Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-02 Thread Tomas Babej

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install the policycoreutils package. This would be
the case both with server and client installs when SELinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the aforementioned
crash, and add a comment that this function needs to be implemented
properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with checks
that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas
From 1d8d6b6315d109e936464aac4ee23d35bcd3d84f Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
  - installed and enabled, otherwise the installation aborts
    (on server install)
  - installed and enabled OR not installed, otherwise
    the warning message is displayed (on client install)

The (unsupported) option --allow-selinux-disabled has been added. It can be
used to bypass the checks. The man pages have been altered accordingly.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359
---
 install/tools/ipa-server-install  | 11 +++
 install/tools/man/ipa-server-install.1|  3 ++
 ipa-client/ipa-install/ipa-client-install | 17 ++
 ipa-client/man/ipa-client-install.1   |  3 ++
 ipapython/platform/fedora16/__init__.py   |  3 +-
 ipapython/platform/fedora16/selinux.py|  3 ++
 ipapython/platform/fedora18/__init__.py   |  3 +-
 ipapython/platform/redhat/__init__.py | 53 +--
 ipapython/services.py.in  |  7 
 9 files changed, 78 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a289941e43acb52fc30bbf3750652f0868e92651..483665b1b3e50996f5a6db30819f57dff53db8e2 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -159,6 +159,8 @@ def parse_options():
   help=do not configure OpenSSH client)
 basic_group.add_option(--no-sshd, dest=conf_sshd, default=True, action=store_false,
   help=do not configure OpenSSH server)
+basic_group.add_option(--allow-selinux-disabled, dest=selinux_disabled, action=store_true,
+  default=False, help=allow installation with SELinux disabled (not supported))
 basic_group.add_option(-d, --debug, dest=debug, action=store_true,
   default=False, help=print debugging information)
 basic_group.add_option(-U, --unattended, 
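Review bot: `dest=selinux_disabled` on the new `--allow-selinux-disabled` option reads as a statement about the system's state rather than a permission the operator grants, so the later check in the install code will read as "if SELinux is disabled" when it really means "if the operator allowed it"; `dest=allow_selinux_disabled` keeps the variable aligned with the flag. The help text could also say what the flag suppresses, since the commit message says a server install otherwise aborts, e.g. `help="proceed with installation even if SELinux is disabled (not supported)"`.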
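The behaviour agreed on in this thread (server install aborts when SELinux is disabled, client install only warns, the unsupported flag bypasses both, and a platform file that does not implement is_selinux_enabled() fails loudly instead of defaulting to True, which is "option 2" above) can be sketched as follows. This is an added example written for this page, not FreeIPA's code: the function names, the platform registry and the selinuxfs/config-file probe are all illustrative assumptions, and the probe is injected so the policy logic can be exercised without SELinux present.

```python
"""Platform-abstracted SELinux status check for an installer (added example).

Not FreeIPA code. Names (check_selinux_status, probe_for_platform, ...) are
hypothetical; the policy mirrors the thread: abort on server installs, warn
on client installs, honour an explicit unsupported override, and never
assume "enabled" on a platform that has no probe implemented.
"""
import os


class SELinuxStatusError(Exception):
    """Raised when the install must abort because of the SELinux status."""


def is_selinux_enabled_linux():
    """Assumed probe for a Linux platform file.

    Returns True if selinuxfs is mounted (SELinux is enabled in the running
    kernel), False if SELinux is installed but not enabled, None if there is
    no trace of SELinux at all (the "not installed" case for clients).
    """
    if os.path.exists("/sys/fs/selinux/enforce"):
        return True
    if os.path.exists("/etc/selinux/config"):
        return False
    return None


# Hypothetical platform registry; only platforms that implement the probe
# appear here. A missing platform raises instead of defaulting to True.
PLATFORM_PROBES = {
    "redhat": is_selinux_enabled_linux,
}


def probe_for_platform(name):
    """Return the probe for a platform or raise NotImplementedError."""
    try:
        return PLATFORM_PROBES[name]
    except KeyError:
        raise NotImplementedError(
            "is_selinux_enabled() is not implemented for platform %r" % name)


def check_selinux_status(is_enabled, server_install, allow_disabled=False,
                         warn=print):
    """Apply the install policy.

    is_enabled: probe returning True / False / None as described above.
    Returns None when nothing needs saying, the warning text when the
    install proceeds with a warning, and raises SELinuxStatusError when a
    server install has to abort. A NotImplementedError from a platform file
    that lacks the probe is deliberately not caught.
    """
    status = is_enabled()
    if status is True:
        return None
    if status is None and not server_install:
        # The client package has no SELinux dependency: not installed is fine.
        return None
    problem = ("SELinux is not installed" if status is None
               else "SELinux is disabled")
    if allow_disabled:
        message = ("WARNING: %s; continuing because --allow-selinux-disabled "
                   "was given (unsupported configuration)" % problem)
        warn(message)
        return message
    if server_install:
        raise SELinuxStatusError(
            "%s. Enable SELinux or pass --allow-selinux-disabled to proceed "
            "with an unsupported installation." % problem)
    message = ("WARNING: %s; this client will run without SELinux "
               "confinement" % problem)
    warn(message)
    return message


if __name__ == "__main__":
    # Stand-alone run against the real host; on a host without the probe's
    # files this reports "not installed".
    print(check_selinux_status(is_selinux_enabled_linux, server_install=False))
```

Distinguishing "not installed" (None) from "disabled" (False) is what avoids the unhelpful "install policycoreutils" message discussed above, and letting NotImplementedError propagate is the cheaper alternative to sprinkling None checks through every caller.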

Re: [Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

2013-04-02 Thread Jan Cholasta

On 29.3.2013 15:31, Petr Viktorin wrote:

On 03/29/2013 11:20 AM, Jan Cholasta wrote:

On 29.3.2013 11:14, Jan Cholasta wrote:

Also I was able to install IPA with revoked certificates, but it doesn't
seem to break anything - the CRL specified in the certificates' CRL
distribution point is not automatically imported into any of the NSS
databases and when it is imported manually, everything still seems to
work fine. I haven't checked OCSP. Can and/or do we want to do something
about this?


Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for CN=ipa.example.com,O=Example
((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
-8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
revoked.


I think we can live with not checking CRLs now. I haven't found a way to
download CRLs with certutil or python-nss (short of explicitly examining
the certs, downloading the CRL and importing it, but I don't think IPA
is the place for that).
I've asked John.


OK, thanks.




Patch 205:

Can we instead require the PKCS#12 files to always contain the whole
certificate chain? IMO that way it would be more obvious what should
actually be in the files and it would make things easier should there
ever be need for --root-ca-subject.


Not requiring the root CA is a convenient shortcut. It's common to have
certs signed directly by the CA, and in this case you can use either a
single-cert PKCS#12 or one with the full chain.
Actually, originally the full chain was required, and a user already
complained :)

If we add a new option, we can specify its requirements on the other
options.


No problem.



Adding a new patch for client installation.



This is nothing critical, but I think that make-testcert should check if 
dogtag is installed and when it's not, print a message informing the 
user that they should issue the test certificate manually and place it 
in the appropriate location.


Besides that, ACK.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [RFE] Multiple trust servers per realm

2013-04-02 Thread Tomas Babej

On Fri 08 Mar 2013 02:16:26 PM CET, Alexander Bokovoy wrote:

Hi,

http://www.freeipa.org/page/V3/MultipleTrustServers covers RFE to have
multiple domain controllers exposed to trusted domains.

Attached patch also implements needed changes for ipa-adtrust-install
part. Global trust configuration options are already implemented and
available in git master, while Web UI support for them needs to be
added.

The patch attached actually fixes our current (rather wrong) way of
exposing all LDAP- and Kerberos-related SRV records to default site
configuration and _msdcs SRV namespace. This was wrong because it
assumed that all servers mentioned in SRV records could be domain
controllers, that is, they are usable to contact over SMB protocol.
The latter isn't true until we ran ipa-adtrust-install on them.

The patch only exposes those servers which manage cifs/fqdn@REALM
services and only if those services are also members of cn=adtrust
agents container. This is fairly strict filter and it allows also to
have other types of SMB servers as part of the realm.

Below is a copy of the RFE:
==
__NOTOC__

= Overview =

Ticket [https://fedorahosted.org/freeipa/ticket/2189 #2189];

Each FreeIPA server in the realm has potential to serve as domain
controller in the cross-forest realm trust. This page outlines design
for implementing multiple servers support in FreeIPA.

= Use Cases =

Once <tt>ipa-adtrust-install</tt> ran on the FreeIPA server, the server
can handle requests from trusted domains by means of Samba project's
<tt>smbd</tt> and <tt>winbindd</tt> daemons.

Hosts in FreeIPA realm may be enrolled against specific FreeIPA replica
server. User from trusted domain can access these hosts and their
identities will be resolved against the replica. However, if replica
server does not have trust support configured, these identities will not
be processed since running <tt>winbindd</tt> process is required to
contact the trusted domain's domain controllers and Global Catalog
servers.

Domain controllers are advertised to clients via SRV records in DNS.
Since replica servers may be arranged in a specific topology, adding new
domain controller would need to respect the topology design. It means
priority/weight of the domain controller compared to other domain
controllers should be adjustable. Prime use case for this is branch
office deployments.

= Design =
* Each domain controller uses separate identity and service key to talk
  to FreeIPA LDAP server. The identity is tied to the server hostname.

* Service principal is <tt>cifs/hostname@REALM</tt>, identified in LDAP
  as <tt>krbprincipalname=cifs/hostname@REALM</tt>.

* All identities are members of
  <tt>cn=adtrust agents</tt>,<tt>cn=sysaccounts</tt>,<tt>cn=etc</tt>,<tt>$SUFFIX</tt>.
  Thus, all replica servers can see what other servers are providing
  domain controller service.

* Replica server only becomes domain controller when
  <tt>ipa-adtrust-install</tt> utility was executed on it. It means all
  DC setup is delivered via the <tt>ipa-adtrust-install</tt>.

* <tt>ipa-adtrust-install</tt> should be able to detect other DCs by
  looking at existing identities as members of the
  <tt>cn=adtrust agents</tt>,<tt>cn=sysaccounts</tt>,<tt>cn=etc</tt>,<tt>$SUFFIX</tt>
  tree and modify list of SRV records under <tt>_msdcs</tt> and default
  site configuration if DNS is controlled by FreeIPA.

* Domain Controller priority/weight can be modified at run time since it
  only affects SRV records in the DNS (if FreeIPA controls the DNS).
  Normal <tt>ipa dnsrecord-mod</tt> commands should be used for this
  purpose, operating on SRV records for <tt>_msdcs</tt> and default site
  configuration.

* There are trust properties that are global for the realm. Some of them
  are modifiable, some not. Thus, <tt>ipa trustconfig-show</tt> and
  <tt>ipa trustconfig-mod</tt> should reflect both global and local
  settings (realm-wise and DC-wise).

* Following properties of the trust are global for the realm:
** NetBIOS domain name (read-only, affects existing trusts)
** Domain name (read-only, affects existing trusts)
** Domain GUID (read-only, informational)
** Additional domain suffixes exposed to the trusted party, handled as
   black list against global list of additional domains associated with
   our or transitive realm, read/write
** Fallback primary group (read-write)

* Following properties of the trust are per Domain Controller:
** priority of the DC and GC services (read-write, DNS SRV record)

Details on <tt>ipa trustconfig</tt> commands design are available at
http://www.freeipa.org/page/V3/Trust_config_command
Details on additional domain suffixes handling are available at
http://www.freeipa.org/page/V3/Domain_suffixes

= Implementation =
Implementation-wise there are three parts:

* <tt>ipa-adtrust-install</tt>:
** Gather list of CIFS services that are also members of
   <tt>cn=adtrust agents</tt> and add SRV records for them to _msdcs in
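The two-part filter in the design above (a server is advertised as a domain controller only if it holds a cifs/<fqdn>@REALM principal and that principal is a member of cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX) and the resulting SRV records with adjustable priority can be worked through on constructed directory entries. This is an added example, not the ipa-adtrust-install code from the patch: the entries are made up, and the _msdcs owner names follow the usual Active Directory layout, which is an assumption since the RFE only says "_msdcs and default site configuration".

```python
"""Select DC candidates and derive their _msdcs SRV records (added example).

Not FreeIPA code. Entries, realm and suffix are constructed; the SRV owner
names are the customary AD layout and are assumed, not taken from the RFE.
"""
import re

REALM = "EXAMPLE.TEST"
DOMAIN = REALM.lower()
SUFFIX = "dc=example,dc=test"
ADTRUST_AGENTS = "cn=adtrust agents,cn=sysaccounts,cn=etc," + SUFFIX

# Constructed directory entries: krbprincipalname plus memberOf values.
SERVICES = [
    {"krbprincipalname": "cifs/dc1.example.test@EXAMPLE.TEST",
     "memberof": [ADTRUST_AGENTS]},
    {"krbprincipalname": "cifs/dc2.example.test@EXAMPLE.TEST",
     "memberof": [ADTRUST_AGENTS]},
    # A plain SMB file server: cifs principal, but not an adtrust agent.
    {"krbprincipalname": "cifs/nas.example.test@EXAMPLE.TEST",
     "memberof": []},
    # A replica where ipa-adtrust-install never ran: no cifs principal.
    {"krbprincipalname": "ldap/replica3.example.test@EXAMPLE.TEST",
     "memberof": []},
]

CIFS_PRINCIPAL = re.compile(r"^cifs/(?P<fqdn>[^/@]+)@(?P<realm>[^@]+)$")


def domain_controllers(entries, realm=REALM, agents_dn=ADTRUST_AGENTS):
    """FQDNs that pass both conditions, sorted for stable output."""
    dcs = set()
    for entry in entries:
        m = CIFS_PRINCIPAL.match(entry.get("krbprincipalname", ""))
        if not m or m.group("realm") != realm:
            continue
        # DN comparison is case-insensitive, as in LDAP.
        member_of = {dn.lower() for dn in entry.get("memberof", [])}
        if agents_dn.lower() in member_of:
            dcs.add(m.group("fqdn").lower())
    return sorted(dcs)


# (owner-name template, port); assumed AD layout for DC-specific records.
MSDCS_TEMPLATES = [
    ("_ldap._tcp.dc._msdcs.%(domain)s", 389),
    ("_kerberos._tcp.dc._msdcs.%(domain)s", 88),
    ("_ldap._tcp.%(site)s._sites.dc._msdcs.%(domain)s", 389),
    ("_kerberos._tcp.%(site)s._sites.dc._msdcs.%(domain)s", 88),
]


def srv_records(dcs, domain=DOMAIN, site="Default-First-Site-Name",
                priority=None, weight=100):
    """Return (owner, 'priority weight port target.') pairs for every DC.

    priority maps fqdn -> int so a branch-office DC can be deprioritised;
    DCs not in the map get priority 0.
    """
    priority = priority or {}
    records = []
    for owner_tpl, port in MSDCS_TEMPLATES:
        owner = owner_tpl % {"domain": domain, "site": site}
        for fqdn in dcs:
            rdata = "%d %d %d %s." % (priority.get(fqdn, 0), weight, port, fqdn)
            records.append((owner, rdata))
    return records


def set_priority(records, fqdn, new_priority):
    """Rewrite the priority field of every SRV record targeting fqdn.

    This is the run-time adjustment the RFE expects an administrator to make
    with 'ipa dnsrecord-mod'; only the first RDATA field changes.
    """
    target = fqdn.lower() + "."
    out = []
    for owner, rdata in records:
        prio, weight, port, host = rdata.split()
        if host.lower() == target:
            rdata = "%d %s %s %s" % (new_priority, weight, port, host)
        out.append((owner, rdata))
    return out


if __name__ == "__main__":
    dcs = domain_controllers(SERVICES)
    for owner, rdata in set_priority(srv_records(dcs), "dc2.example.test", 10):
        print("%s IN SRV %s" % (owner, rdata))
```

The point of the strict filter is visible in the sample: the NAS holds a cifs principal but is excluded because it cannot answer domain-controller requests, and the third replica is excluded because ipa-adtrust-install never ran there.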


Re: [Freeipa-devel] [PATCH] 273 Add ipakrbokasdelegate option to service and host Web UI pages

2013-04-02 Thread Jan Cholasta

Hi,

On 29.3.2013 17:23, Petr Vobornik wrote:

On 03/29/2013 05:10 PM, Petr Vobornik wrote:


https://fedorahosted.org/freeipa/ticket/3329



Attaching new rebased version.



It seems everything works fine, ACK.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation

2013-04-02 Thread Ana Krivokapic
On 03/11/2013 10:26 AM, Martin Kosek wrote:
 On 03/06/2013 01:07 PM, Petr Spacek wrote:
 On 6.3.2013 09:32, Martin Kosek wrote:
 +error=u'CNAME record is not allowed to coexist with any other record'),

 Sorry for nitpicking again, but I would add note '(RFC 1034, section
 3.6.2)'.

 Thank you!


 Fixed.

 Martin



Patches 379 and 380 need rebasing.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.


Re: [Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

2013-04-02 Thread Petr Viktorin

On 04/02/2013 10:48 AM, Jan Cholasta wrote:

On 29.3.2013 15:31, Petr Viktorin wrote:

On 03/29/2013 11:20 AM, Jan Cholasta wrote:

On 29.3.2013 11:14, Jan Cholasta wrote:

Also I was able to install IPA with revoked certificates, but it
doesn't
seem to break anything - the CRL specified in the certificates' CRL
distribution point is not automatically imported into any of the NSS
databases and when it is imported manually, everything still seems to
work fine. I haven't checked OCSP. Can and/or do we want to do
something
about this?


Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for CN=ipa.example.com,O=Example
((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
-8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
revoked.


I think we can live with not checking CRLs now. I haven't found a way to
download CRLs with certutil or python-nss (short of explicitly examining
the certs, downloading the CRL and importing it, but I don't think IPA
is the place for that).
I've asked John.


OK, thanks.




Patch 205:

Can we instead require the PKCS#12 files to always contain the whole
certificate chain? IMO that way it would be more obvious what should
actually be in the files and it would make things easier should there
ever be need for --root-ca-subject.


Not requiring the root CA is a convenient shortcut. It's common to have
certs signed directly by the CA, and in this case you can use either a
single-cert PKCS#12 or one with the full chain.
Actually, originally the full chain was required, and a user already
complained :)

If we add a new option, we can specify its requirements on the other
options.


No problem.



Adding a new patch for client installation.



I found one more bug: the replica wasn't setting the ra_plugin option 
properly, preventing installing a replica of a replica.

I squashed the following change into 204:

diff --git a/install/tools/ipa-replica-install 
b/install/tools/ipa-replica-install

index 8fce3a8..af80c1e 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -539,6 +539,9 @@ def main():
 fd.write(ra_plugin=dogtag\n)
 fd.write(dogtag_version=%s\n %
 dogtag.install_constants.DOGTAG_VERSION)
+else:
+fd.write(enable_ra=False\n)
+fd.write(ra_plugin=none\n)
 fd.write(mode=production\n)
 fd.close()
 finally:
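Review bot: the new `else:` branch writes `enable_ra=False` and `ra_plugin=none`, two settings that encode the same CA-less state, while the visible `if` branch writes only `ra_plugin=dogtag` and `dogtag_version`. If `enable_ra=True` is not written for the CA case somewhere above this hunk, the replica's config relies on the default for that key; either way a one-line comment above `else:` saying that `enable_ra` and `ra_plugin` must agree would help the next reader keep them in sync.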



This is nothing critical, but I think that make-testcert should check if
dogtag is installed and when it's not, print a message informing the
user that they should issue the test certificate manually and place it
in the appropriate location.

Besides that, ACK.


I'll make another patch so this set is not delayed.


Honza




--
Petr³



Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation

2013-04-02 Thread Martin Kosek
On 04/02/2013 11:57 AM, Ana Krivokapic wrote:
 On 03/11/2013 10:26 AM, Martin Kosek wrote:
 On 03/06/2013 01:07 PM, Petr Spacek wrote:
 On 6.3.2013 09:32, Martin Kosek wrote:
 +error=u'CNAME record is not allowed to coexist with any
 other record'),

 Sorry for nitpicking again, but I would add note '(RFC 1034, section 
 3.6.2)'.

 Thank you!


 Fixed.

 Martin


 
 Patches 379 and 380 need rebasing.
 
 -- 
 Regards,
 
 Ana Krivokapic
 Associate Software Engineer
 FreeIPA team
 Red Hat Inc.
 

Rebased patches attached.

Martin
From a43ab47125583e744714c172fa337819e3eed53b Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 4 Mar 2013 12:48:05 +0100
Subject: [PATCH 1/3] Change CNAME and DNAME attributes to single valued

These DNS attributeTypes are of a singleton type, update LDAP schema
to reflect it.

https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
---
 install/share/60ipadns.ldif   | 4 ++--
 install/updates/10-bind-schema.update | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 9697227fb7166b3711568ddea3e5c345277befa3..6293385d62ce10dd3020ad291a947ff0f0d67c6e 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -21,14 +21,14 @@ attributeTypes: (1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'Naming Author
 attributeTypes: (1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Exchange Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'certificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Record Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-attributeTypes: (1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributeTypes: (1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Delegation Signer, RFC 3658' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-attributeTypes: (0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributeTypes: (0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributeTypes: (0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (2.16.840.1.113730.3.8.5.0 NAME 'idnsName' DESC 'DNS FQDN' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v2' )
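Review bot: adding `SINGLE-VALUE` to `dNameRecord` and `cNAMERecord` tightens the schema retroactively; any existing entry that already carries two values for either attribute becomes schema-invalid after the upgrade, and later modifications of that entry are likely to be rejected by the directory server. The commit message should say so, and the upgrade would benefit from a check for entries with multiple CNAME/DNAME values, since the improved validation in patches 379 and 380 cannot repair data that already exists.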
diff --git a/install/updates/10-bind-schema.update b/install/updates/10-bind-schema.update
index 3c43c8ec79fe6cb9830a27fb2880b6ed0cf0d8e4..cbe7a672b5300d5b945bf996a596909008dda5aa 100644
--- a/install/updates/10-bind-schema.update
+++ b/install/updates/10-bind-schema.update
@@ -78,3 +78,5 @@ add:objectClasses:
 
 dn: cn=schema
 replace:objectClasses:( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY 
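Two rules are discussed across this thread and the one on patches 378-380 above: a CNAME may not coexist with any other record at the same name (RFC 1034, section 3.6.2, as Petr asked to cite), and CNAME and DNAME attributes are single-valued (the SINGLE-VALUE schema change in patch 1/3). The following added example, which is not FreeIPA's validator, enforces both on entries modelled after the IPA LDAP layout in the patch (an idnsName plus `<type>Record` attributes). The minimal LDIF reader and the sample entries are constructed for the example; it does not attempt the DNAME coexistence rules, which the page does not spell out.

```python
"""Validate DNS record entries for CNAME exclusivity and single-valuedness.

Added example, not FreeIPA code. Entries follow the IPA schema shape shown
in the patch: attributes named <type>Record carry the RDATA values.
"""
import re

# Any attribute named like aRecord, cNAMERecord, dNameRecord, nSRecord ...
RECORD_ATTR = re.compile(r"^(?P<type>[a-z0-9]+)record$", re.IGNORECASE)
# Attributes the schema change marks SINGLE-VALUE.
SINGLE_VALUED = ("cname", "dname")


def parse_ldif(text):
    """Minimal LDIF reader for the constructed sample: entries separated by
    blank lines, 'attr: value' lines, no folding or base64 values.
    Attribute names are lower-cased because LDAP compares them
    case-insensitively."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")   # first colon only (IPv6 safe)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def record_types(entry):
    """Map lower-case RR type -> list of values for the RR attributes."""
    types = {}
    for attr, values in entry.items():
        m = RECORD_ATTR.match(attr)
        if m:
            types[m.group("type").lower()] = values
    return types


def validate_entry(entry):
    """Return a list of error strings; an empty list means the entry is valid."""
    name = entry.get("idnsname", ["<unnamed>"])[0]
    errors = []
    types = record_types(entry)
    for rtype in SINGLE_VALUED:
        if len(types.get(rtype, [])) > 1:
            errors.append("%s: %s record must have exactly one value"
                          % (name, rtype.upper()))
    if "cname" in types:
        others = sorted(t.upper() for t in types if t != "cname")
        if others:
            errors.append("%s: CNAME record is not allowed to coexist with "
                          "any other record (RFC 1034, section 3.6.2); "
                          "found %s" % (name, ", ".join(others)))
    return errors


def validate_ldif(text):
    """Validate every entry in an LDIF string and collect the errors."""
    errors = []
    for entry in parse_ldif(text):
        errors.extend(validate_entry(entry))
    return errors


# Constructed sample: one valid CNAME, one CNAME next to an A record, one
# double-valued CNAME, and a DNAME with an NS record (valid here).
SAMPLE_LDIF = """\
dn: idnsname=www,idnsname=example.test,cn=dns,dc=example,dc=test
idnsName: www
objectClass: idnsRecord
cNAMERecord: web1.example.test.

dn: idnsname=bad,idnsname=example.test,cn=dns,dc=example,dc=test
idnsName: bad
objectClass: idnsRecord
cNAMERecord: web1.example.test.
aRecord: 192.0.2.10

dn: idnsname=worse,idnsname=example.test,cn=dns,dc=example,dc=test
idnsName: worse
objectClass: idnsRecord
cNAMERecord: web1.example.test.
cNAMERecord: web2.example.test.

dn: idnsname=sub,idnsname=example.test,cn=dns,dc=example,dc=test
idnsName: sub
objectClass: idnsRecord
dNameRecord: other.test.
nSRecord: ns1.other.test.
"""

if __name__ == "__main__":
    for err in validate_ldif(SAMPLE_LDIF):
        print(err)
```

Running the validator over an LDIF export before applying the SINGLE-VALUE schema change is one way to find the entries that would become schema-invalid after the upgrade.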

Re: [Freeipa-devel] [RFE] Multiple trust servers per realm

2013-04-02 Thread Martin Kosek
On 04/02/2013 11:19 AM, Tomas Babej wrote:
 On Fri 08 Mar 2013 02:16:26 PM CET, Alexander Bokovoy wrote:
 Hi,

 http://www.freeipa.org/page/V3/MultipleTrustServers covers RFE to have
 multiple domain controllers exposed to trusted domains.

 Attached patch also implements needed changes for ipa-adtrust-install
 part. Global trust configuration options are already implemented and
 available in git master, while Web UI support for them needs to be
 added.

 The patch attached actually fixes our current (rather wrong) way of
 exposing all LDAP- and Kerberos-related SRV records to default site
 configuration and _msdcs SRV namespace. This was wrong because it
 assumed that all servers mentioned in SRV records could be domain
 controllers, that is, they are usable to contact over SMB protocol.
 The latter isn't true until we ran ipa-adtrust-install on them.

 The patch only exposes those servers which manage cifs/fqdn@REALM
 services and only if those services are also members of cn=adtrust
 agents container. This is fairly strict filter and it allows also to
 have other types of SMB servers as part of the realm.

 Below is a copy of the RFE:
 ==
 __NOTOC__

 = Overview =

 Ticket [https://fedorahosted.org/freeipa/ticket/2189 #2189];

 Each FreeIPA server in the realm has potential to serve as domain
 controller in the cross-forest realm trust. This page outlines design
 for implementing multiple servers support in FreeIPA.

 = Use Cases =

 Once <tt>ipa-adtrust-install</tt> ran on the FreeIPA server, the server
 can handle requests from trusted domains by means of Samba project's
 <tt>smbd</tt> and <tt>winbindd</tt> daemons.

 Hosts in FreeIPA realm may be enrolled against specific FreeIPA replica
 server. User from trusted domain can access these hosts and their
 identities will be resolved against the replica. However, if replica
 server does not have trust support configured, these identities will not
 be processed since running <tt>winbindd</tt> process is required to
 contact the trusted domain's domain controllers and Global Catalog
 servers.

 Domain controllers are advertised to clients via SRV records in DNS.
 Since replica servers may be arranged in a specific topology, adding new
 domain controller would need to respect the topology design. It means
 priority/weight of the domain controller compared to other domain
 controllers should be adjustable. Prime use case for this is branch
 office deployments.

 = Design =
 * Each domain controller uses separate identity and service key to talk
   to FreeIPA LDAP server. The identity is tied to the server hostname.

 * Service principal is <tt>cifs/hostname@REALM</tt>, identified in LDAP
   as <tt>krbprincipalname=cifs/hostname@REALM</tt>.

 * All identities are members of
   <tt>cn=adtrust agents</tt>,<tt>cn=sysaccounts</tt>,<tt>cn=etc</tt>,<tt>$SUFFIX</tt>.
   Thus, all replica servers can see what other servers are providing
   domain controller service.

 * Replica server only becomes domain controller when
   <tt>ipa-adtrust-install</tt> utility was executed on it. It means all
   DC setup is delivered via the <tt>ipa-adtrust-install</tt>.

 * <tt>ipa-adtrust-install</tt> should be able to detect other DCs by
   looking at existing identities as members of the
   <tt>cn=adtrust agents</tt>,<tt>cn=sysaccounts</tt>,<tt>cn=etc</tt>,<tt>$SUFFIX</tt>
   tree and modify list of SRV records under <tt>_msdcs</tt> and default
   site configuration if DNS is controlled by FreeIPA.

 * Domain Controller priority/weight can be modified at run time since it
   only affects SRV records in the DNS (if FreeIPA controls the DNS).
   Normal <tt>ipa dnsrecord-mod</tt> commands should be used for this
   purpose, operating on SRV records for <tt>_msdcs</tt> and default site
   configuration.

 * There are trust properties that are global for the realm. Some of them
   are modifiable, some not. Thus, <tt>ipa trustconfig-show</tt> and
   <tt>ipa trustconfig-mod</tt> should reflect both global and local
   settings (realm-wise and DC-wise).

 * Following properties of the trust are global for the realm:
 ** NetBIOS domain name (read-only, affects existing trusts)
 ** Domain name (read-only, affects existing trusts)
 ** Domain GUID (read-only, informational)
 ** Additional domain suffixes exposed to the trusted party, handled as
    black list against global list of additional domains associated with
    our or transitive realm, read/write
 ** Fallback primary group (read-write)

 * Following properties of the trust are per Domain Controller:
 ** priority of the DC and GC services (read-write, DNS SRV record)

 Details on <tt>ipa trustconfig</tt> commands design are available at
 http://www.freeipa.org/page/V3/Trust_config_command
 Details on additional domain suffixes handling are available at
 http://www.freeipa.org/page/V3/Domain_suffixes

 = Implementation =
 Implementation-wise there are three parts:

 * <tt>ipa-adtrust-install</tt>:
 ** Gather list of CIFS services that are also members of 

[Freeipa-devel] [PATCH] 0208 make-testcert: Add better messages for errors with CA-less

2013-04-02 Thread Petr Viktorin

On 03/18/2013 12:58 PM, Petr Viktorin wrote:

Hello,
While the work is not complete, these patches allowed me to install an
IPA server without a CA, using PKCS#12 files for the server certs.

The patches don't break normal installation.
The --selfsign option (but not yet the code behind it) is removed.

The absence of a CA is indicated by `enable_ra=False` in the IPA config.

ipa-replica-install will still refuse to run; I'll look into that next.

I removed some unused code that got in my way: Dogtag 9 installation (we
can run a Dogtag 9-style CA, but we never *install* it), and
ipapython.certdb.CertDB (unused, not to be confused with ipaserver's
CertDB).



Hello,

This improves a developer testing tool. Details inside.

Submitting separately so any problems don't hold back the big batch of 
CA-less patches.


--
Petr³
From 75b1c9e84fdf119a9ef07f851b76f0208185d51a Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 2 Apr 2013 12:30:50 +0200
Subject: [PATCH] make-testcert: Add better messages for errors with CA-less
 servers

This adds better diagnostics/instructions for two cases of user error:

* The enable_ra setting in ~/.ipa/default.conf doesn't match what is on the server.
  If server is CA-less but enable_ra=True, cert-request won't be available;
  print out instructions to correct this
  If server has a CA but enable_ra=False, make-testcert behaves as CA-less, see below

* In CA-less mode, the cert doesn't already exist.
  Remind that enable_ra must be set properly (for the above case)
  Instruct user to issue a cert and put it in place
---
 make-testcert | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/make-testcert b/make-testcert
index a5814e1de9428e74a6343f5f13193748e3e04df6..e61089b3176d52e4888c48fb19d75fda8ea804af 100755
--- a/make-testcert
+++ b/make-testcert
@@ -84,6 +84,12 @@ def makecert(reqdir):
 api.register(client)
 api.finalize()
 
+if not api.env.enable_ra:
+print IPA CA is not installed, no cert found
+print Ensure enable_ra in ~/.ipa/default.conf matches the server.
+print Issue a test cert manually and put it in %s % CERTPATH
+return 1
+
 ra = rabase.rabase()
 if not os.path.exists(ra.sec_dir) and api.env.xmlrpc_uri == 'http://localhost:/ipa/xml':
 sys.exit('The in-tree self-signed CA is not configured, see tests/test_xmlrpc/test_cert.py')
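Review bot: `return 1` at the end of the new `if not api.env.enable_ra:` block gives `makecert()` a second return type; the other error paths of this function return a message string (`return certificate request failed` and the new message in the following hunk), so the caller presumably prints whatever it gets back. Returning the explanatory text instead of printing three lines and returning an int keeps the function's contract uniform and lets the caller decide where the message goes.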
@@ -116,7 +122,8 @@ def makecert(reqdir):
 except errors.NotFound:
 return certificate request failed
 except errors.CommandError:
-return You need to set enable_ra=True in ~/.ipa/default.conf
+return ('cert_request command not found. If the IPA CA is not '
+'installed, set enable_ra=False in ~/.ipa/default.conf')
 
 nss.nss_init_nodb()
 c = x509.load_certificate(cert, x509.PEM)
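Review bot: `except errors.CommandError:` catches every CommandError and reports it as `cert_request command not found`, so a CommandError raised for any other reason would get the same, now misleading, hint about `enable_ra`. Inspecting the caught exception to confirm it concerns `cert_request` before emitting this message, and re-raising otherwise, keeps the new diagnostic accurate.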
-- 
1.8.1.4


Re: [Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs

2013-04-02 Thread Martin Kosek
On 04/02/2013 12:06 PM, Petr Viktorin wrote:
 On 04/02/2013 12:05 PM, Petr Viktorin wrote:
 On 04/02/2013 10:48 AM, Jan Cholasta wrote:
 On 29.3.2013 15:31, Petr Viktorin wrote:
 On 03/29/2013 11:20 AM, Jan Cholasta wrote:
 On 29.3.2013 11:14, Jan Cholasta wrote:
 Also I was able to install IPA with revoked certificates, but it
 doesn't
 seem to break anything - the CRL specified in the certificates' CRL
 distribution point is not automatically imported into any of the NSS
 databases and when it is imported manually, everything still seems to
 work fine. I haven't checked OCSP. Can and/or do we want to do
 something
 about this?

 Update: the ipa command does not work:

 $ ipa host-show $HOSTNAME --all --raw
 ipa: ERROR: cert validation failed for CN=ipa.example.com,O=Example
 ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
 ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno
 -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been
 revoked.

 I think we can live with not checking CRLs now. I haven't found a way to
 download CRLs with certutil or python-nss (short of explicitly examining
 the certs, downloading the CRL and importing it, but I don't think IPA
 is the place for that).
 I've asked John.

 OK, thanks.


 Patch 205:

 Can we instead require the PKCS#12 files to always contain the whole
 certificate chain? IMO that way it would be more obvious what should
 actually be in the files and it would make things easier should there
 ever be need for --root-ca-subject.

 Not requiring the root CA is a convenient shortcut. It's common to have
 certs signed directly by the CA, and in this case you can use either a
 single-cert PKCS#12 or one with the full chain.
 Actually, originally the full chain was required, and a user already
 complained :)

 If we add a new option, we can specify its requirements on the other
 options.

 No problem.


 Adding a new patch for client installation.


 I found one more bug: the replica wasn't setting the ra_plugin option
 properly, preventing installing a replica of a replica.
 I squashed the following change into 204:

 diff --git a/install/tools/ipa-replica-install
 b/install/tools/ipa-replica-install
 index 8fce3a8..af80c1e 100755
 --- a/install/tools/ipa-replica-install
 +++ b/install/tools/ipa-replica-install
 @@ -539,6 +539,9 @@ def main():
   fd.write(ra_plugin=dogtag\n)
   fd.write(dogtag_version=%s\n %
   dogtag.install_constants.DOGTAG_VERSION)
 +else:
 +fd.write(enable_ra=False\n)
 +fd.write(ra_plugin=none\n)
   fd.write(mode=production\n)
   fd.close()
   finally:
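Review bot: the new else branch writes `enable_ra=False` and `ra_plugin=none` for a CA-less replica, but the CA branch just above it still writes only `ra_plugin=dogtag` and `dogtag_version`, so `enable_ra` on a CA replica is left to whatever default ipa-replica-install inherits; write `enable_ra=True` there as well so both branches produce a complete, self-describing default.conf and a replica of this replica does not depend on an implicit default.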

 
 I forgot to attach the patches; here they are.
 

 This is nothing critical, but I think that make-testcert should check if
 dogtag is installed and when it's not, print a message informing the
 user that they should issue the test certificate manually and place it
 in the appropriate location.

 Besides that, ACK.

 I'll make another patch so this set is not delayed.

 Honza


ACK for the small diff change. The rest was already reviewed by Jan. Thanks to
both!

Pushed all patches to master.

Martin
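
The discussion of single-cert versus full-chain PKCS#12 files above, as an added example that is not FreeIPA code: a name-based chain walk that tells a bundle carrying the whole chain (server cert up to a self-signed root) apart from one carrying only the server cert or missing an intermediate. Certificates are reduced to constructed (subject, issuer) pairs so it runs offline; a real check would load the bundle with python-nss or OpenSSL, match issuers on key identifiers and verify signatures. The `root_subject` parameter stands in for the `--root-ca-subject` option the thread mentions as a possible future addition; it is hypothetical.

```python
"""Added example (not FreeIPA code): what "the whole certificate chain"
in a PKCS#12 bundle means, checked on constructed (subject, issuer) pairs.

A real check would load the bundle (python-nss or OpenSSL), match issuers
on Authority/Subject Key Identifier and verify signatures; here each
certificate is reduced to its two names so the chain logic runs offline.
"""
from collections import namedtuple

# A certificate reduced to the two names the chain walk needs.
# Bundles with two different certs under the same subject are not modelled.
Cert = namedtuple("Cert", "subject issuer")

# Outcomes of build_chain() / check_bundle().
COMPLETE = "complete"              # leaf up to a self-signed root, all present
MISSING_ISSUER = "missing issuer"  # an issuer (possibly just the root) is absent
LOOP = "loop"                      # issuer names cycle without a self-signed cert
WRONG_ROOT = "wrong root"          # chain ends at a root other than the expected one
NO_LEAF = "no leaf"                # the requested server cert is not in the bundle


def build_chain(certs, leaf_subject):
    """Walk issuer -> subject from the leaf; return (chain, status).

    The chain always starts with the leaf and stops at the first
    self-signed certificate (subject == issuer), which is the root.
    """
    by_subject = {c.subject: c for c in certs}
    leaf = by_subject.get(leaf_subject)
    if leaf is None:
        return [], NO_LEAF
    chain = [leaf]
    seen = {leaf.subject}
    while chain[-1].subject != chain[-1].issuer:
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            return chain, MISSING_ISSUER
        if issuer.subject in seen:
            return chain, LOOP
        chain.append(issuer)
        seen.add(issuer.subject)
    return chain, COMPLETE


def check_bundle(certs, leaf_subject, root_subject=None):
    """Return the status of the bundle for installing `leaf_subject`.

    `root_subject`, if given, plays the role of a hypothetical
    --root-ca-subject option: the chain must end at exactly that root.
    Without it, a bundle holding only the leaf (signed by a CA that is
    not included) is reported as MISSING_ISSUER, which is the
    "single-cert PKCS#12" shape the thread describes.
    """
    chain, status = build_chain(certs, leaf_subject)
    if (status == COMPLETE and root_subject is not None
            and chain[-1].subject != root_subject):
        return WRONG_ROOT
    return status


# Constructed sample names; "Example" is a placeholder organisation.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
SERVER = Cert("CN=ipa.example.com", "CN=Example Issuing CA")
DIRECT = Cert("CN=ipa.example.com", "CN=Example Root CA")  # signed by the root itself


def demo():
    """Classify the bundle shapes discussed in the thread."""
    return {
        "full chain": check_bundle([SERVER, INTERMEDIATE, ROOT], SERVER.subject),
        "server only": check_bundle([SERVER], SERVER.subject),
        "intermediate missing": check_bundle([SERVER, ROOT], SERVER.subject),
        "direct, single cert": check_bundle([DIRECT], DIRECT.subject),
        "direct, with root": check_bundle([DIRECT, ROOT], DIRECT.subject),
        "wrong root expected": check_bundle([SERVER, INTERMEDIATE, ROOT],
                                            SERVER.subject,
                                            root_subject="CN=Other Root CA"),
    }


if __name__ == "__main__":
    for shape, status in demo().items():
        print("%-22s %s" % (shape, status))
```

Note that "direct, single cert" and "server only" are indistinguishable by this check; only a trust store (or the installer's own CA list) can say whether the missing issuer is acceptable, which is why requiring the whole chain removes the ambiguity.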

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES] 0197-0204 Installing without a CA, with custom SSL certs

2013-04-02 Thread Martin Kosek
On 03/29/2013 06:33 PM, Petr Viktorin wrote:
 On 03/29/2013 06:17 PM, Petr Vobornik wrote:
 Hello,

 attaching Web UI part.

 Petr

 
 Works well for me, if someone can check if the Javascript looks fine then ACK.
 

I think that functional review is OK in this case, there are no architectonic
changes...

Pushed to master.

Martin



Re: [Freeipa-devel] [PATCH 0043] Properly handle ipa-replica-install when its zone is not managed by IPA

2013-04-02 Thread Rob Crittenden

Ana Krivokapic wrote:

On 03/29/2013 04:00 PM, Tomas Babej wrote:

On 03/29/2013 03:48 PM, Ana Krivokapic wrote:

On 03/29/2013 03:11 PM, Tomas Babej wrote:

On 03/29/2013 02:15 PM, Ana Krivokapic wrote:

On 03/26/2013 04:59 PM, Tomas Babej wrote:

Hi,

The ipa-replica-install script tries to add replica's A and PTR
records to the master DNS, if master does manage DNS. However,
master need not to manage replica's zone. Properly handle this use
case.

https://fedorahosted.org/freeipa/ticket/3496





The patch works well and fixes the issue.

Just a couple of nitpicks:

1) However, master need not to manage replica's zone. -- This
sentence sounds a little strange to me, but I am not a native
speaker so I may be wrong about that.


The phrase should be ok. I assume you're worried about need not
construct, which may sound a bit unusual as opposed to, for example,
does not need to.

One could argue that it sounds archaic. However, consider the
following chart, which clearly proves the opposite:

http://books.google.com/ngrams/chart?content=need%20not%2Cneeds%20not%2Cdoes%20not%20need%20to%2Cdoesn%20'%20t%20need%20tocorpus=0smoothing=3year_start=1800year_end=2000

For more detailed explanation, see:

http://english.stackexchange.com/questions/29409/why-use-need-not-instead-of-do-not-need-to


Actually, the part that sounded weird to me is the to that comes
after need not in your commit message. Also, the stackexchange link
you provided states: This /need/ is a *modal verb*: it always
requires an infinitive without /to/;.

Sorry that I wasn't clear about this in my first email.

Yes, that's a mistake on my part, thanks for catching that. Fixed the
commit message.




2) There are three PEP8 501 errors introduced by the patch, but
given the recent discussion on this subject, I think it is really
up to you if you want to take the time to fix these.


Sure I do. Thanks for the catch. Updated patch attached.

There is still one line with E501:

install/tools/ipa-replica-install:303:80: E501 line too long (80 > 79
characters)

I left that one so intentionally. Imho, it would only mangle the line
unnecessarily, the line is exactly 80 characters long with no nice
point where to break it.


OK, makes sense.






ACK from the functional perspective.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.









ACK


Pushed to master and ipa-3-1

rob



Re: [Freeipa-devel] [RFE] CA-less install

2013-04-02 Thread Petr Viktorin

On 03/22/2013 01:10 PM, Petr Viktorin wrote:

The design page for CA-less installation with user-provided SSL certs is
available at http://freeipa.org/page/V3/CA-less_install. I've also
copied it to this mail.

Does it answer all your questions?



Since the patches were pushed, I've linked the RFE in 
http://freeipa.org/page/V3_Designs


--
Petr³



Re: [Freeipa-devel] [RFE] Drop --selfsign

2013-04-02 Thread Petr Viktorin

On 03/20/2013 05:11 PM, Petr Viktorin wrote:

Here is a RFE for https://fedorahosted.org/freeipa/ticket/3494.
It's for dropping the --selfsign option from ipa-server-install. The
functionality itself stays in for now (on upgraded self-signed masters).

http://freeipa.org/page/V3/Drop_selfsign



Since the patch was pushed, I've linked the RFE in 
http://freeipa.org/page/V3_Designs


--
Petr³



Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Petr Spacek

On 22.3.2013 13:03, Petr Spacek wrote:

Hello,

this patch set separates master zones (idnsZone objectClass) from forward
zones (idnsForwardZone objectClass). Support for forward zones in idnsZone
objectClass is still present to ease upgrades.

See each commit message for all the gory details.


I encountered a crash caused by a bug in patch 126. Fixed version is attached.

Diff between patch 126 version 1 and 2:

--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -3391,7 +3391,7 @@ update_zone(isc_task_t *task, isc_event_t *event)

CHECK(dn_to_dnsname(inst-mctx, pevent-dn, currname, NULL));

-   if (result == ISC_R_SUCCESS 
+   if (ldap_qresult_zone != NULL 
HEAD(ldap_qresult_zone-ldap_entries) != NULL) {
entry_zone = HEAD(ldap_qresult_zone-ldap_entries);
CHECK(ldap_entry_getclass(entry_zone, objclass));
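Review bot: the replaced condition `result == ISC_R_SUCCESS` was vacuous here, because the CHECK(dn_to_dnsname(...)) two lines above only falls through when result is already ISC_R_SUCCESS, so HEAD(ldap_qresult_zone->ldap_entries) was dereferenced even when the zone query produced no result object; testing `ldap_qresult_zone != NULL` is the right guard. Add a one-line comment stating when ldap_qresult_zone is NULL (the zone entry no longer being present when the update is processed) so the next reader does not take the guard for dead code.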

--
Petr^2 Spacek
From 85ed07b47fb9480faea13218b8a6c28659506449 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 22 Mar 2013 12:38:55 +0100
Subject: [PATCH] Add support for pure forward zones - idnsForwardZone
 objectClass.

Master zones are stored in zone_register and pure forward zones
are stored in fwd_register.

This patch doesn't remove support for forward zones within
idnsZone objectClass. Support for forward zones in both
objectClasses enables incremental update, where old and new
plugin versions operate on the same LDAP database.

Support for forward zones defined by idnsZone objectClass
will be removed in near future.

Forward zones defined in idnsZone objectClass are not disabled
after removing from LDAP if persistent search is disabled
(see ticket #106).
This problem doesn't affect zones defined with idnsForwardZone
objectClass.

https://fedorahosted.org/bind-dyndb-ldap/ticket/99

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/Makefile.am|   4 +
 src/fwd_register.c | 156 +
 src/fwd_register.h |  35 ++
 src/ldap_entry.c   |  33 --
 src/ldap_entry.h   |   7 +-
 src/ldap_helper.c  | 336 ++---
 6 files changed, 441 insertions(+), 130 deletions(-)
 create mode 100644 src/fwd_register.c
 create mode 100644 src/fwd_register.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 252255788b01e003031f5f0ee2fc8469b53633be..87c3252736fa4f918f105166497b32b0219ef8ea 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -5,11 +5,13 @@ HDRS =\
 	acl.h			\
 	cache.h			\
 	compat.h		\
+	fwd_register.h		\
 	krb5_helper.h		\
 	ldap_convert.h		\
 	ldap_entry.h		\
 	ldap_helper.h		\
 	log.h			\
+	rbt_helper.h		\
 	rdlist.h		\
 	semaphore.h		\
 	settings.h		\
@@ -23,12 +25,14 @@ ldap_la_SOURCES =		\
 	$(HDRS)			\
 	acl.c			\
 	cache.c			\
+	fwd_register.c		\
 	krb5_helper.c		\
 	ldap_convert.c		\
 	ldap_driver.c		\
 	ldap_entry.c		\
 	ldap_helper.c		\
 	log.c			\
+	rbt_helper.c		\
 	rdlist.c		\
 	semaphore.c		\
 	settings.c		\
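Review bot: rbt_helper.h and rbt_helper.c are added to HDRS and ldap_la_SOURCES here, but those files are introduced by the separate "Add helper functions for generic iteration over RBT" patch in this series, not by this one; either move these two lines into that patch so each commit builds on its own, or state the dependency in the commit message.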
diff --git a/src/fwd_register.c b/src/fwd_register.c
new file mode 100644
index ..c663b25909b0e393421c49950d1f29a1352cfe6c
--- /dev/null
+++ b/src/fwd_register.c
@@ -0,0 +1,156 @@
+#include isc/rwlock.h
+#include dns/name.h
+
+#include rbt_helper.h
+#include fwd_register.h
+#include util.h
+
+struct fwd_register {
+	isc_mem_t	*mctx;
+	isc_rwlock_t	rwlock;
+	dns_rbt_t	*rbt;
+};
+
+isc_result_t
+fwdr_create(isc_mem_t *mctx, fwd_register_t **fwdrp)
+{
+	isc_result_t result;
+	fwd_register_t *fwdr = NULL;
+
+	REQUIRE(fwdrp != NULL  *fwdrp == NULL);
+
+	CHECKED_MEM_GET_PTR(mctx, fwdr);
+	ZERO_PTR(fwdr);
+	isc_mem_attach(mctx, fwdr-mctx);
+	CHECK(dns_rbt_create(mctx, NULL, NULL, fwdr-rbt));
+	CHECK(isc_rwlock_init(fwdr-rwlock, 0, 0));
+
+	*fwdrp = fwdr;
+	return ISC_R_SUCCESS;
+
+cleanup:
+	if (fwdr != NULL) {
+		if (fwdr-rbt != NULL)
+			dns_rbt_destroy(fwdr-rbt);
+		MEM_PUT_AND_DETACH(fwdr);
+	}
+
+	return result;
+}
+
+void
+fwdr_destroy(fwd_register_t **fwdrp)
+{
+	fwd_register_t *fwdr;
+
+	if (fwdrp == NULL || *fwdrp == NULL)
+		return;
+
+	fwdr = *fwdrp;
+
+	RWLOCK(fwdr-rwlock, isc_rwlocktype_write);
+	dns_rbt_destroy(fwdr-rbt);
+	RWUNLOCK(fwdr-rwlock, isc_rwlocktype_write);
+	isc_rwlock_destroy(fwdr-rwlock);
+	MEM_PUT_AND_DETACH(fwdr);
+
+	*fwdrp = NULL;
+}
+
+/*
+ * Add forward zone to the forwarding register 'fwdr'. Origin of the zone
+ * must be absolute and the zone cannot already be in the register.
+ */
+isc_result_t
+fwdr_add_zone(fwd_register_t *fwdr, dns_name_t *name)
+{
+	isc_result_t result;
+	void *dummy = NULL;
+
+	REQUIRE(fwdr != NULL);
+	REQUIRE(name != NULL);
+
+	if (!dns_name_isabsolute(name)) {
+		log_bug(forward zone with bad origin);
+		return ISC_R_FAILURE;
+	}
+
+	RWLOCK(fwdr-rwlock, isc_rwlocktype_write);
+
+	/*
+	 * First make sure the node doesn't exist. Partial matches mean
+	 * there are also child zones in the LDAP database which is allowed.
+	 */
+	result = dns_rbt_findname(fwdr-rbt, name, 0, NULL, dummy);
+	if (result != ISC_R_NOTFOUND  result != 
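Review bot: fwdr_destroy() takes the write lock, destroys the tree, releases the lock and then calls isc_rwlock_destroy() on the same lock; that is only safe when no other thread can still be blocked on, or about to acquire, fwdr->rwlock, so document that precondition (all users of the register stopped) in the function comment, since destroying a contended rwlock is undefined. In fwdr_add_zone(), the header comment says the origin "must be absolute", yet a relative name is handled with log_bug() and ISC_R_FAILURE while a NULL name is a REQUIRE; a relative name is the same kind of programming error, so REQUIRE(dns_name_isabsolute(name)) would be consistent with the contract stated in the comment.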

Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation

2013-04-02 Thread Ana Krivokapic
On 04/02/2013 12:12 PM, Martin Kosek wrote:
 On 04/02/2013 11:57 AM, Ana Krivokapic wrote:
 On 03/11/2013 10:26 AM, Martin Kosek wrote:
 On 03/06/2013 01:07 PM, Petr Spacek wrote:
 On 6.3.2013 09:32, Martin Kosek wrote:
 +error=u'CNAME record is not allowed to coexist with any
 other record'),
 Sorry for nitpicking again, but I would add note '(RFC 1034, section 
 3.6.2)'.

 Thank you!

 Fixed.

 Martin


 Patches 379 and 380 need rebasing.

 -- 
 Regards,

 Ana Krivokapic
 Associate Software Engineer
 FreeIPA team
 Red Hat Inc.

 Rebased patches attached.

 Martin

The first patch (schema update) correctly changes both CNAME and DNAME
attributes to single valued attributes.

I tested the newly introduced validation rules, trying to add:
 * more than 1 cname record with the same name
 * cname + ptr
 * cname + dname
 * cname + any other record
 * more than 1 dname
 * dname + ns
 * dname + ns (root zone)

As expected, validation fails for all the above cases except the last
one (dname + ns in the root zone).

ACK

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.



[Freeipa-devel] [PATCH] 399 Require 389-base-base 1.3.0.5

2013-04-02 Thread Martin Kosek
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
  enabled

https://fedorahosted.org/freeipa/ticket/3540


ACKed by Rob on IRC, pushed to master, ipa-3-1.

I will bump this Requires also for Fedora 18 and F19 build.

Martin
From 5f5d65b787a0cf96e8d45e052fa16afa9dcc264f Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 2 Apr 2013 16:25:46 +0200
Subject: [PATCH] Require 389-base-base 1.3.0.5

Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
  enabled

https://fedorahosted.org/freeipa/ticket/3540
---
 freeipa.spec.in | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 665a6d7207042a5b0defd63186149fbf5684a096..5e844534dd3f3629b94fc868b9a09643c84846c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -88,7 +88,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base = 1.3.0
+Requires: 389-ds-base = 1.3.0.5
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
@@ -139,6 +139,7 @@ Requires: zip
 Requires: policycoreutils = %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger = 0.65
+Requires(pre): 389-ds-base = 1.3.0.5
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -782,6 +783,12 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Apr  2 2013 Martin Kosek mko...@redhat.com - 3.1.99-2
+- Require 389-base-base = 1.3.0.5 to pull the following fixes:
+  - upgrade deadlock caused by DNA plugin reconfiguration
+  - CVE-2013-1897: unintended information exposure when
+nsslapd-allow-anonymous-access is set to rootdse
+
 * Wed Mar 27 2013 Martin Kosek mko...@redhat.com - 3.1.99-2
 - Remove conflict with krb5-server  1.11 as ipa-kdb is compatible
 - ipa-ldap-updater show produce errors only
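Review bot: the new changelog entry reuses 3.1.99-2, the same version-release as the Mar 27 entry directly below it; bump it to 3.1.99-3 (and the Release tag the entry describes) so the two entries are distinguishable and rpmlint does not report a duplicate. The entry also says "389-base-base" where the Requires line in the first hunk says 389-ds-base; fix the package name here and in the subject.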
-- 
1.8.1.4


Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Adam Tkac
On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:
 Hello,
 
 this patch set separates master zones (idnsZone objectClass) from
 forward zones (idnsForwardZone objectClass). Support for forward
 zones in idnsZone objectClass is still present to ease upgrades.
 
 See each commit message for all the gory details.

Since patches are non-trivial, I will review them per partes (i.e. each patch
in separate mail). Please check my comments below.

Regards, Adam

 From d0c598ea7e9c02a1ec786c6f1c596ae1be7ac1e2 Mon Sep 17 00:00:00 2001
 From: Petr Spacek pspa...@redhat.com
 Date: Fri, 22 Mar 2013 12:17:07 +0100
 Subject: [PATCH] Add helper functions for generic iteration over RBT.
 
 https://fedorahosted.org/bind-dyndb-ldap/ticket/99
 
 Signed-off-by: Petr Spacek pspa...@redhat.com
 ---
  src/rbt_helper.c | 150 
 +++
  src/rbt_helper.h |  29 +++
  2 files changed, 179 insertions(+)
  create mode 100644 src/rbt_helper.c
  create mode 100644 src/rbt_helper.h
 
 diff --git a/src/rbt_helper.c b/src/rbt_helper.c
 new file mode 100644
 index 
 ..70ab06134694e36a6ae049284d506bbf5bc3a977
 --- /dev/null
 +++ b/src/rbt_helper.c
 @@ -0,0 +1,150 @@
 +#include dns/rbt.h
 +
 +#include rbt_helper.h
 +
 +#define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I')
 +
 +/**
 + * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator.
 + *
 + * @param[in]  iter Initialized RBT iterator.
 + * @param[out] nodename Target dns_name suitable for rbt_fullnamefromnode() 
 call.
 + *
 + * @pre Nodename has pre-allocated storage space.
 + *
 + * @retval ISC_R_SUCCESS   Actual name was copied to nodename.
 + * @retval ISC_R_NOTFOUND  Iterator doesn't point to any node.
 + * @retval DNS_R_EMPTYNAME Iterator points to name without assigned data,
 + * nodename is unchanged.
 + * @retval others  Errors from dns_name_concatenate() and others.
 + *
 + */
 +static isc_result_t
 +rbt_iter_getnodename(rbt_iterator_t *iter, dns_name_t *nodename) {
 + isc_result_t result;
 + dns_rbtnode_t *node = NULL;
 +
 + REQUIRE(iter != NULL);
 + REQUIRE(nodename != NULL);
 + REQUIRE(ISC_MAGIC_VALID(iter, LDAPDB_RBTITER_MAGIC));
 +
 + CHECK(dns_rbtnodechain_current(iter-chain, NULL, NULL, node));
 + if (node-data == NULL)
 + return DNS_R_EMPTYNAME;
 +
 + CHECK(dns_rbt_fullnamefromnode(node, nodename));
 + result = ISC_R_SUCCESS;
 +
 +cleanup:
 + return result;
 +}
 +
 +/**
 + * Initialize RBT iterator, lock RBT and copy name of the first node with
 + * non-NULL data. Empty RBT nodes (with data == NULL) are ignored.
 + *
 + * RBT remains locked after iterator initialization. RBT has to be
 + * unlocked by reaching end of iteration or explicit rbt_iter_stop() call.
 + *
 + * @param[in,out] rwlock   guard for RBT, will be read-locked
 + * @param[out]iter iterator structure, will be initialized
 + * @param[out]nodename dns_name with pre-allocated storage
 + *
 + * @pre Nodename has pre-allocated storage space.
 + *
 + * @retval ISC_R_SUCCESS   Node with non-NULL data found,
 + * RBT is in locked state, iterator is valid,
 + * nodename holds copy of actual RBT node name.
 + * @retval ISC_R_NOTFOUND  Node with non-NULL data is not present,
 + * RBT is in unlocked state, iterator is invalid.
 + * @retval others  Any error from rbt_iter_getnodename() and
 + * rbt_iter_next().
 + */
 +isc_result_t
 +rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock,
 +rbt_iterator_t *iter, dns_name_t *nodename) {
 +
 + isc_result_t result;
 +
 + REQUIRE(rbt != NULL);
 + REQUIRE(rwlock != NULL);
 + REQUIRE(iter != NULL);
 +
 + ZERO_PTR(iter);
 +
 + isc_mem_attach(mctx, iter-mctx);
 + dns_rbtnodechain_init(iter-chain, mctx);
 + iter-rbt = rbt;
 + iter-rwlock = rwlock;
 + iter-locktype = isc_rwlocktype_read;
 + iter-magic = LDAPDB_RBTITER_MAGIC;
 +
 + RWLOCK(iter-rwlock, iter-locktype);
 +
 + result = dns_rbtnodechain_first(iter-chain, rbt, NULL, NULL);
 + if (result != DNS_R_NEWORIGIN) {
 + rbt_iter_stop(iter);
 + return result;

I would substitute those two lines with goto cleanup;.

 + }
 +
 + result = rbt_iter_getnodename(iter, nodename);
 + if (result == DNS_R_EMPTYNAME)
 + result = rbt_iter_next(iter, nodename);
 + if (result == ISC_R_NOMORE)
 + result = ISC_R_NOTFOUND;

In my opinion this function should leave rbt in locked state only when it
returns ISC_R_SUCCESS. All other cases should unlock the tree. I recommend
adding this statement:

cleanup:
if (result != ISC_R_SUCCESS)
rbt_iter_stop(iter);

 +
 + return result;
 +}
 +
 +/**
 + * Copy name of the next non-empty node in RBT.
 + *
 + * 
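Review bot: rbt_iter_first() dereferences mctx and nodename (the latter through rbt_iter_getnodename) but only REQUIREs rbt, rwlock and iter; add REQUIRE(mctx != NULL) and REQUIRE(nodename != NULL) to match rbt_iter_getnodename. Separately, the header comment promises that ISC_R_NOTFOUND leaves the RBT unlocked, but the ISC_R_NOMORE to ISC_R_NOTFOUND translation after rbt_iter_next() returns with whatever lock state rbt_iter_next() left behind, which this hunk does not show; the cleanup label suggested above, calling rbt_iter_stop() on every non-success result, would make the code match the comment for all paths.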

Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Adam Tkac
On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:
 Hello,
 
 this patch set separates master zones (idnsZone objectClass) from
 forward zones (idnsForwardZone objectClass). Support for forward
 zones in idnsZone objectClass is still present to ease upgrades.
 
 See each commit message for all the gory details.
 
 -- 
 Petr^2 Spacek

Ack for patch 0124.

 From 005707761a5b99d50871de91252f9f23a7441d19 Mon Sep 17 00:00:00 2001
 From: Petr Spacek pspa...@redhat.com
 Date: Fri, 22 Mar 2013 12:19:02 +0100
 Subject: [PATCH] Add missing includes to util.h.
 
 Now include util.h should be enough for util.h usage.
 
 Signed-off-by: Petr Spacek pspa...@redhat.com
 ---
  src/util.h | 9 -
  1 file changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/src/util.h b/src/util.h
 index 
 d6d3c73e6d25657805eee904e6047c542e52a656..17a3f3b4ca65ab4a80c4e4fcc9ea909bb7a9178c
  100644
 --- a/src/util.h
 +++ b/src/util.h
 @@ -21,10 +21,17 @@
  #ifndef _LD_UTIL_H_
  #define _LD_UTIL_H_
  
 -extern isc_boolean_t verbose_checks; /* from settings.c */
 +#include string.h
 +
 +#include isc/mem.h
 +#include isc/buffer.h
 +#include dns/types.h
 +#include dns/name.h
  
  #include log.h
  
 +extern isc_boolean_t verbose_checks; /* from settings.c */
 +
  #define CLEANUP_WITH(result_code)\
   do {\
   result = (result_code); \
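Review bot: the new include list covers the isc and dns types used by the helper macros, but isc_boolean_t in the `extern isc_boolean_t verbose_checks` declaration is still only reached transitively through the isc headers; add `#include <isc/boolean.h>` explicitly so util.h's own declarations do not depend on what isc/mem.h happens to pull in, which is the point of the commit.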
 -- 
 1.7.11.7

-- 
Adam Tkac, Red Hat, Inc.



Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation

2013-04-02 Thread Martin Kosek
On 04/02/2013 04:53 PM, Ana Krivokapic wrote:
 On 04/02/2013 12:12 PM, Martin Kosek wrote:
 On 04/02/2013 11:57 AM, Ana Krivokapic wrote:
 On 03/11/2013 10:26 AM, Martin Kosek wrote:
 On 03/06/2013 01:07 PM, Petr Spacek wrote:
 On 6.3.2013 09:32, Martin Kosek wrote:
 +error=u'CNAME record is not allowed to coexist with any
 other record'),
 Sorry for nitpicking again, but I would add note '(RFC 1034, section 
 3.6.2)'.

 Thank you!

 Fixed.

 Martin


 Patches 379 and 380 need rebasing.

 -- 
 Regards,

 Ana Krivokapic
 Associate Software Engineer
 FreeIPA team
 Red Hat Inc.

 Rebased patches attached.

 Martin
 
 The first patch (schema update) correctly changes both CNAME and DNAME
 attributes to single valued attributes.
 
 I tested the newly introduced validation rules, trying to add:
  * more than 1 cname record with the same name
  * cname + ptr
  * cname + dname
  * cname + any other record
  * more than 1 dname
  * dname + ns
  * dname + ns (root zone)
 
 As expected, validation fails for all the above cases except the last
 one (dname + ns in the root zone).
 
 ACK
 

Thanks. Pushed to master.

Martin
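
The CNAME/DNAME coexistence rules tested in the review above, as an added example that is not FreeIPA's code: a validator over a constructed in-memory zone rather than the LDAP tree, with a `check_add` that mirrors the pre-check a `dnsrecord-add` would have to do. The rule set is reconstructed from the review's test matrix and the RFC 1034 note earlier in the thread; the "@" apex convention, the error strings and the sample zone are assumptions. The schema change making CNAME and DNAME single-valued is a separate layer and is not modelled.

```python
"""Added example (not FreeIPA code): the CNAME/DNAME coexistence rules
exercised in the review, applied to a constructed in-memory zone.

Rules, as assumed from the review's test matrix:
  - at most one CNAME per name, and nothing else beside it
    (RFC 1034, section 3.6.2)
  - at most one DNAME per name, never together with a CNAME
  - DNAME beside NS only at the zone apex, where the NS set is the
    zone's own delegation rather than a delegation below the DNAME
    (RFC 6672)
"""
from copy import deepcopy

ZONE_APEX = "@"   # owner name of the zone's own ("root") record

ERR_CNAME_MULTI = "only one CNAME record is allowed per name"
ERR_CNAME_COEXIST = ("CNAME record is not allowed to coexist with any other "
                     "record (RFC 1034, section 3.6.2)")
ERR_DNAME_MULTI = "only one DNAME record is allowed per name"
ERR_DNAME_CNAME = "DNAME record is not allowed to coexist with a CNAME record"
ERR_DNAME_NS = ("DNAME record is not allowed to coexist with an NS record "
                "except in the zone apex record (RFC 6672)")


def _normalize(rrsets):
    """Upper-case the RR type keys and drop types with no rdata left."""
    return {rtype.upper(): list(values)
            for rtype, values in rrsets.items() if values}


def validate_name(owner, rrsets):
    """Return the list of rule violations for one owner name.

    `rrsets` maps RR type -> list of rdata strings.
    """
    rrsets = _normalize(rrsets)
    errors = []
    if "CNAME" in rrsets:
        if len(rrsets["CNAME"]) > 1:
            errors.append(ERR_CNAME_MULTI)
        if set(rrsets) - {"CNAME"}:
            errors.append(ERR_CNAME_COEXIST)
    if "DNAME" in rrsets:
        if len(rrsets["DNAME"]) > 1:
            errors.append(ERR_DNAME_MULTI)
        if "CNAME" in rrsets:
            errors.append(ERR_DNAME_CNAME)
        if "NS" in rrsets and owner != ZONE_APEX:
            errors.append(ERR_DNAME_NS)
    return errors


def validate_zone(zone):
    """Map every owner name that violates a rule to its error list."""
    result = {}
    for owner, rrsets in zone.items():
        errors = validate_name(owner, rrsets)
        if errors:
            result[owner] = errors
    return result


def check_add(zone, owner, rtype, rdata):
    """Errors that adding `rdata` of type `rtype` at `owner` would raise.

    The candidate record is merged into a copy of the existing record set
    and the resulting state is validated, so `zone` itself is untouched
    and a rejected add leaves nothing behind.
    """
    candidate = _normalize(deepcopy(zone.get(owner, {})))
    candidate.setdefault(rtype.upper(), []).append(rdata)
    return validate_name(owner, candidate)


# Constructed sample zone (example.com.); owner names are relative to it.
SAMPLE_ZONE = {
    "@":   {"SOA": ["ns1 hostmaster 2013040201 3600 900 604800 3600"],
            "NS":  ["ns1.example.com."]},
    "ns1": {"A": ["192.0.2.1"]},
    "www": {"CNAME": ["ns1.example.com."]},
    "old": {"DNAME": ["new.example.com."]},
}


def review_matrix(zone=SAMPLE_ZONE):
    """The seven additions tried in the review, mapped to their errors."""
    return {
        "second cname":      check_add(zone, "www", "CNAME", "ns2.example.com."),
        "cname + ptr":       check_add(zone, "www", "PTR", "host.example.com."),
        "cname + dname":     check_add(zone, "www", "DNAME", "x.example.com."),
        "cname + any other": check_add(zone, "www", "TXT", "v=spf1 -all"),
        "second dname":      check_add(zone, "old", "DNAME", "y.example.com."),
        "dname + ns":        check_add(zone, "old", "NS", "ns1.example.com."),
        "dname + ns (apex)": check_add(zone, "@", "DNAME", "new.example.com."),
    }


if __name__ == "__main__":
    for case, errors in review_matrix().items():
        verdict = "rejected: " + "; ".join(errors) if errors else "accepted"
        print("%-18s %s" % (case, verdict))
```

Validating the merged candidate rather than the incoming record alone is what makes the "cname + dname" case report both violations at once, and it is also why the apex case passes: the NS set already at "@" is the zone's own delegation, so adding a DNAME there is the one DNAME + NS combination the rules allow.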



Re: [Freeipa-devel] [RFE] CA-less install

2013-04-02 Thread Petr Viktorin

On 04/02/2013 02:14 AM, Robert Relyea wrote:

On 03/29/2013 07:40 AM, John Dennis wrote:

On 03/29/2013 07:57 AM, Petr Viktorin wrote:

On 03/27/2013 04:40 PM, John Dennis wrote:

On 03/27/2013 11:23 AM, Petr Viktorin wrote:

I don't want to check the subject because this RFE was prompted by
IPA's
normal CA rejecting valid wildcart certs. Is there a reasonable way to
ask NSS if it will trust the cert?


Yes. NSS provides a variety of tools to test validation.

Going just on memory here, our current version of python-nss has a
simple call to test validation. Sometime in the last year I added a
fair
amount of new support for certificate validation including getting back
diagnostic information for validation failures, however if I recall
correctly the extended functionality in python-nss has not been
released
yet.


Does the new code include downloading and importing CRLs?


Cert verification is a complex topic. This is further exacerbated by
the introduction of PKIX. My understanding is NSS had classic
verification code and later introduced PKIX. There has been an
evolution between classic verification and PKIX. This is outside my
domain of expertise. How and when CRL's are loaded in NSS is not
something I can give advice on, especially in an area undergoing change.

I'm going to have to defer to an expert in this area, Bob Relyea, I've
CC'ed him on this email.

It's hard to get the context in the middle, and as John had noted, NSS
is transitioning from the old Cert_Verify interface to the new PKIX_ code.

I'll answer the question for the traditional CERTVerify code, which is
the only one you get in SSL by default, and the one most people still use:

No, CRLs are not downloaded and imported automatically, but if you
download and import CRL's, NSS will use them. There's an installable
PKCS #11 module which can be configured to download and install CRLs,
then provide them to NSS. It's called mod_revocator.

The expected revocation strategy NSS uses is OCSP, and you can turn on
automatic OCSP fetching.


Bob, to put this in context [1] the functionality in python-nss being
discussed is the binding of the CERT_VerifyCertificate() function,
something I added recently. Now the question arises as to how CRL's
are meant to play into the verification process. Can you please
explain how NSS expects this to be done? Pointers to existing
documentation and code examples would also be helpful.


There's a separate CERT_ImportCRL() which will import the CRL into the
database. mod_revocator() can also be used to do the fetching for you;
Matthew has examples on how various servers set them up (I believe the
only NSS setup is installing the module in your secmod.db/pkcs11.txt
with modutil).



It would also be helpful to understand the PKIX roadmap and how this
might affect coding decisions at the API level.


the PKIX interface is available now, and is actually used by Chrome (for
all certs) and Firefox (for ev processing). Firefox is in the process of
moving to libpkix for everything.  There is an environment variable you
can set (I don't remember it specifically, but I could look it up for
you if you want) that will cause the transitional
CERT_VerifyCertificate() interface to use the libpkix engine, but it
keeps the old CERT_VerifyCertificate semantics (like no CRL or AIA cert
fetching)..

With libpkix, the revocation options are quite broad and complex. We
really expect people would use a set of preconfigured policies, though
libpkix API allows for quite some variance. It would take me some time
to dig up all the descriptions, but I can if you want them.


[1] Some additional context, the original motivation for exposing NSS
cert verification to IPA was to solve the following problem. If
someone wants to make the IPA CA a sub-CA (as opposed to a self-signed
CA) we want to validate the externally provided CA cert *before*
proceeding with the IPA installation. This is because if the CA cert
is invalid everything will hugely blow-up (because we use the CA cert
to sign all the certs issued in IPA, especially those used to validate
cooperating components/agents, if those certs do not work nothing in
IPA works). In addition to this narrow goal we in general want to be
able to perform cert verification correctly in other contexts as well
so the extent to which you can educate us in general on this topic
will be appreciated.

OK, thanks. I'd go ahead and start with CERT_VerifyCertificate() unless
you specifically need some of the advanced libpkix features.


The original context is sanity checking: is an SSL server cert we get 
from a user valid? If it is then we install the corresponding server.

Requirements here are:
- No extra information from the user, other than the cert itself (the 
admin gives us a cert, we don't want to ask how to find out if it's valid)
- It needs to be a simple call/tool, since there's little gain over just 
documenting that we want good certs.

So it looks like it's not worth it to go there.


The new 

Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Petr Spacek

On 2.4.2013 17:17, Adam Tkac wrote:

On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:

Hello,

this patch set separates master zones (idnsZone objectClass) from
forward zones (idnsForwardZone objectClass). Support for forward
zones in idnsZone objectClass is still present to ease upgrades.

See each commit message for all the gory details.


Since patches are non-trivial, I will review them per partes (i.e. each patch
in separate mail). Please check my comments below.

Regards, Adam


 From d0c598ea7e9c02a1ec786c6f1c596ae1be7ac1e2 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 22 Mar 2013 12:17:07 +0100
Subject: [PATCH] Add helper functions for generic iteration over RBT.

https://fedorahosted.org/bind-dyndb-ldap/ticket/99

Signed-off-by: Petr Spacek pspa...@redhat.com
---
  src/rbt_helper.c | 150 +++
  src/rbt_helper.h |  29 +++
  2 files changed, 179 insertions(+)
  create mode 100644 src/rbt_helper.c
  create mode 100644 src/rbt_helper.h

diff --git a/src/rbt_helper.c b/src/rbt_helper.c
new file mode 100644
index 
..70ab06134694e36a6ae049284d506bbf5bc3a977
--- /dev/null
+++ b/src/rbt_helper.c
@@ -0,0 +1,150 @@
+#include dns/rbt.h
+
+#include rbt_helper.h
+
+#define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I')
+
+/**
+ * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator.
+ *
+ * @param[in]  iter Initialized RBT iterator.
+ * @param[out] nodename Target dns_name suitable for rbt_fullnamefromnode() 
call.
+ *
+ * @pre Nodename has pre-allocated storage space.
+ *
+ * @retval ISC_R_SUCCESS   Actual name was copied to nodename.
+ * @retval ISC_R_NOTFOUND  Iterator doesn't point to any node.
+ * @retval DNS_R_EMPTYNAME Iterator points to name without assigned data,
+ * nodename is unchanged.
+ * @retval others  Errors from dns_name_concatenate() and others.
+ *
+ */
+static isc_result_t
+rbt_iter_getnodename(rbt_iterator_t *iter, dns_name_t *nodename) {
+   isc_result_t result;
+   dns_rbtnode_t *node = NULL;
+
+   REQUIRE(iter != NULL);
+   REQUIRE(nodename != NULL);
+   REQUIRE(ISC_MAGIC_VALID(iter, LDAPDB_RBTITER_MAGIC));
+
+   CHECK(dns_rbtnodechain_current(iter-chain, NULL, NULL, node));
+   if (node-data == NULL)
+   return DNS_R_EMPTYNAME;
+
+   CHECK(dns_rbt_fullnamefromnode(node, nodename));
+   result = ISC_R_SUCCESS;
+
+cleanup:
+   return result;
+}
+
+/**
+ * Initialize RBT iterator, lock RBT and copy name of the first node with
+ * non-NULL data. Empty RBT nodes (with data == NULL) are ignored.
+ *
+ * RBT remains locked after iterator initialization. RBT has to be
+ * unlocked by reaching end of iteration or explicit rbt_iter_stop() call.
+ *
+ * @param[in,out] rwlock   guard for RBT, will be read-locked
+ * @param[out]iter iterator structure, will be initialized
+ * @param[out]nodename dns_name with pre-allocated storage
+ *
+ * @pre Nodename has pre-allocated storage space.
+ *
+ * @retval ISC_R_SUCCESS   Node with non-NULL data found,
+ * RBT is in locked state, iterator is valid,
+ * nodename holds copy of actual RBT node name.
+ * @retval ISC_R_NOTFOUND  Node with non-NULL data is not present,
+ * RBT is in unlocked state, iterator is invalid.
+ * @retval others  Any error from rbt_iter_getnodename() and
+ * rbt_iter_next().
+ */
+isc_result_t
+rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock,
+  rbt_iterator_t *iter, dns_name_t *nodename) {
+
+   isc_result_t result;
+
+   REQUIRE(rbt != NULL);
+   REQUIRE(rwlock != NULL);
+   REQUIRE(iter != NULL);
+
+   ZERO_PTR(iter);
+
+   isc_mem_attach(mctx, iter-mctx);
+   dns_rbtnodechain_init(iter-chain, mctx);
+   iter-rbt = rbt;
+   iter-rwlock = rwlock;
+   iter-locktype = isc_rwlocktype_read;
+   iter-magic = LDAPDB_RBTITER_MAGIC;
+
+   RWLOCK(iter-rwlock, iter-locktype);
+
+   result = dns_rbtnodechain_first(iter-chain, rbt, NULL, NULL);
+   if (result != DNS_R_NEWORIGIN) {
+   rbt_iter_stop(iter);
+   return result;


I would substitute those two lines with goto cleanup;.


+   }
+
+   result = rbt_iter_getnodename(iter, nodename);
+   if (result == DNS_R_EMPTYNAME)
+   result = rbt_iter_next(iter, nodename);
+   if (result == ISC_R_NOMORE)
+   result = ISC_R_NOTFOUND;


In my opinion this function should leave rbt in locked state only when it
returns ISC_R_SUCCESS. All other cases should unlock the tree. I recommend
adding this statement:

cleanup:
if (result != ISC_R_SUCCESS)
rbt_iter_stop(iter);


+
+   return result;
+}
+
+/**
+ * Copy name of the next non-empty node in RBT.
+ *
+ * @param[in]  

[Freeipa-devel] Announcing FreeIPA 3.2.0 Prerelease 1

2013-04-02 Thread Martin Kosek
The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We
would like to welcome any early testers of this prerelease to provide us
feedback and help us stabilize this feature release which we plan to release as
final in the beginning of May 2013.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new
version has also been built for Fedora 19 Alpha, if it does not appear in your
Fedora 19 yet, you can download the build from koji:

http://koji.fedoraproject.org/koji/buildinfo?buildID=408311

== Highlights in 3.2.0 Prerelease 1 ==

=== New features ===
* Support installing FreeIPA without an embedded Certificate Authority, with
user-provided SSL certificates for the HTTP and Directory servers. [1]
* New cert-find command. Search certificates in the Dogtag database based on
their serial number, validity or revocation details. This feature is available
both as a CLI command and Web UI page. [2]
* New trustconfig-show and trustconfig-mod command. Show or modify AD Trust
settings generated during AD Trust installation (ipa-adtrust-install) [3]
* Multiple FreeIPA servers can now be designated as Domain Controllers for
trusts with Active Directory [12]
* New realmdomains-show and realmdomains-mod command. Manage list of DNS
domains associated with FreeIPA realm (realmdomains command). This list is
primarily used by AD, which can pull all domains managed by FreeIPA and use
that list for routing authentication requests for domains which do not match
FreeIPA realm name. [4]
* Support trusted domain users in HBAC test command (hbactest command).
* Allow filtering incoming trusted domain SIDs per-trust (trust-mod command). 
[5]
* Configurable PAC type for services. Service commands can now configure a set
of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the 
service.
* Faster UI loading. FreeIPA Web UI application is now packaged in minimalized
format. FreeIPA web server is now also able to transmit data in compressed
format. [6] [7]
* UI now accepts confirmation of cancel of its dialogs via keyboard [11]
* Client reenrollment. A host that has been recreated can now be reenrolled to
FreeIPA server using a backed up host keytab or admin credentials [8]
* Service and Host commands now provide options to add or remove selected
Kerberos flags [9]

=== Prerelease 1 limitations ===

* List of DNS domains associated with FreeIPA realm currently only works with a
special Samba build available for Fedora 18:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to
rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get
it working.
* Test of trusted domain users in HBAC rules is accessible only to members
of 'Trust Admins' group due to privilege limitations
* Same applies to any other trust-specific operations that require translation
between user/group name and its security identifier (SID)

=== Bug fixes ===

* Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and
groups from OpenLDAP database instances.
* Migration process is now also a lot faster and provides more debug output (to
httpd error log).
* SUDO rules disabled by sudorule-disable command are now removed from
ou=sudoers compat tree without a need to restart 389 Directory Server instance.
* Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
* Fixed server installation with external CA (--external-ca)
* Consolidate on-line help system, show help without the need for valid Kerberos
credentials (ipa help)
* New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial
attribute for replicas which either do not have integrated DNS service enabled
or which have disabled SOA serial autoincrement
* LDAP lockout plugin has been fixed so that lockout policies are applied
consistently both for LDAP binds and Kerberos authentication
* ... and many other stabilization fixes, see Detailed changelog for full 
details

== Changes in API or CLI ==
=== Dropped --selfsign option ===
FreeIPA servers prior to 3.2.0 could be installed with --selfsign option. This
configured the server with a NSS database based Certificate Authority with a
selfsigned CA certificate and limited certificate operation support.

This option was always intended for development or testing purposes only and
was not intended for use in production. This release drops this option and
deprecates the functionality. Current FreeIPA servers installed with
--selfsign option will still work, instructions on how to migrate to
supported certificate options will be provided.

FreeIPA servers version 3.2.0 and later support the following 2 flavors of
certificate management:
* FreeIPA with pki-ca (dogtag) with either a self-signed certificate or with a
certificate signed by external CA (--external-ca option)
* FreeIPA with no pki-ca installed with certificates signed and provided by an
external CA [1]

=== Dropped CSV support ===
FreeIPA client CLI supported CSV in some arguments so 

Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Adam Tkac
On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:
 Hello,
 
 this patch set separates master zones (idnsZone objectClass) from
 forward zones (idnsForwardZone objectClass). Support for forward
 zones in idnsZone objectClass is still present to ease upgrades.
 
 See each commit message for all the gory details.

Just check one comment below, otherwise ack.

 From 71fc42de24d3709efbe7dee24973c1b456b37fe4 Mon Sep 17 00:00:00 2001
 From: Petr Spacek pspa...@redhat.com
 Date: Fri, 22 Mar 2013 12:38:55 +0100
 Subject: [PATCH] Add support for pure forward zones - idnsForwardZone
  objectClass.
 
 Master zones are stored in zone_register and pure forward zones
 are stored in fwd_register.
 
 This patch doesn't remove support for forward zones within
 idnsZone objectClass. Support for forward zones in both
 objectClasses enables incremental update, where old and new
 plugin versions operate on the same LDAP database.
 
 Support for forward zones defined by idnsZone objectClass
 will be removed in near future.
 
 Forward zones defined in idnsZone objectClass are not disabled
 after removing from LDAP if persistent search is disabled
 (see ticket #106).
 This problem doesn't affect zones defined with idnsForwardZone
 objectClass.
 
 https://fedorahosted.org/bind-dyndb-ldap/ticket/99
 
 Signed-off-by: Petr Spacek pspa...@redhat.com
 ---
  src/Makefile.am|   4 +
  src/fwd_register.c | 156 +
  src/fwd_register.h |  35 ++
  src/ldap_entry.c   |  33 --
  src/ldap_entry.h   |   7 +-
  src/ldap_helper.c  | 334 
 ++---
  6 files changed, 440 insertions(+), 129 deletions(-)
  create mode 100644 src/fwd_register.c
  create mode 100644 src/fwd_register.h
 
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 
 252255788b01e003031f5f0ee2fc8469b53633be..87c3252736fa4f918f105166497b32b0219ef8ea
  100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
 @@ -5,11 +5,13 @@ HDRS =  \
   acl.h   \
   cache.h \
   compat.h\
 + fwd_register.h  \
   krb5_helper.h   \
   ldap_convert.h  \
   ldap_entry.h\
   ldap_helper.h   \
   log.h   \
 + rbt_helper.h\
   rdlist.h\
   semaphore.h \
   settings.h  \
 @@ -23,12 +25,14 @@ ldap_la_SOURCES = \
   $(HDRS) \
   acl.c   \
   cache.c \
 + fwd_register.c  \
   krb5_helper.c   \
   ldap_convert.c  \
   ldap_driver.c   \
   ldap_entry.c\
   ldap_helper.c   \
   log.c   \
 + rbt_helper.c\
   rdlist.c\
   semaphore.c \
   settings.c  \
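Review bot: both Makefile.am hunks add rbt_helper.h and rbt_helper.c to HDRS and ldap_la_SOURCES, but neither file appears in this patch's diffstat (only fwd_register.c and fwd_register.h are created), so the patch does not build when applied on its own. If rbt_helper.{c,h} come from another patch in the 0123-0126 series, state the dependency in the commit message or move these two Makefile lines into that patch.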
 diff --git a/src/fwd_register.c b/src/fwd_register.c
 new file mode 100644
 index 
 ..c663b25909b0e393421c49950d1f29a1352cfe6c
 --- /dev/null
 +++ b/src/fwd_register.c
 @@ -0,0 +1,156 @@
 +#include isc/rwlock.h
 +#include dns/name.h
 +
 +#include rbt_helper.h
 +#include fwd_register.h
 +#include util.h
 +
 +struct fwd_register {
 + isc_mem_t   *mctx;
 + isc_rwlock_trwlock;
 + dns_rbt_t   *rbt;
 +};
 +
 +isc_result_t
 +fwdr_create(isc_mem_t *mctx, fwd_register_t **fwdrp)
 +{
 + isc_result_t result;
 + fwd_register_t *fwdr = NULL;
 +
 + REQUIRE(fwdrp != NULL  *fwdrp == NULL);
 +
 + CHECKED_MEM_GET_PTR(mctx, fwdr);
 + ZERO_PTR(fwdr);
 + isc_mem_attach(mctx, fwdr-mctx);
 + CHECK(dns_rbt_create(mctx, NULL, NULL, fwdr-rbt));
 + CHECK(isc_rwlock_init(fwdr-rwlock, 0, 0));
 +
 + *fwdrp = fwdr;
 + return ISC_R_SUCCESS;
 +
 +cleanup:
 + if (fwdr != NULL) {
 + if (fwdr-rbt != NULL)
 + dns_rbt_destroy(fwdr-rbt);
 + MEM_PUT_AND_DETACH(fwdr);
 + }
 +
 + return result;
 +}
 +
 +void
 +fwdr_destroy(fwd_register_t **fwdrp)
 +{
 + fwd_register_t *fwdr;
 +
 + if (fwdrp == NULL || *fwdrp == NULL)
 + return;
 +
 + fwdr = *fwdrp;
 +
 + RWLOCK(fwdr-rwlock, isc_rwlocktype_write);
 + dns_rbt_destroy(fwdr-rbt);
 + RWUNLOCK(fwdr-rwlock, isc_rwlocktype_write);
 + isc_rwlock_destroy(fwdr-rwlock);
 + MEM_PUT_AND_DETACH(fwdr);
 +
 + *fwdrp = NULL;
 +}
 +
 +/*
 + * Add forward zone to the forwarding register 'fwdr'. Origin of the zone
 + * must be absolute and the zone cannot already be in the register.
 + */
 +isc_result_t
 +fwdr_add_zone(fwd_register_t *fwdr, dns_name_t *name)
 +{
 + isc_result_t result;
 + void *dummy = NULL;
 +
 + REQUIRE(fwdr != NULL);
 + REQUIRE(name != NULL);
 +
 + if (!dns_name_isabsolute(name)) {
 + log_bug(forward zone with bad origin);
 + return ISC_R_FAILURE;
 + }
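Review bot: fwdr_destroy() takes the write lock, destroys the tree, releases the lock and then destroys the lock itself. The RWLOCK/RWUNLOCK pair buys nothing there: a thread that was blocked on the rwlock when it is released would then run against a destroyed lock and a freed fwdr. Either document that callers must guarantee no lookup or iterator is in flight at destroy time, or drop the pair so that requirement is not hidden behind locking that looks protective. Also worth a REQUIRE(mctx != NULL) in fwdr_create() next to the fwdrp check, since mctx is dereferenced immediately.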
 

Re: [Freeipa-devel] [PATCH 0134] Make RBT iterators more resilient.

2013-04-02 Thread Adam Tkac
On Tue, Apr 02, 2013 at 06:49:53PM +0200, Petr Spacek wrote:
 Hello,
 
 Make RBT iterators more resilient.
 
 This patch implements a more resilient interface for RBT iterators, as
 I promised in the thread about patches 123-126.
 
 Now multiple calls to rbt_iter_stop() with the same argument do not hurt.

Ack

 From 9ee8cb1b9be0db6ca1530b43e96547b130181519 Mon Sep 17 00:00:00 2001
 From: Petr Spacek pspa...@redhat.com
 Date: Tue, 2 Apr 2013 18:46:48 +0200
 Subject: [PATCH] Make RBT iterators more resilient.
 
 Signed-off-by: Petr Spacek pspa...@redhat.com
 ---
  src/fwd_register.c  |  2 +-
  src/fwd_register.h  |  2 +-
  src/ldap_helper.c   |  4 +++-
  src/rbt_helper.c| 66 
 -
  src/rbt_helper.h| 15 +++-
  src/zone_register.c |  4 ++--
  src/zone_register.h |  2 +-
  7 files changed, 56 insertions(+), 39 deletions(-)
 
 diff --git a/src/fwd_register.c b/src/fwd_register.c
 index 
 c663b25909b0e393421c49950d1f29a1352cfe6c..81eaac5b66ff66890935e7e6a94138c5e854332d
  100644
 --- a/src/fwd_register.c
 +++ b/src/fwd_register.c
 @@ -146,7 +146,7 @@ cleanup:
  }
  
  isc_result_t
 -fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter,
 +fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter,
  dns_name_t *nodename) {
   if (fwdr-rbt == NULL)
   return ISC_R_NOTFOUND;
 diff --git a/src/fwd_register.h b/src/fwd_register.h
 index 
 0bee3cba82d1deca1aa2fce235be118d076332f0..5fb96c0eb9b07e7374f4591d9cc166714abc23bd
  100644
 --- a/src/fwd_register.h
 +++ b/src/fwd_register.h
 @@ -29,7 +29,7 @@ isc_result_t
  fwdr_zone_ispresent(fwd_register_t *fwdr, dns_name_t *name);
  
  isc_result_t
 -fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter,
 +fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter,
  dns_name_t *nodename);
  
  #endif /* !_LD_FWD_REGISTER_H_ */
 diff --git a/src/ldap_helper.c b/src/ldap_helper.c
 index 
 72456228ba9d223d239f34ae88d63192e0ffbbb4..99d67724a61304a2f39a0d3fa9391ce35f12b72f
  100644
 --- a/src/ldap_helper.c
 +++ b/src/ldap_helper.c
 @@ -1549,7 +1549,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, 
 isc_boolean_t delete_only)
  
   /* Walk through master zone register and remove all zones which
* disappeared from LDAP. */
 - rbt_iterator_t iter;
 + rbt_iterator_t *iter = NULL;
   char name_txt[DNS_NAME_FORMATSIZE];
   DECLARE_BUFFERED_NAME(registered_name);
   DECLARE_BUFFERED_NAME(ldap_name);
 @@ -1588,6 +1588,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, 
 isc_boolean_t delete_only)
   /* Walk through forward zone register and remove all zones which
* disappeared from LDAP. */
   INIT_BUFFERED_NAME(registered_name);
 + iter = NULL;
   result = fwdr_rbt_iter_init(ldap_inst-fwd_register, iter, 
 registered_name);
   while (result == ISC_R_SUCCESS) {
   void *data = NULL;
 @@ -1625,6 +1626,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, 
 isc_boolean_t delete_only)
   goto cleanup;
  
  cleanup:
 + rbt_iter_stop(iter);
   if (master_rbt != NULL)
   dns_rbt_destroy(master_rbt);
   if (forward_rbt != NULL)
 diff --git a/src/rbt_helper.c b/src/rbt_helper.c
 index 
 70ab06134694e36a6ae049284d506bbf5bc3a977..ab37e3c754d06c1b49e389e2e85a5340d4317db2
  100644
 --- a/src/rbt_helper.c
 +++ b/src/rbt_helper.c
 @@ -4,6 +4,16 @@
  
  #define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I')
  
 +struct rbt_iterator {
 + unsigned intmagic;
 + isc_mem_t   *mctx;
 + dns_rbt_t   *rbt;
 + isc_rwlock_t*rwlock;
 + isc_rwlocktype_tlocktype;
 + dns_rbtnodechain_t  chain;
 +};
 +
 +
  /**
   * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator.
   *
 @@ -47,7 +57,7 @@ cleanup:
   * unlocked by reaching end of iteration or explicit rbt_iter_stop() call.
   *
   * @param[in,out] rwlock   guard for RBT, will be read-locked
 - * @param[out]iter iterator structure, will be initialized
 + * @param[out]iterpiterator structure, will be initialized
   * @param[out]nodename dns_name with pre-allocated storage
   *
   * @pre Nodename has pre-allocated storage space.
 @@ -62,14 +72,16 @@ cleanup:
   */
  isc_result_t
  rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock,
 -rbt_iterator_t *iter, dns_name_t *nodename) {
 +rbt_iterator_t **iterp, dns_name_t *nodename) {
  
   isc_result_t result;
 + rbt_iterator_t *iter = NULL;
  
   REQUIRE(rbt != NULL);
   REQUIRE(rwlock != NULL);
 - REQUIRE(iter != NULL);
 + REQUIRE(iterp != NULL  *iterp == NULL);
  
 + CHECKED_MEM_GET_PTR(mctx, iter);
   ZERO_PTR(iter);
  
   isc_mem_attach(mctx, iter-mctx);
 @@ -82,69 +94,81 @@ rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, 
 isc_rwlock_t *rwlock,
   

[Freeipa-devel] [PATCH 0134] Make RBT iterators more resilient.

2013-04-02 Thread Petr Spacek

Hello,

Make RBT iterators more resilient.

This patch implements a more resilient interface for RBT iterators, as I 
promised in the thread about patches 123-126.


Now multiple calls to rbt_iter_stop() with the same argument do not hurt.

--
Petr^2 Spacek
From 9ee8cb1b9be0db6ca1530b43e96547b130181519 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 2 Apr 2013 18:46:48 +0200
Subject: [PATCH] Make RBT iterators more resilient.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/fwd_register.c  |  2 +-
 src/fwd_register.h  |  2 +-
 src/ldap_helper.c   |  4 +++-
 src/rbt_helper.c| 66 -
 src/rbt_helper.h| 15 +++-
 src/zone_register.c |  4 ++--
 src/zone_register.h |  2 +-
 7 files changed, 56 insertions(+), 39 deletions(-)

diff --git a/src/fwd_register.c b/src/fwd_register.c
index c663b25909b0e393421c49950d1f29a1352cfe6c..81eaac5b66ff66890935e7e6a94138c5e854332d 100644
--- a/src/fwd_register.c
+++ b/src/fwd_register.c
@@ -146,7 +146,7 @@ cleanup:
 }
 
 isc_result_t
-fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter,
+fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter,
 		   dns_name_t *nodename) {
 	if (fwdr-rbt == NULL)
 		return ISC_R_NOTFOUND;
diff --git a/src/fwd_register.h b/src/fwd_register.h
index 0bee3cba82d1deca1aa2fce235be118d076332f0..5fb96c0eb9b07e7374f4591d9cc166714abc23bd 100644
--- a/src/fwd_register.h
+++ b/src/fwd_register.h
@@ -29,7 +29,7 @@ isc_result_t
 fwdr_zone_ispresent(fwd_register_t *fwdr, dns_name_t *name);
 
 isc_result_t
-fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter,
+fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter,
 		   dns_name_t *nodename);
 
 #endif /* !_LD_FWD_REGISTER_H_ */
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 72456228ba9d223d239f34ae88d63192e0ffbbb4..99d67724a61304a2f39a0d3fa9391ce35f12b72f 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1549,7 +1549,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only)
 
 	/* Walk through master zone register and remove all zones which
 	 * disappeared from LDAP. */
-	rbt_iterator_t iter;
+	rbt_iterator_t *iter = NULL;
 	char name_txt[DNS_NAME_FORMATSIZE];
 	DECLARE_BUFFERED_NAME(registered_name);
 	DECLARE_BUFFERED_NAME(ldap_name);
@@ -1588,6 +1588,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only)
 	/* Walk through forward zone register and remove all zones which
 	 * disappeared from LDAP. */
 	INIT_BUFFERED_NAME(registered_name);
+	iter = NULL;
 	result = fwdr_rbt_iter_init(ldap_inst-fwd_register, iter, registered_name);
 	while (result == ISC_R_SUCCESS) {
 		void *data = NULL;
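Review bot: the unconditional `iter = NULL;` before the forward-register walk assumes the master-register walk above always ended with the iterator released (rbt_iter_next() reaching ISC_R_NOMORE, or rbt_iter_stop() on an error path). If that loop ever exits while the iterator is still live, the assignment leaks the allocation and leaves the zone register read-locked, which stalls every later refresh. Since this patch makes repeated rbt_iter_stop() calls harmless, call rbt_iter_stop() here instead of assigning NULL: it gives the same reset and also releases anything left over.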
@@ -1625,6 +1626,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only)
 		goto cleanup;
 
 cleanup:
+	rbt_iter_stop(iter);
 	if (master_rbt != NULL)
 		dns_rbt_destroy(master_rbt);
 	if (forward_rbt != NULL)
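Review bot: rbt_iter_stop() in cleanup is what now releases the register's read lock on the `goto cleanup` error paths, which previously returned with the lock held, so it belongs here and before the dns_rbt_destroy() calls. Minor: the `goto cleanup;` immediately preceding the `cleanup:` label in the context lines is a pre-existing no-op that could go while this spot is being edited.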
diff --git a/src/rbt_helper.c b/src/rbt_helper.c
index 70ab06134694e36a6ae049284d506bbf5bc3a977..ab37e3c754d06c1b49e389e2e85a5340d4317db2 100644
--- a/src/rbt_helper.c
+++ b/src/rbt_helper.c
@@ -4,6 +4,16 @@
 
 #define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I')
 
+struct rbt_iterator {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_rbt_t		*rbt;
+	isc_rwlock_t		*rwlock;
+	isc_rwlocktype_t	locktype;
+	dns_rbtnodechain_t	chain;
+};
+
+
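Review bot: moving struct rbt_iterator into the .c file makes the type opaque, which is what the `rbt_iterator_t **` change needs; the header should then keep only the `typedef struct rbt_iterator rbt_iterator_t;` forward declaration (the diffstat shows rbt_helper.h changing, so please confirm that is what the +15/-1 amounts to). Style: two blank lines after the struct.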
 /**
  * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator.
  *
@@ -47,7 +57,7 @@ cleanup:
  * unlocked by reaching end of iteration or explicit rbt_iter_stop() call.
  *
  * @param[in,out] rwlock   guard for RBT, will be read-locked
- * @param[out]iter iterator structure, will be initialized
+ * @param[out]iterpiterator structure, will be initialized
  * @param[out]nodename dns_name with pre-allocated storage
  *
  * @pre Nodename has pre-allocated storage space.
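Review bot: renaming the parameter to iterp is not enough; the docblock should spell out the new ownership contract: on ISC_R_SUCCESS *iterp points to a heap-allocated iterator the caller must release with rbt_iter_stop(), and on any other result *iterp is left NULL. The @retval text for ISC_R_NOTFOUND still says "iterator is invalid", which described the old caller-provided struct.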
@@ -62,14 +72,16 @@ cleanup:
  */
 isc_result_t
 rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock,
-	   rbt_iterator_t *iter, dns_name_t *nodename) {
+	   rbt_iterator_t **iterp, dns_name_t *nodename) {
 
 	isc_result_t result;
+	rbt_iterator_t *iter = NULL;
 
 	REQUIRE(rbt != NULL);
 	REQUIRE(rwlock != NULL);
-	REQUIRE(iter != NULL);
+	REQUIRE(iterp != NULL  *iterp == NULL);
 
+	CHECKED_MEM_GET_PTR(mctx, iter);
 	ZERO_PTR(iter);
 
 	isc_mem_attach(mctx, iter-mctx);
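Review bot: CHECKED_MEM_GET_PTR() jumps to cleanup on allocation failure before the rwlock is taken and while `iter` is still NULL, so the code after the `cleanup:` label must cope with a NULL iterator and must not attempt RWUNLOCK on that path. The commit message says repeated stops are harmless, which suggests rbt_iter_stop() checks for NULL, but the ISC_R_NOMEMORY path is the one to cover with a test. Also consider REQUIRE(mctx != NULL) alongside the other preconditions, since mctx is used immediately.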
@@ -82,69 +94,81 @@ rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock,
 	RWLOCK(iter-rwlock, iter-locktype);
 
 	result = dns_rbtnodechain_first(iter-chain, rbt, NULL, NULL);
-	if (result != DNS_R_NEWORIGIN) {
-		rbt_iter_stop(iter);
-		return result;
-	}
+	if (result != DNS_R_NEWORIGIN)
+		goto cleanup;
 
 	result = rbt_iter_getnodename(iter, nodename);
 	if (result == DNS_R_EMPTYNAME)
-		result = rbt_iter_next(iter, nodename);
+		result = rbt_iter_next(iter, nodename);
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_NOTFOUND;
 
+cleanup:
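Review bot: the hunk mixes a whitespace-only change (the `result = rbt_iter_next(iter, nodename);` line is removed and re-added with different indentation) into a functional change; drop it or mention it in the commit message. On the functional side, `goto cleanup` when dns_rbtnodechain_first() returns anything but DNS_R_NEWORIGIN now relies on the code after `cleanup:` to release the read lock taken just above and free the iterator, while the ISC_R_NOMORE to ISC_R_NOTFOUND path reaches the same label after rbt_iter_next() has already stopped the iterator. The cleanup therefore has to be the idempotent rbt_iter_stop() on `result != ISC_R_SUCCESS`, not a plain RWUNLOCK, and the visible part of the patch stops right before that code.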

[Freeipa-devel] [PATCH] 0011 Remove CA cert on client uninstall

2013-04-02 Thread Ana Krivokapic
Hello,

The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall,
causing failure on subsequent client installation in some cases.

https://fedorahosted.org/freeipa/ticket/3537

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 061fce1ead601d5f46a22a49db72d8bd0d47a489 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Tue, 2 Apr 2013 19:48:38 +0200
Subject: [PATCH] Remove CA cert on client uninstall

The CA cert (/etc/ipa/ca.crt) was not being removed
on client uninstall, causing failure on subsequent client
installation in some cases.

https://fedorahosted.org/freeipa/ticket/3537
---
 ipa-client/ipa-install/ipa-client-install | 9 +
 1 file changed, 9 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 56896f3636bc6f9544804239923c60a11ad71350..126611a824f072bbfba1a7fe28584a5b921d5704 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -644,6 +644,15 @@ def uninstall(options, env):
 root_logger.warning('Please remove /etc/ipa/default.conf manually, '
 'as it can cause subsequent installation to fail.')
 
+# Remove the CA cert
+try:
+os.remove(CACERT)
+except OSError, e:
+root_logger.warning('%s could not be removed: %s', CACERT, str(e))
+root_logger.warning('Please remove %s manually, '
+'as it can cause subsequent '
+'installation to fail.', CACERT)
+
 root_logger.info(Client uninstall complete.)
 
 # The next block of code prompts for reboot, therefore all uninstall
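Review bot: os.remove(CACERT) raises OSError with ENOENT when /etc/ipa/ca.crt is already gone (a second uninstall run, or a client install that failed before writing it), and the except branch then prints two warnings asking the user to remove a file that does not exist. Check e.errno against errno.ENOENT (or test os.path.exists(CACERT) first) and warn only on a real failure; the default.conf removal just above has the same shape and could get the same treatment.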
-- 
1.8.1.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Petr Spacek

On 2.4.2013 17:18, Adam Tkac wrote:

On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:

Hello,

this patch set separates master zones (idnsZone objectClass) from
forward zones (idnsForwardZone objectClass). Support for forward
zones in idnsZone objectClass is still present to ease upgrades.

See each commit message for all the gory details.

--
Petr^2  Spacek

Ack for patch 0124.


Pushed to master: 59b157618c2b241740f3b3125e6da6230fa0314c

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Petr Spacek

On 2.4.2013 18:34, Adam Tkac wrote:

On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:

Hello,

this patch set separates master zones (idnsZone objectClass) from
forward zones (idnsForwardZone objectClass). Support for forward
zones in idnsZone objectClass is still present to ease upgrades.

See each commit message for all the gory details.

Just check one comment below, otherwise ack.

[...]


if (result == ISC_R_SUCCESS) {
log_debug(5, Refresh %s, entry-dn);
/* Add found zone to RB-tree for later check. */
-   result = dns_rbt_addname(rbt, name, NULL);
+   if (zone_class  LDAP_ENTRYCLASS_MASTER)
+   result = dns_rbt_addname(master_rbt, name, 
NULL);
+   else


In my opinion you should use else if (zone_class  LDAP_ENTRYCLASS_FORWARD)
here.


+   result = dns_rbt_addname(forward_rbt, name, 
NULL);
}


Fixed version pushed to master: 760bebb0e8744301420cf6e4918690ed171529a2

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Petr Spacek

On 2.4.2013 17:30, Adam Tkac wrote:

On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:

Hello,

this patch set separates master zones (idnsZone objectClass) from
forward zones (idnsForwardZone objectClass). Support for forward
zones in idnsZone objectClass is still present to ease upgrades.

See each commit message for all the gory details.

--
Petr^2  Spacek

Ack for patch 125 as is.


Pushed to master: edb6dbcf7a81605e6ccbd8efe1e323862710e0f7

--
Petr^2 Spacek



[Freeipa-devel] [PATCH 0137-0138] Preparation for 3.0 release

2013-04-02 Thread Petr Spacek

Hello,

attached patches update NEWS and SPEC files.

Pushed to master:
eb8059eb25912d1c4b262e00ba35d9c44767e1dc
8397ba4ff819825e645b9554fdd17a0d239cc8a9

--
Petr^2 Spacek
From 446104069d43cec34ff373c7e5757844a1bc9ec8 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 2 Apr 2013 19:36:54 +0200
Subject: [PATCH] Update NEWS file for upcoming 3.0 release.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/NEWS b/NEWS
index 78e16942ed551d0ec1a71f4865d02134c46ada87..173c12ce89c448f4053779d91a963846d0706d18 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,22 @@
+3.0
+=
+[1] DNAME records are supported. DNAME attribute was changed to single-valued.
+https://fedorahosted.org/bind-dyndb-ldap/ticket/63
+
+[2] Master and forward zones now have separate object classes:
+idnsZone and idnsForwardZone. idnsForward* attributes in idnsZone object
+class will have old semantics for some time.
+https://fedorahosted.org/bind-dyndb-ldap/ticket/99
+
+[3] Settings system was heavily refactored. From now, unknown options in
+configuration file cause error. DNS dynamic updates should create
+slightly lower load on LDAP server because of settings 'cache'.
+https://fedorahosted.org/bind-dyndb-ldap/ticket/53
+https://fedorahosted.org/bind-dyndb-ldap/ticket/81
+
+[4] Deadlock triggered by PTR record synchronization was fixed.
+https://fedorahosted.org/bind-dyndb-ldap/ticket/113
+
 2.6
 =
 [1] Invalid zones are automatically reloaded after each change in zone data.
-- 
1.7.11.7

From ea30247f2b3c74b11ca2c10f26386939454b4e1d Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 2 Apr 2013 19:38:15 +0200
Subject: [PATCH] Bump NVR to 3.0.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 configure.ac | 2 +-
 contrib/bind-dyndb-ldap.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index a40c49cc44063946522dc8b093660e00a6d2fee4..f964235dc08b3de5e79fe9928707c7039ebfb918 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.59])
-AC_INIT([bind-dyndb-ldap], [2.5], [freeipa-devel@redhat.com])
+AC_INIT([bind-dyndb-ldap], [3.0], [freeipa-devel@redhat.com])
 
 AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2])
 
diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index d0e49eab8fb26a787385fbbdf5c03cf35026d73f..227c15cbf0b955486d8873562beccd32ce79e45a 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -1,7 +1,7 @@
 %define VERSION %{version}
 
 Name:   bind-dyndb-ldap
-Version:2.5
+Version:3.0
 Release:0%{?dist}
 Summary:LDAP back-end plug-in for BIND
 
-- 
1.7.11.7


Re: [Freeipa-devel] [PATCH 0134] Make RBT iterators more resilient.

2013-04-02 Thread Petr Spacek

On 2.4.2013 19:13, Adam Tkac wrote:

On Tue, Apr 02, 2013 at 06:49:53PM +0200, Petr Spacek wrote:

Hello,

 Make RBT iterators more resilient.

This patch implements a more resilient interface for RBT iterators, as
I promised in the thread about patches 123-126.

Now multiple calls to rbt_iter_stop() with the same argument do not hurt.

Ack


Pushed to master: dc3c3014d6f2fbba447efc1489a0488dd34ad625

--
Petr^2 Spacek
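The lifecycle contract patch 0134 settles on (iterator allocated by the first() call, read lock held while it is live, released by next() at end of iteration or by an explicit stop(), and stop() safe to call again) is easier to reason about in isolation. The following is an added example, not bind-dyndb-ldap code: a name array with NULL "nodes without data" stands in for dns_rbt_t, a counting lock stands in for isc_rwlock_t so a leaked read lock becomes observable, and the function and result names (iter_first, iter_next, iter_stop, R_*) are this example's own.

```c
/* Added example, not bind-dyndb-ldap code. Models the rbt_iter_* contract
 * from patch 0134 with a toy register and toy lock (both assumptions) so
 * the lock state after each path can be checked directly. */
#include <stdlib.h>

typedef enum { R_SUCCESS = 0, R_NOTFOUND, R_NOMORE, R_NOMEMORY } result_t;

/* Toy reader/writer lock: its only job is to make a leaked read lock observable. */
typedef struct { int readers; int writer; } rwlock_t;
static void rwlock_rdlock(rwlock_t *l) { l->readers++; }
static void rwlock_rdunlock(rwlock_t *l) { l->readers--; }
static int rwlock_try_wrlock(rwlock_t *l) { if (l->readers || l->writer) return 0; l->writer = 1; return 1; }
static void rwlock_wrunlock(rwlock_t *l) { l->writer = 0; }

typedef struct { rwlock_t lock; const char **names; size_t count; } registry_t;

#define ITER_MAGIC 0x4c445049u  /* 'LDPI', same idea as rbt_helper.c */
typedef struct { unsigned int magic; registry_t *reg; size_t pos; } iter_t;

/* Release the iterator and its read lock. Safe with *iterp == NULL and on a
 * second call: the first call nulls *iterp, so the second is a no-op. */
void iter_stop(iter_t **iterp)
{
    iter_t *iter;
    if (iterp == NULL || *iterp == NULL) return;
    iter = *iterp;
    if (iter->magic != ITER_MAGIC) abort();   /* use-after-stop or garbage */
    rwlock_rdunlock(&iter->reg->lock);
    iter->magic = 0;
    free(iter);
    *iterp = NULL;
}

/* Advance to the next node with data; R_NOMORE means the iterator has
 * already been released ("unlocked by reaching end of iteration"). */
result_t iter_next(iter_t **iterp, const char **name)
{
    iter_t *iter = *iterp;
    while (iter->pos < iter->reg->count) {
        const char *n = iter->reg->names[iter->pos++];
        if (n != NULL) { *name = n; return R_SUCCESS; }
    }
    iter_stop(iterp);
    return R_NOMORE;
}

/* On R_SUCCESS *iterp is live and the register read-locked; on any other
 * result *iterp is NULL and the lock is not held. */
result_t iter_first(registry_t *reg, iter_t **iterp, const char **name)
{
    result_t result;
    iter_t *iter;
    if (reg == NULL || iterp == NULL || *iterp != NULL) abort(); /* REQUIRE() */
    iter = calloc(1, sizeof(*iter));
    if (iter == NULL) { result = R_NOMEMORY; goto cleanup; } /* nothing locked yet */
    iter->magic = ITER_MAGIC;
    iter->reg = reg;
    rwlock_rdlock(&reg->lock);
    *iterp = iter;
    result = iter_next(iterp, name);            /* skip leading nodes without data */
    if (result == R_NOMORE) result = R_NOTFOUND;
cleanup:
    if (result != R_SUCCESS) iter_stop(iterp);  /* no-op if already stopped */
    return result;
}

/* 1 if no iterator still holds the register's read lock. */
int registry_is_unlocked(registry_t *reg)
{
    if (!rwlock_try_wrlock(&reg->lock)) return 0;
    rwlock_wrunlock(&reg->lock);
    return 1;
}

/* Constructed register: two zones plus two nodes without data. */
static const char *SAMPLE[] = { NULL, "example.com.", NULL, "ipa.test." };

/* Full walk, then a redundant stop; returns nodes with data, or -1 if the lock leaked. */
int scenario_full_walk(void)
{
    registry_t reg = { {0, 0}, SAMPLE, 4 };
    iter_t *iter = NULL; const char *name = NULL; int seen = 0;
    result_t result = iter_first(&reg, &iter, &name);
    while (result == R_SUCCESS) { seen++; result = iter_next(&iter, &name); }
    iter_stop(&iter);                           /* harmless: R_NOMORE already released it */
    return registry_is_unlocked(&reg) ? seen : -1;
}

/* Register with no data at all: R_NOTFOUND, NULL iterator, lock free. */
int scenario_empty_register(void)
{
    const char *empty[] = { NULL, NULL };      /* constructed */
    registry_t reg = { {0, 0}, empty, 2 };
    iter_t *iter = NULL; const char *name = NULL;
    result_t result = iter_first(&reg, &iter, &name);
    return result == R_NOTFOUND && iter == NULL && registry_is_unlocked(&reg);
}
```

The two scenarios are the paths the review thread argued about: the full walk stops an iterator that iter_next() already released, and the empty register reaches the cleanup label after the R_NOMORE to R_NOTFOUND mapping. In both cases the second stop is a no-op because the first one nulled the caller's pointer, and the try-wrlock probe confirms no read lock was left behind.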



Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)

2013-04-02 Thread Petr Spacek

On 2.4.2013 17:17, Adam Tkac wrote:

On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:

Hello,

this patch set separates master zones (idnsZone objectClass) from
forward zones (idnsForwardZone objectClass). Support for forward
zones in idnsZone objectClass is still present to ease upgrades.

See each commit message for all the gory details.

Since patches are non-trivial, I will review them per partes (i.e. each patch
in a separate mail). Please check my comments below.

Regards, Adam


After discussion I pushed original version to master:
9d073c1ef7c28e29397a766320d12ecdb7e1941b

--
Petr^2 Spacek



[Freeipa-devel] [PATCH 0135-0137] Schema updates

2013-04-02 Thread Petr Spacek

Hello,

schema was updated to match latest development.

Pushed to master:
3bf0d6fa6e6fe1bd81882a6819e9680e9c069997
b5bb6bc3b731c9e3b9d2efc4fb7a4420803ef55d
9bb52d52189f5e7a74b4994653a40de84fc8f4ea

--
Petr^2 Spacek
From 0f10e921572b77eadf9ef393cb6d65a0297d4a7b Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 2 Apr 2013 19:17:38 +0200
Subject: [PATCH] Add idnsForwardZone objectClass to the schema.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 doc/schema | 8 
 1 file changed, 8 insertions(+)

diff --git a/doc/schema b/doc/schema
index 06772baf5a154fcf2e1a37eabe229d8c2688a523..cf22fa51323daf97776c24da378a9a204573c895 100644
--- a/doc/schema
+++ b/doc/schema
@@ -315,3 +315,11 @@ objectclass ( 2.16.840.1.113730.3.8.6.2
 	MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $
 	idnsZoneRefresh $ idnsPersistentSearch
 	) )
+
+objectClasses: ( 2.16.840.1.113730.3.8.6.3
+	NAME 'idnsForwardZone'
+	DESC 'Forward Zone class'
+	SUP top
+	STRUCTURAL
+	MUST ( idnsName $ idnsZoneActive )
+	MAY ( idnsForwarders $ idnsForwardPolicy ) )
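Review bot: the new definition is written as `objectClasses: (` while the existing entry just above it uses `objectclass (`, that is, the 389-ds LDIF attribute form pasted into a file that otherwise uses OpenLDAP schema syntax; whichever loader consumes doc/schema will reject one of the two forms. Use `objectclass (` here to match the rest of the file.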
-- 
1.7.11.7

From 920c8fe4daa69b661e4e5413a2654417ae33f36c Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 2 Apr 2013 19:18:02 +0200
Subject: [PATCH] Change DNAME record (attribute) to single valued.

http://tools.ietf.org/html/rfc6672#section-2.4

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 doc/schema | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/schema b/doc/schema
index cf22fa51323daf97776c24da378a9a204573c895..e6059153028b044f714f24b449957d4bcaefc017 100644
--- a/doc/schema
+++ b/doc/schema
@@ -117,10 +117,11 @@ attributetype ( 1.3.6.1.4.1.2428.20.1.38
 
 attributetype ( 1.3.6.1.4.1.2428.20.1.39
 	NAME 'dNameRecord'
-	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
+	DESC 'Non-Terminal DNS Name Redirection, RFC 6672'
 	EQUALITY caseIgnoreIA5Match
 	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	SINGLE-VALUE )
 
 attributetype ( 1.3.6.1.4.1.2428.20.1.43
 	NAME 'dSRecord'
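Review bot: adding SINGLE-VALUE to an attribute that already exists in deployed directories is a backwards-incompatible schema change: any entry currently carrying two dNameRecord values becomes schema-violating after the update, and the directory server may refuse the schema change or later modifications to such entries. The commit message should state that operators must clean up multi-valued dNameRecord entries before upgrading, and the NEWS item [1] for 3.0 should say the same.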
-- 
1.7.11.7

From 18c975c52210d9c58c586eb2d748fbe6e690327a Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 2 Apr 2013 19:19:12 +0200
Subject: [PATCH] Add notes about OID allocation and contacts to the schema
 file.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 doc/schema | 29 +
 1 file changed, 29 insertions(+)

diff --git a/doc/schema b/doc/schema
index e6059153028b044f714f24b449957d4bcaefc017..f23bda064984ae79c9e45ed75525d77ab80a4d7f 100644
--- a/doc/schema
+++ b/doc/schema
@@ -1,3 +1,32 @@
+# This schema contains OIDs from Uninett and FreeIPA.
+#
+# Unninet: http://drift.uninett.no/nett/ip-nett/dnsattributes.schema
+#  Base OID for DNS records is 1.3.6.1.4.1.2428.20.1,
+#  see http://drift.uninett.no/nett/ip-nett/oids.html
+#
+# FreeIPA: http://freeipa.org/
+#  Base OID for DNS records is 2.16.840.1.113730.3.8.5
+#  Base OID for DNS objectClasses is 2.16.840.1.113730.3.8.6
+#
+# If you want to add some record types that are defined by IANA,
+# please define it similar to what is done for the existing ones. The
+# name should be {TYPE}Record, and OID should be
+# 1.3.6.1.4.1.2428.20.1.value. For instance the RR type LOC has value
+# 29, so attribute name should be LocRecord (casing shouldn't matter),
+# and the OID is 1.3.6.1.4.1.2428.20.1.29. If you follow this, you
+# know that it will be compatible with what others use, and one is
+# guaranteed that the OIDs are unique.
+# The IANA DNS record type values are available from
+# URL: http://www.iana.org/assignments/dns-parameters .
+#
+# If you define new attributes, please report them to dr...@uninett.no
+# to get them added of this schema.
+#
+# The basic record types like A, CNAME etc are defined in the cosine
+# schema and not in this schema.  This means that your LDAP server
+# must use both the cosine schema and this one to get all the DNS
+# attributes defined.
+
 attributetype ( 1.3.6.1.4.1.2428.20.0.0
 	NAME 'dNSTTL'
 	DESC 'An integer denoting time to live'
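Review bot: "Unninet" in the header comment should read "Uninett" to match the URL and the first line, and "to get them added of this schema" should be "added to this schema". The {TYPE}Record naming rule applies to record attributes under the Uninett arc only; since the comment also lists the FreeIPA objectClass arc, one sentence saying that objectClasses go there would save the next contributor a guess.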
-- 
1.7.11.7


[Freeipa-devel] [Freeipa-interest] Announcing bind-dyndb-ldap version 3.0

2013-04-02 Thread Petr Spacek

The FreeIPA team is proud to announce bind-dyndb-ldap version 3.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/. 
The new version has also been built for Fedora 19:

https://admin.fedoraproject.org/updates/bind-dyndb-ldap-3.0-1.fc19

This release includes several fixes and new features.

== Changes in 3.0 ==

[1] DNAME records are supported. DNAME attribute was changed to single-valued.
https://fedorahosted.org/bind-dyndb-ldap/ticket/63

[2] Master and forward zones now have separate object classes:
idnsZone and idnsForwardZone. idnsForward* attributes in idnsZone object
class will have old semantics for some time.
https://fedorahosted.org/bind-dyndb-ldap/ticket/99

[3] Settings system was heavily refactored. From now on, unknown options in
configuration file cause error. DNS dynamic updates should create
slightly lower load on LDAP server because of settings 'cache'.
https://fedorahosted.org/bind-dyndb-ldap/ticket/53
https://fedorahosted.org/bind-dyndb-ldap/ticket/81

[4] Deadlock triggered by PTR record synchronization was fixed.
https://fedorahosted.org/bind-dyndb-ldap/ticket/113


== Upgrading ==

A server can be upgraded simply by installing updated rpms. BIND has to be 
restarted manually after the RPM installation.


You will need to clean up configuration file /etc/named.conf if your 
configuration contains typos or other unsupported options.


Downgrading back to any 2.x version is supported under the following conditions:
- new object class idnsForwardZone is not utilized
- DNAME records are not utilized
- configured connection count is = 3 (to prevent deadlocks in 2.x releases)


== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing
list: http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr Spacek
Software engineer
Red Hat

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [RFE] CA-less install

2013-04-02 Thread John Dennis

On 04/02/2013 11:33 AM, Petr Viktorin wrote:

On 04/02/2013 02:14 AM, Robert Relyea wrote:

On 03/29/2013 07:40 AM, John Dennis wrote:

On 03/29/2013 07:57 AM, Petr Viktorin wrote:

On 03/27/2013 04:40 PM, John Dennis wrote:

On 03/27/2013 11:23 AM, Petr Viktorin wrote:

I don't want to check the subject because this RFE was prompted by
IPA's normal CA rejecting valid wildcard certs. Is there a reasonable
way to ask NSS if it will trust the cert?


Yes. NSS provides a variety of tools to test validation.

Going just on memory here, our current version of python-nss has a
simple call to test validation. Sometime in the last year I added a
fair amount of new support for certificate validation including getting
back diagnostic information for validation failures, however if I recall
correctly the extended functionality in python-nss has not been
released yet.


Does the new code include downloading and importing CRLs?


Cert verification is a complex topic. This is further exacerbated by
the introduction of PKIX. My understanding is NSS had classic
verification code and later introduced PKIX. There has been an
evolution between classic verification and PKIX. This is outside my
domain of expertise. How and when CRLs are loaded in NSS is not
something I can give advice on, especially in an area undergoing change.

I'm going to have to defer to an expert in this area, Bob Relyea, I've
CC'ed him on this email.

It's hard to get the context in the middle, and, as John had noted, NSS
is transitioning from the old Cert_Verify interface to the new PKIX_ code.

I'll answer the question for the traditional CERTVerify code, which is
the only one you get in SSL by default, and the one most people still use:

No, CRLs are not downloaded and imported automatically, but if you
download and import CRLs, NSS will use them. There's an installable
PKCS #11 module which can be configured to download and install CRLs,
then provide them to NSS. It's called mod_revocator.

The expected revocation strategy NSS uses is OCSP, and you can turn on
automatic OCSP fetching.


Bob, to put this in context [1] the functionality in python-nss being
discussed is the binding of the CERT_VerifyCertificate() function,
something I added recently. Now the question arises as to how CRLs
are meant to play into the verification process. Can you please
explain how NSS expects this to be done? Pointers to existing
documentation and code examples would also be helpful.


There's a separate CERT_ImportCRL() which will import the CRL into the
database. mod_revocator() can also be used to do the fetching for you,
Matthew has examples on how various servers set them up (I believe the
only NSS setup is installing the module in your secmod.db/pkcs11.txt
with modutil).



It would also be helpful to understand the PKIX roadmap and how this
might affect coding decisions at the API level.


The PKIX interface is available now, and is actually used by Chrome (for
all certs) and Firefox (for ev processing). Firefox is in the process of
moving to libpkix for everything.  There is an environment variable you
can set (I don't remember it specifically, but I could look it up for
you if you want) that will cause the transitional
CERT_VerifyCertificate() interface to use the libpkix engine, but it
keeps the old CERT_VerifyCertificate semantics (like no CRL or AIA cert
fetching).

With libpkix, the revocation options are quite broad and complex. We
really expect people would use a set of preconfigured policies, though
libpkix API allows for quite some variance. It would take me some time
to dig up all the descriptions, but I can if you want them.


[1] Some additional context, the original motivation for exposing NSS
cert verification to IPA was to solve the following problem. If
someone wants to make the IPA CA a sub-CA (as opposed to a self-signed
CA) we want to validate the externally provided CA cert *before*
proceeding with the IPA installation. This is because if the CA cert
is invalid everything will hugely blow up (because we use the CA cert
to sign all the certs issued in IPA, especially those used to validate
cooperating components/agents, if those certs do not work nothing in
IPA works). In addition to this narrow goal we in general want to be
able to perform cert verification correctly in other contexts as well
so the extent to which you can educate us in general on this topic
will be appreciated.

OK, thanks. I'd go ahead and start with CERT_VerifyCertificate() unless
you specifically need some of the advanced libpkix features.


The original context is sanity checking: is an SSL server cert we get
from a user valid? If it is then we install the corresponding server.
Requirements here are:
- No extra information from the user, other than the cert itself (the
admin gives us a cert, we don't want to ask how to find out if it's valid)
- It needs to be a simple call/tool, since there's little gain over just
documenting that we want good certs.
So it looks it's 
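The sanity check the thread is after (given nothing but a PEM certificate, ask NSS whether it would trust it for SSL server use, with revocation data that NSS will only consult if it has been imported) can be driven from an installer through the NSS command-line tools, which sit on the same classic verification path as CERT_VerifyCertificate(). The following is an added example written for this discussion; it is not FreeIPA, python-nss or NSS code. It assumes certutil, crlutil and modutil are on PATH and that the NSS database handed to it already contains the trust anchors. The function names are this example's own, and the status line it parses ("certutil: certificate is valid." / "certutil: certificate is invalid: <reason>.") is an assumption about certutil's output; the exit status is treated as the authoritative answer and the text is used only to report a reason.

```python
"""Ask NSS whether a PEM certificate is acceptable as an SSL server cert.

Added example (not FreeIPA/python-nss/NSS code). Assumes the NSS tools
certutil, crlutil and modutil are on PATH and that `db` names an NSS
database (e.g. "sql:/tmp/nssdb") that already holds the trust anchors.
The certutil status-line format parsed below is an assumption; the exit
status is what actually decides the verdict.
"""
from __future__ import annotations

import re
import subprocess
from pathlib import Path
from typing import Optional

# Assumed certutil -V output: "certutil: certificate is valid." or
# "certutil: certificate is invalid: <reason>."
_STATUS_RE = re.compile(
    r"^certutil: certificate is (?P<state>valid|invalid)"
    r"(?:: (?P<reason>.*?))?\.?\s*$",
    re.MULTILINE,
)


def parse_certutil_status(output: str, returncode: int) -> tuple[bool, Optional[str]]:
    """Map certutil -V output plus exit status to (valid, reason).

    Only a zero exit status together with an explicit "valid" line counts as
    success, so a change in the tool's wording can turn "valid" into
    "invalid" but never the other way round (fail closed).
    """
    match = _STATUS_RE.search(output)
    if returncode != 0:
        reason = match.group("reason") if match and match.group("reason") else output.strip() or "unknown"
        return False, reason
    if match is None or match.group("state") != "valid":
        return False, "exit status 0 but no 'certificate is valid' line"
    return True, None


def import_cert_cmd(db: str, nickname: str, pem: Path) -> list[str]:
    # Trust flags ",," on purpose: the candidate gets NO trust of its own, so
    # the verdict must come from chaining to the anchors already in the DB.
    # Importing it with "C,," or "P,," would make the check pass trivially.
    return ["certutil", "-A", "-d", db, "-n", nickname, "-t", ",,", "-a", "-i", str(pem)]


def import_crl_cmd(db: str, crl_der: Path) -> list[str]:
    # Classic NSS verification never fetches CRLs; it only consults CRLs that
    # were imported into the database (CERT_ImportCRL(), crlutil -I).
    return ["crlutil", "-I", "-d", db, "-i", str(crl_der)]


def add_revocator_cmd(db: str, libfile: Path) -> list[str]:
    # Alternative to manual CRL import: register mod_revocator as a PKCS #11
    # module so it fetches CRLs for NSS. libfile path is an assumption.
    return ["modutil", "-dbdir", db, "-add", "mod_revocator", "-libfile", str(libfile), "-force"]


def verify_cmd(db: str, nickname: str, usage: str = "V") -> list[str]:
    # -u V asks for SSL-server usage; -e also checks the signatures in the chain.
    return ["certutil", "-V", "-d", db, "-n", nickname, "-u", usage, "-e"]


def check_server_cert(db: str, pem: Path, crls: tuple[Path, ...] = (),
                      nickname: str = "ipa-candidate") -> tuple[bool, Optional[str]]:
    """Import CRLs (if any) and the candidate cert, then ask NSS for a verdict."""
    for crl in crls:
        subprocess.run(import_crl_cmd(db, crl), check=True)
    subprocess.run(import_cert_cmd(db, nickname, pem), check=True)
    proc = subprocess.run(verify_cmd(db, nickname), capture_output=True, text=True)
    return parse_certutil_status(proc.stdout + proc.stderr, proc.returncode)


if __name__ == "__main__":
    import sys
    ok, why = check_server_cert(sys.argv[1], Path(sys.argv[2]),
                                tuple(Path(p) for p in sys.argv[3:]))
    print("valid" if ok else f"invalid: {why}")
    sys.exit(0 if ok else 1)
```

Usage: `python3 check_cert.py sql:/tmp/nssdb server.pem ca.crl`. The two points the thread makes are visible in the code: revocation only works if the CRL is imported (or mod_revocator is registered) before the verification call, and the candidate certificate must be imported without trust flags, otherwise the "check" only confirms that the database trusts whatever was just put into it.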

Re: [Freeipa-devel] [RFE] CA-less install

2013-04-02 Thread Robert Relyea

On 04/02/2013 02:07 PM, John Dennis wrote:

On 04/02/2013 11:33 AM, Petr Viktorin wrote:

On 04/02/2013 02:14 AM, Robert Relyea wrote:

On 03/29/2013 07:40 AM, John Dennis wrote:

On 03/29/2013 07:57 AM, Petr Viktorin wrote:

On 03/27/2013 04:40 PM, John Dennis wrote:

On 03/27/2013 11:23 AM, Petr Viktorin wrote:

I don't want to check the subject because this RFE was prompted by
IPA's normal CA rejecting valid wildcard certs. Is there a reasonable
way to ask NSS if it will trust the cert?


Yes. NSS provides a variety of tools to test validation.

Going just on memory here, our current version of python-nss has a
simple call to test validation. Sometime in the last year I added a
fair amount of new support for certificate validation including getting
back diagnostic information for validation failures, however if I recall
correctly the extended functionality in python-nss has not been
released yet.


Does the new code include downloading and importing CRLs?


Cert verification is a complex topic. This is further exacerbated by
the introduction of PKIX. My understanding is NSS had classic
verification code and later introduced PKIX. There has been an
evolution between classic verification and PKIX. This is outside my
domain of expertise. How and when CRLs are loaded in NSS is not
something I can give advice on, especially in an area undergoing
change.


I'm going to have to defer to an expert in this area, Bob Relyea, I've
CC'ed him on this email.

It's hard to get the context in the middle, and, as John had noted, NSS
is transitioning from the old Cert_Verify interface to the new PKIX_
code.

I'll answer the question for the traditional CERTVerify code, which is
the only one you get in SSL by default, and the one most people still use:

No, CRLs are not downloaded and imported automatically, but if you
download and import CRLs, NSS will use them. There's an installable
PKCS #11 module which can be configured to download and install CRLs,
then provide them to NSS. It's called mod_revocator.

The expected revocation strategy NSS uses is OCSP, and you can turn on
automatic OCSP fetching.


Bob, to put this in context [1] the functionality in python-nss being
discussed is the binding of the CERT_VerifyCertificate() function,
something I added recently. Now the question arises as to how CRLs
are meant to play into the verification process. Can you please
explain how NSS expects this to be done? Pointers to existing
documentation and code examples would also be helpful.


There's a separate CERT_ImportCRL() which will import the CRL into the
database. mod_revocator() can also be used to do the fetching for you,
Matthew has examples on how various servers set them up (I believe the
only NSS setup is installing the module in your secmod.db/pkcs11.txt
with modutil).



It would also be helpful to understand the PKIX roadmap and how this
might affect coding decisions at the API level.


The PKIX interface is available now, and is actually used by Chrome (for
all certs) and Firefox (for ev processing). Firefox is in the process of
moving to libpkix for everything.  There is an environment variable you
can set (I don't remember it specifically, but I could look it up for
you if you want) that will cause the transitional
CERT_VerifyCertificate() interface to use the libpkix engine, but it
keeps the old CERT_VerifyCertificate semantics (like no CRL or AIA cert
fetching).

With libpkix, the revocation options are quite broad and complex. We
really expect people would use a set of preconfigured policies, though
libpkix API allows for quite some variance. It would take me some time
to dig up all the descriptions, but I can if you want them.


[1] Some additional context, the original motivation for exposing NSS
cert verification to IPA was to solve the following problem. If
someone wants to make the IPA CA a sub-CA (as opposed to a self-signed
CA) we want to validate the externally provided CA cert *before*
proceeding with the IPA installation. This is because if the CA cert
is invalid everything will hugely blow up (because we use the CA cert
to sign all the certs issued in IPA, especially those used to validate
cooperating components/agents, if those certs do not work nothing in
IPA works). In addition to this narrow goal we in general want to be
able to perform cert verification correctly in other contexts as well
so the extent to which you can educate us in general on this topic
will be appreciated.

OK, thanks. I'd go ahead and start with CERT_VerifyCertificate() unless
you specifically need some of the advanced libpkix features.


The original context is sanity checking: is an SSL server cert we get
from a user valid? If it is then we install the corresponding server.
Requirements here are:
- No extra information from the user, other than the cert itself (the
admin gives us a cert, we don't want to ask how to find out if it's 
valid)

- It needs to be a simple call/tool, since there's little gain over