[Freeipa-devel] [PATCH] Create pkiuser before calling pkicreate, pkicreate depends on the user existing
--- ipaserver/install/cainstance.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a43809c..97ba833 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -445,9 +445,9 @@ class CAInstance(service.Service): self.cert_chain_file=cert_chain_file self.external=2 +self.step(creating certificate server user, self.__create_ca_user) if not ipautil.dir_exists(/var/lib/pki-ca): self.step(creating pki-ca instance, self.create_instance) -self.step(creating certificate server user, self.__create_ca_user) self.step(configuring certificate server instance, self.__configure_instance) # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA. -- 1.6.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
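Review bot: moving the "creating certificate server user" step above the `if not ipautil.dir_exists(/var/lib/pki-ca):` check means `__create_ca_user` now runs on every install path, including a re-run where the pki-ca directory already exists; make sure that step tolerates an already-existing pkiuser (skip or reuse rather than fail) so the ordering fix does not turn re-runs into hard errors. The placement itself is right for the reason in the subject line: pkicreate, run from `create_instance`, needs the user to exist before it runs.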
[Freeipa-devel] [PATCH] 350 improvements to cert plugin
This makes the cert plugin use the built-in output functions and conform with output validation. It also normalizes an incoming PKCS#10 request to strip any data before or after the BEGIN/END blocks. And finally I added a get_subject() helper so we can include the subject when retrieving a cert with cert_get.

rob

freeipa-350-cert.patch (application/mbox)
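As an added example (not the patch's own code), a normalizer for the PKCS#10 handling the message describes: it keeps only the BEGIN/END block, folds line endings, and rejects input that has no single well-formed base64 body between the markers. Accepting both the "NEW CERTIFICATE REQUEST" and "CERTIFICATE REQUEST" marker variants, and requiring them to match as a pair, is this example's assumption, not something the message states.

```python
import base64
import binascii
import re

# Added example, not FreeIPA's code: reduce an incoming PKCS#10 request to its
# BEGIN/END block, as the message describes, and reject anything that is not a
# single well-formed base64 body in between. BEGIN and END are matched as a
# pair so a "BEGIN NEW ..." line cannot be closed by a plain "END ..." line.
_BEGIN = re.compile(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----")
_END = re.compile(r"-----END (NEW )?CERTIFICATE REQUEST-----")


class InvalidCSR(ValueError):
    """Raised when no single well-formed request block can be recovered."""


def _wrap64(body):
    """Re-wrap a bare base64 string into 64-column lines."""
    return [body[i:i + 64] for i in range(0, len(body), 64)]


def normalize_csr(data):
    """Return the request as 'BEGIN line, base64 body, END line', LF-terminated.

    Bytes before the BEGIN line and after the END line (MIME headers, trailing
    prose, a signature) are dropped; CRLF is folded to LF; the body must be
    valid base64 or the request is refused rather than passed on to the CA.
    """
    text = data.decode("ascii", "replace") if isinstance(data, bytes) else data
    text = text.replace("\r\n", "\n")
    begin = _BEGIN.search(text)
    if begin is None:
        raise InvalidCSR("no BEGIN CERTIFICATE REQUEST line")
    end = _END.search(text, begin.end())
    if end is None:
        raise InvalidCSR("no END CERTIFICATE REQUEST line after BEGIN")
    if begin.group(1) != end.group(1):
        raise InvalidCSR("BEGIN and END lines do not match")
    body = "".join(text[begin.end():end.start()].split())
    if not body:
        raise InvalidCSR("empty request body")
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as err:
        raise InvalidCSR("request body is not valid base64: %s" % err)
    return "%s\n%s\n%s\n" % (begin.group(0), "\n".join(_wrap64(body)),
                             end.group(0))


def request_der(normalized):
    """DER bytes of a normalized request, i.e. what the CA actually parses."""
    body = "".join(normalized.split("\n")[1:-2])
    return base64.b64decode(body, validate=True)


# Constructed sample: a request pasted with MIME-style junk around it and CRLF
# line endings. FAKE_DER is a stand-in byte string, not a real DER request.
FAKE_DER = b"constructed stand-in for DER bytes, not a real request " * 2
SAMPLE_INPUT = (
    "Content-Type: text/plain\r\n\r\n"
    "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
    + "\r\n".join(_wrap64(base64.b64encode(FAKE_DER).decode()))
    + "\r\n-----END NEW CERTIFICATE REQUEST-----\r\n"
    "-- \r\nsignature line that must not reach the CA\r\n"
)

if __name__ == "__main__":
    print(normalize_csr(SAMPLE_INPUT))
```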
[Freeipa-devel] [PATCH] 352 fix ipa-rmkeytab
On F-12 I noticed that ipa-rmkeytab failed trying to remove entries. Turned out I needed to suspend looping when doing the removal. I think it was a fluke that this worked on F-11 with an older krb5-server.

rob

freeipa-352-rmkeytab.patch (application/mbox)
[Freeipa-devel] [PATCH] 351 configurable certificate subjects
Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.

For example:

# ipa-server-install --ca --subject=O=Example

If the installed CA is dogtag then the following will happen:
1. request for CN=test.example.com will issue CN=test.example.com, O=Example
2. request for CN=test.example.com, O=Test will issue CN=test.example.com, O=Example
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example

If the installed CA is selfsign then the following will happen:
1. request for CN=test.example.com will be rejected
2. request for CN=test.example.com, O=Test will be rejected
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example

rob

freeipa-351-subject.patch (application/mbox)
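The six cases listed above, as an added example that is not part of the patch: a small model of the subject-base rule for the two CA types, using the message's --subject=O=Example base. The DN splitting and the exact-match rule for selfsign (attribute types compared case-insensitively, values as given) are the example's own assumptions about how "conform to the subject base" is decided.

```python
# Added example, not FreeIPA's code: a model of the subject-base rule the
# message describes. With the base configured at install time
# (--subject=O=Example), dogtag keeps only the CN of the request and appends
# the base; selfsign issues only when the request already carries exactly
# CN plus the base, and rejects everything else.
SUBJECT_BASE = "O=Example"   # what --subject=O=Example stores in cn=ipaconfig


class SubjectRejected(ValueError):
    """The CA refused the request's subject."""


def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def parse_dn(dn):
    """Return [(ATTR, value), ...] with attribute types upper-cased."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise SubjectRejected("malformed RDN %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def format_dn(pairs):
    return ", ".join("%s=%s" % (attr, value) for attr, value in pairs)


def issued_subject(requested_dn, ca_type, subject_base=SUBJECT_BASE):
    """Subject the CA will put in the certificate, or raise SubjectRejected."""
    pairs = parse_dn(requested_dn)
    cns = [value for attr, value in pairs if attr == "CN"]
    if len(cns) != 1:
        raise SubjectRejected("request must carry exactly one CN")
    expected = [("CN", cns[0])] + parse_dn(subject_base)
    if ca_type == "dogtag":
        # everything after the CN is replaced by the configured base
        return format_dn(expected)
    if ca_type == "selfsign":
        # no rewriting: the request must already equal CN + base (exact value
        # comparison is this example's choice, not a statement about FreeIPA)
        if pairs == expected:
            return format_dn(expected)
        raise SubjectRejected("subject %r does not conform to base %r"
                              % (requested_dn, subject_base))
    raise ValueError("unknown CA type %r" % ca_type)


if __name__ == "__main__":
    for ca in ("dogtag", "selfsign"):
        for req in ("CN=test.example.com", "CN=test.example.com, O=Test",
                    "CN=test.example.com, O=Example"):
            try:
                print("%-8s %-32s -> %s" % (ca, req, issued_subject(req, ca)))
            except SubjectRejected as err:
                print("%-8s %-32s -> rejected (%s)" % (ca, req, err))
```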
Re: [Freeipa-devel] [PATCH] Create pkiuser before calling pkicreate, pkicreate depends on the user existing
John Dennis wrote:

--- ipaserver/install/cainstance.py |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a43809c..97ba833 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -445,9 +445,9 @@ class CAInstance(service.Service): self.cert_chain_file=cert_chain_file self.external=2 +self.step(creating certificate server user, self.__create_ca_user) if not ipautil.dir_exists(/var/lib/pki-ca): self.step(creating pki-ca instance, self.create_instance) -self.step(creating certificate server user, self.__create_ca_user) self.step(configuring certificate server instance, self.__configure_instance) # Step 1 of external is getting a CSR so we don't need to do these # steps until we get a cert back from the external CA.

ack, pushed to master
Re: [Freeipa-devel] [PATCHES] Use the dns plugin during installation
On Thu, 2009-12-03 at 17:25 +0100, Martin Nagy wrote:

Hi, these three patches should make sure that we add dns records the right way. It will also serve for the ipa-dns-install command that's almost ready, patch will be coming soon. Thanks Martin

I've rebased the patches and fixed some other things I found later. Attached.

Martin

From 7397f0b2cd051f61c5810fe16e1f770c4805ccb7 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Thu, 3 Dec 2009 16:32:56 +0100 Subject: [PATCH 01/12] Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns. --- install/tools/ipa-server-install | 45 ++--- 1 files changed, 22 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index c92989a..ba27ac3 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -481,18 +481,12 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') +# Configuration for ipalib, we will bootstrap and finalize later, after +# we are sure we have the configuration file ready. cfg = dict( in_server=True, -webui_assets_dir=ASSETS_DIR, debug=options.debug ) -if not options.uninstall: -if options.ca: -cfg['ra_plugin'] = 'dogtag' -else: -cfg['ra_plugin'] = 'selfsign' -api.bootstrap(**cfg) -api.finalize() if options.uninstall: if not options.unattended: @@ -502,6 +496,8 @@ def main(): print Aborting uninstall operation. sys.exit(1) +api.bootstrap(**cfg) +api.finalize() return uninstall(not certs.ipa_self_signed()) # This will override any settings passed in on the cmdline
@@ -662,6 +658,24 @@ def main(): else: dns_forwarders = () +# Create the management framework config file and finalize api +fstore.backup_file(/etc/ipa/default.conf) +fd = open(/etc/ipa/default.conf, w) +fd.write([global]\n) +fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) +fd.write(realm= + realm_name + \n) +fd.write(domain= + domain_name + \n) +fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) +fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) +fd.write(enable_ra=True\n) +if options.ca: +fd.write(ra_plugin=dogtag\n) +fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') +fd.close() + +api.bootstrap(**cfg) +api.finalize() + if not options.unattended: print print The following operations may take some minutes to complete. @@ -753,21 +767,6 @@ def main(): http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=not options.ca) ipautil.run([/sbin/restorecon, /var/cache/ipa/sessions]) -# Create the management framework config file -fstore.backup_file(/etc/ipa/default.conf) -fd = open(/etc/ipa/default.conf, w) -fd.write([global]\n) -fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) -fd.write(realm= + realm_name + \n) -fd.write(domain= + domain_name + \n) -fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) -fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) -fd.write(enable_ra=True\n) -if options.ca: -fd.write(ra_plugin=dogtag\n) -fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') -fd.close() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg(Applying LDAP updates) -- 1.6.2.5 From 2d5d396856f1cf393f58deb53d7a6e30095845fc Mon Sep 17 00:00:00 2001 
From: Martin Nagy mn...@redhat.com Date: Tue, 10 Nov 2009 13:21:09 +0100 Subject: [PATCH 02/12] Use the dns plug-in for addition of records during installation Fixes #528943 --- install/share/Makefile.am |1 - install/share/dns.ldif| 88 install/share/dns_reverse.ldif| 24 ipaserver/install/bindinstance.py | 115 ++--- 4 files changed, 82 insertions(+), 146 deletions(-) delete mode 100644 install/share/dns_reverse.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b74f990..e3e7cf6 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,7 +16,6 @@ app_DATA =\ default-keytypes.ldif \ delegation.ldif \ dns.ldif \ - dns_reverse.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 8ce9d69..cb783b8 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -4,91 +4,3 @@ objectClass: nsContainer
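Review bot: in the uninstall hunk of patch 01/12 (@@ -502,6 +496,8 @@), `api.bootstrap(**cfg)` now runs with a `cfg` that no longer carries `ra_plugin` or `webui_assets_dir`, so uninstall depends on the /etc/ipa/default.conf written by the earlier install being present and complete; the removed lines derived `ra_plugin` from `options.ca` without that dependency. Handle a missing or partial default.conf on the uninstall path (a clear message rather than a traceback), since uninstall is exactly the path taken after a failed install. In the @@ -662,6 +658,24 @@ hunk the file is written with a run of bare `fd.write()` calls and no try/finally, so an exception mid-write leaves a half-written config that the later `api.bootstrap(**cfg)` will read; wrapping the writes in try/finally with `fd.close()` in the finally block closes that gap.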
Re: [Freeipa-devel] [PATCHES] Use the dns plugin during installation
On Thu, 2009-12-03 at 17:25 +0100, Martin Nagy wrote:

Hi, these three patches should make sure that we add dns records the right way. It will also serve for the ipa-dns-install command that's almost ready, patch will be coming soon. Thanks Martin

New patches, rebased + some minor issues in the previous patches fixed, please review.

Martin

From 7397f0b2cd051f61c5810fe16e1f770c4805ccb7 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Thu, 3 Dec 2009 16:32:56 +0100 Subject: [PATCH 01/12] Move api finalization in ipa-server-install after writing default.conf We will need to have ipalib correctly configured before we start installing DNS entries with api.Command.dns. --- install/tools/ipa-server-install | 45 ++--- 1 files changed, 22 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index c92989a..ba27ac3 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -481,18 +481,12 @@ def main(): fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') +# Configuration for ipalib, we will bootstrap and finalize later, after +# we are sure we have the configuration file ready. cfg = dict( in_server=True, -webui_assets_dir=ASSETS_DIR, debug=options.debug ) -if not options.uninstall: -if options.ca: -cfg['ra_plugin'] = 'dogtag' -else: -cfg['ra_plugin'] = 'selfsign' -api.bootstrap(**cfg) -api.finalize() if options.uninstall: if not options.unattended: @@ -502,6 +496,8 @@ def main(): print Aborting uninstall operation. sys.exit(1) +api.bootstrap(**cfg) +api.finalize() return uninstall(not certs.ipa_self_signed()) # This will override any settings passed in on the cmdline
@@ -662,6 +658,24 @@ def main(): else: dns_forwarders = () +# Create the management framework config file and finalize api +fstore.backup_file(/etc/ipa/default.conf) +fd = open(/etc/ipa/default.conf, w) +fd.write([global]\n) +fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) +fd.write(realm= + realm_name + \n) +fd.write(domain= + domain_name + \n) +fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) +fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) +fd.write(enable_ra=True\n) +if options.ca: +fd.write(ra_plugin=dogtag\n) +fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') +fd.close() + +api.bootstrap(**cfg) +api.finalize() + if not options.unattended: print print The following operations may take some minutes to complete. @@ -753,21 +767,6 @@ def main(): http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=not options.ca) ipautil.run([/sbin/restorecon, /var/cache/ipa/sessions]) -# Create the management framework config file -fstore.backup_file(/etc/ipa/default.conf) -fd = open(/etc/ipa/default.conf, w) -fd.write([global]\n) -fd.write(basedn= + util.realm_to_suffix(realm_name) + \n) -fd.write(realm= + realm_name + \n) -fd.write(domain= + domain_name + \n) -fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name) -fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name)) -fd.write(enable_ra=True\n) -if options.ca: -fd.write(ra_plugin=dogtag\n) -fd.write('webui_assets_dir=' + ASSETS_DIR + '\n') -fd.close() - # Apply any LDAP updates. Needs to be done after the configuration file # is created service.print_msg(Applying LDAP updates) -- 1.6.2.5 From 2d5d396856f1cf393f58deb53d7a6e30095845fc Mon Sep 17 00:00:00 2001 
From: Martin Nagy mn...@redhat.com Date: Tue, 10 Nov 2009 13:21:09 +0100 Subject: [PATCH 02/12] Use the dns plug-in for addition of records during installation Fixes #528943 --- install/share/Makefile.am |1 - install/share/dns.ldif| 88 install/share/dns_reverse.ldif| 24 ipaserver/install/bindinstance.py | 115 ++--- 4 files changed, 82 insertions(+), 146 deletions(-) delete mode 100644 install/share/dns_reverse.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index b74f990..e3e7cf6 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -16,7 +16,6 @@ app_DATA =\ default-keytypes.ldif \ delegation.ldif \ dns.ldif \ - dns_reverse.ldif \ kerberos.ldif \ indices.ldif \ bind.named.conf.template \ diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 8ce9d69..cb783b8 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -4,91 +4,3 @@ objectClass:
Re: [Freeipa-devel] [PATCHES] IPA to DS migration.
Pavel Zuna wrote:

Ok, here's the latest version of IPA to DS migration suite. It includes the following:
- A fix for a name collision in textui, Jason's big patch added a second method named print_entry. Nobody noticed there was one already.
- Patch to the ipa-pwd-extop plugin to allow adding entries with pre-hashed password if migration mode is enabled.
- BIND pre-operation plugin to generate Kerberos keys on simple BINDs if missing.
- Migration plugin.
- Option in config plugin to enable/disable migration mode.
- Password migration page.

What has changed since the last version:
- LDAP backend is used to connect to DS, no more low level python-ldap calls.
- The plugin checks if migration is enabled and gives direction on how to enable it.
- The plugin can now be extended to support other objects than just users and groups. You just need to create an LDAPObject and add its name along with a search filter (to find the objects in DS) and optionally callbacks to handle special cases. There's some inline documentation.
- LDAP URI validation.
- Better error messages.
- Fixed typos.

The migration won't be easy to test, so tomorrow I'll set up 2 VMs on the blades. One with IPA + migration suite and one with DS along with some scripts to generate objects that I used for testing. Using the migration plugin is really easy, you just point it to the DS server and enter the directory manager password.

Pavel

ack, pushed to master
[Freeipa-devel] [PATCH] 353 enable sssd and certmonger
Configure sssd and certmonger in ipa-client-install

This does a number of things under the hood:
- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- Join the IPA domain and retrieve a principal. The client machine *must* exist in IPA to be able to do a join.
- And then undo all this on uninstall

There are 2 ways to join a host, using a one-time password or a user with the proper privileges. For example, create a host joinable by an admin (must be in the hostadmin role):

$ ipa host-add test.example.com

To add a host with an OTP:

$ ipa host-add --password=Secret123 test2.example.com

Then run ipa-client-install on the client and it should basically work the same as before except it will quit if the host has already been enrolled.

rob

freeipa-353-sssd.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 352 fix ipa-rmkeytab
John Dennis wrote:

On 01/20/2010 11:50 AM, Rob Crittenden wrote:

On F-12 I noticed that ipa-rmkeytab failed trying to remove entries. Turned out I needed to suspend looping when doing the removal. I think it was a fluke that this worked on F-11 with an older krb5-server.

ACK pushed to master
[Freeipa-devel] [PATCHES] Add A and PTR records during ipa-replica-prepare
Hi, these patches will allow one to specify an ip address of the replica to ipa-replica-prepare. The dns records will then be added. This should make life better for QA :)

Martin

From 05c6e118b748839012a7e8bc0613367d8d27d7a8 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Mon, 23 Nov 2009 11:08:03 +0100 Subject: [PATCH 1/2] Get rid of ipapython.config in ipa-replica-prepare Also get rid of functions get_host_name(), get_realm_name() and get_domain_name(). They used the old ipapython.config. Instead, use the variables from api.env. We also change them to bootstrap() and finalize() correctly. --- install/tools/ipa-replica-install | 30 ++ install/tools/ipa-replica-prepare | 78 - 2 files changed, 30 insertions(+), 78 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 349d518..cbdd08d 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -310,12 +310,21 @@ def main(): except ldap.INVALID_CREDENTIALS, e : sys.exit(\nThe password provided is incorrect for LDAP server %s % config.master_host_name) +# Create the management framework config file +# Note: We must do this before bootstraping and finalizing ipalib.api +fd = open(/etc/ipa/default.conf, w) +fd.write([global]\n) +fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n) +fd.write(realm= + config.realm_name + \n) +fd.write(domain= + config.domain_name + \n) +fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name) +fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name)) if ipautil.file_exists(config.dir + /ca.p12): -ca_type = 'dogtag' -else: -ca_type = 'selfsign' +fd.write(enable_ra=True\n) +fd.write(ra_plugin=dogtag\n) +fd.close() -api.bootstrap(in_server=True, ra_plugin=ca_type) +api.bootstrap(in_server=True) api.finalize() # Install CA cert so that we can do SSL connections with ldap
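Review bot: in the ipa-replica-install hunk (@@ -310,12 +310,21 @@) indentation is lost in this view, so check that `fd.close()` sits at the function's indent level and not inside the `if ipautil.file_exists(config.dir + /ca.p12):` block; otherwise, on a replica without a dogtag CA, the file is never closed before `api.bootstrap(in_server=True)` reads it and the buffered lines may not have reached disk. Also, the removed lines passed `ra_plugin=ca_type` with `ca_type = 'selfsign'` when no ca.p12 is present, while the new default.conf omits `ra_plugin` entirely in that case; confirm ipalib's built-in default for `ra_plugin` is selfsign, or write it explicitly so the selfsign replica keeps a working RA.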
@@ -352,19 +361,6 @@ def main(): # generated ds.add_cert_to_service() -# Create the management framework config file -fd = open(/etc/ipa/default.conf, w) -fd.write([global]\n) -fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n) -fd.write(realm= + config.realm_name + \n) -fd.write(domain= + config.domain_name + \n) -fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name) -fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name)) -if ipautil.file_exists(config.dir + /ca.p12): -fd.write(enable_ra=True\n) -fd.write(ra_plugin=dogtag\n) -fd.close() - # Apply any LDAP updates. Needs to be done after the replica is synced-up service.print_msg(Applying LDAP updates) ds.apply_updates() diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index bc86a41..175ac62 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -26,12 +26,10 @@ from ConfigParser import SafeConfigParser import krbV from optparse import OptionParser -import ipapython.config from ipapython import ipautil from ipaserver.install import dsinstance, installutils, certs, httpinstance from ipaserver import ipaldap from ipapython import version -from ipalib.constants import DEFAULT_CONFIG from ipalib import api import ldap @@ -50,7 +48,6 @@ def parse_options(): parser.add_option(-p, --password, dest=password, help=Directory Manager (existing master) password) -ipapython.config.add_standard_options(parser) options, args = parser.parse_args() # If any of the PKCS#12 options are selected, all are required. Create a 
@@ -64,36 +61,8 @@ def parse_options(): if len(args) != 1: parser.error(must provide the fully-qualified name of the replica) -ipapython.config.init_config(options) - return options, args -def get_host_name(): -hostname = installutils.get_fqdn() -try: -installutils.verify_fqdn(hostname) -except RuntimeError, e: -logging.error(str(e)) -sys.exit(1) - -return hostname - -def get_realm_name(): -try: -c = krbV.default_context() -return c.default_realm -except Exception, e: -return None - -def get_domain_name(): -try: -ipapython.config.init_config() -domain_name = ipapython.config.config.get_domain() -except Exception, e: -return None - -return domain_name - def check_ipa_configuration(realm_name): config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) if not ipautil.dir_exists(config_dir): @@ -119,8 +88,8 @@ def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname): #ca_db =
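Review bot: the @@ -64,36 +61,8 @@ hunk removes `get_realm_name()`, the only visible user of `krbV`, yet `import krbV` survives the @@ -26,12 +26,10 @@ hunk; drop it too unless another caller remains outside the shown context. The same hunk removes `get_host_name()`, which ran `installutils.verify_fqdn(hostname)` and exited on failure; nothing in the visible diff replaces that check, so confirm the replica hostname taken from api.env is still validated as a fully-qualified name before the replica file is prepared.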
[Freeipa-devel] [PATCH] Set BIND to use ldapi and use fake mname
Hi, some additional comments are in the patch.

Martin

From 003b8ee61673216243fe872297d069cb476e5600 Mon Sep 17 00:00:00 2001 From: Martin Nagy mn...@redhat.com Date: Wed, 25 Nov 2009 01:00:26 +0100 Subject: [PATCH] Set BIND to use ldapi and use fake mname The fake_mname for now doesn't exist but is a feature that will be added in the near future. Since any unknown arguments to bind-dyndb-ldap are ignored, we are safe to use it now. --- install/share/bind.named.conf.template |3 ++- ipaserver/install/bindinstance.py |2 ++ 2 files changed, 4 insertions(+), 1 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index 8b5fac2..d733d61 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -32,8 +32,9 @@ include /etc/named.rfc1912.zones; dynamic-db ipa { library ldap.so; - arg uri ldap://$FQDN;; + arg uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket; arg base cn=dns, $SUFFIX; + arg fake_mname $FQDN; arg auth_method sasl; arg sasl_mech GSSAPI; arg sasl_user DNS/$FQDN; diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 8ee46d4..13e9e16 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -26,6 +26,7 @@ import installutils import ldap import service from ipaserver import ipaldap +from ipaserver.install.dsinstance import realm_to_serverid from ipapython import sysrestore from ipapython import ipautil @@ -222,6 +223,7 @@ class BindInstance(service.Service): DOMAIN=self.domain, HOST=self.host, REALM=self.realm, + SERVER_ID=realm_to_serverid(self.realm), FORWARDERS=fwds, SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp) -- 1.6.2.5
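Review bot: `+ arg fake_mname $FQDN;` in the bind.named.conf.template hunk relies on bind-dyndb-ldap silently ignoring arguments it does not know, as the commit message says; add a comment in the template stating that the argument is not yet implemented, so the next reader does not strip it as a typo and so it gets revisited once the plugin supports it (the same silent-ignore behaviour means a misspelled `arg` name anywhere in this block goes unnoticed). The `ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket` URI matches the `ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket` form written to default.conf elsewhere in this thread, and with `arg auth_method sasl; arg sasl_mech GSSAPI;` kept, named now authenticates over the local socket instead of TCP to $FQDN.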
Re: [Freeipa-devel] [PATCH] 353 enable sssd and certmonger
On Wed, 2010-01-20 at 17:01 -0500, Rob Crittenden wrote:

Configure sssd and certmonger in ipa-client-install

This does a number of things under the hood:
- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- Join the IPA domain and retrieve a principal. The client machine *must* exist in IPA to be able to do a join.
- And then undo all this on uninstall

rob

Heh, joining FreeIPA and SSSD at last, cool :-)

ACK

Martin
Re: [Freeipa-devel] [PATCH] 344 require fully-qualified hostname in ipa-join
On Fri, 2010-01-08 at 16:04 -0500, Rob Crittenden wrote:

Require a fully-qualified hostname in ipa-join. The server side will enforce this as well but better to catch it early.

rob

ACK

Martin
Re: [Freeipa-devel] [PATCH] 351 configurable certificate subjects
John Dennis wrote:

On 01/20/2010 11:31 AM, Rob Crittenden wrote:

Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.

For example:

# ipa-server-install --ca --subject=O=Example

If the installed CA is dogtag then the following will happen:
1. request for CN=test.example.com will issue CN=test.example.com, O=Example
2. request for CN=test.example.com, O=Test will issue CN=test.example.com, O=Example
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example

If the installed CA is selfsign then the following will happen:
1. request for CN=test.example.com will be rejected
2. request for CN=test.example.com, O=Test will be rejected
3. request for CN=test.example.com, O=Example will issue CN=test.example.com, O=Example

rob

ACK pushed to master