Re: [Freeipa-devel] [PATCH] 479 optimize modify principal operations

2012-02-15 Thread Rob Crittenden 

Rob Crittenden wrote:

Simo Sorce wrote:

We were unconditionally searching the LDAP database to find the
principal on modification.
By using the stored entry_dn when available we avoid a costly round-trip
to the LDAP server just to save back some modified attributes.

This is an important performance improvement for the KDC given now we
save data each time an AS request is performed.

Simo.


ACK


Pushed to master and ipa-2-2

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 480 Do not store LastPwdChange unless it really changed

2012-02-15 Thread Rob Crittenden 

Rob Crittenden wrote:

Simo Sorce wrote:

Due to an idiosyncrasy of kadmin, the right flag to indicate
krbLastPwdChange is changed is not set. The previous check ended up
always saving the data in all cases because the data was always present.
Restrict it to store a password change when there is actually new key
material.

This prevents also audit operations to cause replications.

Simo.


ACK


Pushed to master and ipa-2-2

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] ignore pylint warning

2012-02-15 Thread Rob Crittenden 
A false pylint warning was being printed on F16+. I pushed a patch to 
master and ipa-2-2 to disable it under the 1-liner rule.


rob

From 06627a542ff45a9eaa3aa1f125cb86b5aa273b16 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Wed, 15 Feb 2012 10:33:11 -0500
Subject: [PATCH] Disable false pylint error in freeipa-systemd-upgrade

---
 init/systemd/freeipa-systemd-upgrade |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/init/systemd/freeipa-systemd-upgrade 
b/init/systemd/freeipa-systemd-upgrade

index e662d28..1f1a616 100755
--- a/init/systemd/freeipa-systemd-upgrade
+++ b/init/systemd/freeipa-systemd-upgrade
@@ -80,7 +80,7 @@ try:
 # when enabling DS instances we'll also do configure 
/etc/sysconfig/dirsrv.systemd
 # which comes with 389-ds-base-1.2.10-0.8.a7 on F-16 and later. 
This is handled in

 # fedora16 platform code
-realm = config.config.default_realm.upper().replace('.','-')
+realm = config.config.default_realm.upper().replace('.','-') 
#pylint: disable=E1103
 print "Re-enable Directory server instances PKI-IPA and %s " % 
(realm)

 if os.path.exists('/etc/systemd/system/dirsrv@.service'):
 os.unlink('/etc/systemd/system/dirsrv@.service')
--
1.7.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] configure ipa_memcached on upgraded instances

2012-02-15 Thread Rob Crittenden 

The ipa_memcached service wasn't being added to upgraded installations.

We also were never unconfiguring it on uninstall and we were missing 
this fact, both fixed.


rob


freeipa-rcrit-951-memcacheupgrade.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 61] Cache authentication in session

2012-02-15 Thread Simo Sorce 
On Wed, 2012-02-15 at 11:24 -0600, Endi Sukma Dewata wrote:
> On 2/15/2012 8:01 AM, Simo Sorce wrote:
> >> If someone already has a session then changes to another principal, will
> >> he get a new session and then reauthenticate against the login URL? Or
> >> will he use the same session but just reauthenticate?
> >
> > I guess it depends on what you mean by "changes to another principal".
> > If you mean a simple kdestroy/kinit, then the interface will not see the
> > change until the session expires. (Which is why I want a session
> > expiration much shorter for Negotiate auth).
> 
> Even if we make it shorter (e.g. 5 minutes) there's still a window where 
> the browser is still using the old session. Will this be OK since it's 
> not about somebody leaving the machine idle, but in this case someone 
> else is taking over the machine while there's an active session? Also, 
> both users might not be aware about the length of this window.

My preferred way would be to have it configurable, but I think 5 min.
would be a reasonable compromise.

> > However if the user presses the logout button in the UI his session will
> > be destroyed and so the next attempt will cause a new negotiation to
> > happen and the UI will change to use the new principal.
> 
> Right, this is not the concern.
> 
> >> What if he then changes back to the previous principal, will he reuse
> >> the old session? If so will he be required to authenticate again?
> >
> > What old session do you refer to ?
> > The previous session of the same user has been destroyed, the other user
> > session is still valid until it expires or the user presses log out, so
> > nothing changes there.
> 
> Assuming there is a way for the server to detect principal change 
> earlier than session expiration,

There is none without a Negotiate operation which we now do only when
the session expires (hence my request for short expiration times).

>  the server could either (a) reuse the 
> same session but with new credentials, or (b) it could create a new 
> session for the new user. In option (b) there's a possibility to keep 
> the old session (thus the question about reusing the old session), but I 
> don't think we want to do that.
> 
> If the assumption is wrong, the only possible option is (b), but in this 
> case the old session is no longer available.

Right, the old session is always destroyed.

> That's true if the above assumption is wrong. We're already planning to 
> execute a whoami operation after each authentication so the UI can 
> detect the change.

ok

> >> Would it be possible for someone from another machine to randomly guess
> >> a session ID and then take over an existing authenticated session?
> >
> > The session ID is currently a 48bit random number (we ask John to make
> > it a 128bit number). *Guessing* that number is going to be *very* though
> > (read technically impossible if the randomness is properly handled at
> > the creation of the session ID in the server.
> 
> Hey... many people have won the lottery :)

I know nobody, do you? :-)

> > However if somehow the sessionid is exposed than an attacker can hijack
> > the connection. The risk is extremely low, but it is another reason why
> > having a short expiration for Negotiate auth would be better, than
> > treating it the same as form based auth.
> 
> Agreed, although the form based auth is still exposed to the same 
> hijacking issue.

Yes form based auth is just a leap of faith, you base all your security
on the SSL connection, and there isn't much you can do beyond that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 61] Cache authentication in session

2012-02-15 Thread Endi Sukma Dewata 

On 2/15/2012 8:01 AM, Simo Sorce wrote:

If someone already has a session then changes to another principal, will
he get a new session and then reauthenticate against the login URL? Or
will he use the same session but just reauthenticate?


I guess it depends on what you mean by "changes to another principal".
If you mean a simple kdestroy/kinit, then the interface will not see the
change until the session expires. (Which is why I want a session
expiration much shorter for Negotiate auth).


Even if we make it shorter (e.g. 5 minutes) there's still a window where 
the browser is still using the old session. Will this be OK since it's 
not about somebody leaving the machine idle, but in this case someone 
else is taking over the machine while there's an active session? Also, 
both users might not be aware about the length of this window.



However if the user presses the logout button in the UI his session will
be destroyed and so the next attempt will cause a new negotiation to
happen and the UI will change to use the new principal.


Right, this is not the concern.


What if he then changes back to the previous principal, will he reuse
the old session? If so will he be required to authenticate again?


What old session do you refer to ?
The previous session of the same user has been destroyed, the other user
session is still valid until it expires or the user presses log out, so
nothing changes there.


Assuming there is a way for the server to detect principal change 
earlier than session expiration, the server could either (a) reuse the 
same session but with new credentials, or (b) it could create a new 
session for the new user. In option (b) there's a possibility to keep 
the old session (thus the question about reusing the old session), but I 
don't think we want to do that.


If the assumption is wrong, the only possible option is (b), but in this 
case the old session is no longer available.



I think if the principal change is always preceded by reauthentication,
the UI will only need to redo the whoami after successful login.
Otherwise, the UI will need to check the principal change after each
operation like in the current code.


The UI will know when the principal changes because it will get an error
and it will be told to go to the re-authentication URL. When you
re-authenticate you should always check if the principal changed.


That's true if the above assumption is wrong. We're already planning to 
execute a whoami operation after each authentication so the UI can 
detect the change.



Would it be possible for someone from another machine to randomly guess
a session ID and then take over an existing authenticated session?


The session ID is currently a 48bit random number (we ask John to make
it a 128bit number). *Guessing* that number is going to be *very* though
(read technically impossible if the randomness is properly handled at
the creation of the session ID in the server.


Hey... many people have won the lottery :)


However if somehow the sessionid is exposed than an attacker can hijack
the connection. The risk is extremely low, but it is another reason why
having a short expiration for Negotiate auth would be better, than
treating it the same as form based auth.


Agreed, although the form based auth is still exposed to the same 
hijacking issue.


--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 61] Cache authentication in session

2012-02-15 Thread Endi Sukma Dewata 

On 2/15/2012 2:51 AM, Dmitri Pal wrote:

On 02/14/2012 01:01 PM, Endi Sukma Dewata wrote:


If someone already has a session then changes to another principal,
will he get a new session and then reauthenticate against the login
URL? Or will he use the same session but just reauthenticate?


AFAIU the session ID will be (should be) lost when you switch the
principal and new ID returned to the browser.
The old session is still valid for 20 min if you did not log out but it
should not be accessible.


I looked at the code briefly, if I understand correctly it looks like 
the server will get the session ID from the cookie and use it to find 
the existing session data from memcached. So if someone does a kinit to 
change principal, the browser will still send the same session ID 
because it doesn't know about the change, so the server will continue to 
use the old session with the old credentials until the session expires 
(which could be a long time if the server keeps resetting the expiration 
time).


Previously without sessions the UI will detect the change as soon as the 
user executes another operation in the UI.



It seems that everything depends on what is the key for the internal
cache. I would think that the key should be principal+session ID and
session ID is long and strong. We said in one of the earlier discussions
that it should be at least 128 bits of entropy. Was that done? If not
please log a ticket.


Assuming the principal will be stored in the cookie, it might not work 
because the browser will not know about the principal change so it's 
still sending the same principal.



So am I right that the key is principal+session ID? If it is just
principal then yes the session can be resurrected but I do not think we
want this. If the key is just the ID there is a potential of the
privilege escalation if one principal tries to guess the ID for another
active session. Very unlikely but it seems that it is safer to have it
as a composit key. May be we should file an RFE on this.


Right now the key is just a 48-bit ID.


What if he then changes back to the previous principal, will he reuse
the old session? If so will he be required to authenticate again?


Old session should not be accessible.


The question assumes that if the user changes principal he will get a 
new session, which doesn't seem to be the case. But suppose that issue 
is fixed, I agree that we need to make sure the old session is destroyed.



Would it be possible for someone from another machine to randomly
guess a session ID and then take over an existing authenticated session?


Then we need to make ID even longer.


I believe John is going to make it 128-bit in the next patch.

--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 950 update replicas for s4u2proxy

2012-02-15 Thread Martin Kosek 
On Wed, 2012-02-15 at 11:22 -0500, Rob Crittenden wrote:
> I handled installing a new replica for s4u2proxy but not upgrading a 
> previous one. This should take care of adding the right delegation 
> permissions.
> 
> rob

ACK. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 086 Fixed problem when attributes_widget was displaying empty option

2012-02-15 Thread Petr Vobornik 

Attribute table was modified to skip creation of option for empty value.

https://fedorahosted.org/freeipa/ticket/2291
--
Petr Vobornik
From fb0df6e11f9d105e58ae6e08c15ff270f8c2206a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Voborn=C3=ADk?= 
Date: Wed, 15 Feb 2012 17:47:53 +0100
Subject: [PATCH] Fixed problem when attributes_widget was displaying empty
 option

Attribute table was modified to skip creation of option for empty value.

https://fedorahosted.org/freeipa/ticket/2291
---
 install/ui/aci.js |7 ++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index fc72b51929e94bb73dae5c01b6e1ecf50b6e8303..02e03f309f279d62f411e3b9ffd8bae9fe09dc06 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -487,7 +487,12 @@ IPA.attributes_widget = function(spec) {
 
 values = values || [];
 for (var i=0; i___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 949 remove Apache ccache on upgrade

2012-02-15 Thread Martin Kosek 
On Wed, 2012-02-15 at 09:58 -0500, Rob Crittenden wrote:
> Remove any Apache ccache on upgrade. We have no way of knowing what is 
> in there so play it safe.
> 
> rob

ACK. This fixes the upgrade issue.

Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-15 Thread Martin Kosek 
On Wed, 2012-02-15 at 11:23 +0100, Martin Kosek wrote:
> On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > >> Remove quotes around a value in 30-s4u2proxy.update. The update was
> > >> failing to apply.
> > >>
> > >> I also noticed that FQDN wasn't being set properly in all cases in
> > >> sub_dict. This should fix it.
> > >>
> > >> rob
> > >
> > > This patch did not apply for me. I guess it depends on some other patch
> > > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> > >
> > > -default: ipaAllowedTarget: 
> > > 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > > +default: ipaAllowedTarget: 
> > > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> > >
> > > Current update file says:
> > >
> > > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> > >
> > > which is a non-existent DN.
> > >
> > > Martin
> > >
> > 
> > It relies on patch 941
> 
> Yeah, that's the one.
> 
> I am now testing all the upgrade patches, but I s4u2proxy does not work
> for me yet on upgraded server instance (tested on F16). krb5kdc keeps
> reporting decrypt errors:
> 
> /var/log/krb5kdc.log:
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
>  for , Decrypt integrity check failed
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
>  for , Decrypt integrity check failed
> 
> New installs on the same machine work though. I am still trying to find
> out the root cause of this.
> 
> Martin
> 

Ok, we found out the root cause. The problem was that Apache CCACHE from
previous install was not removed. Rob's patch 949 fixes that.

ACK for this patch. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 941 fix replica s4u2proxy delegation

2012-02-15 Thread Martin Kosek 
On Wed, 2012-02-15 at 11:30 +0100, Martin Kosek wrote:
> On Mon, 2012-02-06 at 15:12 -0500, Rob Crittenden wrote:
> > Replicas weren't being added to the S4U2Proxy configuration so weren't 
> > allowed to delegate tickets. This fixes things.
> > 
> > rob
> 
> This would work fine for new replicas which adds replica-s4u2proxy.ldif
> but what about upgrading the current ones?
> 
> I am not sure that 30-s4u2proxy.update would add their principals to
> s4u2proxy configuration.
> 
> Martin
> 

Discussed with Rob, it is really an issue. He plans to deal with it in
another ticket.

In that case its ACK. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 950 update replicas for s4u2proxy

2012-02-15 Thread Rob Crittenden 
I handled installing a new replica for s4u2proxy but not upgrading a 
previous one. This should take care of adding the right delegation 
permissions.


rob


freeipa-rcrit-950-replica.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] s4u2proxy support

2012-02-15 Thread Martin Kosek 
On Wed, 2012-01-04 at 15:11 -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> > On Wed, 14 Dec 2011, Rob Crittenden wrote:
> >
> >> Dmitri Pal wrote:
> >>> On 12/12/2011 07:15 PM, Simo Sorce wrote:
>  On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
> > This patch adds support for s4u2proxy. This means that the Apache
> > server
> > will obtain the ldap service ticket on behalf of the user rather than
> > the using having to send their TGT. The user's ticket still needs to
> > be
> > forwardable, we just don't require it to be forwarded any more.
> 
>  Should we make the patch allow the old behavior by using a switch that
>  revert to forwarding the TGT ?
> 
>  It would be useful during upgrades if some of your servers still need
>  forwarded TGTs, or if you want to use a newer client against an old
>  server while you have the newer stuff under test.
>  (And to test in general).
> 
>  Simo.
> >>> +1
> >>>
> >>
> >> Updated patch attached.
> >>
> >> rob
> >
> >> > From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
> >> From: Rob Crittenden
> >> Date: Thu, 8 Dec 2011 14:23:18 -0500
> >> Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
> >>   now
> >>
> >> A forwardable ticket is still required but we no longer need to send
> >> the TGT to the IPA server. A new flag, --delegation, is available if
> >> the old behavior is required.
> > A minor point: please fix commit message to use proper option name:
> >
> > --delegate
> >
> >> +parser.add_option('--delegate', action='store_true',
> >> +help='Delegate the TGT to the IPA server',
> >> +)
> >
> > Otherwise ACK.
> >
> 
> Updated both patches. The first (914) to address Alexander's concern. 
> The second to add a new global lock directive. I updated the 
> mod_auth_kerb patch based on feedback from the package maintainer.
> 
> rob

ACK for patch 914-4. Pushed to master, ipa-2-2.

In reality, it was really sent in the thread for patch 947. I just
renamed it and created a rebased version for master branch. Both patches
are attached.

Martin
>From d78756d9bcaf1d75cc592fc621e25c4d1df980a3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 8 Dec 2011 14:23:18 -0500
Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
 now

A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
---
 freeipa.spec.in   |   15 +++
 install/share/bootstrap-template.ldif |2 +-
 ipa.1 |3 +++
 ipalib/backend.py |2 +-
 ipalib/constants.py   |1 +
 ipalib/plugable.py|5 -
 ipalib/rpc.py |   24 +---
 7 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6c92747..06e7d9e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -92,17 +92,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
-%if 0%{?fedora} >= 16
-Requires: krb5-server >= 1.9.1-15
-%else
-Requires: krb5-server
-%endif
+Requires: krb5-server >= 1.9.2-6
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-9
+Requires: mod_auth_kerb >= 5.4-8
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
@@ -665,11 +661,14 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
-* Wed Jan 11 2012 Simo Sorce  - 2.2.0-8
+- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches
+
+* Wed Jan 11 2012 Simo Sorce  - 2.2.0-7
 - Remove dependency on samba4 libs
 
 * Wed Jan 11 2012 Rob Crittenden  - 2.2.0-6
-- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support
 
 * Tue Jan 10 2012 Alexander Bokovoy  - 2.2.0-5
 - Fix dependency for samba4-devel package
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b58bfd7..e33f065 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -174,7 +174,7 @@ objectClass: groupOfPrincipals
 objectClass: top
 cn: ipa-http-delegation
 memberPrincipal: HTTP/$HOST@$REALM
-ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 
 dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
diff --git a/i

Re: [Freeipa-devel] [PATCH] 480 Do not store LastPwdChange unless it really changed

2012-02-15 Thread Rob Crittenden 

Simo Sorce wrote:

Due to an idiosyncrasy of kadmin, the right flag to indicate
krbLastPwdChange is changed is not set. The previous check ended up
always saving the data in all cases because the data was always present.
Restrict it to store a password change when there is actually new key
material.

This prevents also audit operations to cause replications.

Simo.


ACK

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 479 optimize modify principal operations

2012-02-15 Thread Rob Crittenden 

Simo Sorce wrote:

We were unconditionally searching the LDAP database to find the
principal on modification.
By using the stored entry_dn when available we avoid a costly round-trip
to the LDAP server just to save back some modified attributes.

This is an important performance improvement for the KDC given now we
save data each time an AS request is performed.

Simo.


ACK

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 940 apply some validation to some classes only

2012-02-15 Thread Jan Cholasta 

On 15.2.2012 15:33, Rob Crittenden wrote:

Jan Cholasta wrote:

On 14.2.2012 22:16, Rob Crittenden wrote:

Jan Cholasta wrote:

On 14.2.2012 16:44, Jan Cholasta wrote:

On 7.2.2012 20:25, Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

Dne 7.2.2012 09:27, Martin Kosek napsal(a):

On Mon, 2012-02-06 at 11:52 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2012-02-03 at 16:58 -0500, Rob Crittenden wrote:

There is some validation that we only need to apply when an
entry is
being created, namely the key itself. This is to allow us to
manage an
otherwise illegal entry that finds its way into the system
(i.e.
migration).

Consider this. We migrate a group with a space in it. This
isn't
allowed
in IPA but we also provide no way to delete it because the cn
regex
kicks out the group-del command.

The trick is adding appropriate context so we can know during
validation
how we got here. A command object has a bases field which
contains
the
base classes associated with it, which appears to contain only
the
leaf
baseclass. So using this we can tell how we got to validation
and
can
skip based on that baseclass name.

I went back and forth a bit on where the right place to put
this
was,
I'm open to more fine tuning. I initially skipped just the
pattern
validation then expanded it to apply to all validation in the
Parameter.

rob


1) This patch breaks API.txt, it needs re-generating.

2) This may be a matter of opinion but I think that
+ if self.onlyvalidateclasses and \
+ not any(x in self.onlyvalidateclasses for x in classbases):
+ return

would be more readable than:

+ if self.onlyvalidateclasses and \
+ not [x for x in classbases if x in self.onlyvalidateclasses]:
+ return

3) I would move the entire self.onlyvalidateclasses up to the
validate()
method. It would have several benefits:
- the validation skip would be done just once, not for every
value as
the decision does not use the value at all
- we would not have to modify _validate_scalar() methods at all
since
they won't need classbases

4) I think it would be better to keep validation for --rename
options.
As it is generated from RDN attribute parameter, it inherits
onlyvalidateclasses list as well.

Otherwise your patch would let user to rename a valid object
to an
invalid one:

# ipa user-mod fbar --rename="bad boy"

Modified user "fbar"

User login: bad boy
First name: Foo
Last name: Bar
Home directory: /home/fbar
Login shell: /bin/sh
UID: 480800040
GID: 480800040
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False

Martin



This should address your concerns.

rob



Its almost OK, there is just one part that's not that OK:

@@ -831,6 +836,9 @@ class Param(ReadOnly):
else:
raise RequirementError(name=self.name)
return
+ if 'rename' not in (self.name, self.cli_name):
+ if self.onlyvalidateclasses and not [x for x in
self.onlyvalidateclasses if x in classbases]: #pylint:
disable=E1101
+ return
if self.multivalue:
if type(value) is not tuple:
raise TypeError(

I don't think that hard-coding this skip for onlyvalidateclasses
based
just on parameter name is a good thing to do and may cause
problems in
the future. For example if we create some option called "rename"
and
deliberately set onlyvalidateclasses for the option - it would
then be
skipped as well.

I think it would be a better solution to just update
_get_rename_option() in baseldap.py to set onlyvalidateclasses
to ()

Martin



I must say I'm not a big fan of this approach. You are healing the
symptoms (custom validation on some parameters makes it
impossible to
manipulate existing LDAP entries with invalid attribute values =>
add a
way to mark parameters to be validated only in certain commands to
prevent that), but the real issue here is that we should not
perform
custom validation when referring to existing LDAP attribute
values at
all (or only partially), no matter what parameter and command.
Fixing
this would make the problem go away for all commands, present or
future,
without the need for adding a list of command classes to each
parameter
that is affected.

Honza



It is all about context, and parameters have very little of it. The
bottom line is we only want to do validation on new values.

I think I can bump this up a level by adding a validate boolean to
Param
and Command both defaulting to False. crud.Create will override
this to
True and cloning rename could perhaps also set this flag.

Then in validation if the parent object has validation set or the
parameter does we validate, otherwise we skip it.

This will require some other changes for Enums, they may always
require
validation (I'll need to be sure --delattr can remove a bad one).

rob


Updated patch. The primary key will be validated only on adds. The
values will be validated on adds and mods.


It turns out there already is infrastructure which does exactly the
same
thing: the "query" kwarg of the Parameter class. W

Re: [Freeipa-devel] Fix build issues in master with krb5 1.10

2012-02-15 Thread Rob Crittenden 

Simo Sorce wrote:

The following 2 patches are need to have a functioning kdc.
Without them building against krb5 1.10 produces a ipadb.so module that
fails to load due to missing symbols leaving kadmin.local and krb5kdc
without a database.

The reason this happens is that during development of this code MIT had
some necessary API functions marked private and didn't expose headers.
These functions have been made public in 1.10 and renamed. Headers with
functions declaration and defines are also available now.

They are needed only in master as in 2.2 this code is commented out and
builds fine against 1.9

Simo.


ACK

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 949 remove Apache ccache on upgrade

2012-02-15 Thread Rob Crittenden 
Remove any Apache ccache on upgrade. We have no way of knowing what is 
in there so play it safe.


rob


freeipa-rcrit-949-ccache.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-15 Thread Rob Crittenden 

Martin Kosek wrote:

On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:

Remove quotes around a value in 30-s4u2proxy.update. The update was
failing to apply.

I also noticed that FQDN wasn't being set properly in all cases in
sub_dict. This should fix it.

rob


This patch did not apply for me. I guess it depends on some other patch
that fixes wrong DN in s4u2proxy ipaAllowedTargets:

-default: ipaAllowedTarget: 
'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
+default: ipaAllowedTarget: 
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX

Current update file says:

default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'

which is a non-existent DN.

Martin



It relies on patch 941


Yeah, that's the one.

I am now testing all the upgrade patches, but I s4u2proxy does not work
for me yet on upgraded server instance (tested on F16). krb5kdc keeps
reporting decrypt errors:

/var/log/krb5kdc.log:
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
  for, Decrypt integrity check failed
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
  for, Decrypt integrity check failed

New installs on the same machine work though. I am still trying to find
out the root cause of this.

Martin



Turned out a stale Apache ccache was in /tmp. I've created a new ticket 
and patch for that.


Martin also noticed that allowedTargets wasn't being set properly on new 
installs. Updated patch attached.


rob


freeipa-rcrit-947-2-upgrade.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 940 apply some validation to some classes only

2012-02-15 Thread Rob Crittenden 

Jan Cholasta wrote:

On 14.2.2012 22:16, Rob Crittenden wrote:

Jan Cholasta wrote:

On 14.2.2012 16:44, Jan Cholasta wrote:

On 7.2.2012 20:25, Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

Dne 7.2.2012 09:27, Martin Kosek napsal(a):

On Mon, 2012-02-06 at 11:52 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2012-02-03 at 16:58 -0500, Rob Crittenden wrote:

There is some validation that we only need to apply when an
entry is
being created, namely the key itself. This is to allow us to
manage an
otherwise illegal entry that finds its way into the system (i.e.
migration).

Consider this. We migrate a group with a space in it. This isn't
allowed
in IPA but we also provide no way to delete it because the cn
regex
kicks out the group-del command.

The trick is adding appropriate context so we can know during
validation
how we got here. A command object has a bases field which
contains
the
base classes associated with it, which appears to contain only
the
leaf
baseclass. So using this we can tell how we got to validation
and
can
skip based on that baseclass name.

I went back and forth a bit on where the right place to put this
was,
I'm open to more fine tuning. I initially skipped just the
pattern
validation then expanded it to apply to all validation in the
Parameter.

rob


1) This patch breaks API.txt, it needs re-generating.

2) This may be a matter of opinion but I think that
+ if self.onlyvalidateclasses and \
+ not any(x in self.onlyvalidateclasses for x in classbases):
+ return

would be more readable than:

+ if self.onlyvalidateclasses and \
+ not [x for x in classbases if x in self.onlyvalidateclasses]:
+ return

3) I would move the entire self.onlyvalidateclasses up to the
validate()
method. It would have several benefits:
- the validation skip would be done just once, not for every
value as
the decision does not use the value at all
- we would not have to modify _validate_scalar() methods at all
since
they won't need classbases

4) I think it would be better to keep validation for --rename
options.
As it is generated from RDN attribute parameter, it inherits
onlyvalidateclasses list as well.

Otherwise your patch would let user to rename a valid object
to an
invalid one:

# ipa user-mod fbar --rename="bad boy"

Modified user "fbar"

User login: bad boy
First name: Foo
Last name: Bar
Home directory: /home/fbar
Login shell: /bin/sh
UID: 480800040
GID: 480800040
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False

Martin



This should address your concerns.

rob



Its almost OK, there is just one part that's not that OK:

@@ -831,6 +836,9 @@ class Param(ReadOnly):
else:
raise RequirementError(name=self.name)
return
+ if 'rename' not in (self.name, self.cli_name):
+ if self.onlyvalidateclasses and not [x for x in
self.onlyvalidateclasses if x in classbases]: #pylint:
disable=E1101
+ return
if self.multivalue:
if type(value) is not tuple:
raise TypeError(

I don't think that hard-coding this skip for onlyvalidateclasses
based
just on parameter name is a good thing to do and may cause
problems in
the future. For example if we create some option called "rename"
and
deliberately set onlyvalidateclasses for the option - it would
then be
skipped as well.

I think it would be a better solution to just update
_get_rename_option() in baseldap.py to set onlyvalidateclasses
to ()

Martin



I must say I'm not a big fan of this approach. You are healing the
symptoms (custom validation on some parameters makes it
impossible to
manipulate existing LDAP entries with invalid attribute values =>
add a
way to mark parameters to be validated only in certain commands to
prevent that), but the real issue here is that we should not perform
custom validation when referring to existing LDAP attribute
values at
all (or only partially), no matter what parameter and command.
Fixing
this would make the problem go away for all commands, present or
future,
without the need for adding a list of command classes to each
parameter
that is affected.

Honza



It is all about context, and parameters have very little of it. The
bottom line is we only want to do validation on new values.

I think I can bump this up a level by adding a validate boolean to
Param
and Command both defaulting to False. crud.Create will override
this to
True and cloning rename could perhaps also set this flag.

Then in validation if the parent object has validation set or the
parameter does we validate, otherwise we skip it.

This will require some other changes for Enums, they may always
require
validation (I'll need to be sure --delattr can remove a bad one).

rob


Updated patch. The primary key will be validated only on adds. The
values will be validated on adds and mods.


It turns out there already is infrastructure which does exactly the
same
thing: the "query" kwarg of the Parameter class. We should fix its
behavior rather than reinv

Re: [Freeipa-devel] [PATCH] 948 handle ipa_kpasswd on upgrades

2012-02-15 Thread Martin Kosek 
On Wed, 2012-02-15 at 08:45 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Mon, 2012-02-13 at 11:46 -0500, Rob Crittenden wrote:
> >>> When upgrading from 2.1 to 2.2 we need to kill any ipa_kpasswd processes
> >>> and uninstall it.
> >>>
> >>> We also need to update the dbmodules section in /etc/krb5.conf to
> >>> reflect the new kdb.
> >>>
> >>> rob
> >>
> >> The patch works fine, I just have few comments.
> >>
> >> This line seems a bit confusing (at least for me):
> >> + if not enabled is None and not enabled:
> >> + ipa_kpasswd.remove()
> >>
> >> I would prefer
> >> + if enabled is not None and not enabled:
> >> + ipa_kpasswd.remove()
> >>
> >> I know, its just a nitpick.
> >
> > I saw that too and was tempted to change it but this is the way it is
> > done currently in services, didn't want to mess with success :-)
> >
> > I'm not opposed.
> >
> >>
> >> I checked update_dbmodules() function. It works but as we discussed,
> >> there is a lot of hard-coding and a success of this function depends on
> >> proper indentation etc. I would accept this fix as a short-term
> >> solution, in the future we may want to use some better means to update
> >> our configs like augeas that was already discussed before.
> >
> > Yes, ideally we'll switch to using the ipaChangeConf module but it
> > doesn't support searching within subsections yet.
> 
> Updated patch moving position of not.
> 
> rob

Thanks for the update. Now, my nitpick mastery is complete...

ACK. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 61] Cache authentication in session

2012-02-15 Thread Simo Sorce 
On Tue, 2012-02-14 at 12:01 -0600, Endi Sukma Dewata wrote:

> If someone already has a session then changes to another principal, will 
> he get a new session and then reauthenticate against the login URL? Or 
> will he use the same session but just reauthenticate?

I guess it depends on what you mean by "changes to another principal".
If you mean a simple kdestroy/kinit, then the interface will not see the
change until the session expires. (Which is why I want a session
expiration much shorter for Negotiate auth).

However if the user presses the logout button in the UI his session will
be destroyed and so the next attempt will cause a new negotiation to
happen and the UI will change to use the new principal.

> What if he then changes back to the previous principal, will he reuse 
> the old session? If so will he be required to authenticate again?

What old session do you refer to ?
The previous session of the same user has been destroyed, the other user
session is still valid until it expires or the user presses log out, so
nothing changes there.

> I think if the principal change is always preceded by reauthentication, 
> the UI will only need to redo the whoami after successful login. 
> Otherwise, the UI will need to check the principal change after each 
> operation like in the current code.

The UI will know when the principal changes because it will get an error
and it will be told to go to the re-authentication URL. When you
re-authenticate you should always check if the principal changed.

> Would it be possible for someone from another machine to randomly guess 
> a session ID and then take over an existing authenticated session?

The session ID is currently a 48bit random number (we ask John to make
it a 128bit number). *Guessing* that number is going to be *very* though
(read technically impossible if the randomness is properly handled at
the creation of the session ID in the server.
However if somehow the sessionid is exposed than an attacker can hijack
the connection. The risk is extremely low, but it is another reason why
having a short expiration for Negotiate auth would be better, than
treating it the same as form based auth.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 948 handle ipa_kpasswd on upgrades

2012-02-15 Thread Rob Crittenden 

Rob Crittenden wrote:

Martin Kosek wrote:

On Mon, 2012-02-13 at 11:46 -0500, Rob Crittenden wrote:

When upgrading from 2.1 to 2.2 we need to kill any ipa_kpasswd processes
and uninstall it.

We also need to update the dbmodules section in /etc/krb5.conf to
reflect the new kdb.

rob


The patch works fine, I just have few comments.

This line seems a bit confusing (at least for me):
+ if not enabled is None and not enabled:
+ ipa_kpasswd.remove()

I would prefer
+ if enabled is not None and not enabled:
+ ipa_kpasswd.remove()

I know, its just a nitpick.


I saw that too and was tempted to change it but this is the way it is
done currently in services, didn't want to mess with success :-)

I'm not opposed.



I checked update_dbmodules() function. It works but as we discussed,
there is a lot of hard-coding and a success of this function depends on
proper indentation etc. I would accept this fix as a short-term
solution, in the future we may want to use some better means to update
our configs like augeas that was already discussed before.


Yes, ideally we'll switch to using the ipaChangeConf module but it
doesn't support searching within subsections yet.


Updated patch moving position of not.

rob


freeipa-rcrit-948-2-kpasswd.patch
Description: application/mbox
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 948 handle ipa_kpasswd on upgrades

2012-02-15 Thread Rob Crittenden 

Martin Kosek wrote:

On Mon, 2012-02-13 at 11:46 -0500, Rob Crittenden wrote:

When upgrading from 2.1 to 2.2 we need to kill any ipa_kpasswd processes
and uninstall it.

We also need to update the dbmodules section in /etc/krb5.conf to
reflect the new kdb.

rob


The patch works fine, I just have few comments.

This line seems a bit confusing (at least for me):
+if not enabled is None and not enabled:
+ipa_kpasswd.remove()

I would prefer
+if enabled is not None and not enabled:
+ipa_kpasswd.remove()

I know, its just a nitpick.


I saw that too and was tempted to change it but this is the way it is 
done currently in services, didn't want to mess with success :-)


I'm not opposed.



I checked update_dbmodules() function. It works but as we discussed,
there is a lot of hard-coding and a success of this function depends on
proper indentation etc. I would accept this fix as a short-term
solution, in the future we may want to use some better means to update
our configs like augeas that was already discussed before.


Yes, ideally we'll switch to using the ipaChangeConf module but it 
doesn't support searching within subsections yet.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 948 handle ipa_kpasswd on upgrades

2012-02-15 Thread Martin Kosek 
On Mon, 2012-02-13 at 11:46 -0500, Rob Crittenden wrote:
> When upgrading from 2.1 to 2.2 we need to kill any ipa_kpasswd processes 
> and uninstall it.
> 
> We also need to update the dbmodules section in /etc/krb5.conf to 
> reflect the new kdb.
> 
> rob

The patch works fine, I just have few comments.

This line seems a bit confusing (at least for me):
+if not enabled is None and not enabled:
+ipa_kpasswd.remove()

I would prefer
+if enabled is not None and not enabled:
+ipa_kpasswd.remove()

I know, its just a nitpick.

I checked update_dbmodules() function. It works but as we discussed,
there is a lot of hard-coding and a success of this function depends on
proper indentation etc. I would accept this fix as a short-term
solution, in the future we may want to use some better means to update
our configs like augeas that was already discussed before.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0010 Use stricter semantics when checking IP address for DNS records

2012-02-15 Thread Martin Kosek 
On Wed, 2012-02-15 at 11:20 +0100, Petr Viktorin wrote:
> This fixes https://fedorahosted.org/freeipa/ticket/2379 by using 
> inet_pton instead of inet_aton.
> 

Yeah, this would fix the stricter checking. I planed to improve A/
validation in a scope of this ticket, I plan to use CheckedIPAddress to
be more consistent with the rest of the plugin. I made the change you
just did in CheckedIPAddress already.

My point is that we may want to be even stricter and forbid for example
broadcast or multicast addresses to be placed to A/ records.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 946 Upgrade schema from 2.1 to 2.2

2012-02-15 Thread Martin Kosek 
On Mon, 2012-02-13 at 11:42 -0500, Rob Crittenden wrote:
> Add missing schema when upgrading from 2.1 to 2.2 This schema relates to 
> delegation for S4U2Proxy.
> 
> rob

Although I wasn't able to make s4u2proxy update work on my updated
FreeIPA instance yet this patch is OK. Schema is updated correctly.

ACK. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 940 apply some validation to some classes only

2012-02-15 Thread Jan Cholasta 

On 14.2.2012 22:16, Rob Crittenden wrote:

Jan Cholasta wrote:

On 14.2.2012 16:44, Jan Cholasta wrote:

On 7.2.2012 20:25, Rob Crittenden wrote:

Rob Crittenden wrote:

Jan Cholasta wrote:

Dne 7.2.2012 09:27, Martin Kosek napsal(a):

On Mon, 2012-02-06 at 11:52 -0500, Rob Crittenden wrote:

Martin Kosek wrote:

On Fri, 2012-02-03 at 16:58 -0500, Rob Crittenden wrote:

There is some validation that we only need to apply when an
entry is
being created, namely the key itself. This is to allow us to
manage an
otherwise illegal entry that finds its way into the system (i.e.
migration).

Consider this. We migrate a group with a space in it. This isn't
allowed
in IPA but we also provide no way to delete it because the cn
regex
kicks out the group-del command.

The trick is adding appropriate context so we can know during
validation
how we got here. A command object has a bases field which
contains
the
base classes associated with it, which appears to contain only
the
leaf
baseclass. So using this we can tell how we got to validation and
can
skip based on that baseclass name.

I went back and forth a bit on where the right place to put this
was,
I'm open to more fine tuning. I initially skipped just the
pattern
validation then expanded it to apply to all validation in the
Parameter.

rob


1) This patch breaks API.txt, it needs re-generating.

2) This may be a matter of opinion but I think that
+ if self.onlyvalidateclasses and \
+ not any(x in self.onlyvalidateclasses for x in classbases):
+ return

would be more readable than:

+ if self.onlyvalidateclasses and \
+ not [x for x in classbases if x in self.onlyvalidateclasses]:
+ return

3) I would move the entire self.onlyvalidateclasses up to the
validate()
method. It would have several benefits:
- the validation skip would be done just once, not for every
value as
the decision does not use the value at all
- we would not have to modify _validate_scalar() methods at all
since
they won't need classbases

4) I think it would be better to keep validation for --rename
options.
As it is generated from RDN attribute parameter, it inherits
onlyvalidateclasses list as well.

Otherwise your patch would let user to rename a valid object to an
invalid one:

# ipa user-mod fbar --rename="bad boy"

Modified user "fbar"

User login: bad boy
First name: Foo
Last name: Bar
Home directory: /home/fbar
Login shell: /bin/sh
UID: 480800040
GID: 480800040
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False

Martin



This should address your concerns.

rob



Its almost OK, there is just one part that's not that OK:

@@ -831,6 +836,9 @@ class Param(ReadOnly):
else:
raise RequirementError(name=self.name)
return
+ if 'rename' not in (self.name, self.cli_name):
+ if self.onlyvalidateclasses and not [x for x in
self.onlyvalidateclasses if x in classbases]: #pylint: disable=E1101
+ return
if self.multivalue:
if type(value) is not tuple:
raise TypeError(

I don't think that hard-coding this skip for onlyvalidateclasses
based
just on parameter name is a good thing to do and may cause
problems in
the future. For example if we create some option called "rename" and
deliberately set onlyvalidateclasses for the option - it would
then be
skipped as well.

I think it would be a better solution to just update
_get_rename_option() in baseldap.py to set onlyvalidateclasses to ()

Martin



I must say I'm not a big fan of this approach. You are healing the
symptoms (custom validation on some parameters makes it impossible to
manipulate existing LDAP entries with invalid attribute values =>
add a
way to mark parameters to be validated only in certain commands to
prevent that), but the real issue here is that we should not perform
custom validation when referring to existing LDAP attribute values at
all (or only partially), no matter what parameter and command. Fixing
this would make the problem go away for all commands, present or
future,
without the need for adding a list of command classes to each
parameter
that is affected.

Honza



It is all about context, and parameters have very little of it. The
bottom line is we only want to do validation on new values.

I think I can bump this up a level by adding a validate boolean to
Param
and Command both defaulting to False. crud.Create will override
this to
True and cloning rename could perhaps also set this flag.

Then in validation if the parent object has validation set or the
parameter does we validate, otherwise we skip it.

This will require some other changes for Enums, they may always
require
validation (I'll need to be sure --delattr can remove a bad one).

rob


Updated patch. The primary key will be validated only on adds. The
values will be validated on adds and mods.


It turns out there already is infrastructure which does exactly the same
thing: the "query" kwarg of the Parameter class. We should fix its
behavior rather than reinvent the wheel.


This

Re: [Freeipa-devel] [PATCH] 944 upgrade files for selinuxusermap

2012-02-15 Thread Martin Kosek 
On Tue, 2012-02-14 at 17:45 -0500, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> The update files were missing for SELinuxUserMap support, this adds them.
> >
> > Rebased patch
> >
> > rob
> 
> Sorry, sent the wrong patch. Here is the right one.
> 
> rob

I guess you forgot something :-) Anyway, I rebased the original patch
944 and its OK. SELinux update works fine.

ACK. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 941 fix replica s4u2proxy delegation

2012-02-15 Thread Martin Kosek 
On Mon, 2012-02-06 at 15:12 -0500, Rob Crittenden wrote:
> Replicas weren't being added to the S4U2Proxy configuration so weren't 
> allowed to delegate tickets. This fixes things.
> 
> rob

This would work fine for new replicas which adds replica-s4u2proxy.ldif
but what about upgrading the current ones?

I am not sure that 30-s4u2proxy.update would add their principals to
s4u2proxy configuration.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 947 fix synxtax in 30-s4u2proxy.update

2012-02-15 Thread Martin Kosek 
On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> >> Remove quotes around a value in 30-s4u2proxy.update. The update was
> >> failing to apply.
> >>
> >> I also noticed that FQDN wasn't being set properly in all cases in
> >> sub_dict. This should fix it.
> >>
> >> rob
> >
> > This patch did not apply for me. I guess it depends on some other patch
> > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> >
> > -default: ipaAllowedTarget: 
> > 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > +default: ipaAllowedTarget: 
> > cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> >
> > Current update file says:
> >
> > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> >
> > which is a non-existent DN.
> >
> > Martin
> >
> 
> It relies on patch 941

Yeah, that's the one.

I am now testing all the upgrade patches, but I s4u2proxy does not work
for me yet on upgraded server instance (tested on F16). krb5kdc keeps
reporting decrypt errors:

/var/log/krb5kdc.log:
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
 for , Decrypt integrity check failed
Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
 for , Decrypt integrity check failed

New installs on the same machine work though. I am still trying to find
out the root cause of this.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0010 Use stricter semantics when checking IP address for DNS records

2012-02-15 Thread Petr Viktorin 
This fixes https://fedorahosted.org/freeipa/ticket/2379 by using 
inet_pton instead of inet_aton.



--
PetrĀ³
>From 5f81db8537b7af6e23acc1ad07d3a8a5118d41b7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Wed, 15 Feb 2012 05:11:24 -0500
Subject: [PATCH] Use stricter semantics when checking IP address for DNS records

https://fedorahosted.org/freeipa/ticket/2379
---
 ipalib/plugins/dns.py |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index fe32efccdf9b0e0d7d8d58dd9896205ef369ec5a..1582f7b122b0f35e1fd156883e28cea1e5402f42 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -196,7 +196,7 @@ def _reverse_zone_name(netstr):
 
 def _validate_ipaddr(ugettext, ipaddr, ip_version=None):
 try:
-ip = netaddr.IPAddress(ipaddr)
+ip = netaddr.IPAddress(ipaddr, flags=netaddr.INET_PTON)
 
 if ip_version is not None:
 if ip.version != ip_version:
-- 
1.7.7.6

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 61] Cache authentication in session

2012-02-15 Thread Dmitri Pal 
On 02/14/2012 01:01 PM, Endi Sukma Dewata wrote:
>
> If someone already has a session then changes to another principal,
> will he get a new session and then reauthenticate against the login
> URL? Or will he use the same session but just reauthenticate?
>

AFAIU the session ID will be (should be) lost when you switch the
principal and new ID returned to the browser.
The old session is still valid for 20 min if you did not log out but it
should not be accessible.
It seems that everything depends on what is the key for the internal
cache. I would think that the key should be principal+session ID and
session ID is long and strong. We said in one of the earlier discussions
that it should be at least 128 bits of entropy. Was that done? If not
please log a ticket.

So am I right that the key is principal+session ID? If it is just
principal then yes the session can be resurrected but I do not think we
want this. If the key is just the ID there is a potential of the
privilege escalation if one principal tries to guess the ID for another
active session. Very unlikely but it seems that it is safer to have it
as a composit key. May be we should file an RFE on this. 


> What if he then changes back to the previous principal, will he reuse
> the old session? If so will he be required to authenticate again?
>

Old session should not be accessible.

> I think if the principal change is always preceded by
> reauthentication, the UI will only need to redo the whoami after
> successful login. Otherwise, the UI will need to check the principal
> change after each operation like in the current code.
>
> Would it be possible for someone from another machine to randomly
> guess a session ID and then take over an existing authenticated session?
>
Then we need to make ID even longer.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 076 UI support for ssh keys

2012-02-15 Thread Petr Vobornik 

On 02/11/2012 12:36 AM, Endi Sukma Dewata wrote:

On 2/6/2012 8:15 AM, Petr Vobornik wrote:

ipasshpubkey attribute was added to user and host details pages.

New widget for ssh public keys was created.

Static preview:
http://pvoborni.fedorapeople.org/ssh/#identity=user&navigation=identity&user-facet=default&user-pkey=aortiz


https://fedorahosted.org/freeipa/ticket/2340


Everything works, so it's ACKed. I have some comments:


Pushed to master, ipa-2-2.



1. When you click Add to add a new SSH public key the UI creates a new
space for the key. The space is still empty, but it shows an undo
button, implying there's a change that can be saved. However, clicking
Update will generate an error "no modifications to be performed". Some
possible solutions:

(a) Show the "Set SSH key" dialog when you click Add. Once you entered
the key, it creates the new space that already contains the new key.

(b) When you click Update, remove all empty new space and do not
generate the modify operation unless there are other changes.


This should be addressed in save and test_dirty_method (omit empty keys 
in save). 1a is a nice idea but user can still set an empty key - it 
doesn't solve the problem.


2. If we decided to do #1a, the dialog title would be "Add SSH Public
Key" and the button would be Add. For edit the title would be "Edit SSH
Public Key" and the button would be Update.

3. Instead of showing "New: key set" or "New: key not set" we probably
can show the first few characters of the key itself. This way if you're
entering multiple keys you know which ones are already added.


Like it.


4. It's also possible to use a table widget, which will work like
solution #1a except that all changes are saved immediately so we don't
need to show the partial key like in #3.


I don't think table fits in the facet. Table would be better candidate 
for attribute with more than one displayed column.


5. Instead of using a "Show/Set key" link, we probably can link the
fingerprint (for existing keys) or the partial key like in #3 (for new
keys). If we did the table like in #4, it can be an Edit link.


Might work.


6. When modifying a key, changing the fingerprint to "Modified" is
probably not necessary because the undo button will imply that the key
has been modified and we can't see the original fingerprint anymore.


Maybe. I didn't want to show the fingerprint because it is not valid for 
the modified value.


7. When you edit an existing key and set it into empty, it will say
"Modified: key not set". I think we can just strikeout the fingerprint
because it's the same as deleting the key.


Agree.


8. This is a minor server issue, not sure whether it's already fixed in
the latest patch. When adding a new user with a key, the output of the
user-add command contains the key too. In user-show the key is only
shown with the --all option.



1-7 - I'll address them later.


--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 077 Redirection to PTR records from A, AAAA records

2012-02-15 Thread Petr Vobornik 

On 02/14/2012 04:35 PM, Endi Sukma Dewata wrote:

On 2/14/2012 8:01 AM, Petr Vobornik wrote:

1. After redirection the breadcrumb doesn't link to the correct zone.

...  This is an existing issue so let's do this separately.

So the patch is ACKed, feel free to push.


Pushed to master, ipa-2-2.



The other improvements can be done separately if you want.


I'll create separate tickets for them.


--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel