaserver.install import certs, installutils +from ipaserver.install import certs def _main(): - -api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) -api.finalize() - -db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) -nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") - -# Add trust flag which set certificate trusted for SSL connections. -db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS) - syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 555c82213c..b29b8afac4 100644 
--- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -34,8 +34,7 @@ from ipalib.install import certmonger from ipapython import ipaldap from ipapython.certdb import (IPA_CA_TRUST_FLAGS, - EXTERNAL_CA_TRUST_FLAGS, - TRUSTED_PEER_TRUST_FLAGS) + EXTERNAL_CA_TRUST_FLAGS) from ipaserver.install import replication from ipaserver.install import service from ipaserver.install import certs @@ -67,6 +66,10 @@ ] NSS_CIPHER_REVISION = '20160129' +OCSP_DIRECTIVE = 'NSSOCSP' + +NSS_OCSP_ENABLED = 'nss_ocsp_enabled' + def httpd_443_configured(): """ @@ -156,7 +159,7 @@ def create_instance(self, realm, fqdn, domain_name, dm_password=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) -self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) +self.step("disabling mod_nss OCSP", self.disable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) @@ -263,7 +266,12 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) -def enable_mod_nss_ocsp(self): +def disable_mod_nss_ocsp(self): +if sysupgrade.get_upgrade_state('http', NSS_OCSP_ENABLED) is None: +self.__disable_mod_nss_ocsp() +sysupgrade.set_upgrade_state('http', NSS_OCSP_ENABLED, False) + +def __disable_mod_nss_ocsp(self): aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) aug.set('/augeas/load/Httpd/lens', 'Httpd.lns') 
@@ -271,22 +279,21 @@ def enable_mod_nss_ocsp(self): aug.load() path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF) +ocsp_path = '{}/directive[.="{}"]'.format(path, OCSP_DIRECTIVE) +ocsp_arg = '{}/arg'.format(ocsp_path) +ocsp_comment = '{}/#comment[.="{}"]'.format(path, OCSP_DIRECTIVE) -ocsp_comment = aug.get( -'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) -ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) +ocsp_dir = aug.get(ocsp_path) -if ocsp_dir is None and ocsp_comment is not None: -# Directive is missing, comment is present -aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), -'NSSOCSP') -aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
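Review bot: the install/restart_scripts/restart_httpd hunk keeps `from ipaserver.install import certs` while deleting the only use of `certs` visible in _main() (the `certs.CertDB(...)` construction). If nothing below the truncated `try:` still references `certs`, the import is dead and pyflakes will flag it; either drop it or leave a short comment on why it stays.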
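Review bot: disable_mod_nss_ocsp() in ipaserver/install/httpinstance.py only acts when `sysupgrade.get_upgrade_state('http', NSS_OCSP_ENABLED)` is None and then records False, but nothing documents the contract of that state key. The commit message says OCSP is to be re-enabled through an `ipa advise` recipe; unless that recipe also stores the key (for example setting NSS_OCSP_ENABLED to True), an administrator who re-enables `NSSOCSP` on a host where the key was never written will lose the setting the next time this method runs from the upgrade path the diffstat lists for ipaserver/install/server/upgrade.py. Add a comment next to `NSS_OCSP_ENABLED = 'nss_ocsp_enabled'` stating who writes it and what each value means, and state plainly in the docstring that turning the directive off disables revocation checking for the certificates mod_nss verifies.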
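Review bot: in the __disable_mod_nss_ocsp() Augeas hunk, `ocsp_comment` changes from the regexp lookup `#comment[.=~regexp("NSSOCSP .*")]` to the exact match `#comment[.="NSSOCSP"]`. The exact form only matches a comment whose whole text is `NSSOCSP`, so a directive commented out by hand with its argument still attached (the `NSSOCSP on` shape the old regexp was written for) will no longer be found. If the truncated remainder of the method uses ocsp_comment to detect an already-disabled directive, either keep the regexp for detection or document that only the comment shape this code itself writes is expected.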
[Freeipa-devel] [freeipa PR#843][comment] [WIP] Fixing test_installation.py tests
URL: https://github.com/freeipa/freeipa/pull/843 Title: #843: [WIP] Fixing test_installation.py tests MartinBasti commented: """ IIRC those tests used to pass, so it may be a new bug in IPA or it just suffers from a domino effect caused by `ipa-ca` issues. I actually don't understand what your commit fixes. This error `There is no KRA server in the domain, can't setup a KRA clone` shouldn't happen because installing KRA is part of the test in `InstallTestBase1.test_replica0_ipa_kra_install` that precedes the installation of `replica1` and `replica2`. So the topology should have a KRA server installed on `replica0`. IMO this step failed due to the `ipa-ca` failure and caused a domino effect. """ See the full comment at https://github.com/freeipa/freeipa/pull/843#issuecomment-306417233