[Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/3707. Honza -- Jan Cholasta From bc3ecb7548c76c2ee181f090a851fa15e12dcbec Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 18 Jun 2013 08:57:12 + Subject: [PATCH] Check trust chain length in CA-less install. https://fedorahosted.org/freeipa/ticket/3707 --- ipaserver/install/installutils.py | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 830a78a..977ccb1 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -740,13 +740,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname): [(server_cert_name, server_cert_trust)] = server_certs # Check we have the whole cert chain the CA is in it -for cert_name in nssdb.get_trust_chain(server_cert_name): -if cert_name == ca_cert_name: +trust_chain = nssdb.get_trust_chain(server_cert_name) +while trust_chain: +if trust_chain[0] == ca_cert_name: break +trust_chain = trust_chain[1:] else: raise ScriptError( '%s is not signed by %s, or the full certificate chain is not ' 'present in the PKCS#12 file' % (pkcs12_filename, ca_file)) +if len(trust_chain) != 2: +raise ScriptError( +'trust chain of the server certificate in %s contains %s ' +'certificates, expected 2' % +(pkcs12_filename, len(trust_chain))) # Check server validity try: -- 1.8.2.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
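Review bot: the check_pkcs12 hunk hard-codes the expected chain length as 2 and depends on the ordering returned by nssdb.get_trust_chain(): the 'while trust_chain' loop discards entries until trust_chain[0] == ca_cert_name, so the list that remains must be exactly the CA followed by the server certificate for the new 'len(trust_chain) != 2' test to pass. A comment stating that ordering assumption would help the next reader, and the error text could name the two certificates it expects ('expected 2 (CA and server certificate)') rather than the bare count. While the surrounding lines are being touched, the context comment 'Check we have the whole cert chain the CA is in it' could also read 'Check we have the whole cert chain and that the CA is in it'.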
Re: [Freeipa-devel] [PATCHES] 0227-0229 freeipa-tests package Beaker integration plugin
On 06/17/2013 07:27 PM, Martin Kosek wrote: On 06/17/2013 06:59 PM, Jan Cholasta wrote: On 17.6.2013 17:08, Petr Viktorin wrote: We can fix individual out-of-tree failures later, the priority now is that in-tree tests are not broken, and that the beakerlib plugin works. Well, works just fine for me, so ACK. Honza Thanks for review! I just had to merge freeipa.spec.in and update the changelog date to avoid making the strict RPM date checker angry. Pushed all 3 to master. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel There is one line in .gitignore which refers to the old location of the service.crt file. The attached patch fixes that. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From e55fd3497062e5aa6b3b78ed5ac843896987c727 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Tue, 18 Jun 2013 16:02:05 +0200 Subject: [PATCH] Fix location of service.crt in .gitignore --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 8a2829a376d875917d9acf086036503df8ee8822..738b00b13b7014ea915da9bcd06ab1ac4eee3764 100644 --- a/.gitignore +++ b/.gitignore @@ -80,7 +80,7 @@ ipa-client/missing ipa-client/py-compile ipa-client/stamp-h1 ipa-client/version.m4 -tests/test_xmlrpc/service.crt +ipatests/test_xmlrpc/service.crt freeipa.spec ipapython/setup.py ipapython/version.py -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
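Review bot: the .gitignore hunk updates only the single service.crt entry; given the move from tests/ to ipatests/ that the hunk shows, it is worth checking the rest of .gitignore for other stale 'tests/' paths in the same change, so they are not fixed one entry at a time.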
Re: [Freeipa-devel] [PATCHES] 0227-0229 freeipa-tests package Beaker integration plugin
On 06/18/2013 04:07 PM, Ana Krivokapic wrote: On 06/17/2013 07:27 PM, Martin Kosek wrote: On 06/17/2013 06:59 PM, Jan Cholasta wrote: On 17.6.2013 17:08, Petr Viktorin wrote: We can fix individual out-of-tree failures later, the priority now is that in-tree tests are not broken, and that the beakerlib plugin works. Well, works just fine for me, so ACK. Honza Thanks for review! I just had to merge freeipa.spec.in and update the changelog date to avoid making the strict RPM date checker angry. Pushed all 3 to master. Martin There is one line in .gitignore which refers to the old location of the service.crt file. The attached patch fixes that. Good point. ACK, pushed to master. Martin
Re: [Freeipa-devel] A puppet module for freeipa
On Tue, 2013-06-18 at 10:38 -0400, James wrote: Hi freeipa-devel, I just joined today, I'd like to introduce myself, I'm James. Hi. I am currently working on (among other things) a puppet module for freeipa. I've just published an initial release: https://github.com/purpleidea/puppet-ipa It only has a few resource types at the moment, but I plan to add support for services and other things shortly. I'd really like to thank the ipa devel team for actually returning useful (and accurate) return codes! I've written modules for other projects that don't, and it's a lot harder. Thanks! I've been hanging out in #freeipa as 'purpleidea', and asking questions to make sure I get the design right. Thanks in advance for your help! I'm fairly new to freeipa, but so far I like it quite a lot. It's been on my TODO list for a number of years. I'll probably write about this and other technical things over at my blog. https://ttboj.wordpress.com/ I hope that the code is useful to you, and comments are welcome. If you'd rather not hear about any of this on freeipa-devel, that's okay too, just let me know. James, great start! Feel free to use this list for development oriented questions related to any aspect of FreeIPA. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] A puppet module for freeipa
On Tue, 2013-06-18 at 11:16 -0400, Simo Sorce wrote: On Tue, 2013-06-18 at 10:38 -0400, James wrote: Hi freeipa-devel, I just joined today, I'd like to introduce myself, I'm James. Hi. I am currently working on (among other things) a puppet module for freeipa. I've just published an initial release: https://github.com/purpleidea/puppet-ipa It only has a few resource types at the moment, but I plan to add support for services and other things shortly. I'd really like to thank the ipa devel team for actually returning useful (and accurate) return codes! I've written modules for other projects that don't, and it's a lot harder. Thanks! I've been hanging out in #freeipa as 'purpleidea', and asking questions to make sure I get the design right. Thanks in advance for your help! I'm fairly new to freeipa, but so far I like it quite a lot. It's been on my TODO list for a number of years. I'll probably write about this and other technical things over at my blog. https://ttboj.wordpress.com/ I hope that the code is useful to you, and comments are welcome. If you'd rather not hear about any of this on freeipa-devel, that's okay too, just let me know. James, great start! Feel free to use this list for development oriented questions related to any aspect of FreeIPA. Simo. Thanks Simo! So far #freeipa and #kerberos have been particularly helpful. I'll probably post back here if I get stuck on something particularly tricky. Feel free to call me out if anyone finds me abusing the ipa api incorrectly in my code. Cheers, James
[Freeipa-devel] [PATCH] 421 Fix default value selection in radio widget
Fix default value selection in radio widget https://fedorahosted.org/freeipa/ticket/3718 -- Petr Vobornik From 9df5d05592e247b9d082377c0c309efbc5e1f74d Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 18 Jun 2013 18:11:04 +0200 Subject: [PATCH] Fix default value selection in radio widget https://fedorahosted.org/freeipa/ticket/3718 --- install/ui/src/freeipa/widget.js | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 0913914d5af158c8e94e841583077b1dfe4166c1..ac93b91d6960de127ba0e6b71a6efbe81771a59f 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js @@ -666,6 +666,7 @@ IPA.option_widget_base = function(spec, that) { that.value_changed = that.value_changed || IPA.observer(); that.updated = that.updated || IPA.observer(); that.default_value = spec.default_value || null; +that.default_on_empty = spec.default_on_empty === undefined ? true : spec.default_on_empty; /** * Jquery reference to current node @@ -959,9 +960,18 @@ IPA.option_widget_base = function(spec, that) { if (values values.length 0) { + +if (that.default_on_empty that.default_value !== null) { +for (var i=0; ivalues.length; i++) { +if (values[i] === '') { +values[i] = that.default_value; +} +} +} + // check the option when option or some of its child should be // checked -for (var i=0; ithat.options.length; i++) { +for (i=0; ithat.options.length; i++) { var option = that.options[i]; var opt_vals = that.get_values(option); var has_opt = array.some(values, function(val) { -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
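Review bot: the first widget.js hunk introduces a new spec option, default_on_empty, that defaults to true when not given, so every existing option widget that has a default_value now gets its '' entries rewritten to that default; document the option next to the other spec fields (the file already uses '/** ... */' doc blocks for members such as the 'Jquery reference to current node') and state that behaviour change in the commit message. In the second hunk the loop writes values[i] = that.default_value into the array the caller passed in, so the caller's array is modified as a side effect; building a new array (or copying values first) would avoid that. Only an empty string is treated as empty, so null or undefined entries keep their old handling, which should be deliberate rather than incidental.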
[Freeipa-devel] [PATCH] Permit reads to ipatokenRadiusProxyUser objects
Patch attached. From 14ba1309f1523c87efa9f70824b2cd85891bcaa4 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Tue, 18 Jun 2013 14:21:25 -0400 Subject: [PATCH] Permit reads to ipatokenRadiusProxyUser objects This fixes an outstanding permissions issue from the OTP work. https://fedorahosted.org/freeipa/ticket/3693 --- install/share/default-aci.ldif| 2 +- ipaserver/install/plugins/update_anonymous_aci.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 18881ec..8a0fa60 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif 
@@ -3,7 +3,7 @@ dn: $SUFFIX changetype: modify add: aci -aci: (targetfilter = ((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration(target != ldap:///idnsname=*,cn=dns,$SUFFIX;)(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;) +aci: (targetfilter = ((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration(target != ldap:///idnsname=*,cn=dns,$SUFFIX;)(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;) aci: (targetattr = memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;) aci: (targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;) aci: (targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword)(version 3.0; acl selfservice:Self can write own password; allow (write) 
userdn=ldap:///self;;) diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py index 1e75113..af4196a 100644 --- a/ipaserver/install/plugins/update_anonymous_aci.py +++ b/ipaserver/install/plugins/update_anonymous_aci.py @@ -35,7 +35,7 @@ class update_anonymous_aci(PostUpdate): aciname = u'Enable Anonymous access' aciprefix = u'none' ldap = self.obj.backend -targetfilter = '((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))' +targetfilter = '((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))' filter = None (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci']) -- 1.8.2.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
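Review bot: both hunks remove '(!(objectClass=ipatokenRadiusProxyUser))' from the targetfilter of the 'Enable Anonymous access' ACI, which grants read, search and compare on those objects to 'userdn = ldap:///anyone', not just to authenticated users; the commit message should say which attribute the outstanding permissions issue concerned and confirm that none of the attributes an ipatokenRadiusProxyUser object carries needs to be added to the 'targetattr !=' exclusion list alongside userPassword and the others, since that list is the only thing still withheld from anonymous readers of these entries. Keeping default-aci.ldif and update_anonymous_aci.py in step, as this patch does, is the right approach; a comment in the plugin noting that its targetfilter must match the LDIF would keep the two from drifting apart in later changes.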