Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On Thu, 04 Sep 2014, Martin Kosek wrote:
On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
On Wed, 03 Sep 2014, Martin Kosek wrote:
On 09/03/2014 03:15 PM, Petr Viktorin wrote:
On 09/03/2014 02:27 PM, Petr Viktorin wrote:
On 09/03/2014 01:27 PM, Petr Viktorin wrote:

Hello,

This adds managed read permissions to the compat tree. For users it grants anonymous access; authenticated users can read groups, hosts and netgroups.

I'm unsure if this is what we want to do for groups, but Read Group Membership is only granted to authenticated users by default, and the compat tree exposes memberuid.

https://fedorahosted.org/freeipa/ticket/4521

Self-NACK, there's a typo (though I could swear I tested this :/)

Fixed patch attached.

I tested and it looks and works OK, ACK from me. We can wait till tomorrow to see if there are no reservations from Alexander or Rob.

I think we need a bit more fixes. Here is ACL log for an anonymous request:

[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from cn=compat,dc=ipacloud,dc=test for (uid=admin) with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname= permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname= permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname= permission:System: Read User Compat Tree, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname= Admin can manage any entry, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by aci(38): aciname= permission:System: Read User Compat Tree, acidn=dc=ipacloud,dc=test
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to
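An added example, not part of the thread or of FreeIPA: a small audit of the NSACLPlugin decision lines in the format quoted above. It reports, per bind subject, which attributes of which entries were allowed or denied and which ACI granted each allow, resolving the unnamed "cached allow" lines from the first named sighting of the same ACI number. The sample log is constructed from the quoted format (with the quotes the real log puts around aciname/acidn).

```python
"""Summarise 389-ds NSACLPlugin decisions per bind subject (added example)."""
import re
from collections import defaultdict

# One Allow/Deny decision line. The real log quotes aciname/acidn; the
# digest quoted in the thread dropped the quotes, so both forms are accepted.
DECISION = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'\(main\): (?P<decision>Allow|Deny) (?P<right>\w+) on '
    r'entry\((?P<entry>[^)]+)\)\.attr\((?P<attr>[^)]+)\) to '
    r'(?P<subject>[^:]+): (?P<reason>.*)$')
ACI_REF = re.compile(
    r'aci\((?P<num>\d+)\)'
    r'(?::\s*aciname=\s*"?(?P<name>.*?)"?,\s*acidn=\s*"?(?P<dn>.*?)"?)?\s*$')

# Constructed sample in the quoted format (subset of the thread's log).
SAMPLE_LOG = """\
[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from cn=compat,dc=ipacloud,dc=test for (uid=admin) with scope 2 (sub)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname="permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname="permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname="Admin can manage any entry", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by aci(38): aciname="permission:System: Read User Compat Tree", acidn="dc=ipacloud,dc=test"
[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to anonymous: cached allow by aci(38)
"""


def parse_decisions(lines):
    """Yield one dict per Allow/Deny line; other log lines are skipped."""
    for line in lines:
        m = DECISION.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        ref = ACI_REF.search(rec['reason'])
        rec['aci'] = int(ref.group('num')) if ref else None
        rec['aci_name'] = ref.group('name') if ref else None
        rec['cached'] = rec['reason'].startswith('cached')
        yield rec


def effective_access(lines):
    """Return {subject: {'allowed': {(entry, right, attr): aci_name},
                         'denied': {(entry, right, attr), ...}}}.

    "allowed by aci(N): aciname=..." names the granting ACI; a later
    "cached allow by aci(N)" omits the name, so it is resolved from the first
    sighting of N. A Deny line only names the last ACI the evaluator looked
    at (in the quoted log an unrelated DNS permission), so that name is not
    recorded as a cause.
    """
    aci_names = {}
    report = defaultdict(lambda: {'allowed': {}, 'denied': set()})
    for rec in parse_decisions(lines):
        key = (rec['entry'], rec['right'], rec['attr'])
        bucket = report[rec['subject']]
        if rec['decision'] == 'Allow':
            if rec['aci_name']:
                aci_names[rec['aci']] = rec['aci_name']
            bucket['allowed'][key] = aci_names.get(rec['aci'], 'aci(%s)' % rec['aci'])
        else:
            bucket['denied'].add(key)
    return dict(report)


def attrs_for(report, subject, entry, right, decision='allowed'):
    """Sorted attribute names of one entry for a subject, right and decision."""
    bucket = report.get(subject, {}).get(decision, ())
    return sorted(attr for (e, r, attr) in bucket if e == entry and r == right)


def granting_acis(report, subject):
    """Sorted names of the ACIs that granted anything to the subject."""
    return sorted(set(report.get(subject, {}).get('allowed', {}).values()))


if __name__ == '__main__':
    report = effective_access(SAMPLE_LOG.splitlines())
    for subject, buckets in report.items():
        print('subject:', subject, 'granted by:', granting_acis(report, subject))
        for (entry, right, attr), name in sorted(buckets['allowed'].items()):
            print('  ALLOW %-6s %-16s %s  <- %s' % (right, attr, entry, name))
        for entry, right, attr in sorted(buckets['denied']):
            print('  DENY  %-6s %-16s %s' % (right, attr, entry))
```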
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/04/2014 01:22 PM, Jan Cholasta wrote:
On 4.9.2014 at 12:42, David Kupka wrote:
On 09/03/2014 05:09 PM, Jan Cholasta wrote:
Hi,
On 27.8.2014 at 13:56, David Kupka wrote:

Usually it isn't wise to allow something like this. But in an environment with broken DNS (described in the ticket) there are probably not many alternatives.

https://fedorahosted.org/freeipa/ticket/

1) I think you can log realm in search() as part of the "Starting IPA discovery ..." message instead of a separate message.

2) Also, no need to log the realm twice in search().

I forgot to remove some redundant debug prints.

3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc().

Fixed, thanks.

What I meant is that this:

    def ipadnssearchkrbkdc(self, domain=None):
        kdc = None
        if not domain:
            domain = self.domain
        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
        if kdc:
            kdc = ','.join(kdc)
        else:
            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None
        return kdc

should be this:

    def ipadnssearchkrbkdc(self, domain=None):
        if not domain:
            domain = self.domain
        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
        if kdc:
            kdc = ','.join(kdc)
        else:
            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None
        return kdc

Isn't that right?

Oh, you're right, again :) Thanks.

Honza

-- 
David Kupka

From e3dfea228328da6d520180515426095ce0985c47 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 27 Aug 2014 12:31:09 +0200
Subject: [PATCH] Allow user to force Kerberos realm during installation.

User can set realm not matching one resolved from DNS. This is useful especially when DNS is misconfigured.

https://fedorahosted.org/freeipa/ticket/
---
 ipa-client/ipa-install/ipa-client-install |  2 +-
 ipa-client/ipaclient/ipadiscovery.py      | 52 +++
 2 files changed, 33 insertions(+), 21 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore): # Create the discovery instance ds = ipadiscovery.IPADiscovery() -ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) +ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) if options.server and ret != 0: # There is no point to continue with installation as server list was diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0532f618e81d215c4416f62f81af2add48c7dc8e..0d574825aa493a8d565afe30077b74aec03924a3 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -139,7 +139,7 @@ class IPADiscovery(object): domain = domain[p+1:] return (None, None) -def search(self, domain = , servers = , hostname=None, ca_cert_path=None): +def search(self, domain=, servers=, realm=None, hostname=None, ca_cert_path=None): Use DNS discovery to identify valid IPA servers. 
@@ -218,13 +218,21 @@ class IPADiscovery(object): #search for kerberos root_logger.debug([Kerberos realm search]) -krb_realm, kdc = self.ipadnssearchkrb(self.domain) -if not servers and not krb_realm: +if realm: +root_logger.debug(Kerberos realm forced) +self.realm = realm +self.realm_source = 'Forced' +else: +realm = self.ipadnssearchkrbrealm() +self.realm = realm +self.realm_source = ( +'Discovered Kerberos DNS records from %s' % self.domain) + +if not servers and not realm: return REALM_NOT_FOUND -self.realm = krb_realm -self.kdc = kdc -self.realm_source = self.kdc_source = ( +self.kdc = self.ipadnssearchkrbkdc() +self.kdc_source = ( 'Discovered Kerberos DNS records from %s' % self.domain) # We may have received multiple servers corresponding to the domain @@ -452,11 +460,12 @@ class IPADiscovery(object): return servers -def ipadnssearchkrb(self, tdomain): +def ipadnssearchkrbrealm(self, domain=None): realm = None -kdc = None
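Review bot: the search() signature in the ipadiscovery.py hunk gains a realm parameter, but the docstring directly under it still reads only "Use DNS discovery to identify valid IPA servers."; add a line stating that a caller-supplied realm bypasses the Kerberos realm DNS lookup and is recorded as realm_source 'Forced', so callers know which part of discovery they are overriding.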
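Review bot: in the Kerberos realm hunk the forced realm is accepted as given while the KDC is still resolved from DNS through ipadnssearchkrbkdc(), and kdc_source still reads 'Discovered Kerberos DNS records from %s'. Two points. First, nothing compares the forced realm with what the domain's DNS advertises, so a mismatch (a misconfigured or manipulated DNS, which is exactly the situation the patch targets) stays silent; a line such as `root_logger.debug("Forced realm %s differs from DNS realm %s", ...)` would make it visible. Second, `if not servers and not realm: return REALM_NOT_FOUND` can no longer trigger once realm is forced, so a None from ipadnssearchkrbkdc() (its "SRV record for KDC not found" path) lands in self.kdc without any message; log it, or fail when no servers were supplied either. Minor: 'Forced' is a bare word next to the sentence-style sources; 'Forced by user' keeps them parallel.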
Re: [Freeipa-devel] [PATCH 0119] Fix dnsrecord-mod, regression in 4.x
On 09/04/2014 05:12 PM, Jan Cholasta wrote:
On 4.9.2014 at 16:45, Martin Basti wrote:
On 04/09/14 16:36, Jan Cholasta wrote:
Hi,
On 4.9.2014 at 16:13, Martin Basti wrote:

Regression is caused by different output types for dnsrecord-mod and dnsrecord-del. dnsrecord-mod internally calls remove record if there are no more records in the owner name, which causes an output validation error.

[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec=
ipa: ERROR: an internal error has occurred
ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() = PrimaryKey.validate(): output['value']: need class 'ipapython.dnsutil.DNSName'; got type 'list': [DNS name ds]
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 348, in wsgi_execute
    result = self.Command[name](*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 451, in __call__
    self.validate_output(ret, options['version'])
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 944, in validate_output
    o.validate(self, value, version)
  File /usr/lib/python2.7/site-packages/ipalib/output.py, line 126, in validate
    types[0], type(value), value))
TypeError: dnsrecord_mod.validate_output() = PrimaryKey.validate(): output['value']: need class 'ipapython.dnsutil.DNSName'; got type 'list': [DNS name ds]
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsrecord_mod(DNS name ipa.example., DNS name ds, nsrecord=None, rights=False, structured=False, all=False, raw=False, version=u'2.102'): TypeError

Patch attached.

NACK, the assert needs to be inside the if, otherwise old clients will fail on it.

Honza

Thanks
Updated patch attached

Thanks, ACK.

Pushed to:
master: 62a255949377d4a6b3cc197462223b5b0495d18d
ipa-4-0: 1dc9db49db895f130c68c12c316c8946944e70cf
ipa-4-1: 9e8aed8e53b91605685cd050cfdc27c41112ceb8

-- 
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On 09/04/2014 05:13 PM, Rob Crittenden wrote:
Jan Cholasta wrote:
Hi,
On 3.9.2014 at 21:23, Rob Crittenden wrote:

No longer request and install a cert for the IPA client machine.

rob

The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach.

The cert has never been used and is now actively causing issues in RHEL-7 with systemd and kickstart. It could be made optional, and move the location, but IMHO its time has come.

rob

One change that Rob's patch also does is that from now on, certmonger would not be enabled and running by default on client machines. It would only be enabled on IPA server.

I am still not confident about the resolution to just stop generating the certificate, I was leaning more towards making it optional + generating to a better database as Honza proposed.

Simo, Alexander, what is your take on this?

Thanks,
Martin
Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On 09/04/2014 04:44 PM, Ludwig Krispenz wrote:
On 09/04/2014 04:38 PM, Martin Kosek wrote:
On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
...
createTimestamp is an operational attribute and is synthesized by slapi-nis, there is no problem allowing access to it. I think we can allow the following operational attributes: createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName, entryDN, hasSubordinates, numSubordinates

Ah, ok, probably yes. At least for some of them - CCing Simo. For example entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed for the whole FreeIPA DIT. So this change is not so related to these patches.

Do we also want to expose attributes like creatorsName/modifiersName? Do we consider that public information or just audit-like information for DM only?

They are standard features of LDAP servers. RFC 4512 states:
=
3.4 Operational attributes
...
Servers SHOULD maintain the 'creatorsName', 'createTimestamp', 'modifiersName', and 'modifyTimestamp' attributes for all entries of the DIT.
=
This is, again, a question of policy. Active Directory forbids anonymous access to the tree; so they always expose these attributes to authenticated users only. If we allow anonymous access, we should allow these attributes too.

Well, DS *does* maintain the attributes - the question is whether we want to show them to anonymous/authenticated people or just the DM :)

Whether you want to show them depends on whether they are useful or sensitive. I don't know why an anonymous user would need access to them. Are they sensitive? Well, at least they expose a DN which has rights to create and modify entries and could be used when trying to get more access.

Alexander, should we then show just
+'createtimestamp', 'modifytimestamp', 'entryusn',
to authenticated users? I do not think that modifiers/creatorsDN is something that an anonymous user needs to see by default. Admin can allow it if he wants, but IMO it should not be the default.

Martin
Re: [Freeipa-devel] [PATCH] 0008 Use certmonger D-Bus API instead of messing with its files.
On 09/04/2014 03:09 PM, Jan Cholasta wrote:
On 4.9.2014 at 13:40, Martin Kosek wrote:
On 09/04/2014 01:19 PM, Jan Cholasta wrote:
On 4.9.2014 at 12:31, David Kupka wrote:
On 09/03/2014 04:45 PM, Jan Cholasta wrote:
On 3.9.2014 at 16:25, David Kupka wrote:
On 09/03/2014 04:05 PM, Jan Cholasta wrote:
On 3.9.2014 at 12:37, David Kupka wrote:
On 09/02/2014 01:56 PM, Jan Cholasta wrote:
On 29.8.2014 at 14:34, David Kupka wrote:

Hope I've addressed all the issues (except 9 and 11, inline). Let's go for another round :-)

On 08/27/2014 11:05 AM, Jan Cholasta wrote:
Hi,
On 25.8.2014 at 15:39, David Kupka wrote:
On 08/19/2014 05:44 PM, Rob Crittenden wrote:
David Kupka wrote:
On 08/19/2014 09:58 AM, Martin Kosek wrote:
On 08/19/2014 09:05 AM, David Kupka wrote:

FreeIPA will use certmonger D-Bus API as discussed in this thread https://www.redhat.com/archives/freeipa-devel/2014-July/msg00304.html

This change should prevent hard-to-reproduce bugs like https://fedorahosted.org/freeipa/ticket/4280

Thanks for this effort, the updated certmonger module looks much better! This will help us get rid of the non-standard communication with certmonger.

Just a couple of initial comments from me by reading the code:

1) Testing needs a fixed version of certmonger, right? This needs to be spelled out right with the patch.

Yes, certmonger 0.75.13 and above should be fine according to ticket https://fedorahosted.org/certmonger/ticket/36. Added to patch description.

You should update the spec to set the minimum version as well.

Sure, thanks.

2) Description text in patches is cheap, do not be afraid to use it and describe what you did and why. Link to the ticket is missing in the description as well:

Ok, increased verbosity a bit :-)

Subject: [PATCH] Use certmonger D-Bus API instead of messing with its files.
---

3) get_request_id API:

criteria = ( -('cert_storage_location', dogtag_constants.ALIAS_DIR, - certmonger.NPATH), -('cert_nickname', nickname, None), +('cert_storage_location', dogtag_constants.ALIAS_DIR), +('cert_nickname', nickname), ) request_id = certmonger.get_request_id(criteria)

Do we want to continue using the criteria object or should we rather switch to normal function options? I.e. rather using

    request_id = certmonger.get_request_id(cert_nickname=nickname, cert_storage_location=dogtag_constants.ALIAS_DIR)

? It would look more consistent with other calls. I am just asking, not insisting.

I've no preference here. It seems to be a very small change. Has anyone a reason to do it one way and not the other?

I think I used this criteria thing to avoid having a bazillion optional parameters and for future-proofing. I think at this point the list is probably pretty stable, so I'd base it on whether you care about having a whole ton of optional parameters or not (it has the advantage of self-documenting itself).

The list is probably stable but also really excessive. I don't think it would help to have more than a dozen optional parameters. So I prefer to leave it as-is and change it in future if it is wanted.

3) Starting function:

+try: +ipautil.run([paths.SYSTEMCTL, 'start', 'certmonger'], skip_output=True) +except Exception, e: +root_logger.error('Failed to start certmonger: %s' % e) +raise e

I see 2 issues related to this code:

a) Do not call SYSTEMCTL directly. To be platform independent, rather use services.knownservices.messagebus.start() that is overridable by someone else porting to non-systemd platforms.

Is there anything that can't be done using ipalib/ipapython/ipaplatform?

It can't make coffee (yet).

b) In this case, do not use "raise e", but just "raise" to keep the exception stack trace intact for better debugging.

Every day there's something new to learn about python or FreeIPA.

Both a) and b) should be fixed in other occasions and places.

I found only one occurrence of the a) issue. Is there some hidden one, or are you talking about the whole FreeIPA project?

4) Feel free to add yourself to the Authors section of this module. You refactored it greatly to earn it :-)

Done.

You already import dbus, why also separately import DBusException?

Removed, thanks for noticing.

rob

1) The patch needs to be rebased.

I didn't notice the patch is targeted for 4.0. Can you please provide patches for both ipa-4-0 and ipa-4-1/master?

Attached, 0008-5 works on master/ipa-4-1 and 0008-5-ipa40 works on ipa-4-0.

There is a little bug in ipa-upgradeconfig in the 4.0 version of the patch. This is wrong:

    for request in requests:
        nss_dir, nickname, ca_name, pre_command, post_command, profile = request
        criteria = {
            'cert-database': nss_dir,
            'cert-nickname': nickname,
            'ca-name':
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On Fri, 05 Sep 2014, Martin Kosek wrote:
On 09/04/2014 05:13 PM, Rob Crittenden wrote:
Jan Cholasta wrote:
Hi,
On 3.9.2014 at 21:23, Rob Crittenden wrote:

No longer request and install a cert for the IPA client machine.

rob

The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach.

The cert has never been used and is now actively causing issues in RHEL-7 with systemd and kickstart. It could be made optional, and move the location, but IMHO its time has come.

rob

One change that Rob's patch also does is that from now on, certmonger would not be enabled and running by default on client machines. It would only be enabled on IPA server.

I am still not confident about the resolution to just stop generating the certificate, I was leaning more towards making it optional + generating to a better database as Honza proposed.

Simo, Alexander, what is your take on this?

I'm fine with making it optional. However, on client machine upgrades do not stop and disable certmonger if it is tracking more than just the host certificate.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On Fri, 05 Sep 2014, Martin Kosek wrote:
On 09/04/2014 04:44 PM, Ludwig Krispenz wrote:
On 09/04/2014 04:38 PM, Martin Kosek wrote:
On 09/04/2014 04:10 PM, Alexander Bokovoy wrote:
...
createTimestamp is an operational attribute and is synthesized by slapi-nis, there is no problem allowing access to it. I think we can allow the following operational attributes: createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName, entryDN, hasSubordinates, numSubordinates

Ah, ok, probably yes. At least for some of them - CCing Simo. For example entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed for the whole FreeIPA DIT. So this change is not so related to these patches.

Do we also want to expose attributes like creatorsName/modifiersName? Do we consider that public information or just audit-like information for DM only?

They are standard features of LDAP servers. RFC 4512 states:
=
3.4 Operational attributes
...
Servers SHOULD maintain the 'creatorsName', 'createTimestamp', 'modifiersName', and 'modifyTimestamp' attributes for all entries of the DIT.
=
This is, again, a question of policy. Active Directory forbids anonymous access to the tree; so they always expose these attributes to authenticated users only. If we allow anonymous access, we should allow these attributes too.

Well, DS *does* maintain the attributes - the question is whether we want to show them to anonymous/authenticated people or just the DM :)

Whether you want to show them depends on whether they are useful or sensitive. I don't know why an anonymous user would need access to them. Are they sensitive? Well, at least they expose a DN which has rights to create and modify entries and could be used when trying to get more access.

Alexander, should we then show just
+'createtimestamp', 'modifytimestamp', 'entryusn',
to authenticated users? I do not think that modifiers/creatorsDN is something that an anonymous user needs to see by default.

createtimestamp, modifytimestamp, and entryusn are all needed for the sssd LDAP provider. Not allowing them for anonymous will make legacy SSSD performance suboptimal. modifier/creator DNs can be given out only to authenticated users.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it
On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4166. Honza ACK Neither patch applies to 4.1, though. Could you send a version for that as well? -- Petr³
Re: [Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation
On 09/04/2014 01:11 PM, Petr Spacek wrote: On 4.9.2014 13:02, Martin Basti wrote: On 04/09/14 11:46, Petr Spacek wrote: On 3.9.2014 16:42, Martin Basti wrote: On 02/09/14 17:16, Petr Spacek wrote: On 20.8.2014 19:26, Martin Basti wrote: Part of DNSSEC Patches attached. NACK # ipa dnsrecord-add ipa.example. ds '--ds-rec=1 2 3 4' ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS record (RFC 4529, section 4.6) RFC number is incorrect. IMHO it should also reference 'RFC 4035 section 2.4'. Also, there is one hole: Current code allows you to add DS RR to existing NS and then to remove NS. Let me know if adding a check to -del is too hard, maybe we can live without it... dnsrecord-del validation added Updated patch attached Required in ipa 4.1 but this could be pushed to 4.0.x too It almost works ... almost. I'm not sure if the problem is in your patch or in existing code: [root@vm-035 git]# ipa dnsrecord-add ipa.example ds --ds-rec='1 2 3 4' Record name: ds DS record: 1 2 3 4 NS record: vm-035.idm.lab.eng.brq.redhat.com. [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec= ipa: ERROR: invalid 'dsrecord': DS record requires to coexist with an NS record (RFC 4592 section 4.6, RFC 4035 section 2.4) [root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ds-rec= Record name: ds NS record: vm-035.idm.lab.eng.brq.redhat.com. 
[root@vm-035 git]# ipa dnsrecord-mod ipa.example ds --ns-rec= ipa: ERROR: an internal error has occurred # tail /var/log/httpd/error_log ipa: ERROR: non-public: TypeError: dnsrecord_mod.validate_output() = PrimaryKey.validate(): output['value']: need class 'ipapython.dnsutil.DNSName'; got type 'list': [DNS name ds]
Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 348, in wsgi_execute
    result = self.Command[name](*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 451, in __call__
    self.validate_output(ret, options['version'])
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 944, in validate_output
    o.validate(self, value, version)
  File /usr/lib/python2.7/site-packages/ipalib/output.py, line 126, in validate
    types[0], type(value), value))
TypeError: dnsrecord_mod.validate_output() = PrimaryKey.validate(): output['value']: need class 'ipapython.dnsutil.DNSName'; got type 'list': [DNS name ds]
ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE: dnsrecord_mod(DNS name ipa.example., DNS name ds, nsrecord=None, rights=False, structured=False, all=False, raw=False, version=u'2.102'): TypeError
This bug is not related to the patches. Error is raised when you try to delete the last record in RRset using dnsrecord-mod --any-rec= Okay, functional ACK. Please send a separate patch for this problem or at least open a ticket and describe what is wrong with it. It can be pushed if Python gurus are okay with the code. Thank you! Ok, LGTM. Pushed to master, ipa-4-1. Martin
Re: [Freeipa-devel] [PATCHES 0111-0113] Fix NS record coexistence validation
On 09/04/2014 01:12 PM, Petr Spacek wrote: On 3.9.2014 16:51, Martin Basti wrote: On 03/09/14 12:30, Martin Kosek wrote: On 09/02/2014 05:38 PM, Petr Spacek wrote: On 21.8.2014 19:21, Martin Basti wrote: During work on DNSSEC we found a wrong validation of NS records Patch 0113 fixes an error in tests caused by bind-dyndb-ldap bug https://fedorahosted.org/bind-dyndb-ldap/ticket/123 Patches attached. Functional ACK. It can be pushed if Python gurus don't see any problem. I think the patches will need a rebase before push, I cannot apply them to my tree. The Python part itself looked good to me. Martin Rebased patch attached, due to changes in freeipa-mbasti-0109, patches mbasti-0109.2, mbasti-0110.2 are required. Rebased versions work for me. Functional ACK. Ok, LGTM. Pushed to master, ipa-4-1. Martin
[Freeipa-devel] [PATCH] Do not restart apache server when not necessary.
https://fedorahosted.org/freeipa/ticket/4352 -- David Kupka From 9f081c8f1cab3f0d7cb0d55054ae7ad8f1ed8a10 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Fri, 5 Sep 2014 09:55:23 +0200 Subject: [PATCH] Do not restart apache server when not necessary. https://fedorahosted.org/freeipa/ticket/4352 --- install/tools/ipa-replica-install | 1 - 1 file changed, 1 deletion(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 5bfd61ee69d4682823a57f4b99a0d9a054a56d22..621127558a525a75a36fbbd3d97bc9084642869e 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -699,7 +699,6 @@ def main(): CA.configure_certmonger_renewal() CA.import_ra_cert(dir + /ra.p12) CA.fix_ra_perms() -services.knownservices.httpd.restart() # The DS instance is created before the keytab, add the SSL cert we # generated -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
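Review bot: the commit message should say why this restart is no longer necessary, because the removed `services.knownservices.httpd.restart()` sits immediately after `CA.import_ra_cert(dir + /ra.p12)` and `CA.fix_ra_perms()`, i.e. right after new RA material has been installed for the web server, and a reader of the history cannot tell from "when not necessary" which later step of main() (re)starts httpd so that the imported certificate is actually loaded before anything on the replica uses it. One sentence in the message naming that later restart, or a short comment left where the line was, would make the change reviewable without tracing the rest of ipa-replica-install.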
Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation
On 3.9.2014 14:40, Martin Basti wrote: On 02/09/14 17:33, Petr Spacek wrote: On 21.8.2014 10:58, Martin Basti wrote: On 21/08/14 08:43, Petr Spacek wrote: On 20.8.2014 17:37, Martin Basti wrote: +# dissallowed wildcard (RFC 4592) +no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS'] NACK http://tools.ietf.org/html/rfc4592#section-4.3 doesn't forbid CNAME with wildcard owner name. This subsection is just a note for implementers about proper wildcard handling. Sorry :-) Thank you! Updated patches attached. # ipa dnsrecord-add ipa.example. '*' --ns-rec='ns' ipa: ERROR: invalid 'idnsname': owner of DNAME, DS, NS records should not be a wildcard domain name (RFC 4592) It would be nice to have more specific reference to RFC: 'RFC 4592 section 4'. CondACK: It can be pushed if you amend the error message. Updated patch attached. Please push to branches: ipa 4.0.x, 4.1, master The error message seems okay, it can be pushed. -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation
On 09/05/2014 12:21 PM, Petr Spacek wrote: On 3.9.2014 14:40, Martin Basti wrote: On 02/09/14 17:33, Petr Spacek wrote: On 21.8.2014 10:58, Martin Basti wrote: On 21/08/14 08:43, Petr Spacek wrote: On 20.8.2014 17:37, Martin Basti wrote: +# dissallowed wildcard (RFC 4592) +no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS', 'NS'] NACK http://tools.ietf.org/html/rfc4592#section-4.3 doesn't forbid CNAME with wildcard owner name. This subsection is just a note for implementers about proper wildcard handling. Sorry :-) Thank you! Updated patches attached. # ipa dnsrecord-add ipa.example. '*' --ns-rec='ns' ipa: ERROR: invalid 'idnsname': owner of DNAME, DS, NS records should not be a wildcard domain name (RFC 4592) It would be nice to have more specific reference to RFC: 'RFC 4592 section 4'. CondACK: It can be pushed if you amend the error message. Updated patch attached. Please push to branches: ipa 4.0.x, 4.1, master The error message seems okay, it can be pushed. Pushed to: master: 028b3d1009122e01f32710463a96cacddd4d26c1 ipa-4-0: 3c6f83e41de097a23c4839c2d14b091c7bacc562 ipa-4-1: 031677c80b1b9a2706186421e651c6132b14e6e2 -- Petr³
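The two DNS threads above (DS record validation in 0109-0110 and wildcard validation in 0107-0108) both boil down to rules about which RRsets may coexist at one owner name, and the hole Petr Spacek found (add DS next to an existing NS, then remove the NS) shows why the check has to run on the state a change leaves behind, not only on the record being added. The following is an added example written for this page, not FreeIPA code: it models both rules (DS must coexist with NS, RFC 4035 section 2.4; DNAME, DS and NS must not have a wildcard owner, RFC 4592 section 4) over a plain dict of RRsets, and the function names, the record representation and the `apply_change` keyword interface are the example's own choices.

```python
"""Validation of DNS record-set changes at one owner name.

Added example, not FreeIPA code. It models the two checks from the threads
above (a DS RRset must coexist with an NS RRset at the same owner, RFC 4035
section 2.4; DNAME, DS and NS must not have a wildcard owner, RFC 4592
section 4) and applies them to the record state a change would leave
behind, so the add, mod and del paths share one rule set. Record types
are strings and rdata values are opaque strings.
"""

# Record types whose owner name must not be a wildcard (RFC 4592 section 4).
# CNAME is deliberately absent: RFC 4592 section 4.3 does not forbid it.
NO_WILDCARD_RTYPES = frozenset({"DNAME", "DS", "NS"})


class RecordValidationError(ValueError):
    """Raised when a record set would violate a coexistence rule."""


def is_wildcard_owner(owner):
    """True only if the leftmost label is exactly '*' (RFC 4592 section 2.1.1)."""
    return owner.split(".", 1)[0] == "*"


def validate_rrsets(owner, rrsets):
    """Check the RRsets that would exist at `owner` after a change.

    `rrsets` maps record type -> list of rdata strings; an empty list or
    None means the RRset is absent. Returns the set of present types.
    """
    present = {rtype.upper() for rtype, values in rrsets.items() if values}
    if "DS" in present and "NS" not in present:
        raise RecordValidationError(
            "DS record requires to coexist with an NS record "
            "(RFC 4035 section 2.4)")
    offending = sorted(present & NO_WILDCARD_RTYPES)
    if offending and is_wildcard_owner(owner):
        raise RecordValidationError(
            "owner of %s records should not be a wildcard domain name "
            "(RFC 4592 section 4)" % ", ".join(offending))
    return present


def apply_change(owner, current, **changes):
    """Return the RRsets after a modification, validating the result.

    Each keyword is a record type; a value of None or [] removes the whole
    RRset. That is the `dnsrecord-mod ... --ns-rec=` case from the thread:
    removing the last NS while a DS remains is refused, while removing the
    DS first and the NS afterwards is accepted.
    """
    new = {rtype.upper(): list(values)
           for rtype, values in current.items() if values}
    for rtype, values in changes.items():
        if not values:
            new.pop(rtype.upper(), None)
        else:
            new[rtype.upper()] = list(values)
    validate_rrsets(owner, new)
    return new


def change_is_valid(owner, current, **changes):
    """Boolean form of apply_change for callers that only need a verdict."""
    try:
        apply_change(owner, current, **changes)
    except RecordValidationError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample mirroring the thread: DS and NS at 'ds', then an
    # attempt to drop the NS RRset on its own.
    rrsets = {"DS": ["1 2 3 4"], "NS": ["vm-035.idm.lab.eng.brq.redhat.com."]}
    print(change_is_valid("ds", rrsets, NS=None))    # False
    print(change_is_valid("ds", rrsets, DS=None))    # True
    print(change_is_valid("*", {}, NS=["ns"]))       # False
    print(change_is_valid("*", {}, CNAME=["host"]))  # True
```

Running the same validator on the post-change state for add, mod and del is what closes the ordering hole: the server never has to trust that the client performed the operations in a safe order.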
[Freeipa-devel] Fwd: [freeipa] update to Java/8
Petr, why do we require java-1.7.0-openjdk in BuildRequires anyway? Shouldn't rhino be enough? Original Message Subject: [freeipa] update to Java/8 Date: Tue, 2 Sep 2014 17:41:13 + (UTC) From: Pádraig Brady pbr...@fedoraproject.org To: freeipa-ow...@fedoraproject.org, scm-comm...@lists.fedoraproject.org commit c1d3c76c37530d0608f710f986be1614d2ed848b Author: Pádraig Brady p...@draigbrady.com Date: Tue Sep 2 18:40:05 2014 +0100 update to Java/8 Java/7 is no longer available in rawhide, so update to allow rebuilds to proceed. freeipa.spec |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) --- diff --git a/freeipa.spec b/freeipa.spec index f871260..2f8eac0 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -67,7 +67,7 @@ BuildRequires: m2crypto BuildRequires: check BuildRequires: libsss_idmap-devel BuildRequires: libsss_nss_idmap-devel -BuildRequires: java-1.7.0-openjdk +BuildRequires: java-1.8.0-openjdk BuildRequires: rhino BuildRequires: libverto-devel BuildRequires: systemd ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
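Review bot: the hunk only moves the versioned `BuildRequires: java-1.7.0-openjdk` to `java-1.8.0-openjdk`, which leaves the spec exposed to exactly the same breakage at the next JDK retirement in rawhide; since `BuildRequires: rhino` is listed on the very next line, first check whether anything in the build invokes the JDK directly, and if not drop the java-*-openjdk line altogether and let rhino pull in the runtime it needs. If a JDK really is required, prefer an unversioned virtual provide (for example `java-devel`) over a package name that carries a major version.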
Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions
On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow to use POSIX ACLs which is undesirable. NACK It creates drwxr-x--- permissions (umask problem) Thank you for catching this. This version of the patch should fix the problem. It is not very nice but I don't see any better solution. -- Petr^2 Spacek From 2bcf23d57eb67bf29d88bb1682ff32f58ee6a070 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Sep 2014 15:43:49 +0200 Subject: [PATCH] Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow to use POSIX ACLs which is undesirable. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/fs.c | 18 +- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/fs.c b/src/fs.c index 255026a23e1703048073e2b584ac5602bc05f85d..174ea01b72fa7542e6b89b2311d492201996eac7 100644 --- a/src/fs.c +++ b/src/fs.c 
@@ -40,24 +40,40 @@ isc_result_t fs_dir_create(const char *dir_name) { isc_result_t result; + const mode_t dir_mode = S_IRWXU | S_IRWXG; char dir_curr[PATH_MAX + 1] = ; isc_dir_t dir_handle; int ret; REQUIRE(dir_name != NULL); if (getcwd(dir_curr, sizeof(dir_curr) - 1) == NULL) strncpy(dir_curr, msg_getcwd_failed, sizeof(dir_curr)); - ret = mkdir(dir_name, 0700); + ret = mkdir(dir_name, dir_mode); if (ret == 0) result = ISC_R_SUCCESS; else result = isc__errno2result(errno); if (result != ISC_R_SUCCESS result != ISC_R_FILEEXISTS) { log_error_r(unable to create directory '%s', working directory is '%s', dir_name, dir_curr); return result; + + } else if (result == ISC_R_SUCCESS) { + /* umask hack for new directories: BIND is multi-threaded and + * I don't want to change umask for all threads or add locking + * solely for this purpose. */ + ret = chmod(dir_name, dir_mode); + if (ret == 0) + result = ISC_R_SUCCESS; + else { + result = isc__errno2result(errno); + log_error_r(unable to chmod directory '%s', +working directory is '%s', +dir_name, dir_curr); + return result; + } } /* Verify that the directory is accessible */ -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
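Review bot: the `chmod(dir_name, dir_mode)` added after `mkdir(dir_name, dir_mode)` operates by path, so anyone who can write the parent directory can replace the name between the two calls (a symlink is enough) and the chmod then applies to whatever the name resolves to at that moment; prefer opening the directory just created with `open(dir_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)` and calling `fchmod()` on the descriptor, which pins the mode change to the inode mkdir produced. Two smaller points on the same hunk: the `ISC_R_FILEEXISTS` branch never reaches the chmod, so a directory created by an older build with 0700 keeps its permissions (the reply below relies on the new layout under 'master' for that, which the commit message should state), and the comment should say that the lock-free umask workaround is acceptable only because mkdir has already applied a mode at least as restrictive as the final one, so the window never exposes a more permissive directory.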
Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions
On 05/09/14 12:43, Petr Spacek wrote: On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow to use POSIX ACLs which is undesirable. NACK It creates drwxr-x--- permissions (umask problem) Thank you for catching this. This version of the patch should fix the problem. It is not very nice but I don't see any better solution. It works! ACK with * * Patch doesn't change permissions for existing directories, but because patch pspacek-280, new version of bind plugin will create new file structure under new 'master' directory, so there is no problem with old directories with old permissions, isn't it? -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On 09/05/2014 09:18 AM, Martin Kosek wrote: On 09/05/2014 09:03 AM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Alexander Bokovoy wrote: On Thu, 04 Sep 2014, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 03:15 PM, Petr Viktorin wrote: On 09/03/2014 02:27 PM, Petr Viktorin wrote: On 09/03/2014 01:27 PM, Petr Viktorin wrote: Hello, This adds managed read permissions to the compat tree. For users it grants anonymous access; authenticated users can read groups, hosts and netgroups. I'm unsure if this is what we want to do for groups, but Read Group Membership is only granted to authenticated users by default, and the compat tree exposes memberuid. https://fedorahosted.org/freeipa/ticket/4521 Self-NACK, there's a typo (though I could swear I tested this :/) Fixed patch attached. I tested and it looks and works OK, ACK from me. We can wait till tomorrow to see if there are no reservations from Alexander or Rob. I think we need a bit more fixes. 
Here is ACL log for an anonymous request: [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from cn=compat,dc=ipacloud,dc=test for (uid=admin) with scope 2 (sub) [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname= permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname= permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on 
entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname= permission:System: Read User Compat Tree, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38) [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38) [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn= [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname= Admin can manage any entry, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by aci(38): aciname= permission:System: Read User Compat Tree, acidn=dc=ipacloud,dc=test [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to anonymous: cached allow by aci(38)
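The ACL log quoted in this thread is the evidence the review is built on: it shows anonymous being allowed `uid` under cn=users but refused it under cn=groups, cn=computers and cn=ng, and refused `createTimestamp` on the user entry, which is what the later split of the operational-attribute permission addresses. Reading such a log by eye does not scale, so here is an added example written for this page, not FreeIPA or 389-ds code, that parses NSACLPlugin decision lines of the quoted shape and summarises, per bind subject, which attributes were allowed or denied and which ACI the server cited. The sample lines are constructed to match the quoted ones; the regular expressions, function names and the assumption that the `aciname=` field ends at `, acidn=` are the example's own.

```python
"""Summarise 389-ds ACL-plugin log lines per bind subject and attribute.

Added example, not FreeIPA or 389-ds code. It parses NSACLPlugin lines of
the shape quoted in the thread above and answers the question the review
asked: which attributes did anonymous get, which were refused, and which
ACI the server cited for each decision. On a Deny line the aci(N) shown
is the last ACI the server evaluated, not a rule that denied; 389-ds
denies by the absence of a matching allow.
"""
import re
from collections import defaultdict

ACL_LINE = re.compile(
    r"NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): "
    r"(?P<verdict>Allow|Deny) (?P<right>search|read|write|add|delete|compare) on "
    r"entry\((?P<entry>[^)]*)\)\.attr\((?P<attr>[^)]*)\) to (?P<subject>\S+): "
    r"(?P<reason>.*)$")
# "by aci(27): aciname=permission:System: Read DNS Configuration, acidn=..."
# or just "cached allow by aci(38)" with no name at all.
ACI_REF = re.compile(r"aci\((?P<aci>\d+)\)(?:: aciname=\s*(?P<name>.+?), acidn=)?")

# Constructed sample, shaped like the lines quoted in the thread.
SAMPLE_LOG = [
    "[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci matched the subject by aci(27): aciname=permission:System: Read DNS Configuration, acidn=dc=ipacloud,dc=test",
    "[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed by aci(38): aciname=permission:System: Read User Compat Tree, acidn=dc=ipacloud,dc=test",
    "[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: cached allow by aci(38)",
    "[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp) to anonymous: no aci matched the subject by aci(18): aciname=Admin can manage any entry, acidn=dc=ipacloud,dc=test",
    "[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to anonymous: allowed by aci(38): aciname= permission:System: Read User Compat Tree, acidn=dc=ipacloud,dc=test",
    "[04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 binddn=",
    "[04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test",
]


def parse_acl_lines(lines):
    """Return one dict per ACL decision line; all other log lines are skipped."""
    records = []
    for line in lines:
        m = ACL_LINE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        ref = ACI_REF.search(rec["reason"])
        rec["aci"] = int(ref.group("aci")) if ref else None
        name = ref.group("name") if ref else None
        rec["aciname"] = name.strip() if name else None
        records.append(rec)
    return records


def attribute_decisions(records, subject="anonymous"):
    """Map (entry DN, attribute) -> (verdict, aci number) for one subject."""
    return {(r["entry"], r["attr"]): (r["verdict"], r["aci"])
            for r in records if r["subject"] == subject}


def denied_attrs(records, subject="anonymous"):
    """Sorted attribute names the subject was refused anywhere in the log."""
    return sorted({r["attr"] for r in records
                   if r["subject"] == subject and r["verdict"] == "Deny"})


def aci_names(records):
    """aci number -> name, taken from whichever line carried the name."""
    names = {}
    for r in records:
        if r["aci"] is not None and r["aciname"]:
            names[r["aci"]] = r["aciname"]
    return names


def report(lines, subject="anonymous"):
    """Per-ACI allow/deny counts for one subject, as printable text."""
    records = parse_acl_lines(lines)
    names = aci_names(records)
    counts = defaultdict(lambda: {"Allow": 0, "Deny": 0})
    for r in records:
        if r["subject"] == subject:
            counts[r["aci"]][r["verdict"]] += 1
    out = []
    for aci in sorted(counts, key=lambda a: (a is None, a or 0)):
        c = counts[aci]
        out.append("aci(%s) %-45s allow=%d deny=%d"
                   % (aci, names.get(aci, "?"), c["Allow"], c["Deny"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("denied to anonymous:", denied_attrs(parse_acl_lines(SAMPLE_LOG)))
```

Feed it the errors log of a test server with ACL logging turned on and run one anonymous and one authenticated search against cn=compat; comparing `denied_attrs()` for the two subjects gives the list that the permission split in this thread has to cover.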
Re: [Freeipa-devel] [PATCH] Do not restart apache server when not necessary.
On 09/05/2014 12:17 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4352 Thanks, ACK. Pushed to master, ipa-4-1, ipa-4-0. Martin
Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: On 09/05/2014 09:03 AM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Alexander Bokovoy wrote: On Thu, 04 Sep 2014, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 03:15 PM, Petr Viktorin wrote: On 09/03/2014 02:27 PM, Petr Viktorin wrote: On 09/03/2014 01:27 PM, Petr Viktorin wrote: Hello, This adds managed read permissions to the compat tree. For users it grants anonymous access; authenticated users can read groups, hosts and netgroups. I'm unsure if this is what we want to do for groups, but Read Group Membership is only granted to authenticated users by default, and the compat tree exposes memberuid. https://fedorahosted.org/freeipa/ticket/4521 Self-NACK, there's a typo (though I could swear I tested this :/) Fixed patch attached. I tested and it looks and works OK, ACK from me. We can wait till tomorrow to see if there are no reservations from Alexander or Rob. I think we need a bit more fixes. 
Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it
On 5.9.2014 at 12:05, Petr Viktorin wrote: On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4166. Honza ACK Neither patch applies to 4.1, though. Could you send a version for that as well? Sure. -- Jan Cholasta From 422d73c10d6a27793724170ae3599fd9838d6f17 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 3 Sep 2014 15:04:35 +0200 Subject: [PATCH] Backup CS.cfg before modifying it https://fedorahosted.org/freeipa/ticket/4166 --- install/tools/ipa-upgradeconfig | 1 + ipaserver/install/cainstance.py | 21 + 2 files changed, 22 insertions(+) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 90dfa6c..983f6cf 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1145,6 +1145,7 @@ def main(): sub_dict['SUBJECT_BASE'] = subject_base ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) +ca.backup_config() # migrate CRL publish dir before the location in ipa.conf is updated ca_restart = migrate_crl_publish_dir(ca) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 0ba46f2..2a50ad0 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -455,6 +455,7 @@ class CAInstance(service.Service): self.step(creating pki-ca instance, self.create_instance) self.step(configuring certificate server instance, self.__configure_instance) self.step(stopping certificate server instance to update CS.cfg, self.__stop) +self.step(backing up CS.cfg, self.backup_config) self.step(disabling nonces, self.__disable_nonce) self.step(set up CRL publishing, self.__enable_crl_publish) self.step(enable PKIX certificate path discovery and validation, self.enable_pkix) 
@@ -818,6 +819,12 @@ class CAInstance(service.Service): root_logger.debug(traceback.format_exc()) root_logger.critical(Failed to restart the certificate server. See the installation log for details.) +def backup_config(self): +try: +backup_config(self.dogtag_constants) +except Exception, e: +root_logger.warning(Failed to backup CS.cfg: %s, e) + def __disable_nonce(self): # Turn off Nonces update_result = installutils.update_file( @@ -1822,6 +1829,16 @@ def install_replica_ca(config, postinstall=False): return ca +def backup_config(dogtag_constants=None): + +Create a backup copy of CS.cfg + +if dogtag_constants is None: +dogtag_constants = dogtag.configured_constants() + +shutil.copy(dogtag_constants.CS_CFG_PATH, +dogtag_constants.CS_CFG_PATH + '.ipabkp') + def update_cert_config(nickname, cert, dogtag_constants=None): When renewing a CA subsystem certificate the configuration file @@ -1843,6 +1860,10 @@ def update_cert_config(nickname, cert, dogtag_constants=None): with stopped_service(dogtag_constants.SERVICE_NAME, instance_name=dogtag_constants.PKI_INSTANCE_NAME): +try: +backup_config(dogtag_constants) +except Exception, e: +syslog.syslog(syslog.LOG_ERR, Failed to backup CS.cfg: %s % e) installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, directives[nickname], -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
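Review bot: `backup_config()` always writes to the single path `dogtag_constants.CS_CFG_PATH + '.ipabkp'`, so every later call overwrites the earlier copy; in this patch `ca.backup_config()` runs from ipa-upgradeconfig's main() and `update_cert_config()` backs up again before `installutils.set_directive()`, so the pre-upgrade state is lost as soon as a certificate is renewed or reconfigured on the same server. If the purpose (ticket 4166) is to be able to restore the file as it was before an upgrade started, suffix the backup with a timestamp or keep a short rotation; otherwise the docstring of `backup_config` should say that `.ipabkp` only ever holds the state before the most recent modification.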
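Review bot: in the `update_cert_config()` hunk the backup uses the `dogtag_constants` passed in, while the `installutils.set_directive()` call immediately below it still reads `dogtag.configured_constants().CS_CFG_PATH`, so a caller passing non-default constants backs up one file and modifies another; use `dogtag_constants.CS_CFG_PATH` in both places. A failed backup is also only logged (a warning via `root_logger` in `CAInstance.backup_config`, `LOG_ERR` via syslog here) and the modification goes ahead regardless; if the backup is what makes the change recoverable, abort on failure, or at least use the same severity in both call sites.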
Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On 09/05/2014 01:34 PM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: ... Thanks! Looks sane to me. We would just need to remove Views related ACIs for the 4.0.x version that we will need for today. Thanks indeed! Here is the patched patch. The Read Operational Attributes permission is split for createtimestamp/modifytimestamp/entryusn (anonymous) and creatorsname/modifiersname (authenticated). Thanks! ACK. Pushed to: master: 418ce870bfbe13cea694a7b862cafe35c703f660 ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17 ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7 Only admins can read the cn=compat entry itself. I don't think that's an issue though. It is an empty virtual entry that doesn't exist anywhere and is synthesized by slapi-nis on each request. As with most containers, it's not very interesting, but if it's hidden its contents won't be listed in GUI browsers. In the compat tree that's not much of an issue, hopefully. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Make CA-less ipa-server-install option --root-ca-file optional
On 08/07/2014 05:46 PM, Petr Viktorin wrote: On 08/06/2014 09:42 AM, Jan Cholasta wrote: Dne 5.8.2014 v 10:30 Jan Cholasta napsal(a): Hi, the attached patch fixes the code part of https://fedorahosted.org/freeipa/ticket/4457. Works for me, thanks! Pushed to: master: 6ad8c464a43260f8f58dc262f841c35be35b57b5 ipa-4-0: 7c690d7e1238133677e49236595eb24483876ef8 ipa-4-1: be6568234002165fe11dd55407f8eb8e9b357790 Also the patch depends on my patch 295, which is already available in ipa-4-1 and master. Attaching the current version of the patch. The next step is to review and update CA-less articles in our wiki. The next step should be adding integration tests for this, otherwise it will break in a few months. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 5.9.2014 at 09:25, David Kupka wrote: On 09/04/2014 01:22 PM, Jan Cholasta wrote: On 4.9.2014 at 12:42, David Kupka wrote: On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, On 27.8.2014 at 13:56, David Kupka wrote: Usually it isn't wise to allow something like this. But in an environment with broken DNS (described in the ticket) there are probably not many alternatives. https://fedorahosted.org/freeipa/ticket/

1) I think you can log realm in search() as part of the Starting IPA discovery ... message instead of a separate message.
2) Also, no need to log the realm twice in search().
I forgot to remove some redundant debug prints.
3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc().
Fixed, thanks.

What I meant is that this:

    def ipadnssearchkrbkdc(self, domain=None):
        kdc = None
        if not domain:
            domain = self.domain
            kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                         break_on_first=False)
            if kdc:
                kdc = ','.join(kdc)
            else:
                root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
                kdc = None
        return kdc

should be this:

    def ipadnssearchkrbkdc(self, domain=None):
        if not domain:
            domain = self.domain
        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
        if kdc:
            kdc = ','.join(kdc)
        else:
            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None
        return kdc

Isn't that right?

Oh, you're right, again :) Thanks.

Honza

ACK.

-- Jan Cholasta
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On Fri, 2014-09-05 at 10:43 +0200, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, On 3.9.2014 at 21:23, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach. The cert has never been used and is now actively causing issues in RHEL-7 with systemd and kickstart. It could be made optional, and move the location, but IMHO its time has come. rob One change that Rob's patch also does is that from now on, certmonger would not be enabled and running by default on client machines. It would only be enabled on IPA server. I am still not confident about the resolution to just stop generating the certificate, I was leaning more towards making it optional + generating to better database as Honza proposed. Simo, Alexander, what is your take on this? I'm with Rob, do not enable and fetch certs we are not going to use, this will also make the list of certs in the server more relevant. Simo.
Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On Fri, 2014-09-05 at 12:12 +0300, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 04:44 PM, Ludwig Krispenz wrote: On 09/04/2014 04:38 PM, Martin Kosek wrote: On 09/04/2014 04:10 PM, Alexander Bokovoy wrote: ... createTimestamp is operational attribute and is synthesized by slapi-nis, there is no problem allowing access to it. I think we can allow following operational attributes: createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName, entryDN, hasSubordinates, numSubordinates Ah, ok, probably yes. At least for some of them - CCing Simo. For example entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed for whole FreeIPA DIT. So this change is not so related to these patches. Do we also want to expose attributes like creatorsName/modifiersName? Do we consider that a public information or just audit-like information for DM only? They are standard features of LDAP servers. RFC 4512 states: = 3.4 Operational attributes ... Servers SHOULD maintain the 'creatorsName', 'createTimestamp', 'modifiersName', and 'modifyTimestamp' attributes for all entries of the DIT. = This is, again, a question of policy. Active Directory forbids anonymous access to the tree; so they always expose these attributes to authenticated users only. If we allow anonymous access, we should allow these attributes too. Well, DS *does* maintain the attributes - question is whether we want to show them to anonymous/authenticated people or just the DM :) if you want to show them depends if it is useful or sensitive. I don't know why an anonymous user would need access to them. Are they sensitive? Well, at least they expose a DN which has rights to create and modify entries and could be used trying to get more access Alexander, should we then show just +'createtimestamp', 'modifytimestamp', 'entryusn', to authenticated users? I do not think that modifiers/creatorsDN is something that anonymous user need to see by default. 
createtimestamp, modifytimestamp, and entryusn are all needed for sssd LDAP provider. Not allowing them for anonymous will make legacy SSSD performance suboptimal. modifier/creator DNs can be given out only to authenticated users. Yup, entryUSN is used to do quicker cache validation and modifyTimestamp too. ack to what Alexander proposed. Simo. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
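The policy the thread settles on (timestamps and entryUSN readable by anyone so SSSD cache validation stays fast, creatorsName/modifiersName only for authenticated binds because they reveal DNs that hold write rights) can be written down as two 389-ds ACIs and checked. The block below is an added illustration, not FreeIPA's managed-permission code; the suffix, the permission names and the admin DN are assumed, and the evaluator models only allow ACIs with `userdn = "ldap:///anyone"` (every bind, anonymous included) versus `userdn = "ldap:///all"` (authenticated binds only).

```python
"""Split read access to operational attributes between anonymous and
authenticated binds as 389-ds ACIs, plus a minimal evaluator for the result.
Added example; not FreeIPA's permission plugin."""
import re

# Assumed suffix and permission names; FreeIPA's real names may differ.
SUFFIX = "dc=ipacloud,dc=test"
ANON_ATTRS = ("createTimestamp", "modifyTimestamp", "entryUSN")
AUTH_ATTRS = ("creatorsName", "modifiersName")


def build_aci(name, attrs, userdn):
    """Render one allow ACI in 389-ds syntax.

    userdn 'anyone' matches every bind, anonymous included;
    'all' matches authenticated binds only."""
    return ('(targetattr = "%s")(version 3.0;acl "permission:%s";'
            'allow (read, search, compare) userdn = "ldap:///%s";)'
            % (" || ".join(attrs), name, userdn))


ACIS = [
    build_aci("System: Read Timestamp and USN Operational Attributes",
              ANON_ATTRS, "anyone"),
    build_aci("System: Read Creator and Modifier Operational Attributes",
              AUTH_ATTRS, "all"),
]

_ACI_RE = re.compile(
    r'\(targetattr = "(?P<attrs>[^"]+)"\).*?allow \((?P<rights>[^)]*)\) '
    r'userdn = "ldap:///(?P<who>anyone|all)";', re.S)


def parse_aci(text):
    """Return (attribute set, rights set, bind class) of one allow ACI."""
    m = _ACI_RE.search(text)
    if m is None:
        raise ValueError("unsupported ACI: %s" % text)
    attrs = {a.strip().lower() for a in m.group("attrs").split("||")}
    rights = {r.strip() for r in m.group("rights").split(",")}
    return attrs, rights, m.group("who")


def can_read(acis, binddn, attr):
    """389-ds is default-deny: an attribute is readable only if some allow
    ACI names it and its userdn clause matches the bind. An anonymous bind
    has an empty bind DN. Deny ACIs and target scoping are not modelled."""
    wanted = attr.lower()
    for text in acis:
        attrs, rights, who = parse_aci(text)
        if wanted not in attrs or "read" not in rights:
            continue
        if who == "anyone" or (who == "all" and binddn):
            return True
    return False


def policy_table(acis, binds=("", "uid=admin,cn=users,cn=accounts," + SUFFIX)):
    """Map (bind DN, attribute) -> allowed for every attribute in the split."""
    return {(b, a): can_read(acis, b, a)
            for b in binds for a in ANON_ATTRS + AUTH_ATTRS}
```

Run `policy_table(ACIS)` to see the matrix: the anonymous row grants the three cache-validation attributes and nothing else, the authenticated row additionally grants the two DN-bearing attributes. Against a live server the same check is an anonymous `ldapsearch` for `modifiersName` on a compat entry, which should come back without the attribute.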
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/05/2014 02:44 PM, Jan Cholasta wrote: On 5.9.2014 at 09:25, David Kupka wrote: On 09/04/2014 01:22 PM, Jan Cholasta wrote: On 4.9.2014 at 12:42, David Kupka wrote: On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, On 27.8.2014 at 13:56, David Kupka wrote: Usually it isn't wise to allow something like this. But in an environment with broken DNS (described in the ticket) there are probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ 1) I think you can log the realm in search() as part of the "Starting IPA discovery ..." message instead of a separate message. 2) Also, no need to log the realm twice in search(). I forgot to remove some redundant debug prints. 3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc(). Fixed, thanks. What I meant is that this:

    def ipadnssearchkrbkdc(self, domain=None):
        kdc = None
        if not domain:
            domain = self.domain
        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
        if kdc:
            kdc = ','.join(kdc)
        else:
            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None
        return kdc

should be this:

    def ipadnssearchkrbkdc(self, domain=None):
        if not domain:
            domain = self.domain
        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
        if kdc:
            kdc = ','.join(kdc)
        else:
            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None
        return kdc

Isn't that right? Oh, you're right, again :) Thanks. Honza ACK. Pushed to: master: dc4bdd327a639877b7d4553810b69943d996 ipa-4-1: a28d9b8f0a87633ac298676f47eadf0d7dc31cfb ipa-4-0: 0e077319046b8f8089b7b8590fafb824df4b8077 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions
On 5.9.2014 13:08, Martin Basti wrote: On 05/09/14 12:43, Petr Spacek wrote: On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow using POSIX ACLs, which is undesirable. NACK It creates drwxr-x--- permissions (umask problem) Thank you for catching this. This version of the patch should fix the problem. It is not very nice but I don't see any better solution. It works! ACK with * * The patch doesn't change permissions for existing directories, but because of patch pspacek-280, the new version of the bind plugin will create a new file structure under the new 'master' directory, so there is no problem with old directories with old permissions, is there? That is intentional. I don't want to change permissions if the user decided to change them for some reason. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 748 webui: extract complex pkey on Add and Edit
On 09/04/2014 12:53 AM, Endi Sukma Dewata wrote: On 9/2/2014 10:15 AM, Petr Vobornik wrote: DNS zone 'Add and Edit' failed because of new DNS name encoding. This patch makes sure that keys are extracted properly. https://fedorahosted.org/freeipa/ticket/4520 ACK. Pushed to: master: c50dff22827cefbb0b0838bf7e9b1e3fcf8752c0 ipa-4-1: 2fd4f40e361f4acb9b3383533432bfe90dbefe0f ipa-4-0: 3e987f6973314e4265f5f18723916b89e13cd1c6 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, On 3.9.2014 at 21:23, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach. The cert has never been used and is now actively causing issues in RHEL-7 with systemd and kickstart. It could be made optional, and move the location, but IMHO its time has come. rob One change that Rob's patch also does is that from now on, certmonger would not be enabled and running by default on client machines. It would only be enabled on the IPA server. I am still not confident about the resolution to just stop generating the certificate, I was leaning more towards making it optional + generating it into a better database as Honza proposed. Simo, Alexander, what is your take on this? I'm fine with making it optional. However, on client machine upgrades do not stop and disable certmonger if it is tracking more than just the host certificate. Well, that is unrelated to this change. Should that be a separate ticket? rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On 09/05/2014 03:15 PM, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, On 3.9.2014 at 21:23, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach. The cert has never been used and is now actively causing issues in RHEL-7 with systemd and kickstart. It could be made optional, and move the location, but IMHO its time has come. rob One change that Rob's patch also does is that from now on, certmonger would not be enabled and running by default on client machines. It would only be enabled on the IPA server. I am still not confident about the resolution to just stop generating the certificate, I was leaning more towards making it optional + generating it into a better database as Honza proposed. Simo, Alexander, what is your take on this? I'm fine with making it optional. However, on client machine upgrades do not stop and disable certmonger if it is tracking more than just the host certificate. Well, that is unrelated to this change. Should that be a separate ticket? rob I see it as very related. If we choose to do this optionally, instead of removing the code, we would do it conditionally (with a different NSS database). But so far, it seems we chose to really simply just remove the code, i.e. no ticket needed. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] FreeIPA 4.0.2
Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do a quick check before the release. This version's Release Man is Petr Viktorin. I created candidate release notes in http://www.freeipa.org/page/Releases/4.0.2. Please feel free to amend. == Missing work == I checked open tickets, the team worked great in lowering the number at the end of this week. Thank you! Out of the missing tickets, I only see this one potential candidate for inclusion: #4166 Backup CS.cfg before modifying it Any other patches that should land in 4.0.2? == Known Issues == I am aware of 2 related issues on 389-ds-base: #47889 DS crashed during ipa-server-install on test_ava_filter #47885 deref plugin should not return references with noc access rights Any other issues you are aware of? The 2 above can be just documented in the Release Notes, the fix will not be in FreeIPA anyway. -- Martin Kosek mko...@redhat.com Supervisor, Software Engineering - Identity Management Team Red Hat Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
Martin Kosek wrote: On 09/05/2014 03:15 PM, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, On 3.9.2014 at 21:23, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach. The cert has never been used and is now actively causing issues in RHEL-7 with systemd and kickstart. It could be made optional, and move the location, but IMHO its time has come. rob One change that Rob's patch also does is that from now on, certmonger would not be enabled and running by default on client machines. It would only be enabled on the IPA server. I am still not confident about the resolution to just stop generating the certificate, I was leaning more towards making it optional + generating it into a better database as Honza proposed. Simo, Alexander, what is your take on this? I'm fine with making it optional. However, on client machine upgrades do not stop and disable certmonger if it is tracking more than just the host certificate. Well, that is unrelated to this change. Should that be a separate ticket? rob I see it as very related. If we choose to do this optionally, instead of removing the code, we would do it conditionally (with a different NSS database). I'd prefer to remove it altogether and potentially add it back conditionally if anyone notices. But so far, it seems we chose to really simply just remove the code, i.e. no ticket needed. Alexander is pointing out that we disable certmonger at the end of ipa-client-install and this is not good if certmonger is tracking anything else (IPA or otherwise). This is a good point but not related to whether we issue and track a cert ourselves. 
In fact, to expand on his concerns, it is probably wise to do something similar to what we do in ipa-server-install during uninstall where we list the still-tracked certs for further investigation. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
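The concern raised in this thread, that the client uninstall must not stop certmonger while it still tracks certificates other than IPA's own host certificate, and Rob's suggestion to list whatever is still tracked, amounts to parsing `getcert list` and filtering. The block below is an added example, not ipa-client-install code: the `getcert list` output it parses is constructed for the example (the field layout follows certmonger's, but the request IDs, paths and subjects are made up), and the nickname 'Local IPA host' in /etc/pki/nssdb is assumed to be how the client's own certificate is identified.

```python
"""Decide whether certmonger may be stopped after ipa-client-install
--uninstall: only when nothing except the client's own host certificate
is still tracked. Added example; not FreeIPA's uninstall code."""
import re

# Constructed sample of `getcert list` output (not captured from a real host).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20140905100000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=client.ipacloud.test,O=IPACLOUD.TEST
\texpires: 2016-09-05 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20140905100001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/app.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/app.pem'
\tCA: local
\tsubject: CN=app.ipacloud.test
\texpires: 2015-09-05 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Assumed identity of the certificate ipa-client-install requested itself.
IPA_HOST_CERT = {"location": "/etc/pki/nssdb", "nickname": "Local IPA host"}

_REQUEST_RE = re.compile(r"Request ID '([^']+)':")


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of {field: value} dicts,
    one per tracking request. Lines before the first request are ignored."""
    requests, current = [], None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def _kv(field):
    """Split 'type=NSSDB,location='/x',nickname='y'' into a dict.
    Values containing commas are not handled; certmonger's own paths do not."""
    out = {}
    for part in field.split(","):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip()] = value.strip("'")
    return out


def is_ipa_host_cert(request):
    cert = _kv(request.get("certificate", ""))
    return (cert.get("location") == IPA_HOST_CERT["location"]
            and cert.get("nickname") == IPA_HOST_CERT["nickname"])


def foreign_tracked(text):
    """Requests still tracked that are not the client's own host cert;
    these are what an uninstall should list for further investigation."""
    return [r for r in parse_getcert_list(text)
            if r.get("track") == "yes" and not is_ipa_host_cert(r)]


def may_stop_certmonger(text):
    """True only when stopping certmonger would orphan nothing."""
    return not foreign_tracked(text)
```

In a real uninstall the text would come from `getcert list` on the host, and the IDs returned by `foreign_tracked` are what to print before leaving certmonger enabled and running.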
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On Fri, 05 Sep 2014, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, On 3.9.2014 at 21:23, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch). I'm fine with either approach. The cert has never been used and is now actively causing issues in RHEL-7 with systemd and kickstart. It could be made optional, and move the location, but IMHO its time has come. rob One change that Rob's patch also does is that from now on, certmonger would not be enabled and running by default on client machines. It would only be enabled on the IPA server. I am still not confident about the resolution to just stop generating the certificate, I was leaning more towards making it optional + generating it into a better database as Honza proposed. Simo, Alexander, what is your take on this? I'm fine with making it optional. However, on client machine upgrades do not stop and disable certmonger if it is tracking more than just the host certificate. Well, that is unrelated to this change. Should that be a separate ticket? A separate ticket is fine too. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
On 09/05/2014 01:51 PM, Petr Viktorin wrote: On 09/05/2014 01:34 PM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: ... Thanks! Looks sane to me. We would just need to remove Views related ACIs for the 4.0.x version that we will need for today. Thanks indeed! Here is the patched patch. The Read Operational Attributes permission is split for createtimestamp/modifytimestamp/entryusn (anonymous) and creatorsname/modifiersname (authenticated). Thanks! ACK. Pushed to: master: 418ce870bfbe13cea694a7b862cafe35c703f660 ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17 ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7 *@#$%, I committed the wrong patch by mistake. Fixed in: master: 68d656f80a483a57f5ed80b7ead03a071abb0ef0 ipa-4-0: b5870edb403572b19ffc91b1f3e504277b4c82a2 ipa-4-1: cd80528123a63250f0d0ebb167f6468ad008009f -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Make CA-less ipa-server-install option --root-ca-file optional
On 09/05/2014 02:03 PM, Petr Viktorin wrote: On 08/07/2014 05:46 PM, Petr Viktorin wrote: On 08/06/2014 09:42 AM, Jan Cholasta wrote: On 5.8.2014 at 10:30, Jan Cholasta wrote: Hi, the attached patch fixes the code part of https://fedorahosted.org/freeipa/ticket/4457. Works for me, thanks! Pushed to: master: 6ad8c464a43260f8f58dc262f841c35be35b57b5 ipa-4-0: 7c690d7e1238133677e49236595eb24483876ef8 ipa-4-1: be6568234002165fe11dd55407f8eb8e9b357790 Just after pushing I noticed the note in the ticket that Dmitri wants to take a look :( Dmitri, please reopen the ticket if there are more improvements to be made. I'm attaching the changed docs for reference. -- Petr³

Usage: ipa-server-install [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  basic options:
    -r REALM_NAME, --realm=REALM_NAME
                        realm name
    -n DOMAIN_NAME, --domain=DOMAIN_NAME
                        domain name
    -p DM_PASSWORD, --ds-password=DM_PASSWORD
                        admin password
    -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
                        kerberos master password (normally autogenerated)
    -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
                        admin user kerberos password
    --mkhomedir         create home directories for users on their first login
    --hostname=HOST_NAME
                        fully qualified name of server
    --ip-address=IP_ADDRESS
                        Master Server IP Address
    -N, --no-ntp        do not configure ntp
    --idstart=IDSTART   The starting value for the IDs range (default random)
    --idmax=IDMAX       The max value for the IDs range (default: idstart+19)
    --no_hbac_allow     Don't install allow_all HBAC rule
    --no-ui-redirect    Do not automatically redirect to the Web UI
    --ssh-trust-dns     configure OpenSSH client to trust DNS SSHFP records
    --no-ssh            do not configure OpenSSH client
    --no-sshd           do not configure OpenSSH server
    -d, --debug         print debugging information
    -U, --unattended    unattended (un)installation never prompts the user

  certificate system options:
    --external-ca       Generate a CSR for the IPA CA certificate to be signed by an external CA
    --external_cert_file=EXTERNAL_CERT_FILE
                        File containing the IPA CA certificate signed by the external CA in PEM format
    --external_ca_file=EXTERNAL_CA_FILE
                        File containing the external CA certificate chain in PEM format
    --no-pkinit         disables pkinit setup steps
    --dirsrv_pkcs12=DIRSRV_PKCS12
                        PKCS#12 file containing the Directory Server SSL certificate
    --http_pkcs12=HTTP_PKCS12
                        PKCS#12 file containing the Apache Server SSL certificate
    --pkinit_pkcs12=PKINIT_PKCS12
                        PKCS#12 file containing the Kerberos KDC SSL certificate
    --dirsrv_pin=DIRSRV_PIN
                        The password of the Directory Server PKCS#12 file
    --http_pin=HTTP_PIN The password of the Apache Server PKCS#12 file
    --pkinit_pin=PKINIT_PIN
                        The password of the Kerberos KDC PKCS#12 file
    --root-ca-file=ROOT_CA_FILE
                        PEM file containing the CA certificate for the PKCS#12 files
    --subject=SUBJECT   The certificate subject base (default O=realm-name)

  DNS options:
    --setup-dns         configure bind with our zone
    --forwarder=FORWARDERS
                        Add a DNS forwarder
    --no-forwarders     Do not add any DNS forwarders, use root servers instead
    --reverse-zone=REVERSE_ZONE
                        The reverse DNS zone to use
    --no-reverse        Do not create reverse DNS zone
    --zonemgr=ZONEMGR   DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN
    --no-host-dns       Do not use DNS for hostname lookup during installation
    --no-dns-sshfp      Do not automatically create DNS SSHFP records

  uninstall options:
    --uninstall         uninstall an existing installation. The uninstall can be run with --unattended option

ipa-server-install(1)        FreeIPA Manual Pages        ipa-server-install(1)

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures the services needed by an IPA server. This includes setting up a
Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions
On 05/09/14 14:51, Petr Spacek wrote: On 5.9.2014 13:08, Martin Basti wrote: On 05/09/14 12:43, Petr Spacek wrote: On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow using POSIX ACLs, which is undesirable. NACK It creates drwxr-x--- permissions (umask problem) Thank you for catching this. This version of the patch should fix the problem. It is not very nice but I don't see any better solution. It works! ACK with * * The patch doesn't change permissions for existing directories, but because of patch pspacek-280, the new version of the bind plugin will create a new file structure under the new 'master' directory, so there is no problem with old directories with old permissions, is there? That is intentional. I don't want to change permissions if the user decided to change them for some reason. ok, double ACK then :-) -- Martin Basti ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
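The NACK in this thread (the first version produced drwxr-x--- instead of the intended drwxrwx---) is the classic umask trap: the mode passed to mkdir(2) is filtered through the process umask, and the group bits matter here because with an extended POSIX ACL they double as the ACL mask entry, so g=0 leaves every named-user or named-group entry with no effective rights. The block below is an added illustration in Python, not the bind-dyndb-ldap patch (which is C and whose exact fix is not shown in the thread); the chmod-after-mkdir approach it uses is one way to get an exact mode and is an assumption about, not a description of, the patch.

```python
"""Create a working directory with ug=rwx,o= regardless of the caller's
umask. Added example; not the bind-dyndb-ldap patch itself."""
import os
import shutil
import stat
import tempfile


def mkdir_mode_naive(path, mode=0o770):
    """mode is filtered through the umask: under umask 022 the result is
    drwxr-x--- (0750) and group write, hence any ACL mask bit for w, is gone."""
    os.mkdir(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def mkdir_mode_exact(path, mode=0o770):
    """chmod(2) is not subject to the umask, so fix the bits after creation.
    Between the two calls the directory is at most more restrictive than
    requested, never more permissive, so there is no exposure window."""
    os.mkdir(path, mode)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask=0o022):
    """Return (naive mode, exact mode) produced under the given umask,
    using a throwaway directory that is removed afterwards."""
    old = os.umask(umask)
    base = tempfile.mkdtemp()
    try:
        naive = mkdir_mode_naive(os.path.join(base, "naive"))
        exact = mkdir_mode_exact(os.path.join(base, "exact"))
    finally:
        os.umask(old)
        shutil.rmtree(base)
    return naive, exact
```

`demo()` under the common umask 022 returns 0o750 for the naive call and 0o770 for the corrected one; under a paranoid umask 077 the naive call collapses to 0o700 while the corrected one still yields 0o770. The same applies to existing directories only if you choose to chmod them, which the thread deliberately does not do.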
Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it
On 09/05/2014 01:47 PM, Jan Cholasta wrote: On 5.9.2014 at 12:05, Petr Viktorin wrote: On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4166. Honza ACK Neither patch applies to 4.1, though. Could you send a version for that as well? Sure. Thanks. Pushed to: master: 2ed6fb092eac2397f4d6395307c91a497d747ac0 ipa-4-0: 8292b228b89e056316a11590a263176a9c595f14 ipa-4-1: b6c7e5fd4cb8c91d8bd44f2fa8f3fb9e15194900 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA 4.0.2
On 09/05/2014 03:19 PM, Martin Kosek wrote: Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do a quick check before the release. This version's Release Man is Petr Viktorin. I can start the release process in a few hours, if the new bind-dyndb-ldap goes out by then. I created candidate release notes in http://www.freeipa.org/page/Releases/4.0.2. Please feel free to amend. == Missing work == I checked open tickets, the team worked great in lowering the number at the end of this week. Thank you! Out of the missing tickets, I only see this one potential candidate for inclusion: #4166 Backup CS.cfg before modifying it Just pushed. Any other patches that should land in 4.0.2? We'll need to add a Conflicts: bind-dyndb-ldap 5.1. == Known Issues == I am aware of 2 related issues on 389-ds-base: #47889 DS crashed during ipa-server-install on test_ava_filter https://fedorahosted.org/389/ticket/47889 #47885 deref plugin should not return references with noc access rights https://fedorahosted.org/389/ticket/47885 Any other issues you are aware of? The 2 above can be just documented in the Release Notes, the fix will not be in FreeIPA anyway. -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA 4.0.2
On 09/05/2014 04:17 PM, Petr Viktorin wrote: On 09/05/2014 03:19 PM, Martin Kosek wrote: Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do a quick check before the release. This version's Release Man is Petr Viktorin. I can start the release process in a few hours, if the new bind-dyndb-ldap goes out by then. I created candidate release notes in http://www.freeipa.org/page/Releases/4.0.2. Please feel free to amend. == Missing work == I checked open tickets, the team worked great in lowering the number at the end of this week. Thank you! Out of the missing tickets, I only see this one potential candidate for inclusion: #4166 Backup CS.cfg before modifying it Just pushed. Any other patches that should land in 4.0.2? We'll need to add a Conflicts: bind-dyndb-ldap 5.1. Aaand I would really consider Rob's proposed patch for removing the host certificate also for the 4.0.2 release. == Known Issues == I am aware of 2 related issues on 389-ds-base: #47889 DS crashed during ipa-server-install on test_ava_filter https://fedorahosted.org/389/ticket/47889 #47885 deref plugin should not return references with noc access rights https://fedorahosted.org/389/ticket/47885 Any other issues you are aware of? The 2 above can be just documented in the Release Notes, the fix will not be in FreeIPA anyway. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] FreeIPA 4.0.2
On Fri, 05 Sep 2014, Martin Kosek wrote: Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do a quick check before the release. This version's Release Man is Petr Viktorin. I created candidate release notes in http://www.freeipa.org/page/Releases/4.0.2. Please feel free to amend. Fixed trust-related items and added information about schema-compat changes. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0283] Fix root zone handling
Hello, Fix root zone handling. syncrepl_update() was buggy in a way which could cause accidental zone removal. Test case: A server with two zones: '.' and 'test.' Zone '.': . NS ns1.test. . NS ns2.test. test. NS ns1.test. test. NS ns2.test. Zone 'test.': test. NS ns1.test. test. NS ns2.test. ns1.test. A 192.0.2.1 ns2.test. A 192.0.2.2 Removing whole name 'test.' from zone '.' will cause removal of zone 'test.' instead of removing NS records from zone '.'. -- Petr^2 Spacek From 197807ff45deb9383a0a72855cd95d0d847300cc Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 5 Sep 2014 17:25:01 +0200 Subject: [PATCH] Fix root zone handling. syncrepl_update() was buggy in a way which could cause accidental zone removal. Test case: A server with two zones: '.' and 'test.' Zone '.': . NS ns1.test. . NS ns2.test. test. NS ns1.test. test. NS ns2.test. Zone 'test.': test. NS ns1.test. test. NS ns2.test. ns1.test. A 192.0.2.1 ns2.test. A 192.0.2.2 Removing whole name 'test.' from zone '.' will cause removal of zone 'test.' instead of removing NS records from zone '.'. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_convert.c | 7 ++- src/ldap_convert.h | 4 +++- src/ldap_helper.c | 54 -- 3 files changed, 45 insertions(+), 20 deletions(-) diff --git a/src/ldap_convert.c b/src/ldap_convert.c index be5c2e1d4dc903b4d9e72cc07ed1d9fc32fef0d1..01b63fb08f8243a8b3852a465d57d57e76f5b57e 100644 --- a/src/ldap_convert.c +++ b/src/ldap_convert.c @@ -48,6 +48,7 @@ * @param[out] target Absolute DNS name derived from the first two idnsNames. * @param[out] origin Absolute DNS name derived from the last idnsName *component of DN, i.e. zone. Can be NULL. + * @param[out] iszone ISC_TRUE if DN points to zone object, ISC_FALSE otherwise. * * @code * Examples: @@ -66,7 +67,7 @@ */ isc_result_t dn_to_dnsname(isc_mem_t *mctx, const char *dn_str, dns_name_t *target, - dns_name_t *otarget) + dns_name_t *otarget, isc_boolean_t *iszone) { LDAPDN dn = NULL; LDAPRDN rdn = NULL; 
@@ -142,9 +143,13 @@ dn_to_dnsname(isc_mem_t *mctx, const char *dn_str, dns_name_t *target, log_error(no idnsName component found in DN); CLEANUP_WITH(ISC_R_UNEXPECTEDEND); } else if (idx == 1) { /* zone only */ + if (iszone != NULL) + *iszone = ISC_TRUE; CHECK(dns_name_copy(dns_rootname, origin, NULL)); CHECK(dns_name_fromtext(name, name_buf, dns_rootname, 0, NULL)); } else if (idx == 2) { /* owner and zone */ + if (iszone != NULL) + *iszone = ISC_FALSE; CHECK(dns_name_fromtext(origin, origin_buf, dns_rootname, 0, NULL)); CHECK(dns_name_fromtext(name, name_buf, origin, 0, NULL)); diff --git a/src/ldap_convert.h b/src/ldap_convert.h index 3c02af30b450d8ae6bd7ca95fa0a0f492ed9fc3a..a012e326b96d1531449ed3bdf97cfc97bac80392 100644 --- a/src/ldap_convert.h +++ b/src/ldap_convert.h @@ -38,7 +38,9 @@ * that DNS name is returned. */ isc_result_t dn_to_dnsname(isc_mem_t *mctx, const char *dn, - dns_name_t *target, dns_name_t *origin) ATTR_NONNULL(1, 2, 3) ATTR_CHECKRESULT; + dns_name_t *target, dns_name_t *origin, + isc_boolean_t *iszone) + ATTR_NONNULL(1, 2, 3) ATTR_CHECKRESULT; isc_result_t dnsname_to_dn(zone_register_t *zr, dns_name_t *name, ld_string_t *target) ATTR_NONNULLS ATTR_CHECKRESULT; diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 199a565aed72c14d226d35da2adca81f7444f892..01a7b9e141d1a5644d28a54499e9a86e36821f6d 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -1365,10 +1365,12 @@ ldap_delete_zone(ldap_instance_t *inst, isc_task_t * const task, const char *dn, isc_boolean_t lock, isc_boolean_t preserve_forwarding) { isc_result_t result; + isc_boolean_t iszone; dns_name_t name; dns_name_init(name, NULL); - CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL)); + CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL, iszone)); + INSIST(iszone == ISC_TRUE); result = ldap_delete_zone2(inst, task, name, lock, preserve_forwarding); 
@@ -1653,6 +1655,7 @@ ldap_parse_fwd_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) { const char *dn; dns_name_t name; + isc_boolean_t iszone; char name_txt[DNS_NAME_FORMATSIZE]; isc_result_t result; @@ -1663,7 +1666,8 @@ ldap_parse_fwd_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) /* Derive the DNS name of the zone from the DN. */ dn = entry-dn; - CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL)); + CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL, iszone)); + INSIST(iszone == ISC_TRUE); result = configure_zone_forwarders(entry, inst, name); if (result != ISC_R_DISABLED result != ISC_R_SUCCESS) { @@ -2277,6 +2281,7 @@ ldap_parse_master_zoneentry(ldap_entry_t * const entry, dns_db_t * const olddb, isc_boolean_t new_zone = ISC_FALSE; isc_boolean_t want_secure = ISC_FALSE; isc_boolean_t configured = ISC_FALSE; + isc_boolean_t
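Review bot: in the dn_to_dnsname() hunk of src/ldap_convert.c the new out-parameter is only assigned in the `idx == 1` and `idx == 2` branches, so on the visible error path (`log_error(no idnsName component found in DN); CLEANUP_WITH(ISC_R_UNEXPECTEDEND);`) `*iszone` is left untouched; the added doc line `@param[out] iszone ISC_TRUE if DN points to zone object, ISC_FALSE otherwise.` should say that the value is defined only when the function returns ISC_R_SUCCESS, and the header comment in ldap_convert.h (which still ends with "that DNS name is returned.") should mention that NULL is accepted, which is what `ATTR_NONNULL(1, 2, 3)` leaving argument 5 unconstrained already implies.

Review bot: the `INSIST(iszone == ISC_TRUE);` added after dn_to_dnsname() in both ldap_delete_zone() and ldap_parse_fwd_zoneentry() in src/ldap_helper.c turns a two-component (owner + zone) DN into a process abort of named, since INSIST is fatal; that is only acceptable if every caller is guaranteed to pass a zone-level DN. If either function can receive a DN straight from an LDAP entry or a syncrepl notification, prefer `log_error()` plus `CLEANUP_WITH(ISC_R_UNEXPECTED)` so that one stray record entry in the directory cannot take the whole DNS server down.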
Re: [Freeipa-devel] [PATCH] 1109 No client machine cert
On 09/03/2014 09:23 PM, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. https://fedorahosted.org/freeipa/ticket/4449 ACK Pushed to: master: c1bf5203937827369c7ce023d03c75d2da6d83ee ipa-4-1: 058c1f453c4e2df38eec57ba605cd5dc492eb978 ipa-4-0: 2dd2fd7e1aa470ea8fa3fd09ebecacec7ee8bc77 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0283] Fix root zone handling
On 5.9.2014 17:40, Petr Spacek wrote: Hello, Fix root zone handling. syncrepl_update() was buggy in a way which could cause accidental zone removal. Test case: A server with two zones: '.' and 'test.' Zone '.': . NS ns1.test. . NS ns2.test. test. NS ns1.test. test. NS ns2.test. Zone 'test.': test. NS ns1.test. test. NS ns2.test. ns1.test. A 192.0.2.1 ns2.test. A 192.0.2.2 Removing whole name 'test.' from zone '.' will cause removal of zone 'test.' instead of removing NS records from zone '.'. And fix the fix ... -- Petr^2 Spacek From ec90d905830a621fcebcfba032fe3bb4f093b9ac Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Fri, 5 Sep 2014 17:25:01 +0200 Subject: [PATCH] Fix root zone handling. syncrepl_update() was buggy in a way which could cause accidental zone removal. Test case: A server with two zones: '.' and 'test.' Zone '.': . NS ns1.test. . NS ns2.test. test. NS ns1.test. test. NS ns2.test. Zone 'test.': test. NS ns1.test. test. NS ns2.test. ns1.test. A 192.0.2.1 ns2.test. A 192.0.2.2 Removing whole name 'test.' from zone '.' will cause removal of zone 'test.' instead of removing NS records from zone '.'. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_convert.c | 7 ++- src/ldap_convert.h | 4 +++- src/ldap_helper.c | 54 -- 3 files changed, 45 insertions(+), 20 deletions(-) diff --git a/src/ldap_convert.c b/src/ldap_convert.c index be5c2e1d4dc903b4d9e72cc07ed1d9fc32fef0d1..01b63fb08f8243a8b3852a465d57d57e76f5b57e 100644 --- a/src/ldap_convert.c +++ b/src/ldap_convert.c @@ -48,6 +48,7 @@ * @param[out] target Absolute DNS name derived from the first two idnsNames. * @param[out] origin Absolute DNS name derived from the last idnsName *component of DN, i.e. zone. Can be NULL. + * @param[out] iszone ISC_TRUE if DN points to zone object, ISC_FALSE otherwise. * * @code * Examples: 
@@ -66,7 +67,7 @@ */ isc_result_t dn_to_dnsname(isc_mem_t *mctx, const char *dn_str, dns_name_t *target, - dns_name_t *otarget) + dns_name_t *otarget, isc_boolean_t *iszone) { LDAPDN dn = NULL; LDAPRDN rdn = NULL; @@ -142,9 +143,13 @@ dn_to_dnsname(isc_mem_t *mctx, const char *dn_str, dns_name_t *target, log_error(no idnsName component found in DN); CLEANUP_WITH(ISC_R_UNEXPECTEDEND); } else if (idx == 1) { /* zone only */ + if (iszone != NULL) + *iszone = ISC_TRUE; CHECK(dns_name_copy(dns_rootname, origin, NULL)); CHECK(dns_name_fromtext(name, name_buf, dns_rootname, 0, NULL)); } else if (idx == 2) { /* owner and zone */ + if (iszone != NULL) + *iszone = ISC_FALSE; CHECK(dns_name_fromtext(origin, origin_buf, dns_rootname, 0, NULL)); CHECK(dns_name_fromtext(name, name_buf, origin, 0, NULL)); diff --git a/src/ldap_convert.h b/src/ldap_convert.h index 3c02af30b450d8ae6bd7ca95fa0a0f492ed9fc3a..a012e326b96d1531449ed3bdf97cfc97bac80392 100644 --- a/src/ldap_convert.h +++ b/src/ldap_convert.h @@ -38,7 +38,9 @@ * that DNS name is returned. */ isc_result_t dn_to_dnsname(isc_mem_t *mctx, const char *dn, - dns_name_t *target, dns_name_t *origin) ATTR_NONNULL(1, 2, 3) ATTR_CHECKRESULT; + dns_name_t *target, dns_name_t *origin, + isc_boolean_t *iszone) + ATTR_NONNULL(1, 2, 3) ATTR_CHECKRESULT; isc_result_t dnsname_to_dn(zone_register_t *zr, dns_name_t *name, ld_string_t *target) ATTR_NONNULLS ATTR_CHECKRESULT; diff --git a/src/ldap_helper.c b/src/ldap_helper.c index 199a565aed72c14d226d35da2adca81f7444f892..b3cc7f8389e52decd2f90a18eae761fbc37433a0 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c 
@@ -1365,10 +1365,12 @@ ldap_delete_zone(ldap_instance_t *inst, isc_task_t * const task, const char *dn, isc_boolean_t lock, isc_boolean_t preserve_forwarding) { isc_result_t result; + isc_boolean_t iszone; dns_name_t name; dns_name_init(name, NULL); - CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL)); + CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL, iszone)); + INSIST(iszone == ISC_TRUE); result = ldap_delete_zone2(inst, task, name, lock, preserve_forwarding); @@ -1653,6 +1655,7 @@ ldap_parse_fwd_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) { const char *dn; dns_name_t name; + isc_boolean_t iszone; char name_txt[DNS_NAME_FORMATSIZE]; isc_result_t result; @@ -1663,7 +1666,8 @@ ldap_parse_fwd_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst) /* Derive the DNS name of the zone from the DN. */ dn = entry-dn; - CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL)); + CHECK(dn_to_dnsname(inst-mctx, dn, name, NULL, iszone)); + INSIST(iszone == ISC_TRUE); result = configure_zone_forwarders(entry, inst, name); if (result != ISC_R_DISABLED result != ISC_R_SUCCESS) { @@ -2277,6 +2281,7 @@ ldap_parse_master_zoneentry(ldap_entry_t * const entry, dns_db_t * const olddb, isc_boolean_t new_zone = ISC_FALSE; isc_boolean_t want_secure =
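Review bot: the resent patch differs from the first posting only in the src/ldap_helper.c blob id (`index 199a565aed72c14d226d35da2adca81f7444f892..b3cc7f8389e52decd2f90a18eae761fbc37433a0` versus `..01a7b9e141d1a5644d28a54499e9a86e36821f6d`); every hunk visible here, including both `INSIST(iszone == ISC_TRUE);` lines, is byte-identical to the first version, so the "fix the fix" lives in the truncated remainder of ldap_helper.c. Please say in the cover note or commit message what changed between the two versions so the actual difference can be reviewed rather than inferred from the blob ids.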
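The test case in the commit message (zones '.' and 'test.', where removing the owner name 'test.' from zone '.' deleted the zone 'test.') comes down to an ambiguity in how a DN maps to a DNS name: the record `idnsName=test.,idnsName=.,...` and the zone `idnsName=test.,...` both yield the absolute name `test.`, and only the number of idnsName components tells them apart, which is what the new `iszone` output of dn_to_dnsname() exposes. The block below is an added illustration in Python, not bind-dyndb-ldap's C code: it mirrors the DN-to-name rules described in the dn_to_dnsname() comment, the base DN is assumed, and the "pre-fix" branch of `handle_delete()` is a reconstruction of the described failure (deciding by name alone), not a transcription of the old code.

```python
"""Map a bind-dyndb-ldap style DN to (absolute owner name, zone origin,
is_zone) and show why deleting by name alone removes the wrong thing.
Added example; not the plugin's C implementation."""
import re

# Assumed container; only the idnsName components matter for the mapping.
BASE_DN = "cn=dns,dc=ipacloud,dc=test"
ZONE_DN = "idnsName=test.,%s" % BASE_DN               # the zone object 'test.'
RECORD_DN = "idnsName=test.,idnsName=.,%s" % BASE_DN  # owner 'test.' inside zone '.'

_RDN_SPLIT = re.compile(r"(?<!\\),")


def idnsnames(dn):
    """idnsName RDN values in DN order, leftmost (most specific) first."""
    names = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "idnsname":
            names.append(value.strip())
    return names


def absolute(name, origin):
    """Make a DNS name absolute relative to origin ('@' means the origin)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else "%s.%s" % (name, origin)


def dn_to_dnsname(dn):
    """One idnsName component: the DN names a zone, origin is the root.
    Two components: first is the owner, last is the zone."""
    names = idnsnames(dn)
    if not names:
        raise ValueError("no idnsName component found in DN")
    if len(names) == 1:
        return absolute(names[0], "."), ".", True
    if len(names) == 2:
        origin = absolute(names[1], ".")
        return absolute(names[0], origin), origin, False
    raise ValueError("too many idnsName components in DN")


def build_zones():
    """The two zones from the commit message, owner name -> records."""
    ns = ["NS ns1.test.", "NS ns2.test."]
    return {
        ".": {".": list(ns), "test.": list(ns)},
        "test.": {"test.": list(ns),
                  "ns1.test.": ["A 192.0.2.1"], "ns2.test.": ["A 192.0.2.2"]},
    }


def handle_delete(dn, zones, use_iszone=True):
    """Apply a deletion notification for dn to the zone table in place."""
    name, origin, iszone = dn_to_dnsname(dn)
    if use_iszone:
        delete_zone = iszone
    else:
        # Reconstruction (assumed) of the described bug: deciding by name
        # alone, so an owner that matches a loaded zone looks like that zone.
        delete_zone = name in zones
    if delete_zone:
        zones.pop(name, None)
    else:
        zones[origin].pop(name, None)
    return zones
```

With `use_iszone=False` the deletion of RECORD_DN drops the whole 'test.' zone and leaves the stale delegation in '.'; with the flag honoured it removes only the `test.` NS records from '.', which is the behaviour the patch restores.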