[Freeipa-devel] [PATCHES] 152-158 ipa-server-certinstall fixes

2013-07-15 Thread Jan Cholasta

On 11.7.2013 14:10, Jan Cholasta wrote:

Hi,

this is the first batch of patches for
https://fedorahosted.org/freeipa/ticket/3641. It contains port of
ipa-server-certinstall to the admintool framework and fixes some bugs.

Note that there's still some work I have to do to make
ipa-server-certinstall work properly for installs with CA, currently it
works reliably only on CA-less installs.

This patchset also does not make it possible to change the CA
certificate (as requested in the ticket). We discussed this with Rob and
agreed that it should instead be done as part of
https://fedorahosted.org/freeipa/ticket/3737. Unless there are any
objections, that's what is going to happen.


Added patches (157 and 158) to support installs with CA.

Honza

--
Jan Cholasta
From ce481fa8d10a90612e1a7bfd75e69a3a240ba0c2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 15 Jul 2013 08:12:14 +
Subject: [PATCH 1/2] Replace only the cert instead of the whole NSS DB in
 ipa-server-certinstall.

https://fedorahosted.org/freeipa/ticket/3641
---
 ipaserver/install/certs.py  |  4 
 ipaserver/install/ipa_server_certinstall.py | 31 +++--
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 531ea76..681892b 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -708,6 +708,10 @@ class CertDB(object):
 -f, self.passwd_fname]
 self.run_certutil(args)
 
+def delete_cert(self, nickname):
+args = [-D, -n, nickname]
+self.run_certutil(args)
+
 def create_pin_file(self):
 
 This is the format of Directory Server pin files.
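Review bot: `delete_cert` hands `nickname` straight to `certutil -D` with no guard for an empty or `None` value, which is exactly what the new callers will pass when the current nickname cannot be determined (no `nssslpersonalityssl` value, no `NSSNickname` directive); a `None` in the argument list makes `run_certutil` fail with an unrelated error. Suggest an early `if not nickname: return` (or a clear `RuntimeError`), and since removing a certificate from the NSS DB is destructive, a log line naming the nickname being deleted.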
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index c2cd4df..e467609 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -101,18 +101,20 @@ class ServerCertInstall(admintool.AdminTool):
 def install_dirsrv_cert(self):
 serverid = dsinstance.realm_to_serverid(api.env.realm)
 dirname = dsinstance.config_dirname(serverid)
-pwdfile = os.path.join(dirname, 'pwdfile.txt')
-
-server_cert = self.import_cert(dirname, self.options.dirsrv_pin,
-   pwdfile)
 
 conn = ldap2(shared_instance=False, base_dn='')
 conn.connect(bind_dn=DN(('cn', 'directory manager')),
  bind_pw=self.dm_password)
 
-entry = conn.make_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
-   ('cn', 'config')),
-nssslpersonalityssl=[server_cert])
+entry = conn.get_entry(DN(('cn', 'RSA'), ('cn', 'encryption'),
+  ('cn', 'config')),
+   ['nssslpersonalityssl'])
+old_cert = entry.single_value('nssslpersonalityssl')
+
+server_cert = self.import_cert(dirname, self.options.dirsrv_pin,
+   old_cert)
+
+entry['nssslpersonalityssl'] = [server_cert]
 try:
 conn.update_entry(entry)
 except errors.EmptyModlist:
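Review bot: `old_cert` is read from the live `cn=RSA,cn=encryption,cn=config` entry, but `conn.get_entry` raises `errors.NotFound` if the entry is absent and `entry.single_value('nssslpersonalityssl')` yields no nickname when the attribute is unset; neither case is handled before `old_cert` reaches `import_cert`, which then tries to delete a nonexistent certificate. Treat a missing entry or attribute as "no previous cert" and skip the delete instead of failing the install.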
@@ -122,10 +124,12 @@ class ServerCertInstall(admintool.AdminTool):
 
 def install_http_cert(self):
 dirname = certs.NSS_DIR
-pwdfile = os.path.join(dirname, 'pwdfile.txt')
+
+old_cert = installutils.get_directive(httpinstance.NSS_CONF,
+  'NSSNickname')
 
 server_cert = self.import_cert(dirname, self.options.http_pin,
-   pwdfile)
+   old_cert)
 
 installutils.set_directive(httpinstance.NSS_CONF,
'NSSNickname', server_cert)
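Review bot: `installutils.get_directive(httpinstance.NSS_CONF, 'NSSNickname')` returns `None` when the directive is not present, and that `None` flows into `import_cert` and on to `delete_cert`; a guard is needed here or in `delete_cert`. Also confirm that `get_directive` strips the quotes that `set_directive` writes around the value (the new nickname is written back with `set_directive` on the same key a few lines below), otherwise the quoted string is handed to `certutil -n` and never matches.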
@@ -140,20 +144,17 @@ class ServerCertInstall(admintool.AdminTool):
 os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
 os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
 
-def import_cert(self, dirname, pkcs12_passwd, db_pwdfile):
+def import_cert(self, dirname, pkcs12_passwd, old_cert):
 pw = write_tmp_file(pkcs12_passwd)
 server_cert = installutils.check_pkcs12(
 pkcs12_info=(self.pkcs12_fname, pw.name),
 ca_file=CACERT,
 hostname=api.env.host)
 
-with open(db_pwdfile) as fd:
-db_password = fd.read()
-
 cdb = certs.CertDB(api.env.realm, nssdir=dirname)
 try:
-cdb.create_from_pkcs12(self.pkcs12_fname, pw.name,
-   db_password, CACERT)
+cdb.delete_cert(old_cert)
+cdb.import_pkcs12(self.pkcs12_fname, pw.name)
 except RuntimeError, e:
 raise admintool.ScriptError(str(e))
 
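Review bot: `cdb.delete_cert(old_cert)` runs before `cdb.import_pkcs12(...)`, so if the import fails (wrong PKCS#12 password, unreadable file, certutil error) the NSS database is left with no server certificate and the service will not start; `check_pkcs12` has already validated the file, so the window is small, but the failure path is still destructive. Either import first and delete the old nickname afterwards only when it differs from the new one (`if old_cert != server_cert`), or back up the DB files before the delete and restore them on `RuntimeError`. Note too that `import_pkcs12` no longer receives the DB password that `create_from_pkcs12` took, so make sure `CertDB` reads it from its own `passwd_fname` (as the `-f, self.passwd_fname` context above suggests).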
-- 
1.8.3.1

From 4250f0d1a8ba606d158ec5298391edbcca27855e Mon Sep 17 00:00:00 2001
From: Jan 

Re: [Freeipa-devel] [PATCH] 3031 Allow TTL to be configured during ipa-client-install

2013-07-15 Thread James Hogarth

 This patch allows the user during ipa-client-install to pick the TTL to be
 used on the creation of the client DNS records and configures the value in
 sssd.conf so that ongoing changes to IP use the TTL as desired.

Apologies but I just realised I missed the link to the ticket this refers
to... so just to be clear it's for this one:

https://fedorahosted.org/freeipa/ticket/3031

Cheers,

James
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 1102 set correct content-type

2013-07-15 Thread Jan Cholasta

On 11.7.2013 22:50, Rob Crittenden wrote:

Set the correct content-type on negotiated XML-RPC requests. It was
being set as text/plain when it should be text/xml.

rob



ACK.

Honza

--
Jan Cholasta


Re: [Freeipa-devel] [PATCHES] 149-151 Ask for PKCS#12 password interactively

2013-07-15 Thread Jan Cholasta

On 12.7.2013 10:19, Tomas Babej wrote:

Just a nitpick:

+ # If any of the PKCS#12 options are selected, all are required.

+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)

+ pkcs12_opt = (options.pkinit_pkcs12,)

+ if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):

parser.error(All PKCS#12 options are required if any are used.)

This error message is somewhat misleading, since --pkinit-pkcs12 options
is not required.


Fixed.

Updated patches attached.

Honza

--
Jan Cholasta
From 6b21db9dc6c2cc3b7fb5a13877cbe8cb3aec1213 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 9 Jul 2013 10:23:47 +
Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in
 ipa-server-install.

https://fedorahosted.org/freeipa/ticket/3717
---
 install/tools/ipa-server-install | 76 ++--
 1 file changed, 50 insertions(+), 26 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cc88a0b..4ba6f0e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -276,13 +276,20 @@ def parse_options():
 if not options.forwarders and not options.no_forwarders:
 parser.error(You must specify at least one --forwarder option or --no-forwarders option)
 
-# If any of the PKCS#12 options are selected, all are required. Create a
-# list of the options and count it to enforce that all are required without
-# having a huge set of it blocks.
-pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
-cnt = pkcs12.count(None)
-if cnt  0 and cnt  4:
-parser.error(All PKCS#12 options are required if any are used.)
+# If any of the PKCS#12 options are selected, all are required.
+pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+pkcs12_opt = (options.pkinit_pkcs12,)
+if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
+parser.error(--dirsrv_pkcs12 and --http_pkcs12 are required if any 
+ PKCS#12 options are used.)
+
+if options.unattended:
+if options.dirsrv_pkcs12 and not options.dirsrv_pin:
+parser.error(You must specify --dirsrv_pin with --dirsrv_pkcs12)
+if options.http_pkcs12 and not options.http_pin:
+parser.error(You must specify --http_pin with --http_pkcs12)
+if options.pkinit_pkcs12 and not options.pkinit_pin:
+parser.error(You must specify --pkinit_pin with --pkinit_pkcs12)
 
 if options.dirsrv_pkcs12 and not options.root_ca_file:
 parser.error(
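Review bot: the unattended branch at the end of the hunk tests `not options.dirsrv_pin` (and likewise for `http_pin` and `pkinit_pin`), so a PKCS#12 file protected by an empty password cannot be passed non-interactively, because an explicit `--dirsrv_pin ''` is treated the same as an omitted option; compare against `None` if that case is meant to be supported. The reworded error message addresses the earlier nitpick, but `pkcs12_opt` is a one-element tuple built only to feed `any()`, so `if any(pkcs12_req) or options.pkinit_pkcs12` would say the same thing more plainly.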
@@ -704,18 +711,6 @@ def main():
 sys.exit(1)
 cert = certdict[certissuer]
 
-if options.http_pkcs12:
-http_pin_file = ipautil.write_tmp_file(options.http_pin)
-http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
-
-if options.dirsrv_pkcs12:
-dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
-dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
-
-if options.pkinit_pkcs12:
-pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
-pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
-
 # We only set up the CA if the PKCS#12 options are not given.
 if options.dirsrv_pkcs12:
 setup_ca = False
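Review bot: with the `*_pkcs12_info` assignments removed here, `http_pkcs12_info`, `dirsrv_pkcs12_info` and `pkinit_pkcs12_info` are first bound much later in `main()`; anything between this point and the new block must not reference them or it raises `NameError` (the `setup_ca` decision below still uses `options.dirsrv_pkcs12`, which is fine). Worth grepping the intervening code, and the later `pkinit_pkcs12_info` users in particular, since the visible part of the new block only rebuilds the HTTP and dirsrv tuples.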
@@ -834,13 +829,6 @@ def main():
 else:
 domain_name = options.domain_name
 
-if options.http_pkcs12:
-# Check the given PKCS#12 files
-ca_file = options.root_ca_file
-check_pkcs12 = installutils.check_pkcs12
-http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name)
-dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name)
-
 domain_name = domain_name.lower()
 
 ip = get_server_ip_address(host_name, fstore, options.unattended, options)
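Review bot: moving the `check_pkcs12` validation out of this spot defers it until after the domain name and server IP address have been collected, so an invalid PKCS#12 file is now reported later in the interactive flow than before; if fail-fast matters to users, the new prompt-and-check block could sit before `get_server_ip_address` instead.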
@@ -858,6 +846,42 @@ def main():
 if not options.subject:
 options.subject = DN(('O', realm_name))
 
+ca_file = options.root_ca_file
+
+if options.http_pkcs12:
+if not options.http_pin:
+options.http_pin = installutils.read_password(
+Enter %s unlock % options.http_pkcs12,
+confirm=False, validate=False)
+if options.http_pin is None:
+sys.exit(%s unlock password required % options.http_pkcs12)
+http_pin_file = ipautil.write_tmp_file(options.http_pin)
+http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
+http_cert_name = installutils.check_pkcs12(
+http_pkcs12_info, ca_file, host_name)
+
+if options.dirsrv_pkcs12:
+if not options.dirsrv_pin:
+options.dirsrv_pin = installutils.read_password(
+Enter %s unlock % options.dirsrv_pkcs12,
+confirm=False, validate=False)
+if options.dirsrv_pin is None:
+sys.exit(%s unlock password required % 
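Review bot: `installutils.read_password(..., confirm=False, validate=False)` is the right call for an unlock password the user did not choose, but the pin is then written to disk via `ipautil.write_tmp_file`; confirm that helper creates the file with mode 0600 and that the returned temporary-file object is kept referenced for exactly as long as `check_pkcs12` and the later install steps need it, so it is neither deleted early nor left behind. The `sys.exit(... unlock password required ...)` path also leaves the already-collected answers (domain, IP) behind, which argues again for asking for the pins earlier in `main()`.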

Re: [Freeipa-devel] [PATCH] Remove unused variable

2013-07-15 Thread Tomas Babej
On Wednesday 10 of July 2013 22:27:16 Jakub Hrozek wrote:
 Hi,
 
 I was doing quite a few builds of freeipa for testing and patch reviews
 lately and found a couple of unused variables. The attached patch
 removed the variables.

ACK

Tomas

Re: [Freeipa-devel] [PATCH] Use pkg-config to detect cmocka

2013-07-15 Thread Martin Kosek
On 07/04/2013 01:49 PM, Lukas Slebodnik wrote:
 On (04/07/13 13:10), Alexander Bokovoy wrote:
 On Thu, 04 Jul 2013, Lukas Slebodnik wrote:
 ehlo,

 libcmocka-0.3 was released and the package is available in fedora >= 18.
 libcmocka-devel contains pkg-config file,
 therefore it is better to use pkg-config to detect this library.

 Patch is attached.
 Few comments.

 0. Please follow https://fedorahosted.org/freeipa/wiki/PatchFormat
 changed
 
 1. It would be nice to have a ticket in the FreeIPA trac.
 Could ticket#3434 be used? I know that ticket is fixed.
 https://fedorahosted.org/freeipa/ticket/3434
 Functionality of patch is the same as Sumit's version.
 
 2. I think at this point we need to decide whether we want to have
  BuildRequires: libcmocka-devel
   in freeipa.spec.in. Given the change, older version would become
   unsupported but we don't really have any packaging dependency yet.
 At the moment, there is not any cmocka test in freeipa source repo.
 
 LS
 

Any update with this patch? If the build works OK, I would push it.

I think we do not need to add libcmocka BuildRequires ATM and leave the cmocka
tests optional (especially if there is no cmocka test).

Martin


[Freeipa-devel] [PATCH] 0044 Add 'ipa_server_mode' option to SSSD configuration

2013-07-15 Thread Ana Krivokapic
Hello,

This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3652.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 6c332b4a1149a35ebc76ee7756050edc0333ac21 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Mon, 15 Jul 2013 11:09:14 +0200
Subject: [PATCH] Add 'ipa_server_mode' option to SSSD configuration

https://fedorahosted.org/freeipa/ticket/3652
---
 freeipa.spec.in   |  5 -
 install/tools/ipa-upgradeconfig   | 13 -
 ipa-client/ipa-install/ipa-client-install |  2 ++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 05b43bc229abbe3b3b481b9c34e240749de1f226..38d6fca1e0b2229e526e956ff38262e29a03d6ae 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -228,7 +228,7 @@ Requires: pam_krb5
 Requires: wget
 Requires: libcurl = 7.21.7-2
 Requires: xmlrpc-c = 1.27.4
-Requires: sssd = 1.8.0
+Requires: sssd = 1.10.90
 Requires: certmonger = 0.65
 Requires: nss-tools
 Requires: bind-utils
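Review bot: the sssd version bump sits in the Requires block this hunk shows, and the `ipa-client-install` change in this patch writes `ipa_server_mode` only in its on-master branch, so a client-only installation does not need sssd 1.10.90; please state that reasoning in the commit message body, which currently carries only the ticket URL, so `git log` explains where the version constraint comes from.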
@@ -819,6 +819,9 @@ fi
 %endif  # ! %{ONLY_CLIENT}
 
 %changelog
+* Mon Jul 15 2013 Ana Krivokapic akriv...@redhat.com - 3.2.99-6
+- Bump minimum version of sssd to 1.10.90 for the 'ipa_server_mode' option.
+
 * Thu Jul 11 2013 Martin Kosek mko...@redhat.com - 3.2.99-5
 - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
   issues when there are still old parts of software (like entitlements plugin)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4e9216964a045b5a87c22f6eb87bb1844f4adce9..0c955b61dbc14d18aee2d1a01f3a11c67012f522 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -32,6 +32,7 @@ import fileinput
 import ConfigParser
 
 from ipalib import api
+import SSSDConfig
 import ipalib.util
 import ipalib.errors
 from ipapython import ipautil, sysrestore, version, services
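Review bot: `import SSSDConfig` is inserted between `from ipalib import api` and `import ipalib.util`, mixing an external module into the project's own import group; move it up next to `ConfigParser` with the other standard and third-party imports to keep the groups tidy.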
@@ -39,7 +40,6 @@ from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import *
 from ipapython import certmonger
 from ipapython import dogtag
-from ipapython.dn import DN
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance
 from ipaserver.install import httpinstance
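Review bot: dropping `from ipapython.dn import DN` is an unrelated cleanup in a patch about `ipa_server_mode`; either mention it in the commit message or split it out, and double-check that no remaining code path in `ipa-upgradeconfig` (including ones not shown in this diff) still references `DN`, since a wrong unused-import removal only shows up at runtime.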
@@ -841,6 +841,15 @@ def fix_schema_file_syntax(ds):
 sysupgrade.set_upgrade_state('ds', 'fix_schema_syntax', True)
 
 
+def set_sssd_domain_option(option, value):
+sssdconfig = SSSDConfig.SSSDConfig()
+sssdconfig.import_config()
+domain = sssdconfig.get_domain(str(api.env.domain))
+domain.set_option(option, value)
+sssdconfig.save_domain(domain)
+sssdconfig.write(/etc/sssd/sssd.conf)
+
+
 def main():
 
 Get some basics about the system. If getting those basics fail then
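Review bot: `set_sssd_domain_option` has no error handling: if `/etc/sssd/sssd.conf` is missing or unparsable, or has no domain named `api.env.domain`, `import_config`/`get_domain` raise and the upgrade script aborts at its final step with a traceback. Catch the `SSSDConfig` exceptions and report them with `root_logger.error`, as the surrounding code does for failed service restarts, and consider recording the change in `sysupgrade` state like `fix_schema_file_syntax` above so the file is not rewritten on every run.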
@@ -974,5 +983,7 @@ def main():
 except ipautil.CalledProcessError, e:
 root_logger.error(Failed to restart %s: %s, ca.service_name, e)
 
+set_sssd_domain_option('ipa_server_mode', 'True')
+
 if __name__ == '__main__':
 installutils.run_script(main, operation_name='ipa-upgradeconfig')
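Review bot: setting `ipa_server_mode` at the very end of `main()` changes SSSD's configuration without restarting sssd, so the new mode only takes effect after some later, unrelated restart; either restart sssd here through the `services` helper already imported at the top of the file, or document that the restart is expected to happen as part of the package upgrade.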
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 867307aa570b4e8e90a1a8182f1481f0d11a9840..ce7fadee7d15867ecf5b480cea559e8a62f6449a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1104,8 +1104,10 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
 else:
 domain.set_option('ipa_server', '_srv_, %s' % ', '.join(cli_server))
 else:
+domain.set_option('ipa_server_mode', 'True')
 # the master should only use itself for Kerberos
 domain.set_option('ipa_server', cli_server[0])
+
 domain.set_option('ipa_domain', cli_domain)
 domain.set_option('ipa_hostname', client_hostname)
 if cli_domain.lower() != cli_realm.lower():
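Review bot: the new `domain.set_option('ipa_server_mode', 'True')` is placed between `else:` and the comment `# the master should only use itself for Kerberos`, which describes the `ipa_server` line after it, so the comment now reads as if it covered both statements; put the new call after the `ipa_server` assignment (where the added blank line is) to keep the comment attached to the statement it explains.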
-- 
1.8.1.4

Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

2013-07-15 Thread Martin Kosek
On 07/11/2013 08:59 AM, Tomas Babej wrote:
 On Wednesday 26 of June 2013 10:12:48 Petr Spacek wrote:
 
 [snip]
 
 Appropriate error handling = Return 'Permission denied' if particular
 operation requires higher privileges.
 
 IMHO 'cryptic' error message is bad in any case, so the right way how to fix
 'cryptic' error messages is to fix the places where errors are thrown.
 
 I don't think that additional checks in 'advisor' to hide 'cryptic' errors are
 the right approach.
 
 --
 Petr^2 Spacek
 
 To wrap up, after an offline discussion with Petr:
 
 We came to a conclusion that since 'require_root' attribute is optional (Petr
 was not aware of that, and that fact was what caused his concern), with default
 value False, the attribute should not pose any additional burden for
 the plugin developer.
 
 Tomas

Agreed, I think that current approach is fine.

Alexander, are you OK with the ipa-advise tool as is? We can add more bells and
whistles or options/API for plugins when we have actually more ipa-advise
plugins and see the real needs of such plugins.

Martin


[Freeipa-devel] [PATCH 0174] Fix crash during zone_refresh triggered by connection failure

2013-07-15 Thread Petr Spacek

Hello,

Fix crash during zone_refresh triggered by connection failure.

Variable 'iter' was initialized too late. Code in cleanup section of
refresh_zones_from_ldap() dereferenced the uninitialized variable.

--
Petr^2 Spacek
From 3affa9c2431928a5b5708875ab937d598059561e Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 15 Jul 2013 15:08:01 +0200
Subject: [PATCH] Fix crash during zone_refresh triggered by connection
 failure.

Variable 'iter' was initialized too late. Code in cleanup section of
refresh_zones_from_ldap() dereferenced the uninitialized variable.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/ldap_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 05aa1a1d4b5091816af092895e881c0e2b1ff0eb..d0286af6c6e6e0084386ae5d1fe4e2ebb2954d4a 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -1632,6 +1632,7 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only)
 	dns_rbt_t *forward_rbt = NULL; /**  Forward zones only */
 	isc_boolean_t psearch;
 	const char *base = NULL;
+	rbt_iterator_t *iter = NULL;
 	char *config_attrs[] = {
 		idnsForwardPolicy, idnsForwarders, 
 		idnsAllowSyncPTR, idnsZoneRefresh,
@@ -1729,7 +1730,6 @@ refresh_zones_from_ldap(ldap_instance_t *ldap_inst, isc_boolean_t delete_only)
 
 	/* Walk through master zone register and remove all zones which
 	 * disappeared from LDAP. */
-	rbt_iterator_t *iter = NULL;
 	char name_txt[DNS_NAME_FORMATSIZE];
 	DECLARE_BUFFERED_NAME(registered_name);
 	DECLARE_BUFFERED_NAME(ldap_name);
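Review bot: hoisting `rbt_iterator_t *iter = NULL;` to the top of `refresh_zones_from_ldap()` fixes the cleanup-path dereference described in the commit message, because the variable is now initialised on every path that jumps to cleanup; please also confirm that the cleanup code tests `iter` for `NULL` before releasing it, since on the early connection-failure path it stays `NULL`. A one-line reproduction hint in the commit message (start with LDAP unreachable) would help anyone bisecting later.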
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

2013-07-15 Thread Alexander Bokovoy

On Mon, 15 Jul 2013, Martin Kosek wrote:

On 07/11/2013 08:59 AM, Tomas Babej wrote:

On Wednesday 26 of June 2013 10:12:48 Petr Spacek wrote:

[snip]

Appropriate error handling = Return 'Permission denied' if particular
operation requires higher privileges.

IMHO 'cryptic' error message is bad in any case, so the right way how to fix
'cryptic' error messages is to fix the places where errors are thrown.

I don't think that additional checks in 'advisor' to hide 'cryptic' errors are
the right approach.

--
Petr^2 Spacek

To wrap up, after an offline discussion with Petr:

We came to a conclusion that since 'require_root' attribute is optional (Petr
was not aware of that, and that fact was what caused his concern), with default
value False, the attribute should not pose any additional burden for
the plugin developer.

Tomas

Agreed, I think that current approach is fine.

Alexander, are you OK with the ipa-advise tool as is? We can add more bells and
whistles or options/API for plugins when we have actually more ipa-advise
plugins and see the real needs of such plugins.

Yes, I'm OK.

--
/ Alexander Bokovoy


Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups

2013-07-15 Thread Martin Kosek
On 07/11/2013 12:15 PM, Alexander Bokovoy wrote:
 On Thu, 11 Jul 2013, Jan Cholasta wrote:
 On 11.7.2013 11:58, Alexander Bokovoy wrote:
 On Mon, 08 Jul 2013, Alexander Bokovoy wrote:
 On Thu, 27 Jun 2013, Jan Cholasta wrote:
 On 27.6.2013 17:34, Rich Megginson wrote:
 On 06/27/2013 09:31 AM, Jan Cholasta wrote:
 The search is hard-coded in the referint plugin, see
 https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/plugins/referint/referint.c#n745.




 Not sure if it makes sense to do a wildcard/substr search here - please
 file a ticket with 389 to investigate.

 https://fedorahosted.org/389/ticket/47411
 So, should we merge this patchset or wait until 389-ds analyzes 47411?
 To me it looks like we can use this one as an interim solution, once Web
 UI performance is checked through.
 I've commited the patchset to master. Web UI works just fine for me and
 with a VM limited to 1GB RAM I seem to get snappier response even when
 running whole IPA stack and Firefox in the same VM.


 We can add WebUI improvements later. I have some WIP, but I need to discuss
 it with Petr first (he's away this week).
 Ok.
 
 The patchset is in ipa-3-2 as well now.

Just checking:

1) Jan, did you check size of these new indexes on IPA master with such a high
number of users? How big are they? I want to make sure that this won't create
an issue on upgrades to new 3.2.x.

2) Does the patch set also fix the problem for Web UI? Currently, I think it
will still grab and process all member attributes even though it does not need
it. If the Web UI performance is still not sharp, I would rather leave this
ticket opened and let Jan and Petr cooperate on the Web UI part.

Martin


Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes

2013-07-15 Thread Martin Kosek
On 07/11/2013 05:03 PM, Alexander Bokovoy wrote:
 On Thu, 11 Jul 2013, Ana Krivokapic wrote:
 On 07/11/2013 11:38 AM, Alexander Bokovoy wrote:
 On Thu, 11 Jul 2013, Alexander Bokovoy wrote:
 On Wed, 10 Jul 2013, Ana Krivokapic wrote:
 On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:
 On Thu, 20 Jun 2013, Ana Krivokapic wrote:
 Hello,

 Attached patches fix systemd and ipactl related bugs:

 https://fedorahosted.org/freeipa/ticket/3730
 https://fedorahosted.org/freeipa/ticket/3729
 NACK. For me upgrade case fails (rpm -Uhv), dirsrv didn't restart on
 upgrade properly and everything else has failed afterwards.


 This was caused due to 'systemctl is-active' returning exit status 3
 ('activating'), and our code treating the non-zero exit status as a
 failure. I
 handled this case in the updated patch.

 As for the ipa.service and dependency ordering, I have done some further
 testing
 and found out that adding the '--ignore-dependencies' switch alone solves 
 the
 shutdown issue. So I think that no modification of ipa.service file is
 necessary.

 Updated patches are attached.
 This is much better. However, 'ipactl stop' doesn't stop ns-slapd and
 dogtag:
 What's important is the fact that now I can issue reboot and VM
 restarts, not hangs, and then IPA starts properly on boot -- this is
 because when ns-slapd gets a signal from systemd, it automatically shuts
 itself down properly and the same happens to dogtag. This is good
 enough so that I push current patches to master but please proceed on
 fixing 'ipactl stop' issue.



 Thanks for catching that. I am attaching a patch which should solve this 
 issue.
 Works now, I tried stop/start/restart, all processes were properly addressed.
 
 Thanks!
 

Is that an ACK? If yes, please push the patches :-)

Martin


Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes

2013-07-15 Thread Alexander Bokovoy

On Mon, 15 Jul 2013, Martin Kosek wrote:

On 07/11/2013 05:03 PM, Alexander Bokovoy wrote:

On Thu, 11 Jul 2013, Ana Krivokapic wrote:

On 07/11/2013 11:38 AM, Alexander Bokovoy wrote:

On Thu, 11 Jul 2013, Alexander Bokovoy wrote:

On Wed, 10 Jul 2013, Ana Krivokapic wrote:

On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:

On Thu, 20 Jun 2013, Ana Krivokapic wrote:

Hello,

Attached patches fix systemd and ipactl related bugs:

https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729

NACK. For me upgrade case fails (rpm -Uhv), dirsrv didn't restart on
upgrade properly and everything else has failed afterwards.



This was caused due to 'systemctl is-active' returning exit status 3
('activating'), and our code treating the non-zero exit status as a
failure. I
handled this case in the updated patch.

As for the ipa.service and dependency ordering, I have done some further
testing
and found out that adding the '--ignore-dependencies' switch alone solves the
shutdown issue. So I think that no modification of ipa.service file is
necessary.

Updated patches are attached.

This is much better. However, 'ipactl stop' doesn't stop ns-slapd and
dogtag:

What's important is the fact that now I can issue reboot and VM
restarts, not hangs, and then IPA starts properly on boot -- this is
because when ns-slapd gets a signal from systemd, it automatically shuts
itself down properly and the same happens to dogtag. This is good
enough so that I push current patches to master but please proceed on
fixing 'ipactl stop' issue.




Thanks for catching that. I am attaching a patch which should solve this issue.

Works now, I tried stop/start/restart, all processes were properly addressed.

Thanks!



Is that an ACK? If yes, please push the patches :-)

It is already in master, I only forgot to respond on the list:
af7807aacc6cf1beb25e53483b54bd599bd6421d

--
/ Alexander Bokovoy


Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-15 Thread Martin Kosek
On 07/11/2013 05:10 PM, Tomas Babej wrote:
 On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:
 
 On 07/11/2013 11:20 AM, Tomas Babej wrote:
 
  boolean_var = {}
 
  - for var in ('persistent_search', 'serial_autoincrement'):
 
  + for var in ('serial_autoincrement'):
 
 This won't work - a one element tuple needs a comma at the end:
 
 ('serial_autoincrement', )
 
  boolean_var[var] = yes if getattr(self, var, False) else no
 
 
 
  self.sub_dict = dict(FQDN=self.fqdn,
 
  @@ -607,9 +604,8 @@ class BindInstance(service.Service):
 
  SUFFIX=self.suffix,
 
  OPTIONAL_NTP=optional_ntp,
 
  ZONEMGR=self.zonemgr,
 
  - ZONE_REFRESH=self.zone_refresh,
 
  IPA_CA_RECORD=ipa_ca,
 
  - PERSISTENT_SEARCH=boolean_var['persistent_search'],
 
  + PERSISTENT_SEARCH=yes,
 
  SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
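Review bot: `ZONE_REFRESH=self.zone_refresh` is dropped from `sub_dict` while `PERSISTENT_SEARCH` is hard-wired to `yes`; make sure the named.conf template no longer contains a `$ZONE_REFRESH` placeholder and that nothing still sets `zone_refresh` on `BindInstance`, otherwise template substitution leaves the literal placeholder in the generated file. Ana's point about `('serial_autoincrement')` stands: without the trailing comma the `for` loop iterates over the characters of the string, so `boolean_var` ends up keyed by single letters and the later `boolean_var['serial_autoincrement']` lookup raises `KeyError`.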
 
 But anyway, I think this piece of code is unnecessarily complicated, I don't see
 a need for the 'boolean_var' dict here. I would suggest replacing it with
 something like:
 
 serial_autoincrement = yes if self.serial_autoincrement else no
 
 and then pass serial_autoincrement to self.sub_dict = dict(...)
 
 Attached patch refactored the relevant part of the code.
 
 Tomas

Thanks for patches! I am just thinking, should we also hide the respective
option from ipa global DNS configuration? That's idnszonerefresh attribute.

We may want to mark the attribute as invisible in CLI + remove it from Web UI.
Petr - what is your take on this? Do you plan to remove idnszonerefresh
attribute support in the future (Fedora 20) as persistent search will be
mandatory in that time?

Thanks,
Martin


Re: [Freeipa-devel] [PATCH] 1102 set correct content-type

2013-07-15 Thread Martin Kosek
On 07/15/2013 10:44 AM, Jan Cholasta wrote:
 On 11.7.2013 22:50, Rob Crittenden wrote:
 Set the correct content-type on negotiated XML-RPC requests. It was
 being set as text/plain when it should be text/xml.

 rob

 
 ACK.
 
 Honza
 

Pushed to master, ipa-3-2.

Martin


Re: [Freeipa-devel] [PATCH] Remove unused variable

2013-07-15 Thread Martin Kosek
On 07/15/2013 12:27 PM, Tomas Babej wrote:
 On Wednesday 10 of July 2013 22:27:16 Jakub Hrozek wrote:
 
 Hi,
 
 I was doing quite a few builds of freeipa for testing and patch reviews
 lately and found a couple of unused variables. The attached patch
 removed the variables.
 
 ACK
 
 Tomas

Pushed to master.

Martin


Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups

2013-07-15 Thread Jan Cholasta

On 15.7.2013 15:16, Martin Kosek wrote:

On 07/11/2013 12:15 PM, Alexander Bokovoy wrote:

On Thu, 11 Jul 2013, Jan Cholasta wrote:

We can add WebUI improvements later. I have some WIP, but I need to discuss
it with Petr first (he's away this week).

Ok.

The patchset is in ipa-3-2 as well now.


Just checking:

1) Jan, did you check size of these new indexes on IPA master with such a high
number of users? How big are they? I want to make sure that this won't create
an issue on upgrades to new 3.2.x.


With 10k users, the indices ate roughly 250 MB of disk space.



2) Does the patch set also fix the problem for Web UI? Currently, I think it
will still grab and process all member attributes even though it does not need
it. If the Web UI performance is still not sharp, I would rather leave this
ticket opened and let Jan and Petr cooperate on the Web UI part.


I agree on keeping the ticket open.

Honza

--
Jan Cholasta


Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-15 Thread Petr Spacek

On 15.7.2013 15:31, Martin Kosek wrote:

On 07/11/2013 05:10 PM, Tomas Babej wrote:

On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:

On 07/11/2013 11:20 AM, Tomas Babej wrote:

boolean_var = {}

- for var in ('persistent_search', 'serial_autoincrement'):

+ for var in ('serial_autoincrement'):

This won't work - a one element tuple needs a comma at the end:

('serial_autoincrement', )

boolean_var[var] = yes if getattr(self, var, False) else no

self.sub_dict = dict(FQDN=self.fqdn,

@@ -607,9 +604,8 @@ class BindInstance(service.Service):

SUFFIX=self.suffix,

OPTIONAL_NTP=optional_ntp,

ZONEMGR=self.zonemgr,

- ZONE_REFRESH=self.zone_refresh,

IPA_CA_RECORD=ipa_ca,

- PERSISTENT_SEARCH=boolean_var['persistent_search'],

+ PERSISTENT_SEARCH=yes,

SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)

But anyway, I think this piece of code is unnecessarily complicated, I don't see
a need for the 'boolean_var' dict here. I would suggest replacing it with
something like:

serial_autoincrement = yes if self.serial_autoincrement else no

and then pass serial_autoincrement to self.sub_dict = dict(...)

Attached patch refactored the relevant part of the code.

Tomas

Thanks for patches! I am just thinking, should we also hide the respective
option from ipa global DNS configuration? That's idnszonerefresh attribute.

We may want to mark the attribute as invisible in CLI + remove it from Web UI.
Petr - what is your take on this? Do you plan to remove idnszonerefresh
attribute support in the future (Fedora 20) as persistent search will be
mandatory in that time?


Yes, you are right. We completely forgot the web UI. And yes - please remove
the option from web UI.


The latest development shows that persistent search will be replaced by RFC 
4533 (known as 'syncrepl'), but from user's point of view it doesn't matter. 
All options related to persistent search and zone_refresh will simply 
disappear. Syncrepl itself doesn't require explicit configuration.


--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-15 Thread Simo Sorce
On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote:
 On 07/15/2013 03:44 PM, Petr Spacek wrote:
  On 15.7.2013 15:31, Martin Kosek wrote:
  On 07/11/2013 05:10 PM, Tomas Babej wrote:
  On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:
 
  On 07/11/2013 11:20 AM, Tomas Babej wrote:
 
  boolean_var = {}
 
  - for var in ('persistent_search', 'serial_autoincrement'):
 
  + for var in ('serial_autoincrement'):
 
  This won't work - a one element tuple needs a comma at the end:
 
  ('serial_autoincrement', )
 
  boolean_var[var] = yes if getattr(self, var, False) else no
 
 
 
  self.sub_dict = dict(FQDN=self.fqdn,
 
  @@ -607,9 +604,8 @@ class BindInstance(service.Service):
 
  SUFFIX=self.suffix,
 
  OPTIONAL_NTP=optional_ntp,
 
  ZONEMGR=self.zonemgr,
 
  - ZONE_REFRESH=self.zone_refresh,
 
  IPA_CA_RECORD=ipa_ca,
 
  - PERSISTENT_SEARCH=boolean_var['persistent_search'],
 
  + PERSISTENT_SEARCH=yes,
 
  SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
 
 
 
  But anyway, I think this piece of code is unnecessarily complicated, I
  don't see
 
  a need for the 'boolean_var' dict here. I would suggest replacing it with
 
  something like:
 
 
 
  serial_autoincrement = yes if self.serial_autoincrement else no
 
 
 
  and then pass serial_autoincrement to self.sub_dict = dict(...)
 
 
 
 
 
 
 
  Attached patch refactored the relevant part of the code.
 
 
 
  Tomas
 
 
  Thanks for patches! I am just thinking, should we also hide the respective
  option from ipa global DNS configuration? That's idnszonerefresh attribute.
 
  We may want to mark the attribute as invisible in CLI + remove it from Web 
  UI.
  Petr - what is your take on this? Do you plan to remove idnszonerefresh
  attribute support in the future (Fedora 20) as persistent search will be
  mandatory in that time?
  
  Yes, you are right. We completely forgot the web UI. And yes - please remove
  the option from web UI.
 
 Ok, Tomas please do the changes as proposed above.
 
  
  The latest development shows that persistent search will be replaced by RFC
  4533 (known as 'syncrepl'), but from user's point of view it doesn't matter.
  All options related to persistent search and zone_refresh will simply
  disappear. Syncrepl itself doesn't require explicit configuration.
 
 Ah, so this means that psearch option will be also removed from
 bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that
 cause issues with Fedora 20? Should we already avoid using the psearch 
 option
 and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by 
 default?

Won't the new bind-dyndb-ldap simply ignore the psearch option when it
moves to syncrepl ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-15 Thread Petr Spacek

On 15.7.2013 16:15, Simo Sorce wrote:

On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote:

On 07/15/2013 03:44 PM, Petr Spacek wrote:

On 15.7.2013 15:31, Martin Kosek wrote:

On 07/11/2013 05:10 PM, Tomas Babej wrote:

On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:


On 07/11/2013 11:20 AM, Tomas Babej wrote:



boolean_var = {}



- for var in ('persistent_search', 'serial_autoincrement'):



+ for var in ('serial_autoincrement'):



This won't work - a one element tuple needs a comma at the end:



('serial_autoincrement', )



boolean_var[var] = yes if getattr(self, var, False) else no







self.sub_dict = dict(FQDN=self.fqdn,



@@ -607,9 +604,8 @@ class BindInstance(service.Service):



SUFFIX=self.suffix,



OPTIONAL_NTP=optional_ntp,



ZONEMGR=self.zonemgr,



- ZONE_REFRESH=self.zone_refresh,



IPA_CA_RECORD=ipa_ca,



- PERSISTENT_SEARCH=boolean_var['persistent_search'],



+ PERSISTENT_SEARCH=yes,



SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)







But anyway, I think this piece of code is unnecessarily complicated, I
don't see a need for the 'boolean_var' dict here. I would suggest replacing it
with something like:

serial_autoincrement = yes if self.serial_autoincrement else no

and then pass serial_autoincrement to self.sub_dict = dict(...)

Attached patch refactored the relevant part of the code.

Tomas


Thanks for patches! I am just thinking, should we also hide the respective
option from ipa global DNS configuration? That's idnszonerefresh attribute.

We may want to mark the attribute as invisible in CLI + remove it from Web UI.
Petr - what is your take on this? Do you plan to remove idnszonerefresh
attribute support in the future (Fedora 20) as persistent search will be
mandatory in that time?


Yes, you are right. We completely forgot the web UI. And yes - please remove the
option from web UI.

Ok, Tomas please do the changes as proposed above.

The latest development shows that persistent search will be replaced by RFC
4533 (known as 'syncrepl'), but from user's point of view it doesn't matter.
All options related to persistent search and zone_refresh will simply
disappear. Syncrepl itself doesn't require explicit configuration.

Ah, so this means that psearch option will be also removed from
bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that
cause issues with Fedora 20? Should we already avoid using the psearch option
and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by
default?

Won't the new bind-dyndb-ldap simply ignore the psearch option when it
moves to syncrepl ?

I can do it, but I think that cleanest way is to remove the 'psearch' option
in upgrade script.

Another option is to release new bind-dyndb-ldap to Fedora 19 and change
default values to 'psearch yes' right now. Do you agree?


--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES] 0230-0244 Integration testing framework

2013-07-15 Thread Petr Viktorin

On 07/11/2013 01:28 PM, Jan Cholasta wrote:

On 10.7.2013 17:50, Petr Viktorin wrote:

On 07/10/2013 02:03 PM, Jan Cholasta wrote:

make test seems to run fine with patches 230-242 applied, however
ipa-run-tests produces the following output:


[...Skipping nose output...]



I guess the location of the test certificate should be made configurable
in order to fix the host and service plugin test failures.


Making the existing test suite pass out of tree is not a goal for this
patchset. There is a pending patch for the service cert.


Better report it now than forget it later.




Also, there is a lot of debugging messages in ipa-run-tests output which
wasn't there before IIRC, is that intentional?


Yes, I believe that for the integration tests it's better to see what is
going on. Both for manual runs, and also this way the information is
more easily picked up by CI tools.


It's harder to see what's going on with so much noise IMHO, I would
prefer less verbose output for manual runs by default.


On the other hand, the integration tests take too long and without 
output they may seem stuck. I'd rather not make that the default.
I'll try to find some balance and make it more easily configurable in 
future patches.



If $MASTER (and possible other host names) is not resolvable,
ipa-test-config --global crashes:

$ ipa-test-config --global
Traceback (most recent call last):
   File /usr/bin/ipa-test-config, line 104, in module
 print main(sys.argv[1:]),
   File /usr/bin/ipa-test-config, line 58, in main
 return config.env_to_script(get_object(conf,
args).to_env(**kwargs))
   File
/usr/lib/python2.7/site-packages/ipatests/test_integration/config.py,
line 168, in to_env
 env['MASTER'] = default_domain.master.hostname
   File
/usr/lib/python2.7/site-packages/ipatests/test_integration/config.py,
line 282, in master
 return self.masters[0]
IndexError: list index out of range


Fixed.
Now, if the name is not resolvable, reading the config will fail.
Alternatively, the IP address can be given in variables such as
$BEAKERREPLICA1_IP_env1 (no, I didn't invent the name).


This fixed ipa-test-config as advertised, but ipa-run-tests
test_integration/test_simple_replication.py still fails.


Both the tests in test_simple_replication.py fail for me. I suspect it
is because the data isn't replicated fast enough, a little delay between
user-show and user-add might fix this.


Hm, they worked for me.
  I've added a delay. It seems fragile, I wonder what the proper way to
do this would be.


Hmm, the replica -> master test still fails for me, even with delay
increased to 20 s.


Is there anything in the DS logs?


Something less fragile than delay would certainly be nice.


I'll read up on the DS replication docs, and ask for some guidance.


I've made some other changes, mainly BeakerLib plugin output.

Patch 240: Avoid infinite recursion that happened with some cases of bad
SSH credentials
Patch 241-243: Rework the BeakerLib plugin output to better match
traditional Beaker tests
Patch 244: Make it possible to explicitly specify IP addresses of hosts


To sum things up, there are still some little bugs, but these can be
fixed after the beta release, in general everything seems to work, so ACK.


Thanks, pushed to master: 23d3fde05960d6e47485e246e11bec701b30cb59
Not closing the ticket yet until the issues are cleared (or moved to 
separate tickets).


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
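The "something less fragile than delay" point in the exchange above, as an added example that is not part of the patchset or of the FreeIPA integration test framework: instead of sleeping a fixed number of seconds between user-add on the master and user-show on the replica, poll the replica with a deadline and exponential backoff. The master and replica below are constructed in-memory stand-ins (a real test would call `ipa user-show` or an LDAP search on the replica host in place of `FakeDirectory.lookup`), and the clock is virtual so the example runs offline without actually waiting.

```python
"""Wait for a change to appear on a replica by polling with a deadline,
instead of sleeping a fixed number of seconds.

Added example; not part of FreeIPA's test framework. FakeDirectory and
FakeClock are constructed stand-ins so the example runs offline.
"""
import time


def wait_until(check, timeout=20.0, interval=0.5, max_interval=2.0,
               clock=time.monotonic, sleep=time.sleep):
    """Call check() until it returns a truthy value or the deadline passes.

    Returns (ok, last_value, attempts). The delay doubles up to max_interval,
    so a replica that converges quickly is noticed quickly while a slow one
    is not hammered. clock and sleep are injectable for deterministic tests.
    """
    deadline = clock() + timeout
    delay = interval
    attempts = 0
    while True:
        attempts += 1
        value = check()
        if value:
            return True, value, attempts
        remaining = deadline - clock()
        if remaining <= 0:
            return False, value, attempts
        sleep(min(delay, remaining))
        delay = min(delay * 2, max_interval)


class FakeDirectory:
    """Constructed stand-in for a DS instance. A replica created with lag=N
    only applies the master's pending changes on its N-th lookup, which
    mimics replication that has not converged yet."""

    def __init__(self, lag=0):
        self.entries = {}
        self.pending = {}
        self.lag = lag
        self.lookups = 0

    def add(self, uid, **attrs):
        self.entries[uid] = dict(uid=uid, **attrs)

    def replicate_from(self, master):
        self.pending = dict(master.entries)

    def lookup(self, uid):
        self.lookups += 1
        if self.lookups >= self.lag:
            self.entries.update(self.pending)
        return self.entries.get(uid)


class FakeClock:
    """Virtual clock so the example and its checks never really sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def check_user_replicated(master, replica, uid, clock, timeout):
    """Add uid on master and wait until replica returns it.
    Returns (ok, attempts, seconds_waited)."""
    master.add(uid, givenname="Test", sn="User")
    replica.replicate_from(master)
    ok, _entry, attempts = wait_until(lambda: replica.lookup(uid),
                                      timeout=timeout, clock=clock,
                                      sleep=clock.sleep)
    return ok, attempts, clock()


if __name__ == "__main__":
    clock = FakeClock()
    ok, attempts, waited = check_user_replicated(
        FakeDirectory(), FakeDirectory(lag=4), "tuser1", clock, timeout=20.0)
    print("converged:", ok, "after", attempts, "lookups and", waited, "s")
```

With the 0.5 s initial interval a replica that converges on the fourth lookup is detected after 3.5 virtual seconds; a replica that never converges inside the 2.5 s deadline is reported as a failure rather than blocking the whole suite, which is what a fixed `sleep(20)` cannot distinguish.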

Re: [Freeipa-devel] [PATCH] Use pkg-config to detect cmocka

2013-07-15 Thread Martin Kosek
On 07/15/2013 03:13 PM, Alexander Bokovoy wrote:
 On Mon, 15 Jul 2013, Martin Kosek wrote:
 On 07/04/2013 01:49 PM, Lukas Slebodnik wrote:
 On (04/07/13 13:10), Alexander Bokovoy wrote:
 On Thu, 04 Jul 2013, Lukas Slebodnik wrote:
 ehlo,

 libcmocka-0.3 was released and the package is available in Fedora >= 18.
 libcmocka-devel contains pkg-config file,
 therefore it is better to use pkg-config to detect this library.

 Patch is attached.
 Few comments.

 0. Please follow https://fedorahosted.org/freeipa/wiki/PatchFormat
 changed

 1. It would be nice to have a ticket in the FreeIPA trac.
 Could ticket#3434 be used? I know that ticket is fixed.
 https://fedorahosted.org/freeipa/ticket/3434
 Funcionality of patch is the same as Sumit's version.

 2. I think at this point we need to decide whether we want to have
  BuildRequires: libcmocka-devel
   in freeipa.spec.in. Given the change, older version would become
   unsupported but we don't really have any packaging dependency yet.
 At the moment, there is not any cmocka test in freeipa source repo.

 LS


 Any update with this patch? If the build works OK, I would push it.

 I think we do not need to add libcmocka BuildRequires ATM and leave the 
 cmocka
 tests optional (especially if there is no cmocka test).
 Yes, it works fine.

OK. I pushed the patch to master, ipa-3-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] DNSSEC support design considerations: key material handling

2013-07-15 Thread Petr Spacek

Hello,

first part of this message quickly concludes the discussion about the database part of 
the DNSSEC support and then key material handling is discussed.


I'm sorry for the wall of text.

On 27.6.2013 18:43, Simo Sorce wrote:

 * How to get sorted list of entries from LDAP? Use LDAP
   server-side sorting? Do we have necessary indices?
 
 We can do client side sorting as well I guess, I do not have a strong
 opinion here. The main reason why you need ordering is to detect delete
 records right ?

Exactly. I realized that server-side sorting doesn't make sense because we
plan to use syncrepl, so there is nothing to sort - only the flow of
incremental updates.

Syncrepl includes notice of deletions too, right ?
Yes. Client receives delete notification with entryUUID, so we can 
unambiguously identify the deleted entry.


I wrote example LDAP client and it works (against OpenLDAP :-).


  (Filesystem) cache maintenance

  Questions: How often should we save the cache from operating
 memory to disk?

Prerequisite to be able to evaluate this question. How expensive is it
to save the cache ?

My test zone contains 65535  records, 255 A records, 1 SOA + 1 NS record.

Benchmark results:
zone dump0.5 s (to text file)
zone load1 s (from text file)
zone delete  9 s (LOL. This is caused by implementation details of RBTDB.)

LDAP search on the whole sub-tree:  15 s


Ouch, this looks very slow, missing indexes ?)
I don't see any 'notes=U' in access log. Also, my OpenLDAP instance with the 
same DNS data can do the same search in < 2 seconds.



Is this just the search? or is it search + zone load ?

Just the search.


Load time for bind-dyndb-ldap 3.x:  120 s


So, a reload from scratch can take many 10s of seconds on big zones, did
this test include DNSSEC signing ? Or would we need to add that on top ?
The time is for plain load. Current code is horribly ineffective and generates 
one extra LDAP search for each update. This madness will be eliminated by 
syncrepl, so the plain load time should be cut to much smaller value. We will see.


The other problem is that current code serializes a lot of work. This also 
will be mitigated to certain level (not completely, for now).



Originally, I planned to write a script which would compare data in LDAP with
zone file on disk. This script could be used for debugging & automated
testing, so we can assess if the code behaves correctly and decide if we want
to implement automatic re-synchronization when necessary.


Wouldn't this script be subject to races depending at what time it is
accessing either LDAP or the file ?

Yes, it would. The script was intended for 'lab use':
1. Run DNS server.
2. Do a big amount of dynamic updates in short time.
3. Shutdown DNS and LDAP servers.
4. Compare data in DNS database with data in LDAP.

This could tell us how often and how many inconsistencies occur. After that we 
can make up some re-synchronization intervals etc.



The main issue here is that it is hard to know when doing a full re-sync
is necessary. And because it is expensive I am wary of doing it
automatically too often.

However perhaps a timed event so it is done once a day it is not a bad
idea.

I agree.


I think that we sorted out necessary changes in storage/database part of the 
DNSSEC integration.



The remaining part is mostly about key management.

Following text mentions 'DNSSEC keys' many times, so I tried to summarize how 
keys are used in DNSSEC. Feel free to skip it.


== DNSSEC theory ==

Each zone has *at least* two key pairs. They are called Key Signing Key (KSK, 
the first key pair) and Zone Signing Key (ZSK, the second key pair).


- *Parent* zone contains a copy of public part of the KSK.
- Zone itself contains public part of ZSK (and KSK).
- Client uses public part of KSK (obtained from secure parent zone) for ZSK 
verification.
- ZSK is used for signing of the real data in the zone (i.e. generating RRSIG 
records) and verification on client side.


Each key and signature contains key-id, so one zone can be signed by multiple 
KSKs and ZSKs at the same time. This solves the key roll over problem.


Each key contains this set of timestamps:
Created, Revoke - self descriptive :-)
Publish - public part of the key will be visible in zone after this time
Active - new signatures with this key can be generated after this time
Inactive - new signatures with this key cannot be generated after this time
Delete - public part of the key will deleted from the zone after this time

NIST says [1] that KSK should be changed ~ each 1-3 years (it requires change 
in parent zone) and ZSK should be changed ~ each 1-3 months.


The recommendation says [1] that zone should have two ZSKs: One Active (used 
for signature generation) and second only Published (ready for roll over in 
case of emergency/when the first key pair expires). This mitigates problems 
with caches and stale key material during roll-over.


BIND 9 
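The key timing metadata (Publish, Active, Inactive, Delete, Revoke) and the "one Active plus one Published ZSK" recommendation summarised in the DNSSEC theory section above, as an added example that is neither from the message nor from FreeIPA, bind-dyndb-ldap or BIND: a small model of a key's lifecycle, a check for the standby-ZSK policy, and a pre-publish rollover schedule that keeps that policy true at every instant. Key ids, the 90-day lifetime, the 30-day retire window and the 2013-07-15 start date are assumptions; treating a revoked key as still published but no longer signing zone data is my reading of RFC 5011, not something the message states.

```python
"""DNSSEC key timing metadata and a pre-publish ZSK rollover schedule.

Added example; not code from FreeIPA, bind-dyndb-ldap or BIND. Key ids are
placeholders (real key tags are computed from the DNSKEY RDATA) and the
lifetime/retire windows are assumptions matching the 1-3 month ZSK guidance.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

START = datetime(2013, 7, 15, tzinfo=timezone.utc)   # constructed reference date


def at_day(n: int) -> datetime:
    return START + timedelta(days=n)


@dataclass
class DnssecKey:
    key_id: int
    role: str                               # "KSK" or "ZSK"
    publish: datetime                       # DNSKEY visible in the zone from here
    active: datetime                        # new RRSIGs may be generated from here
    inactive: Optional[datetime] = None     # no new RRSIGs after this
    delete: Optional[datetime] = None       # DNSKEY removed from the zone after this
    revoke: Optional[datetime] = None       # RFC 5011 REVOKE flag set from here
    # Assumption: a revoked key stays published (so validators see the revocation)
    # but is no longer used to sign zone data.

    def is_published(self, now: datetime) -> bool:
        return self.publish <= now and (self.delete is None or now < self.delete)

    def is_signing(self, now: datetime) -> bool:
        if self.revoke is not None and now >= self.revoke:
            return False
        return (self.is_published(now) and self.active <= now
                and (self.inactive is None or now < self.inactive))


def zone_key_state(keys: List[DnssecKey], now: datetime) -> Dict[str, Dict[str, List[DnssecKey]]]:
    """Per role: keys generating signatures now, and keys published but idle
    (pre-published standby keys, or retired keys kept while old RRSIGs are cached)."""
    state = {role: {"signing": [], "standby": []} for role in ("KSK", "ZSK")}
    for key in keys:
        if key.is_signing(now):
            state[key.role]["signing"].append(key)
        elif key.is_published(now):
            state[key.role]["standby"].append(key)
    return state


def zsk_policy_ok(keys: List[DnssecKey], now: datetime) -> bool:
    """Exactly one ZSK signing and at least one more ZSK already published,
    so an emergency roll does not have to wait for caches to learn a DNSKEY."""
    zsk = zone_key_state(keys, now)["ZSK"]
    return len(zsk["signing"]) == 1 and len(zsk["standby"]) >= 1


def plan_zsk_rollover(start: datetime, count: int,
                      lifetime: timedelta = timedelta(days=90),
                      retire: timedelta = timedelta(days=30),
                      first_id: int = 1000) -> List[DnssecKey]:
    """Pre-publish schedule: key i+1 is published the moment key i becomes
    active, and key i stays published for `retire` after it stops signing so
    RRSIGs still held in caches remain verifiable."""
    keys = []
    for i in range(count):
        active = start + i * lifetime
        keys.append(DnssecKey(key_id=first_id + i, role="ZSK",
                              publish=active - lifetime, active=active,
                              inactive=active + lifetime,
                              delete=active + lifetime + retire))
    return keys


if __name__ == "__main__":
    zsks = plan_zsk_rollover(START, count=4)
    for day in (10, 100, 125):
        st = zone_key_state(zsks, at_day(day))["ZSK"]
        print("day %3d signing=%s standby=%s policy_ok=%s" % (
            day, [k.key_id for k in st["signing"]],
            [k.key_id for k in st["standby"]], zsk_policy_ok(zsks, at_day(day))))
```

The schedule makes the retire window explicit: on day 100 key 1000 has stopped signing but is still published (its RRSIGs may still sit in caches) while key 1002 is already pre-published, so the zone has one signer and two idle keys; by day 125 key 1000 is gone. A zone with a single ZSK and no standby fails the policy check, which is exactly the emergency-roll gap the recommendation is meant to close.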

Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-15 Thread Martin Kosek
On 07/15/2013 04:41 PM, Petr Spacek wrote:
 On 15.7.2013 16:15, Simo Sorce wrote:
 On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote:
 On 07/15/2013 03:44 PM, Petr Spacek wrote:
 On 15.7.2013 15:31, Martin Kosek wrote:
 On 07/11/2013 05:10 PM, Tomas Babej wrote:
 On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:

 On 07/11/2013 11:20 AM, Tomas Babej wrote:

 boolean_var = {}

 - for var in ('persistent_search', 'serial_autoincrement'):

 + for var in ('serial_autoincrement'):

 This won't work - a one element tuple needs a comma at the end:

 ('serial_autoincrement', )

 boolean_var[var] = yes if getattr(self, var, False) else no



 self.sub_dict = dict(FQDN=self.fqdn,

 @@ -607,9 +604,8 @@ class BindInstance(service.Service):

 SUFFIX=self.suffix,

 OPTIONAL_NTP=optional_ntp,

 ZONEMGR=self.zonemgr,

 - ZONE_REFRESH=self.zone_refresh,

 IPA_CA_RECORD=ipa_ca,

 - PERSISTENT_SEARCH=boolean_var['persistent_search'],

 + PERSISTENT_SEARCH=yes,

 SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)



 But anyway, I think this piece of code is unnecessarily complicated, I
 don't see

 a need for the 'boolean_var' dict here. I would suggest replacing it 
 with

 something like:



 serial_autoincrement = yes if self.serial_autoincrement else no



 and then pass serial_autoincrement to self.sub_dict = dict(...)







 Attached patch refactored the relevant part of the code.



 Tomas


 Thanks for patches! I am just thinking, should we also hide the respective
 option from ipa global DNS configuration? That's idnszonerefresh 
 attribute.

 We may want to mark the attribute as invisible in CLI + remove it from Web
 UI.
 Petr - what is your take on this? Do you plan to remove idnszonerefresh
 attribute support in the future (Fedora 20) as persistent search will be
 mandatory in that time?

 Yes, you are right. We completely forgot the web UI. And yes - please remove
 the option from web UI.

 Ok, Tomas please do the changes as proposed above.


 The latest development shows that persistent search will be replaced by RFC
 4533 (known as 'syncrepl'), but from user's point of view it doesn't 
 matter.
 All options related to persistent search and zone_refresh will simply
 disappear. Syncrepl itself doesn't require explicit configuration.

 Ah, so this means that psearch option will be also removed from
 bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will 
 that
 cause issues with Fedora 20? Should we already avoid using the psearch 
 option
 and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by
 default?

 Won't the new bind-dyndb-ldap simply ignore the psearch option when it
 moves to syncrepl ?
 
 I can do it, but I think that cleanest way is to remove the 'psearch' option 
 in
 upgrade script.

Hm, right, this should make the upgrade script a lot simpler - it would just
remove all psearch or zone_refresh references.

 
 Another option is to release new bind-dyndb-ldap to Fedora 19 and change
 default values to 'psearch yes' right now. Do you agree?

Looks OK to me and would let us avoid doing any additional upgrade process for
Fedora 20 - are you planning to do a Fedora 19 release any time soon? If yes,
we can do the changes we are talking about in next 3.2.x release.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCHES] 143-147 Improve performance with large groups

2013-07-15 Thread Martin Kosek
On 07/15/2013 03:43 PM, Jan Cholasta wrote:
 On 15.7.2013 15:16, Martin Kosek wrote:
 On 07/11/2013 12:15 PM, Alexander Bokovoy wrote:
 On Thu, 11 Jul 2013, Jan Cholasta wrote:
 We can add WebUI improvements later. I have some WIP, but I need to discuss
 it with Petr first (he's away this week).
 Ok.

 The patchset is in ipa-3-2 as well now.

 Just checking:

 1) Jan, did you check size of these new indexes on IPA master with such a 
 high
 number of users? How big are they? I want to make sure that this won't create
 an issue on upgrades to new 3.2.x.
 
 With 10k users, the indices ate roughly 250 MB of disk space.
 

 2) Does the patch set also fix the problem for Web UI? Currently, I think it
 will still grab and process all member attributes even though it does not 
 need
 it. If the Web UI performance is still not sharp, I would rather leave this
 ticket opened and let Jan & Petr cooperate on the Web UI part.
 
 I agree on keeping the ticket open.
 
 Honza
 

Ok, I reopened the ticket. Petr and Jan, please cooperate on this one.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-15 Thread Simo Sorce
On Mon, 2013-07-15 at 16:41 +0200, Petr Spacek wrote:
 On 15.7.2013 16:15, Simo Sorce wrote:
  On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote:
  On 07/15/2013 03:44 PM, Petr Spacek wrote:
  On 15.7.2013 15:31, Martin Kosek wrote:
  On 07/11/2013 05:10 PM, Tomas Babej wrote:
  On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:
 
  On 07/11/2013 11:20 AM, Tomas Babej wrote:
 
  boolean_var = {}
 
  - for var in ('persistent_search', 'serial_autoincrement'):
 
  + for var in ('serial_autoincrement'):
 
  This won't work - a one element tuple needs a comma at the end:
 
  ('serial_autoincrement', )
 
  boolean_var[var] = yes if getattr(self, var, False) else no
 
 
 
  self.sub_dict = dict(FQDN=self.fqdn,
 
  @@ -607,9 +604,8 @@ class BindInstance(service.Service):
 
  SUFFIX=self.suffix,
 
  OPTIONAL_NTP=optional_ntp,
 
  ZONEMGR=self.zonemgr,
 
  - ZONE_REFRESH=self.zone_refresh,
 
  IPA_CA_RECORD=ipa_ca,
 
  - PERSISTENT_SEARCH=boolean_var['persistent_search'],
 
  + PERSISTENT_SEARCH=yes,
 
  SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)
 
 
 
  But anyway, I think this piece of code is unnecessarily complicated, I
  don't see
 
  a need for the 'boolean_var' dict here. I would suggest replacing it 
  with
 
  something like:
 
 
 
  serial_autoincrement = yes if self.serial_autoincrement else no
 
 
 
  and then pass serial_autoincrement to self.sub_dict = dict(...)
 
 
 
 
 
 
 
  Attached patch refactored the relevant part of the code.
 
 
 
  Tomas
 
 
  Thanks for patches! I am just thinking, should we also hide the 
  respective
  option from ipa global DNS configuration? That's idnszonerefresh 
  attribute.
 
  We may want to mark the attribute as invisible in CLI + remove it from 
  Web UI.
  Petr - what is your take on this? Do you plan to remove idnszonerefresh
  attribute support in the future (Fedora 20) as persistent search will be
  mandatory in that time?
 
  Yes, you are right. We completely forgot the web UI. And yes - please
  remove the option from web UI.
 
  Ok, Tomas please do the changes as proposed above.
 
 
  The latest development shows that persistent search will be replaced by 
  RFC
  4533 (known as 'syncrepl'), but from user's point of view it doesn't 
  matter.
  All options related to persistent search and zone_refresh will simply
  disappear. Syncrepl itself doesn't require explicit configuration.
 
  Ah, so this means that psearch option will be also removed from
  bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will 
  that
  cause issues with Fedora 20? Should we already avoid using the psearch 
  option
  and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by 
  default?
 
  Won't the new bind-dyndb-ldap simply ignore the psearch option when it
  moves to syncrepl ?
 
 I can do it, but I think that cleanest way is to remove the 'psearch' option 
 in upgrade script.

Sure, but if the upgrade, for whatever reason, fails to remove it
bind-dyndb-ldap should just ignore.

 Another option is to release new bind-dyndb-ldap to Fedora 19 and change 
 default values to 'psearch yes' right now. Do you agree?

Too much churn, I think it is ok to change it when we are done with
syncrepl and upgrade config, with the fallback failsafe that even if
upgrade doesn't remove the option bind-dyndb-ldap will simply ignore it.

This will be safer even for people using stuff like cfengine/puppet to
manage configurations and not realizing we changed the conf on upgrade,
their confsystems will push again a conf file with psearch yes but
bind-dyndb-ldap won't break.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 0108 Add support for compatibility tree for trusted domain users

2013-07-15 Thread Alexander Bokovoy

Hi!

Attached patch allows to enable serving trusted domain users and groups
through Schema Compatibilty plugin.

The patch only does FreeIPA master configuration settings, the real work
is done by the changes to slapi-nis plugin (in a separate email).

Since ipa-adtrust-install can safely be run multiple times, one can
re-run it on the IPA master to enable serving old clients, by specifying

ipa-adtrust-install --enable-compat

or answering 'yes' to the interactive question.

I have expanded man page for ipa-adtrust-install to cover this option.

Once enabled, following is possible:
---
# ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '(&(cn=domain adm...@ad.lan)(objectclass=posixgroup))'
SASL/GSSAPI authentication started
SASL username: ad...@vda.li
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=compat,dc=vda,dc=li with scope subtree
# filter: (&(cn=domain adm...@ad.lan)(objectclass=posixgroup))
# requesting: ALL
#

# domain adm...@ad.lan, groups, compat, vda.li
dn: cn=domain adm...@ad.lan,cn=groups,cn=compat,dc=vda,dc=li
objectClass: posixGroup
objectClass: extensibleObject
objectClass: top
gidNumber: 1442800512
memberUid: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512
cn: domain adm...@ad.lan

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
---

and for users:
---
# ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '(uid=administra...@ad.lan)'
SASL/GSSAPI authentication started

SASL username: ad...@vda.li
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=compat,dc=vda,dc=li with scope subtree
# filter: (uid=administra...@ad.lan)
# requesting: ALL
#

# administra...@ad.lan, users, compat, vda.li
dn: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 1442800500
gidNumber: 1442800500
homeDirectory: /
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500
uid: administra...@ad.lan

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


Currently PAM authentication is a bit broken due to yet-to-hunt bug in
SSSD or my environment (Jakub was unable to reproduce it) where SSSD
thinks that AD DC is offline during authentication step.

However, if you don't hit the bug, you can check authentication by doing
following bind and entering a password for your AD administrator:
# ldapsearch -D uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li \
 -W -x -C -a always  -b dc=vda,dc=li '(uid=admin)'

The bind operation needs to be performed _after_ user lookup.

All these commands are only examples, I'm currently working on seeing
how to configure pam_ldap/nss_ldap to use compat plugin this way.
--
/ Alexander Bokovoy
From bd7addcc2a2b37cd128dcbea0bc6e9b2929e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 15 Jul 2013 19:13:50 +0300
Subject: [PATCH] ipa-adtrust-install: configure compatibility tree to serve
 trusted domain users

Enables support for trusted domain users for old clients through the Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run an older SSSD version
one needs to use this option. When enabled, the slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on the IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.

In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under the compat tree, i.e. using bind DN
uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication is related to the PAM stack using the 'system-auth' PAM
service. If you have disabled the HBAC rule 'allow_all', then make sure there is
a special service called 'system-auth' created and an HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that the system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via the compatibility path.

https://fedorahosted.org/freeipa/ticket/3567
---
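The compat-tree lookups and the bind DN shown in the post above embed a user- or group-supplied name (including an `@` and, for "domain admins", a space) into an LDAP filter and into an RDN. As an added example that is not code from FreeIPA, slapi-nis or the patch, the following builds those strings with RFC 4515 filter escaping and RFC 4514 DN escaping, and lower-cases the name the way the patch description says SSSD normalises trusted-domain names. The suffix `dc=vda,dc=li` and the names are taken from the post; the injection string is constructed for illustration.

```python
"""Build compat-tree DNs and search filters for trusted-domain users safely.

Added example; not code from FreeIPA or slapi-nis. Escaping follows
RFC 4515 (search filters) and RFC 4514 (DN string form); lower-casing
mirrors the normalisation SSSD applies to trusted-domain names.
"""

SUFFIX = "dc=vda,dc=li"                     # from the post's ldapsearch examples
COMPAT_USERS = "cn=users,cn=compat," + SUFFIX
COMPAT_GROUPS = "cn=groups,cn=compat," + SUFFIX

_FILTER_SPECIAL = "\\*()\x00"               # RFC 4515 section 3
_DN_SPECIAL = '\\",+;<>'                    # RFC 4514 section 2.4


def ldap_filter_escape(value):
    """Escape an assertion value so it cannot close or extend the filter."""
    return "".join("\\%02x" % ord(ch) if ch in _FILTER_SPECIAL else ch
                   for ch in value)


def ldap_dn_escape(value):
    """Escape an RDN attribute value so it cannot introduce extra RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif (ch in _DN_SPECIAL or (i == 0 and ch in " #")
              or (i == last and ch == " ")):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def normalize(name):
    """SSSD serves trusted-domain names lower-cased; match that before lookup."""
    return name.strip().lower()


def compat_user_dn(name):
    """Bind DN for LDAP authentication via the compat tree."""
    return "uid=%s,%s" % (ldap_dn_escape(normalize(name)), COMPAT_USERS)


def compat_user_filter(name):
    return "(uid=%s)" % ldap_filter_escape(normalize(name))


def compat_group_filter(name):
    return "(&(cn=%s)(objectclass=posixgroup))" % ldap_filter_escape(normalize(name))


def unsafe_group_filter(name):
    """Naive concatenation, kept only to contrast with compat_group_filter."""
    return "(&(cn=%s)(objectclass=posixgroup))" % name


if __name__ == "__main__":
    print(compat_user_dn("Administrator@AD.LAN"))
    print(compat_group_filter("Domain Admins@ad.lan"))
    hostile = "*)(uid=*"                    # constructed injection attempt
    print("unsafe:", unsafe_group_filter(hostile))
    print("safe:  ", compat_group_filter(hostile))
```

For the names in the post the escaped forms are identical to the raw ones, which is why the ldapsearch one-liners work as written; the difference only shows when a caller (a PAM/NSS configuration template, a web front end) takes the name from an untrusted source, where the unescaped variant turns `*)(uid=*` into an extra filter clause while the escaped variant searches for that literal string.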
 

Re: [Freeipa-devel] [PATCH 0073] Remove support for IPA deployments with no persistent search

2013-07-15 Thread Martin Kosek
On 07/15/2013 06:28 PM, Simo Sorce wrote:
 On Mon, 2013-07-15 at 16:41 +0200, Petr Spacek wrote:
 On 15.7.2013 16:15, Simo Sorce wrote:
 On Mon, 2013-07-15 at 15:57 +0200, Martin Kosek wrote:
 On 07/15/2013 03:44 PM, Petr Spacek wrote:
 On 15.7.2013 15:31, Martin Kosek wrote:
 On 07/11/2013 05:10 PM, Tomas Babej wrote:
 On Thursday 11 of July 2013 16:10:33 Ana Krivokapic wrote:

 On 07/11/2013 11:20 AM, Tomas Babej wrote:

 boolean_var = {}

 - for var in ('persistent_search', 'serial_autoincrement'):

 + for var in ('serial_autoincrement'):

 This won't work - a one element tuple needs a comma at the end:

 ('serial_autoincrement', )

 boolean_var[var] = yes if getattr(self, var, False) else no



 self.sub_dict = dict(FQDN=self.fqdn,

 @@ -607,9 +604,8 @@ class BindInstance(service.Service):

 SUFFIX=self.suffix,

 OPTIONAL_NTP=optional_ntp,

 ZONEMGR=self.zonemgr,

 - ZONE_REFRESH=self.zone_refresh,

 IPA_CA_RECORD=ipa_ca,

 - PERSISTENT_SEARCH=boolean_var['persistent_search'],

 + PERSISTENT_SEARCH=yes,

 SERIAL_AUTOINCREMENT=boolean_var['serial_autoincrement'],)



 But anyway, I think this piece of code is unnecessarily complicated, I
 don't see

 a need for the 'boolean_var' dict here. I would suggest replacing it 
 with

 something like:



 serial_autoincrement = yes if self.serial_autoincrement else no



 and then pass serial_autoincrement to self.sub_dict = dict(...)







 Attached patch refactored the relevant part of the code.



 Tomas


 Thanks for patches! I am just thinking, should we also hide the respective
 option from ipa global DNS configuration? That's idnszonerefresh attribute.

 We may want to mark the attribute as invisible in CLI + remove it from Web UI.
 Petr - what is your take on this? Do you plan to remove idnszonerefresh
 attribute support in the future (Fedora 20) as persistent search will be
 mandatory in that time?

 Yes, you are right. We completely forgot about the web UI. And yes - please
 remove the option from web UI.

 Ok, Tomas please do the changes as proposed above.


 The latest development shows that persistent search will be replaced by RFC
 4533 (known as 'syncrepl'), but from user's point of view it doesn't matter.
 All options related to persistent search and zone_refresh will simply
 disappear. Syncrepl itself doesn't require explicit configuration.

 Ah, so this means that psearch option will be also removed from
 bind-dyndb-ldap? In Fedora 19 we just plan to hard-code it to yes, will that
 cause issues with Fedora 20? Should we already avoid using the psearch option
 and assume that bind-dyndb-ldap in Fedora 19 is using persistent search by
 default?

 Won't the new bind-dyndb-ldap simply ignore the psearch option when it
 moves to syncrepl ?

 I can do it, but I think that cleanest way is to remove the 'psearch' option
 in upgrade script.
 
 Sure, but if the upgrade, for whatever reason, fails to remove it
 bind-dyndb-ldap should just ignore.
 
 Another option is to release new bind-dyndb-ldap to Fedora 19 and change
 default values to 'psearch yes' right now. Do you agree?
 
 Too much churn, I think it is ok to change it when we are done with
 syncrepl and upgrade config, with the fallback failsafe that even if
 upgrade doesn't remove the option bind-dyndb-ldap will simply ignore it.
 
 This will be safer even for people using stuff like cfengine/puppet to
 manage configurations and not realizing we changed the conf on upgrade,
 their confsystems will push again a conf file with psearch yes but
 bind-dyndb-ldap won't break.
 
 Simo.
 

Hmm, that's right, it should be safer. Can bind-dyndb-ldap just yell to error
log that there is an unknown configuration option? (if it does not do that
already).

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] slapi-nis support for trusted domains

2013-07-15 Thread Alexander Bokovoy

Hi!

Attached please find two patches against slapi-nis 0.47 to serve trusted
domain users and groups to old clients. FreeIPA master needs to be
enabled with this, see my patch 0108 (on freeipa-devel@).

The patches add both lookup and PAM-based authentication bind for the
users returned by SSSD lookup.

Here is the logic:

0. Configuration is performed by setting

   schema-compat-lookup-sssd: user|group
   schema-compat-sssd-min-id: value

in corresponding schema-compat plugin tree (cn=users and cn=groups).

If schema-compat-sssd-min-id is not set, it will default to 1000. It is
used to filter out attempts to fetch system users (1000 on Fedora by
default).

1. On query, we parse query filter to identify what type of request is
this: user or group lookup and then issue getpwnam_r()/getgrnam_r() and
getsidbyid() for libsss_nss_idmap to fetch all needed information.

SSSD caches these requests, so they should be relatively fast.

2. Once we have served the request, it is cached in schema-compat cache map.
The entry in the cache is currently not expired explicitly but I'm
working on expiring it on wrong authentication -- if PAM stack returns a
response telling there is no such user.

3. Authentication bind for cached entries is done via PAM service
'system-auth'. If HBAC rule 'allow_all' is disabled in FreeIPA, one
needs to create a rule with service 'system-auth' and allow all users to
access it on IPA masters. Since system-auth is never used explicitly by
any application (it is always included through PAM stack and only
top-level PAM service is used to drive the HBAC ruleset), there is no
problem.

PAM authentication code is taken from pam_passthru DS plugin. We cannot
use it unchanged because pam_passthru expects that LDAP entry will exist
in DS, while it is not true for these synthetic entries representing
trusted domain users.

On Fedora one needs pam-devel and libsss_nss_idmap-devel to build the
plugin with new functionality.

--
/ Alexander Bokovoy
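Step 1 above resolves the name through NSS and the schema-compat-sssd-min-id setting from step 0 drops system accounts; the following is an added example, not slapi-nis code, of that filtered lookup for users with getpwnam_r() (the group path is the same with getgrnam_r() and _SC_GETGR_R_SIZE_MAX). The lookup_user() name, the LOOKUP_* result codes and the strict "id below min_id" comparison are assumptions; the names looked up in the test are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of a filtered NSS lookup (names assumed, not slapi-nis's). */
enum lookup_result { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_BELOW_MIN_ID, LOOKUP_ERROR };

/* Initial buffer for the reentrant call; grown on ERANGE below. */
static size_t start_size(void) {
    long n = sysconf(_SC_GETPW_R_SIZE_MAX);
    return n > 0 ? (size_t)n : 16384;
}

/* Resolve a user by name with getpwnam_r() and reject it when its UID is
 * below min_id, the role schema-compat-sssd-min-id (default 1000) plays
 * for system accounts. The strict comparison is an assumption. */
enum lookup_result lookup_user(const char *name, uid_t min_id, uid_t *uid_out) {
    size_t sz = start_size();
    struct passwd pw, *res = NULL;
    char *buf = NULL;
    int rc;

    do {
        char *nb = realloc(buf, sz);
        if (nb == NULL) { free(buf); return LOOKUP_ERROR; }
        buf = nb;
        rc = getpwnam_r(name, &pw, buf, sz, &res);
        sz *= 2;                 /* on ERANGE the entry did not fit: retry larger */
    } while (rc == ERANGE);

    enum lookup_result out;
    if (res == NULL) {
        /* glibc reports an unknown name as rc == 0 with res == NULL; some NSS
         * modules return ENOENT or ESRCH instead. Anything else is an error. */
        out = (rc == 0 || rc == ENOENT || rc == ESRCH) ? LOOKUP_NOT_FOUND : LOOKUP_ERROR;
    } else if (pw.pw_uid < min_id) {
        out = LOOKUP_BELOW_MIN_ID;   /* system account: never serve it to clients */
    } else {
        if (uid_out != NULL) *uid_out = pw.pw_uid;
        out = LOOKUP_FOUND;
    }
    free(buf);                       /* pw's string fields point into buf */
    return out;
}
```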
From d3433f2033015724fc6580c00d89627afbc06c1d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 15 Jul 2013 14:18:52 +0300
Subject: [PATCH 1/2] configure: add configure checks for sss_idmap and define
 attribute to lookup sssd

If schema compat plugin configuration has 'schema-compat-lookup-sssd: user|group'
then schema compat plugin will perform lookups of users/groups that were not found
in the main store using getpwnam_r()/getgrnam_r() and libsss_idmap library.

This is a special case to support legacy clients. Schema compat plugin in this
case is assumed to be running on FreeIPA master configured with trusts against
Active Directory and SSSD configured as ipa_server_mode = True.

Additionally, such entries are added to schema compat plugin's map cache and can
be used for authentication purposes. They will use PAM authentication pass-through
to system-auth service.
---
 configure.ac| 48 
 src/Makefile.am |  6 ++
 2 files changed, 54 insertions(+)

diff --git a/configure.ac b/configure.ac
index 8d7cbe1..4a47d36 100644
--- a/configure.ac
+++ b/configure.ac
@@ -309,6 +309,47 @@ AC_SUBST(ASYNCNS_CFLAGS)
 AC_SUBST(ASYNCNS_LIBS)
 fi
 
+AC_ARG_WITH(sss_nss_idmap,
+   AS_HELP_STRING([--with-sss-nss-idmap], [use libsss_nss_idmap]),
+   use_sss_nss_idmap=$withval,use_sss_nss_idmap=AUTO)
+if pkg-config sss_nss_idmap 2 /dev/null ; then
+   if test x$use_sss_nss_idmap != xno ; then
+   AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have 
libsss_nss_idmap.])
+   PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+   else
+   SSS_NSS_IDMAP_CFLAGS=
+   SSS_NSS_IDMAP_LIBS=
+   fi
+else
+   if test $use_sss_idmap = yes ; then
+   PKG_CHECK_MODULES(SSS_NSS_IDMAP,sss_nss_idmap)
+   else
+   SSS_NSS_IDMAP_CFLAGS=
+   SSS_NSS_IDMAP_LIBS=
+   fi
+fi
+AM_CONDITIONAL([SSS_NSS_IDMAP], [test x$SSS_NSS_IDMAP_LIBS != x])
+AC_SUBST(SSS_NSS_IDMAP_CFLAGS)
+AC_SUBST(SSS_NSS_IDMAP_LIBS)
+
+if x$SSS_NSS_IDMAP_LIBS != x ; then
+   AC_CHECK_HEADERS(pam.h)
+   if test x$ac_cv_header_pam_h = xno ; then
+   use_pam=yes
+   else
+   use_pam=no
+   fi
+
+   if test $use_pam = yes ; then
+   PAM_CFLAGS=
+   PAM_LIBS=-lpam
+   else
+   AC_ERROR([pam.h not found and it is required for SSSD mode])
+   fi
+   AC_SUBST(PAM_CFLAGS)
+   AC_SUBST(PAM_LIBS)
+fi
+
 mylibdir=`eval echo $libdir | sed s,NONE,${ac_default_prefix},g`
 mylibdir=`eval echo $mylibdir | sed s,NONE,${ac_prefix},g`
 case $server in
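Review bot: the pam.h check in this hunk is inverted: `if test x$ac_cv_header_pam_h = xno ; then use_pam=yes` enables PAM when the header is missing and hits `AC_ERROR` when it is present, so the two branches must be swapped. Two more problems in the same block: `if x$SSS_NSS_IDMAP_LIBS != x ; then` is missing the `test` keyword and will try to execute a command named `x-l...`, and the fallback branch tests `$use_sss_idmap` while `AC_ARG_WITH` sets `use_sss_nss_idmap`, so `--with-sss-nss-idmap=yes` can never force `PKG_CHECK_MODULES` when pkg-config does not know the module. Linux-PAM installs its application header as `security/pam_appl.h` rather than `pam.h`, so `AC_CHECK_HEADERS(security/pam_appl.h)` (cache variable `ac_cv_header_security_pam_appl_h`) is the check that can actually succeed, and `AC_MSG_ERROR` should replace the obsolete `AC_ERROR`.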
@@ -401,6 +442,13 @@ 
AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_RDN_ATTR,$rdnattr,
 attrattr=schema-compat-entry-attribute
 AC_DEFINE_UNQUOTED(SCH_CONTAINER_CONFIGURATION_ATTR_ATTR,$attrattr,
   [Define to name of the attribute which is used to specify 
attributes to be used when