date:20140624

Re: [Freeipa-devel] LDAP schema for DNSSEC keys

2014-06-24 Thread Jan Cholasta


On 20.6.2014 20:23, Simo Sorce wrote:

On Fri, 2014-06-20 at 20:04 +0200, Petr Spacek wrote:

ipk11Private;privatekey: TRUE
ipk11Private;publickey: FALSE


can these two ever hold a different value ?
ie a privatekey be FALSE and a publickey be TRUE ?

If not I suggest you do not add this attribute at all and assume their
value ?


+1, we can use default values for most, if not all of the boolean flag 
attributes. Personally, I would try to avoid using ipk11 attributes 
until the PKCS#11 module is designed/implemented.



(btw I forgot what's the point of that attribute)


When it is true, a user may not access the object until the user has 
been authenticated to the token (what PKCS#11 spec says).




Simo.




--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] DNSSEC key wrapping: cryptographer needed

2014-06-24 Thread Jan Cholasta

On 23.6.2014 14:57, Petr Spacek wrote:

Hello list,

I'm working on key wrapping mechanism described in thread LDAP schema
for DNSSEC keys [0] and I'm really puzzled from the maze of crypto
here. I would really appreciate any suggestions or comments on this.

- I have difficulties to pick and use proper wrapping mechanisms and
their configuration/usage patterns.

- Rick van Rein from OpenDNSSEC-user list noted that we are defeating
purpose of PKCS#11 by exporting raw keys from HSM. I can see his point
and we should be able to do all crypto operations inside SoftHSM.

I have asked him to describe his doubts on freeipa-devel list - stay tuned.

We need to wrap
===
- asymmetric key (zone key) with symmetric key (master key)
- symmetric key (master key) with asymmetric key (replica key)

LDAP schema prescribes some storage formats but my question is about
crypto algorithms (and padding!) used for key wrapping.

Asymmetric keys
===
According to schema [1] wrapped asymmetric (i.e. private) key must be
stored in 'ipaPrivateKey' attribute as DER-encoded
EncryptedPrivateKeyInfo structure according to RFC 5958 [2].

It seem that SoftHSM's C_WrapKey PKCS#11 call will give us encryptedData
part of EncryptedPrivateKeyInfo structure so we only have to add
algorithm identifier, DER-encode the whole thing, and we could be done.

I'm not sure where should I stick IV or what happens if default (fixed)
IV value is left in place...?

Technically SoftHSM's C_WrapKey call produces PKCS#8 structure encrypted
with AES according to RFC 3394 (no padding) or RFC 5649 (with padding).

RFC 3394 works only on blocks of 64 bits, which is not our case because
EncryptedPrivateKeyInfo has no padding. So we should use RFC 5649 to get
proper padding etc.

And here is the problem: SoftHSM can use RFC 5649 using OpenSSL
functions but OpenSSL doesn't support RFC 5649! The patch with this
functionality was submitted back in 2010 to OpenSSL bug tracker [3] but
the ticket is in state new and there was no reply to the e-mail in the
original thread [4].

Does this mean SoftHSM does not support RFC 5649?

What do we do?
- Convince OpenSSL to review and accept the patch?
- Hack it around #0: Use something else as key wrapping method? Other
wrapping methods would require SoftHSM modification because SoftHSM
supports only AES mechanisms now.
- Hack it around #1: Implement the RFC 5649 wrapping algorithm in a
downstream patch in SoftHSM? Do we have enough expertise to implement it
correctly?
- Hack it around #2: Implement raw key extraction from SoftHSM and do
key wrapping somehow somewhere? (Please nooo.)

Symmetric keys
==
should be stored in 'ipaSecretKey' attribute but detailed storage format
definition is missing from schema [1] right now.

I thought we already agreed on using raw encrypted blob.

Unfortunately, SoftHSM doesn't support C_WrapKey PKCS#11 function with
asymmetric key as *wrapping* key so we need to add this functionality.

The first question is:
What algorithm and padding scheme should we use?

I guess PKCS#1 RSA or PKCS#1 RSA OAEP.

Something like OpenSSL's RSA_PKCS1_OAEP_PADDING [6]? That would be
relatively easy to implement to SoftHSM because it is already there,
just not handled in C_WrapKey (so we need to add appropriate 'glue' there).

Another question is storage format of the wrapped key.
PKCS#11 2.40d2 [7] contains this comment about PKCS #1 RSA OAEP
algorithm:
For wrapping, the “input” to the encryption operation is the value of
the CKA_VALUE attribute of the key that is wrapped; similarly for
unwrapping. The mechanism does not wrap the key type or any other
information about the key, except the key length; the application must
convey these separately.

AFAIK it means that it wraps raw secret key and nothing else. If I'm not
wrong we should be able to take resulting blob and stick it into
OneSymmetricKey structure from RFC 6031 [5]. Honza, is it correct
assumption/idea?

What is the benefit of using OneSymmetricKey here? There is no wrapping
algorithm identifier as in EncryptedPrivateKeyInfo and the whole thing
looks very PSKC-specific.

I would really appreciate any suggestions or comments on this.

Thank you for your time.

[0] https://www.redhat.com/archives/freeipa-devel/2014-April/msg00565.html
[1] http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#Encoded_key_data_2
[2] http://tools.ietf.org/html/rfc5958#section-3
[3] http://rt.openssl.org/Ticket/Display.html?id=2204
[4] http://marc.info/?l=openssl-devm=126953517430167w=2
[5] https://tools.ietf.org/html/rfc6031#section-2
[6] https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
[7]
http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/csprd02/pkcs11-curr-v2.40-csprd02.html#_Toc387327841

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

2014-06-24 Thread Jan Cholasta


On 23.6.2014 13:01, Martin Kosek wrote:

On 06/18/2014 02:09 PM, Jan Cholasta wrote:
...

3) I am thinking why do we need to introduce all the ASN parsing? I am talking
about _decode_krb5principalname and others. If we do not use the result
anywhere, why should we include this part at all?


To work around shortcomings of NSS/python-nss. In particular,
_decode_krb5principalname is used to decode KRB5PrincipalName SANs to a string.
This is necessary because certmonger puts such SANs in certificate requests it
generates.


I know, but we do not use the values besides DNS SAN type, right? I was just
afraid that a decode error in a decoding of an unused SAN type would cause the
entire CSR processing to crash.


If we do not allow principal name SANs, requests from certmonger will fail. If
we allow them, but ignore them, you could request a certificate for an
arbitrary unrelated principal. Thus, the only thing we can do is allow them and
validate them, which is what the patch does and why decoding KRB5PrincipalName
is necessary.


True, we need to make sure the principal type SANs match. ack on the intent.


4) I get crash in the certmonger request:

ipa-getcert request -d /etc/pki/nssdb/ -n test-san-1 -I test-san-1 -g 2048 -r
-N cn=`hostname` -K host/`hostname` -D test1.example.com -D
test2.example.com
-E mko...@redhat.com

# ipa-getcert list -i test-san-1
Number of certificates and requests being tracked: 8.
Request ID 'test-san-1':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (HTTP response code is
500,
not 200).
  stuck: yes


HTTPD traceback
[Mon Jun 16 13:06:14.528642 2014] [:error] [pid 12941] [remote

...

PyAsn1Error: TagSet(Tag(tagClass=128, tagFormat=0, tagId=2)) not in asn1Spec:
_GeneralName()


What version of certmonger are you using?


Latest Fedora 20, i.e. should be certmonger-0.71.2-1.fc20 (do not have access
to my VM atm). Is this a bug in certmonger?


No, it's bug in my code. Fixed.


Works.


Also added patch 301 which fixes a bug in ldap2.get_effective_rights I was
hitting with patch 234.

Updated patches attached.



Thanks. Functionally, the patch looks ok to me, we are close to final ack. Just
couple more minor changes need to happen:

1) We decided to drop ipaVirtualOperation concept in the end and allow people
reading this list. This implies following changes:

234 - drop ipaVirtualOperation from cn=request certificate with
subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
300 - drop the entire patch (sorry)


OK.



2) I would like to have more confidence that no unauthorized SAN extension gets
in. I know we have the

+for name_type, name in subjectaltname:
+if name_type not in (pkcs10.SAN_DNSNAME,

loop, but I would also like to add else path to the SAN type validation loop,
in case somebody just expands the part above, but forgot to also add
validation. I want us to be explicit in this case:

+for name_type, name in subjectaltname:
+if name_type == pkcs10.SAN_DNSNAME:
...
+elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
+   pkcs10.SAN_OTHERNAME_UPN):
...

else:
 raise errors.ACIError(info=_(
Unauthorized subject alt name '%s'.) % name)




Fixed.



When this is fixed, we should be done.

Thanks,
Martin



Updated and rebased patches attached.

--
Jan Cholasta
From 26cfd1e4b12e84861b19028e8c81befc8e4bca8e Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Thu, 5 Dec 2013 14:34:14 +0100
Subject: [PATCH 1/3] Allow SAN in IPA certificate profile.

https://fedorahosted.org/freeipa/ticket/3977
---
 install/tools/ipa-upgradeconfig |  7 +-
 ipaserver/install/cainstance.py | 51 +
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 99dfbdf..688e178 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -330,9 +330,14 @@ def upgrade_ipa_profile(ca, domain, fqdn):
 root_logger.debug('Subject Key Identifier updated.')
 else:
 root_logger.debug('Subject Key Identifier already set.')
+san = ca.enable_subject_alternative_name()
+if san:
+root_logger.debug('Subject Alternative Name updated.')
+else:
+root_logger.debug('Subject Alternative Name already set.')
 audit = ca.set_audit_renewal()
 uri = ca.set_crl_ocsp_extensions(domain, fqdn)
-if audit or ski or uri:
+if audit or ski or san or uri:
 return True
 else:
 root_logger.info('CA is not configured')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b5c6cdc..b13a77d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -464,6 +464,7 @@ class CAInstance(service.Service):

Re: [Freeipa-devel] DNSSEC: IPA Installation/Upgrade

2014-06-24 Thread Petr Spacek


On 23.6.2014 17:49, Martin Basti wrote:

On Mon, 2014-06-23 at 17:44 +0200, Martin Basti wrote:

Hello,
I have following issues:

#1 Upgrading existing replicas to support DNSSEC won't work for current
design (replica-file as storage for temporal replica key).
Temporal private key needs to be copied to replica, and no encrypted
master-key for replica is prepared in LDAP, because user doesn't need to
run ipa-replica-prepare.

After discussion with Petr2, the solution is:
a) Each replica (except first - which generates master-key) generates
replica public and private keys.
b) Replica uploads public key to LDAP
c) Replica with generated master key, use the public key (b) to encrypt
master-key and store it to LDAP. Replica with master-key must detect, if
there is any new public replica key.
d) Replica (b) is now able to get master-key using own private replica
key


#2 We need to choose only one replica which will generate, (rotate, ...)
DNSSEC keys.

and generate master key too


My proposal is to test during installation/upgrade if any dnssec/master
keys are in LDAP. If no key was found, the first server is
installed/upgraded and DNSSEC key generator is required.

But there is issue with parallel upgrade multiple replicas (or if
replication temporarily doesn't work). There is no guarantee if replicas
will be able to detect if any replica became DNSSEC key generator.


Let me add that we are going to use syncrepl anyway so the overall latency 
should be minimal (if replication works).


--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

2014-06-24 Thread Martin Kosek

On 06/24/2014 11:30 AM, Jan Cholasta wrote:
 On 23.6.2014 13:01, Martin Kosek wrote:
 On 06/18/2014 02:09 PM, Jan Cholasta wrote:
 ...
 3) I am thinking why do we need to introduce all the ASN parsing? I am
 talking
 about _decode_krb5principalname and others. If we do not use the result
 anywhere, why should we include this part at all?

 To work around shortcomings of NSS/python-nss. In particular,
 _decode_krb5principalname is used to decode KRB5PrincipalName SANs to a
 string.
 This is necessary because certmonger puts such SANs in certificate
 requests it
 generates.

 I know, but we do not use the values besides DNS SAN type, right? I was 
 just
 afraid that a decode error in a decoding of an unused SAN type would cause 
 the
 entire CSR processing to crash.

 If we do not allow principal name SANs, requests from certmonger will fail. 
 If
 we allow them, but ignore them, you could request a certificate for an
 arbitrary unrelated principal. Thus, the only thing we can do is allow them 
 and
 validate them, which is what the patch does and why decoding 
 KRB5PrincipalName
 is necessary.

 True, we need to make sure the principal type SANs match. ack on the intent.

 4) I get crash in the certmonger request:

 ipa-getcert request -d /etc/pki/nssdb/ -n test-san-1 -I test-san-1 -g
 2048 -r
 -N cn=`hostname` -K host/`hostname` -D test1.example.com -D
 test2.example.com
 -E mko...@redhat.com

 # ipa-getcert list -i test-san-1
 Number of certificates and requests being tracked: 8.
 Request ID 'test-san-1':
   status: CA_UNREACHABLE
   ca-error: Server failed request, will retry: -504 (HTTP response
 code is
 500,
 not 200).
   stuck: yes


 HTTPD traceback
 [Mon Jun 16 13:06:14.528642 2014] [:error] [pid 12941] [remote
 ...
 PyAsn1Error: TagSet(Tag(tagClass=128, tagFormat=0, tagId=2)) not in
 asn1Spec:
 _GeneralName()

 What version of certmonger are you using?

 Latest Fedora 20, i.e. should be certmonger-0.71.2-1.fc20 (do not have 
 access
 to my VM atm). Is this a bug in certmonger?

 No, it's bug in my code. Fixed.

 Works.

 Also added patch 301 which fixes a bug in ldap2.get_effective_rights I was
 hitting with patch 234.

 Updated patches attached.


 Thanks. Functionally, the patch looks ok to me, we are close to final ack. 
 Just
 couple more minor changes need to happen:

 1) We decided to drop ipaVirtualOperation concept in the end and allow people
 reading this list. This implies following changes:

 234 - drop ipaVirtualOperation from cn=request certificate with
 subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
 300 - drop the entire patch (sorry)
 
 OK.
 

 2) I would like to have more confidence that no unauthorized SAN extension 
 gets
 in. I know we have the

 +for name_type, name in subjectaltname:
 +if name_type not in (pkcs10.SAN_DNSNAME,

 loop, but I would also like to add else path to the SAN type validation 
 loop,
 in case somebody just expands the part above, but forgot to also add
 validation. I want us to be explicit in this case:

 +for name_type, name in subjectaltname:
 +if name_type == pkcs10.SAN_DNSNAME:
 ...
 +elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
 +   pkcs10.SAN_OTHERNAME_UPN):
 ...
 else:
  raise errors.ACIError(info=_(
 Unauthorized subject alt name '%s'.) % name)

 
 Fixed.
 

 When this is fixed, we should be done.

 Thanks,
 Martin

 
 Updated and rebased patches attached.
 

This looks good. We can finally push this beast. Note that we should also add
proper tests in future exercising the new functionality.

ACK. Pushed to master: 8b8774d138348ab4b938f98dc106ea983e261262

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES] 0594-0606 Convert default permissions to managed

2014-06-24 Thread Martin Kosek

On 06/24/2014 12:27 PM, Petr Viktorin wrote:
 On 06/23/2014 05:51 PM, Martin Kosek wrote:
 On 06/23/2014 02:59 PM, Petr Viktorin wrote:
 On 06/23/2014 10:07 AM, Martin Kosek wrote:
 On 06/20/2014 11:17 PM, Martin Kosek wrote:
 On 06/20/2014 05:06 PM, Petr Viktorin wrote:
 All these should be independent, except for conflicts in ACI.txt that are
 easily solved by running makeaci.

 Umh, now the fun begins as I see :) There will probably need to be some
 rebase,
 it clashed with some other ACI patches in my tree (namely Hosts which I
 acked).

 Rebased on top of my patch 0607, please apply that first.

 Added a new patch, 0608, which adds missing write permissions.


 594: we miss permissions for Automount Locations. Permissions for 
 keysmaps
 look ok.

 Added in 0608.


 595: System: Modify Group Membership is probably waiting for the group
 objectclass fix - the filter is different. Otherwise it looks ok.

 Right; rebased.

 596-598: HBAC is ok

 599: hostgroup is OK

 600: there must have been some DS problem on my side as my regular user 
 could
 not see any netgroup

 The problem is a bit closer to home this time.
 Fixed in patch 0607.

 601: privileges - we miss CRUD ACIs

 Added in 0608.

 We also miss CRUD permissions on permissions, but since currently these need
 pretty much unlimited access to ACIs, it's better to keep them admin-only.

 602: roles were ok

 603: ok

 I got this far today, the rest will need to wait for the next week.

 604: ok, I was able to create a service, get a keytab

 605: Should we case the permissions as Sudo Command instead of Sudo
 command?

 Yes, fixed

 606: we also miss Modify Sudo Command permission so that people can modify
 description. Otherwise ok.

 Added in 0608.



 1) # ipa-server-install:
 ...
 Applying LDAP updates
 ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing
 required attribute objectclass
 ...

 There is a problem in this pending update:

 dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
 add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'

 You apparently also need to make this permission also a member of Modify 
 Group
 membership privilege.
 
 Fixed, thank you.
 
 2) We may not need System: Modify Automount Locations as there is just the 
 CN
 and we do not support renames in automountlocation API. I am not insisting.
 
 Removed.
 
 When these 2 issues are resolved, we can push.
 
 I've also added a patch that fixes a permission-find test which assumed there
 are many old permissions.

Are you sure you tested the patches?

1) This change in 595 looks suspicious:

 dn: $SUFFIX
-# Don't allow the default 'manage group membership' to be able to manage the
-# admins group
-replace:aci:'(targetattr = member)(target =
ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl
permission:Modify Group membership;allow (write) groupdn = ldap:///cn=Modify
Group membership,cn=permissions,cn=pbac,$SUFFIX;)::(targetfilter =
(!(cn=admins)))(targetattr = member)(target =
ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl
permission:Modify Group membership;allow (write) groupdn = ldap:///cn=Modify
Group membership,cn=permissions,cn=pbac,$SUFFIX;)'

It lefts the update file with
dn: $SUFFIX
dn: cn=ipa,cn=etc,$SUFFIX
add:aci:'(target = ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX;)(version
3.0; acl Add CA Certific
...

2) About patch 609.3 - this test still looks very fragile. It would break just
with adding one more permission to SUFFIX.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 647-651 [webui] Make utility section of navigation extensible

2014-06-24 Thread Petr Vobornik


On 23.6.2014 18:35, Endi Sukma Dewata wrote:

On 6/23/2014 8:15 AM, Petr Vobornik wrote:

1. I'm not sure if we really need a HashCreator. Ideally the router
should map a hash to a page. Links to another page can be hardcoded too
(and substitute the parameters).


The main purpose of a hash creator is to update hash when a facet state
changes. This change can be initiated from the facet itself, e.g. when
searching in a search facet. Removing the hash creator would make facets
dependent on navigation specifics.


I was thinking if the facet itself is changing the state, it will only
change the query part of the URL. The base facet URL itself is assigned
by the router. I think we used to put all UI states in the URL so that's
why we needed a hash creator.


My thinking was that the facet shouldn't be even aware of the hash or 
routing.





I would agree if it was related only to links. But even then it would be
better to have a method which would create the hash (for the one which
shares the same pattern) to reduce code reuse. In any case, it's
possible to hardcode hash parts in links if one needs to.


It's more about removing dependencies between pages. For example, to
link from one page to another we use something like this:

   navigation.show_entity(entity.name, facetname, [pkey]);

This means we're explicitly handling the link. And this also puts
additional restrictions such as the target page must be an entity page
which has one level sub page called 'facetname' that takes one primary
key. If the target page is not an entity page we'd have to use a
different method.

I think it would be cleaner if the link can be defined in a (future)
template like this:

   a href=#/{entity}/{facet}/{pkey}



How is this different? You still have to pass the entity, facet name and 
pkey. You just moved the logic form hash creator to the template. And I 
can bet that doing something more difficult there will be a pain.


Also it doesn't work for redirection initiated by other means then a 
link, e.g., when something gets deleted.


If one wants to create a link in a template he could use some link 
helper which would internally call the hash creator.



Note that the template is used to generate the links only. When the user
clicks the link we rely on the browser, or other routing libraries, to
handle it so less code to maintain and it puts the UI workflow in the
hands of UI designers.


Keeping facet and widget internals out of direct hash modification 
allows to embed the whole app or just some parts of it into other app. 
Or we can have two different or same facets displayed next to each 
other. Atm this is not an argument since we do not make it with this use 
case in mind. The same applies for code modifications by designers.





2. Ideally there should be no entity-specific navigation code. All
routing should be handled in a generic way. This probably depends on the
entity-facet separation that we discussed previously. So routes like
this:

   /e/:entity/:facet/:pkeys/*args

should be replaced by individual routes for each entity:

   /user/:facet/:pkeys/*args
   /group/:facet/:pkeys/*args


Yes, but IMHO the hash prefix is a detail. It would be more important if
it would be a REST API where it's a core aspect.


Right, a REST URL probably would look like:

   /ipa/ui/users/{facet}/{pkey}?{query}

And ideally if you open a REST URL in a browser you should get a UI. So
anything that brings the UI closer to this would be great.


4. The args/query in the navigation paths should be separated by a more
standard delimiter ? instead of //. For example:

   /ipa/ui/#/e/user/search//filter=test

should be replaced with:

   /ipa/ui/#/e/user/search?filter=test


note that // is a result of /:pkeys/, where :pkeys is '' Therefore a
simple replacement would lead to
 /ipa/ui/#/e/user/search/?filter=test

Please file a ticket, if you think it's important.


I was originally thinking this to be a way to mimic the REST URL, but
now I'm not sure if it would interfere with URL parsing because in this
case the ? will be part of the URL hash, not URL query, so maybe we
should just leave it for now.


Lets say that we would implement #2 and #4. Would we also want to keep
the old routes for backwards compatibility? (main purpose of hashes is
to make the page bookmarkable). IMHO people don't care about #2 and #4
much, but they care about broken bookmarks.


The hashes are probably more useful to make the browser's Back button
functional. Bookmarking is probably a secondary benefit, but are there
pages in the UI that people would likely to bookmark? An admin probably
would just bookmark the main URL, not a particular page in the UI.
Backward compatibility of routing is nice, but I don't think it's a hard
requirement.




--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] [WIP] ipatest/util: Use YAML-diff for reporting differences in assert_deepequal

2014-06-24 Thread Petr Viktorin


Hello,

With this patch applied and python-PyYAML installed, failed declarative 
tests will output a diff between the full expected/got structures, so 
you can see all the context and all the differences at once.
(I use YAML because it diffs very nicely, at least with the options used 
here.)


It's a hack/proof of concept, but I tried extra hard ensure it 
passes/fails in the same cases as the original assert_deepequal.


If you don't have python-PyYAML installed, the original assert_deepequal 
is used.


Feel free to use it if it helps.

--
Petr³
From ccaf260b7a5ad0608a3e953925d59080b96f75bc Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 20 Sep 2013 15:22:30 +0200
Subject: [PATCH] [WIP] ipatest/util: Use YAML-diff for reporting differences
 in assert_deepequal

Unlike the errors from the original assert_deepequal, this format shows
all context and all differences.
The old function is kept as assert_deepequal_original, and checked to
ensure they raise in exactly the same situations.

If the YAML library is not available, the original implementation is used.
---
 ipatests/test_util.py |   2 +-
 ipatests/util.py  | 167 +++---
 2 files changed, 161 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_util.py b/ipatests/test_util.py
index f87822a223f017f54f8b3bf5f6319b66e97482a7..9562513976c4a9104bdfdd9ae4146bd4056da844 100644
--- a/ipatests/test_util.py
+++ b/ipatests/test_util.py
@@ -130,7 +130,7 @@ def test_eq(self):
 
 
 def test_assert_deepequal():
-f = util.assert_deepequal
+f = util.assert_deepequal_original
 
 # Test with good scalar values:
 f(u'hello', u'hello')
diff --git a/ipatests/util.py b/ipatests/util.py
index 30fafdc76c3a139d954c6d7a5ad4c05360fe6de6..4436cab3a70d694edf31361a3d09a125b96f60f3 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -24,17 +24,29 @@
 import inspect
 import os
 from os import path
-import ldap
-import ldap.sasl
-import ldap.modlist
+import difflib
+from itertools import izip_longest
 import tempfile
 import shutil
 import re
+import pprint
+
+import ldap
+import ldap.sasl
+import ldap.modlist
+
 import ipalib
 from ipalib.plugable import Plugin
 from ipalib.request import context
 from ipapython.dn import DN
 
+try:
+import yaml
+except ImportError:
+have_yaml = False
+else:
+have_yaml = True
+
 
 class TempDir(object):
 def __init__(self):
@@ -275,7 +287,7 @@ def __ne__(self, other):
   path = %r
 
 
-def assert_deepequal(expected, got, doc='', stack=tuple()):
+def assert_deepequal_original(expected, got, doc='', stack=tuple()):
 
 Recursively check for type and equality.
 
@@ -290,7 +302,7 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
  got = [u'Hello', dict(world='how are you?')]
  expected == got
 True
- assert_deepequal(expected, got, doc='Testing my nested data')
+ assert_deepequal_original(expected, got, doc='Testing my nested data')
 Traceback (most recent call last):
   ...
 AssertionError: assert_deepequal: type(expected) is not type(got).
@@ -329,7 +341,7 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 s_expected = sorted(expected)
 for (i, e_sub) in enumerate(s_expected):
 g_sub = s_got[i]
-assert_deepequal(e_sub, g_sub, doc, stack + (i,))
+assert_deepequal_original(e_sub, g_sub, doc, stack + (i,))
 elif isinstance(expected, dict):
 missing = set(expected).difference(got)
 extra = set(got).difference(expected)
@@ -341,7 +353,7 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 for key in sorted(expected):
 e_sub = expected[key]
 g_sub = got[key]
-assert_deepequal(e_sub, g_sub, doc, stack + (key,))
+assert_deepequal_original(e_sub, g_sub, doc, stack + (key,))
 elif callable(expected):
 if not expected(got):
 raise AssertionError(
@@ -353,6 +365,147 @@ def assert_deepequal(expected, got, doc='', stack=tuple()):
 )
 
 
+def assert_deepequal_yaml(expected, got, doc='', stack=()):
+Recursively check for type and equality
+
+This works the same as assert_deepequal_original, except it produces
+more informative messages by showing a YAML diff.
+The equivalent behavior is checked in every call.
+
+old_expected, old_got = expected, got
+MISSING = object()
+
+def yaml_dump(structure):
+Dump structure in a particularly diff-friendly style of YAML
+
+Use pprint as a fallback if yaml.safe_dum fails (e.g. because it
+can't represent types that aren't pure data)
+
+try:
+return yaml.safe_dump(structure, default_flow_style=False)
+except Exception:
+return pprint.pformat(structure)
+
+def normalize(expected, got, stack):
+Recursively normalize ``expected`` and ``got`` for comparison  diff
+
+

Re: [Freeipa-devel] [PATCHES] 0594-0606 Convert default permissions to managed

2014-06-24 Thread Martin Kosek

On 06/24/2014 01:26 PM, Petr Viktorin wrote:
 On 06/24/2014 12:35 PM, Martin Kosek wrote:
 On 06/24/2014 12:27 PM, Petr Viktorin wrote:
 On 06/23/2014 05:51 PM, Martin Kosek wrote:
 On 06/23/2014 02:59 PM, Petr Viktorin wrote:
 On 06/23/2014 10:07 AM, Martin Kosek wrote:
 On 06/20/2014 11:17 PM, Martin Kosek wrote:
 On 06/20/2014 05:06 PM, Petr Viktorin wrote:
 All these should be independent, except for conflicts in ACI.txt that 
 are
 easily solved by running makeaci.

 Umh, now the fun begins as I see :) There will probably need to be some
 rebase,
 it clashed with some other ACI patches in my tree (namely Hosts which I
 acked).

 Rebased on top of my patch 0607, please apply that first.

 Added a new patch, 0608, which adds missing write permissions.


 594: we miss permissions for Automount Locations. Permissions for 
 keysmaps
 look ok.

 Added in 0608.


 595: System: Modify Group Membership is probably waiting for the group
 objectclass fix - the filter is different. Otherwise it looks ok.

 Right; rebased.

 596-598: HBAC is ok

 599: hostgroup is OK

 600: there must have been some DS problem on my side as my regular user
 could
 not see any netgroup

 The problem is a bit closer to home this time.
 Fixed in patch 0607.

 601: privileges - we miss CRUD ACIs

 Added in 0608.

 We also miss CRUD permissions on permissions, but since currently these 
 need
 pretty much unlimited access to ACIs, it's better to keep them admin-only.

 602: roles were ok

 603: ok

 I got this far today, the rest will need to wait for the next week.

 604: ok, I was able to create a service, get a keytab

 605: Should we case the permissions as Sudo Command instead of Sudo
 command?

 Yes, fixed

 606: we also miss Modify Sudo Command permission so that people can 
 modify
 description. Otherwise ok.

 Added in 0608.



 1) # ipa-server-install:
 ...
 Applying LDAP updates
 ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing
 required attribute objectclass
 ...

 There is a problem in this pending update:

 dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
 add:member: 'cn=Modify Group membership,cn=privileges,cn=pbac,$SUFFIX'

 You apparently also need to make this permission also a member of Modify
 Group
 membership privilege.

 Fixed, thank you.

 2) We may not need System: Modify Automount Locations as there is just
 the CN
 and we do not support renames in automountlocation API. I am not insisting.

 Removed.

 When these 2 issues are resolved, we can push.

 I've also added a patch that fixes a permission-find test which assumed 
 there
 are many old permissions.

 Are you sure you tested the patches?
 
 Yes.
 Not enough, I'm sure, but I did test them...
 
 1) This change in 595 looks suspicious:

   dn: $SUFFIX
 -# Don't allow the default 'manage group membership' to be able to manage the
 -# admins group
 -replace:aci:'(targetattr = member)(target =
 ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl
 permission:Modify Group membership;allow (write) groupdn = 
 ldap:///cn=Modify
 Group membership,cn=permissions,cn=pbac,$SUFFIX;)::(targetfilter =
 (!(cn=admins)))(targetattr = member)(target =
 ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX;)(version 3.0;acl
 permission:Modify Group membership;allow (write) groupdn = 
 ldap:///cn=Modify
 Group membership,cn=permissions,cn=pbac,$SUFFIX;)'

 It lefts the update file with
 dn: $SUFFIX
 dn: cn=ipa,cn=etc,$SUFFIX
 add:aci:'(target = 
 ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX;)(version
 3.0; acl Add CA Certific
 ...
 
 Right. (It's removed in one of the later patches, so I didn't catch it.)
 
 2) About patch 609.3 - this test still looks very fragile. It would break 
 just
 with adding one more permission to SUFFIX.
 
 It follows the general style of declarative tests, which depend on a freshly
 installed system.
 I think it's a good test to have around, at least until there's a better suite
 for permission-find on legacy permissions.

Ok, as you wish.

The patch set now looks good to me, tests are also good. ACK to all, I pushed
them all to master.

This pretty much concludes the ground work on permission/aci refactoring - good
job Petr! :-)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Alexander Bokovoy


On Tue, 03 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:

On 3.6.2014 05:08, Nathaniel McCallum wrote:
 This command calls the token sync HTTP POST call in the server providing
 the CLI interface to synchronization.

 https://fedorahosted.org/freeipa/ticket/4260

 This patch depends on my patch #0055.


Build fails on validation. You forgot to update API.txt and also the
command misses __doc__.

(not a proper review)

Failed for me:

[root@ipa-01 rpms]# ipa otptoken-show test.token
 Unique ID: test.token
 Description: test token
 Owner: abbra
 Vendor: FreeIPA
 Model: hotp
[root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token 
Password: 
First Code: 
Second Code: 
ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',

httplib.HTTPMessage instance at 0x2cdde60)
Traceback (most recent call last):
 File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
in execute
   result = self.Command[_name](*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
in __call__
   ret = self.run(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
in run
   return self.forward(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
line 427, in forward
   rsp = urllib.urlopen(sync_uri, query)
 File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
   return opener.open(url, data)
 File /usr/lib64/python2.7/urllib.py, line 210, in open
   return getattr(self, name)(url, data)
 File /usr/lib64/python2.7/urllib.py, line 454, in open_https
   data)
 File /usr/lib64/python2.7/urllib.py, line 374, in http_error
   result = method(url, fp, errcode, errmsg, headers, data)
 File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
   errcode, errmsg, headers)
 File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
   raise IOError, ('http error', errcode, errmsg, headers)
IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
0x2cdde60)
ipa: ERROR: an internal error has occurred

Note that I can successfully use the token. It looks like authentication
with urllib.urlopen(sync_uri, query) fails.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 0233] trusts: Add more read attributes

2014-06-24 Thread Tomas Babej

Hi,

this is a follow up patch for 232. Read access to additional attributes
is required for the trust objects.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

From 8a0849d4bf59b61715ba7b055e980cc38a9fcd6a Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 24 Jun 2014 13:58:28 +0200
Subject: [PATCH] trusts: Add more read attributes

---
 ACI.txt | 2 +-
 ipalib/plugins/trust.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 11af74a3d7155e92debe089dc15c7306ad120258..0398a52fcf2639f895f6bb7cd8bd91412affa6d3 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -111,7 +111,7 @@ aci: (targetattr = cmdcategory || cn || description || externalhost || external
 dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser)(target = ldap:///ou=sudoers,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Sudoers compat tree;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = cn || ipantflatname || ipantsecurityidentifier || ipanttrusteddomainsid || objectclass)(version 3.0;acl permission:System: Read Trust Information;allow (compare,read,search) userdn = ldap:///all;;)
+aci: (targetattr = cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass)(version 3.0;acl permission:System: Read Trust Information;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = member)(target = ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add User to default group;allow (write) groupdn = ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 987fb7476d62b7aba5ef304d01a6d5922235d5b1..25755d7a41e93b869f4d4afbf0ac094c42212451 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -326,7 +326,8 @@ class trust(LDAPObject):
 'ipapermdefaultattr': {
 'cn', 'objectclass',
 'ipantflatname', 'ipantsecurityidentifier',
-'ipanttrusteddomainsid',
+'ipanttrusteddomainsid', 'ipanttrustpartner',
+'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'
 },
 },
 }
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 632 webui: simplify self-service menu

2014-06-24 Thread Petr Vobornik


On 12.6.2014 14:53, Endi Sukma Dewata wrote:

On 6/11/2014 10:17 AM, Endi Sukma Dewata wrote:

On 6/11/2014 6:06 AM, Petr Vobornik wrote:

1. If I recall correctly, a new user is required to change the password
upon the initial login. This can be done with kinit, but can this be
done via UI too? Right now a new user will get a login error without
any
message or link to reset the password.


It works for me. There was a ticket
https://fedorahosted.org/freeipa/ticket/4339 which corresponds to the
description.

Or it could be related to:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=c41b782bc59cd0cb70cbd62d543f9c538109d410


(if you use an IPA version before the revert)


I just built the master yesterday. Let me see if I can reproduce it with
a newer build.


I'm still seeing the problem in the new build. Here are the steps to
reproduce:
1. Login as admin.
2. Add a new user with a password.
3. Logout.
4. Login as the new user.

It will say The password or username you entered is incorrect. There's
no message about expiration or link to change the password. So far the
only way to change the password is via kinit.



Found the culprit. It was caused by utc vs local time comparison.

Patch #676 should fix it.
--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] DNSSEC key wrapping: cryptographer needed

2014-06-24 Thread Simo Sorce

Tomas Mraz:
 On, 2014-06-23 at 14:57 +0200, Petr Spacek wrote:
  We need to wrap
  ===
  - asymmetric key (zone key)   with symmetric key  (master key)
  - symmetric key  (master key) with asymmetric key (replica key)
 
 Can you please provide more info what purpose these keys have? I
 understand that the zone key is the DNSSEC asymmetric key for the zone.
 But what about the master key and replica key? Why the master key is
 symmetric and the replica asymmetric?

What we want is the ability to store keys in LDAP so that multiple servers
can generate DNSSEC keys. This allows no single points of failure, and also
allows local servers to generate signatures for DNS names that may differ
from replica to replica in the future (think things like views).

In order to do that each DNS server need access to the Zone keys, but we do
not want to distribute the unencrypted in LDAP. We also do not want to have
to invent a parallel distribution method to send these keys to all the
replicas that need them. 

We do have a private/public key pair on each replica though so we can use
this fact to wrap a symmetric master key with all the public keys of the
replicas that need access to the zone keys, and encrypt the zone keys with
this master key.

The reason to use a symmetric in the middle is that is allows for a few things:
1. it is easy to re-encrypt it t replica creation time by one of the other
servers as soon as the replica is built and publishes its on key.
This solves the distribution problem to new replicas.

This same mechanism also allows to redistribute a new key if you need/want to
rotate it for whatever reason.

It also avoids the need to encrypt every zone private key multiple times with 
each
replica public key, which would cause a lot of churn.

HTH,
Simo.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 676 rpcserver: fix local vs utc time comparison

2014-06-24 Thread Petr Vobornik


login_password did not work properly in timezones other than +0h because
local time was compared with utc time.

Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339

We should review other code for invalid usage of datetime.now()
--
Petr Vobornik
From 0c60c536a7f91226fa0201568b2be99dba7b02c9 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 24 Jun 2014 15:54:41 +0200
Subject: [PATCH] rpcserver: fix local vs utc time comparison

login_password did not work properly in timezones other than +0h because
local time was compared with utc time.

Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339
---
 ipaserver/rpcserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 30b9746397636128c0edc3fb4d2ad7f7bdc22495..0838ad143c4c2ec9aa5fd7db3027b70ba6fa5a92 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -959,7 +959,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 ['krbpasswordexpiration'])
 if 'krbpasswordexpiration' in entry_attrs:
 expiration = entry_attrs['krbpasswordexpiration'][0]
-if expiration = datetime.datetime.now():
+if expiration = datetime.datetime.utcnow():
 reason = 'password-expired'
 
 except Exception:
-- 
1.9.0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] DNSSEC key wrapping: cryptographer needed

2014-06-24 Thread Simo Sorce

- Original Message -
 Hello list,
 
 I'm working on key wrapping mechanism described in thread LDAP schema for
 DNSSEC keys [0] and I'm really puzzled from the maze of crypto here. I would
 really appreciate any suggestions or comments on this.
 
 - I have difficulties to pick and use proper wrapping mechanisms and their
 configuration/usage patterns.
 
 - Rick van Rein from OpenDNSSEC-user list noted that we are defeating purpose
 of PKCS#11 by exporting raw keys from HSM. I can see his point and we should
 be able to do all crypto operations inside SoftHSM.
 
 I have asked him to describe his doubts on freeipa-devel list - stay tuned.
 
 
 We need to wrap
 ===
 - asymmetric key (zone key)   with symmetric key  (master key)
 - symmetric key  (master key) with asymmetric key (replica key)
 
 LDAP schema prescribes some storage formats but my question is about crypto
 algorithms (and padding!) used for key wrapping.

It is important to get these details right indeed, we must be able to change
crypto algorithms if needed in the future, so algorithm agility must be part
of the story.

 Asymmetric keys
 ===
 According to schema [1] wrapped asymmetric (i.e. private) key must be stored
 in 'ipaPrivateKey' attribute as DER-encoded EncryptedPrivateKeyInfo structure
 according to RFC 5958 [2].
 
 It seem that SoftHSM's C_WrapKey PKCS#11 call will give us encryptedData part
 of EncryptedPrivateKeyInfo structure so we only have to add algorithm
 identifier, DER-encode the whole thing, and we could be done.

Right.

 I'm not sure where should I stick IV or what happens if default (fixed) IV
 value is left in place...?

We cannot use a fixed IV unless the wrapping algorithm uses an obfuscator within
the data, otherwise you open yourself up for attacks. I expect the IV (if 
needed)
to be provided by the SoftHSM itself ? If not something sounds broken.

If the IV is fixed for some reason we culd provide the data with a secret 
confounder
in the first block, but then we would not respect the standard in the first 
place.

I will try to take a look at RFC 5958 once I am back at home tomorrow.

 Technically SoftHSM's C_WrapKey call produces PKCS#8 structure encrypted with
 AES according to RFC 3394 (no padding) or RFC 5649 (with padding).
 
 RFC 3394 works only on blocks of 64 bits, which is not our case because
 EncryptedPrivateKeyInfo has no padding. So we should use RFC 5649 to get
 proper padding etc.

We could also define how we generate padding ourselves if RFC 3394 is easier,
although of course using RFC 5649 wuld be preferable rather than massaging the 
data
ourselves.

 And here is the problem: SoftHSM can use RFC 5649 using OpenSSL functions but
 OpenSSL doesn't support RFC 5649! The patch with this functionality was
 submitted back in 2010 to OpenSSL bug tracker [3] but the ticket is in state
 new and there was no reply to the e-mail in the original thread [4].
 
 What do we do?
 - Convince OpenSSL to review and accept the patch?

If we are using a standard this is not as important, we can make our own
implementation and then work with the OpenSSL community to get a proper 
implementation
in. Does NSS implements it btw ?

 - Hack it around #0: Use something else as key wrapping method? Other
 wrapping
 methods would require SoftHSM modification because SoftHSM supports only AES
 mechanisms now.
 - Hack it around #1: Implement the RFC 5649 wrapping algorithm in a
 downstream
 patch in SoftHSM? Do we have enough expertise to implement it correctly?
 - Hack it around #2: Implement raw key extraction from SoftHSM and do key
 wrapping somehow somewhere? (Please nooo.)

No, let's use standards where they exist, it is ok to make our own 
implementation until
upstream libraries finally get a good one, but let's avoid completely custom 
stuff.


 Symmetric keys
 ==
 should be stored in 'ipaSecretKey' attribute but detailed storage format
 definition is missing from schema [1] right now.
 
 Unfortunately, SoftHSM doesn't support C_WrapKey PKCS#11 function with
 asymmetric key as *wrapping* key so we need to add this functionality.
 
 The first question is:
 What algorithm and padding scheme should we use?

We need algorithm agility here too, so I would use some generic envelope 
mechanism
defined for encrypting data with asymetric keys and use it. If it is a good 
mechanism
it will allow to use multiple algorithms and key sizes etc..

 Something like OpenSSL's RSA_PKCS1_OAEP_PADDING [6]? That would be relatively
 easy to implement to SoftHSM because it is already there, just not handled in
 C_WrapKey (so we need to add appropriate 'glue' there).

I would not use something that ties us to RSA keys, it is probably highly 
desirable to
use EC keys too as an alternative.

 Another question is storage format of the wrapped key.
 PKCS#11 2.40d2 [7] contains this comment about PKCS #1 RSA OAEP algorithm:
 For wrapping, the “input” to the encryption operation is the value of the

Re: [Freeipa-devel] DNSSEC key wrapping: cryptographer needed

2014-06-24 Thread Tomas Mraz

On Po, 2014-06-23 at 14:57 +0200, Petr Spacek wrote:
 Hello list,
 
 I'm working on key wrapping mechanism described in thread LDAP schema for 
 DNSSEC keys [0] and I'm really puzzled from the maze of crypto here. I would 
 really appreciate any suggestions or comments on this.

I am not sure I am able to respond to all of your questions and problems
you're trying to solve but let's try at least some.

 - I have difficulties to pick and use proper wrapping mechanisms and their 
 configuration/usage patterns.
 
 - Rick van Rein from OpenDNSSEC-user list noted that we are defeating purpose 
 of PKCS#11 by exporting raw keys from HSM. I can see his point and we should 
 be able to do all crypto operations inside SoftHSM.
 
 I have asked him to describe his doubts on freeipa-devel list - stay tuned.

It is really questionable what are you trying to achieve here. I would
definitely stay away from trying to replicate any back-up mechanisms
that eventual HSM (software or hardware one) should have. This is all
fairly non-trivial functionality and if any HSM implementation is
serious enough it should have backup facility of its own (which should
also allow duplicating such HSM if needed). Note that simply allowing to
export wrapped key with a key you provide to HSM during a normal
operation (not as a special privileged operation) is defeating the
purpose of HSM anyway as you can unwrap the protected key as you wish.

So the only wrapping key that can be used in normal operation should be
a key that is preset or pre-generated in the HSM by the HSM admin.

 
 We need to wrap
 ===
 - asymmetric key (zone key)   with symmetric key  (master key)
 - symmetric key  (master key) with asymmetric key (replica key)

Can you please provide more info what purpose these keys have? I
understand that the zone key is the DNSSEC asymmetric key for the zone.
But what about the master key and replica key? Why the master key is
symmetric and the replica asymmetric?

 LDAP schema prescribes some storage formats but my question is about crypto 
 algorithms (and padding!) used for key wrapping.
 
 
 Asymmetric keys
 ===
 According to schema [1] wrapped asymmetric (i.e. private) key must be stored 
 in 'ipaPrivateKey' attribute as DER-encoded EncryptedPrivateKeyInfo structure 
 according to RFC 5958 [2].
 
 It seem that SoftHSM's C_WrapKey PKCS#11 call will give us encryptedData part 
 of EncryptedPrivateKeyInfo structure so we only have to add algorithm 
 identifier, DER-encode the whole thing, and we could be done.
 
 I'm not sure where should I stick IV or what happens if default (fixed) IV 
 value is left in place...?

In general using fixed IV when encrypting multiple data (keys) with the
same key breaks the security of the wrapped data. So no, fixed IV must
not be used.

 
 Technically SoftHSM's C_WrapKey call produces PKCS#8 structure encrypted with 
 AES according to RFC 3394 (no padding) or RFC 5649 (with padding).
 
 RFC 3394 works only on blocks of 64 bits, which is not our case because 
 EncryptedPrivateKeyInfo has no padding. So we should use RFC 5649 to get 
 proper padding etc.
 
 And here is the problem: SoftHSM can use RFC 5649 using OpenSSL functions but 
 OpenSSL doesn't support RFC 5649! The patch with this functionality was 
 submitted back in 2010 to OpenSSL bug tracker [3] but the ticket is in state 
 new and there was no reply to the e-mail in the original thread [4].

I am sorry, but this does not make much sense to me. Iff the SoftHSM's
C_WrapKey is really safe wrapping method for backing up and/or
replicating HSM's it must provide wrapped key in such format that the IV
is pregenerated as part of the Wrap operation and stored in the final
blob of wrapped key. Unfortunately I do not know much of SoftHSM.

 What do we do?
 - Convince OpenSSL to review and accept the patch?

I would say the patch is not too useful as is - there are multiple
problems with it such as it is not using proper high level interfaces
for the AES encryption, etc.

 - Hack it around #0: Use something else as key wrapping method? Other 
 wrapping 
 methods would require SoftHSM modification because SoftHSM supports only AES 
 mechanisms now.
 - Hack it around #1: Implement the RFC 5649 wrapping algorithm in a 
 downstream 
 patch in SoftHSM? Do we have enough expertise to implement it correctly?
 - Hack it around #2: Implement raw key extraction from SoftHSM and do key 
 wrapping somehow somewhere? (Please nooo.)
 
 
 Symmetric keys
 ==
 should be stored in 'ipaSecretKey' attribute but detailed storage format 
 definition is missing from schema [1] right now.
 
 Unfortunately, SoftHSM doesn't support C_WrapKey PKCS#11 function with 
 asymmetric key as *wrapping* key so we need to add this functionality.
 
 The first question is:
 What algorithm and padding scheme should we use?
 
 Something like OpenSSL's RSA_PKCS1_OAEP_PADDING [6]? That would be relatively 
 easy to implement to SoftHSM because it is

Re: [Freeipa-devel] [PATCHES 0066-0067] Upgrade procedure for forwardzones

2014-06-24 Thread Martin Kosek

On 06/18/2014 01:46 PM, Martin Basti wrote:
 On Wed, 2014-06-18 at 13:44 +0200, Martin Basti wrote:
 On Fri, 2014-06-13 at 10:28 +0200, Martin Basti wrote:
 Patches attached, require patches mbasti 0052-0055.
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel
 Rebased patches attached.
 PEP8 fixes.

 Sorry, patches are here

66.2:

1) Is it OK to just change constants in the update plugins?

-PRE_UPDATE = 1
-POST_UPDATE = 2
+PRE_SCHEMA_UPDATE = 1
+PRE_UPDATE = 2
+POST_UPDATE = 3

When people refer to the types via names, it should be OK. It just seemed
unnecessary to me.

67.2:

1) update_check_forwardzones:

I think we should set update_to_forward_zones to False when the objectclass is
there and add a check at the beginning of the execute to simply bail out, if
update_to_forward_zones is present in the sysupgrade file.

This will prevent the objectclass check (which takes some time) to run again
and again.

2) I would use different backup name:

+backup_filename = u'master-zones-transform-backup.ldif'

Probably something based on time so that different installations' backup do not
step on each other. You can inspire yourself in other backup files we create:

# ll /var/lib/ipa/backup/
total 16
drwx--. 2 root root 4096 May 30 08:10 ipa-full-2014-05-30-08-10-13
drwx--. 2 root root 4096 May 30 08:11 ipa-full-2014-05-30-08-11-09
drwx--. 2 root root 4096 May 30 08:13 ipa-full-2014-05-30-08-13-21
-rw-r--r--. 1 root root 3441 Jun 24 16:25 master-zones-transform-backup.ldif


3) This exception does not provide much information, we should at least log the
error message itself:

+except Exception:
+self.log.error('Unable to create backup file')
+return (False, False, [])



4) The actual upgrade failed in my case, when I had set forward policy:

# ipa-ldap-upgrade --upgrade
...
Updating managed permissions for user
Updating non-object managed permissions
Zones with specified forwarders with policy different than none will be
transformed to forward zones.
Original zones will be saved in LDIF format in
/var/lib/ipa/backup/master-zones-transform-backup.ldif file
No changes to ACI
Zone forward1.test. was sucessfully transformed to forward zone
Transform to forwardzone terminated: creating forwardzone forward2.test. failed
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py,
line 265, in execute
api.Command['dnsforwardzone_add'](zone['idnsname'][0], **kw)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 433, in 
__call__
params = self.convert(**params)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 631, in 
convert
(k, self.params[k].convert(v)) for (k, v) in kw.iteritems()
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 631, in
genexpr
(k, self.params[k].convert(v)) for (k, v) in kw.iteritems()
  File /usr/lib/python2.7/site-packages/ipalib/parameters.py, line 797, in
convert
return self._convert_scalar(value)
  File /usr/lib/python2.7/site-packages/ipalib/parameters.py, line 806, in
_convert_scalar
error=ugettext(self.type_error),
ConversionError: invalid 'idnsforwardpolicy': Gettext('incorrect type',
domain='ipa', localedir=None)
...

Attaching my DNS zone setting.

Martin
dn: idnsname=forward1.test.,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=
 com
idnsAllowDynUpdate: FALSE
idnsUpdatePolicy: grant IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * A; grant IDM.
 LAB.ENG.BRQ.REDHAT.COM krb5-self * ; grant IDM.LAB.ENG.BRQ.REDHAT.COM k
 rb5-self * SSHFP;
idnsallowquery: any;
idnsallowtransfer: none;
idnsforwarders: 10.0.0.1
idnsname: forward1.test.
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: vm-236.idm.lab.eng.brq.redhat.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster.forward1.test.
idnssoaserial: 1403609417
idnszoneactive: TRUE
managedBy: cn=Manage DNS zone forward1.test.,cn=permissions,cn=pbac,dc=idm,d
 c=lab,dc=eng,dc=brq,dc=redhat,dc=com
nsrecord: vm-236.idm.lab.eng.brq.redhat.com.
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
objectClass: ipadnszone

dn: cn=Manage DNS zone forward1.test.,cn=permissions,cn=pbac,dc=idm,dc=lab,d
 c=eng,dc=brq,dc=redhat,dc=com
cn: Manage DNS zone forward1.test.
ipaPermissionType: SYSTEM
objectClass: ipapermission
objectClass: top
objectClass: groupofnames

dn: idnsname=foo,idnsname=forward1.test.,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,
 dc=redhat,dc=com
arecord: 10.0.0.1
idnsname: foo
objectClass: top
objectClass: idnsrecord

dn: idnsname=forward2.test.,cn=dns,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=
 com
idnsAllowDynUpdate: FALSE
idnsUpdatePolicy: grant IDM.LAB.ENG.BRQ.REDHAT.COM krb5-self * A; grant IDM.
 LAB.ENG.BRQ.REDHAT.COM krb5-self * ; grant IDM.LAB.ENG.BRQ.REDHAT.COM k
 rb5-self * SSHFP;
idnsallowquery: any;
idnsallowtransfer: none;

Re: [Freeipa-devel] [PATCH] 670-675 webui: dns forward zones

2014-06-24 Thread Petr Vobornik


On 24.6.2014 13:02, Petr Vobornik wrote:

ticket: https://fedorahosted.org/freeipa/ticket/4357

- patch 673 is compressed
- CI patches functionally depends on #667, #668

== PATCH] 670 webui: add confirmation for dns zone permission actions ==
All header actions should require confirmation.

== [PATCH] 671 webui: dns forward zones ==
Add DNS Forward Zones Web UI.

- pages under: Identity/DNS/DNS Forward Zones

== [PATCH] 672 webui-ci: dns forward zone tests ==
Selenium CI sanity tests for DNS Forward Zones

== [PATCH] 673 webui-test: static metadata update ==
Regular update of static metadata for testing and presentation purposes.
It should also contain new DNS Forward Zones metadata.

== [PATCH] 674 webui-test: dns forward zone json data ==
Fake API results for testing and presentation purposes of DNS Forward
Zones.

== [PATCH] 675 webui: fix detection of RPC command ==
old detection did not work with the static version used for test and
demonstration purposes.



Attaching an updated version of #675 with a fix for unit tests. Btw I'm 
not very satisfied with patch #675's approach. I'm open to suggestions 
for better approaches.

--
Petr Vobornik
From d39c27e9aeb85bdae0f10a3bf16a5d8aca42b4ff Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Wed, 18 Jun 2014 18:59:44 +0200
Subject: [PATCH] webui: fix detection of RPC command

old detection did not work with the static version used for test and
demonstration purposes.

https://fedorahosted.org/freeipa/ticket/4357
---
 install/ui/src/freeipa/field.js |  4 ++--
 install/ui/test/aci_tests.js| 16 
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index 1ae3ddf3ee98493426a1776f8a315206c5a0f8f6..0bc8c6f5eb633463ca829b0e46a0fbc0ffacefd7 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -775,8 +775,8 @@ field.Adapter = declare(null, {
 get_record: function(data) {
 
 // detection if it's result or raw RPC command response
-// all raw responses should contain `version` and `principal`
-if (!data.version || !data.principal) {
+// each RPC response should define properties as follows
+if (data.id === undefined || data.result === undefined || data.error === undefined) {
 return data;
 }
 
diff --git a/install/ui/test/aci_tests.js b/install/ui/test/aci_tests.js
index e82dd86df1f61ad98413492d687d14d4c73a9e79..1cfc2fb4fa059b464928a2c5cc25972e1d19c907 100644
--- a/install/ui/test/aci_tests.js
+++ b/install/ui/test/aci_tests.js
@@ -229,10 +229,10 @@ var get_visible_rows = function(section) {
 
 
 test(Testing type target., function() {
-var data = {};
-data.result = {};
-data.result.result = {
-type: 'hostgroup'
+var data = {
+id: null,
+error: null,
+result: { result: { type: 'hostgroup'} }
 };
 
 target_facet.load(data);
@@ -266,10 +266,10 @@ test(Testing type target., function() {
 
 test(Testing general target., function() {
 
-var data = {};
-data.result = {};
-data.result.result = {
-extratargetfilter: 'somevalue'
+var data = {
+id: null,
+error: null,
+result: { result: { extratargetfilter: 'hostgroup'} }
 };
 
 target_facet.load(data);
-- 
1.9.0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 0269] Silence GCC warning about uninitialized ldap_writeback

2014-06-24 Thread Petr Spacek


Hello,

Silence GCC warning about uninitialized ldap_writeback.

It seems like false positive, I can't imagine how ldap_writeback could be used 
without prior initialization.


--
Petr^2 Spacek
From eb253b58d6214b3f94d22c3ec2dcf62d0103ad46 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 23 Jun 2014 17:02:08 +0200
Subject: [PATCH] Silence GCC warning about uninitialized ldap_writeback.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/ldap_helper.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 43bacf779f44a709b0cefd638826633b9d2d8891..a7a782fdfc5ae4d28b50155c9614d66a427dc3e0 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2130,7 +2130,11 @@ zone_sync_apex(const ldap_instance_t * const inst,
 	isc_boolean_t soa_tuple_alloc = ISC_FALSE;
 	isc_uint32_t curr_serial;
 
+	REQUIRE(ldap_writeback != NULL);
+
 	INIT_LIST(rdatalist);
+	*ldap_writeback = ISC_FALSE; /* GCC */
+
 	CHECK(setting_get_str(fake_mname, inst-local_settings,
 			  fake_mname));
 	CHECK(ldap_parse_rrentry(inst-mctx, entry, name, fake_mname,
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCHES 0066-0067] Upgrade procedure for forwardzones

2014-06-24 Thread Martin Basti

On Tue, 2014-06-24 at 16:36 +0200, Martin Kosek wrote:
 On 06/18/2014 01:46 PM, Martin Basti wrote:
  On Wed, 2014-06-18 at 13:44 +0200, Martin Basti wrote:
  On Fri, 2014-06-13 at 10:28 +0200, Martin Basti wrote:
  Patches attached, require patches mbasti 0052-0055.
  ___
  Freeipa-devel mailing list
  Freeipa-devel@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-devel
  Rebased patches attached.
  PEP8 fixes.
 
  Sorry, patches are here
 
 66.2:
 
 1) Is it OK to just change constants in the update plugins?
 
 -PRE_UPDATE = 1
 -POST_UPDATE = 2
 +PRE_SCHEMA_UPDATE = 1
 +PRE_UPDATE = 2
 +POST_UPDATE = 3
 
 When people refer to the types via names, it should be OK. It just seemed
 unnecessary to me.
 
I checked where the constants are used, and it shouldn't broke anything.
It looks weird to me to have something which happens first with last
number.
Should I set PRE_SCHEMA_UPDATE = 3 and leave other unchanged then?

 67.2:
 
 1) update_check_forwardzones:
 
 I think we should set update_to_forward_zones to False when the objectclass is
 there and add a check at the beginning of the execute to simply bail out, if
 update_to_forward_zones is present in the sysupgrade file.
 
 This will prevent the objectclass check (which takes some time) to run again
 and again.
Good point thanks.

 2) I would use different backup name:
 
 +backup_filename = u'master-zones-transform-backup.ldif'
 
 Probably something based on time so that different installations' backup do 
 not
 step on each other. You can inspire yourself in other backup files we create:
 
 # ll /var/lib/ipa/backup/
 total 16
 drwx--. 2 root root 4096 May 30 08:10 ipa-full-2014-05-30-08-10-13
 drwx--. 2 root root 4096 May 30 08:11 ipa-full-2014-05-30-08-11-09
 drwx--. 2 root root 4096 May 30 08:13 ipa-full-2014-05-30-08-13-21
 -rw-r--r--. 1 root root 3441 Jun 24 16:25 master-zones-transform-backup.ldif
Is this better: forward-zones-transform-%datetime%.ldif ?

 
 3) This exception does not provide much information, we should at least log 
 the
 error message itself:
 
 +except Exception:
 +self.log.error('Unable to create backup file')
 +return (False, False, [])
Sorry my bad, I missed that

 
 4) The actual upgrade failed in my case, when I had set forward policy:
 
 # ipa-ldap-upgrade --upgrade
 ...
 Updating managed permissions for user
 Updating non-object managed permissions
 Zones with specified forwarders with policy different than none will be
 transformed to forward zones.
 Original zones will be saved in LDIF format in
 /var/lib/ipa/backup/master-zones-transform-backup.ldif file
 No changes to ACI
 Zone forward1.test. was sucessfully transformed to forward zone
 Transform to forwardzone terminated: creating forwardzone forward2.test. 
 failed
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py,
 line 265, in execute
 api.Command['dnsforwardzone_add'](zone['idnsname'][0], **kw)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 433, in 
 __call__
 params = self.convert(**params)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 631, in 
 convert
 (k, self.params[k].convert(v)) for (k, v) in kw.iteritems()
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 631, in
 genexpr
 (k, self.params[k].convert(v)) for (k, v) in kw.iteritems()
   File /usr/lib/python2.7/site-packages/ipalib/parameters.py, line 797, in
 convert
 return self._convert_scalar(value)
   File /usr/lib/python2.7/site-packages/ipalib/parameters.py, line 806, in
 _convert_scalar
 error=ugettext(self.type_error),
 ConversionError: invalid 'idnsforwardpolicy': Gettext('incorrect type',
 domain='ipa', localedir=None)
 ...
 
 Attaching my DNS zone setting.
I will inspect it.
 
 Martin
Thank you for review

-- 
Martin^2 Basti

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 0270-0271] Add TLSA and DLV RR types to LDAP schema

2014-06-24 Thread Petr Spacek


Hello,

Add TLSA and DLV RR types to LDAP schema.

Those RR types will be handy for DNSSEC users.

--
Petr^2 Spacek
From eae0035df2a510512844f602acc70c096fcde2b4 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 23 Jun 2014 17:20:46 +0200
Subject: [PATCH] Add DLV RR type to LDAP schema.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 doc/schema | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/schema b/doc/schema
index 9651fe154d01d39ed5874fb45792b4fab8c67340..2325ee3e50636fd6a491eeb5d851acb1e6bdb98d 100644
--- a/doc/schema
+++ b/doc/schema
@@ -160,6 +160,13 @@ attributetype ( 1.3.6.1.4.1.2428.20.1.51
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 	SINGLE-VALUE )
 
+attributetype ( 1.3.6.1.4.1.2428.20.1.32769
+   NAME 'DLVRecord'
+   DESC 'RFC 4431: DNSSEC Lookaside Validation'
+   EQUALITY caseIgnoreIA5Match
+   SUBSTR caseIgnoreIA5SubstringsMatch
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
 attributetype ( 2.16.840.1.113730.3.8.5.0
 	NAME 'idnsName'
 	DESC 'DNS FQDN'
@@ -295,7 +302,7 @@ objectclass ( 2.16.840.1.113730.3.8.6.0
 		SRVRecord $ TXTRecord $ MXRecord $ MDRecord $ HINFORecord $
 		MINFORecord $ AFSDBRecord $ LOCRecord $
 		NXTRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ DNAMERecord $
-		DSRecord $ SSHFPRecord
+		DSRecord $ SSHFPRecord $ DLVRecord
 	) )
 
 objectclass ( 2.16.840.1.113730.3.8.6.1
-- 
1.9.3

From 174190a582825478a555c722e9e0314770b895a5 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 24 Jun 2014 16:41:12 +0200
Subject: [PATCH] Add TLSA RR type to LDAP schema.

https://fedorahosted.org/bind-dyndb-ldap/ticket/94

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 doc/schema | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/doc/schema b/doc/schema
index 2325ee3e50636fd6a491eeb5d851acb1e6bdb98d..73e8ee9d5fafd89b136b3f3cf248bfd23c91179c 100644
--- a/doc/schema
+++ b/doc/schema
@@ -160,6 +160,12 @@ attributetype ( 1.3.6.1.4.1.2428.20.1.51
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 	SINGLE-VALUE )
 
+attributetype ( 1.3.6.1.4.1.2428.20.1.52 NAME 'TLSARecord'
+DESC 'DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
 attributetype ( 1.3.6.1.4.1.2428.20.1.32769
NAME 'DLVRecord'
DESC 'RFC 4431: DNSSEC Lookaside Validation'
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 0273-0274] Bump NVR to 5.0Update README and NEWS: DNSSEC and changes in forwarding semantics

2014-06-24 Thread Petr Spacek


Hello,

it's release time!

Bump NVR to 5.0 and update README and NEWS to describe DNSSEC support and 
changes in forwarding semantics.


--
Petr^2 Spacek
From d093af67072e44ce65be04c7267c4dbaa6cadf08 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 24 Jun 2014 16:14:28 +0200
Subject: [PATCH] Update README and NEWS: DNSSEC and changes in forwarding
 semantics.

https://fedorahosted.org/bind-dyndb-ldap/ticket/56
https://fedorahosted.org/bind-dyndb-ldap/ticket/99

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS   |  14 
 README | 121 ++---
 2 files changed, 122 insertions(+), 13 deletions(-)

diff --git a/NEWS b/NEWS
index edfe8d71298843d1e9380a49baa49d86a52a8481..970ab7781d4775a499bded3c0299a759f4630f74 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,17 @@
+5.0
+
+[1] Support for DNSSEC in-line signing was added. Now any LDAP zone can be
+signed with keys provided by user.
+
+[2] DNSKEY, RRSIG, NSEC and NSEC3 records are automatically managed
+by BIND+bind-dyndb-ldap. Respective attributes in LDAP are ignored.
+
+[3] Forwarder semantic was changed to match BIND's semantic:
+- idnsZone object always represent master zone
+- idnsForwardZone object (new) always represent forward zone
+
+[4] Master root zone can be stored in LDAP.
+
 4.4
 
 [1] Error handling for zone loading was fixed.
diff --git a/README b/README
index b2c3653ef3ae653e4454ec43e341a220a4968e8f..4e3082b3b6fd6d7f8abcdb9f4c0803569eb0f896 100644
--- a/README
+++ b/README
@@ -10,16 +10,17 @@ for your version here:
 
 Hopefully, the patch will once be included in the official BIND release.
 
-Because of bug in dns_db_unregister() in older BIND versions, BIND = 9.7.0a1
-is required.
+BIND = 9.9.0 is required.
 
 2. Features
 ===
+
 * support for dynamic updates
 * SASL authentication
 * SyncRepl (RFC 4533) for run-time synchronization with LDAP server
 * read-query performance nearly same as with plain BIND
 * AXFR and IXFR zone transfers are supported
+* DNSSEC in-line signing is supported, including dynamic updates
 
 
 3. Installation
@@ -51,9 +52,11 @@ This will install the file ldap.so into the libdir/bind/ directory.
 You can find the complete LDAP schema in the documentation directory. An
 example zone ldif is available in the doc directory.
 
-4.1 Zone (idnsZone) attributes
---
+4.1 Master zone (idnsZone)
+--
+Object class idnsZone is equivalent to type master statement in named.conf.
 
+Attributes:
 * idnsAllowDynUpdate
 	Allow dynamic update of records in this zone. If attribute doesn't exist,
 	value dyn_update from plugin configuration will be used.
@@ -94,24 +97,46 @@ example zone ldif is available in the doc directory.
 	i.e. effectively disables forwarding and ignores idnsForwarders
 	attribute.
 
-	Value none disables forwarding for given zone and ignores
-	global forwarders. Zone with forward policy none is considered
-	as type master, not forward.
 	Values first and only are relevant in conjunction with a valid
 	idnsForwarders attribute. Their meaning is same as in BIND9.
 
 * idnsForwarders
-	Defines multiple IP addresses to which queries will be forwarded and
-	effectively creates forward zones.
+	Defines multiple IP addresses to which recursive queries will be
+	forwarded. This is equivalent to forwarders statement in master
+	zone configuration.
+
+	I.e. local BIND replies authoritatively to queries when possible
+	(including authoritative NXDOMAIN answers) so forwarding affects only
+	queries made by BIND to answer recursive queries which cannot be
+	answered locally. Please see
+	https://lists.isc.org/pipermail/bind-users/2006-January/060810.html
+	https://lists.isc.org/pipermail/bind-users/2011-March/083244.html
+
 	It is multi-value attribute: Each IP address (and optional port) has to
 	be in own value. BIND9 syntax for forwarders is required.
 	Optional port can be specified by adding  port number after IP 
 	address. IPv4 and IPv6 addresses are supported.
 	Examples: 1.2.3.4 or 1.2.3.4 port 553 or A::B or A::B port 553
 
-	Zones with idnsForwarders attribute specified and forward policy other
-	than none are considered as forward zones. All records in LDAP
-	belonging to those zones are ignored and all queries are forwarded.
+* idnsName
+	Absolute name of DNS zone. It is recommended to use names with trailing
+	period, e.g. example.com.
+
+* idnsSecInlineSigning (default FALSE)
+	DNSSEC in-line signing configuration. Value TRUE is equivalent to
+	following zone configuration in named.conf (default BIND values):
+
+	auto-dnssec maintain;
+	sig-validity-interval 2592000; # 30 days
+	# re-sign interval will be 648000 seconds = 7.5 days
+	sig-signing-signatures 10;
+	sig-signing-nodes 10;
+	sig-signing-type 65534;
+	update-check-ksk yes;
+	dnssec-loadkeys-interval 60;   # minutes
+	key-directory plugin-instance-dir/zone-name/keys;
+
+	There is no way

Re: [Freeipa-devel] [PATCH 0267-0268] Preparation for 4.4 release

2014-06-24 Thread Petr Spacek


On 23.6.2014 17:12, Petr Spacek wrote:

Hello,

Bump NVR to 4.4.

Update NEWS for upcoming 4.4 release.


Pushed to master:
2cd574e90a9fdebdbeaab45ef335e7d63e85dfd7
3a705963ed575f01b792a7e89d825cf56ce99734

At this point v4 branches from master.

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 677 webui: support unlock user command

2014-06-24 Thread Petr Vobornik


Call user-unlock command from Web UI.

It will unlock displayed user on current master.

related to:
https://fedorahosted.org/freeipa/ticket/2792
--
Petr Vobornik
From 1d39ac323d3c5975a6725bac50c81f655606f9b2 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Tue, 24 Jun 2014 12:24:23 +0200
Subject: [PATCH] webui: support unlock user command

Call user-unlock command from Web UI.

It will unlock displayed user on current master.

related to:
https://fedorahosted.org/freeipa/ticket/2792
---
 install/ui/src/freeipa/user.js | 10 +-
 install/ui/test/data/ipa_init.json |  4 +++-
 ipalib/plugins/internal.py |  2 ++
 ipatests/test_webui/test_user.py   |  2 ++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 3685b116aad6708f88a437a4abebc68ff9df4474..50eaca17f6536061718bde9ca26e1c76c6e38e56 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -268,12 +268,20 @@ return {
 'delete',
 'reset_password',
 {
+$factory: IPA.object_action,
+name: 'unlock',
+method: 'unlock',
+label: '@i18n:objects.user.unlock',
+needs_confirm: true,
+confirm_msg: '@i18n:objects.user.unlock_confirm'
+},
+{
 $type: 'automember_rebuild',
 name: 'automember_rebuild',
 label: '@i18n:actions.automember_rebuild'
 }
 ],
-header_actions: ['reset_password', 'enable', 'disable', 'delete', 'automember_rebuild'],
+header_actions: ['reset_password', 'enable', 'disable', 'delete', 'unlock', 'automember_rebuild'],
 state: {
 evaluators: [
 {
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index c678d0315c3e92a54dc63f2bd4aef1c90ce68185..79aff6ded21bf43f1089ad4ee1f58b051c64d54a 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -499,7 +499,9 @@
 mailing: Mailing Address,
 misc: Misc. Information,
 status_confirmation: Are you sure you want to ${action} the user?br/The change will take effect immediately.,
-status_link: Click to ${action}
+status_link: Click to ${action},
+unlock: Unlock,
+unlock_confirm: Are you sure you want to unlock user ${object}?
 }
 },
 password: {
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 57782c207a27e9b2c8ba83a54eb3cd4b20719f9e..6c322da51754a9c0f8bb6e4510a81ef7fa328f4c 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -645,6 +645,8 @@ class i18n_messages(Command):
 misc: _(Misc. Information),
 status_confirmation: _(Are you sure you want to ${action} the user?br/The change will take effect immediately.),
 status_link: _(Click to ${action}),
+unlock: _(Unlock),
+unlock_confirm: _(Are you sure you want to unlock user ${object}?),
 },
 },
 password: {
diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py
index 766fdafb4ee700fc2a4131dbf92d694be8d17188..d6d7ced8d52d5509a837874a0bec50bdc39f0fab 100644
--- a/ipatests/test_webui/test_user.py
+++ b/ipatests/test_webui/test_user.py
@@ -156,6 +156,8 @@ class test_user(UI_driver):
 self.reset_password_action(pwd)
 self.assert_text_field('has_password', '**')
 
+self.action_list_action('unlock')
+
 # delete
 self.delete_action(user.ENTITY, user.PKEY)
 
-- 
1.9.0

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0269] Silence GCC warning about uninitialized ldap_writeback

2014-06-24 Thread Lukas Slebodnik

On (24/06/14 16:46), Petr Spacek wrote:
Hello,

Silence GCC warning about uninitialized ldap_writeback.

It seems like false positive, I can't imagine how ldap_writeback could be
used without prior initialization.

-- 
Petr^2 Spacek

From eb253b58d6214b3f94d22c3ec2dcf62d0103ad46 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Mon, 23 Jun 2014 17:02:08 +0200
Subject: [PATCH] Silence GCC warning about uninitialized ldap_writeback.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/ldap_helper.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 
43bacf779f44a709b0cefd638826633b9d2d8891..a7a782fdfc5ae4d28b50155c9614d66a427dc3e0
 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2130,7 +2130,11 @@ zone_sync_apex(const ldap_instance_t * const inst,
   isc_boolean_t soa_tuple_alloc = ISC_FALSE;
   isc_uint32_t curr_serial;
 
+  REQUIRE(ldap_writeback != NULL);
+
   INIT_LIST(rdatalist);
+  *ldap_writeback = ISC_FALSE; /* GCC */
+
   CHECK(setting_get_str(fake_mname, inst-local_settings,
 fake_mname));
   CHECK(ldap_parse_rrentry(inst-mctx, entry, name, fake_mname,
-- 
1.9.3

ACK

LS

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum

On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
 On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
  On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
  On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
   On 3.6.2014 05:08, Nathaniel McCallum wrote:
This command calls the token sync HTTP POST call in the server 
providing
the CLI interface to synchronization.
   
https://fedorahosted.org/freeipa/ticket/4260
   
This patch depends on my patch #0055.
   
  
   Build fails on validation. You forgot to update API.txt and also the
   command misses __doc__.
  
   (not a proper review)
  Failed for me:
 
  [root@ipa-01 rpms]# ipa otptoken-show test.token
Unique ID: test.token
Description: test token
Owner: abbra
Vendor: FreeIPA
Model: hotp
  [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
  Password:
  First Code:
  Second Code:
  ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
  httplib.HTTPMessage instance at 0x2cdde60)
  Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
  in execute
  result = self.Command[_name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
  in __call__
  ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
  in run
  return self.forward(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
  line 427, in forward
  rsp = urllib.urlopen(sync_uri, query)
File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
  return opener.open(url, data)
File /usr/lib64/python2.7/urllib.py, line 210, in open
  return getattr(self, name)(url, data)
File /usr/lib64/python2.7/urllib.py, line 454, in open_https
  data)
File /usr/lib64/python2.7/urllib.py, line 374, in http_error
  result = method(url, fp, errcode, errmsg, headers, data)
File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
  errcode, errmsg, headers)
File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
  raise IOError, ('http error', errcode, errmsg, headers)
  IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance 
  at 0x2cdde60)
  ipa: ERROR: an internal error has occurred
 
  Note that I can successfully use the token. It looks like authentication
  with urllib.urlopen(sync_uri, query) fails.
 
 Works for me (just tested). I suspect you have not updated the ipa httpd
 config. Did you apply patches 0054, 0055 and 0056?
 Yes, I did apply those patches and I installed packages as an upgrade.
 How I supposed to update httpd config? I think we need to solve this
 without re-install and it should be done automatically.

Oh. I thought it *was* done automatically...

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] User Life Cycle: scoping of referential integrity, memberof, IPA UUID plugins

2014-06-24 Thread thierry bordaz


Hello,

   User life cycle assigns a status to user entries depending where
   they are in the DIT.
   'Active' user will be under 'cn=accounts,SUFFIX' while 'Stage' and
   'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.

   Only 'Active' users have valid membership attributes: A Stage/Delete
   user does not belong to any 'Active' group.
   membership is managed by DS plugins, and particularly RI and memberof.
   To automatically update membership attributes RI and memberof
   implement a scoping, that update/add/remove membership attributes if
   the group/user are Active.

   The scoping is a single valued attribute.

   It create failures in IPA tests if I restrict RI/memberof to
   'cn=accounts,SUFFIX'. For example adding a host (under
   'cn=accounts,SUFFIX) adds it to a network group that is under
   'cn=alt,SUFFIX'.
   A solution would be that the attribute that scopes the plugin is
   multivalued. But then it would require a long list of values:

   cn=pbac,SUFFIX
   cn=hbac,SUFFX
   cn=alt,SUFFIX
   cn=accounts, SUFFIX
   ...


   An other solution would be to exclude some parts of the DIT, here
   limited to 'cn=provisionning,SUFFIX'. (prefered solution).


   This is a similar issue with IPA UUID plugin that generates
   ipaUniqueID for entries under 'cn=accounts' but also 'cn=alt' or
   'cn=hbac'.

   regards
   thierry

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Alexander Bokovoy


On Tue, 24 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:

On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
 On 3.6.2014 05:08, Nathaniel McCallum wrote:
  This command calls the token sync HTTP POST call in the server providing
  the CLI interface to synchronization.
 
  https://fedorahosted.org/freeipa/ticket/4260
 
  This patch depends on my patch #0055.
 

 Build fails on validation. You forgot to update API.txt and also the
 command misses __doc__.

 (not a proper review)
Failed for me:

[root@ipa-01 rpms]# ipa otptoken-show test.token
  Unique ID: test.token
  Description: test token
  Owner: abbra
  Vendor: FreeIPA
  Model: hotp
[root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
Password:
First Code:
Second Code:
ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
httplib.HTTPMessage instance at 0x2cdde60)
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
in execute
result = self.Command[_name](*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
in __call__
ret = self.run(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
in run
return self.forward(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
line 427, in forward
rsp = urllib.urlopen(sync_uri, query)
  File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
return opener.open(url, data)
  File /usr/lib64/python2.7/urllib.py, line 210, in open
return getattr(self, name)(url, data)
  File /usr/lib64/python2.7/urllib.py, line 454, in open_https
data)
  File /usr/lib64/python2.7/urllib.py, line 374, in http_error
result = method(url, fp, errcode, errmsg, headers, data)
  File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
errcode, errmsg, headers)
  File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
raise IOError, ('http error', errcode, errmsg, headers)
IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
0x2cdde60)
ipa: ERROR: an internal error has occurred

Note that I can successfully use the token. It looks like authentication
with urllib.urlopen(sync_uri, query) fails.


Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?

Yes, I did apply those patches and I installed packages as an upgrade.
How I supposed to update httpd config? I think we need to solve this
without re-install and it should be done automatically.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum

On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:
 
 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token 
 Password: 
 First Code: 
 Second Code: 
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
 0x2cdde60)
 ipa: ERROR: an internal error has occurred
 
 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?

Nathaniel


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Alexander Bokovoy


On Tue, 24 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:

 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
 Password:
 First Code:
 Second Code:
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
0x2cdde60)
 ipa: ERROR: an internal error has occurred

 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?
Yes, I did apply those patches and I installed packages as an upgrade.
How I supposed to update httpd config? I think we need to solve this
without re-install and it should be done automatically.


Oh. I thought it *was* done automatically...

No. You only modified the template which is used for an install from
scratch.
--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Design Review Keytab Retrieval

2014-06-24 Thread Simo Sorce

- Original Message -
 On Fri, 2014-06-20 at 16:05 -0400, Simo Sorce wrote:
  On Fri, 2014-06-20 at 14:47 -0400, Nathaniel McCallum wrote:
   This change would have very small impact on your patch set, but would
   be
   much clearer for the future consumers of this protocol. Code can be
   changed; protocols can't.
  
  Ok this new patchset implements the requested change.
  Initial testing seem to indicate it all works as expected.
 
 0001: Line 555 has very wrong indentation.

Attached a new patch 0001 hat fixes this.

Simo.From 214d1e167f9c9ea687f219ef74162e557ae496b0 Mon Sep 17 00:00:00 2001
From: Simo Sorce s...@redhat.com
Date: Tue, 17 Sep 2013 00:25:14 -0400
Subject: [PATCH 1/6] keytabs: Modularize setkeytab operation

In preparation of adding another function to avoid code duplication.

Related:
https://fedorahosted.org/freeipa/ticket/3859
---
 .../ipa-pwd-extop/ipa_pwd_extop.c  | 1112 +++-
 1 file changed, 623 insertions(+), 489 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index d8af3915300384933e621ffe8adea8904588985d..2648a53703fc6766bd2e29b830ea034fb519beff 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -93,8 +93,8 @@ void *ipapwd_get_plugin_id(void)
 return ipapwd_plugin_id;
 }
 
-static int filter_keys(struct ipapwd_krbcfg *krbcfg,
-   struct ipapwd_keyset *kset)
+static void filter_keys(struct ipapwd_krbcfg *krbcfg,
+struct ipapwd_keyset *kset)
 {
 int i, j;
 
@@ -123,8 +123,6 @@ static int filter_keys(struct ipapwd_krbcfg *krbcfg,
 i--;
 }
 }
-
-return 0;
 }
 
 static int ipapwd_to_ldap_pwpolicy_error(int ipapwderr)
@@ -562,49 +560,570 @@ free_and_return:
 
 }
 
+static char *check_service_name(krb5_context krbctx, char *svc)
+{
+krb5_principal krbname = NULL;
+krb5_error_code krberr;
+char *name = NULL;
+
+krberr = krb5_parse_name(krbctx, svc, krbname);
+if (krberr) {
+LOG_FATAL(krb5_parse_name failed\n);
+} else {
+/* invert so that we get the canonical form (add REALM if not present
+ * for example) */
+krberr = krb5_unparse_name(krbctx, krbname, name);
+if (krberr) {
+LOG_FATAL(krb5_unparse_name failed\n);
+}
+}
+
+krb5_free_principal(krbctx, krbname);
+return name;
+}
+
+static Slapi_Backend *get_realm_backend(void)
+{
+Slapi_Backend *be;
+Slapi_DN *sdn;
+
+sdn = slapi_sdn_new_dn_byval(ipa_realm_dn);
+if (!sdn) return NULL;
+be = slapi_be_select(sdn);
+slapi_sdn_free(sdn);
+return be;
+}
+
+static const char *get_realm_base_dn(void)
+{
+const Slapi_DN *bsdn;
+Slapi_Backend *be;
+
+/* Find ancestor base DN */
+be = get_realm_backend();
+if (!be) return NULL;
+
+bsdn = slapi_be_getsuffix(be, 0);
+if (!bsdn) return NULL;
+
+return slapi_sdn_get_dn(bsdn);
+}
+
+static Slapi_Entry *get_entry_by_principal(const char *principal)
+{
+const char *bdn;
+char *filter = NULL;
+Slapi_PBlock *pb = NULL;
+char *attrlist[] = { krbPrincipalKey, krbLastPwdChange,
+ userPassword, krbPrincipalName,
+ enrolledBy, NULL };
+Slapi_Entry **es = NULL;
+int res, ret, i;
+Slapi_Entry *entry = NULL;
+
+/* Find ancestor base DN */
+bdn = get_realm_base_dn();
+if (!bdn) {
+LOG_TRACE(Search for Base DN failed\n);
+goto free_and_return;
+}
+
+filter = slapi_ch_smprintf((krbPrincipalName=%s), principal);
+if (!filter) {
+LOG_TRACE(Building filter failed\n);
+goto free_and_return;
+}
+
+pb = slapi_pblock_new();
+slapi_search_internal_set_pb(pb, bdn, LDAP_SCOPE_SUBTREE, filter,
+ attrlist, 0,
+ NULL, /* Controls */ NULL, /* UniqueID */
+ ipapwd_plugin_id, 0); /* Flags */
+
+/* do search the tree */
+ret = slapi_search_internal_pb(pb);
+slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, res);
+if (ret == -1 || res != LDAP_SUCCESS) {
+LOG_TRACE(Search for Principal failed, err (%d)\n, res ? res : ret);
+goto free_and_return;
+}
+
+/* get entries */
+slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, es);
+if (!es) {
+LOG_TRACE(No entries ?!);
+goto free_and_return;
+}
+
+/* count entries */
+for (i = 0; es[i]; i++) /* count */ ;
+
+/* if there is none or more than one, freak out */
+if (i != 1) {
+LOG_TRACE(Too many entries, or entry no found (%d), i);
+goto free_and_return;
+}
+entry = slapi_entry_dup(es[0]);
+
+free_and_return:
+if (pb) {
+slapi_free_search_results_internal(pb);
+slapi_pblock_destroy(pb);
+

Re: [Freeipa-devel] [PATCH 0233] trusts: Add more read attributes

2014-06-24 Thread Tomas Babej

Attaching patch 234, which resolves another ACI issue related to trusts.

On 06/24/2014 02:50 PM, Tomas Babej wrote:
 Hi,

 this is a follow up patch for 232. Read access to additional attributes
 is required for the trust objects.



 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 

From 629dc5ba07ef9490ba7dbce33306b02c3494893d Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 24 Jun 2014 18:24:32 +0200
Subject: [PATCH] trusts: Allow reading system trust accounts by adtrust agents

---
 ACI.txt  |  2 ++
 install/updates/60-trusts.update |  8 
 ipalib/plugins/trust.py  | 11 +++
 3 files changed, 21 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index 0398a52fcf2639f895f6bb7cd8bd91412affa6d3..94e3f2850d84c3819772504e21b44246306c6be8 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -112,6 +112,8 @@ dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser)(target = ldap:///ou=sudoers,dc=ipa,dc=example;)(version 3.0;acl permission:System: Read Sudoers compat tree;allow (compare,read,search) userdn = ldap:///all;;)
 dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = cn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || objectclass)(version 3.0;acl permission:System: Read Trust Information;allow (compare,read,search) userdn = ldap:///all;;)
+dn: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = gidnumber || uidnumber)(version 3.0;acl permission:System: Read system trust accounts;allow (compare,read,search) groupdn = ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = member)(target = ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example;)(version 3.0;acl permission:System: Add User to default group;allow (write) groupdn = ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 371bf656fcdea6b7ec54aeb42c5afd25ef1b90f9..d55bc94bbe917571999bcc7dfb6e6aaf641c4b49 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -15,6 +15,14 @@ default: objectClass: GroupOfNames
 default: objectClass: top
 default: cn: adtrust agents
 
+dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
+default: objectClass: top
+default: objectClass: groupofnames
+default: objectClass: nestedgroup
+default: cn: ADTrust Agents
+default: description: System accounts able to access trust information
+default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
+
 dn: cn=trusts,$SUFFIX
 default: objectClass: top
 default: objectClass: nsContainer
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 25755d7a41e93b869f4d4afbf0ac094c42212451..565d87a77a923ac29763be5ffad8c8c67cd01588 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -330,6 +330,17 @@ class trust(LDAPObject):
 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'
 },
 },
+
+'System: Read system trust accounts': {
+'non_object': True,
+'ipapermlocation': DN(container_dn, api.env.basedn),
+'replaces_global_anonymous_aci': True,
+'ipapermright': {'read', 'search', 'compare'},
+'ipapermdefaultattr': {
+'uidnumber', 'gidnumber'
+},
+'default_privileges': {'ADTrust Agents'},
+},
 }
 
 label = _('Trusts')
-- 
1.9.3

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] DNSSEC key wrapping: cryptographer needed

2014-06-24 Thread Petr Spacek


On 24.6.2014 15:45, Tomas Mraz wrote:

Technically SoftHSM's C_WrapKey call produces PKCS#8 structure encrypted with
AES according to RFC 3394 (no padding) or RFC 5649 (with padding).

RFC 3394 works only on blocks of 64 bits, which is not our case because
EncryptedPrivateKeyInfo has no padding. So we should use RFC 5649 to get
proper padding etc.

And here is the problem: SoftHSM can use RFC 5649 using OpenSSL functions but
OpenSSL doesn't support RFC 5649! The patch with this functionality was
submitted back in 2010 to OpenSSL bug tracker [3] but the ticket is in state
new and there was no reply to the e-mail in the original thread [4].

I am sorry, but this does not make much sense to me. Iff the SoftHSM's
C_WrapKey is really safe wrapping method for backing up and/or
replicating HSM's it must provide wrapped key in such format that the IV
is pregenerated as part of the Wrap operation and stored in the final
blob of wrapped key. Unfortunately I do not know much of SoftHSM.
SoftHSM is just PKCS#11 interface implementation so SoftHSM can't do 
something against PKCS#11 standard.


In this case the standard says that user has to provide IV explicitly and the 
C_WrapKey should fall-back to standardized default if IV was not given by user.


See section 6.13.3 AES Key Wrap in PKCS #11 Mechanisms v2.30: Cryptoki – 
Draft 7 on

ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30m1-d7.pdf




What do we do?
- Convince OpenSSL to review and accept the patch?

I would say the patch is not too useful as is - there are multiple
problems with it such as it is not using proper high level interfaces
for the AES encryption, etc.
Ah, right, nowadays openssl/crypto/aes/aes_wrap.c file is very different from 
the 2010-version. I didn't notice it.


Would you review the patch if we re-write it against current OpenSSL git head?

--
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0267-0268] Preparation for 4.4 release

2014-06-24 Thread Martin Kosek


On 06/24/2014 05:37 PM, Petr Spacek wrote:

On 23.6.2014 17:12, Petr Spacek wrote:

Hello,

Bump NVR to 4.4.

Update NEWS for upcoming 4.4 release.


Pushed to master:
2cd574e90a9fdebdbeaab45ef335e7d63e85dfd7
3a705963ed575f01b792a7e89d825cf56ce99734

At this point v4 branches from master.



Just for my education - what is the branching model in bind-dyndb-ldap? In 
FreeIPA, we branch when we release FreeIPA x.y so that bugfixing releases 
FreeIPA x.y.z can be done.


When you now branched at 4.4, do you plan to release bugfixes 4.4.x or rather 
4.5, 4.6...?


Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] DNSSEC key wrapping: cryptographer needed

2014-06-24 Thread Simo Sorce

On Tue, 2014-06-24 at 20:30 +0200, Petr Spacek wrote:
 On 24.6.2014 15:45, Tomas Mraz wrote:
  Technically SoftHSM's C_WrapKey call produces PKCS#8 structure encrypted 
  with
  AES according to RFC 3394 (no padding) or RFC 5649 (with padding).
  
  RFC 3394 works only on blocks of 64 bits, which is not our case because
  EncryptedPrivateKeyInfo has no padding. So we should use RFC 5649 to get
  proper padding etc.
  
  And here is the problem: SoftHSM can use RFC 5649 using OpenSSL functions 
  but
  OpenSSL doesn't support RFC 5649! The patch with this functionality was
  submitted back in 2010 to OpenSSL bug tracker [3] but the ticket is in 
  state
  new and there was no reply to the e-mail in the original thread [4].
  I am sorry, but this does not make much sense to me. Iff the SoftHSM's
  C_WrapKey is really safe wrapping method for backing up and/or
  replicating HSM's it must provide wrapped key in such format that the IV
  is pregenerated as part of the Wrap operation and stored in the final
  blob of wrapped key. Unfortunately I do not know much of SoftHSM.
 SoftHSM is just PKCS#11 interface implementation so SoftHSM can't do 
 something against PKCS#11 standard.
 
 In this case the standard says that user has to provide IV explicitly and the 
 C_WrapKey should fall-back to standardized default if IV was not given by 
 user.

Sounds completely bogus, but in this case we'll have to either provide a
random IV ourselves (and then store it alongside or provide data with a
confounder at the start implementing padding on our own.

 See section 6.13.3 AES Key Wrap in PKCS #11 Mechanisms v2.30: Cryptoki – 
 Draft 7 on
 ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30m1-d7.pdf
 
 
  What do we do?
  - Convince OpenSSL to review and accept the patch?
  I would say the patch is not too useful as is - there are multiple
  problems with it such as it is not using proper high level interfaces
  for the AES encryption, etc.
 Ah, right, nowadays openssl/crypto/aes/aes_wrap.c file is very different from 
 the 2010-version. I didn't notice it.
 
 Would you review the patch if we re-write it against current OpenSSL git head?
 


-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] DNSSEC key wrapping: cryptographer needed

2014-06-24 Thread Simo Sorce

On Tue, 2014-06-24 at 15:33 -0400, Simo Sorce wrote:
 On Tue, 2014-06-24 at 20:30 +0200, Petr Spacek wrote:

  In this case the standard says that user has to provide IV explicitly and 
  the 
  C_WrapKey should fall-back to standardized default if IV was not given by 
  user.
 
 Sounds completely bogus, but in this case we'll have to either provide a
 random IV ourselves (and then store it alongside or provide data with a

Add the key data) here-^

Simo.

 confounder at the start implementing padding on our own.
 
  See section 6.13.3 AES Key Wrap in PKCS #11 Mechanisms v2.30: Cryptoki – 
  Draft 7 on
  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30m1-d7.pdf
  
  
   What do we do?
   - Convince OpenSSL to review and accept the patch?
   I would say the patch is not too useful as is - there are multiple
   problems with it such as it is not using proper high level interfaces
   for the AES encryption, etc.
  Ah, right, nowadays openssl/crypto/aes/aes_wrap.c file is very different 
  from 
  the 2010-version. I didn't notice it.
  
  Would you review the patch if we re-write it against current OpenSSL git 
  head?
  
 
 


-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Martin Kosek


On 06/24/2014 06:44 PM, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:

On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:

On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server
providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:

 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
 Password:
 First Code:
 Second Code:
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage
instance at 0x2cdde60)
 ipa: ERROR: an internal error has occurred

 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

Works for me (just tested). I suspect you have not updated the ipa httpd
config. Did you apply patches 0054, 0055 and 0056?
Yes, I did apply those patches and I installed packages as an upgrade.
How I supposed to update httpd config? I think we need to solve this
without re-install and it should be done automatically.


Oh. I thought it *was* done automatically...

No. You only modified the template which is used for an install from
scratch.


It *will* get updated automatically if you bump the VERSION on the first line 
of install/conf/ipa.conf.


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum

On Tue, 2014-06-24 at 21:40 +0200, Martin Kosek wrote:
 On 06/24/2014 06:44 PM, Alexander Bokovoy wrote:
  On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
  On Tue, 2014-06-24 at 19:34 +0300, Alexander Bokovoy wrote:
  On Tue, 24 Jun 2014, Nathaniel McCallum wrote:
  On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
   On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
   On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
On 3.6.2014 05:08, Nathaniel McCallum wrote:
 This command calls the token sync HTTP POST call in the server
  providing
 the CLI interface to synchronization.

 https://fedorahosted.org/freeipa/ticket/4260

 This patch depends on my patch #0055.

   
Build fails on validation. You forgot to update API.txt and also the
command misses __doc__.
   
(not a proper review)
   Failed for me:
  
   [root@ipa-01 rpms]# ipa otptoken-show test.token
 Unique ID: test.token
 Description: test token
 Owner: abbra
 Vendor: FreeIPA
 Model: hotp
   [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token
   Password:
   First Code:
   Second Code:
   ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
   httplib.HTTPMessage instance at 0x2cdde60)
   Traceback (most recent call last):
 File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
   in execute
   result = self.Command[_name](*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
   in __call__
   ret = self.run(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 
   1118,
   in run
   return self.forward(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
   line 427, in forward
   rsp = urllib.urlopen(sync_uri, query)
 File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
   return opener.open(url, data)
 File /usr/lib64/python2.7/urllib.py, line 210, in open
   return getattr(self, name)(url, data)
 File /usr/lib64/python2.7/urllib.py, line 454, in open_https
   data)
 File /usr/lib64/python2.7/urllib.py, line 374, in http_error
   result = method(url, fp, errcode, errmsg, headers, data)
 File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
   errcode, errmsg, headers)
 File /usr/lib64/python2.7/urllib.py, line 381, in 
   http_error_default
   raise IOError, ('http error', errcode, errmsg, headers)
   IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage
  instance at 0x2cdde60)
   ipa: ERROR: an internal error has occurred
  
   Note that I can successfully use the token. It looks like 
   authentication
   with urllib.urlopen(sync_uri, query) fails.
  
  Works for me (just tested). I suspect you have not updated the ipa httpd
  config. Did you apply patches 0054, 0055 and 0056?
  Yes, I did apply those patches and I installed packages as an upgrade.
  How I supposed to update httpd config? I think we need to solve this
  without re-install and it should be done automatically.
 
  Oh. I thought it *was* done automatically...
  No. You only modified the template which is used for an install from
  scratch.
 
 It *will* get updated automatically if you bump the VERSION on the first 
 line 
 of install/conf/ipa.conf.

Yup, I figured that out about 15 minutes ago by looking at your past
commits. :)

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0055] Add /session/token_sync POST support

2014-06-24 Thread Nathaniel McCallum

On Mon, 2014-06-02 at 23:07 -0400, Nathaniel McCallum wrote:
 This HTTP call takes the following parameters:
  * user
  * password
  * first_code
  * second_code
  * token (optional)
 
 Using this information, the server will perform token synchronization.
 If the token is not specified, all tokens will be searched for
 synchronization.
 Otherwise, only the token specified will be searched.
 
 This patch depends on my patch #0054.

Attached is a new revision. This version should force an update
to /etc/httpd/conf.d/ipa.conf on update. It is also rebased on master.

Nathaniel
From 000eaaccaa3bff59138674f4144303107bda37af Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Wed, 28 May 2014 11:38:40 -0400
Subject: [PATCH] Add /session/token_sync POST support

This HTTP call takes the following parameters:
 * user
 * password
 * first_code
 * second_code
 * token (optional)

Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.
---
 install/conf/ipa.conf  |   8 +++-
 ipaserver/plugins/ldap2.py |  14 --
 ipaserver/plugins/xmlserver.py |   3 +-
 ipaserver/rpcserver.py | 106 +++--
 4 files changed, 122 insertions(+), 9 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index f4dac9827bd0251463aade5854fd522e4306e468..7eede73efc559967925d2bbfeee54e1e2efd3e21 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 15 - DO NOT REMOVE THIS LINE
+# VERSION 16 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -103,6 +103,12 @@ KrbConstrainedDelegationLock ipa
   Allow from all
 /Location
 
+Location /ipa/session/sync_token
+  Satisfy Any
+  Order Deny,Allow
+  Allow from all
+/Location
+
 # This is where we redirect on failed auth
 Alias /ipa/errors /usr/share/ipa/html
 
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index cfcec7c803215459cad2c08adae26a44099f2982..888f085b9f251bc933bc15c24a14b4107d4d4784 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -93,7 +93,7 @@ class ldap2(LDAPClient, CrudBackend):
 
 def create_connection(self, ccache=None, bind_dn=None, bind_pw='',
 tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
-debug_level=0, autobind=False):
+debug_level=0, autobind=False, serverctrls=None, clientctrls=None):
 
 Connect to LDAP server.
 
@@ -151,16 +151,22 @@ class ldap2(LDAPClient, CrudBackend):
 context=krbV.default_context()).principal().name
 
 os.environ['KRB5CCNAME'] = ccache
-conn.sasl_interactive_bind_s(None, SASL_GSSAPI)
+conn.sasl_interactive_bind_s(None, SASL_GSSAPI,
+ serverctrls=serverctrls,
+ clientctrls=clientctrls)
 setattr(context, 'principal', principal)
 else:
 # no kerberos ccache, use simple bind or external sasl
 if autobind:
 pent = pwd.getpwuid(os.geteuid())
 auth_tokens = _ldap.sasl.external(pent.pw_name)
-conn.sasl_interactive_bind_s(None, auth_tokens)
+conn.sasl_interactive_bind_s(None, auth_tokens,
+ serverctrls=serverctrls,
+ clientctrls=clientctrls)
 else:
-conn.simple_bind_s(bind_dn, bind_pw)
+conn.simple_bind_s(bind_dn, bind_pw,
+   serverctrls=serverctrls,
+   clientctrls=clientctrls)
 
 return conn
 
diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index 8d96262cf52f04620aeb5223002f4794e18cc0de..7460ead69a12fbe1b4613908f62787f3d26a1cde 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -25,7 +25,7 @@ Loads WSGI server plugins.
 from ipalib import api
 
 if 'in_server' in api.env and api.env.in_server is True:
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, xmlserver_session
+from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
 api.register(wsgi_dispatch)
 api.register(xmlserver)
 api.register(jsonserver_kerb)
@@ -33,4 +33,5 @@ if 'in_server' in api.env and api.env.in_server is True:
 api.register(login_kerberos)
 api.register(login_password)
 api.register(change_password)
+api.register(sync_token)

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum

On Tue, 2014-06-24 at 15:39 +0300, Alexander Bokovoy wrote:
 On Tue, 03 Jun 2014, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
 
  Build fails on validation. You forgot to update API.txt and also the
  command misses __doc__.
 
  (not a proper review)
 Failed for me:
 
 [root@ipa-01 rpms]# ipa otptoken-show test.token
   Unique ID: test.token
   Description: test token
   Owner: abbra
   Vendor: FreeIPA
   Model: hotp
 [root@ipa-01 rpms]# ipa otptoken-sync abbra --token=test.token 
 Password: 
 First Code: 
 Second Code: 
 ipa: ERROR: non-public: IOError: ('http error', 401, 'Unauthorized',
 httplib.HTTPMessage instance at 0x2cdde60)
 Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
 in execute
 result = self.Command[_name](*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439,
 in __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1118,
 in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py,
 line 427, in forward
 rsp = urllib.urlopen(sync_uri, query)
   File /usr/lib64/python2.7/urllib.py, line 89, in urlopen
 return opener.open(url, data)
   File /usr/lib64/python2.7/urllib.py, line 210, in open
 return getattr(self, name)(url, data)
   File /usr/lib64/python2.7/urllib.py, line 454, in open_https
 data)
   File /usr/lib64/python2.7/urllib.py, line 374, in http_error
 result = method(url, fp, errcode, errmsg, headers, data)
   File /usr/lib64/python2.7/urllib.py, line 689, in http_error_401
 errcode, errmsg, headers)
   File /usr/lib64/python2.7/urllib.py, line 381, in http_error_default
 raise IOError, ('http error', errcode, errmsg, headers)
 IOError: ('http error', 401, 'Unauthorized', httplib.HTTPMessage instance at 
 0x2cdde60)
 ipa: ERROR: an internal error has occurred
 
 Note that I can successfully use the token. It looks like authentication
 with urllib.urlopen(sync_uri, query) fails.

This should be fixed in 0055.1.

Nathaniel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0267-0268] Preparation for 4.4 release

2014-06-24 Thread Lukas Slebodnik

On (24/06/14 21:34), Martin Kosek wrote:
On 06/24/2014 05:37 PM, Petr Spacek wrote:
On 23.6.2014 17:12, Petr Spacek wrote:
Hello,

Bump NVR to 4.4.

Update NEWS for upcoming 4.4 release.

Pushed to master:
2cd574e90a9fdebdbeaab45ef335e7d63e85dfd7
3a705963ed575f01b792a7e89d825cf56ce99734

At this point v4 branches from master.


Just for my education - what is the branching model in bind-dyndb-ldap? In
FreeIPA, we branch when we release FreeIPA x.y so that bugfixing releases
FreeIPA x.y.z can be done.

When you now branched at 4.4, do you plan to release bugfixes 4.4.x or rather
4.5, 4.6...?
Numbers are cheap.
bind-dyndb-ldap is small project. It will be simpler to use only two
numbers for version. 

LS

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH 0056] Add otptoken-sync command

2014-06-24 Thread Nathaniel McCallum

On Tue, 2014-06-03 at 09:18 -0400, Nathaniel McCallum wrote:
 On Tue, 2014-06-03 at 10:27 +0200, Petr Vobornik wrote:
  On 3.6.2014 05:08, Nathaniel McCallum wrote:
   This command calls the token sync HTTP POST call in the server providing
   the CLI interface to synchronization.
  
   https://fedorahosted.org/freeipa/ticket/4260
  
   This patch depends on my patch #0055.
  
  
  Build fails on validation. You forgot to update API.txt and also the 
  command misses __doc__.
  
  (not a proper review)
 
 Thanks, fixed.

Attached is a new revision which is rebased on master.

In addition it:

1. Moves user to a parameter and moves token to an argument. Doing it
this way both mirrors the existing otptoken APIs and sets us up for
future Kerberos based syncing where the username/password will be
optional.

2. Converts the token ID to a DN.

Nathaniel
From 6876cabce395ab3aee87ce2f9de3a0cb353fae47 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Mon, 2 Jun 2014 23:00:52 -0400
Subject: [PATCH] Add otptoken-sync command

This command calls the token sync HTTP POST call in the server providing
the CLI interface to synchronization.

https://fedorahosted.org/freeipa/ticket/4260
---
 API.txt|  9 
 ipalib/plugins/otptoken.py | 56 +-
 2 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/API.txt b/API.txt
index 0dd28068edbd37f021a58195941e102c25fa360f..ab09b089d1ff525de82c2044fac939b78a2afa05 100644
--- a/API.txt
+++ b/API.txt
@@ -2408,6 +2408,15 @@ option: Str('version?', exclude='webui')
 output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: PrimaryKey('value', None, None)
+command: otptoken_sync
+args: 1,5,1
+arg: Str('token?')
+option: Password('first_code', confirm=False)
+option: Password('password', confirm=False)
+option: Password('second_code', confirm=False)
+option: Str('user')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: passwd
 args: 3,1,3
 arg: Str('principal', autofill=True, cli_name='user', primary_key=True)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index d834d582a16d95ab08c3f1fe1aef29160c77ae23..035328ce3260dd1c784a7cdb2aa4bf54fe6e7a27 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -19,13 +19,16 @@
 
 from ipalib.plugins.baseldap import DN, LDAPObject, LDAPAddMember, LDAPRemoveMember
 from ipalib.plugins.baseldap import LDAPCreate, LDAPDelete, LDAPUpdate, LDAPSearch, LDAPRetrieve
-from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, _, ngettext
+from ipalib import api, Int, Str, Bool, Flag, Bytes, IntEnum, StrEnum, Password, _, ngettext
 from ipalib.plugable import Registry
 from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound
 from ipalib.request import context
+from ipalib.frontend import Local
+
 import base64
 import uuid
 import urllib
+import urlparse
 import qrcode
 import os
 
@@ -383,3 +386,54 @@ class otptoken_remove_managedby(LDAPRemoveMember):
 __doc__ = _('Remove hosts that can manage this host.')
 
 member_attributes = ['managedby']
+
+@register()
+class otptoken_sync(Local):
+__doc__ = _('Synchronize an OTP token.')
+
+header = 'X-IPA-TokenSync-Result'
+
+takes_options = (
+Str('user', label=_('User ID')),
+Password('password', label=_('Password'), confirm=False),
+Password('first_code', label=_('First Code'), confirm=False),
+Password('second_code', label=_('Second Code'), confirm=False),
+)
+
+takes_args = (
+Str('token?', label=_('Token ID')),
+)
+
+def forward(self, *args, **kwargs):
+status = {'result': {self.header: 'unknown'}}
+
+# Get the sync URI.
+segments = list(urlparse.urlparse(self.api.env.xmlrpc_uri))
+assert segments[0] == 'https' # Ensure encryption.
+segments[2] = segments[2].replace('/xml', '/session/sync_token')
+sync_uri = urlparse.urlunparse(segments)
+
+# Prepare the query.
+query = {k: v for k, v in kwargs.items()
+if k in {x.name for x in self.takes_options}}
+if args and args[0] is not None:
+obj = self.api.Object.otptoken
+query['token'] = DN((obj.primary_key.name, args[0]),
+obj.container_dn, self.api.env.basedn)
+query = urllib.urlencode(query)
+
+# Sync the token.
+# WARNING: This does not validate the server's certificate.
+rsp = urllib.urlopen(sync_uri, query)
+if rsp.getcode() == 200:
+status['result'][self.header] = rsp.info().get(self.header, 'unknown')
+rsp.close()
+
+return status
+
+def output_for_cli(self, textui, result, *keys, **options):
+

42 matches

Mail list logo