Re: [Freeipa-devel] [PATCH] 0257 Add initial CA-less installation tests
On 22.8.2013 09:46, Petr Viktorin wrote:
> On 08/16/2013 07:13 PM, Petr Viktorin wrote:
>> On 07/30/2013 05:47 PM, Petr Viktorin wrote:
>>> Hello,
>>> This patch implements the first batch of integration tests for CA-less installation. Tests from http://www.freeipa.org/page/V3/CA-less_install up to IPA server install with missing DS PKCS#12 password are included.
>>> Running this already takes an hour in the lab I use, so I decided to split the patch up and post the first part for review now.
>>> The two tests for revoked certificates fail. This is expected as we don't handle revoked certs yet.
>>
>> Continuing, this patch includes all tests except the ones for UI (pvoborni's patch 443) and certinstall (I'll review jcholast's fixes first). See commit message for details.
>
> Here is the completed patch, with all tests except the Web UI ones.
>
> - The following case is omitted as it is invalid:
>   - Verify that IPA client install does not configure certmonger

Instead of making a note in the commit, I would prefer if you deleted the test case. There's no need to keep it if it's invalid, right?

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA server package group
On 08/26/2013 09:54 AM, Tomas Babej wrote:
> Hi,
> I cooked up a patch for comps that adds a FreeIPA package group. Please chime in if you're OK with package selection / description.
> For illustration, see the attached image. FreeIPA will be added as an add-on in an installer under the Infrastructure server environment, that means, in the included images it will be at the same level as DNS or FTP server. It will also appear in the Software Selection tool (PackageKit).
> It should also be available as yum groupinstall FreeIPA server, and in PackageKit, as I understand comps is also the source for that too.
> https://fedoraproject.org/wiki/How_to_use_and_edit_comps.xml_for_package_groups
> https://fedorahosted.org/freeipa/ticket/3630

IMO the Audit part in the description is false advertisement. Same issue is in package descriptions.

--
Petr Vobornik
[Freeipa-devel] [PATCH] EXTDOM: Do not overwrite domain_name for INP_SID
Hi, I found the problem when testing Sumit's PAC responder SSSD patches. It seems that the domain name is always overwritten with input SID. I think using the domain we parse out from output of getnamebysid can be safely used, but I'm not all that familiar with the extdom plugin.. From d24e37c5a32203fa2a2210a736f2c7dda5c3425e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Sun, 25 Aug 2013 14:39:27 +0200 Subject: [PATCH] EXTDOM: Do not overwrite domain_name for INP_SID --- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 26262e4ff411c70d562733236c071a44c0d46d7e..675fc368042373314e9416dcf7d5866cb8c9871e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -271,8 +271,6 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, ret = LDAP_OPERATIONS_ERROR; goto done; } - -domain_name = strdup(req-data.name.domain_name); break; case INP_NAME: ret = asprintf(fq_name, %s%c%s, req-data.name.object_name, -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
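Review bot: the hunk deletes the only assignment to domain_name visible on the INP_SID path (`domain_name = strdup(req-data.name.domain_name);`), which the cover note says was clobbering the domain resolved from the SID; before merging, confirm that the INP_SID branch now fills domain_name from the getnamebysid result before it is used, and that the `done` cleanup still copes with domain_name being NULL on this path, since nothing in the hunk shows where it is set afterwards. A line in the commit message explaining why req-data.name.domain_name is not meaningful for a SID request would help the next reader.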
Re: [Freeipa-devel] FreeIPA server package group
On Mon 26 Aug 2013 10:12:09 AM CEST, Petr Vobornik wrote:
> On 08/26/2013 09:54 AM, Tomas Babej wrote:
>> Hi,
>> I cooked up a patch for comps that adds a FreeIPA package group. Please chime in if you're OK with package selection / description.
>> For illustration, see the attached image. FreeIPA will be added as an add-on in an installer under the Infrastructure server environment, that means, in the included images it will be at the same level as DNS or FTP server. It will also appear in the Software Selection tool (PackageKit).
>> It should also be available as yum groupinstall FreeIPA server, and in PackageKit, as I understand comps is also the source for that too.
>> https://fedoraproject.org/wiki/How_to_use_and_edit_comps.xml_for_package_groups
>> https://fedorahosted.org/freeipa/ticket/3630
>
> IMO the Audit part in the description is false advertisement. Same issue is in package descriptions.

I know, it's taken directly from there. I'd rather have it consistent; if we're going to change it here, we should do it there too, so that we do not end up with multiple (seemingly incomplete) descriptions at various places.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH 0092] Remove redundant shebangs
On 08/23/2013 07:23 PM, Nathaniel McCallum wrote:
> On Thu, 2013-08-22 at 17:52 +0200, Tomas Babej wrote:
>> Hi,
>> Remove redundant shebangs from files that are not used as scripts.
>> https://fedorahosted.org/freeipa/ticket/3853
>
> ACK

Pushed to master, ipa-3-3.
master: edf92f765099366ae4e0b28e2aeaa54b7af92712
ipa-3-3: f1b0f1655abc0fba2f72b7ff01b5f25afefb4414

--
Petr³
Re: [Freeipa-devel] [PATCH] 447 Show human-readable error name in error dialog title
On 08/23/2013 07:25 PM, Nathaniel McCallum wrote:
> On Thu, 2013-08-22 at 16:15 +0200, Petr Vobornik wrote:
>> Fixes the RPC server's JSON encoding of the exception's name. It allows showing the name in the Web UI's error dialog title.
>
> ACK

Pushed to master: 34342b9a972a3a454b979dc64d0a510c5af24894

--
Petr³
Re: [Freeipa-devel] [PATCH 0091] Perform dirsrv tuning at platform level
On 08/23/2013 07:50 PM, Nathaniel McCallum wrote:
> On Thu, 2013-08-22 at 17:23 +0200, Tomas Babej wrote:
>> On 08/20/2013 06:40 PM, Nathaniel McCallum wrote:
>>> On Mon, 2013-08-19 at 14:48 +0200, Tomas Babej wrote:
>>>> Hi,
>>>> When configuring the 389 Directory Server instance, we tune it so that the number of file descriptors available to the DS is increased from the default 1024 to 8192.
>>>> There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms.
>>>>
>>>> systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd
>>>> sysV:    set ulimit -n 8192 in /etc/sysconfig/dirsrv
>>>>          set ulimit - nofile 8192 in /etc/security/limits.conf
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3823
>>>
>>> I'd prefer the use of 'with' in the RedHatDirectoryService:
>>>
>>>     # check limits.conf
>>>     need_limits = True
>>>     with open('/etc/security/limits.conf') as f:
>>>         for line in f:
>>>             sline = line.strip()
>>>             if not sline.startswith(DS_USER):
>>>                 continue
>>>             if sline.find('nofile') == -1:
>>>                 continue
>>>             # ok we already have an explicit entry for user/nofile
>>>             need_limits = False
>>>
>>> ... and ...
>>>
>>>     with open('/etc/sysconfig/dirsrv', 'a+') as f:
>>>         f.write('ulimit -n %s\n' % str(num))
>>>
>>> Nathaniel
>>
>> Fixed and I did some additional refactoring in the code. Attached.
>
> ACK

Pushed to master, ipa-3-3
master: 6961cf2e77cca8f3784a6d82cebeb0bb8df1f535
ipa-3-3: 509e579472800a75fccb89c9fb83614744d80c87

--
Petr³
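The limits.conf check discussed in the thread above, written out as an added example that is not FreeIPA's code and not the patch under review. It keeps the shape of the loop Nathaniel sketched but compares whole fields, so a commented-out line or a user name that merely shares a prefix with the DS user does not count as an existing entry. The DS user name ("dirsrv") and the file paths are assumptions made for the example; the 8192 value and the `ulimit -n` line come from the thread.

```python
# Added example, not FreeIPA's code: an idempotent limits.conf / sysconfig
# check in the spirit of the review above. The DS user name and paths are
# assumptions; the logic runs offline against constructed text.

DS_USER = "dirsrv"   # assumption: the account the 389 DS instance runs as
DS_NOFILE = 8192     # the value the patch raises the descriptor limit to


def has_nofile_limit(limits_text, user=DS_USER):
    """True if limits.conf text already holds an explicit nofile entry for user.

    Mirrors the loop in the review but compares whole fields: a commented-out
    line, or a domain that merely starts with the user name (e.g. 'dirsrv2'),
    is not treated as an existing entry.
    """
    for line in limits_text.splitlines():
        sline = line.strip()
        if not sline or sline.startswith("#"):
            continue
        fields = sline.split()          # <domain> <type> <item> <value>
        if len(fields) < 4 or fields[0] != user:
            continue
        if fields[2] == "nofile":
            return True
    return False


def limits_conf_entry(user=DS_USER, num=DS_NOFILE):
    """The limits.conf line to append ('-' sets both soft and hard limit)."""
    return "%s\t-\tnofile\t%d\n" % (user, num)


def ensure_nofile_limit(limits_text, user=DS_USER, num=DS_NOFILE):
    """Return limits.conf content with the entry appended only when missing."""
    if has_nofile_limit(limits_text, user):
        return limits_text
    if limits_text and not limits_text.endswith("\n"):
        limits_text += "\n"
    return limits_text + limits_conf_entry(user, num)


def sysconfig_ulimit_line(num=DS_NOFILE):
    """The line appended to /etc/sysconfig/dirsrv on sysV platforms."""
    return "ulimit -n %s\n" % num


def apply_limits(limits_path="/etc/security/limits.conf",
                 user=DS_USER, num=DS_NOFILE):
    """Real-file variant: read, decide, rewrite only when something changed.

    Returns True if the file was modified."""
    with open(limits_path) as f:
        before = f.read()
    after = ensure_nofile_limit(before, user, num)
    if after != before:
        with open(limits_path, "w") as f:
            f.write(after)
    return after != before
```

Because the decision is made on the text rather than while the file is open for append, the installer can be re-run without accumulating duplicate `nofile` lines, which is the failure mode the `need_limits` flag in the review exists to prevent.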
Re: [Freeipa-devel] [PATCH 0083] Make CS.cfg edits with CA instance stopped
On 08/23/2013 02:23 PM, Tomas Babej wrote:
> On 08/05/2013 05:43 PM, Martin Kosek wrote:
>> On 08/02/2013 03:32 PM, Tomas Babej wrote:
>>> Hi,
>>> This patch makes sure that all edits to the CS.cfg configuration file are performed while the pki-tomcatd service is stopped.
>>> Introduces a new contextmanager stopped_service for handling the general problem of performing a task that needs a certain service to be stopped.
>>> https://fedorahosted.org/freeipa/ticket/3804
>>> Tomas
>>
>> 1) I think it would make sense to ideally run the steps updating CS.cfg close together, stop PKI before this group and start it after it finishes. Otherwise, the installer runs many service stops and starts which may be error prone, especially given the fragile (and sometimes slow) java server handling.
>>
>> 2) I am thinking that the stopped_service context manager could as well be defined in ipaserver/install/service.py, as a context manager of the class. That way, every installer class could use it like:
>>
>>     class CAInstance():
>>         ...
>>         def __some_step(self):
>>             with self.stopped_service(start_when_finished=True):
>>                 # do something
>
> I considered this approach, but this might introduce unnecessary errors if we ever reorder the install steps in cainstance.py. I rather added two explicit steps to stop and start the CA instance.
>
>> That way, the context manager could just use self.name to avoid numerous hardcoded service names like:
>>
>>     ...
>>     with stopped_service('pki_tomcatd', instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
>>     ...
>
> Yes, but there are functions outside the CAInstance class that leverage this context.
>
>> 3) After I installed pki-ca, I saw no published CRL files:
>>
>>     # ls -la /var/lib/ipa/pki-ca/publish/
>>
>> I am not sure what is the root cause, maybe some of the numerous start/restarts broke the publisher process.
>
> I'm not seeing this with the updated version of the patch anymore.
>
>> Martin
>
> Updated patch attached.

ACK for master, ipa-3-3. For ipa-3-2, the patch needs a rebase.

Pushed:
master: ab6a6e27d88b44b8c3f07290ae753558705363ee
ipa-3-3: 12cb45c767d097a39d082ebad0f846bdb94ed9ca

--
Petr³
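An added example (not FreeIPA's code and not the patch under review) of the stopped_service context manager the thread discusses, shaped around the two review points: Martin's point 1 (one stop/start pair around a whole group of CS.cfg edits rather than per edit) and the start_when_finished flag from point 2. The service controller is injected as a small stand-in class so the behaviour can be exercised offline; the real installer would call the platform service manager there. The CS.cfg keys in the test are constructed placeholders, not real Dogtag settings.

```python
# Added example, not FreeIPA's code: a stopped_service context manager in the
# shape discussed above, with the service controller injected so that the
# behaviour (one stop/start pair around a batch of edits, restart even when
# the body fails, no start of a service that was not running) can be checked.
from contextlib import contextmanager


class ServiceController:
    """Stand-in for the platform service manager (assumption: real code
    would call systemctl/service here). Records every action for inspection."""

    def __init__(self, running=()):
        self.running = set(running)
        self.log = []

    def is_running(self, name):
        return name in self.running

    def stop(self, name):
        self.log.append(("stop", name))
        self.running.discard(name)

    def start(self, name):
        self.log.append(("start", name))
        self.running.add(name)


@contextmanager
def stopped_service(ctl, name, start_when_finished=True):
    """Run the body with `name` stopped; bring it back afterwards.

    The restart lives in `finally`, so an exception inside the body still
    restarts the service, and a service that was not running to begin with
    is left alone (a design choice of this example, not of the patch)."""
    was_running = ctl.is_running(name)
    if was_running:
        ctl.stop(name)
    try:
        yield
    finally:
        if was_running and start_when_finished:
            ctl.start(name)


def set_cfg_values(cfg_lines, edits):
    """Apply key=value edits to a list of CS.cfg-style 'key=value' lines.

    Existing keys are rewritten in place; keys not present are appended."""
    out = []
    pending = dict(edits)
    for line in cfg_lines:
        key = line.split("=", 1)[0]
        if key in pending:
            out.append("%s=%s" % (key, pending.pop(key)))
        else:
            out.append(line)
    for key, value in pending.items():
        out.append("%s=%s" % (key, value))
    return out


def edit_cfg_with_service_stopped(ctl, name, cfg_lines, edits):
    """Group all CS.cfg edits under a single stop/start, as point 1 of the
    review suggests, instead of stopping the service once per edit."""
    with stopped_service(ctl, name):
        return set_cfg_values(cfg_lines, edits)
```

The log the stand-in records is the property worth checking in a test: however many keys are edited, the service sees exactly one stop and one start, and a failure in the middle of the edit never leaves pki-tomcatd down.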
[Freeipa-devel] [DOC] Chapter 2 Installation
Hello, this patch fix some setup outputs and remove outdated section about updating freeIPA version 2 -- Martin Basti From d0781341370cfa9e434fdff4cc0fe19eaf44eee0 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Mon, 26 Aug 2013 15:28:42 +0200 Subject: [PATCH] Chapter 2 - Installing Fixed setup outputs Removed outdated section about updating version 2 https://fedorahosted.org/freeipa/ticket/3763 --- src/user_guide/en-US/Installing.xml | 199 1 file changed, 113 insertions(+), 86 deletions(-) diff --git a/src/user_guide/en-US/Installing.xml b/src/user_guide/en-US/Installing.xml index 4e653012ad21615480f59ceeadf83f5771cde1b4..3e9ba40971b53972dc2afac6639050fa49974b0c 100644 --- a/src/user_guide/en-US/Installing.xml +++ b/src/user_guide/en-US/Installing.xml @@ -85,7 +85,7 @@ section id=supported-browserstitleSupported Web Browsers/title para -The only supported browser to access the IPA; web UI is Firefox 3.x or 4.x. +The only supported browser to access the IPA; web UI is Firefox (version 4.x and newer). /para /section 
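Review bot: the @@ -85 hunk changes the supported-browser statement to "Firefox (version 4.x and newer)", but the commit message only lists fixed setup outputs and the removed version-2 upgrade section; add a commit-message line for this support change (and what backs "and newer", e.g. the ticket or the tested versions) so the doc change can be reviewed on its own. Nit: "The only supported browser" reads oddly in front of an open-ended range; "Firefox 4 or later" is shorter.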
@@ -602,91 +602,96 @@ negative-time-to-live hosts 20 /listitem listitem para + Choose to not configure DNS. (If you need to configure DNS see xref linkend=install-dns /.) + /para + programlisting Do you want to configure integrated DNS (BIND)? [no]: /programlisting + /listitem + listitem + para Enter the hostname. This is determined automatically using reverse DNS. /para -programlisting language=BashServer host name [ipaserver.example.com]:/programlisting +programlistingServer host name [ipaserver.example.com]:/programlisting /listitem listitem para Enter the domain name. This is determined automatically based on the hostname. /para -programlisting language=BashPlease confirm the domain name [example.com]:/programlisting - /listitem - listitem - para - The script then reprints the hostname, IP address, and domain name. - /para -programlisting language=BashThe IPA Master Server will be configured with -Hostname:ipaserver.example.com -IP address: 192.168.1.1 -Domain name: example.com/programlisting +programlistingPlease confirm the domain name [example.com]:/programlisting /listitem + listitem para Enter the new Kerberos realm name. This is usually based on the domain name. /para -programlisting language=BashPlease provide a realm name [EXAMPLE.COM]:/programlisting +programlistingPlease provide a realm name [EXAMPLE.COM]:/programlisting /listitem listitem para Enter the password for the DS; superuser, commandcn=Directory Manager/command. There are password strength requirements for this password, including a minimum password length. /para -programlisting language=BashDirectory Manager password: +programlistingDirectory Manager password: Password (confirm):/programlisting /listitem listitem para Enter the password for the IPA; system user account, commandadmin/command. This user is created on the machine. 
/para -programlisting language=BashIPA admin password: +programlistingIPA admin password: Password (confirm):/programlisting /listitem listitem para + The script then reprints the hostname, IP address, domain name and realm name. + /para +programlistingThe IPA Master Server will be configured with +Hostname:ipaserver.example.com +IP address: 192.168.1.1 +Domain name: example.com +Realm name: EXAMPLE.COM + +Continue to configure the system with these values? [no]: yes/programlisting + /listitem + listitem + para After that, the script configures all of the associated services for IPA;, with task counts and progress bars. /para -programlisting language=BashConfiguring ntpd +programlistingConfiguring NTP daemon (ntpd) [1/4]: stopping ntpd - ... -done configuring ntpd. - -Configuring directory server for the CA: Estimated time 30 seconds - [1/3]: creating directory server user -... -done configuring pkids. - -Configuring certificate server: Estimated time 6 minutes - [1/17]: creating certificate server user - -done configuring pki-cad. - -Configuring directory server: Estimated time 1 minute - [1/32]: creating directory server user -... -done configuring dirsrv. - -Configuring Kerberos KDC: Estimated time 30 seconds - [1/14]: setting KDC account password -... -done configuring krb5kdc. - + ... +Done configuring NTP daemon (ntpd). +Configuring directory server (dirsrv): Estimated time 1 minute + [1/38]: creating directory server user + ... +Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds + [1/20]: creating certificate server user + ... +Done configuring certificate server (pki-tomcatd). +Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds + [1/10]:
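Review bot: the @@ -602 hunk records step counts and estimates ([1/38], [1/20] with "Estimated time 3 minutes 30 seconds", [1/10]) that change with every installer release; since the listing already elides steps with "...", trimming these to the step names or saying the counts are illustrative would keep the chapter from going stale again, which is what this patch is fixing. The reordering (DNS prompt first, the "IPA Master Server will be configured with" summary with "Realm name" and the "Continue to configure the system with these values? [no]: yes" confirmation after the admin password) is consistent within the hunk. Nit: the new "Choose to not configure DNS" item could say that "no" is the default, so the reader knows pressing Enter matches the example.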
[Freeipa-devel] [DOC] 0002 Chapter 3 Installing clients
Hello, this patch fix some setup outputs, add tips and order of command in examples -- Martin Basti From 503ea1244427d902cd8547a11ecbe06b751702e4 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Mon, 26 Aug 2013 17:00:34 +0200 Subject: [PATCH 2/2] Chapter 3 - installing clients Edited some configuration outputs Add some TIPs Edited order of some commands --- src/user_guide/en-US/InstallingClients.xml | 98 +++--- 1 file changed, 63 insertions(+), 35 deletions(-) diff --git a/src/user_guide/en-US/InstallingClients.xml b/src/user_guide/en-US/InstallingClients.xml index 6f8bea75b7ba2937c1a1093e8f3d1a86b64167d0..22558f348e085bfe31d133ba4129949fcd6fbdc7 100644 --- a/src/user_guide/en-US/InstallingClients.xml +++ b/src/user_guide/en-US/InstallingClients.xml @@ -127,7 +127,7 @@ example.com = EXAMPLE.COM -- listitem para - OS; 14, 15, 16, and 17 + OS; 14, 15, 16, 17, 18 and 19 /para /listitem listitem 
@@ -291,13 +291,13 @@ example.com = EXAMPLE.COM para For a regular user system, this requires only the filenameipa-client/filename package: /para -programlisting language=Bash condition=fedora# yum install freeipa-client/programlisting -programlisting language=Bash condition=redhat# yum install ipa-client/programlisting +programlisting language=Bash condition=fedora[root@client ~]# yum install freeipa-client/programlisting +programlisting language=Bash condition=redhat[root@client ~]# yum install ipa-client/programlisting para An administrator machine requires the filename condition=redhatipa-admintools/filenamefilename condition=fedorafreeipa-admintools/filename package, as well: /para -programlisting language=Bash condition=fedora# yum install freeipa-client freeipa-admintools/programlisting -programlisting language=Bash condition=redhat# yum install ipa-client ipa-admintools/programlisting +programlisting language=Bash condition=fedora[root@client ~]# yum install freeipa-client freeipa-admintools/programlisting +programlisting language=Bash condition=redhat[root@client ~]# yum install ipa-client ipa-admintools/programlisting /listitem listitem @@ -315,7 +315,7 @@ example.com = EXAMPLE.COM Run the client setup command. /para -programlisting language=Bash# ipa-client-install --enable-dns-updates/programlisting +programlisting language=Bash[root@client ~]# ipa-client-install --enable-dns-updates/programlisting para The option--enable-dns-updates/option option updates DNS with the client machine's IP address. This option should only be used if the IPA; server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol. /para 
@@ -341,7 +341,7 @@ example.com = EXAMPLE.COM If prompted, enter the domain name for the IPA; DNS domain. /para -programlisting language=BashDNS discovery failed to determine your DNS domain +programlistingDNS discovery failed to determine your DNS domain Please provide the domain name of your IPA server (ex: example.com): example.com/programlisting /listitem @@ -367,14 +367,28 @@ Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com screen Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin -Password for ad...@example.com: -Enrolled in IPA; realm EXAMPLE.COM +Synchronizing time with KDC... +Password for ad...@example.com: +Successfully retrieved CA cert + Subject: CN=Certificate Authority,O=EXAMPLE.COM + Issuer: CN=Certificate Authority,O=EXAMPLE.COM + Valid From: Tue Aug 13 09:29:07 2013 UTC + Valid Until: Sat Aug 13 09:29:07 2033 UTC + +Enrolled in IPA realm EXAMPLE.COM Created /etc/ipa/default.conf +New SSSD config will be created Configured /etc/sssd/sssd.conf -Configured /etc/krb5.conf for IPA; realm EXAMPLE.COM +Configured /etc/krb5.conf for IPA realm EXAMPLE.COM +Failed to update DNS records. +Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub +Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub +Could not update DNS SSHFP records. SSSD enabled -Kerberos 5 enabled +Configured /etc/openldap/ldap.conf NTP enabled +Configured /etc/ssh/ssh_config +Configured /etc/ssh/sshd_config Client configuration complete. /screen @@ -385,8 +399,8 @@ Client configuration complete. /para programlisting language=Bash$ id -$ getent passwd replaceableuserID/replaceable -$ getent group ipausers/programlisting +$ getent passwd admin +$ getent group admins/programlisting /listitem listitem 
@@ -402,10 +416,16 @@ RPCSVCGSSDARGS=-vvv/programlisting /note orderedlist listitem + para + Get credentials from Kerberos. + /para + programlisting[root@server ~]#kinit admin/programlisting + /listitem + listitem para On IPAA; server, add an NFS service
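Review bot: in the @@ -367 hunk the new sample screen output includes "Failed to update DNS records." and "Could not update DNS SSHFP records." in what is presented as a successful enrollment; since the preceding step recommends --enable-dns-updates, a reader will take these failures as expected, so either capture the output from a run where the DNS server accepted the updates or add a sentence explaining when these lines appear and that enrollment still completes. Nits: in the @@ -402 hunk the prompt "[root@server ~]#kinit admin" is missing the space after "#", and the @@ -127 hunk extends the supported-OS list by enumeration ("14, 15, 16, 17, 18 and 19"), which needs touching every release; a "version N and later" phrasing would be easier to keep current.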
[Freeipa-devel] FreeIPA and Dogtag support for User Certificates in OpenStack Keystone
Keystone needs signing certificates for signing PKI tokens. In addition, CERN has developed an approach that allows users to authenticate to Keystone via X509 for batch jobs. This requires client certs. Both of these use cases are easily supported by Dogtag, but not exposed via FreeIPA yet.

The easiest path forward is to open up direct access to the Dogtag REST APIs. In this case, the work flow would be:

User sends CSR to Dogtag
Agent approves
User fetches signed certificate
User uploads to IPA

The questions I have relate to Dogtag/IPA integration:

All actions to Dogtag should be via mod_nss secured with Kerberos. Does this tie in with Dogtag, or would Dogtag require client side certificate validation?

Even with Kerberos authentication, there is still no cross reference between the Kerberos principal and the CSR subject. Is this a problem? I thought there was a custom Tomcat Realm for integrating with Kerberos. If so, does this expose the correct data to check the subject in the CSR?

Are there security implications in the user uploading their own certificates to FreeIPA's LDAP?

Can we re-enable the Dogtag XSRF checking without breaking IPA?

Does it make sense to have an extension to ipa-server-install that specifies a Keystone user that becomes a Dogtag agent, or a comparable commandline tool of the ipa-* family?

If we expose a URL for CSRs, that exposes the potential to request CSRs with any set of attributes. The Agent would need to be careful not to sign inappropriate requests. Is there any support for limiting the types of requests that would be acceptable?