Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts
On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:
Tomas Babej wrote:
On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:
Tomas Babej wrote:
On 02/04/2013 04:21 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
- installed and enabled (on server install)
- installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are allowed since the freeipa-client package has no dependency on SELinux. (any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas

I forgot to edit the man pages. Thanks Rob! Updated patch attached.

Tomas

After a bit of off-line discussion I don't think we're quite ready yet to require SELinux by default on client installations (even with a flag to work around it). The feeling is this would be disruptive to existing automation. Can you still do the check but not enforce it, simply display a big warning if SELinux is disabled?

rob

Sure, here is the updated patch. I edited the commit message, RFE description and man pages according to the new behaviour.

Tomas

The patch looks good, I'm just wondering about one thing. The default value for is_selinux_enabled() is True in ipapython/services.py.in. So this means that any non-Red Hat/non-Fedora system, by default, is going to assume that SELinux is enabled. My hesitation has to do with when we call check_selinux_status(). It may incorrectly error out. I suspect that the user would have to work around this using --allow-selinux-disabled but this wouldn't make a lot of sense since they actually do have SELinux disabled.

Yes, you're right. And the error message would not even be helpful since it would tell the user to install the policycoreutils package.

This would be the case both with server and client installs when selinux would not be installed at all. What do you think?

rob

Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to check_selinux_status, restore_context and install scripts that would ensure that we behave properly when is_selinux_enabled() is not implemented.

2.) We can remove the default value, since it would cause the aforementioned crash and add a comment that this function needs to be implemented properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with checks that compensate for improper platform file implementations.

Tomas

I agree with you on option 2.

rob

I updated the patch accordingly.

Tomas

From 1d8d6b6315d109e936464aac4ee23d35bcd3d84f Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
- installed and enabled, otherwise the installation aborts (on server install)
- installed and enabled OR not installed, otherwise a warning message is displayed (on client install)

The (unsupported) option --allow-selinux-disabled has been added. It can be used to bypass the checks. Man pages were altered accordingly.

Parts of platform-dependent code were refactored to use the newly added is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359
---
 install/tools/ipa-server-install          | 11 +++
 install/tools/man/ipa-server-install.1    |  3 ++
 ipa-client/ipa-install/ipa-client-install | 17 ++
 ipa-client/man/ipa-client-install.1       |  3 ++
 ipapython/platform/fedora16/__init__.py   |  3 +-
 ipapython/platform/fedora16/selinux.py    |  3 ++
 ipapython/platform/fedora18/__init__.py   |  3 +-
 ipapython/platform/redhat/__init__.py     | 53 +-
 ipapython/services.py.in                  |  7
 9 files changed, 78 insertions(+), 25 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index a289941e43acb52fc30bbf3750652f0868e92651..483665b1b3e50996f5a6db30819f57dff53db8e2 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -159,6 +159,8 @@ def parse_options(): help=do not configure OpenSSH client) basic_group.add_option(--no-sshd, dest=conf_sshd, default=True, action=store_false, help=do not configure OpenSSH server) +basic_group.add_option(--allow-selinux-disabled, dest=selinux_disabled, action=store_true, + default=False, help=allow installation with SELinux disabled (not supported)) basic_group.add_option(-d, --debug, dest=debug, action=store_true, default=False, help=print debugging information) basic_group.add_option(-U, --unattended,
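Review bot: the option's dest name `selinux_disabled` describes a machine state rather than the permission the flag grants, so a later `if options.selinux_disabled:` reads as "SELinux is off" when it actually means "the user accepted running without SELinux"; `dest=allow_selinux_disabled`, matching the option name and the man page wording, would keep check_selinux_status() and the client installer's copy of the same flag unambiguous. The help text could also say what is being bypassed (per the commit message the server install otherwise aborts while the client install only warns), since "(not supported)" alone does not tell the user why the flag exists.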
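An added example (not the patch's code and not FreeIPA's) of the check as the thread settles it: platform files must implement is_selinux_enabled() themselves, a server install aborts when SELinux is disabled or absent, a client install only warns, and --allow-selinux-disabled downgrades the abort to a warning. The tri-state return value (None meaning SELinux is not installed), the class layout and the selinuxenabled(8) probe are assumptions of this example, not taken from the patch.

```python
"""Added example, not FreeIPA code: the SELinux pre-flight check discussed in
this thread, written the way option 2 describes it.  The base platform class
has NO default for is_selinux_enabled(), so a platform file that forgets to
implement it fails loudly instead of claiming SELinux is on.
Assumptions: is_selinux_enabled() is tri-state (True/False, None = SELinux
not installed) and the platform classes below are constructed for the example."""
import subprocess


class SELinuxCheckFailed(Exception):
    """Raised when a server install must stop because of SELinux status."""


class BasePlatform(object):
    """Stand-in for ipapython/services.py.in (option 2: no default value)."""

    def is_selinux_enabled(self):
        raise NotImplementedError(
            "is_selinux_enabled() must be implemented in every platform file")


def probe_selinuxenabled(binary="/usr/sbin/selinuxenabled"):
    """Tri-state probe using selinuxenabled(8): exit 0 = enabled,
    non-zero = disabled, missing binary = SELinux tooling not installed."""
    try:
        rc = subprocess.call([binary])
    except OSError:
        return None
    return rc == 0


class RedHatPlatform(BasePlatform):
    """Models the redhat platform file; the probe is injectable for testing."""

    def __init__(self, probe=probe_selinuxenabled):
        self._probe = probe

    def is_selinux_enabled(self):
        return self._probe()


class OtherPlatform(BasePlatform):
    """A platform file that did not implement the check (the case Rob raised)."""


def check_selinux_status(platform, server_install, allow_selinux_disabled=False):
    """Return a list of warnings; raise SELinuxCheckFailed to abort.

    server_install=True : SELinux must be installed and enabled.
    server_install=False: installed+enabled or not installed is fine;
                          disabled produces a warning only.
    allow_selinux_disabled turns any abort into a warning (unsupported).
    """
    # Option 2 from the thread: a NotImplementedError from a platform file
    # propagates instead of being papered over with a default of True.
    enabled = platform.is_selinux_enabled()

    if enabled is None:
        if not server_install:
            return []   # freeipa-client does not depend on SELinux
        problem = ("SELinux is not installed; install the policycoreutils "
                   "package and enable SELinux")
    elif enabled:
        return []
    else:
        problem = "SELinux is disabled"

    if allow_selinux_disabled:
        return ["WARNING: %s; continuing because --allow-selinux-disabled "
                "was given (not supported)" % problem]
    if server_install:
        raise SELinuxCheckFailed(
            "%s. Aborting installation; use --allow-selinux-disabled to "
            "override (not supported)." % problem)
    return ["WARNING: %s; this client configuration is not supported" % problem]


if __name__ == "__main__":
    # Run against the local host (probe result depends on this machine).
    for line in check_selinux_status(RedHatPlatform(), server_install=False):
        print(line)
```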
Re: [Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs
On 29.3.2013 15:31, Petr Viktorin wrote:
On 03/29/2013 11:20 AM, Jan Cholasta wrote:
On 29.3.2013 11:14, Jan Cholasta wrote:

Also I was able to install IPA with revoked certificates, but it doesn't seem to break anything - the CRL specified in the certificates' CRL distribution point is not automatically imported into any of the NSS databases and when it is imported manually, everything still seems to work fine. I haven't checked OCSP. Can and/or do we want to do something about this?

Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for CN=ipa.example.com,O=Example ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.

I think we can live with not checking CRLs now. I haven't found a way to download CRLs with certutil or python-nss (short of explicitly examining the certs, downloading the CRL and importing it, but I don't think IPA is the place for that). I've asked John.

OK, thanks.

Patch 205: Can we instead require the PKCS#12 files to always contain the whole certificate chain? IMO that way it would be more obvious what should actually be in the files and it would make things easier should there ever be need for --root-ca-subject.

Not requiring the root CA is a convenient shortcut. It's common to have certs signed directly by the CA, and in this case you can use either a single-cert PKCS#12 or one with the full chain. Actually, originally the full chain was required, and a user already complained :)

If we add a new option, we can specify its requirements on the other options.

No problem. Adding a new patch for client installation.
This is nothing critical, but I think that make-testcert should check if dogtag is installed and when it's not, print a message informing the user that they should issue the test certificate manually and place it in the appropriate location. Besides that, ACK.

Honza

-- 
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [RFE] Multiple trust servers per realm
On Fri 08 Mar 2013 02:16:26 PM CET, Alexander Bokovoy wrote:

Hi,

http://www.freeipa.org/page/V3/MultipleTrustServers covers RFE to have multiple domain controllers exposed to trusted domains. Attached patch also implements needed changes for ipa-adtrust-install part. Global trust configuration options are already implemented and available in git master, while Web UI support for them needs to be added.

The patch attached actually fixes our current (rather wrong) way of exposing all LDAP- and Kerberos-related SRV records to default site configuration and _msdcs SRV namespace. This was wrong because it assumed that all servers mentioned in SRV records could be domain controllers, that is, they are usable to contact over SMB protocol. The latter isn't true until we ran ipa-adtrust-install on them.

The patch only exposes those servers which manage cifs/fqdn@REALM services and only if those services are also members of cn=adtrust agents container. This is a fairly strict filter and it also allows other types of SMB servers to be part of the realm.

Below is a copy of the RFE:
==

= Overview =

Ticket [https://fedorahosted.org/freeipa/ticket/2189 #2189]; Each FreeIPA server in the realm has potential to serve as domain controller in the cross-forest realm trust. This page outlines design for implementing multiple servers support in FreeIPA.

= Use Cases =

Once ipa-adtrust-install ran on the FreeIPA server, the server can handle requests from trusted domains by means of Samba project's smbd and winbindd daemons. Hosts in FreeIPA realm may be enrolled against specific FreeIPA replica server. User from trusted domain can access these hosts and their identities will be resolved against the replica. However, if replica server does not have trust support configured, these identities will not be processed since running winbindd process is required to contact the trusted domain's domain controllers and Global Catalog servers.

Domain controllers are advertised to clients via SRV records in DNS. Since replica servers may be arranged in a specific topology, adding new domain controller would need to respect the topology design. It means priority/weight of the domain controller compared to other domain controllers should be adjustable. Prime use case for this is branch office deployments.

= Design =

* Each domain controller uses separate identity and service key to talk to FreeIPA LDAP server. The identity is tied to the server hostname.
* Service principal is cifs/hostname@REALM, identified in LDAP as krbprincipalname=cifs/hostname@REALM.
* All identities are members of cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX. Thus, all replica servers can see what other servers are providing domain controller service.
* Replica server only becomes domain controller when ipa-adtrust-install utility was executed on it. It means all DC setup is delivered via the ipa-adtrust-install.
* ipa-adtrust-install should be able to detect other DCs by looking at existing identities as members of the cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX tree and modify list of SRV records under _msdcs and default site configuration if DNS is controlled by FreeIPA.
* Domain Controller priority/weight can be modified at run time since it only affects SRV records in the DNS (if FreeIPA controls the DNS). Normal ipa dnsrecord-mod commands should be used for this purpose, operating on SRV records for _msdcs and default site configuration.
* There are trust properties that are global for the realm. Some of them are modifiable, some not. Thus, ipa trustconfig-show and ipa trustconfig-mod should reflect both global and local settings (realm-wise and DC-wise).
* Following properties of the trust are global for the realm:
** NetBIOS domain name (read-only, affects existing trusts)
** Domain name (read-only, affects existing trusts)
** Domain GUID (read-only, informational)
** Additional domain suffixes exposed to the trusted party, handled as black list against global list of additional domains associated with our or transitive realm, read/write
** Fallback primary group (read-write)
* Following properties of the trust are per Domain Controller:
** priority of the DC and GC services (read-write, DNS SRV record)

Details on ipa trustconfig commands design are available at http://www.freeipa.org/page/V3/Trust_config_command
Details on additional domain suffixes handling are available at http://www.freeipa.org/page/V3/Domain_suffixes

= Implementation =

Implementation-wise there are three parts:
* ipa-adtrust-install:
** Gather list of CIFS services that are also members of cn=adtrust agents and add SRV records for them to _msdcs in
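An added example, not ipa-adtrust-install's own code, of the DC selection filter the RFE describes (a cifs/fqdn@REALM service that is also a member of cn=adtrust agents) and of the per-DC priority/weight it wants in the SRV records. The directory entries, realm and host names are constructed, and the _msdcs owner names follow the usual AD layout rather than anything the RFE itself lists.

```python
"""Added example, not FreeIPA's ipa-adtrust-install code: choose the servers
to advertise as domain controllers using the RFE's filter.  A server qualifies
only if it owns a cifs/<fqdn>@REALM service principal AND that service is a
member of cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX; a plain SMB file
server or an LDAP/Kerberos-only replica is left out of _msdcs.  Everything
below (suffix, realm, entries, record names) is constructed for the example."""

SUFFIX = "dc=ipa,dc=test"
REALM = "IPA.TEST"
DOMAIN = "ipa.test"
ADTRUST_AGENTS_DN = "cn=adtrust agents,cn=sysaccounts,cn=etc," + SUFFIX

# Constructed LDAP search result over the services container: each entry
# carries its krbprincipalname and the groups it is memberOf.
SERVICES = [
    {"krbprincipalname": "cifs/dc1.ipa.test@IPA.TEST",
     "memberof": [ADTRUST_AGENTS_DN]},
    # same group, DN written with different case (DNs compare case-insensitively)
    {"krbprincipalname": "cifs/branch1.ipa.test@IPA.TEST",
     "memberof": ["CN=adtrust agents,CN=sysaccounts,CN=etc," + SUFFIX]},
    # plain SMB file server: has a cifs/ principal but never ran ipa-adtrust-install
    {"krbprincipalname": "cifs/nas.ipa.test@IPA.TEST", "memberof": []},
    # replica without trust support: no cifs/ principal at all
    {"krbprincipalname": "ldap/replica2.ipa.test@IPA.TEST", "memberof": []},
    # principal from another realm must never be advertised for ours
    {"krbprincipalname": "cifs/fs.partner.test@PARTNER.TEST",
     "memberof": [ADTRUST_AGENTS_DN]},
]

# (owner-name template, port) for the DC and GC lookups a trusted domain makes;
# Default-First-Site-Name is the "default site" the RFE refers to.  These names
# are the conventional AD _msdcs layout, an assumption of this example.
MSDCS_SERVICES = [
    ("_ldap._tcp.dc._msdcs.{domain}", 389),
    ("_kerberos._tcp.dc._msdcs.{domain}", 88),
    ("_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.{domain}", 389),
    ("_gc._tcp.{domain}", 3268),
]


def normalize_dn(dn):
    """LDAP DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def domain_controllers(services, realm=REALM, agents_dn=ADTRUST_AGENTS_DN):
    """Sorted FQDNs of servers that are real DCs according to the RFE filter."""
    wanted = normalize_dn(agents_dn)
    dcs = set()
    for entry in services:
        principal, _, princ_realm = entry["krbprincipalname"].partition("@")
        service, _, fqdn = principal.partition("/")
        if princ_realm != realm or service != "cifs" or not fqdn:
            continue
        if not any(normalize_dn(m) == wanted for m in entry.get("memberof", [])):
            continue
        dcs.add(fqdn.lower())
    return sorted(dcs)


def msdcs_srv_records(dcs, domain=DOMAIN, per_dc=None):
    """Build {owner: [rdata, ...]} in IPA's srvrecord syntax
    'priority weight port target.'.  per_dc maps fqdn -> (priority, weight) so
    a branch-office DC can be given a worse (higher) priority than the hub;
    DCs not listed get (0, 100)."""
    per_dc = per_dc or {}
    records = {}
    for template, port in MSDCS_SERVICES:
        owner = template.format(domain=domain)
        records[owner] = []
        for fqdn in dcs:
            priority, weight = per_dc.get(fqdn, (0, 100))
            records[owner].append("%d %d %d %s." % (priority, weight, port, fqdn))
    return records


if __name__ == "__main__":
    dcs = domain_controllers(SERVICES)
    for owner, rdata in msdcs_srv_records(dcs, per_dc={"branch1.ipa.test": (10, 50)}).items():
        for value in rdata:
            print("%s IN SRV %s" % (owner, value))
```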
Re: [Freeipa-devel] [PATCH] 273 Add ipakrbokasdelegate option to service and host Web UI pages
Hi,

On 29.3.2013 17:23, Petr Vobornik wrote:
On 03/29/2013 05:10 PM, Petr Vobornik wrote:

https://fedorahosted.org/freeipa/ticket/3329

Attaching new rebased version.

It seems everything works fine, ACK.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation
On 03/11/2013 10:26 AM, Martin Kosek wrote:
On 03/06/2013 01:07 PM, Petr Spacek wrote:
On 6.3.2013 09:32, Martin Kosek wrote:

+error=u'CNAME record is not allowed to coexist with any other record'),

Sorry for nitpicking again, but I would add note '(RFC 1034, section 3.6.2)'.

Thank you! Fixed.

Martin

Patches 379 and 380 need rebasing.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
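An added example, not the patch's code, of the two record-set rules this patch series enforces: a CNAME may not coexist with any other record at its owner name (RFC 1034, section 3.6.2), and with cNAMERecord and dNameRecord single-valued in the LDAP schema a name carries at most one CNAME and one DNAME. The zone text and the minimal parser are constructed for the example.

```python
"""Added example, not FreeIPA's DNS plugin code: validate per-owner record
sets against the rules in this thread.  Per RFC 1034 section 3.6.2 a CNAME
must be the only record at its owner name; with cNAMERecord and dNameRecord
declared SINGLE-VALUE in the LDAP schema, at most one CNAME and one DNAME
may exist per name.  ZONE below is constructed input; the parser is
deliberately minimal (one record per line, $ORIGIN and @ only)."""
from collections import defaultdict

# IPA stores each RR type in its own LDAP attribute; these two are the ones
# the schema patch makes single-valued.
SINGLE_VALUED = {"CNAME": "cNAMERecord", "DNAME": "dNameRecord"}

COEXIST_ERROR = ("CNAME record is not allowed to coexist with any other "
                 "record (RFC 1034, section 3.6.2)")

ZONE = """\
$ORIGIN example.test.
@      3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
@      3600 IN NS    ns1.example.test.
ns1    3600 IN A     192.0.2.1
web    3600 IN A     192.0.2.10
www    3600 IN CNAME web.example.test.
; a DNAME may share its owner with an A record: only CNAME is exclusive
old    3600 IN DNAME new.example.test.
old    3600 IN A     192.0.2.20
; broken: CNAME next to an A record
bad    3600 IN CNAME web.example.test.
bad    3600 IN A     192.0.2.11
; broken: two CNAME values for one name
dup    3600 IN CNAME web.example.test.
dup    3600 IN CNAME ns1.example.test.
; broken: two DNAME values for one name
dup2   3600 IN DNAME a.example.test.
dup2   3600 IN DNAME b.example.test.
"""


def parse_zone(text):
    """Group records by absolute owner name: {owner: {TYPE: [rdata, ...]}}."""
    origin = "."
    rrsets = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if name == "@":
            owner = origin
        elif name.endswith("."):
            owner = name
        else:
            owner = name + "." + origin
        rrsets[owner.lower()][rtype.upper()].append(rdata)
    return rrsets


def validate_rrsets(types):
    """Errors for one owner name's records, given {TYPE: [rdata, ...]}."""
    errors = []
    for rtype, attr in SINGLE_VALUED.items():
        count = len(types.get(rtype, []))
        if count > 1:
            errors.append("%s is single-valued, but %d %s records were given"
                          % (attr, count, rtype))
    others = [t for t, values in types.items() if t != "CNAME" and values]
    if types.get("CNAME") and others:
        errors.append(COEXIST_ERROR)
    return errors


def validate_zone(text):
    """Return {owner: [error, ...]} for every owner name that breaks a rule."""
    problems = {}
    for owner, types in parse_zone(text).items():
        errors = validate_rrsets(types)
        if errors:
            problems[owner] = errors
    return problems


if __name__ == "__main__":
    for owner, errors in sorted(validate_zone(ZONE).items()):
        for err in errors:
            print("%s: %s" % (owner, err))
```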
Re: [Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs
On 04/02/2013 10:48 AM, Jan Cholasta wrote:
On 29.3.2013 15:31, Petr Viktorin wrote:
On 03/29/2013 11:20 AM, Jan Cholasta wrote:
On 29.3.2013 11:14, Jan Cholasta wrote:

Also I was able to install IPA with revoked certificates, but it doesn't seem to break anything - the CRL specified in the certificates' CRL distribution point is not automatically imported into any of the NSS databases and when it is imported manually, everything still seems to work fine. I haven't checked OCSP. Can and/or do we want to do something about this?

Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for CN=ipa.example.com,O=Example ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.

I think we can live with not checking CRLs now. I haven't found a way to download CRLs with certutil or python-nss (short of explicitly examining the certs, downloading the CRL and importing it, but I don't think IPA is the place for that). I've asked John.

OK, thanks.

Patch 205: Can we instead require the PKCS#12 files to always contain the whole certificate chain? IMO that way it would be more obvious what should actually be in the files and it would make things easier should there ever be need for --root-ca-subject.

Not requiring the root CA is a convenient shortcut. It's common to have certs signed directly by the CA, and in this case you can use either a single-cert PKCS#12 or one with the full chain. Actually, originally the full chain was required, and a user already complained :)

If we add a new option, we can specify its requirements on the other options.

No problem. Adding a new patch for client installation.

I found one more bug: the replica wasn't setting the ra_plugin option properly, preventing installing a replica of a replica. I squashed the following change into 204:

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 8fce3a8..af80c1e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -539,6 +539,9 @@ def main(): fd.write(ra_plugin=dogtag\n) fd.write(dogtag_version=%s\n % dogtag.install_constants.DOGTAG_VERSION) +else: +fd.write(enable_ra=False\n) +fd.write(ra_plugin=none\n) fd.write(mode=production\n) fd.close() finally:

This is nothing critical, but I think that make-testcert should check if dogtag is installed and when it's not, print a message informing the user that they should issue the test certificate manually and place it in the appropriate location. Besides that, ACK.

I'll make another patch so this set is not delayed.

Honza

-- 
Petr³
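Review bot: the new `else:` branch writes `enable_ra=False` and `ra_plugin=none` for the CA-less case, but the replica-of-a-replica scenario that exposed the missing key is not exercised anywhere in the set; a test, or at least a manual test step recorded in the commit message, that installs a second replica from a CA-less replica and checks both keys in the generated config would keep this from regressing. It is also worth confirming that every reader of `ra_plugin` treats the literal `none` as "no RA" rather than as a plugin name, and that nothing later in main() writes `enable_ra` again with a different value.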
Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation
On 04/02/2013 11:57 AM, Ana Krivokapic wrote:
On 03/11/2013 10:26 AM, Martin Kosek wrote:
On 03/06/2013 01:07 PM, Petr Spacek wrote:
On 6.3.2013 09:32, Martin Kosek wrote:

+error=u'CNAME record is not allowed to coexist with any other record'),

Sorry for nitpicking again, but I would add note '(RFC 1034, section 3.6.2)'.

Thank you! Fixed.

Martin

Patches 379 and 380 need rebasing.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

Rebased patches attached.

Martin

From a43ab47125583e744714c172fa337819e3eed53b Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 4 Mar 2013 12:48:05 +0100
Subject: [PATCH 1/3] Change CNAME and DNAME attributes to single valued

These DNS attributeTypes are of a singleton type, update LDAP schema to reflect it.

https://fedorahosted.org/freeipa/ticket/3440
https://fedorahosted.org/freeipa/ticket/3450
---
 install/share/60ipadns.ldif           | 4 ++--
 install/updates/10-bind-schema.update | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif index 9697227fb7166b3711568ddea3e5c345277befa3..6293385d62ce10dd3020ad291a947ff0f0d67c6e 100644 --- a/install/share/60ipadns.ldif +++ b/install/share/60ipadns.ldif
@@ -21,14 +21,14 @@ attributeTypes: (1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'Naming Author attributeTypes: (1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Exchange Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'certificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Record Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -attributeTypes: (1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +attributeTypes: (1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributeTypes: (1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Delegation Signer, RFC 3658' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY 
caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -attributeTypes: (0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +attributeTypes: (0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributeTypes: (0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributeTypes: (2.16.840.1.113730.3.8.5.0 NAME 'idnsName' DESC 'DNS FQDN' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v2' ) diff --git a/install/updates/10-bind-schema.update b/install/updates/10-bind-schema.update index 3c43c8ec79fe6cb9830a27fb2880b6ed0cf0d8e4..cbe7a672b5300d5b945bf996a596909008dda5aa 100644 --- a/install/updates/10-bind-schema.update +++ b/install/updates/10-bind-schema.update @@ -78,3 +78,5 @@ add:objectClasses: dn: cn=schema replace:objectClasses:( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY
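Review bot: the two attributeTypes gaining SINGLE-VALUE in 60ipadns.ldif (`dNameRecord`, OID 1.3.6.1.4.1.2428.20.1.39, and `cNAMERecord`, OID 0.9.2342.19200300.100.1.31) only reach fresh installs through this file, so the definitions here and in 10-bind-schema.update must stay in lockstep; a comment next to each changed line pointing at the update file would make that dependency visible. Since `cNAMERecord` carries an OID from the RFC 1274 pilot schema rather than an IPA-owned one, also check that no other schema file loaded by the directory server defines the same OID without SINGLE-VALUE, as a conflicting definition of one OID is an error at schema load time.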
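Review bot: the 10-bind-schema.update hunk adds two lines after the `add:objectClasses:` block at line 78, but the visible context shows only the `idnsZone` `replace:objectClasses:` entry; upgraded servers need matching `replace:attributeTypes:` entries for both `cNAMERecord` and `dNameRecord`, and the commit message should say what happens to existing entries that already hold two CNAME or DNAME values, since the schema replace succeeds while those entries become non-conforming and later modifications to them may fail.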
Re: [Freeipa-devel] [RFE] Multiple trust servers per realm
On 04/02/2013 11:19 AM, Tomas Babej wrote:
On Fri 08 Mar 2013 02:16:26 PM CET, Alexander Bokovoy wrote:
[Freeipa-devel] [PATCH] 0208 make-testcert: Add better messages for errors with CA-less
On 03/18/2013 12:58 PM, Petr Viktorin wrote:

Hello,

While the work is not complete, these patches allowed me to install an IPA server without a CA, using PKCS#12 files for the server certs. The patches don't break normal installation. The --selfsign option (but not yet the code behind it) is removed. The absence of a CA is indicated by `enable_ra=False` in the IPA config. ipa-replica-install will still refuse to run; I'll look into that next.

I removed some unused code that got in my way: Dogtag 9 installation (we can run a Dogtag 9-style CA, but we never *install* it), and ipapython.certdb.CertDB (unused, not to be confused with ipaserver's CertDB).

Hello,

This improves a developer testing tool. Details inside. Submitting separately so any problems don't hold back the big batch of CA-less patches.

-- 
Petr³

From 75b1c9e84fdf119a9ef07f851b76f0208185d51a Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 2 Apr 2013 12:30:50 +0200
Subject: [PATCH] make-testcert: Add better messages for errors with CA-less servers

This adds better diagnostics/instructions for two cases of user error:

* The enable_ra setting in ~/.ipa/default.conf doesn't match what is on the server.
  If the server is CA-less but enable_ra=True, cert-request won't be available; print out instructions to correct this.
  If the server has a CA but enable_ra=False, make-testcert behaves as CA-less, see below.
* In CA-less mode, the cert doesn't already exist.
  Remind that enable_ra must be set properly (for the above case).
  Instruct user to issue a cert and put it in place.
---
 make-testcert | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/make-testcert b/make-testcert index a5814e1de9428e74a6343f5f13193748e3e04df6..e61089b3176d52e4888c48fb19d75fda8ea804af 100755 --- a/make-testcert +++ b/make-testcert
@@ -84,6 +84,12 @@ def makecert(reqdir): api.register(client) api.finalize() +if not api.env.enable_ra: +print IPA CA is not installed, no cert found +print Ensure enable_ra in ~/.ipa/default.conf matches the server. +print Issue a test cert manually and put it in %s % CERTPATH +return 1 + ra = rabase.rabase() if not os.path.exists(ra.sec_dir) and api.env.xmlrpc_uri == 'http://localhost:/ipa/xml': sys.exit('The in-tree self-signed CA is not configured, see tests/test_xmlrpc/test_cert.py') @@ -116,7 +122,8 @@ def makecert(reqdir): except errors.NotFound: return certificate request failed except errors.CommandError: -return You need to set enable_ra=True in ~/.ipa/default.conf +return ('cert_request command not found. If the IPA CA is not ' +'installed, set enable_ra=False in ~/.ipa/default.conf') nss.nss_init_nodb() c = x509.load_certificate(cert, x509.PEM) -- 1.8.1.4
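Review bot: in the first hunk the new `if not api.env.enable_ra:` block prints three lines and then `return 1`, while the rest of makecert() signals failure by returning a message string (`return certificate request failed`, and the `cert_request command not found...` string in the second hunk); mixing an int with strings forces the caller to special-case this return, so either return the three lines joined as one message or move the whole function to a consistent exit-status convention. The wording "IPA CA is not installed, no cert found" also states as fact something the script cannot know here: `enable_ra=False` only says what the local ~/.ipa/default.conf claims, which is exactly the mismatch the commit message describes, so "enable_ra is False in ~/.ipa/default.conf" would be the accurate message.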
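Review bot: in the second hunk the new CommandError message tells the user to set `enable_ra=False` whenever cert_request is unavailable, but CommandError is what the server raises for any unknown command, not only the CA-less case, and following that advice on a server that does have a CA silently switches make-testcert into CA-less mode (the behaviour the commit message itself notes for enable_ra=False with a CA present); catching the exception as `e` and including its text in the returned string would let the user tell the two situations apart.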
Re: [Freeipa-devel] [PATCHES] 0197-0207 Installing without a CA, with custom SSL certs
On 04/02/2013 12:06 PM, Petr Viktorin wrote:
On 04/02/2013 12:05 PM, Petr Viktorin wrote:
On 04/02/2013 10:48 AM, Jan Cholasta wrote:
On 29.3.2013 15:31, Petr Viktorin wrote:
On 03/29/2013 11:20 AM, Jan Cholasta wrote:
On 29.3.2013 11:14, Jan Cholasta wrote:

Also I was able to install IPA with revoked certificates, but it doesn't seem to break anything - the CRL specified in the certificates' CRL distribution point is not automatically imported into any of the NSS databases and when it is imported manually, everything still seems to work fine. I haven't checked OCSP. Can and/or do we want to do something about this?

Update: the ipa command does not work:

$ ipa host-show $HOSTNAME --all --raw
ipa: ERROR: cert validation failed for CN=ipa.example.com,O=Example ((SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.)
ipa: ERROR: cannot connect to 'https://ipa.example.com/ipa/xml': [Errno -8180] (SEC_ERROR_REVOKED_CERTIFICATE) Peer's Certificate has been revoked.

I think we can live with not checking CRLs now. I haven't found a way to download CRLs with certutil or python-nss (short of explicitly examining the certs, downloading the CRL and importing it, but I don't think IPA is the place for that). I've asked John.

OK, thanks.

Patch 205: Can we instead require the PKCS#12 files to always contain the whole certificate chain? IMO that way it would be more obvious what should actually be in the files and it would make things easier should there ever be need for --root-ca-subject.

Not requiring the root CA is a convenient shortcut. It's common to have certs signed directly by the CA, and in this case you can use either a single-cert PKCS#12 or one with the full chain. Actually, originally the full chain was required, and a user already complained :)

If we add a new option, we can specify its requirements on the other options.

No problem. Adding a new patch for client installation.

I found one more bug: the replica wasn't setting the ra_plugin option properly, preventing installing a replica of a replica. I squashed the following change into 204:

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 8fce3a8..af80c1e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -539,6 +539,9 @@ def main(): fd.write(ra_plugin=dogtag\n) fd.write(dogtag_version=%s\n % dogtag.install_constants.DOGTAG_VERSION) +else: +fd.write(enable_ra=False\n) +fd.write(ra_plugin=none\n) fd.write(mode=production\n) fd.close() finally:

I forgot to attach the patches; here they are.

This is nothing critical, but I think that make-testcert should check if dogtag is installed and when it's not, print a message informing the user that they should issue the test certificate manually and place it in the appropriate location. Besides that, ACK.

I'll make another patch so this set is not delayed.

Honza

ACK for the small diff change. The rest was already reviewed by Jan. Thanks to both! Pushed all patches to master.

Martin
Re: [Freeipa-devel] [PATCHES] 0197-0204 Installing without a CA, with custom SSL certs
On 03/29/2013 06:33 PM, Petr Viktorin wrote:
On 03/29/2013 06:17 PM, Petr Vobornik wrote:

Hello,

attaching Web UI part.

Petr

Works well for me, if someone can check if the Javascript looks fine then ACK.

I think that functional review is OK in this case, there are no architectonic changes... Pushed to master.

Martin
Re: [Freeipa-devel] [PATCH 0043] Properly handle ipa-replica-install when its zone is not managed by IPA
Ana Krivokapic wrote:
On 03/29/2013 04:00 PM, Tomas Babej wrote:
On 03/29/2013 03:48 PM, Ana Krivokapic wrote:
On 03/29/2013 03:11 PM, Tomas Babej wrote:
On 03/29/2013 02:15 PM, Ana Krivokapic wrote:
On 03/26/2013 04:59 PM, Tomas Babej wrote:

Hi,

The ipa-replica-install script tries to add replica's A and PTR records to the master DNS, if master does manage DNS. However, master need not to manage replica's zone. Properly handle this use case.

https://fedorahosted.org/freeipa/ticket/3496

The patch works well and fixes the issue. Just a couple of nitpicks:

1) "However, master need not to manage replica's zone." -- This sentence sounds a little strange to me, but I am not a native speaker so I may be wrong about that.

The phrase should be ok. I assume you're worried about the "need not" construct, which may sound a bit unusual as opposed to, for example, "does not need to". One could argue that it sounds archaic. However, consider the following chart, which clearly proves the opposite:

http://books.google.com/ngrams/chart?content=need%20not%2Cneeds%20not%2Cdoes%20not%20need%20to%2Cdoesn%20%27%20t%20need%20to&corpus=0&smoothing=3&year_start=1800&year_end=2000

For a more detailed explanation, see:
http://english.stackexchange.com/questions/29409/why-use-need-not-instead-of-do-not-need-to

Actually, the part that sounded weird to me is the "to" that comes after "need not" in your commit message. Also, the stackexchange link you provided states: "This /need/ is a *modal verb*: it always requires an infinitive without /to/." Sorry that I wasn't clear about this in my first email.

Yes, that's a mistake on my part, thanks for catching that. Fixed the commit message.

2) There are three PEP8 E501 errors introduced by the patch, but given the recent discussion on this subject, I think it is really up to you if you want to take the time to fix these.

Sure I do. Thanks for the catch. Updated patch attached.

There is still one line with E501:
install/tools/ipa-replica-install:303:80: E501 line too long (80 > 79 characters)

I left that one so intentionally. Imho, it would only mangle the line unnecessarily; the line is exactly 80 characters long with no nice point where to break it.

OK, makes sense. ACK from the functional perspective.

-- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.

ACK
Pushed to master and ipa-3-1
rob
Re: [Freeipa-devel] [RFE] CA-less install
On 03/22/2013 01:10 PM, Petr Viktorin wrote:

The design page for CA-less installation with user-provided SSL certs is available at http://freeipa.org/page/V3/CA-less_install. I've also copied it to this mail. Does it answer all your questions?

Since the patches were pushed, I've linked the RFE in http://freeipa.org/page/V3_Designs
-- Petr³
Re: [Freeipa-devel] [RFE] Drop --selfsign
On 03/20/2013 05:11 PM, Petr Viktorin wrote:

Here is a RFE for https://fedorahosted.org/freeipa/ticket/3494. It's for dropping the --selfsign option from ipa-server-install. The functionality itself stays in for now (on upgraded self-signed masters).
http://freeipa.org/page/V3/Drop_selfsign

Since the patch was pushed, I've linked the RFE in http://freeipa.org/page/V3_Designs
-- Petr³
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On 22.3.2013 13:03, Petr Spacek wrote: Hello, this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades. See each commit message for all the gory details. I encountered a crash caused by bug in patch 126. Fixed version is attached. Diff between patch 126 version 1 and 2: --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -3391,7 +3391,7 @@ update_zone(isc_task_t *task, isc_event_t *event) CHECK(dn_to_dnsname(inst-mctx, pevent-dn, currname, NULL)); - if (result == ISC_R_SUCCESS + if (ldap_qresult_zone != NULL HEAD(ldap_qresult_zone-ldap_entries) != NULL) { entry_zone = HEAD(ldap_qresult_zone-ldap_entries); CHECK(ldap_entry_getclass(entry_zone, objclass)); -- Petr^2 Spacek From 85ed07b47fb9480faea13218b8a6c28659506449 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 22 Mar 2013 12:38:55 +0100 Subject: [PATCH] Add support for pure forward zones - idnsForwardZone objectClass. Master zones are stored in zone_register and pure forward zones are stored in fwd_register. This patch doesn't remove support for forward zones within idnsZone objectClass. Support for forward zones in both objectClasses enables incremental update, where old and new plugin versions operate on the same LDAP database. Support for forward zones defined by idnsZone objectClass will be removed in near future. Forward zones defined in idnsZone objectClass are not disabled after removing from LDAP if persistent search is disabled (see ticket #106). This problem doesn't affect zones defined with idnsForwardZone objectClass. https://fedorahosted.org/bind-dyndb-ldap/ticket/99 
Signed-off-by: Petr Spacek pspa...@redhat.com --- src/Makefile.am| 4 + src/fwd_register.c | 156 + src/fwd_register.h | 35 ++ src/ldap_entry.c | 33 -- src/ldap_entry.h | 7 +- src/ldap_helper.c | 336 ++--- 6 files changed, 441 insertions(+), 130 deletions(-) create mode 100644 src/fwd_register.c create mode 100644 src/fwd_register.h diff --git a/src/Makefile.am b/src/Makefile.am index 252255788b01e003031f5f0ee2fc8469b53633be..87c3252736fa4f918f105166497b32b0219ef8ea 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -5,11 +5,13 @@ HDRS =\ acl.h \ cache.h \ compat.h \ + fwd_register.h \ krb5_helper.h \ ldap_convert.h \ ldap_entry.h \ ldap_helper.h \ log.h \ + rbt_helper.h \ rdlist.h \ semaphore.h \ settings.h \ @@ -23,12 +25,14 @@ ldap_la_SOURCES = \ $(HDRS) \ acl.c \ cache.c \ + fwd_register.c \ krb5_helper.c \ ldap_convert.c \ ldap_driver.c \ ldap_entry.c \ ldap_helper.c \ log.c \ + rbt_helper.c \ rdlist.c \ semaphore.c \ settings.c \ diff --git a/src/fwd_register.c b/src/fwd_register.c new file mode 100644 index ..c663b25909b0e393421c49950d1f29a1352cfe6c --- /dev/null +++ b/src/fwd_register.c 
@@ -0,0 +1,156 @@ +#include isc/rwlock.h +#include dns/name.h + +#include rbt_helper.h +#include fwd_register.h +#include util.h + +struct fwd_register { + isc_mem_t *mctx; + isc_rwlock_t rwlock; + dns_rbt_t *rbt; +}; + +isc_result_t +fwdr_create(isc_mem_t *mctx, fwd_register_t **fwdrp) +{ + isc_result_t result; + fwd_register_t *fwdr = NULL; + + REQUIRE(fwdrp != NULL *fwdrp == NULL); + + CHECKED_MEM_GET_PTR(mctx, fwdr); + ZERO_PTR(fwdr); + isc_mem_attach(mctx, fwdr-mctx); + CHECK(dns_rbt_create(mctx, NULL, NULL, fwdr-rbt)); + CHECK(isc_rwlock_init(fwdr-rwlock, 0, 0)); + + *fwdrp = fwdr; + return ISC_R_SUCCESS; + +cleanup: + if (fwdr != NULL) { + if (fwdr-rbt != NULL) + dns_rbt_destroy(fwdr-rbt); + MEM_PUT_AND_DETACH(fwdr); + } + + return result; +} + +void +fwdr_destroy(fwd_register_t **fwdrp) +{ + fwd_register_t *fwdr; + + if (fwdrp == NULL || *fwdrp == NULL) + return; + + fwdr = *fwdrp; + + RWLOCK(fwdr-rwlock, isc_rwlocktype_write); + dns_rbt_destroy(fwdr-rbt); + RWUNLOCK(fwdr-rwlock, isc_rwlocktype_write); + isc_rwlock_destroy(fwdr-rwlock); + MEM_PUT_AND_DETACH(fwdr); + + *fwdrp = NULL; +} + +/* + * Add forward zone to the forwarding register 'fwdr'. Origin of the zone + * must be absolute and the zone cannot already be in the register. + */ +isc_result_t +fwdr_add_zone(fwd_register_t *fwdr, dns_name_t *name) +{ + isc_result_t result; + void *dummy = NULL; + + REQUIRE(fwdr != NULL); + REQUIRE(name != NULL); + + if (!dns_name_isabsolute(name)) { + log_bug(forward zone with bad origin); + return ISC_R_FAILURE; + } + + RWLOCK(fwdr-rwlock, isc_rwlocktype_write); + + /* + * First make sure the node doesn't exist. Partial matches mean + * there are also child zones in the LDAP database which is allowed. + */ + result = dns_rbt_findname(fwdr-rbt, name, 0, NULL, dummy); + if (result != ISC_R_NOTFOUND result !=
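Review bot: in the `update_zone()` diff between patch 126 v1 and v2, the removed condition `if (result == ISC_R_SUCCESS` gated on the outcome of the preceding zone lookup, while the new `if (ldap_qresult_zone != NULL && HEAD(ldap_qresult_zone->ldap_entries) != NULL)` only inspects the result object. If that lookup can return a non-success `result` while still leaving `ldap_qresult_zone` populated (partial results, size limit), the error is now treated as "zone found" and flows into `CHECK(ldap_entry_getclass(entry_zone, &objclass))`. Either confirm the lookup frees or NULLs the result object on every failure path, or keep the `result` test alongside the new one.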
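Review bot: the `src/Makefile.am` hunk adds `rbt_helper.h` to HDRS and `rbt_helper.c` to ldap_la_SOURCES, but those files are introduced by the separate "Add helper functions for generic iteration over RBT" commit in this series, whose diffstat touches only src/rbt_helper.c and src/rbt_helper.h. Move the two Makefile.am lines into that commit so every commit in the set builds on its own; as split now, the tree between the two commits carries sources that are never compiled, which defeats git bisect.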
Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation
On 04/02/2013 12:12 PM, Martin Kosek wrote:
On 04/02/2013 11:57 AM, Ana Krivokapic wrote:
On 03/11/2013 10:26 AM, Martin Kosek wrote:
On 03/06/2013 01:07 PM, Petr Spacek wrote:
On 6.3.2013 09:32, Martin Kosek wrote:

+error=u'CNAME record is not allowed to coexist with any other record'),

Sorry for nitpicking again, but I would add the note '(RFC 1034, section 3.6.2)'.

Thank you! Fixed.
Martin

Patches 379 and 380 need rebasing.
-- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.

Rebased patches attached.
Martin

The first patch (schema update) correctly changes both CNAME and DNAME attributes to single-valued attributes. I tested the newly introduced validation rules, trying to add:
* more than 1 cname record with the same name
* cname + ptr
* cname + dname
* cname + any other record
* more than 1 dname
* dname + ns
* dname + ns (root zone)

As expected, validation fails for all the above cases except the last one (dname + ns in the root zone).

ACK
-- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.
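The rules Ana exercised above (single-valued CNAME and DNAME, CNAME excluded by any other record per RFC 1034 section 3.6.2, DNAME excluded by NS except at the zone apex where the NS set is mandatory) are small enough to model as a stand-alone validator. The following is an added example written for this page, not the FreeIPA validation code from patches 378-380: it keeps an in-memory map of owner name to record counts, applies the coexistence checks before each addition, and replays Ana's seven test cases, expecting every one to be rejected except "dname + ns (root zone)". The function names and the use of '@' for the apex are assumptions of the example.

```python
"""Added example (not FreeIPA code): CNAME/DNAME coexistence rules as a validator.

`rrsets` is an in-memory map of owner name -> {rrtype: record count};
the zone apex is spelled '@'. The rule set mirrors the thread above.
"""


class DNSValidationError(ValueError):
    """Raised when adding a record would violate a coexistence rule."""


def validate_add(rrsets, name, rtype):
    """Raise DNSValidationError if one more `rtype` record may not be added at `name`."""
    existing = rrsets.get(name, {})
    others = {t for t, n in existing.items() if n > 0 and t != rtype}

    # CNAME and DNAME are single-valued after the schema change.
    if rtype in ("CNAME", "DNAME") and existing.get(rtype, 0) >= 1:
        raise DNSValidationError(f"only one {rtype} record is allowed per name")

    # RFC 1034, section 3.6.2: a CNAME owner carries no other data.
    if rtype == "CNAME" and others:
        raise DNSValidationError(
            "CNAME record is not allowed to coexist with any other record "
            "(RFC 1034, section 3.6.2)")
    if rtype != "CNAME" and "CNAME" in others:
        raise DNSValidationError(
            f"{rtype} record is not allowed at a name that already has a CNAME record")

    # DNAME and NS at the same owner conflict, except at the zone apex, where
    # the NS set is mandatory (the 'dname + ns (root zone)' case in the thread).
    if name != "@" and ((rtype == "DNAME" and "NS" in others) or
                        (rtype == "NS" and "DNAME" in others)):
        raise DNSValidationError("DNAME record is not allowed to coexist with NS record")


def add_record(rrsets, name, rtype):
    """Validate, then count one `rtype` record at `name`."""
    validate_add(rrsets, name, rtype)
    per_name = rrsets.setdefault(name, {})
    per_name[rtype] = per_name.get(rtype, 0) + 1


def attempt(sequence):
    """Apply additions in order to a fresh zone; True if every one was accepted."""
    rrsets = {}
    try:
        for name, rtype in sequence:
            add_record(rrsets, name, rtype)
    except DNSValidationError:
        return False
    return True


def run_cases():
    """Ana's test list, as label -> accepted?"""
    return {
        "more than 1 cname, same name": attempt([("a", "CNAME"), ("a", "CNAME")]),
        "cname + ptr": attempt([("a", "CNAME"), ("a", "PTR")]),
        "cname + dname": attempt([("a", "CNAME"), ("a", "DNAME")]),
        "cname + any other record": attempt([("a", "A"), ("a", "CNAME")]),
        "more than 1 dname": attempt([("a", "DNAME"), ("a", "DNAME")]),
        "dname + ns": attempt([("sub", "DNAME"), ("sub", "NS")]),
        "dname + ns (root zone)": attempt([("@", "NS"), ("@", "DNAME")]),
    }


if __name__ == "__main__":
    for label, accepted in run_cases().items():
        print(f"{label:32} {'accepted' if accepted else 'rejected'}")
```

The check is symmetric on purpose: adding a CNAME where an A already exists and adding an A where a CNAME already exists both fail, so the outcome does not depend on the order in which records arrive.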
[Freeipa-devel] [PATCH] 399 Require 389-base-base 1.3.0.5
Pulls the following fixes: - upgrade deadlock caused by DNA plugin reconfiguration - CVE-2013-1897: unintended information exposure when rootdse is enabled https://fedorahosted.org/freeipa/ticket/3540 ACKed by Rob on IRC, pushed to master, ipa-3-1. I will bump this Requires also for Fedora 18 and F19 build. Martin From 5f5d65b787a0cf96e8d45e052fa16afa9dcc264f Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Tue, 2 Apr 2013 16:25:46 +0200 Subject: [PATCH] Require 389-base-base 1.3.0.5 Pulls the following fixes: - upgrade deadlock caused by DNA plugin reconfiguration - CVE-2013-1897: unintended information exposure when rootdse is enabled https://fedorahosted.org/freeipa/ticket/3540 --- freeipa.spec.in | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 665a6d7207042a5b0defd63186149fbf5684a096..5e844534dd3f3629b94fc868b9a09643c84846c5 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -88,7 +88,7 @@ Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} Requires: %{name}-server-selinux = %{version}-%{release} -Requires: 389-ds-base = 1.3.0 +Requires: 389-ds-base = 1.3.0.5 Requires: openldap-clients Requires: nss Requires: nss-tools @@ -139,6 +139,7 @@ Requires: zip Requires: policycoreutils = %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger = 0.65 +Requires(pre): 389-ds-base = 1.3.0.5 # We have a soft-requires on bind. It is an optional part of # IPA but if it is configured we need a way to require versions 
@@ -782,6 +783,12 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Tue Apr 2 2013 Martin Kosek mko...@redhat.com - 3.1.99-2 +- Require 389-base-base = 1.3.0.5 to pull the following fixes: + - upgrade deadlock caused by DNA plugin reconfiguration + - CVE-2013-1897: unintended information exposure when +nsslapd-allow-anonymous-access is set to rootdse + * Wed Mar 27 2013 Martin Kosek mko...@redhat.com - 3.1.99-2 - Remove conflict with krb5-server 1.11 as ipa-kdb is compatible - ipa-ldap-updater show produce errors only -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
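Review bot: the `%changelog` hunk adds a `Tue Apr 2 2013` entry carrying version `3.1.99-2`, the same version as the existing `Wed Mar 27 2013` entry directly below it, so two consecutive changelog entries now claim the same release; bump the spec's Release and this entry to `3.1.99-3`, or fold the new bullet into the existing `3.1.99-2` entry. The entry text (and the patch subject and commit message) also says `389-base-base` where both `Requires:` hunks correctly say `389-ds-base`.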
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote: Hello, this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades. See each commit message for all the gory details. Since patches are non-trivial, I will review them per partes (i.e. each patch in separate mail). Please check my comments below. Regards, Adam From d0c598ea7e9c02a1ec786c6f1c596ae1be7ac1e2 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 22 Mar 2013 12:17:07 +0100 Subject: [PATCH] Add helper functions for generic iteration over RBT. https://fedorahosted.org/bind-dyndb-ldap/ticket/99 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/rbt_helper.c | 150 +++ src/rbt_helper.h | 29 +++ 2 files changed, 179 insertions(+) create mode 100644 src/rbt_helper.c create mode 100644 src/rbt_helper.h diff --git a/src/rbt_helper.c b/src/rbt_helper.c new file mode 100644 index ..70ab06134694e36a6ae049284d506bbf5bc3a977 --- /dev/null +++ b/src/rbt_helper.c 
@@ -0,0 +1,150 @@ +#include dns/rbt.h + +#include rbt_helper.h + +#define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I') + +/** + * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator. + * + * @param[in] iter Initialized RBT iterator. + * @param[out] nodename Target dns_name suitable for rbt_fullnamefromnode() call. + * + * @pre Nodename has pre-allocated storage space. + * + * @retval ISC_R_SUCCESS Actual name was copied to nodename. + * @retval ISC_R_NOTFOUND Iterator doesn't point to any node. + * @retval DNS_R_EMPTYNAME Iterator points to name without assigned data, + * nodename is unchanged. + * @retval others Errors from dns_name_concatenate() and others. + * + */ +static isc_result_t +rbt_iter_getnodename(rbt_iterator_t *iter, dns_name_t *nodename) { + isc_result_t result; + dns_rbtnode_t *node = NULL; + + REQUIRE(iter != NULL); + REQUIRE(nodename != NULL); + REQUIRE(ISC_MAGIC_VALID(iter, LDAPDB_RBTITER_MAGIC)); + + CHECK(dns_rbtnodechain_current(iter-chain, NULL, NULL, node)); + if (node-data == NULL) + return DNS_R_EMPTYNAME; + + CHECK(dns_rbt_fullnamefromnode(node, nodename)); + result = ISC_R_SUCCESS; + +cleanup: + return result; +} + +/** + * Initialize RBT iterator, lock RBT and copy name of the first node with + * non-NULL data. Empty RBT nodes (with data == NULL) are ignored. + * + * RBT remains locked after iterator initialization. RBT has to be + * unlocked by reaching end of iteration or explicit rbt_iter_stop() call. + * + * @param[in,out] rwlock guard for RBT, will be read-locked + * @param[out]iter iterator structure, will be initialized + * @param[out]nodename dns_name with pre-allocated storage + * + * @pre Nodename has pre-allocated storage space. + * + * @retval ISC_R_SUCCESS Node with non-NULL data found, + * RBT is in locked state, iterator is valid, + * nodename holds copy of actual RBT node name. + * @retval ISC_R_NOTFOUND Node with non-NULL data is not present, + * RBT is in unlocked state, iterator is invalid. 
+ * @retval others Any error from rbt_iter_getnodename() and + * rbt_iter_next(). + */ +isc_result_t +rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock, +rbt_iterator_t *iter, dns_name_t *nodename) { + + isc_result_t result; + + REQUIRE(rbt != NULL); + REQUIRE(rwlock != NULL); + REQUIRE(iter != NULL); + + ZERO_PTR(iter); + + isc_mem_attach(mctx, iter-mctx); + dns_rbtnodechain_init(iter-chain, mctx); + iter-rbt = rbt; + iter-rwlock = rwlock; + iter-locktype = isc_rwlocktype_read; + iter-magic = LDAPDB_RBTITER_MAGIC; + + RWLOCK(iter-rwlock, iter-locktype); + + result = dns_rbtnodechain_first(iter-chain, rbt, NULL, NULL); + if (result != DNS_R_NEWORIGIN) { + rbt_iter_stop(iter); + return result; I would substitute those two lines with goto cleanup;. + } + + result = rbt_iter_getnodename(iter, nodename); + if (result == DNS_R_EMPTYNAME) + result = rbt_iter_next(iter, nodename); + if (result == ISC_R_NOMORE) + result = ISC_R_NOTFOUND; In my opinion this function should leave rbt in locked state only when it returns ISC_R_SUCCESS. All other cases should unlock the tree. I recommend to add this statement: cleanup: if (result != ISC_R_SUCCESS) rbt_iter_stop(iter); + + return result; +} + +/** + * Copy name of the next non-empty node in RBT. + * + *
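Review bot: `rbt_iter_first()` has `REQUIRE(rbt != NULL)`, `REQUIRE(rwlock != NULL)` and `REQUIRE(iter != NULL)` but no check on `mctx`, which goes straight into `isc_mem_attach()`, nor on `nodename`, which is only dereferenced inside `rbt_iter_getnodename()` after `RWLOCK()` has been taken; add `REQUIRE(mctx != NULL)` and `REQUIRE(nodename != NULL)` beside the others so a bad argument fails before the lock is held rather than under it. The doc block likewise documents rwlock, iter and nodename but not mctx or rbt. Agree with the inline suggestion to route the `dns_rbtnodechain_first()` failure through `goto cleanup` and to unlock on every non-`ISC_R_SUCCESS` return: with the current code an `ISC_R_NOTFOUND` return leaves the tree read-locked, contradicting the `@retval ISC_R_NOTFOUND ... RBT is in unlocked state` contract stated a few lines above.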
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote: Hello, this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades. See each commit message for all the gory details. -- Petr^2 Spacek Ack for patch 0124. From 005707761a5b99d50871de91252f9f23a7441d19 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 22 Mar 2013 12:19:02 +0100 Subject: [PATCH] Add missing includes to util.h. Now include util.h should be enough for util.h usage. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/util.h | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/util.h b/src/util.h index d6d3c73e6d25657805eee904e6047c542e52a656..17a3f3b4ca65ab4a80c4e4fcc9ea909bb7a9178c 100644 --- a/src/util.h +++ b/src/util.h @@ -21,10 +21,17 @@ #ifndef _LD_UTIL_H_ #define _LD_UTIL_H_ -extern isc_boolean_t verbose_checks; /* from settings.c */ +#include string.h + +#include isc/mem.h +#include isc/buffer.h +#include dns/types.h +#include dns/name.h #include log.h +extern isc_boolean_t verbose_checks; /* from settings.c */ + #define CLEANUP_WITH(result_code)\ do {\ result = (result_code); \ -- 1.7.11.7 -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
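Review bot: the `src/util.h` hunk adds `string.h`, `isc/mem.h`, `isc/buffer.h`, `dns/types.h` and `dns/name.h` so that including util.h alone is sufficient, but the `CLEANUP_WITH(result_code)` macro in the same context assigns `result = (result_code)`, and the codes callers pass are `ISC_R_*` values from `isc/result.h`; if any util.h macro outside the shown context references `ISC_R_SUCCESS` itself (a typical `CHECK()` does), `isc/result.h` belongs in this list too, otherwise the "util.h is enough" claim in the commit message still depends on include order. Moving `extern isc_boolean_t verbose_checks;` below the new includes is the right call since `isc_boolean_t` comes from the ISC headers; a short comment saying so would keep a later cleanup from moving it back up.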
Re: [Freeipa-devel] [PATCH] 378-380 Improved CNAME and DNAME validation
On 04/02/2013 04:53 PM, Ana Krivokapic wrote:
On 04/02/2013 12:12 PM, Martin Kosek wrote:
On 04/02/2013 11:57 AM, Ana Krivokapic wrote:
On 03/11/2013 10:26 AM, Martin Kosek wrote:
On 03/06/2013 01:07 PM, Petr Spacek wrote:
On 6.3.2013 09:32, Martin Kosek wrote:

+error=u'CNAME record is not allowed to coexist with any other record'),

Sorry for nitpicking again, but I would add the note '(RFC 1034, section 3.6.2)'.

Thank you! Fixed.
Martin

Patches 379 and 380 need rebasing.
-- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.

Rebased patches attached.
Martin

The first patch (schema update) correctly changes both CNAME and DNAME attributes to single-valued attributes. I tested the newly introduced validation rules, trying to add:
* more than 1 cname record with the same name
* cname + ptr
* cname + dname
* cname + any other record
* more than 1 dname
* dname + ns
* dname + ns (root zone)

As expected, validation fails for all the above cases except the last one (dname + ns in the root zone).

ACK

Thanks. Pushed to master.
Martin
Re: [Freeipa-devel] [RFE] CA-less install
On 04/02/2013 02:14 AM, Robert Relyea wrote:
On 03/29/2013 07:40 AM, John Dennis wrote:
On 03/29/2013 07:57 AM, Petr Viktorin wrote:
On 03/27/2013 04:40 PM, John Dennis wrote:
On 03/27/2013 11:23 AM, Petr Viktorin wrote:

I don't want to check the subject because this RFE was prompted by IPA's normal CA rejecting valid wildcard certs. Is there a reasonable way to ask NSS if it will trust the cert?

Yes. NSS provides a variety of tools to test validation. Going just on memory here, our current version of python-nss has a simple call to test validation. Sometime in the last year I added a fair amount of new support for certificate validation, including getting back diagnostic information for validation failures; however, if I recall correctly, the extended functionality in python-nss has not been released yet.

Does the new code include downloading and importing CRLs?

Cert verification is a complex topic. This is further exacerbated by the introduction of PKIX. My understanding is NSS had classic verification code and later introduced PKIX. There has been an evolution between classic verification and PKIX. This is outside my domain of expertise. How and when CRLs are loaded in NSS is not something I can give advice on, especially in an area undergoing change. I'm going to have to defer to an expert in this area, Bob Relyea; I've CC'ed him on this email.

It's hard to get the context in the middle, and as John had noted, NSS is transitioning from the old Cert_Verify interface to the new PKIX_ code. I'll answer the question for the traditional CERTVerify code, which is the only one you get in SSL by default, and the one most people still use:

No, CRLs are not downloaded and imported automatically, but if you download and import CRLs, NSS will use them. There's an installable PKCS #11 module which can be configured to download and install CRLs, then provide them to NSS. It's called mod_revocator.

The expected revocation strategy NSS uses is OCSP, and you can turn on automatic OCSP fetching.

Bob, to put this in context [1], the functionality in python-nss being discussed is the binding of the CERT_VerifyCertificate() function, something I added recently. Now the question arises as to how CRLs are meant to play into the verification process. Can you please explain how NSS expects this to be done? Pointers to existing documentation and code examples would also be helpful.

There's a separate CERT_ImportCRL() which will import the CRL into the database. mod_revocator() can also be used to do the fetching for you; Matthew has examples on how various servers set them up (I believe the only NSS set up is installing the module in your secmod.db/pkcs11.txt with modutil).

It would also be helpful to understand the PKIX roadmap and how this might affect coding decisions at the API level.

The PKIX interface is available now, and is actually used by Chrome (for all certs) and Firefox (for EV processing). Firefox is in the process of moving to libpkix for everything. There is an environment variable you can set (I don't remember it specifically, but I could look it up for you if you want) that will cause the transitional CERT_VerifyCertificate() interface to use the libpkix engine, but it keeps the old CERT_VerifyCertificate semantics (like no CRL or AIA cert fetching). With libpkix, the revocation options are quite broad and complex. We really expect people would use a set of preconfigured policies, though the libpkix API allows for quite some variance. It would take me some time to dig up all the descriptions, but I can if you want them.

[1] Some additional context: the original motivation for exposing NSS cert verification to IPA was to solve the following problem. If someone wants to make the IPA CA a sub-CA (as opposed to a self-signed CA) we want to validate the externally provided CA cert *before* proceeding with the IPA installation. This is because if the CA cert is invalid everything will hugely blow up (because we use the CA cert to sign all the certs issued in IPA, especially those used to validate cooperating components/agents; if those certs do not work nothing in IPA works). In addition to this narrow goal we in general want to be able to perform cert verification correctly in other contexts as well, so the extent to which you can educate us in general on this topic will be appreciated.

OK, thanks.

I'd go ahead and start with CERT_VerifyCertificate() unless you specifically need some of the advanced libpkix features.

The original context is sanity checking: is a SSL server cert we get from a user valid? If it is then we install the corresponding server. Requirements here are:
- No extra information from the user, other than the cert itself (the admin gives us a cert, we don't want to ask how to find out if it's valid)
- It needs to be a simple call/tool, since there's little gain over just documenting that we want good certs.

So it looks like it's not worth it to go there. The new
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On 2.4.2013 17:17, Adam Tkac wrote: On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote: Hello, this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades. See each commit message for all the gory details. Since patches are non-trivial, I will review them per partes (i.e. each patch in separate mail). Please check my comments below. Regards, Adam From d0c598ea7e9c02a1ec786c6f1c596ae1be7ac1e2 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 22 Mar 2013 12:17:07 +0100 Subject: [PATCH] Add helper functions for generic iteration over RBT. https://fedorahosted.org/bind-dyndb-ldap/ticket/99 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/rbt_helper.c | 150 +++ src/rbt_helper.h | 29 +++ 2 files changed, 179 insertions(+) create mode 100644 src/rbt_helper.c create mode 100644 src/rbt_helper.h diff --git a/src/rbt_helper.c b/src/rbt_helper.c new file mode 100644 index ..70ab06134694e36a6ae049284d506bbf5bc3a977 --- /dev/null +++ b/src/rbt_helper.c 
@@ -0,0 +1,150 @@ +#include dns/rbt.h + +#include rbt_helper.h + +#define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I') + +/** + * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator. + * + * @param[in] iter Initialized RBT iterator. + * @param[out] nodename Target dns_name suitable for rbt_fullnamefromnode() call. + * + * @pre Nodename has pre-allocated storage space. + * + * @retval ISC_R_SUCCESS Actual name was copied to nodename. + * @retval ISC_R_NOTFOUND Iterator doesn't point to any node. + * @retval DNS_R_EMPTYNAME Iterator points to name without assigned data, + * nodename is unchanged. + * @retval others Errors from dns_name_concatenate() and others. + * + */ +static isc_result_t +rbt_iter_getnodename(rbt_iterator_t *iter, dns_name_t *nodename) { + isc_result_t result; + dns_rbtnode_t *node = NULL; + + REQUIRE(iter != NULL); + REQUIRE(nodename != NULL); + REQUIRE(ISC_MAGIC_VALID(iter, LDAPDB_RBTITER_MAGIC)); + + CHECK(dns_rbtnodechain_current(iter-chain, NULL, NULL, node)); + if (node-data == NULL) + return DNS_R_EMPTYNAME; + + CHECK(dns_rbt_fullnamefromnode(node, nodename)); + result = ISC_R_SUCCESS; + +cleanup: + return result; +} + +/** + * Initialize RBT iterator, lock RBT and copy name of the first node with + * non-NULL data. Empty RBT nodes (with data == NULL) are ignored. + * + * RBT remains locked after iterator initialization. RBT has to be + * unlocked by reaching end of iteration or explicit rbt_iter_stop() call. + * + * @param[in,out] rwlock guard for RBT, will be read-locked + * @param[out]iter iterator structure, will be initialized + * @param[out]nodename dns_name with pre-allocated storage + * + * @pre Nodename has pre-allocated storage space. + * + * @retval ISC_R_SUCCESS Node with non-NULL data found, + * RBT is in locked state, iterator is valid, + * nodename holds copy of actual RBT node name. + * @retval ISC_R_NOTFOUND Node with non-NULL data is not present, + * RBT is in unlocked state, iterator is invalid. 
+ * @retval others Any error from rbt_iter_getnodename() and + * rbt_iter_next(). + */ +isc_result_t +rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock, + rbt_iterator_t *iter, dns_name_t *nodename) { + + isc_result_t result; + + REQUIRE(rbt != NULL); + REQUIRE(rwlock != NULL); + REQUIRE(iter != NULL); + + ZERO_PTR(iter); + + isc_mem_attach(mctx, iter-mctx); + dns_rbtnodechain_init(iter-chain, mctx); + iter-rbt = rbt; + iter-rwlock = rwlock; + iter-locktype = isc_rwlocktype_read; + iter-magic = LDAPDB_RBTITER_MAGIC; + + RWLOCK(iter-rwlock, iter-locktype); + + result = dns_rbtnodechain_first(iter-chain, rbt, NULL, NULL); + if (result != DNS_R_NEWORIGIN) { + rbt_iter_stop(iter); + return result; I would substitute those two lines with goto cleanup;. + } + + result = rbt_iter_getnodename(iter, nodename); + if (result == DNS_R_EMPTYNAME) + result = rbt_iter_next(iter, nodename); + if (result == ISC_R_NOMORE) + result = ISC_R_NOTFOUND; In my opinion this function should leave rbt in locked state only when it returns ISC_R_SUCCESS. All other cases should unlock the tree. I recommend to add this statement: cleanup: if (result != ISC_R_SUCCESS) rbt_iter_stop(iter); + + return result; +} + +/** + * Copy name of the next non-empty node in RBT. + * + * @param[in]
[Freeipa-devel] Announcing FreeIPA 3.2.0 Prerelease 1
The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We would like to welcome any early testers of this prerelease to provide us feedback and help us stabilize this feature release, which we plan to release as final at the beginning of May 2013.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new version has also been built for Fedora 19 Alpha; if it does not appear in your Fedora 19 yet, you can download the build from koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=408311

== Highlights in 3.2.0 Prerelease 1 ==

=== New features ===

* Support installing FreeIPA without an embedded Certificate Authority, with user-provided SSL certificates for the HTTP and Directory servers. [1]
* New cert-find command. Search certificates in the Dogtag database based on their serial number, validity or revocation details. This feature is available both as a CLI command and a Web UI page. [2]
* New trustconfig-show and trustconfig-mod commands. Show or modify AD Trust settings generated during AD Trust installation (ipa-adtrust-install). [3]
* Multiple FreeIPA servers can now be designated as Domain Controllers for trusts with Active Directory. [12]
* New realmdomains-show and realmdomains-mod commands. Manage the list of DNS domains associated with the FreeIPA realm (realmdomains command). This list is primarily used by AD, which can pull all domains managed by FreeIPA and use that list for routing authentication requests for domains which do not match the FreeIPA realm name. [4]
* Support trusted domain users in the HBAC test command (hbactest command).
* Allow filtering incoming trusted domain SIDs per trust (trust-mod command). [5]
* Configurable PAC type for services. Service commands can now configure the set of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the service.
* Faster UI loading. The FreeIPA Web UI application is now packaged in minified form. The FreeIPA web server is now also able to transmit data in compressed format. [6] [7]
* UI dialogs can now be confirmed or cancelled via the keyboard. [11]
* Client re-enrollment. A host that has been recreated can now be re-enrolled to the FreeIPA server using a backed-up host keytab or admin credentials. [8]
* Service and Host commands now provide options to add or remove selected Kerberos flags. [9]

=== Prerelease 1 limitations ===

* The list of DNS domains associated with the FreeIPA realm currently only works with a special Samba build available for Fedora 18: http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get it working.
* Testing of trusted domain users in HBAC rules is accessible only to members of the 'Trust Admins' group, due to privilege limitations.
* The same applies to any other trust-specific operations that require translation between a user/group name and its security identifier (SID).

=== Bug fixes ===

* Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and groups from OpenLDAP database instances.
* The migration process is now also a lot faster and provides more debug output (to the httpd error log).
* SUDO rules disabled by the sudorule-disable command are now removed from the ou=sudoers compat tree without a need to restart the 389 Directory Server instance.
* Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release.
* Fixed server installation with an external CA (--external-ca).
* Consolidated the on-line help system; help is shown without the need for valid Kerberos credentials (ipa help).
* A new LDAP plugin (ipa_dns) has been added to add the missing idnsSOASerial attribute for replicas which either do not have the integrated DNS service enabled or which have disabled SOA serial autoincrement.
* The LDAP lockout plugin has been fixed so that lockout policies are applied consistently both for LDAP binds and Kerberos authentication.
* ... and many other stabilization fixes; see the Detailed changelog for full details.

== Changes in API or CLI ==

=== Dropped --selfsign option ===

FreeIPA servers prior to 3.2.0 could be installed with the --selfsign option. This configured the server with an NSS-database-based Certificate Authority with a self-signed CA certificate and limited certificate operation support. This option was always intended for development or testing purposes only and was not intended for use in production.

This release drops this option and deprecates the functionality. Current FreeIPA servers installed with the --selfsign option will still work; instructions on how to migrate to supported certificate options will be provided.

FreeIPA servers version 3.2.0 and later support the following 2 flavors of certificate management:

* FreeIPA with pki-ca (dogtag), with either a self-signed certificate or with a certificate signed by an external CA (--external-ca option)
* FreeIPA with no pki-ca installed, with certificates signed and provided by an external CA [1]

=== Dropped CSV support ===

FreeIPA client CLI supported CSV in some arguments so
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote: Hello, this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades. See each commit message for all the gory details. Just check one comment below, otherwise ack. From 71fc42de24d3709efbe7dee24973c1b456b37fe4 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 22 Mar 2013 12:38:55 +0100 Subject: [PATCH] Add support for pure forward zones - idnsForwardZone objectClass. Master zones are stored in zone_register and pure forward zones are stored in fwd_register. This patch doesn't remove support for forward zones within idnsZone objectClass. Support for forward zones in both objectClasses enables incremental update, where old and new plugin versions operate on the same LDAP database. Support for forward zones defined by idnsZone objectClass will be removed in near future. Forward zones defined in idnsZone objectClass are not disabled after removing from LDAP if persistent search is disabled (see ticket #106). This problem doesn't affect zones defined with idnsForwardZone objectClass. https://fedorahosted.org/bind-dyndb-ldap/ticket/99 Signed-off-by: Petr Spacek pspa...@redhat.com --- src/Makefile.am| 4 + src/fwd_register.c | 156 + src/fwd_register.h | 35 ++ src/ldap_entry.c | 33 -- src/ldap_entry.h | 7 +- src/ldap_helper.c | 334 ++--- 6 files changed, 440 insertions(+), 129 deletions(-) create mode 100644 src/fwd_register.c create mode 100644 src/fwd_register.h diff --git a/src/Makefile.am b/src/Makefile.am index 252255788b01e003031f5f0ee2fc8469b53633be..87c3252736fa4f918f105166497b32b0219ef8ea 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -5,11 +5,13 @@ HDRS = \ acl.h \ cache.h \ compat.h\ + fwd_register.h \ krb5_helper.h \ ldap_convert.h \ ldap_entry.h\ ldap_helper.h \ log.h \ + rbt_helper.h\ rdlist.h\ semaphore.h \ settings.h \ 
@@ -23,12 +25,14 @@ ldap_la_SOURCES = \ $(HDRS) \ acl.c \ cache.c \ + fwd_register.c \ krb5_helper.c \ ldap_convert.c \ ldap_driver.c \ ldap_entry.c\ ldap_helper.c \ log.c \ + rbt_helper.c\ rdlist.c\ semaphore.c \ settings.c \ diff --git a/src/fwd_register.c b/src/fwd_register.c new file mode 100644 index ..c663b25909b0e393421c49950d1f29a1352cfe6c --- /dev/null +++ b/src/fwd_register.c @@ -0,0 +1,156 @@ +#include isc/rwlock.h +#include dns/name.h + +#include rbt_helper.h +#include fwd_register.h +#include util.h + +struct fwd_register { + isc_mem_t *mctx; + isc_rwlock_trwlock; + dns_rbt_t *rbt; +}; + +isc_result_t +fwdr_create(isc_mem_t *mctx, fwd_register_t **fwdrp) +{ + isc_result_t result; + fwd_register_t *fwdr = NULL; + + REQUIRE(fwdrp != NULL *fwdrp == NULL); + + CHECKED_MEM_GET_PTR(mctx, fwdr); + ZERO_PTR(fwdr); + isc_mem_attach(mctx, fwdr-mctx); + CHECK(dns_rbt_create(mctx, NULL, NULL, fwdr-rbt)); + CHECK(isc_rwlock_init(fwdr-rwlock, 0, 0)); + + *fwdrp = fwdr; + return ISC_R_SUCCESS; + +cleanup: + if (fwdr != NULL) { + if (fwdr-rbt != NULL) + dns_rbt_destroy(fwdr-rbt); + MEM_PUT_AND_DETACH(fwdr); + } + + return result; +} + +void +fwdr_destroy(fwd_register_t **fwdrp) +{ + fwd_register_t *fwdr; + + if (fwdrp == NULL || *fwdrp == NULL) + return; + + fwdr = *fwdrp; + + RWLOCK(fwdr-rwlock, isc_rwlocktype_write); + dns_rbt_destroy(fwdr-rbt); + RWUNLOCK(fwdr-rwlock, isc_rwlocktype_write); + isc_rwlock_destroy(fwdr-rwlock); + MEM_PUT_AND_DETACH(fwdr); + + *fwdrp = NULL; +} + +/* + * Add forward zone to the forwarding register 'fwdr'. Origin of the zone + * must be absolute and the zone cannot already be in the register. + */ +isc_result_t +fwdr_add_zone(fwd_register_t *fwdr, dns_name_t *name) +{ + isc_result_t result; + void *dummy = NULL; + + REQUIRE(fwdr != NULL); + REQUIRE(name != NULL); + + if (!dns_name_isabsolute(name)) { + log_bug(forward zone with bad origin); + return ISC_R_FAILURE; + }
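Review bot: the Makefile.am hunk adds rbt_helper.h to HDRS and rbt_helper.c to ldap_la_SOURCES, but neither file is among the 6 files in this commit's diffstat (Makefile.am, fwd_register.c, fwd_register.h, ldap_entry.c, ldap_entry.h, ldap_helper.c); make sure the patch in the 0123-0126 series that introduces rbt_helper.[ch] is ordered before this one, otherwise the tree does not build at this commit and bisecting through the series breaks.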
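Review bot: in the new src/fwd_register.c, fwdr_add_zone() reports a non-absolute origin with log_bug() and then returns ISC_R_FAILURE, while every other precondition in the file (fwdrp, fwdr, name) is enforced with REQUIRE(); since the header comment documents the absolute origin as a precondition, either use REQUIRE(dns_name_isabsolute(name)) for consistency or say in that comment that callers must handle ISC_R_FAILURE. The same comment also promises that "the zone cannot already be in the register", but the hunk is cut off right after the absolute-name check, so I could not see how a duplicate insertion is detected and reported; please double-check that a second add of the same name is not silently treated as success.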
Re: [Freeipa-devel] [PATCH 0134] Make RBT iterators more resilient.
On Tue, Apr 02, 2013 at 06:49:53PM +0200, Petr Spacek wrote: Hello, Make RBT iterators more resilient. This patch implements more resilient interface for RBT iterators, as I promised in thread about patches 123-126. Now multiple calls to rbt_iter_stop() with the same argument do not hurt. Ack From 9ee8cb1b9be0db6ca1530b43e96547b130181519 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Apr 2013 18:46:48 +0200 Subject: [PATCH] Make RBT iterators more resilient. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/fwd_register.c | 2 +- src/fwd_register.h | 2 +- src/ldap_helper.c | 4 +++- src/rbt_helper.c| 66 - src/rbt_helper.h| 15 +++- src/zone_register.c | 4 ++-- src/zone_register.h | 2 +- 7 files changed, 56 insertions(+), 39 deletions(-) diff --git a/src/fwd_register.c b/src/fwd_register.c index c663b25909b0e393421c49950d1f29a1352cfe6c..81eaac5b66ff66890935e7e6a94138c5e854332d 100644 --- a/src/fwd_register.c +++ b/src/fwd_register.c @@ -146,7 +146,7 @@ cleanup: } isc_result_t -fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter, +fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter, dns_name_t *nodename) { if (fwdr-rbt == NULL) return ISC_R_NOTFOUND; diff --git a/src/fwd_register.h b/src/fwd_register.h index 0bee3cba82d1deca1aa2fce235be118d076332f0..5fb96c0eb9b07e7374f4591d9cc166714abc23bd 100644 --- a/src/fwd_register.h +++ b/src/fwd_register.h @@ -29,7 +29,7 @@ isc_result_t fwdr_zone_ispresent(fwd_register_t *fwdr, dns_name_t *name); isc_result_t -fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter, +fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter, dns_name_t *nodename); #endif /* !_LD_FWD_REGISTER_H_ */ diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 72456228ba9d223d239f34ae88d63192e0ffbbb4..99d67724a61304a2f39a0d3fa9391ce35f12b72f 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
@@ -1549,7 +1549,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) /* Walk through master zone register and remove all zones which * disappeared from LDAP. */ - rbt_iterator_t iter; + rbt_iterator_t *iter = NULL; char name_txt[DNS_NAME_FORMATSIZE]; DECLARE_BUFFERED_NAME(registered_name); DECLARE_BUFFERED_NAME(ldap_name); @@ -1588,6 +1588,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) /* Walk through forward zone register and remove all zones which * disappeared from LDAP. */ INIT_BUFFERED_NAME(registered_name); + iter = NULL; result = fwdr_rbt_iter_init(ldap_inst-fwd_register, iter, registered_name); while (result == ISC_R_SUCCESS) { void *data = NULL; @@ -1625,6 +1626,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) goto cleanup; cleanup: + rbt_iter_stop(iter); if (master_rbt != NULL) dns_rbt_destroy(master_rbt); if (forward_rbt != NULL) diff --git a/src/rbt_helper.c b/src/rbt_helper.c index 70ab06134694e36a6ae049284d506bbf5bc3a977..ab37e3c754d06c1b49e389e2e85a5340d4317db2 100644 --- a/src/rbt_helper.c +++ b/src/rbt_helper.c @@ -4,6 +4,16 @@ #define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I') +struct rbt_iterator { + unsigned intmagic; + isc_mem_t *mctx; + dns_rbt_t *rbt; + isc_rwlock_t*rwlock; + isc_rwlocktype_tlocktype; + dns_rbtnodechain_t chain; +}; + + /** * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator. * @@ -47,7 +57,7 @@ cleanup: * unlocked by reaching end of iteration or explicit rbt_iter_stop() call. * * @param[in,out] rwlock guard for RBT, will be read-locked - * @param[out]iter iterator structure, will be initialized + * @param[out]iterpiterator structure, will be initialized * @param[out]nodename dns_name with pre-allocated storage * * @pre Nodename has pre-allocated storage space. 
@@ -62,14 +72,16 @@ cleanup: */ isc_result_t rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock, -rbt_iterator_t *iter, dns_name_t *nodename) { +rbt_iterator_t **iterp, dns_name_t *nodename) { isc_result_t result; + rbt_iterator_t *iter = NULL; REQUIRE(rbt != NULL); REQUIRE(rwlock != NULL); - REQUIRE(iter != NULL); + REQUIRE(iterp != NULL *iterp == NULL); + CHECKED_MEM_GET_PTR(mctx, iter); ZERO_PTR(iter); isc_mem_attach(mctx, iter-mctx); @@ -82,69 +94,81 @@ rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock,
[Freeipa-devel] [PATCH 0134] Make RBT iterators more resilient.
Hello, Make RBT iterators more resilient. This patch implements more resilient interface for RBT iterators, as I promised in thread about patches 123-126. Now multiple calls to rbt_iter_stop() with the same argument do not hurt. -- Petr^2 Spacek From 9ee8cb1b9be0db6ca1530b43e96547b130181519 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Apr 2013 18:46:48 +0200 Subject: [PATCH] Make RBT iterators more resilient. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/fwd_register.c | 2 +- src/fwd_register.h | 2 +- src/ldap_helper.c | 4 +++- src/rbt_helper.c| 66 - src/rbt_helper.h| 15 +++- src/zone_register.c | 4 ++-- src/zone_register.h | 2 +- 7 files changed, 56 insertions(+), 39 deletions(-) diff --git a/src/fwd_register.c b/src/fwd_register.c index c663b25909b0e393421c49950d1f29a1352cfe6c..81eaac5b66ff66890935e7e6a94138c5e854332d 100644 --- a/src/fwd_register.c +++ b/src/fwd_register.c @@ -146,7 +146,7 @@ cleanup: } isc_result_t -fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter, +fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter, dns_name_t *nodename) { if (fwdr-rbt == NULL) return ISC_R_NOTFOUND; diff --git a/src/fwd_register.h b/src/fwd_register.h index 0bee3cba82d1deca1aa2fce235be118d076332f0..5fb96c0eb9b07e7374f4591d9cc166714abc23bd 100644 --- a/src/fwd_register.h +++ b/src/fwd_register.h @@ -29,7 +29,7 @@ isc_result_t fwdr_zone_ispresent(fwd_register_t *fwdr, dns_name_t *name); isc_result_t -fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t *iter, +fwdr_rbt_iter_init(fwd_register_t *fwdr, rbt_iterator_t **iter, dns_name_t *nodename); #endif /* !_LD_FWD_REGISTER_H_ */ diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 72456228ba9d223d239f34ae88d63192e0ffbbb4..99d67724a61304a2f39a0d3fa9391ce35f12b72f 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
@@ -1549,7 +1549,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) /* Walk through master zone register and remove all zones which * disappeared from LDAP. */ - rbt_iterator_t iter; + rbt_iterator_t *iter = NULL; char name_txt[DNS_NAME_FORMATSIZE]; DECLARE_BUFFERED_NAME(registered_name); DECLARE_BUFFERED_NAME(ldap_name); @@ -1588,6 +1588,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) /* Walk through forward zone register and remove all zones which * disappeared from LDAP. */ INIT_BUFFERED_NAME(registered_name); + iter = NULL; result = fwdr_rbt_iter_init(ldap_inst-fwd_register, iter, registered_name); while (result == ISC_R_SUCCESS) { void *data = NULL; @@ -1625,6 +1626,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) goto cleanup; cleanup: + rbt_iter_stop(iter); if (master_rbt != NULL) dns_rbt_destroy(master_rbt); if (forward_rbt != NULL) diff --git a/src/rbt_helper.c b/src/rbt_helper.c index 70ab06134694e36a6ae049284d506bbf5bc3a977..ab37e3c754d06c1b49e389e2e85a5340d4317db2 100644 --- a/src/rbt_helper.c +++ b/src/rbt_helper.c @@ -4,6 +4,16 @@ #define LDAPDB_RBTITER_MAGIC ISC_MAGIC('L', 'D', 'P', 'I') +struct rbt_iterator { + unsigned int magic; + isc_mem_t *mctx; + dns_rbt_t *rbt; + isc_rwlock_t *rwlock; + isc_rwlocktype_t locktype; + dns_rbtnodechain_t chain; +}; + + /** * Copy the RBT node name, i.e. copies the name pointed to by RBT iterator. * @@ -47,7 +57,7 @@ cleanup: * unlocked by reaching end of iteration or explicit rbt_iter_stop() call. * * @param[in,out] rwlock guard for RBT, will be read-locked - * @param[out]iter iterator structure, will be initialized + * @param[out]iterpiterator structure, will be initialized * @param[out]nodename dns_name with pre-allocated storage * * @pre Nodename has pre-allocated storage space. 
@@ -62,14 +72,16 @@ cleanup: */ isc_result_t rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock, - rbt_iterator_t *iter, dns_name_t *nodename) { + rbt_iterator_t **iterp, dns_name_t *nodename) { isc_result_t result; + rbt_iterator_t *iter = NULL; REQUIRE(rbt != NULL); REQUIRE(rwlock != NULL); - REQUIRE(iter != NULL); + REQUIRE(iterp != NULL *iterp == NULL); + CHECKED_MEM_GET_PTR(mctx, iter); ZERO_PTR(iter); isc_mem_attach(mctx, iter-mctx); @@ -82,69 +94,81 @@ rbt_iter_first(isc_mem_t *mctx, dns_rbt_t *rbt, isc_rwlock_t *rwlock, RWLOCK(iter-rwlock, iter-locktype); result = dns_rbtnodechain_first(iter-chain, rbt, NULL, NULL); - if (result != DNS_R_NEWORIGIN) { - rbt_iter_stop(iter); - return result; - } + if (result != DNS_R_NEWORIGIN) + goto cleanup; result = rbt_iter_getnodename(iter, nodename); if (result == DNS_R_EMPTYNAME) - result = rbt_iter_next(iter, nodename); + result = rbt_iter_next(iter, nodename); if (result == ISC_R_NOMORE) result = ISC_R_NOTFOUND; +cleanup:
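Review bot: in the src/ldap_helper.c hunk at @@ -1588,6 +1588,7 @@, the new `iter = NULL;` before the forward-zone walk throws away whatever the master-zone walk left in `iter`; rbt_iter_first() now allocates the iterator with CHECKED_MEM_GET_PTR(), so unless reaching ISC_R_NOMORE in the first loop is guaranteed to free it and clear the caller's pointer, this assignment leaks that allocation (and the REQUIRE(iterp != NULL && *iterp == NULL) in rbt_iter_first() is exactly why the assignment was needed). Since the point of this patch is that rbt_iter_stop() may be called repeatedly, call rbt_iter_stop() on the iterator there instead of assigning NULL.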
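Review bot: in the src/rbt_helper.c hunk at @@ -82,69 +94,81 @@, replacing the inline `rbt_iter_stop(iter); return result;` with `goto cleanup` moves the unlock-and-free responsibility to the cleanup label, but the hunk is cut off at `cleanup:`; please confirm the label releases the read lock taken by the RWLOCK() call just above on every non-success path, frees the iterator obtained from CHECKED_MEM_GET_PTR() in the same function, and stores into *iterp only on success, so a failed rbt_iter_first() leaves the caller's pointer NULL and a later rbt_iter_stop() on it stays a no-op.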
[Freeipa-devel] [PATCH] 0011 Remove CA cert on client uninstall
Hello, The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases. https://fedorahosted.org/freeipa/ticket/3537 -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 061fce1ead601d5f46a22a49db72d8bd0d47a489 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Tue, 2 Apr 2013 19:48:38 +0200 Subject: [PATCH] Remove CA cert on client uninstall The CA cert (/etc/ipa/ca.crt) was not being removed on client uninstall, causing failure on subsequent client installation in some cases. https://fedorahosted.org/freeipa/ticket/3537 --- ipa-client/ipa-install/ipa-client-install | 9 + 1 file changed, 9 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 56896f3636bc6f9544804239923c60a11ad71350..126611a824f072bbfba1a7fe28584a5b921d5704 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -644,6 +644,15 @@ def uninstall(options, env): root_logger.warning('Please remove /etc/ipa/default.conf manually, ' 'as it can cause subsequent installation to fail.') +# Remove the CA cert +try: +os.remove(CACERT) +except OSError, e: +root_logger.warning('%s could not be removed: %s', CACERT, str(e)) +root_logger.warning('Please remove %s manually, ' +'as it can cause subsequent ' +'installation to fail.', CACERT) + root_logger.info(Client uninstall complete.) # The next block of code prompts for reboot, therefore all uninstall -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
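Review bot: os.remove(CACERT) raises OSError with errno ENOENT when the file is already gone (uninstall run twice, or a client install that failed before the CA cert was written), and the except branch then warns the user to remove a file that does not exist; check `e.errno != errno.ENOENT` (importing errno) or guard with os.path.exists(CACERT) before logging the two warnings, so that only a real failure to delete /etc/ipa/ca.crt produces them. The default.conf block just above this hunk has the same shape, so the two could share one helper.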
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On 2.4.2013 17:18, Adam Tkac wrote:
> On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:
>> Hello,
>>
>> this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades.
>>
>> See each commit message for all the gory details.
>>
>> --
>> Petr^2 Spacek
>
> Ack for patch 0124.

Pushed to master:
59b157618c2b241740f3b3125e6da6230fa0314c

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On 2.4.2013 18:34, Adam Tkac wrote:
> On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:
>> Hello,
>>
>> this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades.
>>
>> See each commit message for all the gory details.
>
> Just check one comment below, otherwise ack.

[...] if (result == ISC_R_SUCCESS) { log_debug(5, Refresh %s, entry-dn); /* Add found zone to RB-tree for later check. */ - result = dns_rbt_addname(rbt, name, NULL); + if (zone_class LDAP_ENTRYCLASS_MASTER) + result = dns_rbt_addname(master_rbt, name, NULL); + else In my opinion you should use else if (zone_class LDAP_ENTRYCLASS_FORWARD) here. + result = dns_rbt_addname(forward_rbt, name, NULL); }

Fixed version pushed to master:
760bebb0e8744301420cf6e4918690ed171529a2

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On 2.4.2013 17:30, Adam Tkac wrote:
> On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:
>> Hello,
>>
>> this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades.
>>
>> See each commit message for all the gory details.
>>
>> --
>> Petr^2 Spacek
>
> Ack for patch 125 as is.

Pushed to master:
edb6dbcf7a81605e6ccbd8efe1e323862710e0f7

--
Petr^2 Spacek
[Freeipa-devel] [PATCH 0137-0138] Preparation for 3.0 release
Hello, attached patches update NEWS and SPEC files. Pushed to master: eb8059eb25912d1c4b262e00ba35d9c44767e1dc 8397ba4ff819825e645b9554fdd17a0d239cc8a9 -- Petr^2 Spacek From 446104069d43cec34ff373c7e5757844a1bc9ec8 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Apr 2013 19:36:54 +0200 Subject: [PATCH] Update NEWS file for upcoming 3.0 release. Signed-off-by: Petr Spacek pspa...@redhat.com --- NEWS | 19 +++ 1 file changed, 19 insertions(+) diff --git a/NEWS b/NEWS index 78e16942ed551d0ec1a71f4865d02134c46ada87..173c12ce89c448f4053779d91a963846d0706d18 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,22 @@ +3.0 += +[1] DNAME records are supported. DNAME attribute was changed to single-valued. +https://fedorahosted.org/bind-dyndb-ldap/ticket/63 + +[2] Master and forward zones now have separate object classes: +idnsZone and idnsForwardZone. idnsForward* attributes in idnsZone object +class will have old semantics for some time. +https://fedorahosted.org/bind-dyndb-ldap/ticket/99 + +[3] Settings system was heavily refactored. From now, unknown options in +configuration file cause error. DNS dynamic updates should create +slightly lower load on LDAP server because of settings 'cache'. +https://fedorahosted.org/bind-dyndb-ldap/ticket/53 +https://fedorahosted.org/bind-dyndb-ldap/ticket/81 + +[4] Deadlock triggered by PTR record synchronization was fixed. +https://fedorahosted.org/bind-dyndb-ldap/ticket/113 + 2.6 = [1] Invalid zones are automatically reloaded after each change in zone data. -- 1.7.11.7 From ea30247f2b3c74b11ca2c10f26386939454b4e1d Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Apr 2013 19:38:15 +0200 Subject: [PATCH] Bump NVR to 3.0. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 2 +- contrib/bind-dyndb-ldap.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/configure.ac b/configure.ac index a40c49cc44063946522dc8b093660e00a6d2fee4..f964235dc08b3de5e79fe9928707c7039ebfb918 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.59]) -AC_INIT([bind-dyndb-ldap], [2.5], [freeipa-devel@redhat.com]) +AC_INIT([bind-dyndb-ldap], [3.0], [freeipa-devel@redhat.com]) AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2]) diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec index d0e49eab8fb26a787385fbbdf5c03cf35026d73f..227c15cbf0b955486d8873562beccd32ce79e45a 100644 --- a/contrib/bind-dyndb-ldap.spec +++ b/contrib/bind-dyndb-ldap.spec @@ -1,7 +1,7 @@ %define VERSION %{version} Name: bind-dyndb-ldap -Version:2.5 +Version:3.0 Release:0%{?dist} Summary:LDAP back-end plug-in for BIND -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
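Review bot: NEWS item [3] in the @@ -1,3 +1,22 @@ hunk says that unknown options in the configuration file now cause an error, but not what an operator sees after the rpm upgrade: the plugin fails with that error until /etc/named.conf is cleaned of typos and unsupported options, and BIND must be restarted by hand for the new version to take effect. Spell both out in NEWS (the 3.0 release announcement does), since this is the one item in the list that can turn a routine package update into a DNS outage.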
Re: [Freeipa-devel] [PATCH 0134] Make RBT iterators more resilient.
On 2.4.2013 19:13, Adam Tkac wrote:
> On Tue, Apr 02, 2013 at 06:49:53PM +0200, Petr Spacek wrote:
>> Hello,
>>
>> Make RBT iterators more resilient.
>>
>> This patch implements more resilient interface for RBT iterators, as I promised in thread about patches 123-126. Now multiple calls to rbt_iter_stop() with the same argument do not hurt.
>
> Ack

Pushed to master:
dc3c3014d6f2fbba447efc1489a0488dd34ad625

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0123-0126] Separate master and forward zones (add idnsForwardZone object class)
On 2.4.2013 17:17, Adam Tkac wrote:
> On Fri, Mar 22, 2013 at 01:03:12PM +0100, Petr Spacek wrote:
>> Hello,
>>
>> this patch set separates master zones (idnsZone objectClass) from forward zones (idnsForwardZone objectClass). Support for forward zones in idnsZone objectClass is still present to ease upgrades.
>>
>> See each commit message for all the gory details.
>
> Since patches are non-trivial, I will review them per partes (i.e. each patch in separate mail). Please check my comments below.
>
> Regards, Adam

After discussion I pushed original version to master:
9d073c1ef7c28e29397a766320d12ecdb7e1941b

--
Petr^2 Spacek
[Freeipa-devel] [PATCH 0135-0137] Schema updates
Hello, schema was updated to match latest development. Pushed to master: 3bf0d6fa6e6fe1bd81882a6819e9680e9c069997 b5bb6bc3b731c9e3b9d2efc4fb7a4420803ef55d 9bb52d52189f5e7a74b4994653a40de84fc8f4ea -- Petr^2 Spacek From 0f10e921572b77eadf9ef393cb6d65a0297d4a7b Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Apr 2013 19:17:38 +0200 Subject: [PATCH] Add idnsForwardZone objectClass to the schema. Signed-off-by: Petr Spacek pspa...@redhat.com --- doc/schema | 8 1 file changed, 8 insertions(+) diff --git a/doc/schema b/doc/schema index 06772baf5a154fcf2e1a37eabe229d8c2688a523..cf22fa51323daf97776c24da378a9a204573c895 100644 --- a/doc/schema +++ b/doc/schema @@ -315,3 +315,11 @@ objectclass ( 2.16.840.1.113730.3.8.6.2 MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) + +objectClasses: ( 2.16.840.1.113730.3.8.6.3 + NAME 'idnsForwardZone' + DESC 'Forward Zone class' + SUP top + STRUCTURAL + MUST ( idnsName $ idnsZoneActive ) + MAY ( idnsForwarders $ idnsForwardPolicy ) ) -- 1.7.11.7 From 920c8fe4daa69b661e4e5413a2654417ae33f36c Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Apr 2013 19:18:02 +0200 Subject: [PATCH] Change DNAME record (attribute) to single valued. http://tools.ietf.org/html/rfc6672#section-2.4 Signed-off-by: Petr Spacek pspa...@redhat.com --- doc/schema | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/schema b/doc/schema index cf22fa51323daf97776c24da378a9a204573c895..e6059153028b044f714f24b449957d4bcaefc017 100644 --- a/doc/schema +++ b/doc/schema 
@@ -117,10 +117,11 @@ attributetype ( 1.3.6.1.4.1.2428.20.1.38 attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' - DESC 'Non-Terminal DNS Name Redirection, RFC 2672' + DESC 'Non-Terminal DNS Name Redirection, RFC 6672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' -- 1.7.11.7 From 18c975c52210d9c58c586eb2d748fbe6e690327a Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 2 Apr 2013 19:19:12 +0200 Subject: [PATCH] Add notes about OID allocation and contacts to the schema file. Signed-off-by: Petr Spacek pspa...@redhat.com --- doc/schema | 29 + 1 file changed, 29 insertions(+) diff --git a/doc/schema b/doc/schema index e6059153028b044f714f24b449957d4bcaefc017..f23bda064984ae79c9e45ed75525d77ab80a4d7f 100644 --- a/doc/schema +++ b/doc/schema 
@@ -1,3 +1,32 @@ +# This schema contains OIDs from Uninett and FreeIPA. +# +# Unninet: http://drift.uninett.no/nett/ip-nett/dnsattributes.schema +# Base OID for DNS records is 1.3.6.1.4.1.2428.20.1, +# see http://drift.uninett.no/nett/ip-nett/oids.html +# +# FreeIPA: http://freeipa.org/ +# Base OID for DNS records is 2.16.840.1.113730.3.8.5 +# Base OID for DNS objectClasses is 2.16.840.1.113730.3.8.6 +# +# If you want to add some record types that are defined by IANA, +# please define it similar to what is done for the existing ones. The +# name should be {TYPE}Record, and OID should be +# 1.3.6.1.4.1.2428.20.1.value. For instance the RR type LOC has value +# 29, so attribute name should be LocRecord (casing shouldn't matter), +# and the OID is 1.3.6.1.4.1.2428.20.1.29. If you follow this, you +# know that it will be compatible with what others use, and one is +# guaranteed that the OIDs are unique. +# The IANA DNS record type values are available from +# URL: http://www.iana.org/assignments/dns-parameters . +# +# If you define new attributes, please report them to dr...@uninett.no +# to get them added of this schema. +# +# The basic record types like A, CNAME etc are defined in the cosine +# schema and not in this schema. This means that your LDAP server +# must use both the cosine schema and this one to get all the DNS +# attributes defined. + attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer denoting time to live' -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
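Review bot: in the doc/schema hunk at @@ -315,3 +315,11 @@, the new idnsForwardZone class lists idnsForwarders under MAY while idnsName and idnsZoneActive are MUST; a pure forward zone with no forwarders has no meaning in this schema, so either move idnsForwarders to MUST or document what the plugin does with such an entry (ignore it, log it, or fall back to global forwarders). Also the new entry is written as `objectClasses: (` while the neighbouring entry in the hunk context is written as `objectclass (`; keep one form throughout the file.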
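Review bot: the dNameRecord hunk at @@ -117,10 +117,11 @@ adds SINGLE-VALUE to an attribute that already exists in deployed directories; that is the right constraint per RFC 6672 section 2.4, but loading the tightened definition is rejected, or leaves entries schema-invalid, wherever an entry already carries two dNameRecord values that the old multi-valued definition allowed. The upgrade notes should tell admins to search for such entries and fix them before the new schema is applied.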
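Review bot: two typos in the new header comment in the @@ -1,3 +1,32 @@ hunk: "Unninet" should be "Uninett" (it is spelled correctly in the line above it), and "to get them added of this schema" should read "added to this schema". The OID bases stated for FreeIPA (2.16.840.1.113730.3.8.5 for records, 2.16.840.1.113730.3.8.6 for objectClasses) agree with the 2.16.840.1.113730.3.8.6.3 assigned to idnsForwardZone in the first patch of this series.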
[Freeipa-devel] [Freeipa-interest] Announcing bind-dyndb-ldap version 3.0
The FreeIPA team is proud to announce bind-dyndb-ldap version 3.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/. The new version has also been built for Fedora 19: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-3.0-1.fc19

This release includes several fixes and new features.

== Changes in 3.0 ==

[1] DNAME records are supported. The DNAME attribute was changed to single-valued.
https://fedorahosted.org/bind-dyndb-ldap/ticket/63

[2] Master and forward zones now have separate object classes: idnsZone and idnsForwardZone. idnsForward* attributes in the idnsZone object class will keep the old semantics for some time.
https://fedorahosted.org/bind-dyndb-ldap/ticket/99

[3] The settings system was heavily refactored. From now on, unknown options in the configuration file cause an error. DNS dynamic updates should create slightly lower load on the LDAP server because of the settings 'cache'.
https://fedorahosted.org/bind-dyndb-ldap/ticket/53
https://fedorahosted.org/bind-dyndb-ldap/ticket/81

[4] A deadlock triggered by PTR record synchronization was fixed.
https://fedorahosted.org/bind-dyndb-ldap/ticket/113

== Upgrading ==

A server can be upgraded simply by installing the updated rpms. BIND has to be restarted manually after the RPM installation. You will need to clean up the configuration file /etc/named.conf if your configuration contains typos or other unsupported options.

Downgrading back to any 2.x version is supported under the following conditions:
- the new object class idnsForwardZone is not utilized
- DNAME records are not utilized
- the configured connection count is >= 3 (to prevent deadlocks in 2.x releases)

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr Spacek
Software engineer
Red Hat
Re: [Freeipa-devel] [RFE] CA-less install
On 04/02/2013 11:33 AM, Petr Viktorin wrote:
> On 04/02/2013 02:14 AM, Robert Relyea wrote:
>> On 03/29/2013 07:40 AM, John Dennis wrote:
>>> On 03/29/2013 07:57 AM, Petr Viktorin wrote:
>>>> On 03/27/2013 04:40 PM, John Dennis wrote:
>>>>> On 03/27/2013 11:23 AM, Petr Viktorin wrote:
>>>>>> I don't want to check the subject because this RFE was prompted by IPA's normal CA rejecting valid wildcard certs. Is there a reasonable way to ask NSS if it will trust the cert?
>>>>>
>>>>> Yes. NSS provides a variety of tools to test validation. Going just on memory here, our current version of python-nss has a simple call to test validation. Sometime in the last year I added a fair amount of new support for certificate validation including getting back diagnostic information for validation failures, however if I recall correctly the extended functionality in python-nss has not been released yet.
>>>>
>>>> Does the new code include downloading and importing CRLs?
>>>
>>> Cert verification is a complex topic. This is further exacerbated by the introduction of PKIX. My understanding is NSS had classic verification code and later introduced PKIX. There has been an evolution between classic verification and PKIX. This is outside my domain of expertise. How and when CRL's are loaded in NSS is not something I can give advice on, especially in an area undergoing change. I'm going to have to defer to an expert in this area, Bob Relyea, I've CC'ed him on this email.
>>
>> It's hard to get the context in the middle, and as John had noted, NSS is transitioning from the old Cert_Verify interface to the new PKIX_ code. I'll answer the question for the traditional CERTVerify code, which is the only one you get in SSL by default, and the one most people still use: No, CRLs are not downloaded and imported automatically, but if you download and import CRL's, NSS will use them. There's an installable PKCS #11 module which can be configured to download and install CRLs, then provide them to NSS. It's called mod_revocator. The expected revocation strategy NSS uses is OCSP, and you can turn on automatic OCSP fetching.
>>
>>> Bob, to put this in context [1] the functionality in python-nss being discussed is the binding of the CERT_VerifyCertificate() function, something I added recently. Now the question arises as to how CRL's are meant to play into the verification process. Can you please explain how NSS expects this to be done? Pointers to existing documentation and code examples would also be helpful.
>>
>> There's a separate CERT_ImportCRL() which will import the CRL into the database. mod_revocator() can also be used to do the fetching for you, Matthew has examples on how various servers set them up (I believe the only NSS set up is installing the module in your secmod.db/pkcs11.txt with modutil).
>>
>>> It would also be helpful to understand the PKIX roadmap and how this might affect coding decisions at the API level.
>>
>> The PKIX interface is available now, and is actually used by Chrome (for all certs) and Firefox (for EV processing). Firefox is in the process of moving to libpkix for everything. There is an environment variable you can set (I don't remember it specifically, but I could look it up for you if you want) that will cause the transitional CERT_VerifyCertificate() interface to use the libpkix engine, but it keeps the old CERT_VerifyCertificate semantics (like no CRL or AIA cert fetching). With libpkix, the revocation options are quite broad and complex. We really expect people would use a set of preconfigured policies, though the libpkix API allows for quite some variance. It would take me some time to dig up all the descriptions, but I can if you want them.
>>
>>> [1] Some additional context, the original motivation for exposing NSS cert verification to IPA was to solve the following problem. If someone wants to make the IPA CA a sub-CA (as opposed to a self-signed CA) we want to validate the externally provided CA cert *before* proceeding with the IPA installation. This is because if the CA cert is invalid everything will hugely blow up (because we use the CA cert to sign all the certs issued in IPA, especially those used to validate cooperating components/agents; if those certs do not work nothing in IPA works). In addition to this narrow goal we in general want to be able to perform cert verification correctly in other contexts as well, so the extent to which you can educate us in general on this topic will be appreciated.
>>
>> OK, thanks. I'd go ahead and start with CERT_VerifyCertificate() unless you specifically need some of the advanced libpkix features.
>
> The original context is sanity checking: is a SSL server cert we get from a user valid? If it is then we install the corresponding server. Requirements here are:
> - No extra information from the user, other than the cert itself (the admin gives us a cert, we don't want to ask how to find out if it's valid)
> - It needs to be a simple call/tool, since there's little gain over just documenting that we want good certs.
>
> So it looks it's
Re: [Freeipa-devel] [RFE] CA-less install
On 04/02/2013 02:07 PM, John Dennis wrote: On 04/02/2013 11:33 AM, Petr Viktorin wrote:
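The sanity check Petr describes above (ask NSS whether it would trust an admin-supplied server cert, given nothing but the cert and the existing trust store), written here as an added example against python-nss; it is not code from the thread, from FreeIPA or from python-nss itself. It assumes python-nss 0.12 or later, an NSS database at a placeholder path that already holds the trusted CA, and that OCSP fetching (NSS's expected revocation strategy, as Bob notes) is the revocation check; CRLs, if used, must be imported separately as the thread describes, and the unreleased diagnostic API John mentions is not used.

```python
"""Added example: is this SSL server cert trusted by NSS?  Only the cert
and the NSS trust DB are needed (no extra questions for the admin)."""
import base64
import re

# Constructed sample: a PEM wrapper around dummy bytes, NOT a real cert.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"
NSS_DBDIR = "/path/to/nssdb"   # placeholder: DB that already trusts the CA

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM blob.
    Pure Python, so it can be exercised without NSS installed."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def check_server_cert(der, dbdir, check_revocation=True):
    """Ask NSS (via python-nss, assumed installed) whether `der` verifies
    for SSL-server usage against the trust store in `dbdir`.

    Returns (ok, detail): detail is the approved-usage text on success or
    the NSS error text on failure (untrusted issuer, expired, revoked...).
    check_revocation turns on NSS's automatic OCSP fetching; CRLs are not
    fetched here and must be imported into the DB beforehand."""
    import nss.nss as nss            # imported lazily: python-nss binding
    from nss.error import NSPRError

    nss.nss_init(dbdir)              # read-only open of the NSS database
    try:
        certdb = nss.get_default_certdb()
        if check_revocation:
            nss.enable_ocsp_checking(certdb)
        cert = nss.Certificate(der, certdb)   # temp cert, not persisted
        try:
            usage = cert.verify_now(certdb, True,
                                    nss.certificateUsageSSLServer)
        except NSPRError as e:
            return False, str(e)     # refuse install; tell the admin why
        return True, nss.cert_usage_flags(usage)
    finally:
        nss.nss_shutdown()


if __name__ == "__main__":
    print(check_server_cert(pem_to_der(SAMPLE_PEM), NSS_DBDIR))
```

With the dummy SAMPLE_PEM the check is expected to fail inside NSS (it is not a certificate at all); substitute the admin-supplied PEM and a real DB path to run the actual check.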