[Freeipa-devel] [PATCHES] 152-158 ipa-server-certinstall fixes
On 11.7.2013 14:10, Jan Cholasta wrote:
> Hi,
>
> this is the first batch of patches for https://fedorahosted.org/freeipa/ticket/3641. It contains port of ipa-server-certinstall to the admintool framework and fixes some bugs.
>
> Note that there's still some work I have to do to make ipa-server-certinstall work properly for installs with CA, currently it works reliably only on CA-less installs.
>
> This patchset also does not make it possible to change the CA certificate (as requested in the ticket). We discussed this with Rob and agreed that it should instead be done as part of https://fedorahosted.org/freeipa/ticket/3737. Unless there are any objections, that's what is going to happen.

Added patches (157 and 158) to support installs with CA.

Honza

-- 
Jan Cholasta

From ce481fa8d10a90612e1a7bfd75e69a3a240ba0c2 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 15 Jul 2013 08:12:14 + Subject: [PATCH 1/2] Replace only the cert instead of the whole NSS DB in ipa-server-certinstall. https://fedorahosted.org/freeipa/ticket/3641 --- ipaserver/install/certs.py | 4 ipaserver/install/ipa_server_certinstall.py | 31 +++-- 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 531ea76..681892b 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -708,6 +708,10 @@ class CertDB(object): -f, self.passwd_fname] self.run_certutil(args) +def delete_cert(self, nickname): +args = [-D, -n, nickname] +self.run_certutil(args) + def create_pin_file(self): This is the format of Directory Server pin files. diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py index c2cd4df..e467609 100644 --- a/ipaserver/install/ipa_server_certinstall.py +++ b/ipaserver/install/ipa_server_certinstall.py 
@@ -101,18 +101,20 @@ class ServerCertInstall(admintool.AdminTool): def install_dirsrv_cert(self): serverid = dsinstance.realm_to_serverid(api.env.realm) dirname = dsinstance.config_dirname(serverid) -pwdfile = os.path.join(dirname, 'pwdfile.txt') - -server_cert = self.import_cert(dirname, self.options.dirsrv_pin, - pwdfile) conn = ldap2(shared_instance=False, base_dn='') conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=self.dm_password) -entry = conn.make_entry(DN(('cn', 'RSA'), ('cn', 'encryption'), - ('cn', 'config')), -nssslpersonalityssl=[server_cert]) +entry = conn.get_entry(DN(('cn', 'RSA'), ('cn', 'encryption'), + ('cn', 'config')), + ['nssslpersonalityssl']) +old_cert = entry.single_value('nssslpersonalityssl') + +server_cert = self.import_cert(dirname, self.options.dirsrv_pin, + old_cert) + +entry['nssslpersonalityssl'] = [server_cert] try: conn.update_entry(entry) except errors.EmptyModlist: @@ -122,10 +124,12 @@ class ServerCertInstall(admintool.AdminTool): def install_http_cert(self): dirname = certs.NSS_DIR -pwdfile = os.path.join(dirname, 'pwdfile.txt') + +old_cert = installutils.get_directive(httpinstance.NSS_CONF, + 'NSSNickname') server_cert = self.import_cert(dirname, self.options.http_pin, - pwdfile) + old_cert) installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert) 
@@ -140,20 +144,17 @@ class ServerCertInstall(admintool.AdminTool): os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid) os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid) -def import_cert(self, dirname, pkcs12_passwd, db_pwdfile): +def import_cert(self, dirname, pkcs12_passwd, old_cert): pw = write_tmp_file(pkcs12_passwd) server_cert = installutils.check_pkcs12( pkcs12_info=(self.pkcs12_fname, pw.name), ca_file=CACERT, hostname=api.env.host) -with open(db_pwdfile) as fd: -db_password = fd.read() - cdb = certs.CertDB(api.env.realm, nssdir=dirname) try: -cdb.create_from_pkcs12(self.pkcs12_fname, pw.name, - db_password, CACERT) +cdb.delete_cert(old_cert) +cdb.import_pkcs12(self.pkcs12_fname, pw.name) except RuntimeError, e: raise admintool.ScriptError(str(e)) -- 1.8.3.1 From 4250f0d1a8ba606d158ec5298391edbcca27855e Mon Sep 17 00:00:00 2001 From: Jan
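Review bot: in the certs.py hunk, 'delete_cert' runs 'certutil -D -n nickname', which removes the certificate but leaves its private key in the NSS database, so every re-run of ipa-server-certinstall accumulates an orphaned key; if the old key material is meant to be retired as well, 'certutil -F -n nickname' (delete key and certificate) is the option, and a docstring on delete_cert should state which of the two behaviours is intended.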
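Review bot: in the install_http_cert hunk, the value from 'installutils.get_directive(httpinstance.NSS_CONF, 'NSSNickname')' is passed straight through to import_cert and on into 'certutil -D -n' without any check that the directive was present in nss.conf; guard the missing-directive case with a ScriptError before anything is deleted, and keep in mind that the directive value may be quoted in the config file, in which case the nickname handed to certutil would not match.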
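Review bot: in the import_cert hunk the order 'cdb.delete_cert(old_cert)' then 'cdb.import_pkcs12(self.pkcs12_fname, pw.name)' has no rollback: if the import raises RuntimeError, the old server certificate is already gone while nssslpersonalityssl in LDAP (and NSSNickname in nss.conf) still name it, and the ScriptError that follows does not say so. Since check_pkcs12 has already validated the file and returned the new nickname, consider importing first and deleting the old nickname only when the import succeeds and the nicknames differ, or at minimum include the removed nickname in the error message so an admin can recover.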
Re: [Freeipa-devel] [PATCH] 3031 Allow TTL to be configured during ipa-client-install
This patch allows the user during ipa-client-install to pick the TTL to be used on the creation of the client DNS records and configures the value in sssd.conf so that ongoing changes to IP use the TTL as desired.

Apologies but I just realised I missed the link to the ticket this refers to... so just to be clear it's for this one: https://fedorahosted.org/freeipa/ticket/3031

Cheers,
James

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1102 set correct content-type
On 11.7.2013 22:50, Rob Crittenden wrote:
> Set the correct content-type on negotiated XML-RPC requests. It was being set as text/plain when it should be text/xml.
>
> rob

ACK.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively
On 12.7.2013 10:19, Tomas Babej wrote:
> Just a nitpick:
>
> + # If any of the PKCS#12 options are selected, all are required. + pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) + pkcs12_opt = (options.pkinit_pkcs12,) + if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): parser.error(All PKCS#12 options are required if any are used.)
>
> This error message is somewhat misleading, since --pkinit-pkcs12 option is not required.

Fixed. Updated patches attached.

Honza

-- 
Jan Cholasta

From 6b21db9dc6c2cc3b7fb5a13877cbe8cb3aec1213 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 9 Jul 2013 10:23:47 + Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in ipa-server-install. https://fedorahosted.org/freeipa/ticket/3717 --- install/tools/ipa-server-install | 76 ++-- 1 file changed, 50 insertions(+), 26 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index cc88a0b..4ba6f0e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -276,13 +276,20 @@ def parse_options(): if not options.forwarders and not options.no_forwarders: parser.error(You must specify at least one --forwarder option or --no-forwarders option) -# If any of the PKCS#12 options are selected, all are required. Create a -# list of the options and count it to enforce that all are required without -# having a huge set of it blocks. -pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] -cnt = pkcs12.count(None) -if cnt 0 and cnt 4: -parser.error(All PKCS#12 options are required if any are used.) +# If any of the PKCS#12 options are selected, all are required. +pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12) +pkcs12_opt = (options.pkinit_pkcs12,) +if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req): +parser.error(--dirsrv_pkcs12 and --http_pkcs12 are required if any + PKCS#12 options are used.) + +if options.unattended: +if options.dirsrv_pkcs12 and not options.dirsrv_pin: +parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12) +if options.http_pkcs12 and not options.http_pin: +parser.error(You must specify --http_pin with --http_pkcs12) +if options.pkinit_pkcs12 and not options.pkinit_pin: +parser.error(You must specify --pkinit_pin with --pkinit_pkcs12) if options.dirsrv_pkcs12 and not options.root_ca_file: parser.error( @@ -704,18 +711,6 @@ def main(): sys.exit(1) cert = certdict[certissuer] -if options.http_pkcs12: -http_pin_file = ipautil.write_tmp_file(options.http_pin) -http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) - -if options.dirsrv_pkcs12: -dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) -dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) - -if options.pkinit_pkcs12: -pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) -pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name) - # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_pkcs12: setup_ca = False 
@@ -834,13 +829,6 @@ def main(): else: domain_name = options.domain_name -if options.http_pkcs12: -# Check the given PKCS#12 files -ca_file = options.root_ca_file -check_pkcs12 = installutils.check_pkcs12 -http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name) -dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name) - domain_name = domain_name.lower() ip = get_server_ip_address(host_name, fstore, options.unattended, options) @@ -858,6 +846,42 @@ def main(): if not options.subject: options.subject = DN(('O', realm_name)) +ca_file = options.root_ca_file + +if options.http_pkcs12: +if not options.http_pin: +options.http_pin = installutils.read_password( +Enter %s unlock % options.http_pkcs12, +confirm=False, validate=False) +if options.http_pin is None: +sys.exit(%s unlock password required % options.http_pkcs12) +http_pin_file = ipautil.write_tmp_file(options.http_pin) +http_pkcs12_info = (options.http_pkcs12, http_pin_file.name) +http_cert_name = installutils.check_pkcs12( +http_pkcs12_info, ca_file, host_name) + +if options.dirsrv_pkcs12: +if not options.dirsrv_pin: +options.dirsrv_pin = installutils.read_password( +Enter %s unlock % options.dirsrv_pkcs12, +confirm=False, validate=False) +if options.dirsrv_pin is None: +sys.exit(%s unlock password required %
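Review bot: the parse_options hunk now requires --dirsrv_pin, --http_pin and --pkinit_pin only under 'options.unattended', which silently changes the contract of those options for interactive installs (they become optional and are prompted for); the --help text and the ipa-server-install man page should say so, since keeping the PKCS#12 password off the command line (where it shows in process listings and shell history) is the point of the change and admins should know the prompt exists.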
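Review bot: in the second main() hunk the http and dirsrv blocks are the same five steps with the names swapped (read_password fallback, 'is None' check, write_tmp_file, building the pkcs12_info tuple, check_pkcs12), and the page cuts off before the pkinit block; a small helper taking the pkcs12 path and pin would remove the duplication and guarantee pkinit gets identical handling. Also, the prompt 'Enter %s unlock' reads as cut short next to the '%s unlock password required' exit message; 'Enter %s unlock password' would match.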
Re: [Freeipa-devel] [PATCH] Remove unused variable
On Wednesday 10 of July 2013 22:27:16 Jakub Hrozek wrote:
> Hi,
>
> I was doing quite a few builds of freeipa for testing and patch reviews lately and found a couple of unused variables. The attached patch removed the variables.

ACK

Tomas
Re: [Freeipa-devel] [PATCH] Use pkg-config to detect cmocka
On 07/04/2013 01:49 PM, Lukas Slebodnik wrote:
> On (04/07/13 13:10), Alexander Bokovoy wrote:
>> On Thu, 04 Jul 2013, Lukas Slebodnik wrote:
>>> ehlo,
>>>
>>> libcmocka-0.3 was released and package is available in fedora >= 18. libcmocka-devel contains pkg-config file, therefore it is better to use pkg-config to detect this library.
>>>
>>> Patch is attached.
>> Few comments.
>>
>> 0. Please follow https://fedorahosted.org/freeipa/wiki/PatchFormat
> changed
>
>> 1. It would be nice to have a ticket in the FreeIPA trac.
> Could ticket#3434 be used? I know that ticket is fixed. https://fedorahosted.org/freeipa/ticket/3434
> Functionality of patch is the same as Sumit's version.
>
>> 2. I think at this point we need to decide whether we want to have BuildRequires: libcmocka-devel in freeipa.spec.in. Given the change, older version would become unsupported but we don't really have any packaging dependency yet.
> At the moment, there is not any cmocka test in freeipa source repo.
>
> LS

Any update with this patch? If the build works OK, I would push it. I think we do not need to add libcmocka BuildRequires ATM and leave the cmocka tests optional (especially if there is no cmocka test).

Martin
[Freeipa-devel] [PATCH] 0044 Add 'ipa_server_mode' option to SSSD configuration
Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3652. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 6c332b4a1149a35ebc76ee7756050edc0333ac21 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Mon, 15 Jul 2013 11:09:14 +0200 Subject: [PATCH] Add 'ipa_server_mode' option to SSSD configuration https://fedorahosted.org/freeipa/ticket/3652 --- freeipa.spec.in | 5 - install/tools/ipa-upgradeconfig | 13 - ipa-client/ipa-install/ipa-client-install | 2 ++ 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 05b43bc229abbe3b3b481b9c34e240749de1f226..38d6fca1e0b2229e526e956ff38262e29a03d6ae 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -228,7 +228,7 @@ Requires: pam_krb5 Requires: wget Requires: libcurl = 7.21.7-2 Requires: xmlrpc-c = 1.27.4 -Requires: sssd = 1.8.0 +Requires: sssd = 1.10.90 Requires: certmonger = 0.65 Requires: nss-tools Requires: bind-utils @@ -819,6 +819,9 @@ fi %endif # ! %{ONLY_CLIENT} %changelog +* Mon Jul 15 2013 Ana Krivokapic akriv...@redhat.com - 3.2.99-6 +- Bump minimum version of sssd to 1.10.90 for the 'ipa_server_mode' option. + * Thu Jul 11 2013 Martin Kosek mko...@redhat.com - 3.2.99-5 - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 4e9216964a045b5a87c22f6eb87bb1844f4adce9..0c955b61dbc14d18aee2d1a01f3a11c67012f522 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -32,6 +32,7 @@ import fileinput import ConfigParser from ipalib import api +import SSSDConfig import ipalib.util import ipalib.errors from ipapython import ipautil, sysrestore, version, services 
@@ -39,7 +40,6 @@ from ipapython.config import IPAOptionParser from ipapython.ipa_log_manager import * from ipapython import certmonger from ipapython import dogtag -from ipapython.dn import DN from ipaserver.install import installutils from ipaserver.install import dsinstance from ipaserver.install import httpinstance @@ -841,6 +841,15 @@ def fix_schema_file_syntax(ds): sysupgrade.set_upgrade_state('ds', 'fix_schema_syntax', True) +def set_sssd_domain_option(option, value): +sssdconfig = SSSDConfig.SSSDConfig() +sssdconfig.import_config() +domain = sssdconfig.get_domain(str(api.env.domain)) +domain.set_option(option, value) +sssdconfig.save_domain(domain) +sssdconfig.write(/etc/sssd/sssd.conf) + + def main(): Get some basics about the system. If getting those basics fail then @@ -974,5 +983,7 @@ def main(): except ipautil.CalledProcessError, e: root_logger.error(Failed to restart %s: %s, ca.service_name, e) +set_sssd_domain_option('ipa_server_mode', 'True') + if __name__ == '__main__': installutils.run_script(main, operation_name='ipa-upgradeconfig') diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 867307aa570b4e8e90a1a8182f1481f0d11a9840..ce7fadee7d15867ecf5b480cea559e8a62f6449a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1104,8 +1104,10 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie else: domain.set_option('ipa_server', '_srv_, %s' % ', '.join(cli_server)) else: +domain.set_option('ipa_server_mode', 'True') # the master should only use itself for Kerberos domain.set_option('ipa_server', cli_server[0]) + domain.set_option('ipa_domain', cli_domain) domain.set_option('ipa_hostname', client_hostname) if cli_domain.lower() != cli_realm.lower(): -- 1.8.1.4
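Review bot: the first ipa-upgradeconfig hunk removes 'from ipapython.dn import DN' although the commit message only covers ipa_server_mode; please confirm the script has no remaining DN use (an unrelated cleanup reads better as its own patch), and note that the new 'import SSSDConfig' is a hard runtime dependency of the upgrade script on the python SSSDConfig module, so the spec should require the package that ships it if it is not already pulled in.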
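Review bot: 'set_sssd_domain_option' has no error handling, and its call is the last statement of main(), so a missing /etc/sssd/sssd.conf or a domain section not matching 'api.env.domain' turns into an uncaught exception from import_config or get_domain after every other upgrade step has already run; wrap the call in try/except and log through root_logger the way the service restart just above it does. Also nothing in the hunk restarts sssd after the write, so ipa_server_mode only takes effect on the next sssd restart, and the write happens unconditionally on every upgrade run even when the option already holds 'True'.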
Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool
On 07/11/2013 08:59 AM, Tomas Babej wrote:
> On Wednesday 26 of June 2013 10:12:48 Petr Spacek wrote:
>> [snip]
>> Appropriate error handling = Return 'Permission denied' if particular operation requires higher privileges. IMHO 'cryptic' error message is bad in any case, so the right way how to fix 'cryptic' error messages is to fix the places where errors are thrown. I don't think that additional checks in 'advisor' to hide 'cryptic' errors are the right approach.
>>
>> -- 
>> Petr^2 Spacek
>
> To wrap-up, after an offline discussion Petr:
>
> We came to a conclusion that since 'require_root' attribute is optional (Petr was not aware of that, and that fact was what caused his concern), with default value False, the attribute should not pose any additional burden for the plugin developer.
>
> Tomas

Agreed, I think that current approach is fine.

Alexander, are you OK with the ipa-advise tool as is? We can add more bells and whistles or options/API for plugins when we have actually more ipa-advise plugins and see the real needs of such plugins.

Martin
[Freeipa-devel] [PATCH 0174] Fix crash during zone_refresh triggered by connection failure
Hello,

Fix crash during zone_refresh triggered by connection failure.

Variable 'iter' was initialized too late. Code in cleanup section of refresh_zones_from_ldap() dereferenced the uninitialized variable.

-- 
Petr^2 Spacek

From 3affa9c2431928a5b5708875ab937d598059561e Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Mon, 15 Jul 2013 15:08:01 +0200 Subject: [PATCH] Fix crash during zone_refresh triggered by connection failure. Variable 'iter' was initialized too late. Code in cleanup section of refresh_zones_from_ldap() dereferenced the uninitialized variable. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 05aa1a1d4b5091816af092895e881c0e2b1ff0eb..d0286af6c6e6e0084386ae5d1fe4e2ebb2954d4a 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -1632,6 +1632,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) dns_rbt_t *forward_rbt = NULL; /** Forward zones only */ isc_boolean_t psearch; const char *base = NULL; + rbt_iterator_t *iter = NULL; char *config_attrs[] = { idnsForwardPolicy, idnsForwarders, idnsAllowSyncPTR, idnsZoneRefresh, @@ -1729,7 +1730,6 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only) /* Walk through master zone register and remove all zones which * disappeared from LDAP. */ - rbt_iterator_t *iter = NULL; char name_txt[DNS_NAME_FORMATSIZE]; DECLARE_BUFFERED_NAME(registered_name); DECLARE_BUFFERED_NAME(ldap_name); -- 1.8.3.1
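Review bot: moving 'rbt_iterator_t *iter = NULL;' up to the other declarations at the top of refresh_zones_from_ldap() is the right fix, because any error path that jumped to the cleanup section before the old declaration point (the connection failure in the commit message) skipped its initialisation and cleanup then read an indeterminate pointer; a short comment at the new declaration saying that cleanup relies on it being initialised before the first early exit would stop a future refactor from moving it back, and it is worth scanning the same function for other variables declared mid-body but touched in cleanup, since the pattern rarely occurs only once.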
Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool
On Mon, 15 Jul 2013, Martin Kosek wrote:
> On 07/11/2013 08:59 AM, Tomas Babej wrote:
>> On Wednesday 26 of June 2013 10:12:48 Petr Spacek wrote:
>>> [snip]
>>> Appropriate error handling = Return 'Permission denied' if particular operation requires higher privileges. IMHO 'cryptic' error message is bad in any case, so the right way how to fix 'cryptic' error messages is to fix the places where errors are thrown. I don't think that additional checks in 'advisor' to hide 'cryptic' errors are the right approach.
>>>
>>> -- 
>>> Petr^2 Spacek
>>
>> To wrap-up, after an offline discussion Petr:
>>
>> We came to a conclusion that since 'require_root' attribute is optional (Petr was not aware of that, and that fact was what caused his concern), with default value False, the attribute should not pose any additional burden for the plugin developer.
>>
>> Tomas
>
> Agreed, I think that current approach is fine.
>
> Alexander, are you OK with the ipa-advise tool as is? We can add more bells and whistles or options/API for plugins when we have actually more ipa-advise plugins and see the real needs of such plugins.

Yes, I'm OK.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/11/2013 12:15 PM, Alexander Bokovoy wrote:
> On Thu, 11 Jul 2013, Jan Cholasta wrote:
>> On 11.7.2013 11:58, Alexander Bokovoy wrote:
>>> On Mon, 08 Jul 2013, Alexander Bokovoy wrote:
>>>> On Thu, 27 Jun 2013, Jan Cholasta wrote:
>>>>> On 27.6.2013 17:34, Rich Megginson wrote:
>>>>>> On 06/27/2013 09:31 AM, Jan Cholasta wrote:
>>>>>>> The search is hard-coded in the referint plugin, see https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745.
>>>>>> Not sure if it makes sense to do a wildcard/substr search here - please file a ticket with 389 to investigate.
>>>>> https://fedorahosted.org/389/ticket/47411
>>>> So, should we merge this patchset or wait until 389-ds analyzes 47411? To me it looks like we can use this one as an interim solution, once Web UI performance is checked through.
>>> I've committed the patchset to master. Web UI works just fine for me and with a VM limited to 1GB RAM I seem to get snappier response even when running whole IPA stack and Firefox in the same VM.
>> We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week).
> Ok. The patchset is in ipa-3-2 as well now.

Just checking:

1) Jan, did you check size of these new indexes on IPA master with such a high number of users? How big are they? I want to make sure that this won't create an issue on upgrades to new 3.2.x.

2) Does the patch set also fix the problem for Web UI? Currently, I think it will still grab and process all member attributes even though it does not need it. If the Web UI performance is still not sharp, I would rather leave this ticket opened and let Jan/Petr cooperate on the Web UI part.

Martin
Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes
On 07/11/2013 05:03 PM, Alexander Bokovoy wrote:
> On Thu, 11 Jul 2013, Ana Krivokapic wrote:
>> On 07/11/2013 11:38 AM, Alexander Bokovoy wrote:
>>> On Thu, 11 Jul 2013, Alexander Bokovoy wrote:
>>>> On Wed, 10 Jul 2013, Ana Krivokapic wrote:
>>>>> On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:
>>>>>> On Thu, 20 Jun 2013, Ana Krivokapic wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Attached patches fix systemd and ipactl related bugs:
>>>>>>> https://fedorahosted.org/freeipa/ticket/3730
>>>>>>> https://fedorahosted.org/freeipa/ticket/3729
>>>>>> NACK. For me upgrade case fails (rpm -Uhv), dirsrv didn't restart on upgrade properly and everything else has failed afterwards.
>>>>> This was caused due to 'systemctl is-active' returning exit status 3 ('activating'), and our code treating the non-zero exit status as a failure. I handled this case in the updated patch.
>>>>>
>>>>> As for the ipa.service and dependency ordering, I have done some further testing and found out that adding the '--ignore-dependencies' switch alone solves the shutdown issue. So I think that no modification of ipa.service file is necessary.
>>>>>
>>>>> Updated patches are attached.
>>>> This is much better. However, 'ipactl stop' doesn't stop ns-slapd and dogtag:
>>> What's important is the fact that now I can issue reboot and VM restarts, not hangs, and then IPA starts properly on boot -- this is because when ns-slapd gets a signal from systemd, it automatically shuts itself down properly and the same happens to dogtag.
>>>
>>> This is good enough so that I push current patches to master but please proceed on fixing 'ipactl stop' issue.
>> Thanks for catching that. I am attaching a patch which should solve this issue.
> Works now, I tried stop/start/restart, all processes were properly addressed. Thanks!

Is that an ACK? If yes, please push the patches :-)

Martin
Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes
On Mon, 15 Jul 2013, Martin Kosek wrote:
> On 07/11/2013 05:03 PM, Alexander Bokovoy wrote:
>> On Thu, 11 Jul 2013, Ana Krivokapic wrote:
>>> On 07/11/2013 11:38 AM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Jul 2013, Alexander Bokovoy wrote:
>>>>> On Wed, 10 Jul 2013, Ana Krivokapic wrote:
>>>>>> On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:
>>>>>>> On Thu, 20 Jun 2013, Ana Krivokapic wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Attached patches fix systemd and ipactl related bugs:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3730
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3729
>>>>>>> NACK. For me upgrade case fails (rpm -Uhv), dirsrv didn't restart on upgrade properly and everything else has failed afterwards.
>>>>>> This was caused due to 'systemctl is-active' returning exit status 3 ('activating'), and our code treating the non-zero exit status as a failure. I handled this case in the updated patch.
>>>>>>
>>>>>> As for the ipa.service and dependency ordering, I have done some further testing and found out that adding the '--ignore-dependencies' switch alone solves the shutdown issue. So I think that no modification of ipa.service file is necessary.
>>>>>>
>>>>>> Updated patches are attached.
>>>>> This is much better. However, 'ipactl stop' doesn't stop ns-slapd and dogtag:
>>>> What's important is the fact that now I can issue reboot and VM restarts, not hangs, and then IPA starts properly on boot -- this is because when ns-slapd gets a signal from systemd, it automatically shuts itself down properly and the same happens to dogtag.
>>>>
>>>> This is good enough so that I push current patches to master but please proceed on fixing 'ipactl stop' issue.
>>> Thanks for catching that. I am attaching a patch which should solve this issue.
>> Works now, I tried stop/start/restart, all processes were properly addressed. Thanks!
>
> Is that an ACK?
> If yes, please push the patches :-)

It is already in master, I only forgot to respond on the list: af7807aacc6cf1beb25e53483b54bd599bd6421d

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search
On 07/11/2013 05:10 PM, Tomas Babej wrote:
> On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:
>> On 07/11/2013 11:20 AM, Tomas Babej wrote:
>>> boolean_var = {} - for var in ('persistent_search', 'serial_autoincrement'): + for var in ('serial_autoincrement'):
>> This won't work - a one element tuple needs a comma at the end: ('serial_autoincrement', )
>>
>>> boolean_var[var] = yes if getattr(self, var, False) else no self.sub_dict = dict(FQDN=self.fqdn, @@ -607,9 +604,8 @@ class BindInstance(service.Service): SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, - ZONE_REFRESH=self.zone_refresh, IPA_CA_RECORD=ipa_ca, - PERSISTENT_SEARCH=boolean_var['persistent_search'], + PERSISTENT_SEARCH=yes, SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
>> But anyway, I think this piece of code is unnecessarily complicated, I don't see a need for the 'boolean_var' dict here. I would suggest replacing it with something like:
>>
>> serial_autoincrement = yes if self.serial_autoincrement else no
>>
>> and then pass serial_autoincrement to self.sub_dict = dict(...)
>
> Attached patch refactored the relevant part of the code.
>
> Tomas

Thanks for patches!

I am just thinking, should we also hide the respective option from ipa global DNS configuration? That's idnszonerefresh attribute. We may want to mark the attribute as invisible in CLI + remove it from Web UI.

Petr - what is your take on this? Do you plan to remove idnszonerefresh attribute support in the future (Fedora 20) as persistent search will be mandatory in that time?

Thanks,
Martin
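Review bot: on the quoted 'for var in ('serial_autoincrement'):' hunk, beyond the missing trailing comma Ana points out, the parenthesised string is iterated character by character, so boolean_var ends up keyed by single letters and the later 'boolean_var['serial_autoincrement']' lookup in the sub_dict hunk raises KeyError at install time; Ana's suggested 'serial_autoincrement = yes if self.serial_autoincrement else no' drops the dict entirely and removes the failure mode rather than patching it.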
Re: [Freeipa-devel] [PATCH] 1102 set correct content-type
On 07/15/2013 10:44 AM, Jan Cholasta wrote:
> On 11.7.2013 22:50, Rob Crittenden wrote:
>> Set the correct content-type on negotiated XML-RPC requests. It was being set as text/plain when it should be text/xml.
>>
>> rob
>
> ACK.
>
> Honza

Pushed to master, ipa-3-2.

Martin
Re: [Freeipa-devel] [PATCH] Remove unused variable
On 07/15/2013 12:27 PM, Tomas Babej wrote:
> On Wednesday 10 of July 2013 22:27:16 Jakub Hrozek wrote:
>> Hi,
>>
>> I was doing quite a few builds of freeipa for testing and patch reviews lately and found a couple of unused variables. The attached patch removed the variables.
>
> ACK
>
> Tomas

Pushed to master.

Martin
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 15.7.2013 15:16, Martin Kosek wrote:
> On 07/11/2013 12:15 PM, Alexander Bokovoy wrote:
>> On Thu, 11 Jul 2013, Jan Cholasta wrote:
>>> We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week).
>> Ok. The patchset is in ipa-3-2 as well now.
>
> Just checking:
>
> 1) Jan, did you check size of these new indexes on IPA master with such a high number of users? How big are they? I want to make sure that this won't create an issue on upgrades to new 3.2.x.

With 10k users, the indices ate roughly 250 MB of disk space.

> 2) Does the patch set also fix the problem for Web UI? Currently, I think it will still grab and process all member attributes even though it does not need it. If the Web UI performance is still not sharp, I would rather leave this ticket opened and let Jan/Petr cooperate on the Web UI part.

I agree on keeping the ticket open.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search
On 15.7.2013 15:31, Martin Kosek wrote:
> On 07/11/2013 05:10 PM, Tomas Babej wrote:
>> On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:
>>> On 07/11/2013 11:20 AM, Tomas Babej wrote:
>>>> boolean_var = {} - for var in ('persistent_search', 'serial_autoincrement'): + for var in ('serial_autoincrement'):
>>> This won't work - a one element tuple needs a comma at the end: ('serial_autoincrement', )
>>>
>>>> boolean_var[var] = yes if getattr(self, var, False) else no self.sub_dict = dict(FQDN=self.fqdn, @@ -607,9 +604,8 @@ class BindInstance(service.Service): SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, - ZONE_REFRESH=self.zone_refresh, IPA_CA_RECORD=ipa_ca, - PERSISTENT_SEARCH=boolean_var['persistent_search'], + PERSISTENT_SEARCH=yes, SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
>>> But anyway, I think this piece of code is unnecessarily complicated, I don't see a need for the 'boolean_var' dict here. I would suggest replacing it with something like:
>>>
>>> serial_autoincrement = yes if self.serial_autoincrement else no
>>>
>>> and then pass serial_autoincrement to self.sub_dict = dict(...)
>>
>> Attached patch refactored the relevant part of the code.
>>
>> Tomas
>
> Thanks for patches!
>
> I am just thinking, should we also hide the respective option from ipa global DNS configuration? That's idnszonerefresh attribute. We may want to mark the attribute as invisible in CLI + remove it from Web UI.
>
> Petr - what is your take on this? Do you plan to remove idnszonerefresh attribute support in the future (Fedora 20) as persistent search will be mandatory in that time?

Yes, you are right. We completely forgot to web UI. And yes - please remove the option from web UI.

The latest development shows that persistent search will be replaced by RFC 4533 (known as 'syncrepl'), but from user's point of view it doesn't matter. All options related to persistent search and zone_refresh will simply disappear. Syncrepl itself doesn't require explicit configuration.

-- 
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search
On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote: On 07/15/2013 03:44 PM, Petr Spacek wrote: On 15.7.2013 15:31, Martin Kosek wrote: On 07/11/2013 05:10 PM, Tomas Babej wrote: On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote: On 07/11/2013 11:20 AM, Tomas Babej wrote: boolean_var = {} - for var in ('persistent_search', 'serial_autoincrement'): + for var in ('serial_autoincrement'): This won't work - a one element tuple needs a comma at the end: ('serial_autoincrement', ) boolean_var[var] = yes if getattr(self, var, False) else no self.sub_dict = dict(FQDN=self.fqdn, 
@@ -607,9 +604,8 @@ class BindInstance(service.Service): SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, - ZONE_REFRESH=self.zone_refresh, IPA_CA_RECORD=ipa_ca, - PERSISTENT_SEARCH=boolean_var['persistent_search'], + PERSISTENT_SEARCH=yes, SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],) But anyway, I think this piece of code is unnecessarily complicated, I don't see a need for the 'boolean_var' dict here. I would suggest replacing it with something like: serial_autoincrement = yes if self.serial_autoincrement else no and then pass serial_autoincrement to self.sub_dict = dict(...) Attached patch refactored the relevant part of the code. Tomas Thanks for patches! I am just thinking, should we also hide the respective option from ipa global DNS configuration? That's idnszonerefresh attribute. We may want to mark the attribute as invisible in CLI + remove it from Web UI. Petr - what is your take on this? Do you plan to remove idnszonerefresh attribute support in the future (Fedora 20) as persistent search will be mandatory in that time? Yes, you are right. We completely forgot to web UI. And yes - please remove the option from web UI. Ok, Tomas please do the changes as proposed above. The latest development shows that persistent search will be replaced by RFC 4533 (known as 'syncrepl'), but from user's point of view it doesn't matter. All options related to persistent search and zone_refresh will simply disappear. Syncrepl itself doesn't require explicit configuration. Ah, so this means that psearch option will be also removed from bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that cause issues with Fedora 20? Should we already avoid using the psearch option and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by default? Won't the new bind-dyndb-ldap simply ignore the psearch option when it moves to syncrepl ? Simo. 
-- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
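Review bot: the loop `for var in ('serial_autoincrement'):` in the quoted hunk iterates over the characters of a plain string, because parentheses alone do not make a tuple, so `boolean_var` ends up keyed by single letters and `boolean_var['serial_autoincrement']` in the sub_dict raises KeyError at install time. Either write `('serial_autoincrement',)` or, now that only one variable remains, drop the dict and pass `'yes' if self.serial_autoincrement else 'no'` directly, as proposed earlier in the thread. With `ZONE_REFRESH` gone from the substitution dict and `PERSISTENT_SEARCH` hard-coded to yes, also confirm that the named.conf template no longer contains a `$ZONE_REFRESH` placeholder and that the upgrade path removes `zone_refresh` and `psearch` from existing configurations, otherwise a fresh template and an upgraded file end up with contradictory settings.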
Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search
On 15.7.2013 16:15, Simo Sorce wrote: On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote: On 07/15/2013 03:44 PM, Petr Spacek wrote: On 15.7.2013 15:31, Martin Kosek wrote: On 07/11/2013 05:10 PM, Tomas Babej wrote: On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote: On 07/11/2013 11:20 AM, Tomas Babej wrote: boolean_var = {} - for var in ('persistent_search', 'serial_autoincrement'): + for var in ('serial_autoincrement'): This won't work - a one element tuple needs a comma at the end: ('serial_autoincrement', ) boolean_var[var] = yes if getattr(self, var, False) else no self.sub_dict = dict(FQDN=self.fqdn, 
@@ -607,9 +604,8 @@ class BindInstance(service.Service): SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, - ZONE_REFRESH=self.zone_refresh, IPA_CA_RECORD=ipa_ca, - PERSISTENT_SEARCH=boolean_var['persistent_search'], + PERSISTENT_SEARCH=yes, SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],) But anyway, I think this piece of code is unnecessarily complicated, I don't see a need for the 'boolean_var' dict here. I would suggest replacing it with something like: serial_autoincrement = yes if self.serial_autoincrement else no and then pass serial_autoincrement to self.sub_dict = dict(...) Attached patch refactored the relevant part of the code. Tomas Thanks for patches! I am just thinking, should we also hide the respective option from ipa global DNS configuration? That's idnszonerefresh attribute. We may want to mark the attribute as invisible in CLI + remove it from Web UI. Petr - what is your take on this? Do you plan to remove idnszonerefresh attribute support in the future (Fedora 20) as persistent search will be mandatory in that time? Yes, you are right. We completely forgot to web UI. And yes - please remove the option from web UI. Ok, Tomas please do the changes as proposed above. The latest development shows that persistent search will be replaced by RFC 4533 (known as 'syncrepl'), but from user's point of view it doesn't matter. All options related to persistent search and zone_refresh will simply disappear. Syncrepl itself doesn't require explicit configuration. Ah, so this means that psearch option will be also removed from bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that cause issues with Fedora 20? Should we already avoid using the psearch option and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by default? Won't the new bind-dyndb-ldap simply ignore the psearch option when it moves to syncrepl ? 
I can do it, but I think that cleanest way is to remove the 'psearch' option in upgrade script. Another option is to release new bind-dyndb-ldap to Fedora 19 and change default values to 'psearch yes' right now. Do you agree? -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCHES] 0230-0244 Integration testing framework
On 07/11/2013 01:28 PM, Jan Cholasta wrote: On 10.7.2013 17:50, Petr Viktorin wrote: On 07/10/2013 02:03 PM, Jan Cholasta wrote: make test seems to run fine with patches 230-242 applied, however ipa-run-tests produces the following output: [...Skipping nose output...] I guess the location of the test certificate should be made configurable in order to fix the host and service plugin test failures. Making the existing test suite pass out of tree it's not a goal for this patchset. There is a pending patch for the service cert. Better report it now than forget it later. Also, there is a lot of debugging messages in ipa-run-tests output which wasn't there before IIRC, is that intentional? Yes, I believe that for the integration tests it's better to see what is going on. Both for manual runs, and also this way the information is more easily picked up by CI tools. It's harder to see what's going on with so much noise IMHO, I would prefer less verbose output for manual runs by default. On the other hand, the integration tests take too long and without output they may seem stuck. I'd rather not make that the default. I'll try to find some balance and make it more easily configurable in future patches. If $MASTER (and possible other host names) is not resolvable, ipa-test-config --global crashes: $ ipa-test-config --global Traceback (most recent call last): File /usr/bin/ipa-test-config, line 104, in module print main(sys.argv[1:]), File /usr/bin/ipa-test-config, line 58, in main return config.env_to_script(get_object(conf, args).to_env(**kwargs)) File /usr/lib/python2.7/site-packages/ipatests/test_integration/config.py, line 168, in to_env env['MASTER'] = default_domain.master.hostname File /usr/lib/python2.7/site-packages/ipatests/test_integration/config.py, line 282, in master return self.masters[0] IndexError: list index out of range Fixed. Now, if the name is not resolvable, reading the config will fail. 
Alternatively, the IP address can be given in variables such as $BEAKERREPLICA1_IP_env1 (no, I didn't invent the name). This fixed ipa-test-config as advertised, but ipa-run-tests test_integration/test_simple_replication.py still fails. Both the tests in test_simple_replication.py fail for me. I suspect it is because the data isn't replicated fast enough, a little delay between user-show and user-add might fix this. Hm, they worked for me. I've added a delay. It seems fragile, I wonder what the proper way to do this would be. Hmm, the replica - master test still fails for me, even with delay increased to 20 s. Is there anything in the DS logs? Something less fragile than delay would certainly be nice. I'll read up on the DS replication docs, and ask for some guidance. I've made some other changes, mainly BeakerLib plugin output.
Patch 240: Avoid infinite recursion that happened with some cases of bad SSH credentials
Patch 241-243: Rework the BeakerLib plugin output to better match traditional Beaker tests
Patch 244: Make it possible to explicitly specify IP addresses of hosts
To sum things up, there are still some little bugs, but these can be fixed after the beta release, in general everything seems to work, so ACK. Thanks, pushed to master: 23d3fde05960d6e47485e246e11bec701b30cb59 Not closing the ticket yet until the issues are cleared (or moved to separate tickets). -- Petr³
Re: [Freeipa-devel] [PATCH] Use pkg-config to detect cmocka
On 07/15/2013 03:13 PM, Alexander Bokovoy wrote: On Mon, 15 Jul 2013, Martin Kosek wrote: On 07/04/2013 01:49 PM, Lukas Slebodnik wrote: On (04/07/13 13:10), Alexander Bokovoy wrote: On Thu, 04 Jul 2013, Lukas Slebodnik wrote: ehlo, libcmocka-0.3 was released and package is available in Fedora >= 18. libcmocka-devel contains pkg-config file, therefore it is better to use pkg-config to detect this library. Patch is attached. Few comments. 0. Please follow https://fedorahosted.org/freeipa/wiki/PatchFormat changed 1. It would be nice to have a ticket in the FreeIPA trac. Could ticket#3434 be used? I know that ticket is fixed. https://fedorahosted.org/freeipa/ticket/3434 Functionality of patch is the same as Sumit's version. 2. I think at this point we need to decide whether we want to have BuildRequires: libcmocka-devel in freeipa.spec.in. Given the change, older version would become unsupported but we don't really have any packaging dependency yet. At the moment, there is not any cmocka test in freeipa source repo. LS Any update with this patch? If the build works OK, I would push it. I think we do not need to add libcmocka BuildRequires ATM and leave the cmocka tests optional (especially if there is no cmocka test). Yes, it works fine. OK. I pushed the patch to master, ipa-3-2. Martin
Re: [Freeipa-devel] DNSSEC support design considerations: key material handling
Hello,

first part of this message quickly concludes discussion about database part of the DNSSEC support and then key material handling is discussed. I'm sorry for the wall of text.

On 27.6.2013 18:43, Simo Sorce wrote:

* How to get sorted list of entries from LDAP? Use LDAP server-side sorting? Do we have necessary indices?

We can do client side sorting as well I guess, I do not have a strong opinion here. The main reason why you need ordering is to detect delete records right ?

Exactly. I realized that server-side sorting doesn't make sense because we plan to use syncrepl, so there is nothing to sort - only the flow of incremental updates.

Syncrepl includes notice of deletions too, right ?

Yes. Client receives delete notification with entryUUID, so we can unambiguously identify the deleted entry. I wrote example LDAP client and it works (against OpenLDAP :-).

(Filesystem) cache maintenance

Questions: How often should we save the cache from operating memory to disk?

Prerequisite to be able to evaluate this question. How expensive is it to save the cache ?

My test zone contains 65535 records, 255 A records, 1 SOA + 1 NS record. Benchmark results:
zone dump: 0.5 s (to text file)
zone load: 1 s (from text file)
zone delete: 9 s (LOL. This is caused by implementation details of RBTDB.)
LDAP search on the whole sub-tree: 15 s

Ouch, this looks very slow, missing indexes ?

I don't see any 'notes=U' in access log. Also, my OpenLDAP instance with the same DNS data can do the same search within 2 seconds.

Is this just the search? or is it search + zone load ?

Just the search.

Load time for bind-dyndb-ldap 3.x: 120 s

So, a reload from scratch can take many 10s of seconds on big zones, did this test include DNSSEC signing ? Or would we need to add that on top ?

The time is for plain load. Current code is horribly ineffective and generates one extra LDAP search for each update. This madness will be eliminated by syncrepl, so the plain load time should be cut to much smaller value. We will see. The other problem is that current code serializes a lot of work. This also will be mitigated to certain level (not completely, for now).

Originally, I planned to write a script which would compare data in LDAP with zone file on disk. This script could be used for debugging and automated testing, so we can assess if the code behaves correctly and decide if we want to implement automatic re-synchronization when necessary.

Wouldn't this script be subject to races depending at what time it is accessing either LDAP or the file ?

Yes, it would. The script was intended for 'lab use':
1. Run DNS server.
2. Do big amount of dynamic updates in short time.
3. Shutdown DNS and LDAP servers.
4. Compare data in DNS database with data in LDAP.

This could tell us how often and how many inconsistencies occur. After that we can make up some re-synchronization intervals etc.

The main issue here is that it is hard to know when doing a full re-sync is necessary. And because it is expensive I am wary of doing it automatically too often. However perhaps a timed event so it is done once a day it is not a bad idea.

I agree.

I think that we sorted out necessary changes in storage/database part of the DNSSEC integration. The remaining part is mostly about key management. Following text mentions 'DNSSEC keys' many times, so I tried to summarize how keys are used in DNSSEC. Feel free to skip it.

== DNSSEC theory ==

Each zone has *at least* two key pairs. They are called Key Signing Key (KSK, the first key pair) and Zone Signing Key (ZSK, the second key pair).
- *Parent* zone contains a copy of public part of the KSK.
- Zone itself contains public part of ZSK (and KSK).
- Client uses public part of KSK (obtained from secure parent zone) for ZSK verification.
- ZSK is used for signing of the real data in the zone (i.e. generating RRSIG records) and verification on client side.

Each key and signature contains key-id, so one zone can be signed by multiple KSKs and ZSKs at the same time. This solves the key roll over problem.

Each key contains this set of timestamps:
Created, Revoke - self descriptive :-)
Publish - public part of the key will be visible in zone after this time
Active - new signatures with this key can be generated after this time
Inactive - new signatures with this key cannot be generated after this time
Delete - public part of the key will be deleted from the zone after this time

NIST says [1] that KSK should be changed ~ each 1-3 years (it requires change in parent zone) and ZSK should be changed ~ each 1-3 months.

The recommendation says [1] that zone should have two ZSKs: One Active (used for signature generation) and second only Published (ready for roll over in case of emergency/when the first key pair expires). This mitigates problems with caches and stale key material during roll-over.

BIND 9
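The key timestamps and the two-ZSK recommendation above, modelled as an added example (not BIND or FreeIPA code): each key carries Created/Publish/Activate/Inactive/Delete/Revoke times, check_policy reports a zone with no active KSK, no active ZSK or no second published (standby) ZSK, and plan_zsk_successor schedules a pre-publish roll-over. The 30/90/30 day intervals and the T0 timeline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


def days(n: int) -> timedelta:
    return timedelta(days=n)


@dataclass
class DnssecKey:
    key_id: int                 # key tag that RRSIG records refer to
    role: str                   # "KSK" or "ZSK"
    created: datetime
    publish: datetime           # public part visible in the zone from here on
    activate: datetime          # new signatures may be produced from here on
    inactive: datetime          # no new signatures after this time
    delete: datetime            # public part removed from the zone after this time
    revoke: Optional[datetime] = None

    def is_published(self, now: datetime) -> bool:
        return self.publish <= now < self.delete

    def is_revoked(self, now: datetime) -> bool:
        return self.revoke is not None and self.revoke <= now

    def is_active(self, now: datetime) -> bool:
        # A revoked key may still be published, but it must not sign anything.
        return self.activate <= now < self.inactive and not self.is_revoked(now)


def published_key_ids(keys: List[DnssecKey], now: datetime) -> List[int]:
    """Key IDs whose DNSKEY records have to be in the zone at `now`."""
    return sorted(k.key_id for k in keys if k.is_published(now))


def signing_key_ids(keys: List[DnssecKey], now: datetime, role: str) -> List[int]:
    """Key IDs of the given role that may produce new RRSIGs at `now`."""
    return sorted(k.key_id for k in keys if k.role == role and k.is_active(now))


def check_policy(keys: List[DnssecKey], now: datetime) -> List[str]:
    """Violations (empty list means OK) of the policy from the text: an active
    KSK, an active ZSK, and a second published ZSK so that a standby key is
    already in resolver caches when a planned or emergency roll-over happens."""
    problems = []
    if not signing_key_ids(keys, now, "KSK"):
        problems.append("no active KSK")
    if not signing_key_ids(keys, now, "ZSK"):
        problems.append("no active ZSK")
    zsk_published = [k for k in keys if k.role == "ZSK" and k.is_published(now)]
    if len(zsk_published) < 2:
        problems.append("fewer than two published ZSKs (no standby key)")
    for k in keys:
        if not (k.created <= k.publish <= k.activate < k.inactive <= k.delete):
            problems.append("key %d has inconsistent timestamps" % k.key_id)
    return problems


def plan_zsk_successor(prev: DnssecKey, key_id: int,
                       prepublish: timedelta = days(30),
                       lifetime: timedelta = days(90),
                       retire: timedelta = days(30)) -> DnssecKey:
    """Pre-publish roll-over: the successor is published `prepublish` before the
    predecessor goes Inactive, starts signing at exactly that moment and signs
    for `lifetime` (NIST's 1-3 months for a ZSK). `prev.delete` must stay at
    least `retire` after `prev.inactive` so cached RRSIGs still validate."""
    activate = prev.inactive
    publish = activate - prepublish
    return DnssecKey(key_id, "ZSK", created=publish, publish=publish,
                     activate=activate, inactive=activate + lifetime,
                     delete=activate + lifetime + retire)


T0 = datetime(2013, 7, 1)   # constructed start of the timeline


def sample_keys() -> List[DnssecKey]:
    """Constructed key set: one KSK, an initial ZSK and its planned successor."""
    ksk = DnssecKey(1, "KSK", T0, T0, T0, T0 + days(730), T0 + days(760))
    zsk1 = DnssecKey(10, "ZSK", T0, T0, T0, T0 + days(90), T0 + days(120))
    zsk2 = plan_zsk_successor(zsk1, key_id=11)
    return [ksk, zsk1, zsk2]


if __name__ == "__main__":
    keys = sample_keys()
    for offset in (10, 70, 100, 130):
        now = T0 + days(offset)
        print(now.date(), "DNSKEY:", published_key_ids(keys, now),
              "signing ZSK:", signing_key_ids(keys, now, "ZSK"),
              "problems:", check_policy(keys, now) or "none")
```

The run walks the timeline: before the successor is published the zone has no standby key, during the overlap both ZSKs are in the DNSKEY RRset while only one signs, and once the old key is deleted the standby warning returns until the next successor is planned.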
Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search
On 07/15/2013 04:41 PM, Petr Spacek wrote: On 15.7.2013 16:15, Simo Sorce wrote: On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote: On 07/15/2013 03:44 PM, Petr Spacek wrote: On 15.7.2013 15:31, Martin Kosek wrote: On 07/11/2013 05:10 PM, Tomas Babej wrote: On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote: On 07/11/2013 11:20 AM, Tomas Babej wrote: boolean_var = {} - for var in ('persistent_search', 'serial_autoincrement'): + for var in ('serial_autoincrement'): This won't work - a one element tuple needs a comma at the end: ('serial_autoincrement', ) boolean_var[var] = yes if getattr(self, var, False) else no self.sub_dict = dict(FQDN=self.fqdn, 
@@ -607,9 +604,8 @@ class BindInstance(service.Service): SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, - ZONE_REFRESH=self.zone_refresh, IPA_CA_RECORD=ipa_ca, - PERSISTENT_SEARCH=boolean_var['persistent_search'], + PERSISTENT_SEARCH=yes, SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],) But anyway, I think this piece of code is unnecessarily complicated, I don't see a need for the 'boolean_var' dict here. I would suggest replacing it with something like: serial_autoincrement = yes if self.serial_autoincrement else no and then pass serial_autoincrement to self.sub_dict = dict(...) Attached patch refactored the relevant part of the code. Tomas Thanks for patches! I am just thinking, should we also hide the respective option from ipa global DNS configuration? That's idnszonerefresh attribute. We may want to mark the attribute as invisible in CLI + remove it from Web UI. Petr - what is your take on this? Do you plan to remove idnszonerefresh attribute support in the future (Fedora 20) as persistent search will be mandatory in that time? Yes, you are right. We completely forgot to web UI. And yes - please remove the option from web UI. Ok, Tomas please do the changes as proposed above. The latest development shows that persistent search will be replaced by RFC 4533 (known as 'syncrepl'), but from user's point of view it doesn't matter. All options related to persistent search and zone_refresh will simply disappear. Syncrepl itself doesn't require explicit configuration. Ah, so this means that psearch option will be also removed from bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that cause issues with Fedora 20? Should we already avoid using the psearch option and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by default? Won't the new bind-dyndb-ldap simply ignore the psearch option when it moves to syncrepl ? 
I can do it, but I think that cleanest way is to remove the 'psearch' option in upgrade script. Hm, right, this should make the upgrade script a lot simpler - it would just remove all psearch or zone_refresh references. Another option is to release new bind-dyndb-ldap to Fedora 19 and change default values to 'psearch yes' right now. Do you agree? Looks OK to me and would let us avoid doing any additional upgrade process for Fedora 20 - are you planning to do a Fedora 19 release any time soon? If yes, we can do the changes we are talking about in next 3.2.x release. Martin
Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups
On 07/15/2013 03:43 PM, Jan Cholasta wrote: On 15.7.2013 15:16, Martin Kosek wrote: On 07/11/2013 12:15 PM, Alexander Bokovoy wrote: On Thu, 11 Jul 2013, Jan Cholasta wrote: We can add WebUI improvements later. I have some WIP, but I need to discuss it with Petr first (he's away this week). Ok. The patchset is in ipa-3-2 as well now. Just checking: 1) Jan, did you check size of these new indexes on IPA master with such a high number of users? How big are they? I want to make sure that this won't create an issue on upgrades to new 3.2.x. With 10k users, the indices ate roughly 250 MB of disk space. 2) Does the patch set also fix the problem for Web UI? Currently, I think it will still grab and process all member attributes even though it does not need it. If the Web UI performance is still not sharp, I would rather leave this ticket opened and let Jan and Petr cooperate on the Web UI part. I agree on keeping the ticket open. Honza Ok, I reopened the ticket. Petr and Jan, please cooperate on this one. Martin
Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search
On Mon, 2013-07-15 at 16:41 +0200, Petr Spacek wrote: On 15.7.2013 16:15, Simo Sorce wrote: On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote: On 07/15/2013 03:44 PM, Petr Spacek wrote: On 15.7.2013 15:31, Martin Kosek wrote: On 07/11/2013 05:10 PM, Tomas Babej wrote: On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote: On 07/11/2013 11:20 AM, Tomas Babej wrote: boolean_var = {} - for var in ('persistent_search', 'serial_autoincrement'): + for var in ('serial_autoincrement'): This won't work - a one element tuple needs a comma at the end: ('serial_autoincrement', ) boolean_var[var] = yes if getattr(self, var, False) else no self.sub_dict = dict(FQDN=self.fqdn, 
@@ -607,9 +604,8 @@ class BindInstance(service.Service): SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, - ZONE_REFRESH=self.zone_refresh, IPA_CA_RECORD=ipa_ca, - PERSISTENT_SEARCH=boolean_var['persistent_search'], + PERSISTENT_SEARCH=yes, SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],) But anyway, I think this piece of code is unnecessarily complicated, I don't see a need for the 'boolean_var' dict here. I would suggest replacing it with something like: serial_autoincrement = yes if self.serial_autoincrement else no and then pass serial_autoincrement to self.sub_dict = dict(...) Attached patch refactored the relevant part of the code. Tomas Thanks for patches! I am just thinking, should we also hide the respective option from ipa global DNS configuration? That's idnszonerefresh attribute. We may want to mark the attribute as invisible in CLI + remove it from Web UI. Petr - what is your take on this? Do you plan to remove idnszonerefresh attribute support in the future (Fedora 20) as persistent search will be mandatory in that time? Yes, you are right. We completely forgot to web UI. And yes - please remove the option from web UI. Ok, Tomas please do the changes as proposed above. The latest development shows that persistent search will be replaced by RFC 4533 (known as 'syncrepl'), but from user's point of view it doesn't matter. All options related to persistent search and zone_refresh will simply disappear. Syncrepl itself doesn't require explicit configuration. Ah, so this means that psearch option will be also removed from bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that cause issues with Fedora 20? Should we already avoid using the psearch option and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by default? Won't the new bind-dyndb-ldap simply ignore the psearch option when it moves to syncrepl ? 
I can do it, but I think that cleanest way is to remove the 'psearch' option in upgrade script. Sure, but if the upgrade, for whatever reason, fails to remove it bind-dyndb-ldap should just ignore it. Another option is to release new bind-dyndb-ldap to Fedora 19 and change default values to 'psearch yes' right now. Do you agree? Too much churn, I think it is ok to change it when we are done with syncrepl and upgrade config, with the fallback failsafe that even if upgrade doesn't remove the option bind-dyndb-ldap will simply ignore it. This will be safer even for people using stuff like cfengine/puppet to manage configurations and not realizing we changed the conf on upgrade, their confsystems will push again a conf file with psearch yes but bind-dyndb-ldap won't break. Simo. -- Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 0108 Add support for compatibility tree for trusted domain users
Hi! Attached patch allows to enable serving trusted domain users and groups through Schema Compatibilty plugin. The patch only does FreeIPA master configuration settings, the real work is done by the changes to slapi-nis plugin (in a separate email). Since ipa-adtrust-install can safely be run multiple times, one can re-run it on the IPA master to enable serving old clients, by specifying ipa-adtrust-install --enable-compat or answering 'yes' to the interactive question. I have expanded man page for ipa-adtrust-install to cover this option. Once enabled, following is possible: --- # ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '((cn=domain adm...@ad.lan)(objectclass=posixgroup))' SASL/GSSAPI authentication started SASL username: ad...@vda.li SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base cn=compat,dc=vda,dc=li with scope subtree # filter: ((cn=domain adm...@ad.lan)(objectclass=posixgroup)) # requesting: ALL # # domain adm...@ad.lan, groups, compat, vda.li dn: cn=domain adm...@ad.lan,cn=groups,cn=compat,dc=vda,dc=li objectClass: posixGroup objectClass: extensibleObject objectClass: top gidNumber: 1442800512 memberUid: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li schema-compat-origin: sssd ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512 cn: domain adm...@ad.lan # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 --- and for users: --- # ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li # '(uid=administra...@ad.lan)' SASL/GSSAPI authentication started SASL username: ad...@vda.li SASL SSF: 56 SASL data security layer installed. 
# extended LDIF # # LDAPv3 # base cn=compat,dc=vda,dc=li with scope subtree # filter: (uid=administra...@ad.lan) # requesting: ALL # # administra...@ad.lan, users, compat, vda.li dn: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li objectClass: posixAccount objectClass: extensibleObject objectClass: top gecos: Administrator cn: Administrator uidNumber: 1442800500 gidNumber: 1442800500 homeDirectory: / schema-compat-origin: sssd ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500 uid: administra...@ad.lan # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 Currently PAM authentication is a bit broken due to yet-to-hunt bug in SSSD or my environment (Jakub was unable to reproduce it) where SSSD thinks that AD DC is offline during authentication step. However, if you don't hit the bug, you can check authentication by doing following bind and entering a password for your AD administrator: # ldapsearch -D uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li \ -W -x -C -a always -b dc=vda,dc=li '(uid=admin)' The bind operation needs to be performed _after_ user lookup. All these commands are only examples, I'm currently working on seeing how to configure pam_ldap/nss_ldap to use compat plugin this way. -- / Alexander Bokovoy From bd7addcc2a2b37cd128dcbea0bc6e9b2929e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 15 Jul 2013 19:13:50 +0300 Subject: [PATCH] ipa-adtrust-install: configure compatibility tree to serve trusted domain users Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. 
These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path. https://fedorahosted.org/freeipa/ticket/3567 ---
Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search
On 07/15/2013 06:28 PM, Simo Sorce wrote: On Mon, 2013-07-15 at 16:41 +0200, Petr Spacek wrote: On 15.7.2013 16:15, Simo Sorce wrote: On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote: On 07/15/2013 03:44 PM, Petr Spacek wrote: On 15.7.2013 15:31, Martin Kosek wrote: On 07/11/2013 05:10 PM, Tomas Babej wrote: On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote: On 07/11/2013 11:20 AM, Tomas Babej wrote: boolean_var = {} - for var in ('persistent_search', 'serial_autoincrement'): + for var in ('serial_autoincrement'): This won't work - a one element tuple needs a comma at the end: ('serial_autoincrement', ) boolean_var[var] = yes if getattr(self, var, False) else no self.sub_dict = dict(FQDN=self.fqdn, 
@@ -607,9 +604,8 @@ class BindInstance(service.Service): SUFFIX=self.suffix, OPTIONAL_NTP=optional_ntp, ZONEMGR=self.zonemgr, - ZONE_REFRESH=self.zone_refresh, IPA_CA_RECORD=ipa_ca, - PERSISTENT_SEARCH=boolean_var['persistent_search'], + PERSISTENT_SEARCH=yes, SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],) But anyway, I think this piece of code is unnecessarily complicated, I don't see a need for the 'boolean_var' dict here. I would suggest replacing it with something like: serial_autoincrement = yes if self.serial_autoincrement else no and then pass serial_autoincrement to self.sub_dict = dict(...) Attached patch refactored the relevant part of the code. Tomas Thanks for patches! I am just thinking, should we also hide the respective option from ipa global DNS configuration? That's idnszonerefresh attribute. We may want to mark the attribute as invisible in CLI + remove it from Web UI. Petr - what is your take on this? Do you plan to remove idnszonerefresh attribute support in the future (Fedora 20) as persistent search will be mandatory in that time? Yes, you are right. We completely forgot to web UI. And yes - please remove the option from web UI. Ok, Tomas please do the changes as proposed above. The latest development shows that persistent search will be replaced by RFC 4533 (known as 'syncrepl'), but from user's point of view it doesn't matter. All options related to persistent search and zone_refresh will simply disappear. Syncrepl itself doesn't require explicit configuration. Ah, so this means that psearch option will be also removed from bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that cause issues with Fedora 20? Should we already avoid using the psearch option and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by default? Won't the new bind-dyndb-ldap simply ignore the psearch option when it moves to syncrepl ? 
I can do it, but I think that cleanest way is to remove the 'psearch' option in upgrade script. Sure, but if the upgrade, for whatever reason, fails to remove it bind-dyndb-ldap should just ignore it. Another option is to release new bind-dyndb-ldap to Fedora 19 and change default values to 'psearch yes' right now. Do you agree? Too much churn, I think it is ok to change it when we are done with syncrepl and upgrade config, with the fallback failsafe that even if upgrade doesn't remove the option bind-dyndb-ldap will simply ignore it. This will be safer even for people using stuff like cfengine/puppet to manage configurations and not realizing we changed the conf on upgrade, their confsystems will push again a conf file with psearch yes but bind-dyndb-ldap won't break. Simo. Hmm, that's right, it should be safer. Can bind-dyndb-ldap just yell to error log that there is an unknown configuration option? (if it does not do that already). Martin
[Freeipa-devel] [PATCH] slapi-nis support for trusted domains
Hi! Attached please find two patches against slapi-nis 0.47 to serve trusted domain users and groups to old clients. FreeIPA master needs to be enabled with this, see my patch 0108 (on freeipa-devel@). The patches add both lookup and PAM-based authentication bind for the users returned by SSSD lookup. Here is the logic:

0. Configuration is performed by setting
schema-compat-lookup-sssd: user|group
schema-compat-sssd-min-id: value
in corresponding schema-compat plugin tree (cn=users and cn=groups). If schema-compat-sssd-min-id is not set, it will default to 1000. It is used to filter out attempts to fetch system users (< 1000 on Fedora by default).

1. On query, we parse query filter to identify what type of request this is: user or group lookup, and then issue getpwnam_r()/getgrnam_r() and getsidbyid() from libsss_nss_idmap to fetch all needed information. SSSD caches these requests, so they should be relatively fast.

2. Once we served the request, it is cached in schema-compat cache map. The entry in the cache is currently not expired explicitly but I'm working on expiring it on wrong authentication -- if PAM stack returns a response telling there is no such user.

3. Authentication bind for cached entries is done via PAM service 'system-auth'. If HBAC rule 'allow_all' is disabled in FreeIPA, one needs to create a rule with service 'system-auth' and allow all users to access it on IPA masters. Since system-auth is never used explicitly by any application (it is always included through PAM stack and only top-level PAM service is used to drive the HBAC ruleset), there is no problem.

PAM authentication code is taken from pam_passthru DS plugin. We cannot use it unchanged because pam_passthru expects that LDAP entry will exist in DS, while it is not true for these synthetic entries representing trusted domain users.

On Fedora one needs pam-devel and libsss_nss_idmap-devel to build the plugin with new functionality. -- / Alexander Bokovoy
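Steps 0-2 above, retraced in Python as an added example rather than the plugin's C: classify_filter picks the name out of the search filter, a resolver fetches it through NSS (the getpwnam/getgrnam path SSSD serves on an IPA master; the libsss_nss_idmap SID is left out), ids below schema-compat-sssd-min-id are dropped, and a synthetic posixAccount/posixGroup entry is built under the compat tree. The dc=example,dc=test suffix, the ad.test names and CONSTRUCTED_DIRECTORY are constructed stand-ins, not data from the page.

```python
import grp
import pwd
import re
from typing import Callable, Dict, Optional, Tuple

SUFFIX = "dc=example,dc=test"               # constructed base DN
USERS_BASE = "cn=users,cn=compat," + SUFFIX
GROUPS_BASE = "cn=groups,cn=compat," + SUFFIX
MIN_ID_DEFAULT = 1000                       # schema-compat-sssd-min-id default

# exact (uid=...) / (cn=...) components; wildcard values are rejected below
_NAME_RE = re.compile(r"\((uid|cn)=([^()]+)\)", re.IGNORECASE)


def classify_filter(filt: str) -> Optional[Tuple[str, str]]:
    """Step 1: decide whether a search filter is a user or a group lookup by
    name. Returns ("user", name) or ("group", name); None means the filter has
    no exact name component (wildcards, pure objectclass filters), so there is
    nothing to ask SSSD for."""
    found = {attr.lower(): value for attr, value in _NAME_RE.findall(filt)}
    for attr, kind in (("uid", "user"), ("cn", "group")):
        value = found.get(attr)
        if value and "*" not in value:
            return kind, value.lower()     # SSSD normalizes names to lower case
    return None


def nss_resolver(kind: str, name: str) -> Dict:
    """Default back end: the NSS interface (getpwnam/getgrnam), which SSSD
    serves on an IPA master. Raises KeyError for unknown names."""
    if kind == "user":
        pw = pwd.getpwnam(name)
        return {"name": pw.pw_name, "id": pw.pw_uid, "gid": pw.pw_gid,
                "gecos": pw.pw_gecos, "home": pw.pw_dir}
    gr = grp.getgrnam(name)
    return {"name": gr.gr_name, "id": gr.gr_gid, "members": list(gr.gr_mem)}


# Constructed trusted-domain accounts standing in for what SSSD would return.
CONSTRUCTED_DIRECTORY = {
    ("user", "administrator@ad.test"): {
        "name": "administrator@ad.test", "id": 1442800500, "gid": 1442800500,
        "gecos": "Administrator", "home": "/"},
    ("group", "domain admins@ad.test"): {
        "name": "domain admins@ad.test", "id": 1442800512,
        "members": ["administrator@ad.test"]},
    ("user", "root"): {"name": "root", "id": 0, "gid": 0, "gecos": "root",
                       "home": "/root"},
}


def constructed_resolver(kind: str, name: str) -> Dict:
    return CONSTRUCTED_DIRECTORY[(kind, name)]


def compat_lookup(filt: str, min_id: int = MIN_ID_DEFAULT,
                  resolver: Callable[[str, str], Dict] = nss_resolver) -> Optional[Dict]:
    """Synthesize the compat-tree entry for a filter. None means: not a name
    lookup, name unknown to the back end, or id below min_id (step 0's filter
    that keeps local system accounts out of the trusted-domain view)."""
    request = classify_filter(filt)
    if request is None:
        return None
    kind, name = request
    try:
        rec = resolver(kind, name)
    except KeyError:
        return None
    if rec["id"] < min_id:
        return None
    if kind == "user":
        return {"dn": "uid=%s,%s" % (rec["name"], USERS_BASE),
                "objectClass": ["posixAccount", "extensibleObject", "top"],
                "uid": rec["name"], "cn": rec["gecos"] or rec["name"],
                "gecos": rec["gecos"], "uidNumber": rec["id"],
                "gidNumber": rec["gid"], "homeDirectory": rec["home"],
                "schema-compat-origin": "sssd"}
    return {"dn": "cn=%s,%s" % (rec["name"], GROUPS_BASE),
            "objectClass": ["posixGroup", "extensibleObject", "top"],
            "cn": rec["name"], "gidNumber": rec["id"],
            # the ldapsearch output on the page lists members as compat-tree DNs
            "memberUid": ["uid=%s,%s" % (m, USERS_BASE) for m in rec["members"]],
            "schema-compat-origin": "sssd"}
```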
From d3433f2033015724fc6580c00d89627afbc06c1d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Mon, 15 Jul 2013 14:18:52 +0300 Subject: [PATCH 1/2] configure: add configure checks for sss_idmap and define attribute to lookup sssd If schema compat plugin configuration has 'schema-compat-lookup-sssd: user|group' then schema compat plugin will perform lookups of users/groups that were not found in the main store using getpwnam_r()/getgrnam_r() and libsss_idmap library. This is special case to support legacy clients. Schema compat plugin in the case is assumed to be running on FreeIPA master configured with trusts against Active Directory and SSSD configure as ipa_server_mode = True. Additionally, such entries are added to schema compat plugin's map cache and can be used for authentication purposes. They will use PAM authentication pass-through to system-auth service. --- configure.ac| 48 src/Makefile.am | 6 ++ 2 files changed, 54 insertions(+) diff --git a/configure.ac b/configure.ac index 8d7cbe1..4a47d36 100644 --- a/configure.ac +++ b/configure.ac 
@@ -309,6 +309,47 @@ AC_SUBST(ASYNCNS_CFLAGS) AC_SUBST(ASYNCNS_LIBS) fi +AC_ARG_WITH(sss_nss_idmap, + AS_HELP_STRING([--with-sss-nss-idmap], [use libsss_nss_idmap]), + use_sss_nss_idmap=$withval,use_sss_nss_idmap=AUTO) +if pkg-config sss_nss_idmap 2 /dev/null ; then + if test x$use_sss_nss_idmap != xno ; then + AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have libsss_nss_idmap.]) + PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap) + else + SSS_NSS_IDMAP_CFLAGS= + SSS_NSS_IDMAP_LIBS= + fi +else + if test $use_sss_idmap = yes ; then + PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap) + else + SSS_NSS_IDMAP_CFLAGS= + SSS_NSS_IDMAP_LIBS= + fi +fi +AM_CONDITIONAL([SSS_NSS_IDMAP], [test x$SSS_NSS_IDMAP_LIBS != x]) +AC_SUBST(SSS_NSS_IDMAP_CFLAGS) +AC_SUBST(SSS_NSS_IDMAP_LIBS) + +if x$SSS_NSS_IDMAP_LIBS != x ; then + AC_CHECK_HEADERS(pam.h) + if test x$ac_cv_header_pam_h = xno ; then + use_pam=yes + else + use_pam=no + fi + + if test $use_pam = yes ; then + PAM_CFLAGS= + PAM_LIBS=-lpam + else + AC_ERROR([pam.h not found and it is required for SSSD mode]) + fi + AC_SUBST(PAM_CFLAGS) + AC_SUBST(PAM_LIBS) +fi + mylibdir=`eval echo $libdir | sed s,NONE,${ac_default_prefix},g` mylibdir=`eval echo $mylibdir | sed s,NONE,${ac_prefix},g` case $server in @@ -401,6 +442,13 @@ AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_RDN_ATTR,$rdnattr, attrattr=schema-compat-entry-attribute AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_ATTR_ATTR,$attrattr, [Define to name of the attribute which is used to specify attributes to be used when
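Review bot: the PAM detection in the first configure.ac hunk is inverted: `if test x$ac_cv_header_pam_h = xno ; then use_pam=yes` enables PAM exactly when the header is missing, so a host without pam-devel gets `PAM_LIBS=-lpam` and fails at link time, while a host that has PAM hits `AC_ERROR([pam.h not found and it is required for SSSD mode])`. Swap the branches (or test for `xyes`), and check the header the plugin will actually include, `security/pam_appl.h` (cache variable `ac_cv_header_security_pam_appl_h`), rather than `pam.h`. Two smaller points in the same hunk: `if x$SSS_NSS_IDMAP_LIBS != x ; then` is missing `test`, so the shell tries to execute a command named after the libs value, and the fallback branch tests `$use_sss_idmap`, which nothing sets; the variable defined by the AC_ARG_WITH above is `use_sss_nss_idmap`, so `--with-sss-nss-idmap=yes` cannot force the PKG_CHECK_MODULES failure the way the branch intends. AC_ERROR is also obsolete in current autoconf; AC_MSG_ERROR is the supported spelling.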