[Freeipa-devel] [PATCH] 172 Bigger textarea for permission type=subtree

2012-07-16 Thread Petr Vobornik

Patch description:
Adder dialog and details facet for permission type=subtree have small 
textarea for defining subtree filter. It was uncomfortable to define the 
filter. This difference was removed.


https://fedorahosted.org/freeipa/ticket/2832

Note regarding related ticket:
Resizable textareas are browser-specific. We can do it in code too but I 
don't think it is worth the effort.


Textarea in IE still seems smaller than in Firefox, but it has the same 
number of rows and cols. I think it has enough space for defining the 
filter so it should be fixing the problem.

--
Petr Vobornik

From 59ba0b5b059eb8ec4ef03c138cd085a939211051 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Mon, 16 Jul 2012 13:40:52 +0200
Subject: [PATCH] Bigger textarea for permission type=subtree

Adder dialog and details facet for permission type=subtree have small textarea for defining subtree filter. It was uncomfortable to define the filter. This difference was removed.

https://fedorahosted.org/freeipa/ticket/2832
---
 install/ui/aci.js |2 --
 1 file changed, 2 deletions(-)

diff --git a/install/ui/aci.js b/install/ui/aci.js
index b2e5e19e54fe083093171d29fe894df321bb4c88..63181efac5f335d28a4c23bfa1ae2da95b9a0e75 100644
--- a/install/ui/aci.js
+++ b/install/ui/aci.js
@@ -688,8 +688,6 @@ IPA.permission_target_widget = function(spec) {
 that.subtree_textarea = IPA.textarea_widget({
 entity: that.entity,
 name: 'subtree',
-cols: 30,
-rows: 1,
 hidden: true
 });
 
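Review bot: with cols and rows dropped, the subtree textarea takes whatever size textarea_widget defaults to, but neither the hunk nor the commit message says what that is; state the resulting rows/cols (or that it now matches the other textareas in the dialog) so a tester can verify the fix, and note that the widget stays hidden: true, so the larger area only appears once type=subtree is selected.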
-- 
1.7.10.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0061 ValidationError takes 'error' named argument, not 'reason'

2012-07-16 Thread Alexander Bokovoy

Hi,

https://fedorahosted.org/freeipa/ticket/2865

--
/ Alexander Bokovoy
From afb200bbd4054b85f72a9cda8105ca07ee4deb2a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 16 Jul 2012 12:43:47 +0300
Subject: [PATCH 3/4] ipalib/plugins/trust.py: ValidationError takes 'error'
 named argument, not 'reason'

https://fedorahosted.org/freeipa/ticket/2865
---
 ipalib/plugins/trust.py |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 
40bd93e654c0365ad202abfd82e84345583459dd..2932835e038d99d9c48f1822e76fbc2e1570f92f
 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -182,13 +182,13 @@ class trust_add(LDAPCreate):
 realm_admin = options['realm_admin']
 
 if 'realm_passwd' not in options:
-raise errors.ValidationError(name=_('AD Trust setup'), 
reason=_('Realm administrator password should be specified'))
+raise errors.ValidationError(name=_('AD Trust setup'), 
error=_('Realm administrator password should be specified'))
 realm_passwd = options['realm_passwd']
 
 result = trustinstance.join_ad_full_credentials(keys[-1], 
realm_server, realm_admin, realm_passwd)
 
 if result is None:
-raise errors.ValidationError(name=_('AD Trust setup'), 
reason=_('Unable to verify write permissions to the AD'))
+raise errors.ValidationError(name=_('AD Trust setup'), 
error=_('Unable to verify write permissions to the AD'))
 
 return dict(result=dict(), 
value=trustinstance.remote_domain.info['dns_domain'])
 
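Review bot: the rename is correct (ValidationError builds its message from name and error, so passing reason= fails at raise time and the operator never saw 'Realm administrator password should be specified'), which also means this path had no test; add one that calls trust_add without realm_passwd and asserts on the ValidationError text so the kwarg cannot regress. Separately, the second raise fires whenever join_ad_full_credentials returns None, which lumps a wrong password, an unreachable DC and insufficient rights under 'Unable to verify write permissions to the AD'; if the join helper can report which of those happened, pass it through, because the operator has to tell a bad password from a missing delegation.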
@@ -198,7 +198,7 @@ class trust_add(LDAPCreate):
 if 'trust_secret' in options:
 result = trustinstance.join_ad_ipa_half(keys[-1], realm_server, 
options['trust_secret'])
 return dict(result=dict(), 
value=trustinstance.remote_domain.info['dns_domain'])
-raise errors.ValidationError(name=_('AD Trust setup'), reason=_('Not 
enough arguments specified to perform trust setup'))
+raise errors.ValidationError(name=_('AD Trust setup'), error=_('Not 
enough arguments specified to perform trust setup'))
 
 class trust_del(LDAPDelete):
 __doc__ = _('Delete a trust.')
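Review bot: 'Not enough arguments specified to perform trust setup' should say which combinations are accepted, since this is the message an operator gets after forgetting one option; the code above takes realm_admin together with realm_passwd, or trust_secret on its own, so something like error=_('Specify either realm_admin and realm_passwd, or trust_secret') would save a trip to the documentation.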
-- 
1.7.10.4


[Freeipa-devel] [PATCH] 0062 support various forms of user account when establishing trusts

2012-07-16 Thread Alexander Bokovoy

Hi,

Realm administrator account may be specified using different forms:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
 is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
 as the domain we are establishing trust to, and then user name
 is taken, together with short domain name taken from a discovered
 record from the AD DC

Note that we do not support using to-be-trusted domain's trusted
domains' accounts to establish trust as there is basically zero chance
to verify that things will work with them. In addition, in order to
establish trust one needs to belong to Enterprise Admins group in AD or
have specially delegated permissions. These permissions are unlikely
to be delegated to the ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864

--
/ Alexander Bokovoy
From 3365e3501a1cdd13d3741fc791c7843839a5a058 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 16 Jul 2012 13:12:42 +0300
Subject: [PATCH 4/4] Handle various forms of admin accounts when establishing
 trusts

Realm administrator account may be specified using different forms:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely to be delegated to
the ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
---
 ipalib/plugins/trust.py |8 
 ipaserver/dcerpc.py |5 +
 2 files changed, 13 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 
2932835e038d99d9c48f1822e76fbc2e1570f92f..792e6cac2a2f9ebb61f84cc74d01be325995863e
 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -180,6 +180,14 @@ class trust_add(LDAPCreate):
 # generate random trustdom password to do work on both sides
 if 'realm_admin' in options:
 realm_admin = options['realm_admin']
+names = realm_admin.split('@')
+if len(names)  1:
+# realm admin name is in UPN format, user@realm, check that
+# realm is the same as the one that we are attempting to trust
+if keys[-1].lower() != names[-1].lower():
+raise errors.ValidationError(name=_('AD Trust setup'),
+ error=_('Trusted domain and administrator 
account use different realms'))
+realm_admin = names[0]
 
 if 'realm_passwd' not in options:
 raise errors.ValidationError(name=_('AD Trust setup'), 
error=_('Realm administrator password should be specified'))
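Review bot: the UPN handling only copes with exactly one '@'. split('@') on 'user@x@AD.EXAMPLE' yields three parts, the realm check passes on names[-1] and names[0] silently drops the middle segment, and 'DOM\user@AD.EXAMPLE' passes the realm check and then hands 'DOM\user' to dcerpc.py, where the DOM part is stripped without comparison. Use rsplit('@', 1) and reject a name containing more than one '@' or both '\' and '@'. Raising ValidationError on the mismatch is the right behaviour: it stops the operator's password from being sent to a DC for an account in a realm they did not intend.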
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 
07e40c2d35b41a2665232f3e6d853b47aef707bb..6b830f65b854b74fcf080b071212e7658f334adf
 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -363,6 +363,11 @@ class TrustDomainJoins(object):
 rd.read_only = True
 if realm_admin and realm_passwd:
 if 'name' in rd.info:
+names = realm_admin.split('\\')
+if len(names)  1:
+# realm admin is in DOMAIN\user format
+# strip DOMAIN part as we'll enforce the one discovered
+realm_admin = names[-1]
 auth_string = u%s\%s%%%s % (rd.info['name'], realm_admin, 
realm_passwd)
 td = get_instance(self)
 td.creds.parse_string(auth_string)
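Review bot: for the DOMAIN\user form the domain the operator typed is discarded and rd.info['name'] substituted with no comparison, so 'OTHERDOM\Administrator' silently becomes '<discovered>\Administrator' and the password is tried against a domain the operator did not name. The UPN form in trust.py raises ValidationError on a realm mismatch; do the same here, e.g. compare names[0].lower() with rd.info['name'].lower() and raise when they differ, so both forms are validated rather than one validated and the other rewritten. The comment 'we'll enforce the one discovered' describes a rewrite, not enforcement.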
-- 
1.7.10.4

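Normalising the three account forms described above (Administrator, DOM\Administrator, Administrator@DOMAIN) as one function, with the checks a reviewer would ask for: mixed forms and repeated separators are rejected, and a NetBIOS domain the operator typed is compared with the discovered one instead of being silently replaced. This is an added illustration, not FreeIPA's trust.py or dcerpc.py code; the function names, the TrustSetupError class standing in for errors.ValidationError, and the sample domain names in the usage section are assumptions made for the example.

```python
"""Added example (not FreeIPA code): normalise the AD administrator account
given to trust-add.

Accepted forms, as in the patch description:
    Administrator              bare user name
    DOM\\Administrator          NetBIOS domain and user
    Administrator@DOMAIN       user principal name

Assumption: TrustSetupError stands in for ipalib's
errors.ValidationError(name='AD Trust setup', error=...).
"""


class TrustSetupError(ValueError):
    """Raised for any account form we refuse to send credentials for."""


def parse_realm_admin(realm_admin, trusted_domain, discovered_flat_name):
    """Return (user, flat_domain) to authenticate with, or raise.

    realm_admin          account as typed by the operator
    trusted_domain       DNS domain we are establishing the trust to
                         (keys[-1] in trust_add)
    discovered_flat_name NetBIOS name learnt from the AD DC
                         (rd.info['name'] in dcerpc.py)
    """
    name = (realm_admin or "").strip()
    if not name:
        raise TrustSetupError("Realm administrator account must not be empty")

    has_at = "@" in name
    has_backslash = "\\" in name
    if has_at and has_backslash:
        # DOM\user@REALM would pass a naive realm check and then hand
        # "DOM\user" on to the DOMAIN\user parser; refuse it outright.
        raise TrustSetupError(
            "Use either DOMAIN\\user or user@DOMAIN, not a mix of both")

    if has_at:
        # UPN form: exactly one '@', and the realm must be the trusted one.
        if name.count("@") != 1:
            raise TrustSetupError("Account contains more than one '@'")
        user, realm = name.rsplit("@", 1)
        if realm.lower() != trusted_domain.lower():
            raise TrustSetupError(
                "Trusted domain and administrator account use different realms")
    elif has_backslash:
        # NetBIOS form: the domain typed must match the discovered one,
        # rather than being silently replaced by it.
        if name.count("\\") != 1:
            raise TrustSetupError("Account contains more than one '\\'")
        domain, user = name.split("\\", 1)
        if domain.lower() != discovered_flat_name.lower():
            raise TrustSetupError(
                "Account domain %r does not match the discovered domain %r"
                % (domain, discovered_flat_name))
    else:
        user = name

    if not user:
        raise TrustSetupError("Administrator account has an empty user name")
    if "%" in user:
        # The DOMAIN\user%password string is split at the first '%', so a
        # '%' in the user name would be read as the start of the password.
        raise TrustSetupError("Administrator user name must not contain '%'")
    return user, discovered_flat_name


def build_auth_string(user, flat_domain, password):
    """DOMAIN\\user%password, the shape the dcerpc.py hunk hands to
    creds.parse_string. The password itself may contain '%'."""
    return "%s\\%s%%%s" % (flat_domain, user, password)


def rejection_reason(realm_admin, trusted_domain, discovered_flat_name):
    """Dry-run helper: the error text, or None if the account is accepted."""
    try:
        parse_realm_admin(realm_admin, trusted_domain, discovered_flat_name)
    except TrustSetupError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed sample inputs; ad.example.test / AD are made up.
    for account in ("Administrator", "AD\\Administrator",
                    "Administrator@ad.example.test",
                    "OTHER\\Administrator", "Administrator@other.example.test",
                    "AD\\Administrator@ad.example.test"):
        reason = rejection_reason(account, "ad.example.test", "AD")
        print("%-40s %s" % (account, reason or "accepted"))
```

The comparisons are case-insensitive on both the DNS realm and the NetBIOS name, matching the .lower() comparison in the trust.py hunk; everything else that the patch leaves to the downstream parser is rejected up front so the password is never sent for an account the operator did not spell out unambiguously.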

[Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates

2012-07-16 Thread Rob Crittenden
Use the new certmonger capability to be able to renew the dogtag 
subsystem certificates (audit, OCSP, etc).


See the ticket for full details.

rob
From a8932452a1a7343ffe0263183ef63e1efe6a7a6b Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 11 Jul 2012 15:51:01 -0400
Subject: [PATCH] Use certmonger to renew CA subsystem certificates

Certificate renewal can be done only on one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the de facto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is conceivable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
---
 freeipa.spec.in|7 +-
 install/Makefile.am|1 +
 install/certmonger/Makefile.am |   14 +++
 .../certmonger/dogtag-ipa-retrieve-agent-submit|   79 +++
 install/conf/Makefile.am   |3 +-
 install/conf/ca_renewal|6 ++
 install/configure.ac   |1 +
 install/restart_scripts/Makefile.am|3 +
 install/restart_scripts/renew_ca_cert  |   78 ++
 install/restart_scripts/renew_ra_cert  |   82 +++
 install/restart_scripts/restart_dirsrv |   24 +
 install/restart_scripts/restart_httpd  |   20 
 install/restart_scripts/restart_pkicad |   44 
 install/share/bootstrap-template.ldif  |6 ++
 install/share/default-aci.ldif |   11 ++
 install/tools/ipa-upgradeconfig|   29 ++
 install/updates/21-ca_renewal_container.update |9 ++
 install/updates/40-delegation.update   |4 +
 install/updates/Makefile.am|1 +
 ipalib/x509.py |8 ++
 ipapython/certmonger.py|   67 +
 ipapython/ipautil.py   |   23 +
 ipapython/platform/base.py |2 +-
 ipapython/platform/fedora16.py |1 +
 ipaserver/install/cainstance.py|  106 +++-
 25 files changed, 624 insertions(+), 5 deletions(-)
 create mode 100644 install/certmonger/Makefile.am
 create mode 100644 install/certmonger/dogtag-ipa-retrieve-agent-submit
 create mode 100644 install/conf/ca_renewal
 create mode 100644 install/restart_scripts/renew_ca_cert
 create mode 100644 install/restart_scripts/renew_ra_cert
 create mode 100644 install/restart_scripts/restart_pkicad
 create mode 100644 install/updates/21-ca_renewal_container.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7106310915c8a4e52a009036f7152a38a4c5f18d..be24bfcb609773636d537f94d721d3839baed823 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -247,7 +247,7 @@ Requires:  xmlrpc-c
 %endif
 %endif
 Requires: sssd = 1.8.0
-Requires: certmonger = 0.53
+Requires: certmonger = 0.58
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
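Review bot: the certmonger floor is raised to 0.58 but the commit message only says certmonger 'has been trained to communicate directly with dogtag'; name the certmonger feature this version provides (the dogtag submission helper and the CA type the clones use for polling) in the message or a spec comment, so a packager backporting certmonger can tell what actually has to be present and so ipa-upgradeconfig can fail with a clear error instead of configuring tracking the installed certmonger cannot serve.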
@@ -569,6 +569,7 @@ fi
 %{_sbindir}/ipactl
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-compliance
+%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
 %{_sysconfdir}/cron.d/ipa-compliance
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
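Review bot: dogtag-ipa-retrieve-agent-submit is an executable that certmonger, running as root, invokes to fetch a renewed certificate from the ca_renewal container, yet it is listed here without an explicit %attr, unlike the ipa_memcached entries right below it; give it an explicit mode and owner (executable, root-owned, not group- or world-writable) so the permissions do not depend on the build environment's umask, because a writable certmonger helper is a root code-execution path.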
@@ -631,6 +632,7 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %ghost %attr(0644,root,apache) 

[Freeipa-devel] [PATCH] 1034 more robust cli sessions

2012-07-16 Thread Rob Crittenden

Make command-line sessions a bit more robust.

This patch does two things. Firstly, it wraps all keyring activity in a 
try/except so if a keyring operation fails it isn't fatal. The user just 
won't benefit from sessions.


The second part adds per-principal sessions. The principal is included 
in the session key so we can pull the right one depending on the 
principal initiating the request.


rob
From 33dcbe98f09fd37d3a4382c11a97c74fea6c1e53 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 16 Jul 2012 10:40:12 -0400
Subject: [PATCH] Support per-principal sessions and handle session update
 failures

User had a system that refused to store keys into the kernel keyring.
Any operation at all on the keyring would return Key has been revoked.

Wrap the operations in a try/except so we can ignore keyring failures.
Log at the debug level.

This also adds per-principal sessions. The principal name is stored
in the session key so switching principals in the ccache doesn't
require clearing the keyring.

https://fedorahosted.org/freeipa/ticket/2880
---
 ipalib/rpc.py |   34 +++---
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 6518cb27deb621d8daf31862b7e5fae33bb4..c2356232ab86a8f47d96bbc48fcae3f33b2253c9 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -46,6 +46,7 @@ from ipalib.backend import Connectible
 from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError, KerberosError, XMLRPCMarshallError
 from ipalib import errors
 from ipalib.request import context, Connection
+from ipalib.util import get_current_principal
 from ipapython import ipautil
 from ipapython import kernel_keyring
 
@@ -57,6 +58,8 @@ from urllib2 import urlparse
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
 
+COOKIE_NAME = 'ipa_session_cookie:%s'
+
 def xml_wrap(value):
 
 Wrap all ``str`` in ``xmlrpclib.Binary``.
@@ -258,12 +261,6 @@ class SSLTransport(LanguageAwareTransport):
 conn.connect()
 return conn
 
-def parse_response(self, response):
-session_cookie = response.getheader('Set-Cookie')
-if session_cookie:
-kernel_keyring.update_key('ipa_session_cookie', session_cookie)
-return LanguageAwareTransport.parse_response(self, response)
-
 
 class KerbTransport(SSLTransport):
 
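Review bot: parse_response moves from SSLTransport to KerbTransport, so a plain SSLTransport no longer stores Set-Cookie at all; if that is deliberate (a session only makes sense once a Kerberos-authenticated request has established one) say so in the commit message, which presents the change as adding robustness rather than narrowing which transports persist cookies.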
@@ -327,6 +324,18 @@ class KerbTransport(SSLTransport):
 
 return (host, extra_headers, x509)
 
+def parse_response(self, response):
+session_cookie = response.getheader('Set-Cookie')
+if session_cookie:
+principal = getattr(context, 'principal', None)
+try:
+kernel_keyring.update_key(COOKIE_NAME % principal, session_cookie)
+except ValueError, e:
+# Not fatal, we just can't use the session cookie we were
+# sent.
+self.debug('Unable to update session cookie: %s' % str(e))
+return SSLTransport.parse_response(self, response)
+
 
 class DelegatedKerbTransport(KerbTransport):
 
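Review bot: self.debug is called inside the except clause but KerbTransport does not provide it (the resend of this patch drops the call), so when update_key raises, the handler itself raises AttributeError and the keyring failure the commit message calls non-fatal becomes fatal; log through a module-level logger instead. Separately, getattr(context, 'principal', None) falls back to None, which stores the cookie under 'ipa_session_cookie:None' and lets any later caller that could not determine its principal pick up a session belonging to a different one; skip the store when principal is None.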
@@ -400,10 +409,12 @@ class xmlclient(Connectible):
 session = False
 session_data = None
 xmlrpc_uri = self.env.xmlrpc_uri
+principal = get_current_principal()
+setattr(context, 'principal', principal)
 # We have a session cookie, try using the session URI to see if it
 # is still valid
 if not delegate:
-session_data = kernel_keyring.read_key('ipa_session_cookie')
+session_data = kernel_keyring.read_key(COOKIE_NAME % principal)
 setattr(context, 'session_data', session_data)
 (scheme, netloc, path, params, query, fragment) = urlparse.urlparse(self.env.xmlrpc_uri)
 xmlrpc_uri = urlparse.urlunparse((scheme, netloc, '/ipa/session/xml', params, query, fragment))
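Review bot: the commit message says all keyring operations are wrapped, but kernel_keyring.read_key(COOKIE_NAME % principal) in this hunk is not; on the reporter's system, where every keyring call fails with 'Key has been revoked', this is the call that raises, and it escapes create_connection before the try/except around del_key further down is ever reached. Wrap it, fall back to session_data = None, and log at debug level as the message describes.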
@@ -453,9 +464,9 @@ class xmlclient(Connectible):
 except ProtocolError, e:
 if session_data and e.errcode == 401:
 # Unauthorized. Remove the session and try again.
+delattr(context, 'session_data')
 try:
-kernel_keyring.del_key('ipa_session_cookie')
-delattr(context, 'session_data')
+kernel_keyring.del_key(COOKIE_NAME % principal)
 except ValueError:
 # This shouldn't happen if we have a session but
 # it isn't fatal.
@@ -519,9 +530,10 @@ class xmlclient(Connectible):
 session_data = getattr(context, 'session_data', None)
 if session_data and e.errcode == 401:
 # Unauthorized. Remove the session and try again.
+

Re: [Freeipa-devel] [PATCH] 1034 more robust cli sessions

2012-07-16 Thread Rob Crittenden

Rob Crittenden wrote:

Make command-line sessions a bit more robust.

This patch does two things. Firstly, it wraps all keyring activity in a
try/except so if a keyring operation fails it isn't fatal. The user just
won't benefit from sessions.

The second part adds per-principal sessions. The principal is included
in the session key so we can pull the right one depending on the
principal initiating the request.


Left a debug statement in, this one should build and work.

rob
From eeb47efeb7b0dfa8c03ad1d29f327a1322ca2ebb Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 16 Jul 2012 10:40:12 -0400
Subject: [PATCH] Support per-principal sessions and handle session update
 failures

User had a system that refused to store keys into the kernel keyring.
Any operation at all on the keyring would return Key has been revoked.

Wrap the operations in a try/except so we can ignore keyring failures.
Log at the debug level.

This also adds per-principal sessions. The principal name is stored
in the session key so switching principals in the ccache doesn't
require clearing the keyring.

https://fedorahosted.org/freeipa/ticket/2880
---
 ipalib/rpc.py |   34 +++---
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 6518cb27deb621d8daf31862b7e5fae33bb4..8a6a5108800517338c33962a4c44ea817675b0df 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -46,6 +46,7 @@ from ipalib.backend import Connectible
 from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError, KerberosError, XMLRPCMarshallError
 from ipalib import errors
 from ipalib.request import context, Connection
+from ipalib.util import get_current_principal
 from ipapython import ipautil
 from ipapython import kernel_keyring
 
@@ -57,6 +58,8 @@ from urllib2 import urlparse
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
 
+COOKIE_NAME = 'ipa_session_cookie:%s'
+
 def xml_wrap(value):
 
 Wrap all ``str`` in ``xmlrpclib.Binary``.
@@ -258,12 +261,6 @@ class SSLTransport(LanguageAwareTransport):
 conn.connect()
 return conn
 
-def parse_response(self, response):
-session_cookie = response.getheader('Set-Cookie')
-if session_cookie:
-kernel_keyring.update_key('ipa_session_cookie', session_cookie)
-return LanguageAwareTransport.parse_response(self, response)
-
 
 class KerbTransport(SSLTransport):
 
@@ -327,6 +324,18 @@ class KerbTransport(SSLTransport):
 
 return (host, extra_headers, x509)
 
+def parse_response(self, response):
+session_cookie = response.getheader('Set-Cookie')
+if session_cookie:
+principal = getattr(context, 'principal', None)
+try:
+kernel_keyring.update_key(COOKIE_NAME % principal, session_cookie)
+except ValueError, e:
+# Not fatal, we just can't use the session cookie we were
+# sent.
+pass
+return SSLTransport.parse_response(self, response)
+
 
 class DelegatedKerbTransport(KerbTransport):
 
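Review bot: swallowing the ValueError with pass leaves no trace at all; the user this patch is for has a keyring that rejects every operation, and with this they will see sessions silently never working and nothing in the debug log to say why. Keep a debug line via a module-level logger (the transport object has no self.debug, which is presumably what broke the earlier version). Also guard principal: getattr(context, 'principal', None) would key the cookie as 'ipa_session_cookie:None'.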
@@ -400,10 +409,12 @@ class xmlclient(Connectible):
 session = False
 session_data = None
 xmlrpc_uri = self.env.xmlrpc_uri
+principal = get_current_principal()
+setattr(context, 'principal', principal)
 # We have a session cookie, try using the session URI to see if it
 # is still valid
 if not delegate:
-session_data = kernel_keyring.read_key('ipa_session_cookie')
+session_data = kernel_keyring.read_key(COOKIE_NAME % principal)
 setattr(context, 'session_data', session_data)
 (scheme, netloc, path, params, query, fragment) = urlparse.urlparse(self.env.xmlrpc_uri)
 xmlrpc_uri = urlparse.urlunparse((scheme, netloc, '/ipa/session/xml', params, query, fragment))
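Review bot: read_key(COOKIE_NAME % principal) is the first keyring call on a new connection and it is still unwrapped in this resend; with a keyring that fails every operation this is the line that raises, so the try/except around del_key below never helps. Catch ValueError here too and continue with session_data = None.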
@@ -453,9 +464,9 @@ class xmlclient(Connectible):
 except ProtocolError, e:
 if session_data and e.errcode == 401:
 # Unauthorized. Remove the session and try again.
+delattr(context, 'session_data')
 try:
-kernel_keyring.del_key('ipa_session_cookie')
-delattr(context, 'session_data')
+kernel_keyring.del_key(COOKIE_NAME % principal)
 except ValueError:
 # This shouldn't happen if we have a session but
 # it isn't fatal.
@@ -519,9 +530,10 @@ class xmlclient(Connectible):
 session_data = getattr(context, 'session_data', None)
 if session_data and e.errcode == 401:
 # Unauthorized. Remove the 

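The per-principal session handling the two patches above describe, written out as an added example that is not FreeIPA's rpc.py: one keyring entry per Kerberos principal (so a session cookie, which is a bearer token, is never replayed under a different principal after the ccache is switched), keyring failures treated as "no session" instead of as fatal errors, and a 401 from the session URI dropping the stored cookie and retrying over the Kerberos-authenticated URI. The two keyring classes are constructed stand-ins for ipapython.kernel_keyring so the code runs without a kernel keyring; the URIs, principals and the `send` callback in the usage section are assumptions for the example.

```python
"""Added example (not FreeIPA code): per-principal session cookies on top
of a keyring that may refuse every operation. DictKeyring/RevokedKeyring
are constructed stand-ins for ipapython.kernel_keyring."""
import logging
from urllib.parse import urlparse, urlunparse

log = logging.getLogger("ipa_session_example")

COOKIE_NAME = "ipa_session_cookie:%s"  # same naming scheme as the patch
SESSION_PATH = "/ipa/session/xml"


class DictKeyring:
    """In-memory keyring: ValueError on a missing key, like the real one."""
    def __init__(self):
        self._keys = {}

    def read_key(self, name):
        if name not in self._keys:
            raise ValueError("key %r not found" % name)
        return self._keys[name]

    def update_key(self, name, value):
        self._keys[name] = value

    def del_key(self, name):
        if name not in self._keys:
            raise ValueError("key %r not found" % name)
        del self._keys[name]


class RevokedKeyring(DictKeyring):
    """The reporter's system: every keyring operation fails."""
    def read_key(self, name):
        raise ValueError("Key has been revoked")

    def update_key(self, name, value):
        raise ValueError("Key has been revoked")

    def del_key(self, name):
        raise ValueError("Key has been revoked")


class SessionStore:
    """Load/store/invalidate the session cookie of one principal."""
    def __init__(self, keyring):
        self.keyring = keyring

    @staticmethod
    def key_name(principal):
        # Never key a cookie on an unknown principal: "ipa_session_cookie:None"
        # would be shared by every caller that failed to determine one.
        return COOKIE_NAME % principal if principal else None

    def load(self, principal):
        name = self.key_name(principal)
        if name is None:
            return None
        try:
            return self.keyring.read_key(name)
        except ValueError as e:          # not fatal: just no session reuse
            log.debug("no usable session for %s: %s", principal, e)
            return None

    def store(self, principal, cookie):
        name = self.key_name(principal)
        if name is None or not cookie:
            return False
        try:
            self.keyring.update_key(name, cookie)
            return True
        except ValueError as e:          # not fatal: keep using Kerberos
            log.debug("unable to store session for %s: %s", principal, e)
            return False

    def invalidate(self, principal):
        name = self.key_name(principal)
        if name is None:
            return
        try:
            self.keyring.del_key(name)
        except ValueError as e:
            log.debug("unable to drop session for %s: %s", principal, e)


def request_uri(xmlrpc_uri, cookie):
    """Session URI when we hold a cookie, else the configured xmlrpc URI;
    scheme and host are kept, only the path is swapped, as in the patch."""
    if not cookie:
        return xmlrpc_uri
    return urlunparse(urlparse(xmlrpc_uri)._replace(path=SESSION_PATH))


def call_with_session(store, principal, xmlrpc_uri, send):
    """send(uri, cookie) -> (status, set_cookie). A 401 against the session
    URI means the stored cookie is stale: drop it and retry once over the
    Kerberos URI. Any Set-Cookie returned is stored for this principal only."""
    cookie = store.load(principal)
    status, set_cookie = send(request_uri(xmlrpc_uri, cookie), cookie)
    if status == 401 and cookie:
        store.invalidate(principal)
        status, set_cookie = send(xmlrpc_uri, None)
    if set_cookie:
        store.store(principal, set_cookie)
    return status
```

With RevokedKeyring every call simply goes over the Kerberos URI and logs at debug level; with DictKeyring a second principal on the same host never sees the first principal's cookie because the key names differ, which is the property the "per-principal sessions" part of the patch is after.
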
Re: [Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates

2012-07-16 Thread Nalin Dahyabhai
On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:
 Use the new certmonger capability to be able to renew the dogtag
 subsystem certificates (audit, OCSP, etc).

Are the copies of the certificates in the pki-ca CS.cfg file being
updated elsewhere?  Or is it not turning out to be a problem if they
aren't?

Nalin



Re: [Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates

2012-07-16 Thread Rob Crittenden

Nalin Dahyabhai wrote:

On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:

Use the new certmonger capability to be able to renew the dogtag
subsystem certificates (audit, OCSP, etc).


Are the copies of the certificates in the pki-ca CS.cfg file being
updated elsewhere?  Or is it not turning out to be a problem if they
aren't?


I didn't test validating OCSP signatures but the audit subsystem seemed 
fine (it complained wildly when I had the wrong trust in the NSS db).


Andrew, do I need to update CS.cfg as well?

rob



Re: [Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates

2012-07-16 Thread Andrew Wnuk

On 07/16/2012 01:35 PM, Rob Crittenden wrote:

Nalin Dahyabhai wrote:

On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote:

Use the new certmonger capability to be able to renew the dogtag
subsystem certificates (audit, OCSP, etc).


Are the copies of the certificates in the pki-ca CS.cfg file being
updated elsewhere?  Or is it not turning out to be a problem if they
aren't?


I didn't test validating OCSP signatures but the audit subsystem 
seemed fine (it complained wildly when I had the wrong trust in the 
NSS db).


Andrew, do I need to update CS.cfg as well?


Yes, you may need to update CS.cfg too.

Andrew



[Freeipa-devel] [PATCHSET] 496 add some PAC verification

2012-07-16 Thread Simo Sorce
This patchset is about Ticket #2849

The point is to verify that the PAC information we are getting from a
trusted realm is actually consistent with the information we know about
that trust relationship.

The patchset adds a way to load trust information in the kdb driver
(first 2 patches), reorganizes a bit the code around PAC verification
and adds a filtering function to match realm with AD and SID data.

Tested on my trust environment and seems to work fine.


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 30f30901d99fb827016bee6e3f2a7d7dde7a460d Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com
Date: Mon, 9 Jul 2012 09:15:51 -0400
Subject: [PATCH 1/5] Move mspac structure to be a private pointer

By keeping its definition in the mspac file it is easier to modify and make
sure any operation on it is handled in the same file.
---
 daemons/ipa-kdb/ipa_kdb.h   |9 ++-
 daemons/ipa-kdb/ipa_kdb_mspac.c |   49 +--
 2 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index c1cc7a7d8ecdf86b10606233078abbb8685f6750..0a179dbcf0e9c17c0eb468638cd7436dc60d31a5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -74,12 +74,7 @@
 
 #define IPA_SETUP ipa-setup-override-restrictions
 
-struct ipadb_wincompat {
-char *flat_domain_name;
-char *flat_server_name;
-char *fallback_group;
-uint32_t fallback_rid;
-};
+struct ipadb_mspac;
 
 struct ipadb_context {
 char *uri;
@@ -91,7 +86,7 @@ struct ipadb_context {
 bool override_restrictions;
 krb5_key_salt_tuple *supp_encs;
 int n_supp_encs;
-struct ipadb_wincompat wc;
+struct ipadb_mspac *mspac;
 bool disable_last_success;
 bool disable_lockout;
 };
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 1c7487c3c8f75d02466a2e0746fbef5d36e3d995..44cf522a00e4973077d716a9545f69f325e870ba 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -26,6 +26,13 @@
 #include util/time.h
 #include gen_ndr/ndr_krb5pac.h
 
+struct ipadb_mspac {
+char *flat_domain_name;
+char *flat_server_name;
+char *fallback_group;
+uint32_t fallback_rid;
+};
+
 
 int krb5_klog_syslog(int, const char *, ...);
 
@@ -460,8 +467,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
 }
 
 if (info3-base.primary_gid == 0) {
-if (ipactx-wc.fallback_rid) {
-info3-base.primary_gid = ipactx-wc.fallback_rid;
+if (ipactx-mspac-fallback_rid) {
+info3-base.primary_gid = ipactx-mspac-fallback_rid;
 } else {
 /* can't give a pack without a primary group rid */
 return ENOENT;
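Review bot: ipactx->mspac is now a pointer that is only allocated in ipadb_reinit_mspac, yet ipactx->mspac->fallback_rid here (and flat_server_name and flat_domain_name in the next two hunks) is dereferenced with no NULL check; if a PAC is built before the first successful reinit, or after the calloc in reinit failed and left mspac NULL, the KDB driver dereferences NULL and takes the KDC down with it. Return an error (ENOENT or EINVAL) at the top of ipadb_fill_info3 when ipactx->mspac is NULL.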
@@ -474,9 +481,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
 /* always zero out, not used for Krb, only NTLM */
 memset(info3-base.key, '\0', sizeof(info3-base.key));
 
-if (ipactx-wc.flat_server_name) {
+if (ipactx-mspac-flat_server_name) {
 info3-base.logon_server.string =
-talloc_strdup(memctx, ipactx-wc.flat_server_name);
+talloc_strdup(memctx, ipactx-mspac-flat_server_name);
 if (!info3-base.logon_server.string) {
 return ENOMEM;
 }
@@ -485,9 +492,9 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
 return ENOENT;
 }
 
-if (ipactx-wc.flat_domain_name) {
+if (ipactx-mspac-flat_domain_name) {
 info3-base.logon_domain.string =
-talloc_strdup(memctx, ipactx-wc.flat_domain_name);
+talloc_strdup(memctx, ipactx-mspac-flat_domain_name);
 if (!info3-base.logon_domain.string) {
 return ENOMEM;
 }
@@ -1318,11 +1325,17 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
 int ret;
 
 /* clean up in case we had old values around */
-free(ipactx-wc.flat_domain_name);
-ipactx-wc.flat_domain_name = NULL;
-free(ipactx-wc.fallback_group);
-ipactx-wc.fallback_group = NULL;
-ipactx-wc.fallback_rid = 0;
+if (ipactx-mspac) {
+free(ipactx-mspac-flat_domain_name);
+free(ipactx-mspac-fallback_group);
+free(ipactx-mspac);
+}
+
+ipactx-mspac = calloc(1, sizeof(struct ipadb_mspac));
+if (!ipactx-mspac) {
+kerr = ENOMEM;
+goto done;
+}
 
 kerr = ipadb_simple_search(ipactx, ipactx-base, LDAP_SCOPE_SUBTREE,
(objectclass=ipaNTDomainAttrs), dom_attrs,
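Review bot: the cleanup frees flat_domain_name and fallback_group but not flat_server_name, which struct ipadb_mspac also owns, so each reinit leaks it (the old code had the same omission, but now that the whole struct is rebuilt here this is the place to fix it). Also, when calloc fails the old struct has already been freed and ipactx->mspac stays NULL until the next reinit; either keep the old struct until the new one is fully populated and swap at the end, or make every user of ipactx->mspac tolerate NULL.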
@@ -1341,22 +1354,22 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
 
 ret = ipadb_ldap_attr_to_str(ipactx-lcontext, lentry,
  ipaNTFlatName,
- ipactx-wc.flat_domain_name);
+ ipactx-mspac-flat_domain_name);
 if (ret) {
 kerr = ret;
 goto done;
   

Re: [Freeipa-devel] [PATCH] 170 Differentiation of widget type and text_widget input type

2012-07-16 Thread Endi Sukma Dewata

On 7/12/2012 8:10 AM, Petr Vobornik wrote:

There was a clash of 'type' attribute in widget's spec. Usually 'type'
is used for telling a builder which field and widget to build. Text
widget used this attribute also for definition of html input type. It was
problematic for some special widgets, which defined own field and used
text_widget, like service_type or dnszone_name. In those and possibly
other cases it used widget type for specifying input type which led to
execution error in Internet Explorer. Firefox and Chrome took it.

This patch is changing text_widget's 'type' to 'input_type' which
removes the collision and hence fixes the problem.

https://fedorahosted.org/freeipa/ticket/2806
and half of: https://fedorahosted.org/freeipa/ticket/2834


ACK.

--
Endi S. Dewata




Re: [Freeipa-devel] [PATCH] 171 Fixed display of attributes_widget in IE9

2012-07-16 Thread Endi Sukma Dewata

On 7/16/2012 3:56 AM, Petr Vobornik wrote:

Attributes widget is using overflow css rule in tbody element. IE9
doesn't handle it well.

To fix the issue, attributes widget was slightly modified and
conditional css stylesheet was added just for fixing IE problems.

https://fedorahosted.org/freeipa/ticket/2822


ACK.

Separate issue, on IE the main navigation tabs aren't rendered nicely. 
There is a dark line underneath the label (Identity, Policy, IPA Server) 
when the tab is inactive. If you put the mouse over the tab the dark 
line will disappear.


--
Endi S. Dewata




Re: [Freeipa-devel] [PATCH] 172 Bigger textarea for permission type=subtree

2012-07-16 Thread Endi Sukma Dewata

On 7/16/2012 6:53 AM, Petr Vobornik wrote:

Patch description:
Adder dialog and details facet for permission type=subtree have small
textarea for defining subtree filter. It was uncomfortable to define the
filter. This difference was removed.

https://fedorahosted.org/freeipa/ticket/2832

Note regarding related ticket:
Resizable textareas are browser-specific. We can do it in code too but I
don't think it is worth the effort.

Textarea in IE still seems smaller than in Firefox, but it has the same
number of rows and cols. I think it has enough space for defining the
filter so it should be fixing the problem.


ACK.

Possible improvement, instead of using a fixed column size the text area 
also could be made to occupy 100% of available width. Ideally it should 
have the same width as the text field or drop down list in this dialog.


--
Endi S. Dewata




Re: [Freeipa-devel] DHCP support - Request for review

2012-07-16 Thread William Brown
On 07/13/2012 08:39 PM, Petr Vobornik wrote:
 On 06/27/2012 03:32 PM, William Brown wrote:
 Hi,

 I have been working on adding support for FreeIPA to support
 configuration storage for ISC-DHCP 4.X servers. I have added the schema
 which is included at installation, added the template / empty files that
 will be filled in and used for the installation and created the ipalib
 plugin for this. At this stage, this feature is still far from done. I
 would appreciate a review of the work I have done to ensure I am on the
 right track.

 I would like to know if there is a better way to add ACLs than by
 manually updating ldap by hand (IE, using the ACL libraries) (See
 /install/share/dhcpd.ldif).


 
 I just looked on the plugin part from the Web UI (API) perspective. Proper
 plugin review should be done by somebody else.
 
 What seems bad:
 1) all entity params are required. When I'm looking at ldif, only couple
 of attributes are MUST.
 
 Param is made optional by adding '?' after its name. Example from user.py:
 
 Str('displayname?',
 label=_('Display name'),
 default_from=lambda givenname, sn: '%s %s' % (givenname, sn),
 autofill=True,
 ),
 
 However you can probably enforce some params to be required if it's
 required by DHCP server and not to blindly copy the LDAP schema.
 
 2) You don't have to specify 'primary_key=False', it's default.
 
 3) Don't use prefix for cli_name like 'dhcp_server_implementation'
 cli_name is used by IPA Client as an option name. Same for labels. For
 example for adding dhcp server proper command would probably be:
 
 ipa dhcpserver-add $NAME --service-dn=$SERVICE_DN etc
 
 not:
 
 ipa dhcpserver-add $NAME --dhcp-server-service-dn=$SERVICE_DN etc
 
 so the param def should be:
 
 Str('dhcpservicedn?',
 cli_name='service_dn',
 label=_('Service DN'),
 ),
 
 
 5) All params are STR. I think some might be INT or something else.
 
 6) You can fill 'default_attributes' list with more param names. What is
 mentioned in default attributes is displayed by `XXX-show $CN` command.
 What is not has to be displayed by `XXX-show $CN --all` command.
 
 7) In labels you use 'Dhcp'. IMO it should be all uppercase.
 
 Regards

I have never written an IPA plugin before, so most of this was new to
me. You did answer some of my questions about how you do things like
optional attributes etc. I have made most of these changes and will
complete the rest later (time allowing). Thanks for your advice.

-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x3C0AC6DAB2F928A2



Re: [Freeipa-devel] [Freeipa-users] stopping su -

2012-07-16 Thread William Brown

 
  sudo -i su - oracle

No, you would run sudo -i oracle. -i = simulate initial login.

Alternately, you can use sudo -s oracle for run shell as oracle

Or you can run sudo -u oracle command


-- 
Sincerely,

William Brown

pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindexsearch=0x3C0AC6DAB2F928A2
