[Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install

2013-06-18 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/3707.

Honza

--
Jan Cholasta
From bc3ecb7548c76c2ee181f090a851fa15e12dcbec Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 18 Jun 2013 08:57:12 +
Subject: [PATCH] Check trust chain length in CA-less install.

https://fedorahosted.org/freeipa/ticket/3707
---
 ipaserver/install/installutils.py | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 830a78a..977ccb1 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -740,13 +740,20 @@ def check_pkcs12(pkcs12_info, ca_file, hostname):
 [(server_cert_name, server_cert_trust)] = server_certs
 
 # Check we have the whole cert chain  the CA is in it
-for cert_name in nssdb.get_trust_chain(server_cert_name):
-if cert_name == ca_cert_name:
+trust_chain = nssdb.get_trust_chain(server_cert_name)
+while trust_chain:
+if trust_chain[0] == ca_cert_name:
 break
+trust_chain = trust_chain[1:]
 else:
 raise ScriptError(
 '%s is not signed by %s, or the full certificate chain is not '
 'present in the PKCS#12 file' % (pkcs12_filename, ca_file))
+if len(trust_chain) != 2:
+raise ScriptError(
+'trust chain of the server certificate in %s contains %s '
+'certificates, expected 2' %
+(pkcs12_filename, len(trust_chain)))
 
 # Check server validity
 try:
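Review bot: the new `len(trust_chain) != 2` check, combined with the `while` loop that discards entries until `trust_chain[0] == ca_cert_name`, means the server certificate must be issued directly by the CA in `ca_file` (assuming `get_trust_chain` lists the chain root-first, as the 'expected 2' message implies): a chain with an intermediate between that CA and the server certificate passes the first check and then fails with 'contains 3 certificates, expected 2', which tells the administrator the count but not the rule. Suggest wording the error as the rule, e.g. 'the server certificate in %s must be issued directly by %s', or, if intermediates are meant to be accepted, checking that the last element is the server certificate instead of fixing the length. Separately, the `while ... else:` relies on Python's loop-`else` (run only when the loop ends without `break`); a one-line comment above it, or `trust_chain.index(ca_cert_name)` inside `try/except ValueError`, would make that intent obvious to the next reader.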
-- 
1.8.2.1

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0227-0229 freeipa-tests package Beaker integration plugin

2013-06-18 Thread Ana Krivokapic
On 06/17/2013 07:27 PM, Martin Kosek wrote:
> On 06/17/2013 06:59 PM, Jan Cholasta wrote:
>> On 17.6.2013 17:08, Petr Viktorin wrote:
>>> We can fix individual out-of-tree failures later, the priority now is
>>> that in-tree tests are not broken, and that the beakerlib plugin works.
>>
>>
>> Well, works just fine for me, so ACK.
>>
>> Honza
>
>
> Thanks for review! I just had to merge freeipa.spec.in and update the
> changelog date to avoid making the strict RPM date checker angry.
>
> Pushed all 3 to master.
>
> Martin

There is one line in .gitignore which refers to the old location of the
service.crt file. The attached patch fixes that.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From e55fd3497062e5aa6b3b78ed5ac843896987c727 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Tue, 18 Jun 2013 16:02:05 +0200
Subject: [PATCH] Fix location of service.crt in .gitignore

---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 8a2829a376d875917d9acf086036503df8ee8822..738b00b13b7014ea915da9bcd06ab1ac4eee3764 100644
--- a/.gitignore
+++ b/.gitignore
@@ -80,7 +80,7 @@ ipa-client/missing
 ipa-client/py-compile
 ipa-client/stamp-h1
 ipa-client/version.m4
-tests/test_xmlrpc/service.crt
+ipatests/test_xmlrpc/service.crt
 freeipa.spec
 ipapython/setup.py
 ipapython/version.py
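Review bot: the one-line path update matches the tests to ipatests move mentioned in the thread, but the commit message body is empty; a sentence naming the change that relocated service.crt (the freeipa-tests package patches 0227-0229 discussed here) would let `git log` explain why the ignore entry changed.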
-- 
1.8.1.4


Re: [Freeipa-devel] [PATCHES] 0227-0229 freeipa-tests package Beaker integration plugin

2013-06-18 Thread Martin Kosek
On 06/18/2013 04:07 PM, Ana Krivokapic wrote:
> On 06/17/2013 07:27 PM, Martin Kosek wrote:
>> On 06/17/2013 06:59 PM, Jan Cholasta wrote:
>>> On 17.6.2013 17:08, Petr Viktorin wrote:
>>>> We can fix individual out-of-tree failures later, the priority now is
>>>> that in-tree tests are not broken, and that the beakerlib plugin works.
>>>
>>>
>>> Well, works just fine for me, so ACK.
>>>
>>> Honza
>>
>>
>> Thanks for review! I just had to merge freeipa.spec.in and update the
>> changelog date to avoid making the strict RPM date checker angry.
>>
>> Pushed all 3 to master.
>>
>> Martin
>
> There is one line in .gitignore which refers to the old location of the
> service.crt file. The attached patch fixes that.

Good point. ACK, pushed to master.

Martin



Re: [Freeipa-devel] A puppet module for freeipa

2013-06-18 Thread Simo Sorce
On Tue, 2013-06-18 at 10:38 -0400, James wrote:
> Hi freeipa-devel,
>
> I just joined today, I'd like to introduce myself, I'm James. Hi.
>
> I am currently working on (among other things) a puppet module for
> freeipa. I've just published an initial release:
>
> https://github.com/purpleidea/puppet-ipa
>
> It only has a few resource types at the moment, but I plan to add
> support for services and other things shortly.
>
> I'd really like to thank the ipa devel team for actually returning
> useful (and accurate) return codes! I've written modules for other
> projects that don't, and it's a lot harder. Thanks!
>
> I've been hanging out in #freeipa as 'purpleidea', and asking questions
> to make sure I get the design right. Thanks in advance for your help!
> I'm fairly new to freeipa, but so far I like it quite a lot. It's been
> on my TODO list for a number of years.
>
> I'll probably write about this and other technical things over at my
> blog. https://ttboj.wordpress.com/
>
> I hope that the code is useful to you, and comments are welcome. If
> you'd rather not hear about any of this on freeipa-devel, that's okay
> too, just let me know.


James,
great start!

Feel free to use this list for development oriented questions related to
any aspect of FreeIPA.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] A puppet module for freeipa

2013-06-18 Thread James
On Tue, 2013-06-18 at 11:16 -0400, Simo Sorce wrote:
> On Tue, 2013-06-18 at 10:38 -0400, James wrote:
>> Hi freeipa-devel,
>>
>> I just joined today, I'd like to introduce myself, I'm James. Hi.
>>
>> I am currently working on (among other things) a puppet module for
>> freeipa. I've just published an initial release:
>>
>> https://github.com/purpleidea/puppet-ipa
>>
>> It only has a few resource types at the moment, but I plan to add
>> support for services and other things shortly.
>>
>> I'd really like to thank the ipa devel team for actually returning
>> useful (and accurate) return codes! I've written modules for other
>> projects that don't, and it's a lot harder. Thanks!
>>
>> I've been hanging out in #freeipa as 'purpleidea', and asking questions
>> to make sure I get the design right. Thanks in advance for your help!
>> I'm fairly new to freeipa, but so far I like it quite a lot. It's been
>> on my TODO list for a number of years.
>>
>> I'll probably write about this and other technical things over at my
>> blog. https://ttboj.wordpress.com/
>>
>> I hope that the code is useful to you, and comments are welcome. If
>> you'd rather not hear about any of this on freeipa-devel, that's okay
>> too, just let me know.
>
>
> James,
> great start!
>
> Feel free to use this list for development oriented questions related to
> any aspect of FreeIPA.
>
> Simo.
Thanks Simo!

So far #freeipa and #kerberos have been particularly helpful. I'll
probably post back here if I get stuck on something particularly tricky.

Feel free to call me out if anyone finds me abusing the ipa api
incorrectly in my code.

Cheers,
James
 




[Freeipa-devel] [PATCH] 421 Fix default value selection in radio widget

2013-06-18 Thread Petr Vobornik

Fix default value selection in radio widget

https://fedorahosted.org/freeipa/ticket/3718
--
Petr Vobornik
From 9df5d05592e247b9d082377c0c309efbc5e1f74d Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 18 Jun 2013 18:11:04 +0200
Subject: [PATCH] Fix default value selection in radio widget

https://fedorahosted.org/freeipa/ticket/3718
---
 install/ui/src/freeipa/widget.js | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 0913914d5af158c8e94e841583077b1dfe4166c1..ac93b91d6960de127ba0e6b71a6efbe81771a59f 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -666,6 +666,7 @@ IPA.option_widget_base = function(spec, that) {
 that.value_changed = that.value_changed || IPA.observer();
 that.updated = that.updated || IPA.observer();
 that.default_value = spec.default_value || null;
+that.default_on_empty = spec.default_on_empty === undefined ? true : spec.default_on_empty;
 
 /**
  * Jquery reference to current node
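Review bot: `default_on_empty` is a new public option read from `spec` but carries no doc comment, while the neighbouring members in this file are documented with JSDoc blocks (see the `/** ... */` comment that follows it). Add one stating the default (`true`) and the behaviour it enables, namely that an empty string among the supplied values is replaced by `default_value`.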
@@ -959,9 +960,18 @@ IPA.option_widget_base = function(spec, that) {
 
 if (values  values.length  0) {
 
+
+if (that.default_on_empty  that.default_value !== null) {
+for (var i=0; ivalues.length; i++) {
+if (values[i] === '') {
+values[i] = that.default_value;
+}
+}
+}
+
 // check the option when option or some of its child should be
 // checked
-for (var i=0; ithat.options.length; i++) {
+for (i=0; ithat.options.length; i++) {
 var option = that.options[i];
 var opt_vals = that.get_values(option);
 var has_opt = array.some(values, function(val) {
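Review bot: the substitution loop writes `that.default_value` back into the caller's `values` array in place (`values[i] = that.default_value`); a caller that keeps a reference to that array, for example to compare the widget's current value against what it originally passed, will now see the default instead of the empty string. Copying first (`values = values.slice();`) before substituting would keep the widget free of that side effect. Also, because the loop sits inside the surrounding non-empty-length check, an empty array receives no default while `['']` does; if that asymmetry is intended, a short comment would save the next reader from treating it as a bug.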
-- 
1.8.1.4


[Freeipa-devel] [PATCH] Permit reads to ipatokenRadiusProxyUser objects

2013-06-18 Thread Nathaniel McCallum
Patch attached.
From 14ba1309f1523c87efa9f70824b2cd85891bcaa4 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Tue, 18 Jun 2013 14:21:25 -0400
Subject: [PATCH] Permit reads to ipatokenRadiusProxyUser objects

This fixes an outstanding permissions issue from the OTP work.

https://fedorahosted.org/freeipa/ticket/3693
---
 install/share/default-aci.ldif| 2 +-
 ipaserver/install/plugins/update_anonymous_aci.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 18881ec..8a0fa60 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = ((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration(target != ldap:///idnsname=*,cn=dns,$SUFFIX;)(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;)
+aci: (targetfilter = ((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration(target != ldap:///idnsname=*,cn=dns,$SUFFIX;)(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;)
 aci: (targetattr = memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;)
 aci: (targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 aci: (targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword)(version 3.0; acl selfservice:Self can write own password; allow (write) userdn=ldap:///self;;)
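Review bot: this hunk removes `(!(objectClass=ipatokenRadiusProxyUser))` from the targetfilter of the 'Enable Anonymous access' ACI, whose subject is `userdn = ldap:///anyone`, so the read/search/compare it grants on those objects goes to unauthenticated binds, not only to enrolled clients or users as 'Permit reads' in the subject might suggest. The commit message should state that scope explicitly, and the review should confirm every attribute of ipatokenRadiusProxyUser is safe to expose anonymously: the only attributes withheld are those listed after `targetattr !=`, none of which is token- or RADIUS-specific.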
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
index 1e75113..af4196a 100644
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -35,7 +35,7 @@ class update_anonymous_aci(PostUpdate):
 aciname = u'Enable Anonymous access'
 aciprefix = u'none'
 ldap = self.obj.backend
-targetfilter = '((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))'
+targetfilter = '((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
 filter = None
 
 (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
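Review bot: the targetfilter string here duplicates the one in default-aci.ldif, and this patch has to edit both by hand; if the two ever drift, fresh installs and upgraded servers end up with different anonymous ACIs. Consider keeping the filter in one shared constant, or building it from a single list of excluded objectClasses, that both the LDIF template and this updater consume, so a future change cannot miss one of them.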
-- 
1.8.2.1
