[Freeipa-devel] [freeipa PR#926][closed] test_caless: remove xfail in wildcard certificate tests
URL: https://github.com/freeipa/freeipa/pull/926
Author: Rezney
Title: #926: test_caless: remove xfail in wildcard certificate tests
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/926/head:pr926
git checkout pr926
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#922][closed] logging: make sure logging level is set to proper value
URL: https://github.com/freeipa/freeipa/pull/922
Author: tomaskrizek
Title: #922: logging: make sure logging level is set to proper value
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/922/head:pr922
git checkout pr922
[Freeipa-devel] [freeipa PR#928][closed] WebUI: fix jslint error
URL: https://github.com/freeipa/freeipa/pull/928
Author: pvomacka
Title: #928: WebUI: fix jslint error
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/928/head:pr928
git checkout pr928
[Freeipa-devel] [freeipa PR#911][closed] WebUI: fix for negative number in pagination size settings
URL: https://github.com/freeipa/freeipa/pull/911
Author: pvomacka
Title: #911: WebUI: fix for negative number in pagination size settings
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/911/head:pr911
git checkout pr911
[Freeipa-devel] [freeipa PR#915][opened] [master only] Move tmpfiles.d configuration handling back to spec file
URL: https://github.com/freeipa/freeipa/pull/915
Author: martbab
Title: #915: [master only] Move tmpfiles.d configuration handling back to spec file
Action: opened
PR body:
"""
Since ipaapi user is now created during RPM install and not in runtime, we may switch back to shipping tmpfiles.d configuration directly in RPMs and not create it in runtime, which is a preferred way to handle drop-in configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de1769077cd5b057133606ec5eeaf62b.

https://pagure.io/freeipa/issue/7053
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/915/head:pr915
git checkout pr915
From cd76bf8b30e13b56548c0a1b2153f4f775d0ea5d Mon Sep 17 00:00:00 2001
From: Martin Babinsky Date: Tue, 11 Jul 2017 14:10:28 +0200 Subject: [PATCH] Move tmpfiles.d configuration handling back to spec file Since ipaapi user is now created during RPM install and not in runtime, we may switch back to shipping tmpfiles.d configuration directly in RPMs and not create it in runtime, which is a preferred way to handle drop-in configuration anyway. This also means that the drop-in config will be shipped in /usr/lib instead of /etc according to Fedora packaging guidelines. This partially reverts commit 38c66896de1769077cd5b057133606ec5eeaf62b. https://pagure.io/freeipa/issue/7053 --- configure.ac | 1 + freeipa.spec.in| 3 ++- init/Makefile.am | 2 +- init/tmpfilesd/Makefile.am | 20 init/tmpfilesd/ipa.conf.in | 3 +++ install/share/Makefile.am | 1 - install/share/ipa.conf.tmpfiles| 2 -- ipaplatform/base/paths.py | 1 - ipaplatform/base/tasks.py | 8 ipaplatform/redhat/tasks.py| 21 - ipaserver/install/server/install.py| 10 -- ipaserver/install/server/replicainstall.py | 3 --- ipaserver/install/server/upgrade.py| 4 13 files changed, 27 insertions(+), 52 deletions(-) create mode 100644 init/tmpfilesd/Makefile.am create mode 100644 init/tmpfilesd/ipa.conf.in delete mode 100644 install/share/ipa.conf.tmpfiles diff --git a/configure.ac b/configure.ac index c43759c5bb..f098eb1dac 100644 --- a/configure.ac +++ b/configure.ac @@ -558,6 +558,7 @@ AC_CONFIG_FILES([ daemons/ipa-slapi-plugins/ipa-range-check/Makefile daemons/ipa-slapi-plugins/topology/Makefile init/systemd/Makefile +init/tmpfilesd/Makefile init/Makefile install/Makefile install/certmonger/Makefile diff --git a/freeipa.spec.in b/freeipa.spec.in index 72ce4ccc2c..1073987e98 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1321,6 +1321,8 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf +# NOTE: systemd specific section +%{_tmpfilesdir}/ipa.conf %attr(644,root,root) %{_unitdir}/ipa-custodia.service %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf # END @@ -1330,7 +1332,6 @@ fi %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template -%{_usr}/share/ipa/ipa.conf.tmpfiles %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template diff --git a/init/Makefile.am b/init/Makefile.am index bee4243912..8f4d1d0a8f 100644 --- a/init/Makefile.am +++ b/init/Makefile.am @@ -2,7 +2,7 @@ # AUTOMAKE_OPTIONS = 1.7 -SUBDIRS = systemd +SUBDIRS = systemd tmpfilesd dist_sysconfenv_DATA = \ ipa-dnskeysyncd \ diff --git a/init/tmpfilesd/Makefile.am b/init/tmpfilesd/Makefile.am new file mode 100644 index 00..7db2e9e0cd --- /dev/null +++ b/init/tmpfilesd/Makefile.am @@ -0,0 +1,20 @@ +dist_noinst_DATA = \ + ipa.conf.in + +systemdtmpfiles_DATA = \ + ipa.conf + +CLEANFILES = $(systemdtmpfiles_DATA) + +%: %.in Makefile + sed -e 's|@localstatedir[@]|$(localstatedir)|g' '$(srcdir)/$@.in' >$@ + +# create empty directories as needed +# DESTDIR might not be set, in that case default to system root +DESTDIR ?= / +install-data-hook: + for conf in $(systemdtmpfiles_DATA); do \ + systemd-tmpfiles --remove --create --boot \ +--root $(DESTDIR) \ +$(DESTDIR)$(systemdtmpfilesdir)/$${conf} || :; \ + done diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in new file mode 100644 index 00..750e808edb --- /dev/null +++ b/init/tmpfilesd/ipa.conf.in @@ -0,0 +1,3 @@ +d @localstatedir@/run/ipa 0711 root root +d @localstatedir@/run/ipa/ccaches 0770 ipaapi ipaapi + diff --git a/install/share/Makefile.am b/install/share
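Review bot: the freeipa.spec.in hunk packages %{_tmpfilesdir}/ipa.conf, but nothing in the visible part of the patch removes the /etc/tmpfiles.d/ipa.conf that earlier releases generated at runtime; because tmpfiles.d gives a file in /etc precedence over the same file name in /usr/lib, a stale runtime-created copy would keep overriding the packaged one after an upgrade. The diffstat lists ipaserver/install/server/upgrade.py with four changed lines, so if the removal is not done there, a %posttrans cleanup in the spec would close that gap.

Review bot: in the init/tmpfilesd/Makefile.am hunk, the install-data-hook discards the exit status of systemd-tmpfiles with `|| :`, so a failure to create /run/ipa and /run/ipa/ccaches (or a missing systemd-tmpfiles binary in a build root) is silent and only surfaces later when a service cannot write into the ccaches directory; printing a warning in the fallback branch, or limiting the `|| :` to the staged-install case where DESTDIR is not `/`, would make such failures visible.

Review bot: the init/tmpfilesd/ipa.conf.in hunk adds a trailing empty line (the third `+` line has no content); drop it so the file consists only of its two `d` entries. The modes themselves are sound: 0711 on /run/ipa lets services traverse the directory without listing it, and 0770 ipaapi:ipaapi on /run/ipa/ccaches keeps the Kerberos credential caches readable only by the ipaapi user and group.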
[Freeipa-devel] [freeipa PR#912][opened] [4-5 only] replica install: drop-in IPA specific config to tmpfiles.d
URL: https://github.com/freeipa/freeipa/pull/912 Author: martbab Title: #912: [4-5 only] replica install: drop-in IPA specific config to tmpfiles.d Action: opened PR body: """ While server installation and upgrade code configures the IPA specific tmpfiles location and creates relevant directories, the replica installer code path is covered incompletely and one step is missing. https://pagure.io/freeipa/issue/7053 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/912/head:pr912 git checkout pr912 From d8933ead6569c71be606683d568664637c19a722 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 11 Jul 2017 12:41:38 +0200 Subject: [PATCH] replica install: drop-in IPA specific config to tmpfiles.d While server installation and upgrade code configures the IPA specific tmpfiles location and creates relevant directories, the replica installer code path is covered incompletely and one step is missing. https://pagure.io/freeipa/issue/7053 --- ipaserver/install/server/replicainstall.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 4f28de25bd..814925de15 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1515,6 +1515,9 @@ def install(installer): # remove the extracted replica file remove_replica_info_dir(installer) +# Make sure the files we crated in /var/run are recreated at startup +tasks.configure_tmpfiles() + # Everything installed properly, activate ipa service. services.knownservices.ipa.enable() ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
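Review bot: typo in the comment added in the replicainstall.py hunk: `crated` should be `created`. The placement is otherwise sensible: tasks.configure_tmpfiles() runs after remove_replica_info_dir(installer) and before services.knownservices.ipa.enable(), so the /var/run directories are registered for recreation before the service is first started at boot.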
[Freeipa-devel] [freeipa PR#623][closed] client install: do not assume /etc/krb5.conf.d exists
URL: https://github.com/freeipa/freeipa/pull/623
Author: HonzaCholasta
Title: #623: client install: do not assume /etc/krb5.conf.d exists
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/623/head:pr623
git checkout pr623
[Freeipa-devel] [freeipa PR#893][opened] smart card advises fixes + general improvements
URL: https://github.com/freeipa/freeipa/pull/893 Author: martbab Title: #893: smard card advises fixes + general improvements Action: opened PR body: """ Add some missing operations to the client/server smart card advises and fix issues. Also provide more transparent generators of Bash control flow branches and loops. https://pagure.io/freeipa/issue/7036 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/893/head:pr893 git checkout pr893 From d50a6278ab151e0facda48a64006a48507ec6e25 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 21 Jun 2017 18:28:50 +0200 Subject: [PATCH 01/11] smart-card advise: configure systemwide NSS DB also on master Previously the Smart card signing CA cert was uploaded to systemwide NSS DB only on the client, but it need to be added also to the server. Modify the advise plugins to allow for common configuration steps to occur in both cases. https://pagure.io/freeipa/issue/7036 --- ipaserver/advise/plugins/smart_card_auth.py | 59 + 1 file changed, 35 insertions(+), 24 deletions(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index 5859e35093..0ee4808d47 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py 
@@ -10,8 +10,39 @@ register = Registry() +class common_smart_card_auth_config(Advice): +""" +Common steps required to properly configure both server and client for +smart card auth +""" + +systemwide_nssdb = paths.NSS_DB_DIR +smart_card_ca_cert_variable_name = "SC_CA_CERT" + +def check_and_set_ca_cert_path(self): +ca_path_variable = self.smart_card_ca_cert_variable_name +self.log.command("{}=$1".format(ca_path_variable)) +self.log.exit_on_predicate( +'[ -z "${}" ]'.format(ca_path_variable), +['You need to provide the path to the PEM file containing CA ' + 'signing the Smart Cards'] +) +self.log.exit_on_predicate( +'[ ! -f "${}" ]'.format(ca_path_variable), +['Invalid CA certificate filename: ${}'.format(ca_path_variable), + 'Please check that the path exists and is a valid file'] +) + +def upload_smartcard_ca_certificate_to_systemwide_db(self): +self.log.command( +'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format( +self.systemwide_nssdb, self.smart_card_ca_cert_variable_name +) +) + + @register() -class config_server_for_smart_card_auth(Advice): +class config_server_for_smart_card_auth(common_smart_card_auth_config): """ Configures smart card authentication via Kerberos (PKINIT) and for WebUI """ @@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice): def get_info(self): self.log.exit_on_nonroot_euid() +self.check_and_set_ca_cert_path() self.check_ccache_not_empty() self.check_hostname_is_in_masters() self.resolve_ipaca_records() @@ -37,6 +69,7 @@ def get_info(self): self.record_httpd_ocsp_status() self.check_and_enable_pkinit() self.enable_ok_to_auth_as_delegate_on_http_principal() +self.upload_smartcard_ca_certificate_to_systemwide_db() def check_ccache_not_empty(self): self.log.comment('Check whether the credential cache is not empty') 
@@ -162,11 +195,10 @@ def enable_ok_to_auth_as_delegate_on_http_principal(self): @register() -class config_client_for_smart_card_auth(Advice): +class config_client_for_smart_card_auth(common_smart_card_auth_config): """ Configures smart card authentication on FreeIPA client """ -smart_card_ca_cert_variable_name = "SC_CA_CERT" description = ("Instructions for enabling Smart Card authentication on " " a single FreeIPA client. Configures Smart Card daemon, " @@ -190,20 +222,6 @@ def get_info(self): self.run_authconfig_to_configure_smart_card_auth() self.restart_sssd() -def check_and_set_ca_cert_path(self): -ca_path_variable = self.smart_card_ca_cert_variable_name -self.log.command("{}=$1".format(ca_path_variable)) -self.log.exit_on_predicate( -'[ -z "${}" ]'.format(ca_path_variable), -['You need to provide the path to the PEM file containing CA ' - 'signing the Smart Cards'] -) -self.log.exit_on_predicate( -'[ ! -f "${}" ]'.format(ca_path_variable), -['Invalid CA certificate filename: ${}'.format(ca_path_variable), - 'Please check that the path exists and is a valid file'] -) - def check_and_remove_pam_pkcs11(self): self.log.command('rpm -qi pam_pkcs11 > /dev/null') self.log.commands_on_predicate( @@ -247,13 +265,6 @@ def add_pkcs11_module_to_systemwide_db(self
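Review bot: in the common_smart_card_auth_config hunk, upload_smartcard_ca_certificate_to_systemwide_db imports the CA with `-t CT,C,C`, which makes the smart card CA trusted system-wide for SSL server certificates, e-mail and object signing as well as client authentication; if validating the cards only needs client-auth trust (the `T` flag in the SSL position), narrower flags would limit what this CA can vouch for on the host, so it is worth confirming which usage SSSD and the KDC actually check before settling on the flags. The generated `certutil -A` also runs unconditionally, so re-running the advice script on a host that already holds a different certificate under the nickname "Smart Card CA" may fail at that step; a preceding `certutil -L -n "Smart Card CA"` check would make the script idempotent.

Review bot: in the config_server_for_smart_card_auth get_info hunk, check_and_set_ca_cert_path() now consumes `$1` on the server side as well, which changes the server script's calling convention (it previously took no argument); make sure the server advice's description text, which is not part of this hunk, tells the administrator to pass the CA PEM path the way the client advice does, otherwise the script exits at `[ -z "$SC_CA_CERT" ]` with no hint in the usage.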
[Freeipa-devel] [freeipa PR#886][opened] *config-show: Restore the original reporting of server roles/attributes
URL: https://github.com/freeipa/freeipa/pull/886 Author: martbab Title: #886: *config-show: Restore the original reporting of server roles/attributes Action: opened PR body: """ Revert to the FreeIPA 4.4 behavior of these commands: if no master provides the role (or the information is inaccessible to the caller), return an empty list. If no one provides the attribute do not return anything. We may also discuss other options such as do not show anything if both properties are empty. This is indeed implied by the params in the commands which are optional. https://pagure.io/freeipa/issue/7029 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/886/head:pr886 git checkout pr886 From 099a0bf5281318cdd7aef29736a735ebf96c56d8 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 21 Jun 2017 17:21:04 +0200 Subject: [PATCH] *config-show: Restore the original reporting of server roles/attributes Revert to the FreeIPA 4.4 behavior of these commands: if no master provides the role (or the information is inaccessible to the caller), return an empty list. If no one provides the attribute do not return anything. https://pagure.io/freeipa/issue/7029 --- ipaserver/plugins/config.py | 3 +-- ipaserver/plugins/serverroles.py | 4 +++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index df6bd466af..ce15e6096f 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -278,8 +278,7 @@ def update_entry_with_role_config(self, role_name, entry_attrs): role_config = backend.config_retrieve(role_name) for key, value in role_config.items(): -if value: -entry_attrs.update({key: value}) +entry_attrs.update({key: value}) def show_servroles_attributes(self, entry_attrs, *roles, **options): diff --git a/ipaserver/plugins/serverroles.py b/ipaserver/plugins/serverroles.py index e81635c331..85cf7edd01 100644 
--- a/ipaserver/plugins/serverroles.py +++ b/ipaserver/plugins/serverroles.py @@ -136,7 +136,9 @@ def config_retrieve(self, servrole): for name, attr in assoc_attributes.items(): attr_value = attr.get(self.api) -result.update({name: attr_value}) + +if attr_value: +result.update({name: attr_value}) return result ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
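Review bot: the serverroles.py hunk moves the `if attr_value:` filter into config_retrieve(), which changes the return value for every caller of backend.config_retrieve, not only the config-show path that the config.py hunk adjusts; any other caller that indexes the result by attribute name will now get a KeyError instead of an empty value when no master provides the attribute, so those callers should use .get() or be checked. In the config.py hunk itself the unconditional `entry_attrs.update({key: value})` now passes empty role lists through, which is the 4.4 behaviour the PR body asks for.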
[Freeipa-devel] [freeipa PR#876][closed] python-netifaces: update to reflect upstream changes
URL: https://github.com/freeipa/freeipa/pull/876
Author: MartinBasti
Title: #876: python-netifaces: update to reflect upstream changes
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/876/head:pr876
git checkout pr876
[Freeipa-devel] [freeipa PR#802][closed] Improve cert messages some more + do that for KDC certs as well
URL: https://github.com/freeipa/freeipa/pull/802
Author: stlaz
Title: #802: Improve cert messages some more + do that for KDC certs as well
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/802/head:pr802
git checkout pr802
[Freeipa-devel] [freeipa PR#802][+pushed] Improve cert messages some more + do that for KDC certs as well
URL: https://github.com/freeipa/freeipa/pull/802
Title: #802: Improve cert messages some more + do that for KDC certs as well
Label: +pushed
[Freeipa-devel] [freeipa PR#802][comment] Improve cert messages some more + do that for KDC certs as well
URL: https://github.com/freeipa/freeipa/pull/802
Title: #802: Improve cert messages some more + do that for KDC certs as well
martbab commented:
"""
master:
* f827fe0f19596d29f9354368077fb43be2e16e8e cert-validate: keep all messages in cert validation
* bee3c1eccd44f7671a1455d12235bcbb910494b3 More verbose error message on kdc cert validation
"""
See the full comment at https://github.com/freeipa/freeipa/pull/802#issuecomment-309035747
[Freeipa-devel] [freeipa PR#802][+ack] Improve cert messages some more + do that for KDC certs as well
URL: https://github.com/freeipa/freeipa/pull/802
Title: #802: Improve cert messages some more + do that for KDC certs as well
Label: +ack
[Freeipa-devel] [freeipa PR#876][comment] python-netifaces: update to reflect upstream changes
URL: https://github.com/freeipa/freeipa/pull/876
Title: #876: python-netifaces: update to reflect upstream changes
martbab commented:
"""
Shouldn't we bump requires on python-netifaces so that we don't accidentally pull in the older version that can break this new code?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/876#issuecomment-309006143
[Freeipa-devel] [freeipa PR#873][closed] kra: promote: Get ticket before attempting to get KRA keys with custodia
URL: https://github.com/freeipa/freeipa/pull/873
Author: dkupka
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/873/head:pr873
git checkout pr873
[Freeipa-devel] [freeipa PR#873][+pushed] kra: promote: Get ticket before attempting to get KRA keys with custodia
URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia
Label: +pushed
[Freeipa-devel] [freeipa PR#873][comment] kra: promote: Get ticket before attempting to get KRA keys with custodia
URL: https://github.com/freeipa/freeipa/pull/873
Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia
martbab commented:
"""
master:
* 342f72140f9bd8b8db19f469ae4c56cac7492901 kra: promote: Get ticket before calling custodia
ipa-4-5:
* 15076a1c2b0fb31dce3903e5f50cab9edf68ad07 kra: promote: Get ticket before calling custodia
"""
See the full comment at https://github.com/freeipa/freeipa/pull/873#issuecomment-308661144
[Freeipa-devel] [freeipa PR#701][+pushed] ipa help doesn't always work
URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work
Label: +pushed
[Freeipa-devel] [freeipa PR#701][closed] ipa help doesn't always work
URL: https://github.com/freeipa/freeipa/pull/701
Author: neffs
Title: #701: ipa help doesn't always work
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/701/head:pr701
git checkout pr701
[Freeipa-devel] [freeipa PR#701][comment] ipa help doesn't always work
URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work
martbab commented:
"""
master:
* d5bb541061e6c0952d2075a24d0a58c87455f233 Store help in Schema before writing to disk
* bf0ba9b36e95f2e2b14bb27059280027d8354c13 Disable pylint in get_help function because of type confusion.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/701#issuecomment-308648946
[Freeipa-devel] [freeipa PR#867][comment] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
martbab commented:
"""
ipa-4-5:
* 9a31b21bff7c83219a4973adf815c900628ab620 trust-mod: allow modifying list of UPNs of a trusted forest
master:
* abb638487580af99882b4751b64939d0aff0d38b trust-mod: allow modifying list of UPNs of a trusted forest
"""
See the full comment at https://github.com/freeipa/freeipa/pull/867#issuecomment-308452464
[Freeipa-devel] [freeipa PR#867][closed] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Author: abbra
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
[Freeipa-devel] [freeipa PR#867][+pushed] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Label: +pushed
[Freeipa-devel] [freeipa PR#867][comment] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
martbab commented:
"""
Nevermind I fixed this for @abbra. Let's wait for Travis and then we can push it.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/867#issuecomment-308434278
[Freeipa-devel] [freeipa PR#867][synchronized] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Author: abbra
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
From 2cd8af5201af9e2e962c4987a3b3641f3b83c982 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Mon, 12 Jun 2017 11:05:06 +0300 Subject: [PATCH] trust-mod: allow modifying list of UPNs of a trusted forest There are two ways for maintaining user principal names (UPNs) in Active Directory: - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon - directly modify userPrincipalName attribute in LDAP Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ. The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest. This is especially true for one-word UPNs which otherwise wouldn't work properly on Kerberos level for both FreeIPA and Active Directory. Administrators are responsible for amending the list of UPNs associated with the forest in this case. With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a trusted forest root. As with all '-mod' commands, the change replaces existing UPNs when applied, so administrators are responsible to specify all of them: ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new} Fixes: https://pagure.io/freeipa/issue/7015 --- API.txt| 3 ++- VERSION.m4 | 4 ++-- ipaserver/plugins/trust.py | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 44567a22da..aabd9c0d4a 100644 --- a/API.txt +++ b/API.txt 
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: trust_mod/1 -args: 1,9,3 +args: 1,10,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') +option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upn_suffixes') option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming') option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing') option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/VERSION.m4 b/VERSION.m4 index 706c243739..cc308f1e23 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 227) -# Last change: Add `pkinit-status` command +define(IPA_API_VERSION_MINOR, 228) +# Last change: Expose ipaNTAdditionalSuffixes in trust-mod diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 075b39dcc3..d0bbfbc47c 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -553,8 +553,9 @@ class trust(LDAPObject): flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), Str('ipantadditionalsuffixes*', +cli_name='upn_suffixes', label=_('UPN suffixes'), -flags={'no_create', 'no_update', 'no_search'}, +flags={'no_create', 'no_search'}, ), ) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
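Review bot: in the ipaserver/plugins/trust.py hunk, dropping `no_update` makes ipantadditionalsuffixes writable through trust-mod, but nothing in the patch validates the supplied values: a suffix equal to the IPA domain itself, one that overlaps another trust's suffix list, or one containing whitespace would be stored as-is and then, per the commit message, be treated by the KDC as belonging to this forest. Since `-mod` replaces the whole list, a pre_callback that rejects such values (and warns when the new list drops suffixes the DC still advertises) would keep a typo from silently detaching users from the trust. The API.txt and VERSION.m4 hunks are consistent with the new option (args 1,9,3 to 1,10,3, API minor 227 to 228).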
[Freeipa-devel] [freeipa PR#867][synchronized] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Author: abbra
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/867/head:pr867
git checkout pr867
From eed383573ccad874114194e724c9ba282b2e4529 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Mon, 12 Jun 2017 11:05:06 +0300 Subject: [PATCH 1/2] trust-mod: allow modifying list of UPNs of a trusted forest There are two ways for maintaining user principal names (UPNs) in Active Directory: - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon - directly modify userPrincipalName attribute in LDAP Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ. The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest. This is especially true for one-word UPNs which otherwise wouldn't work properly on Kerberos level for both FreeIPA and Active Directory. Administrators are responsible for amending the list of UPNs associated with the forest in this case. With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a trusted forest root. As with all '-mod' commands, the change replaces existing UPNs when applied, so administrators are responsible to specify all of them: ipa trust-mod ad.test --upns={existing.upn,another_upn,new} Fixes: https://pagure.io/freeipa/issue/7015 --- API.txt| 3 ++- VERSION.m4 | 4 ++-- ipaserver/plugins/trust.py | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 44567a22da..4930b0d6b2 100644 --- a/API.txt +++ b/API.txt 
@@ -5772,11 +5772,12 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: trust_mod/1 -args: 1,9,3 +args: 1,10,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') +option: Str('ipantadditionalsuffixes*', autofill=False, cli_name='upns') option: Str('ipantsidblacklistincoming*', autofill=False, cli_name='sid_blacklist_incoming') option: Str('ipantsidblacklistoutgoing*', autofill=False, cli_name='sid_blacklist_outgoing') option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/VERSION.m4 b/VERSION.m4 index 706c243739..cc308f1e23 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 227) -# Last change: Add `pkinit-status` command +define(IPA_API_VERSION_MINOR, 228) +# Last change: Expose ipaNTAdditionalSuffixes in trust-mod diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 075b39dcc3..310634904e 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -553,8 +553,9 @@ class trust(LDAPObject): flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), Str('ipantadditionalsuffixes*', +cli_name='upns', label=_('UPN suffixes'), -flags={'no_create', 'no_update', 'no_search'}, +flags={'no_create', 'no_search'}, ), ) From 78e0a8f1fb352b2db54ec220646505c914c0760d Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Mon, 12 Jun 2017 11:05:06 +0300 Subject: [PATCH 2/2] trust-mod: allow modifying list of UPNs of a trusted forest There are two ways for maintaining user principal names (UPNs) in Active Directory: - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon - directly modify userPrincipalName attribute in LDAP Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ. The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest. This is especially true for one-word UPNs which otherwis
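An added example, not code from the FreeIPA project or from this patch, that models two points the commit message above makes: a KDC can map a `user@SUFFIX` principal to a trusted forest only if the suffix is in the list it has been told about (the forest root plus the additional suffixes), and a `trust-mod` invocation replaces that list wholesale, so an administrator should diff the requested list against the stored one before applying it. `SAMPLE_FORESTS`, the function names and the suffix grammar are assumptions of this example; the real ipaNTAdditionalSuffixes values live in LDAP, not in a dict.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed sample data for this example (not real FreeIPA objects): one
# trusted forest, keyed by its root domain, with the extra UPN suffixes an
# administrator associated with it (the analogue of ipaNTAdditionalSuffixes).
SAMPLE_FORESTS: Dict[str, Set[str]] = {
    "ad.test": {"corp.example", "ONEWORD"},
}

# DNS-style labels; underscores allowed because AD accepts them in suffixes.
_LABEL = r"[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?"
_SUFFIX_RE = re.compile(rf"{_LABEL}(\.{_LABEL})*")


def normalize_suffix(suffix: str) -> str:
    """Canonical form of a UPN suffix: trimmed, no trailing dot, lower-case.

    Raises ValueError for an empty or syntactically invalid suffix, so a
    typo cannot silently become a suffix the KDC maps to a trusted forest.
    """
    canon = suffix.strip().rstrip(".").lower()
    if not canon or not _SUFFIX_RE.fullmatch(canon):
        raise ValueError(f"invalid UPN suffix: {suffix!r}")
    return canon


def forest_suffixes(root: str, additional: Iterable[str]) -> Set[str]:
    """Every suffix the KDC should map to this forest: the root plus the extras."""
    return {normalize_suffix(root)} | {normalize_suffix(s) for s in additional}


def forest_for_principal(principal: str,
                         forests: Dict[str, Set[str]]) -> Optional[str]:
    """Return the root domain of the forest a `user@SUFFIX` principal belongs to.

    None means no trusted forest claims the suffix: this is the situation the
    commit message describes when a suffix was set only in userPrincipalName
    and never associated with the forest, so the user cannot be authenticated
    through the trust. A one-word suffix is fine as long as it is listed.
    """
    user, sep, suffix = principal.rpartition("@")
    if not sep or not user:
        return None
    try:
        wanted = normalize_suffix(suffix)
    except ValueError:
        return None
    for root, additional in forests.items():
        if wanted in forest_suffixes(root, additional):
            return root
    return None


def plan_upn_update(existing: Iterable[str],
                    requested: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Preview a `--upns=` update, which replaces the stored list wholesale.

    Returns (added, removed). Anything in `removed` is a suffix that is still
    configured today and that the request would drop, which is exactly the
    mistake the commit message tells administrators to avoid.
    """
    old = {normalize_suffix(s) for s in existing}
    new = {normalize_suffix(s) for s in requested}
    return new - old, old - new


if __name__ == "__main__":
    for p in ("alice@ad.test", "bob@CORP.EXAMPLE", "carol@oneword", "eve@other.test"):
        print(f"{p:20} -> {forest_for_principal(p, SAMPLE_FORESTS)}")
    added, removed = plan_upn_update(SAMPLE_FORESTS["ad.test"],
                                     ["oneword", "new.example"])
    print("would add:", sorted(added), "would drop:", sorted(removed))
```

Run `plan_upn_update` with the output of the existing trust entry as `existing` and the list you intend to pass to `--upns` as `requested`; a non-empty `removed` set means the command line is missing suffixes that are still in use.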
[Freeipa-devel] [freeipa PR#867][comment] trust-mod: allow modifying list of UPNs of a trusted forest
URL: https://github.com/freeipa/freeipa/pull/867
Title: #867: trust-mod: allow modifying list of UPNs of a trusted forest

martbab commented:
"""
LGTM, the only little nitpick I have is that the CLI option should be named `--upn-suffixes` as `--upns` implies that you can specify full User principal names which you don't. You only specify suffixes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/867#issuecomment-308396576
[Freeipa-devel] [freeipa PR#854][+pushed] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
Label: +pushed
[Freeipa-devel] [freeipa PR#854][closed] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
Title: #854: server-side and client-side advises for configuring smart card auth
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/854/head:pr854
git checkout pr854
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
master:

* 0569c02f17f853d97280f52f4a7fefecc72cf45d Extend the advice printing code by some useful abstractions
* e418e9a4ca747886c53d05ae80597834f1d3d021 Prepare advise plugin for smart card auth configuration

ipa-4-5:

* 7ea7ee4326679c098d3e4e4d6a2bc743707708ca Extend the advice printing code by some useful abstractions
* 84ca9761bd47f28b72581d1fe6bd8cfa824b6df3 Prepare advise plugin for smart card auth configuration
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-308390829
[Freeipa-devel] [freeipa PR#854][synchronized] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: server-side and client-side advises for configuring smart card auth Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/854/head:pr854 git checkout pr854 From 1deb530a75b1031b59edb48df1e71678e4e6 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 5 Jun 2017 16:59:25 +0200 Subject: [PATCH 1/2] Extend the advice printing code by some useful abstractions The advise printing code was augmented by methods that simplify generating bash snippets that report errors or failed commands. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/base.py | 63 ++-- 1 file changed, 61 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index 40dabd0426..ba412b8724 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py 
@@ -94,8 +94,67 @@ def debug(self, line): if self.options.verbose: self.comment('DEBUG: ' + line) -def command(self, line): -self.content.append(line) +def command(self, line, indent_spaces=0): +self.content.append( +'{}{}'.format(self._format_indent(indent_spaces), line)) + +def _format_indent(self, num_spaces): +return ' ' * num_spaces + +def echo_error(self, error_message, indent_spaces=0): +self.command( +self._format_error(error_message), indent_spaces=indent_spaces) + +def _format_error(self, error_message): +return 'echo "{}" >&2'.format(error_message) + +def exit_on_failed_command(self, command_to_run, + error_message_lines, indent_spaces=0): +self.command(command_to_run, indent_spaces=indent_spaces) +self.exit_on_predicate( +'[ "$?" -ne "0" ]', +error_message_lines, +indent_spaces=indent_spaces) + +def exit_on_nonroot_euid(self): +self.exit_on_predicate( +'[ "$(id -u)" -ne "0" ]', +["This script has to be run as root user"] +) + +def exit_on_predicate(self, predicate, error_message_lines, + indent_spaces=0): +commands_to_run = [ +self._format_error(error_message_line) +for error_message_line in error_message_lines] + +commands_to_run.append('exit 1') +self.commands_on_predicate( +predicate, +commands_to_run, +indent_spaces=indent_spaces) + +def commands_on_predicate(self, predicate, commands_to_run_when_true, + commands_to_run_when_false=None, + indent_spaces=0): +if_command = 'if {}'.format(predicate) +self.command(if_command, indent_spaces=indent_spaces) +self.command('then', indent_spaces=indent_spaces) + +indented_block_spaces = indent_spaces + 2 + +for command_to_run_when_true in commands_to_run_when_true: +self.command( +command_to_run_when_true, indent_spaces=indented_block_spaces) + +if commands_to_run_when_false is not None: +self.command("else", indent_spaces=indent_spaces) +for command_to_run_when_false in commands_to_run_when_false: +self.command( +command_to_run_when_false, +indent_spaces=indented_block_spaces) + +self.command('fi', 
indent_spaces=indent_spaces) class Advice(Plugin): From b4d4fe048ee4c7c03d69283b92010e18c3e88056 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 2 Jun 2017 18:36:29 +0200 Subject: [PATCH 2/2] Prepare advise plugin for smart card auth configuration The plugin contains recipes for configuring Smart Card authentication on FreeIPA server and enrolled client. https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/plugins/smart_card_auth.py | 266 1 file changed, 266 insertions(+) create mode 100644 ipaserver/advise/plugins/smart_card_auth.py diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py new file mode 100644 index 00..5859e35093 --- /dev/null +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -0,0 +1,266 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +from ipalib.plugable import Registry +from ipaplatform.paths import paths +from ipaserver.advise.base import Advice +from ipaserver.install.httpinstance import NSS_OCSP_ENABLED + +register = Registry() + + +@register() +class config_server_for_smart_card_auth(Advice): +""" +Configures smart card authentication via Kerberos (PKINIT) and for WebUI +""" + +description = ("Instructions for enabling Smart Card authentication on " +
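Review bot: in the ipaserver/advise/base.py hunk, `_format_error` builds `'echo "{}" >&2'.format(error_message)` with no escaping, so a message containing `"`, `$` or a backtick is spliced into the generated script as shell syntax; pass the message through `shlex.quote` (or at least escape the double quotes) before interpolating, otherwise the error lines are the one place where an arbitrary string reaches the generated shell unquoted. `exit_on_failed_command` also emits the command and then `if [ "$?" -ne "0" ]`; `if ! {cmd}; then` expresses the same check without depending on `$?` surviving whatever gets emitted in between. Finally, `commands_on_predicate` now expects callers to supply the brackets themselves (`'[ "$?" -ne "0" ]'`, `'[ "$(id -u)" -ne "0" ]'`) while none of the new public methods has a docstring; a one-line note on `predicate` would keep the next caller from passing a bare comparison.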
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
Also I get the following error when running authconfig:

```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
```

It is understandable, since I have removed the pam_pkcs11 package as per documentation, but it still puzzles me. It may be that I have an old version of authconfig, as I am developing this on F25 where I have authconfig-6.2.10-14.fc25.x86_64.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307427676
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@flo regarding enabling Smart Card login (add PKCS#11 module, configure SSSD and such), do we really need to set this up on the server? I do not expect somebody logging directly into the machine hosting the FreeIPA server using a smart card reader.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307424330
[Freeipa-devel] [freeipa PR#849][+pushed] session_storage: Correctly handle string/byte types
URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types
Label: +pushed
[Freeipa-devel] [freeipa PR#849][closed] session_storage: Correctly handle string/byte types
URL: https://github.com/freeipa/freeipa/pull/849
Author: stlaz
Title: #849: session_storage: Correctly handle string/byte types
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/849/head:pr849
git checkout pr849
[Freeipa-devel] [freeipa PR#849][comment] session_storage: Correctly handle string/byte types
URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types

martbab commented:
"""
master:

* d665224a85610cccbe7d291e9ed41d2ce7e5b61c session_storage: Correctly handle string/byte types
"""

See the full comment at https://github.com/freeipa/freeipa/pull/849#issuecomment-307413021
[Freeipa-devel] [freeipa PR#840][closed] Add Role 'Enrollment Administrator'
URL: https://github.com/freeipa/freeipa/pull/840
Author: Tiboris
Title: #840: Add Role 'Enrollment Administrator'
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/840/head:pr840
git checkout pr840
[Freeipa-devel] [freeipa PR#840][comment] Add Role 'Enrollment Administrator'
URL: https://github.com/freeipa/freeipa/pull/840
Title: #840: Add Role 'Enrollment Administrator'

martbab commented:
"""
master:

* 468eb3c712140399ed2ec346ff4356bffd590e09 Add Role 'Enrollment Administrator'
"""

See the full comment at https://github.com/freeipa/freeipa/pull/840#issuecomment-307407213
[Freeipa-devel] [freeipa PR#840][+pushed] Add Role 'Enrollment Administrator'
URL: https://github.com/freeipa/freeipa/pull/840
Title: #840: Add Role 'Enrollment Administrator'
Label: +pushed
[Freeipa-devel] [freeipa PR#838][comment] Explicitly ask for py2 dependencies in py2 packages
URL: https://github.com/freeipa/freeipa/pull/838
Title: #838: Explicitly ask for py2 dependencies in py2 packages

martbab commented:
"""
master:

* a2147de6e2eb217163d6f106d3220c7b1e7570b5 Explicitly ask for py2 dependencies in py2 packages
"""

See the full comment at https://github.com/freeipa/freeipa/pull/838#issuecomment-307405964
[Freeipa-devel] [freeipa PR#838][closed] Explicitly ask for py2 dependencies in py2 packages
URL: https://github.com/freeipa/freeipa/pull/838
Author: MartinBasti
Title: #838: Explicitly ask for py2 dependencies in py2 packages
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/838/head:pr838
git checkout pr838
[Freeipa-devel] [freeipa PR#838][+pushed] Explicitly ask for py2 dependencies in py2 packages
URL: https://github.com/freeipa/freeipa/pull/838
Title: #838: Explicitly ask for py2 dependencies in py2 packages
Label: +pushed
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@flo ah sorry, I missed that. I will incorporate it into the advise then.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307360499
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
That section[1] only instructs to configure `pam_cert_auth=true` in the SSSD's `pam` section, which is already done on both server and client, see the `enable_pam_auth_in_sssd` method. Am I missing something?

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/idm-smart-cards.html
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307358447
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@abbra thanks for the review. Is `pam_pkcs11` removal necessary for the client? Also, what option does the recipe need to pass to `authconfig` to properly configure smart card auth? Isn't it enough to configure SSSD?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307352108
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@flo @abbra I have rebased the PR and also included a recipe for client configuration for the sake of completeness.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307326811
[Freeipa-devel] [freeipa PR#854][edited] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
Title: #854: server-side and client-side advises for configuring smart card auth
Action: edited
Changed field: body
Original value:
"""
This advise plugin generates a script which configures all the components required for successful processing of smart card auth requests on the IPA server. I could split it into sub-advises and call them from the combined advise, but that would require some further refactoring of the advise plugin framework. Let me know if you would prefer it this way instead.

https://pagure.io/freeipa/issue/6982
"""
[Freeipa-devel] [freeipa PR#854][edited] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
Title: #854: server-side and client-side advises for configuring smart card auth
Action: edited
Changed field: title
Original value:
"""
RFC: server-side smart card auth advise plugin
"""
[Freeipa-devel] [freeipa PR#854][synchronized] RFC: server-side smart card auth advise plugin
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: RFC: server-side smart card auth advise plugin Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/854/head:pr854 git checkout pr854 From 70298a7285cb84d28172a059dfe23917c074e4c2 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 5 Jun 2017 16:59:25 +0200 Subject: [PATCH 1/3] Extend the advice printing code by some useful abstractions The advise printing code was augmented by methods that simplify generating bash snippets that report errors or failed commands. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/base.py | 53 ++-- 1 file changed, 51 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index 40dabd0426..7b23adc115 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py 
@@ -94,8 +94,57 @@ def debug(self, line): if self.options.verbose: self.comment('DEBUG: ' + line) -def command(self, line): -self.content.append(line) +def command(self, line, indent_spaces=0): +self.content.append( +'{}{}'.format(self._format_indent(indent_spaces), line)) + +def _format_indent(self, num_spaces): +return ' ' * num_spaces + +def echo_error(self, error_message, indent_spaces=0): +self.command( +self._format_error(error_message, indent_spaces=indent_spaces)) + +def _format_error(self, error_message, indent_spaces=0): +return '{}echo "{}" >&2'.format( +self._format_indent(indent_spaces), error_message) + +def exit_on_failed_command(self, command_to_run, + error_message_lines, indent_spaces=0): +self.command(command_to_run, indent_spaces=indent_spaces) +self.exit_on_predicate( +'"$?" -ne "0"', error_message_lines, indent_spaces=indent_spaces) + +def exit_on_nonroot_euid(self): +self.exit_on_predicate( +'"$(id -u)" -ne "0"', +["This script has to be run as root user"] +) + +def exit_on_predicate(self, predicate, error_message_lines, + indent_spaces=0): +commands_to_run = [ +self._format_error(error_message_line, indent_spaces=indent_spaces) +for error_message_line in error_message_lines] + +commands_to_run.append('exit 1') +self.commands_on_predicate( +predicate, +commands_to_run, +indent_spaces=indent_spaces) + +def commands_on_predicate(self, predicate, commands_to_run, + indent_spaces=0): +if_command = 'if [ {} ]'.format(predicate) +self.command(if_command, indent_spaces=indent_spaces) +self.command('then', indent_spaces=indent_spaces) + +indented_block_spaces = indent_spaces + 2 + +for command_to_run in commands_to_run: +self.command(command_to_run, indent_spaces=indented_block_spaces) + +self.command('fi', indent_spaces=indent_spaces) class Advice(Plugin): From 6de3a19dd2fe43909b5b38bd4688da3eed339e4e Mon Sep 17 00:00:00 2001 
From: Martin Babinsky Date: Fri, 2 Jun 2017 18:36:29 +0200 Subject: [PATCH 2/3] Prepare an advise plugin for server-side smart card auth configuration The plugin will contain topics for configuring Smart Card authentication on FreeIPA server. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/plugins/smart_card_auth.py | 166 1 file changed, 166 insertions(+) create mode 100644 ipaserver/advise/plugins/smart_card_auth.py diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py new file mode 100644 index 00..55fe996d7e --- /dev/null +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -0,0 +1,166 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +from ipalib.plugable import Registry +from ipaplatform.paths import paths +from ipaserver.advise.base import Advice +from ipaserver.install.httpinstance import NSS_OCSP_ENABLED + +register = Registry() + + +@register() +class config_server_for_smart_card_auth(Advice): +""" +Configures smart card authentication via Kerberos (PKINIT) and for WebUI +""" + +description = ("Instructions for enabling Smart Card authentication on " + " a single FreeIPA server. Includes Apache configuration, " + "enabling PKINIT on KDC and configuring WebUI to accept " + "Smart Card auth requests. To enable the feature in the " + "whole topology you have to run the script on each master") + +nss_conf = paths.HTTPD_NSS_CONF +nss_ocsp_directive = 'NSSOCSP' +nss_nickname_directive = 'NSSNickname' + +def get_info(self): +self.log.exit_
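Review bot: in the ipaserver/advise/base.py hunk, `exit_on_predicate` indents the error lines twice: `_format_error(..., indent_spaces=indent_spaces)` prefixes each `echo` with `indent_spaces` blanks, then `commands_on_predicate` passes those same strings to `self.command(..., indent_spaces=indented_block_spaces)`, which prefixes them again, so a block requested at `indent_spaces=4` prints its `echo` lines at 10 spaces while the `exit 1` sits at 6. Let `_format_error` return only the `echo "..." >&2` text and have `echo_error` pass `indent_spaces` through to `self.command`, so indentation is applied in exactly one place.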
[Freeipa-devel] [freeipa PR#854][comment] RFC: server-side smart card auth advise plugin
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: RFC: server-side smart card auth advise plugin

martbab commented:
"""
@flo thanks for your input, I will rework the PR tomorrow.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306811993
[Freeipa-devel] [freeipa PR#854][comment] RFC: server-side smart card auth advise plugin
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: RFC: server-side smart card auth advise plugin

martbab commented:
"""
Support for non-RPM platforms would require some more additions to the base Advice code to handle this systematically, or alternatively we may just test for the presence of the required command and fail with an instruction to install the missing package using platform-specific means.

While we may want to migrate to `mod_ssl` in the future, there will be much more work to do regarding switching TLS modules, so the advise can be ported as a part of this effort.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306714152
[Freeipa-devel] [freeipa PR#854][opened] RFC: server-side smart card auth advise plugin
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: RFC: server-side smart card auth advise plugin Action: opened PR body: """ This advise plugin generates a script which configures all the components required for successful processing of smart card auth requests on IPA server. I could split it into sub-advises and call them from the combined advise but that would require some further refactoring of advise plugin framework. Let me know if you would prefer this way instead. https://pagure.io/freeipa/issue/6982 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/854/head:pr854 git checkout pr854 From 7761b0c4dd29d07a4431a55da7343f77e6cb0d49 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 5 Jun 2017 16:59:25 +0200 Subject: [PATCH 1/2] Extend the advice printing code by some useful abstractions The advise printing code was augmented by methods that simplify generating bash snippets that report errors or failed commands. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/base.py | 34 -- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index 40dabd0426..72ac7b092f 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py 
@@ -94,8 +94,38 @@ def debug(self, line): if self.options.verbose: self.comment('DEBUG: ' + line) -def command(self, line): -self.content.append(line) +def command(self, line, indent_spaces=0): +self.content.append( +'{}{}'.format(self._format_indent(indent_spaces), line)) + +def _format_indent(self, num_spaces): +return ' ' * num_spaces + +def echo_error(self, error_message, indent_spaces=0): +self.command( +'{}echo "{}" >&2'.format( +self._format_indent(indent_spaces), error_message)) + +def exit_on_failed_command(self, command_to_run, + error_message_lines, indent_spaces=0): +self.command(command_to_run, indent_spaces=indent_spaces) +self.exit_on_predicate( +'"$?" -ne "0"', error_message_lines, indent_spaces=indent_spaces) + +def exit_on_predicate(self, predicate, error_message_lines, + indent_spaces=0): +if_command = 'if [ {} ]'.format(predicate) +self.command(if_command, indent_spaces=indent_spaces) +self.command('then', indent_spaces=indent_spaces) + +indented_block_spaces = indent_spaces + 2 + +for error_message_line in error_message_lines: +self.echo_error( +error_message_line, indent_spaces=indented_block_spaces) + +self.command('exit 1', indent_spaces=indented_block_spaces) +self.command('fi', indent_spaces=indent_spaces) class Advice(Plugin): From 63c3389d2ba7a819b5ffe5e235ebaf2edc59e19b Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 2 Jun 2017 18:36:29 +0200 Subject: [PATCH 2/2] Prepare an advise plugin for server-side smart card auth configuration The plugin will contain topics for configuring Smart Card authentication on FreeIPA server. https://pagure.io/freeipa/issue/6982 --- ipaserver/advise/plugins/smart_card_auth.py | 147 1 file changed, 147 insertions(+) create mode 100644 ipaserver/advise/plugins/smart_card_auth.py diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py new file mode 100644 index 00..7e388a75b7 --- /dev/null +++ b/ipaserver/advise/plugins/smart_card_auth.py 
@@ -0,0 +1,147 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +from ipalib.plugable import Registry +from ipaplatform.paths import paths +from ipaserver.advise.base import Advice +from ipaserver.install.httpinstance import NSS_OCSP_ENABLED + +register = Registry() + + +@register() +class config_server_for_smart_card_auth(Advice): +""" +Configures smart card authentication via Kerberos (PKINIT) and for WebUI +""" + +description = ("Instructions for enabling Smart Card authentication on " + "FreeIPA server. Includes Apache configuration, enabling " + "PKINIT on KDC and configuring WebUI to accept Smart Card " + "auth requests") + +nss_conf = paths.HTTPD_NSS_CONF +nss_ocsp_directive = 'NSSOCSP' +nss_nickname_directive = 'NSSNickname' + +def get_info(self): +self.check_ccache_not_empty() +self.check_hostname_is_in_masters() +self.resolve_ipaca_records() +self.enable_nss_ocsp() +self.mark_httpd_cert_as_trusted() +self.restart_httpd() +self.record_httpd_ocsp_status() +self.check_and_enable_pkinit() +self.enable_ok_to_auth_as_delegate_on_http_principal() + +def check_ccache_not_empty(self): +self.lo
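Review bot: in the ipaserver/advise/base.py hunk, `exit_on_predicate` hard-codes `'if [ {} ]'.format(predicate)`, so every predicate has to be something `test` can evaluate; a caller that wants to branch on a command's exit status, which is exactly what `exit_on_failed_command` needs and works around by emitting the command first and then `'"$?" -ne "0"'`, cannot express `if ! cmd`. Accept a complete condition string and let the callers add the brackets, or give `exit_on_failed_command` its own `if ! {}` form. `echo_error` also interpolates `error_message` into double quotes unescaped, so a message containing `"` or `$` corrupts the generated script.

Review bot: `description` in the ipaserver/advise/plugins/smart_card_auth.py hunk says the recipe enables Smart Card authentication "on FreeIPA server", but `get_info` only touches the local host (`check_hostname_is_in_masters`, `enable_nss_ocsp`, `restart_httpd`, `check_and_enable_pkinit`), so state that the generated script must be run on each master. `enable_ok_to_auth_as_delegate_on_http_principal` is also the one step in that list that changes a privilege rather than a local config file (the flag lets the HTTP service obtain tickets on behalf of the authenticating user), so name it in the description and have the generated script comment on why it is required.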
[Freeipa-devel] [freeipa PR#847][closed] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847
Author: pvomacka
Title: #847: Turn off OCSP check
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/847/head:pr847
git checkout pr847
[Freeipa-devel] [freeipa PR#847][comment] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check

martbab commented:
"""
ipa-4-5:

* 51b361f475b3e25ace982873beb05cafcba95808 Turn off OCSP check

master:

* 566361e63d4a670460df3dbb28b9d19f38eaea2d Turn off OCSP check
"""

See the full comment at https://github.com/freeipa/freeipa/pull/847#issuecomment-306459491
[Freeipa-devel] [freeipa PR#847][+pushed] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check
Label: +pushed
[Freeipa-devel] [freeipa PR#847][+ack] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check
Label: +ack
[Freeipa-devel] [freeipa PR#852][closed] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852
Author: HonzaCholasta
Title: #852: pkinit manage: introduce ipa-pkinit-manage
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/852/head:pr852
git checkout pr852
[Freeipa-devel] [freeipa PR#852][+pushed] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage
Label: +pushed
[Freeipa-devel] [freeipa PR#852][comment] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage

martbab commented:
"""
ipa-4-5:

* 1b62e5aac9d9668604e82879c020bff310fa549f server certinstall: update KDC master entry
* c072135340bc8e75f621e2b9163b1347b9eb528f pkinit manage: introduce ipa-pkinit-manage
* cb9353d6e0fbc0912dd20bf29e3835a7740d1af6 server upgrade: do not enable PKINIT by default

master:

* e131905f3e0fe9179c5f4a09da4e7a204012603a server certinstall: update KDC master entry
* 92276c1e8809f3ff6b59bd6124869f816627bac7 pkinit manage: introduce ipa-pkinit-manage
* 0772ef20b39b11950fddc913a350534988294c89 server upgrade: do not enable PKINIT by default
"""

See the full comment at https://github.com/freeipa/freeipa/pull/852#issuecomment-306458799
[Freeipa-devel] [freeipa PR#852][+ack] pkinit manage: introduce ipa-pkinit-manage
URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage
Label: +ack
[Freeipa-devel] [freeipa PR#821][closed] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
Title: #821: fix incorrect suffix handling in topology checks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821
[Freeipa-devel] [freeipa PR#821][comment] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821
Title: #821: fix incorrect suffix handling in topology checks

martbab commented:
"""
ipa-4-5:

* d651a9877d0e2f9dd1b057630508b488678bb86e fix incorrect suffix handling in topology checks

master:

* 8ef4888af77f8e6fd8324297d26287b575b18163 fix incorrect suffix handling in topology checks
"""

See the full comment at https://github.com/freeipa/freeipa/pull/821#issuecomment-306237609
[Freeipa-devel] [freeipa PR#821][+pushed] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821
Title: #821: fix incorrect suffix handling in topology checks
Label: +pushed
[Freeipa-devel] [freeipa PR#851][closed] ipa-kdb: add pkinit authentication indicator in case of a successful certauth
URL: https://github.com/freeipa/freeipa/pull/851
Author: abbra
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/851/head:pr851
git checkout pr851
[Freeipa-devel] [freeipa PR#851][comment] ipa-kdb: add pkinit authentication indicator in case of a successful certauth
URL: https://github.com/freeipa/freeipa/pull/851 Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth martbab commented: """ master: * e8a7e2e38ad7cea2964305247430e964d2b785b1 ipa-kdb: add pkinit authentication indicator in case of a successful certauth ipa-4-5: * ca02cea8dfd63290e4821833fc2ac7d457290e9f ipa-kdb: add pkinit authentication indicator in case of a successful certauth """ See the full comment at https://github.com/freeipa/freeipa/pull/851#issuecomment-306237025 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#851][+pushed] ipa-kdb: add pkinit authentication indicator in case of a successful certauth
URL: https://github.com/freeipa/freeipa/pull/851 Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#847][comment] Turn off OCSP check
URL: https://github.com/freeipa/freeipa/pull/847 Title: #847: Turn off OCSP check martbab commented: """ How did we resolve the issue of tracking nssocsp status in sysupgrade state? Shouldn't we record this so that we know it was disabled by our installer/upgrader? """ See the full comment at https://github.com/freeipa/freeipa/pull/847#issuecomment-305804717 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#835][closed] kdc.key should not be visible to all
URL: https://github.com/freeipa/freeipa/pull/835 Author: stlaz Title: #835: kdc.key should not be visible to all Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/835/head:pr835 git checkout pr835 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#835][+pushed] kdc.key should not be visible to all
URL: https://github.com/freeipa/freeipa/pull/835 Title: #835: kdc.key should not be visible to all Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#835][comment] kdc.key should not be visible to all
URL: https://github.com/freeipa/freeipa/pull/835 Title: #835: kdc.key should not be visible to all martbab commented: """ master: * 3b6892783ee6ed6dac9c4f328cc89ae030ce10a7 kdc.key should not be visible to all ipa-4-5: * 37be8e9ac3b46d6d31199227216b5a5a8d5d5614 kdc.key should not be visible to all """ See the full comment at https://github.com/freeipa/freeipa/pull/835#issuecomment-305239546 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#835][+ack] kdc.key should not be visible to all
URL: https://github.com/freeipa/freeipa/pull/835 Title: #835: kdc.key should not be visible to all Label: +ack ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#832][closed] Add remote_plugins subdirectories to RPM
URL: https://github.com/freeipa/freeipa/pull/832 Author: MartinBasti Title: #832: Add remote_plugins subdirectories to RPM Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/832/head:pr832 git checkout pr832 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#832][comment] Add remote_plugins subdirectories to RPM
URL: https://github.com/freeipa/freeipa/pull/832 Title: #832: Add remote_plugins subdirectories to RPM martbab commented: """ @MartinBasti please make a separate PR for ipa-4-4 branch. """ See the full comment at https://github.com/freeipa/freeipa/pull/832#issuecomment-305122966 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#832][+pushed] Add remote_plugins subdirectories to RPM
URL: https://github.com/freeipa/freeipa/pull/832 Title: #832: Add remote_plugins subdirectories to RPM Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#832][comment] Add remote_plugins subdirectories to RPM
URL: https://github.com/freeipa/freeipa/pull/832 Title: #832: Add remote_plugins subdirectories to RPM martbab commented: """ ipa-4-5: * 359e3f261705976229bace2d0a22546670181603 Add remote_plugins subdirectories to RPM master: * 71adc8cd3ff6d6e54f332e94bfda3ed59396de90 Add remote_plugins subdirectories to RPM """ See the full comment at https://github.com/freeipa/freeipa/pull/832#issuecomment-305123104 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#831][+pushed] [4.4] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/831 Title: #831: [4.4] custodia dep: require explictly python2 version Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#831][comment] [4.4] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/831 Title: #831: [4.4] custodia dep: require explictly python2 version martbab commented: """ ipa-4-4: * a1276d550a1a5f28e1214ceb53cbe460428baef1 custodia dep: require explictly python2 version """ See the full comment at https://github.com/freeipa/freeipa/pull/831#issuecomment-305122558 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#831][closed] [4.4] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/831 Author: MartinBasti Title: #831: [4.4] custodia dep: require explictly python2 version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/831/head:pr831 git checkout pr831 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#830][+pushed] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/830 Title: #830: custodia dep: require explictly python2 version Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#830][comment] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/830 Title: #830: custodia dep: require explictly python2 version martbab commented: """ master: * a90a113b66fca620b04635442b135a5136ece7ba custodia dep: require explictly python2 version ipa-4-5: * 444107a00bf995aca62aba74ea02b52e577ab791 custodia dep: require explictly python2 version """ See the full comment at https://github.com/freeipa/freeipa/pull/830#issuecomment-305122168 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#830][closed] custodia dep: require explictly python2 version
URL: https://github.com/freeipa/freeipa/pull/830 Author: MartinBasti Title: #830: custodia dep: require explictly python2 version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/830/head:pr830 git checkout pr830 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#801][+pushed] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801 Title: #801: httpinstance: wait until the service entry is replicated Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#801][comment] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801 Title: #801: httpinstance: wait until the service entry is replicated martbab commented: """ master: * ab71cd5a1693c221950bdfa9ffdfb99b9c317004 httpinstance: wait until the service entry is replicated ipa-4-5: * 9871bc08f8b8f51e2a05c4dfa18d844f9c141b8d httpinstance: wait until the service entry is replicated """ See the full comment at https://github.com/freeipa/freeipa/pull/801#issuecomment-304843404 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#801][closed] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801 Author: HonzaCholasta Title: #801: httpinstance: wait until the service entry is replicated Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/801/head:pr801 git checkout pr801 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#801][+ack] httpinstance: wait until the service entry is replicated
URL: https://github.com/freeipa/freeipa/pull/801 Title: #801: httpinstance: wait until the service entry is replicated Label: +ack ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#797][comment] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797 Title: #797: ipa-replica-conncheck: handle ssh not installed martbab commented: """ ipa-4-5: * bacccb70a2e91efa22ee19aec9cca75bac94bd95 ipa-replica-conncheck: handle ssh not installed master: * f960450820c13284b52b4c5f420f0f1191a45619 ipa-replica-conncheck: handle ssh not installed """ See the full comment at https://github.com/freeipa/freeipa/pull/797#issuecomment-304832646 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#797][+pushed] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797 Title: #797: ipa-replica-conncheck: handle ssh not installed Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#797][closed] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797 Author: flo-renaud Title: #797: ipa-replica-conncheck: handle ssh not installed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/797/head:pr797 git checkout pr797 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#797][+ack] ipa-replica-conncheck: handle ssh not installed
URL: https://github.com/freeipa/freeipa/pull/797 Title: #797: ipa-replica-conncheck: handle ssh not installed Label: +ack ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#821][synchronized] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821 Author: martbab Title: #821: fix incorrect suffix handling in topology checks Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/821/head:pr821 git checkout pr821 From 25bb509404d8111fd761ec3074e558a725c7dadd Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 26 May 2017 12:23:51 +0200 Subject: [PATCH] fix incorrect suffix handling in topology checks When trying to delete a partially removed master entry lacking 'iparepltopomanagedsuffix' attribute, the code that tries to retrieve tha value for further computations passes None and causes unhandled internal errors. If the attribute is empty or not present, we should return empty list instead as to not break calling cod attribute, the code that tries to retrieve tha value for further computations passes None and causes unhandled internal errors. We should return empty list instead. https://pagure.io/freeipa/issue/6965 --- ipaserver/topology.py | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ipaserver/topology.py b/ipaserver/topology.py index 385da29a66..2b6b083547 100644 --- a/ipaserver/topology.py +++ b/ipaserver/topology.py @@ -72,12 +72,15 @@ def get_topology_connection_errors(graph): def map_masters_to_suffixes(masters): masters_to_suffix = {} +managed_suffix_attr = 'iparepltopomanagedsuffix_topologysuffix' for master in masters: -try: -managed_suffixes = master.get( -'iparepltopomanagedsuffix_topologysuffix') -except KeyError: +if managed_suffix_attr not in master: +continue + +managed_suffixes = master[managed_suffix_attr] + +if managed_suffixes is None: continue for suffix_name in managed_suffixes: ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
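Review bot: the `try`/`except KeyError` removed in this hunk could not have caught the missing-attribute case if `master.get(...)` has ordinary mapping semantics, because `.get` returns `None` instead of raising, so the old code fell through to iterating over `None`; the replacement `in` check plus the explicit `is None` check closes both gaps. The two checks could be folded into one, e.g. `managed_suffixes = master.get(managed_suffix_attr) or []`, which also covers an empty value and matches the "return empty list" intent stated in the commit message. The commit message itself carries a duplicated, truncated sentence ("... as to not break calling cod attribute, the code that tries to retrieve tha value ...") and the typo "tha"; please clean it up before merging.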
[Freeipa-devel] [freeipa PR#821][comment] fix incorrect suffix handling in topology checks
URL: https://github.com/freeipa/freeipa/pull/821 Title: #821: fix incorrect suffix handling in topology checks martbab commented: """ @pvoborni it shouldn't but given how our framework sometimes (mis)-behaves the possibility is there. """ See the full comment at https://github.com/freeipa/freeipa/pull/821#issuecomment-304643335 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#817][closed] [py3] Change ConfigParser to RawConfigParser
URL: https://github.com/freeipa/freeipa/pull/817 Author: stlaz Title: #817: [py3] Change ConfigParser to RawConfigParser Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/817/head:pr817 git checkout pr817 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#817][comment] [py3] Change ConfigParser to RawConfigParser
URL: https://github.com/freeipa/freeipa/pull/817 Title: #817: [py3] Change ConfigParser to RawConfigParser martbab commented: """ master: * 35675ca2bbe9c044f115764a2daac45f7468be00 Change ConfigParser to RawConfigParser """ See the full comment at https://github.com/freeipa/freeipa/pull/817#issuecomment-304306864 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#817][+pushed] [py3] Change ConfigParser to RawConfigParser
URL: https://github.com/freeipa/freeipa/pull/817 Title: #817: [py3] Change ConfigParser to RawConfigParser Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using
URL: https://github.com/freeipa/freeipa/pull/812 Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using martbab commented: """ Remember that you have to use 'exact=False' in the filter to perform substring search for krbPrincipalName given the fact that (except for services) the principal is constructed from primary key by appending realm (and prepending `host/` in the case of hosts). This, however, opens a range of possibilities for a new bug to creep in (considering 'tuser' is the owner but we have 'tuser1' and 'tuser2' in LDAP, what will your search filter return?). That's why I think this is not a correct solution given we currently reference owners by primary keys and not by principals (krbPrincipalName != primary key in most cases except services without krbCanonicalName attribute). I am more inclined to @HonzaCholasta's solution as it seems cleaner to me. An alternative is to report principals as cert owners, which will break the API, however. """ See the full comment at https://github.com/freeipa/freeipa/pull/812#issuecomment-304304587 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
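The false-positive hazard raised in the comment above, as an added example that is not FreeIPA code: a substring filter on krbPrincipalName for owner 'tuser' also returns 'tuser1' and 'tuser2', while matching exactly on a principal constructed from the primary key (key@REALM, or host/key@REALM for hosts) does not. The entries, realm and helper names are constructed for illustration.

```python
"""Added example (not FreeIPA code): substring vs. exact principal match
when mapping certificate owners.  All data below is constructed."""

REALM = "EXAMPLE.TEST"  # constructed realm

# Constructed directory entries: primary key plus the principal FreeIPA
# would derive from it.  Services are left out on purpose, because their
# principal is not derived from a primary key (see the comment above).
ENTRIES = [
    {"type": "user", "key": "tuser",
     "krbPrincipalName": "tuser@EXAMPLE.TEST"},
    {"type": "user", "key": "tuser1",
     "krbPrincipalName": "tuser1@EXAMPLE.TEST"},
    {"type": "user", "key": "tuser2",
     "krbPrincipalName": "tuser2@EXAMPLE.TEST"},
    {"type": "host", "key": "web.example.test",
     "krbPrincipalName": "host/web.example.test@EXAMPLE.TEST"},
]


def principal_for(owner_type, primary_key, realm=REALM):
    """Build the principal the way the comment describes: users get
    key@REALM, hosts get host/key@REALM (hypothetical helper)."""
    if owner_type == "host":
        return "host/%s@%s" % (primary_key, realm)
    return "%s@%s" % (primary_key, realm)


def search_principals(entries, value, exact):
    """Mimic an LDAP search on krbPrincipalName.  exact=False behaves
    like the substring filter (krbPrincipalName=*value*); exact=True like
    the equality filter (krbPrincipalName=value).  Returns primary keys
    of the matching entries, in directory order."""
    matches = []
    for entry in entries:
        principal = entry["krbPrincipalName"]
        hit = (principal == value) if exact else (value in principal)
        if hit:
            matches.append(entry["key"])
    return matches


def owners_by_substring(owner_key):
    """The risky approach: substring search on the bare primary key."""
    return search_principals(ENTRIES, owner_key, exact=False)


def owners_by_constructed_principal(owner_type, owner_key):
    """Exact match on the principal rebuilt from type + primary key."""
    wanted = principal_for(owner_type, owner_key)
    return search_principals(ENTRIES, wanted, exact=True)


if __name__ == "__main__":
    # Substring search over-matches; the exact match returns one owner.
    print(owners_by_substring("tuser"))
    print(owners_by_constructed_principal("user", "tuser"))
    print(owners_by_constructed_principal("host", "web.example.test"))
```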
[Freeipa-devel] [freeipa PR#816][closed] only stop/disable simple service if it is installed
URL: https://github.com/freeipa/freeipa/pull/816 Author: martbab Title: #816: only stop/disable simple service if it is installed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/816/head:pr816 git checkout pr816 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#816][+pushed] only stop/disable simple service if it is installed
URL: https://github.com/freeipa/freeipa/pull/816 Title: #816: only stop/disable simple service if it is installed Label: +pushed ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#816][comment] only stop/disable simple service if it is installed
URL: https://github.com/freeipa/freeipa/pull/816 Title: #816: only stop/disable simple service if it is installed martbab commented: """ ipa-4-5: * 6114150de20a7d8371c7383f619cd0fefe339cbf only stop/disable simple service if it is installed master: * 8b6f8ed7d47542b9bd8b7453a8a0e202ed1db97d only stop/disable simple service if it is installed """ See the full comment at https://github.com/freeipa/freeipa/pull/816#issuecomment-304293870 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org