Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.

2014-10-08 Thread Alexander Bokovoy

On Wed, 08 Oct 2014, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4587
--
David Kupka



From 883e90237fbde1075d00990568cde18773e80611 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
ipa.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa.1 b/ipa.1
index 
fc39fceaae5aa4c614ccaaa7e608f2326d926755..6acfcfd9f7ab580c9b086fa249903cdf10544cdb
 100644
--- a/ipa.1
+++ b/ipa.1
@@ -149,7 +149,7 @@ Create a new user with username foo, first name foo and last name 
bar.
\fBipa group\-add bar \-\-desc this is an example group
Create a new group with name bar and description this is an example group.
.TP
-\fBipa group\-add\-member bar \-\-users=admin,foo\fR
+\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
Add users admin and foo to the group bar.
.TP
\fBipa user\-show foo \-\-raw\fR
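Review bot: the new example on the `+` line relies on bash brace expansion: `\-\-users={admin,foo}` is rewritten by the shell into `--users=admin --users=foo` before ipa runs, so under a shell without brace expansion (POSIX sh, dash) or with the braces quoted, ipa receives the single literal value `{admin,foo}`. Since this is a man page example, say explicitly that it depends on brace expansion, or show the expanded form `ipa group-add-member bar --users=admin --users=foo` next to it so the reader knows what the command actually receives.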

I would like to see a stance about shell expansion use here. Maybe add
a phrase about that right after Add users ... to the group ...? It
might not be entirely obvious to other people that we rely on shell
expansion features here.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.

2014-10-08 Thread David Kupka

On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:

On Wed, 08 Oct 2014, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4587
--
David Kupka



From 883e90237fbde1075d00990568cde18773e80611 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
ipa.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa.1 b/ipa.1
index
fc39fceaae5aa4c614ccaaa7e608f2326d926755..6acfcfd9f7ab580c9b086fa249903cdf10544cdb
100644
--- a/ipa.1
+++ b/ipa.1
@@ -149,7 +149,7 @@ Create a new user with username foo, first name
foo and last name bar.
\fBipa group\-add bar \-\-desc this is an example group
Create a new group with name bar and description this is an example
group.
.TP
-\fBipa group\-add\-member bar \-\-users=admin,foo\fR
+\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
Add users admin and foo to the group bar.
.TP
\fBipa user\-show foo \-\-raw\fR

I would like to see a stance about shell expansion use here. Maybe add
a phrase about that right after Add users ... to the group ...? It
might not be entirely obvious to other people that we rely on shell
expansion features here.



At first, I wanted to remove one of the users mentioned there but
'--users=foo' looks confusing to me (using plural and specifying just
one value).
Personally I would prefer to change all plural parameters to singular
form but it is a large change considering the benefit.

What about two examples? One '--users=foo' and the other using shell expansion.


--
David Kupka
From 883e90237fbde1075d00990568cde18773e80611 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
 ipa.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa.1 b/ipa.1
index fc39fceaae5aa4c614ccaaa7e608f2326d926755..6acfcfd9f7ab580c9b086fa249903cdf10544cdb 100644
--- a/ipa.1
+++ b/ipa.1
@@ -149,7 +149,7 @@ Create a new user with username foo, first name foo and last name bar.
 \fBipa group\-add bar \-\-desc this is an example group
 Create a new group with name bar and description this is an example group.
 .TP
-\fBipa group\-add\-member bar \-\-users=admin,foo\fR
+\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
 Add users admin and foo to the group bar.
 .TP
 \fBipa user\-show foo \-\-raw\fR
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.

2014-10-08 Thread David Kupka

On 10/08/2014 08:19 AM, David Kupka wrote:

On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:

On Wed, 08 Oct 2014, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4587
--
David Kupka



From 883e90237fbde1075d00990568cde18773e80611 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
ipa.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa.1 b/ipa.1
index
fc39fceaae5aa4c614ccaaa7e608f2326d926755..6acfcfd9f7ab580c9b086fa249903cdf10544cdb

100644
--- a/ipa.1
+++ b/ipa.1
@@ -149,7 +149,7 @@ Create a new user with username foo, first name
foo and last name bar.
\fBipa group\-add bar \-\-desc this is an example group
Create a new group with name bar and description this is an example
group.
.TP
-\fBipa group\-add\-member bar \-\-users=admin,foo\fR
+\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
Add users admin and foo to the group bar.
.TP
\fBipa user\-show foo \-\-raw\fR

I would like to see a stance about shell expansion use here. Maybe add
a phrase about that right after Add users ... to the group ...? It
might not be entirely obvious to other people that we rely on shell
expansion features here.



At first, I wanted to remove one of the users mentioned there but
'--users=foo' looks confusing to me (using plural and specifying just
one value).
Personally I would prefer to change all plural parameters to singular
form but it is a large change considering the benefit.
What about two examples? One '--users=foo' and the other using shell expansion.




I forgot to update the patch, sorry.

--
David Kupka
From 554d9b0f806f6eb7ad8ffc99fbd7ac6cb20c5c4c Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
 ipa.1 | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipa.1 b/ipa.1
index fc39fceaae5aa4c614ccaaa7e608f2326d926755..fe2a1aa7bafadd70596b5d95bca49a3f583a3c3d 100644
--- a/ipa.1
+++ b/ipa.1
@@ -149,8 +149,11 @@ Create a new user with username foo, first name foo and last name bar.
 \fBipa group\-add bar \-\-desc this is an example group
 Create a new group with name bar and description this is an example group.
 .TP
-\fBipa group\-add\-member bar \-\-users=admin,foo\fR
-Add users admin and foo to the group bar.
+\fBipa group\-add\-member bar \-\-users=foo\fR
+Add user foo to the group bar.
+.TP
+\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
+Add users admin and foo to the group bar. This approach depends on shell expansion feature.
 .TP
 \fBipa user\-show foo \-\-raw\fR
 Display user foo as (s)he is stored on the server.
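Review bot: the added sentence `This approach depends on shell expansion feature.` is the right caveat but is ungrammatical and does not say which feature; suggest `This form relies on the shell's brace expansion, which turns {admin,foo} into --users=admin --users=foo.` so a reader on a shell without brace expansion understands why the single-value example above is the portable one.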
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.

2014-10-08 Thread Alexander Bokovoy

On Wed, 08 Oct 2014, David Kupka wrote:

On 10/08/2014 08:19 AM, David Kupka wrote:

On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:

On Wed, 08 Oct 2014, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4587
--
David Kupka



From 883e90237fbde1075d00990568cde18773e80611 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
ipa.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa.1 b/ipa.1
index
fc39fceaae5aa4c614ccaaa7e608f2326d926755..6acfcfd9f7ab580c9b086fa249903cdf10544cdb

100644
--- a/ipa.1
+++ b/ipa.1
@@ -149,7 +149,7 @@ Create a new user with username foo, first name
foo and last name bar.
\fBipa group\-add bar \-\-desc this is an example group
Create a new group with name bar and description this is an example
group.
.TP
-\fBipa group\-add\-member bar \-\-users=admin,foo\fR
+\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
Add users admin and foo to the group bar.
.TP
\fBipa user\-show foo \-\-raw\fR

I would like to see a stance about shell expansion use here. Maybe add
a phrase about that right after Add users ... to the group ...? It
might not be entirely obvious to other people that we rely on shell
expansion features here.



At first, I wanted to remove one of the users mentioned there but
'--users=foo' looks confusing to me (using plural and specifying just
one value).
Personally I would prefer to change all plural parameters to singular
form but it is a large change considering the benefit.
What about two examples? One '--users=foo' and the other using shell expansion.




I forgot to update the patch, sorry.

--
David Kupka



From 554d9b0f806f6eb7ad8ffc99fbd7ac6cb20c5c4c Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
ipa.1 | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipa.1 b/ipa.1
index 
fc39fceaae5aa4c614ccaaa7e608f2326d926755..fe2a1aa7bafadd70596b5d95bca49a3f583a3c3d
 100644
--- a/ipa.1
+++ b/ipa.1
@@ -149,8 +149,11 @@ Create a new user with username foo, first name foo and last 
name bar.
\fBipa group\-add bar \-\-desc this is an example group
Create a new group with name bar and description this is an example group.
.TP
-\fBipa group\-add\-member bar \-\-users=admin,foo\fR
-Add users admin and foo to the group bar.
+\fBipa group\-add\-member bar \-\-users=foo\fR
+Add user foo to the group bar.
+.TP
+\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
+Add users admin and foo to the group bar. This approach depends on shell 
expansion feature.
.TP
\fBipa user\-show foo \-\-raw\fR
Display user foo as (s)he is stored on the server.

ACK.


--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in, ipa-upgradeconfig

2014-10-08 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4569
--
David Kupka
From a1363fa49a35115cfa15d51d7ae5c298828efc37 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
 ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/restart_scripts/renew_ca_cert |  31 +-
 install/tools/ipa-upgradeconfig   |  15 +++--
 ipaserver/install/cainstance.py   | 108 ++
 3 files changed, 84 insertions(+), 70 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 2ad2038703a74fe3549708549091633b35695907..e14e699bf57c631238a342ba19a3a1d483574bbb 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -104,20 +104,23 @@ def main():
 cfg_path, 'subsystem.select', '=')
 if config == 'New':
 syslog.syslog(syslog.LOG_NOTICE, Updating CS.cfg)
-if x509.is_self_signed(cert, x509.DER):
-installutils.set_directive(
-cfg_path, 'hierarchy.select', 'Root',
-quotes=False, separator='=')
-installutils.set_directive(
-cfg_path, 'subsystem.count', '1',
-quotes=False, separator='=')
-else:
-installutils.set_directive(
-cfg_path, 'hierarchy.select', 'Subordinate',
-quotes=False, separator='=')
-installutils.set_directive(
-cfg_path, 'subsystem.count', '0',
-quotes=False, separator='=')
+with installutils.stopped_service(
+configured_constants.SERVICE_NAME,
+configured_constants.PKI_INSTANCE_NAME):
+if x509.is_self_signed(cert, x509.DER):
+installutils.set_directive(
+cfg_path, 'hierarchy.select', 'Root',
+quotes=False, separator='=')
+installutils.set_directive(
+cfg_path, 'subsystem.count', '1',
+quotes=False, separator='=')
+else:
+installutils.set_directive(
+cfg_path, 'hierarchy.select', 'Subordinate',
+quotes=False, separator='=')
+installutils.set_directive(
+cfg_path, 'subsystem.count', '0',
+quotes=False, separator='=')
 else:
 syslog.syslog(syslog.LOG_NOTICE, Not updating CS.cfg)
 
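Review bot: this block runs from a certmonger restart script (install/restart_scripts/renew_ca_cert), and the CA may already be stopped at the point where `subsystem.select` is read; wrapping the `set_directive` calls in `installutils.stopped_service(...)` then either does nothing or, if the helper starts the service unconditionally on exit, brings dogtag up at a point the caller did not expect. Confirm which state the script is invoked in before adding the wrapper here, and if dogtag can actually be running, say so in a comment as the ipa-upgradeconfig hunk of this patch does.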
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore):
 if not installutils.get_directive(configured_constants.CS_CFG_PATH,
   'proxy.securePort', '=') and \
 os.path.exists(paths.PKI_SETUP_PROXY):
-ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
+# update proxy configuration with stopped dogtag to prevent corruption
+# of CS.cfg
+with installutils.stopped_service(
+configured_constants.SERVICE_NAME,
+configured_constants.PKI_INSTANCE_NAME):
+ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
  ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
 root_logger.debug('Proxy configuration updated')
 else:
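Review bot: the `ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'` call moved under the new `with` block, but its continuation line `,'-pki_instance_name=pki-ca','-subsystem_type=ca'])` is left as unchanged context at the old indentation. Python accepts that inside the open bracket, but re-indent it (and move the leading comma to the previous line) so the call reads as one unit; the comment `update proxy configuration with stopped dogtag` would also read better as `while dogtag is stopped`.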
@@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca):
 root_logger.error('Cannot move CRL file to new directory: %s', e)
 
 try:
-installutils.set_directive(caconfig.CS_CFG_PATH,
-'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
-publishdir, quotes=False, separator='=')
+with installutils.stopped_service(caconfig.SERVICE_NAME,
+caconfig.PKI_INSTANCE_NAME):
+installutils.set_directive(caconfig.CS_CFG_PATH,
+'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+publishdir, quotes=False, separator='=')
 except OSError, e:
 root_logger.error('Cannot update CA configuration file %s: %s',
 caconfig.CS_CFG_PATH, e)
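Review bot: `installutils.stopped_service(...)` now sits inside the `try` whose `except OSError, e:` reports `Cannot update CA configuration file`; a failure to stop or restart the CA instance raised by the context manager would either be misreported under that message or, if it is not an `OSError`, escape the handler and propagate out of `migrate_crl_publish_dir`. Keep the `try` around `set_directive` only, or add a handler that logs a service stop/start failure as such.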
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 521f25d96693efe64b5859901bb3da9da79ee0ec..2793b407a88f0b5b6592f79a7b6279d2fa41a787 100644
--- a/ipaserver/install/cainstance.py
+++ 

Re: [Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add

2014-10-08 Thread Martin Kosek
On 10/07/2014 06:48 PM, Jan Cholasta wrote:
 Hi,
 
 the attached patch fixes https://fedorahosted.org/freeipa/ticket/4540.
 
 The error message is now the generic ACI error message, e.g. Insufficient
 access: Insufficient 'add' privilege to add the entry
 'krbprincipalname=something/somehost.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.
 
 
 
 Honza

Yup, simpler is better in this case. The certmonger tracker seems easier to
understand to me now:

# ipa-getcert list -i 20141008071708
Number of certificates and requests being tracked: 9.
Request ID '20141008071708':
status: CA_REJECTED
ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access:
Insufficient 'add' privilege to add the entry
'krbprincipalname=test/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: 
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes


ACK. Pushed to:
master: 8e602eaf46b71ad8f713f549d6a823c70567bb22
ipa-4-1: ed5ffbfd75f3f1a62581c50a2c64d9e75fc74081
ipa-4-0: 80da03a2169de3a78edec42c1eab1f87734f49a7

Martin



Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in, ipa-upgradeconfig

2014-10-08 Thread Jan Cholasta

Hi,

On 8.10.2014 at 09:09, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4569


In renew_ca_cert and cainstance.py, dogtag should already be stopped in 
the places you modified, so why the change?


Also I don't think it's a good idea to backup CS.cfg when dogtag is 
still running (in cainstance.py). If the file is being modified by 
dogtag at the time it is backed up, the backup may be corrupted.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Martin Kosek
On 10/07/2014 08:48 PM, Nathaniel McCallum wrote:
 On Tue, 2014-10-07 at 10:52 -0700, Noriko Hosoi wrote:
 On 2014/10/07 10:48, Nathaniel McCallum wrote:
 On Tue, 2014-10-07 at 18:54 +0200, thierry bordaz wrote:
 On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:

 Attached is the latest patch. I believe this includes all of our
 discussions up until this point. However, a few bits of additional
 information are needed.

 First, I have renamed the plugin to ipa-otp-counter. I believe all
 replay prevention work can land inside this plugin, so the name is
 appropriate.

 Second, I uncovered a bug in 389 which prevents me from validating the
 non-replication request in bepre. This is the reason for the additional
 betxnpre callback. If the upstream 389 bug is fixed, we can merge this
 check back into bepre. https://fedorahosted.org/389/ticket/47919
 Hi Nathaniel,

  Just a rapid question about that dependency on
  https://fedorahosted.org/389/ticket/47919.
  Using txnpreop_mod you manage to workaround the DS issue.
  Do you need a fix for the DS issue in 1.3.2 or can it be fixed
  in a later version ?
 I would strongly prefer a fix ASAP.
 Thanks, Nathaniel,
 Do you need the fix just in 389-ds-base-1.3.3.x on F21 and newer? Or any 
 other versions, e.g., 1.3.2 on F20, 1.3.3.1-x on RHEL-7.1, etc... ?
 
 I think we are just shipping 4.1 on F21. Someone please correct me if
 I'm wrong.

FreeIPA 4.x already requires DS 1.3.3.*, so fixing from this version is
sufficient for us.

We have a Copr repo for Fedora 20 anyway, so we will just rebuild the updated
DS there.

Martin



Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns

2014-10-08 Thread Petr Spacek

Hello,

this is going to be a little bit more interesting.

RHEL/CentOS version of FreeIPA depends on python-dns = 1.11.1-2 but Fedora 
version should depend on = 1.12.0.


RHEL contains a Git snapshot which is newer than 1.11.1 but is still not a 
complete 1.12.0. Fedora contains the 'proper' 1.11.1 version which is 
unfortunately too old.


Fedora bug for rebase to 1.12.0:
https://bugzilla.redhat.com/show_bug.cgi?id=1150396

Petr^2 Spacek

On 7.10.2014 19:34, Gabe Alford wrote:

Done. Update patch to use python-dns = 1.11.1

On Tue, Oct 7, 2014 at 11:26 AM, Martin Basti mba...@redhat.com wrote:


  On 07/10/14 15:58, Gabe Alford wrote:

Forgot to add patch.

On Tue, Oct 7, 2014 at 7:58 AM, Gabe Alford redhatri...@gmail.com wrote:


   Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/4613

  Thanks,

  Gabe







Thank you!

I prefer to use python-dns = 1.11.1, there are some DNSSEC fixes which we
may use in tests.

Could you send an updated patch, please?




Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.

2014-10-08 Thread Martin Kosek
On 10/08/2014 08:36 AM, Alexander Bokovoy wrote:
 On Wed, 08 Oct 2014, David Kupka wrote:
 On 10/08/2014 08:19 AM, David Kupka wrote:
 On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:
 On Wed, 08 Oct 2014, David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/4587
 -- 
 David Kupka

 From 883e90237fbde1075d00990568cde18773e80611 Mon Sep 17 00:00:00 2001
 From: David Kupka dku...@redhat.com
 Date: Wed, 8 Oct 2014 01:43:47 -0400
 Subject: [PATCH] Fix example usage in ipa man page.

 https://fedorahosted.org/freeipa/ticket/4587
 ---
 ipa.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/ipa.1 b/ipa.1
 index
 fc39fceaae5aa4c614ccaaa7e608f2326d926755..6acfcfd9f7ab580c9b086fa249903cdf10544cdb


 100644
 --- a/ipa.1
 +++ b/ipa.1
 @@ -149,7 +149,7 @@ Create a new user with username foo, first name
 foo and last name bar.
 \fBipa group\-add bar \-\-desc this is an example group
 Create a new group with name bar and description this is an example
 group.
 .TP
 -\fBipa group\-add\-member bar \-\-users=admin,foo\fR
 +\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
 Add users admin and foo to the group bar.
 .TP
 \fBipa user\-show foo \-\-raw\fR
 I would like to see a stance about shell expansion use here. Maybe add
 a phrase about that right after Add users ... to the group ...? It
 might not be entirely obvious to other people that we rely on shell
 expansion features here.


 At first, I wanted to remove one of the users mentioned there but
 '--users=foo' looks confusing to me (using plural and specifying just
 one value).
 Personally I would prefer to change all plural parameters to singular
 form but it is a large change considering the benefit.
 What about two examples? One '--users=foo' and the other using shell expansion.



 I forgot to update the patch, sorry.

 -- 
 David Kupka
 
 From 554d9b0f806f6eb7ad8ffc99fbd7ac6cb20c5c4c Mon Sep 17 00:00:00 2001
 From: David Kupka dku...@redhat.com
 Date: Wed, 8 Oct 2014 01:43:47 -0400
 Subject: [PATCH] Fix example usage in ipa man page.

 https://fedorahosted.org/freeipa/ticket/4587
 ---
 ipa.1 | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

 diff --git a/ipa.1 b/ipa.1
 index
 fc39fceaae5aa4c614ccaaa7e608f2326d926755..fe2a1aa7bafadd70596b5d95bca49a3f583a3c3d
 100644
 --- a/ipa.1
 +++ b/ipa.1
 @@ -149,8 +149,11 @@ Create a new user with username foo, first name foo
 and last name bar.
 \fBipa group\-add bar \-\-desc this is an example group
 Create a new group with name bar and description this is an example 
 group.
 .TP
 -\fBipa group\-add\-member bar \-\-users=admin,foo\fR
 -Add users admin and foo to the group bar.
 +\fBipa group\-add\-member bar \-\-users=foo\fR
 +Add user foo to the group bar.
 +.TP
 +\fBipa group\-add\-member bar \-\-users={admin,foo}\fR
 +Add users admin and foo to the group bar. This approach depends on
 shell expansion feature.
 .TP
 \fBipa user\-show foo \-\-raw\fR
 Display user foo as (s)he is stored on the server.
 ACK.

Pushed to:
master: f36794e8119c6005a6e802b3c4b23e13a3ac0bf5
ipa-4-1: 6e1c7df530fdc76737576c5b1190ac7c5dc59917
ipa-4-0: 9b6145420a7b57e0d0cc152bcd727206651f9b8d

Martin



[Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host

2014-10-08 Thread Jan Cholasta

Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4550.

Honza

--
Jan Cholasta
From 001f7bbc7010f106986f19d5040b272a13aa8ba8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 10:27:25 +0200
Subject: [PATCH 1/2] Fix certmonger.request_cert

https://fedorahosted.org/freeipa/ticket/4550
---
 ipapython/certmonger.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index bcfafda..05071a0 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -253,9 +253,12 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
 Execute certmonger to request a server certificate.
 
 cm = _connect_to_certmonger()
+ca_path = cm.obj_if.find_ca_by_nickname('IPA')
 request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
   CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
-  SUBJECT=subject, PRINCIPAL=principal,)
+  KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
+  SUBJECT=subject, PRINCIPAL=[principal],
+  CA=ca_path)
 if passwd_fname:
 request_parameters['KEY_PIN_FILE'] = passwd_fname
 result = cm.obj_if.add_request(request_parameters)
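Review bot: the result of `cm.obj_if.find_ca_by_nickname('IPA')` is passed straight through as `CA=ca_path` without being checked; if no CA with nickname `IPA` is registered with certmonger, `ca_path` is not a usable CA object path and `add_request` fails with an unhelpful D-Bus error. Check the returned path and raise a clear error naming the missing CA. A short comment on why `PRINCIPAL` becomes a list (`[principal]`) while `SUBJECT` stays a string would also save the next reader a trip to the certmonger documentation.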
-- 
1.9.3

From 993d4393388df2b4f0cad83ce5e1093b5c783e78 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 19:07:13 +0200
Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request
 cert for the host

The certificate is stored in /etc/ipa/nssdb under the nickname
Local IPA host.

https://fedorahosted.org/freeipa/ticket/4550
---
 ipa-client/ipa-install/ipa-client-install | 104 ++
 ipa-client/man/ipa-client-install.1   |   4 ++
 2 files changed, 96 insertions(+), 12 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 2e59df9..9584ba4 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS
 SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY
 SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS
 
-client_nss_nickname_format = 'IPA Machine Certificate - %s'
-
 def parse_options():
 def validate_ca_cert_file_option(option, opt, value, parser):
 if not os.path.exists(value):
@@ -158,6 +156,8 @@ def parse_options():
 basic_group.add_option(--ca-cert-file, dest=ca_cert_file,
type=string, action=callback, callback=validate_ca_cert_file_option,
help=load the CA certificate from this file)
+basic_group.add_option(--request-cert, dest=request_cert,
+   action=store_true, default=False)
 # --on-master is used in ipa-server-install and ipa-replica-install
 # only, it isn't meant to be used on clients.
 basic_group.add_option(--on-master, dest=on_master, action=store_true,
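Review bot: `--request-cert` is added with `action=store_true` but no `help=` string, so it will not be described in `ipa-client-install --help` even though the diffstat shows it documented in `ipa-client-install.1`. Add a help text such as `request a certificate for the host` so the two stay consistent.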
@@ -482,11 +482,11 @@ def uninstall(options, env):
 if hostname is None:
 hostname = socket.getfqdn()
 
-client_nss_nickname = client_nss_nickname_format % hostname
+ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
 
 # Always start certmonger. We can't untrack something if it isn't
-# running. Note that this is legacy code to untrack any certificates
-# that were created by previous versions of this installer.
+# running
 messagebus = services.knownservices.messagebus
 try:
 messagebus.start()
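Review bot: `certdb.NSSDatabase(paths.IPA_NSSDB_DIR)` is constructed unconditionally in `uninstall`, and the `has_nickname` calls that follow in this function run against it; on a client enrolled by an older installer that never created /etc/ipa/nssdb, make sure `has_nickname` on the missing database degrades to `False` (or guard it with an existence check) rather than failing and stopping the uninstall before the legacy `IPA Machine Certificate - <hostname>` entry in the system database is untracked.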
@@ -499,14 +499,24 @@ def uninstall(options, env):
 except Exception, e:
 log_service_error(cmonger.service_name, 'start', e)
 
-try:
-certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname)
-except (CalledProcessError, RuntimeError), e:
-root_logger.error(%s failed to stop tracking certificate: %s,
-cmonger.service_name, str(e))
+if ipa_db.has_nickname('Local IPA host'):
+try:
+certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host')
+except RuntimeError, e:
+root_logger.error(%s failed to stop tracking certificate: %s,
+  cmonger.service_name, e)
+
+client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+if sys_db.has_nickname(client_nss_nickname):
+try:
+certmonger.stop_tracking(paths.NSS_DB_DIR,
+ nickname=client_nss_nickname)
+except RuntimeError, e:
+root_logger.error(%s failed to stop tracking certificate: %s,
+  cmonger.service_name, e)
 
 # Remove our host cert and CA cert
-ipa_db = 
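Review bot: the exception handling around `certmonger.stop_tracking` narrows from `(CalledProcessError, RuntimeError)` to `RuntimeError` only; if `stop_tracking` can still raise `CalledProcessError` on this code path, that error is no longer logged and propagates out of `uninstall`. Either keep `CalledProcessError` in both new `except` clauses or state in the commit message why it can no longer occur. The two `try` blocks are also identical apart from the database path and nickname; a small helper would avoid the duplication.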

Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns

2014-10-08 Thread Martin Basti

On 07/10/14 19:34, Gabe Alford wrote:

Done. Update patch to use python-dns = 1.11.1

On Tue, Oct 7, 2014 at 11:26 AM, Martin Basti mba...@redhat.com wrote:


On 07/10/14 15:58, Gabe Alford wrote:

Forgot to add patch.

On Tue, Oct 7, 2014 at 7:58 AM, Gabe Alford redhatri...@gmail.com wrote:

Hello,

   Fix for https://fedorahosted.org/freeipa/ticket/4613

Thanks,

Gabe






Thank you!

I prefer to use python-dns = 1.11.1, there are some DNSSEC fixes
which we may use in tests.

Could you send an updated patch, please?


-- 
Martin Basti




ACK
Thank you!


--
Martin Basti


[Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install

2014-10-08 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4496.

Note that this requires pki-core 10.2.0-3.

Honza

--
Jan Cholasta
From acb1995aa55fbe46adcf1a995b29f3a4d3280de5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 10:51:31 +0200
Subject: [PATCH] Support MS CA as the external CA in ipa-server-install and
 ipa-ca-install

Added a new option --external-ca-type which specifies the type of the
external CA. It can be either generic (the default) or ms. If ms is
selected, the CSR generated for the IPA CA will include MS template name
extension with template name SubCA.

https://fedorahosted.org/freeipa/ticket/4496
---
 freeipa.spec.in|  2 +-
 install/tools/ipa-ca-install   | 10 +-
 install/tools/ipa-server-install   | 10 +-
 install/tools/man/ipa-ca-install.1 |  6 ++
 install/tools/man/ipa-server-install.1 |  3 +++
 ipaserver/install/cainstance.py| 14 +-
 6 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 99cd6df..6fe8704 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -113,7 +113,7 @@ Requires(post): systemd-units
 Requires: selinux-policy = 3.12.1-179
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.47.7
-Requires: pki-ca = 10.1.1
+Requires: pki-ca = 10.2.0-3
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index df8e34b..8e6e41b 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -68,6 +68,9 @@ def parse_options():
   default=False, help=unattended installation never prompts the user)
 parser.add_option(--external-ca, dest=external_ca, action=store_true,
   default=False, help=Generate a CSR to be signed by an external CA)
+parser.add_option(--external-ca-type, dest=external_ca_type,
+  type=choice, choices=(generic, ms),
+  help=Type of the external CA)
 parser.add_option(--external-cert-file, dest=external_cert_files,
   action=append, metavar=FILE,
   help=File containing the IPA CA certificate and the external CA certificate chain)
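Review bot: the commit message says `generic` is the default type, but `--external-ca-type` is added without `default=`, so `options.external_ca_type` is `None` unless the user passes the option, and `None` is what reaches `ca.configure_instance(..., ca_type=options.external_ca_type)` in the later hunk. Either set `default=generic` here or make sure `configure_instance` treats `None` as `generic`; the option also has no `metavar`, so `--help` will print the upper-cased dest name instead of the allowed values `generic|ms`.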
@@ -89,6 +92,10 @@ def parse_options():
 parser.error(You cannot specify --external-cert-file 
  together with --external-ca)
 
+if options.external_ca_type and not options.external_ca:
+parser.error(
+You cannot specify --external-ca-type without --external-ca)
+
 return safe_options, options, filename
 
 def get_dirman_password():
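Review bot: the new `if options.external_ca_type and not options.external_ca:` guard only fires when the option was passed explicitly, which works solely because the option currently has no default; if `default=generic` is later added to match the commit message, `external_ca_type` would always be truthy and this check would reject every install run without `--external-ca`. Decide the default handling deliberately, either by comparing against the explicit default value or by leaving the default unset and documenting that `None` means generic.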
@@ -317,7 +324,8 @@ def install_master(safe_options, options):
 elif external == 1:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password, csr_file=paths.ROOT_IPA_CSR,
-  subject_base=subject_base)
+  subject_base=subject_base,
+  ca_type=options.external_ca_type)
 else:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password,
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b827dfe..e974194 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -203,6 +203,9 @@ def parse_options():
 cert_group = OptionGroup(parser, certificate system options)
 cert_group.add_option(, --external-ca, dest=external_ca, action=store_true,
   default=False, help=Generate a CSR for the IPA CA certificate to be signed by an external CA)
+cert_group.add_option(--external-ca-type, dest=external_ca_type,
+  type=choice, choices=(generic, ms),
+  help=Type of the external CA)
 cert_group.add_option(--external-cert-file, dest=external_cert_files,
   action=append, metavar=FILE,
   help=File containing the IPA CA certificate and the external CA certificate chain)
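Review bot: this `add_option` block and the `choices=("generic", "ms")` tuple are a verbatim copy of the ones added to ipa-ca-install in the same patch, as is the `--external-ca-type without --external-ca` check that follows. Keeping the list of supported CA types in one shared place (cainstance, which is where `ca_type` is consumed) would stop the two installers drifting apart the next time a type is added or renamed.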
@@ -374,6 +377,10 @@ def parse_options():
 parser.error(You cannot specify service certificate file options 
  together with --external-ca)
 
+if options.external_ca_type and not options.external_ca:
+parser.error(
+You cannot specify --external-ca-type without --external-ca)
+
 if (options.external_cert_files and
 any(not os.path.isabs(path) for path in options.external_cert_files)):
 parser.error(--external-cert-file must use an absolute path)
@@ -1142,7 +1149,8 @@ def main():
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password, csr_file=paths.ROOT_IPA_CSR,
   subject_base=options.subject,
-  

[Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-08 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.

Honza

--
Jan Cholasta
From d1f307cef0b72c8052dd9277d20814236cb19f79 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 16:46:15 +0200
Subject: [PATCH] Fix certmonger configuration in installer code

https://fedorahosted.org/freeipa/ticket/4619
---
 install/tools/ipa-server-install |  5 +--
 install/tools/ipa-upgradeconfig  |  2 +-
 ipaserver/install/cainstance.py  | 87 +---
 ipaserver/install/dogtaginstance.py  | 76 ++-
 ipaserver/install/ipa_kra_install.py |  2 +-
 ipaserver/install/krainstance.py |  9 ++--
 6 files changed, 78 insertions(+), 103 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 89d7330..f394f1e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -561,14 +561,13 @@ def uninstall():
 
 kra_instance = krainstance.KRAInstance(
 api.env.realm, dogtag_constants=dogtag_constants)
-kra_instance.stop_tracking_certificates(dogtag_constants)
+kra_instance.stop_tracking_certificates()
 if kra_instance.is_installed():
 kra_instance.uninstall()
 
 ca_instance = cainstance.CAInstance(
 api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
-ca_instance.stop_tracking_certificates(dogtag_constants)
-ca_instance.stop_tracking_agent_certificate(dogtag_constants)
+ca_instance.stop_tracking_certificates()
 if ca_instance.is_configured():
 ca_instance.uninstall()
 
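Review bot: the call to `stop_tracking_agent_certificate` is dropped without a replacement in this hunk, so the RA agent certificate is only untracked if the new no-argument `stop_tracking_certificates()` handles it internally; the cainstance.py part of the patch is cut off in this copy, so please confirm that, because a leftover request keeps certmonger retrying renewal against an instance that no longer exists.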
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb5..339dcb9 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -727,7 +727,7 @@ def certificate_renewal_update(ca):
 
 # Ok, now we need to stop tracking, then we can start tracking them
 # again with new configuration:
-ca.stop_tracking_certificates(dogtag_constants)
+ca.stop_tracking_certificates()
 
 if not sysupgrade.get_upgrade_state('dogtag',
 'certificate_renewal_update_1'):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3a296f5..cbb9e2c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -330,6 +330,12 @@ class CAInstance(DogtagInstance):
2 = have signed cert, continue installation
 
 
+tracking_reqs = (('auditSigningCert cert-pki-ca', None),
+ ('ocspSigningCert cert-pki-ca', None),
+ ('subsystemCert cert-pki-ca', None),
+ ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
+server_cert_name = 'Server-Cert cert-pki-ca'
+
 def __init__(self, realm=None, ra_db=None, dogtag_constants=None,
  host_name=None, dm_password=None, ldapi=True):
 if dogtag_constants is None:
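Review bot: `Server-Cert cert-pki-ca` is no longer in `tracking_reqs` and lives in `server_cert_name` instead, so anything that iterates `tracking_reqs` (the renamed `stop_tracking_certificates()` in particular) will not touch the server cert unless it also consults `server_cert_name`; please confirm that path, otherwise uninstall leaves a stale certmonger request for it.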
@@ -363,11 +369,6 @@ class CAInstance(DogtagInstance):
 self.ra_agent_pwd = None
 self.ra_cert = None
 self.requestId = None
-self.tracking_reqs = (('Server-Cert cert-pki-ca', None),
-  ('auditSigningCert cert-pki-ca', None),
-  ('ocspSigningCert cert-pki-ca', None),
-  ('subsystemCert cert-pki-ca', None),
-  ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
 self.log = log_mgr.get_logger(self)
 
 def configure_instance(self, host_name, domain, dm_password,
@@ -452,7 +453,7 @@ class CAInstance(DogtagInstance):
 self.step(issuing RA agent certificate, self.__issue_ra_cert)
 self.step(adding RA agent as a trusted user, self.__configure_ra)
 self.step(configure certmonger for renewals, self.configure_certmonger_renewal)
-self.step(configure certificate renewals, self.configure_cert_renewal)
+self.step(configure certificate renewals, self.configure_renewal)
 if not self.clone:
 self.step(configure RA certificate renewal, self.configure_agent_renewal)
 self.step(configure Server-Cert certificate renewal, self.track_servercert)
@@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance):
 fd.close()
 os.chmod(location, 0444)
 
-@staticmethod
-def configure_certmonger_renewal():
-
-Create a new CA type for certmonger that will retrieve updated
-certificates from the dogtag master server.
-
-services.knownservices.messagebus.start()
-cmonger = services.knownservices.certmonger
-cmonger.enable()
-cmonger.start()
-
-bus = dbus.SystemBus()
-obj = bus.get_object('org.fedorahosted.certmonger',
- '/org/fedorahosted/certmonger')
-iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
-

Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in, ipa-upgradeconfig

2014-10-08 Thread David Kupka

On 10/08/2014 09:29 AM, Jan Cholasta wrote:

Hi,

Dne 8.10.2014 v 09:09 David Kupka napsal(a):

https://fedorahosted.org/freeipa/ticket/4569


In renew_ca_cert and cainstance.py, dogtag should already be stopped in
the places you modified, so why the change?


I didn't notice that it is already stopped, fixed.


Also I don't think it's a good idea to backup CS.cfg when dogtag is
still running (in cainstance.py). If the file is being modified by
dogtag at the time it is backed up, the backup may be corrupted.


Fixed, thanks.


Honza



--
David Kupka
From 104dca26a87255be2b67652dd0f4c60b71e92e90 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
 ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 15 +++
 ipaserver/install/cainstance.py |  6 --
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore):
 if not installutils.get_directive(configured_constants.CS_CFG_PATH,
   'proxy.securePort', '=') and \
 os.path.exists(paths.PKI_SETUP_PROXY):
-ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
+# update proxy configuration with stopped dogtag to prevent corruption
+# of CS.cfg
+with installutils.stopped_service(
+configured_constants.SERVICE_NAME,
+configured_constants.PKI_INSTANCE_NAME):
+ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
  ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
 root_logger.debug('Proxy configuration updated')
 else:
@@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca):
 root_logger.error('Cannot move CRL file to new directory: %s', e)
 
 try:
-installutils.set_directive(caconfig.CS_CFG_PATH,
-'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
-publishdir, quotes=False, separator='=')
+with installutils.stopped_service(caconfig.SERVICE_NAME,
+caconfig.PKI_INSTANCE_NAME):
+installutils.set_directive(caconfig.CS_CFG_PATH,
+'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+publishdir, quotes=False, separator='=')
 except OSError, e:
 root_logger.error('Cannot update CA configuration file %s: %s',
 caconfig.CS_CFG_PATH, e)
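Review bot: the surrounding `except OSError` was written for set_directive's file I/O; a failure to stop or restart dogtag inside the new `with installutils.stopped_service(...)` block is unlikely to surface as an OSError and will propagate out of migrate_crl_publish_dir instead of being logged. If aborting the upgrade on a service failure is the intent, a word in the comment would help; otherwise the handler needs widening.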
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 521f25d96693efe64b5859901bb3da9da79ee0ec..ac6dd828aa38e14c16e7bb7c7d1c397793222852 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1841,8 +1841,10 @@ def backup_config(dogtag_constants=None):
 if dogtag_constants is None:
 dogtag_constants = dogtag.configured_constants()
 
-shutil.copy(dogtag_constants.CS_CFG_PATH,
-dogtag_constants.CS_CFG_PATH + '.ipabkp')
+with stopped_service(dogtag_constants.SERVICE_NAME,
+ instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+shutil.copy(dogtag_constants.CS_CFG_PATH,
+dogtag_constants.CS_CFG_PATH + '.ipabkp')
 
 def update_cert_config(nickname, cert, dogtag_constants=None):
 
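Review bot: `stopped_service` is used unqualified here while ipa-upgradeconfig calls `installutils.stopped_service`, and the import into cainstance.py is not part of the diff, so please double-check it is present. Also, since backup_config() can be reached in code paths where dogtag is already stopped (the point raised above for renew_ca_cert), make sure the context manager records whether the service was running before it restarts it on exit; otherwise this copy brings dogtag back up under a caller that expected it to stay down.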
-- 
1.9.3

From f322136e5fd0bc1df5edf712c931c328dc5bdb5d Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in
 ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/tools/ipa-upgradeconfig | 15 +++
 ipaserver/install/cainstance.py |  6 --
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb59066b515d33bebc19ca5afb4f50548bb2..abe3c077ccbaebf7317591eca19be99b686ae37d 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore):
 if not installutils.get_directive(configured_constants.CS_CFG_PATH,
   'proxy.securePort', '=') and \
 os.path.exists(paths.PKI_SETUP_PROXY):
-ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib'
+# update proxy configuration with stopped dogtag to prevent corruption
+# of CS.cfg
+with installutils.stopped_service(
+  

Re: [Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install

2014-10-08 Thread Martin Kosek
On 10/08/2014 11:53 AM, Jan Cholasta wrote:
 Hi,
 
 the attached patch fixes https://fedorahosted.org/freeipa/ticket/4496.
 
 Note that this requires pki-core 10.2.0-3.
 
 Honza

The approach looks OK, but I would like to be better in naming documentation:

+cert_group.add_option(--external-ca-type, dest=external_ca_type,
+  type=choice, choices=(generic, ms),
+  help=Type of the external CA)

I would name the option either ad-cs or windows-server-ca, i.e. Active
Directory Certificate Services or Windows Server CA. ms sounds too generic
to me in this context. When using trademarks we should be specific about what
we mean.

Same for man:

+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are generic, ms. Default value is
generic. Use ms to include MS template name extension in the CSR.
+.TP

I would be more verbose and write

... Use windows-server-ca to include Windows Server CA specific template name
extension (1.3.6.1.4.1.311.20.2) set in the CSR.


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code

2014-10-08 Thread Jan Cholasta

Dne 8.10.2014 v 12:27 Jan Cholasta napsal(a):

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.

Honza


Forgot to delete a line in dogtaginstance.py (thanks to David for 
noticing). Updated patch attached.


--
Jan Cholasta
From f2edb5ddf291d1f14c13e155412f5154d491c84e Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 16:46:15 +0200
Subject: [PATCH] Fix certmonger configuration in installer code

https://fedorahosted.org/freeipa/ticket/4619
---
 install/tools/ipa-server-install |  5 +--
 install/tools/ipa-upgradeconfig  |  2 +-
 ipaserver/install/cainstance.py  | 87 +---
 ipaserver/install/dogtaginstance.py  | 77 ++-
 ipaserver/install/ipa_kra_install.py |  2 +-
 ipaserver/install/krainstance.py |  9 ++--
 6 files changed, 78 insertions(+), 104 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 89d7330..f394f1e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -561,14 +561,13 @@ def uninstall():
 
 kra_instance = krainstance.KRAInstance(
 api.env.realm, dogtag_constants=dogtag_constants)
-kra_instance.stop_tracking_certificates(dogtag_constants)
+kra_instance.stop_tracking_certificates()
 if kra_instance.is_installed():
 kra_instance.uninstall()
 
 ca_instance = cainstance.CAInstance(
 api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
-ca_instance.stop_tracking_certificates(dogtag_constants)
-ca_instance.stop_tracking_agent_certificate(dogtag_constants)
+ca_instance.stop_tracking_certificates()
 if ca_instance.is_configured():
 ca_instance.uninstall()
 
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 3914eb5..339dcb9 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -727,7 +727,7 @@ def certificate_renewal_update(ca):
 
 # Ok, now we need to stop tracking, then we can start tracking them
 # again with new configuration:
-ca.stop_tracking_certificates(dogtag_constants)
+ca.stop_tracking_certificates()
 
 if not sysupgrade.get_upgrade_state('dogtag',
 'certificate_renewal_update_1'):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3a296f5..cbb9e2c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -330,6 +330,12 @@ class CAInstance(DogtagInstance):
2 = have signed cert, continue installation
 
 
+tracking_reqs = (('auditSigningCert cert-pki-ca', None),
+ ('ocspSigningCert cert-pki-ca', None),
+ ('subsystemCert cert-pki-ca', None),
+ ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
+server_cert_name = 'Server-Cert cert-pki-ca'
+
 def __init__(self, realm=None, ra_db=None, dogtag_constants=None,
  host_name=None, dm_password=None, ldapi=True):
 if dogtag_constants is None:
@@ -363,11 +369,6 @@ class CAInstance(DogtagInstance):
 self.ra_agent_pwd = None
 self.ra_cert = None
 self.requestId = None
-self.tracking_reqs = (('Server-Cert cert-pki-ca', None),
-  ('auditSigningCert cert-pki-ca', None),
-  ('ocspSigningCert cert-pki-ca', None),
-  ('subsystemCert cert-pki-ca', None),
-  ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
 self.log = log_mgr.get_logger(self)
 
 def configure_instance(self, host_name, domain, dm_password,
@@ -452,7 +453,7 @@ class CAInstance(DogtagInstance):
 self.step(issuing RA agent certificate, self.__issue_ra_cert)
 self.step(adding RA agent as a trusted user, self.__configure_ra)
 self.step(configure certmonger for renewals, self.configure_certmonger_renewal)
-self.step(configure certificate renewals, self.configure_cert_renewal)
+self.step(configure certificate renewals, self.configure_renewal)
 if not self.clone:
 self.step(configure RA certificate renewal, self.configure_agent_renewal)
 self.step(configure Server-Cert certificate renewal, self.track_servercert)
@@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance):
 fd.close()
 os.chmod(location, 0444)
 
-@staticmethod
-def configure_certmonger_renewal():
-
-Create a new CA type for certmonger that will retrieve updated
-certificates from the dogtag master server.
-
-services.knownservices.messagebus.start()
-cmonger = services.knownservices.certmonger
-cmonger.enable()
-cmonger.start()
-
-bus = dbus.SystemBus()
-obj = 

[Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install

2014-10-08 Thread Jan Cholasta

Hi,

the attached patch provides an additional fix for 
https://fedorahosted.org/freeipa/ticket/4447.


Honza

--
Jan Cholasta
From d0f77421f74b026de15966075e7687ff0350ed54 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 12:18:06 +0200
Subject: [PATCH] Allow specifying signing algorithm of the IPA CA cert in
 ipa-ca-install

The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.

https://fedorahosted.org/freeipa/ticket/4447
---
 install/tools/ipa-ca-install   | 13 ++---
 install/tools/man/ipa-ca-install.1 |  3 +++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index df8e34b..653b615 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -71,6 +71,10 @@ def parse_options():
 parser.add_option(--external-cert-file, dest=external_cert_files,
   action=append, metavar=FILE,
   help=File containing the IPA CA certificate and the external CA certificate chain)
+parser.add_option(--ca-signing-algorithm, dest=ca_signing_algorithm,
+  type=choice,
+  choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
+  help=Signing algorithm of the IPA CA certificate)
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
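Review bot: the option sets no `default`, so `options.ca_signing_algorithm` is None whenever the flag is omitted and that None is passed straight into `configure_instance` in the hunk below; that is only correct if `configure_instance` maps None to SHA256withRSA, which is what the man page promises. Consider `default='SHA256withRSA'` here so the promise is visible next to the choices, and `metavar='ALGORITHM'` so `--help` matches the man page wording.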
@@ -313,17 +317,20 @@ def install_master(safe_options, options):
 ca.create_ra_agent_db = False
 if external == 0:
 ca.configure_instance(host_name, domain_name, dm_password,
-  dm_password, subject_base=subject_base)
+  dm_password, subject_base=subject_base,
+  ca_signing_algorithm=options.ca_signing_algorithm)
 elif external == 1:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password, csr_file=paths.ROOT_IPA_CSR,
-  subject_base=subject_base)
+  subject_base=subject_base,
+  ca_signing_algorithm=options.ca_signing_algorithm)
 else:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password,
   cert_file=external_cert_file.name,
   cert_chain_file=external_ca_file.name,
-  subject_base=subject_base)
+  subject_base=subject_base,
+  ca_signing_algorithm=options.ca_signing_algorithm)
 
 ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
 
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 8f7201c..a58ac23 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -40,6 +40,9 @@ Admin user Kerberos password used for connection check
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
+\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+.TP
 \fB\-\-no\-host\-dns\fR
 Do not use DNS for hostname lookup during installation
 .TP
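Review bot: SHA1withRSA is listed as a plain choice with no caveat. Since this signs the IPA CA certificate itself, the man text should make clear that SHA1withRSA exists only for external CAs that cannot handle SHA-256 and that SHA-1 signatures are deprecated, so operators do not pick it out of habit: "Use SHA1withRSA only if the external CA cannot sign with SHA-256; SHA-1 signatures are deprecated."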
-- 
1.9.3


Re: [Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install

2014-10-08 Thread Jan Cholasta

Dne 8.10.2014 v 12:49 Martin Kosek napsal(a):

On 10/08/2014 11:53 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4496.

Note that this requires pki-core 10.2.0-3.

Honza


The approach looks OK, but I would like to be better in naming documentation:

+cert_group.add_option(--external-ca-type, dest=external_ca_type,
+  type=choice, choices=(generic, ms),
+  help=Type of the external CA)

I would name the option either ad-cs or windows-server-ca, i.e. Active
Directory Certificate Services or Windows Server CA. ms sounds too generic
to me in this context. When using trademarks we should be specific about what
we mean.


Microsoft docs refer to it as Microsoft Certificate Services or simply 
Certificate Services, so I went with ms-cs.




Same for man:

+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are generic, ms. Default value is
generic. Use ms to include MS template name extension in the CSR.
+.TP

I would be more verbose and write

... Use windows-server-ca to include Windows Server CA specific template name
extension (1.3.6.1.4.1.311.20.2) set in the CSR.


I have reworded the description in man and the commit message a bit.

Updated patch attached.

--
Jan Cholasta
From 14aa5220ab91acd7b7ca831e395a4ade33685527 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 10:51:31 +0200
Subject: [PATCH] Support MS CS as the external CA in ipa-server-install and
 ipa-ca-install

Added a new option --external-ca-type which specifies the type of the
external CA. It can be either generic (the default) or ms-cs. If ms-cs
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name SubCA.

https://fedorahosted.org/freeipa/ticket/4496
---
 freeipa.spec.in|  2 +-
 install/tools/ipa-ca-install   | 10 +-
 install/tools/ipa-server-install   | 10 +-
 install/tools/man/ipa-ca-install.1 |  6 ++
 install/tools/man/ipa-server-install.1 |  3 +++
 ipaserver/install/cainstance.py| 14 +-
 6 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 99cd6df..6fe8704 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -113,7 +113,7 @@ Requires(post): systemd-units
 Requires: selinux-policy = 3.12.1-179
 Requires(post): selinux-policy-base
 Requires: slapi-nis = 0.47.7
-Requires: pki-ca = 10.1.1
+Requires: pki-ca = 10.2.0-3
 %if 0%{?rhel}
 Requires: subscription-manager
 %endif
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index df8e34b..37f8fc7 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -68,6 +68,9 @@ def parse_options():
   default=False, help=unattended installation never prompts the user)
 parser.add_option(--external-ca, dest=external_ca, action=store_true,
   default=False, help=Generate a CSR to be signed by an external CA)
+parser.add_option(--external-ca-type, dest=external_ca_type,
+  type=choice, choices=(generic, ms-cs),
+  help=Type of the external CA)
 parser.add_option(--external-cert-file, dest=external_cert_files,
   action=append, metavar=FILE,
   help=File containing the IPA CA certificate and the external CA certificate chain)
@@ -89,6 +92,10 @@ def parse_options():
 parser.error(You cannot specify --external-cert-file 
  together with --external-ca)
 
+if options.external_ca_type and not options.external_ca:
+parser.error(
+You cannot specify --external-ca-type without --external-ca)
+
 return safe_options, options, filename
 
 def get_dirman_password():
@@ -317,7 +324,8 @@ def install_master(safe_options, options):
 elif external == 1:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password, csr_file=paths.ROOT_IPA_CSR,
-  subject_base=subject_base)
+  subject_base=subject_base,
+  ca_type=options.external_ca_type)
 else:
 ca.configure_instance(host_name, domain_name, dm_password,
   dm_password,
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b827dfe..ab97646 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -203,6 +203,9 @@ def parse_options():
 cert_group = OptionGroup(parser, certificate system options)
 cert_group.add_option(, --external-ca, dest=external_ca, action=store_true,
   default=False, help=Generate a CSR for the IPA CA certificate to be signed by an external CA)
+

[Freeipa-devel] [PATCH] 0002 Ignore irrelevant subtrees in schema compat plugin

2014-10-08 Thread Ludwig Krispenz
Please review attached patch for ticket: 
https://fedorahosted.org/freeipa/ticket/4586


This reduces the number of internal searches and contention for database 
locks. Together with the DS fix for https://fedorahosted.org/389/ticket/47918,
the issues reported in 4586 no longer occurred.
From 1e871d2d39c7dc3e49d55ccf1d5a163d40d68dcf Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz lkris...@redhat.com
Date: Wed, 8 Oct 2014 15:11:54 +0200
Subject: [PATCH] Ignore irrelevant subtrees in schema compat plugin

For changes in cn=changelog or o=ipaca the schema compat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backends in DS. cf. ticket 4586
---
 install/updates/10-schema_compat.update | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index aeddadbe3a7231e7795c1c8420dc5a1353f907cc..e5bc70350a28a0e572fa3678ba9ba5bf5075529f 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -18,11 +18,15 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq(ipaSudoRunAsUserCatego
 add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq(ipaSudoRunAsUserCategory,all,ALL,%deref_f(\ipaSudoRunAs\,\(objectclass=posixAccount)\,\uid\))'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq(ipaSudoRunAsGroupCategory,all,ALL,%{ipaSudoRunAsExtGroup})'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq(ipaSudoRunAsGroupCategory,all,ALL,%deref_f(\ipaSudoRunAsGroup\,\(objectclass=posixGroup)\,\cn\))'
+add: schema-compat-ignore-subtree: cn=changelog
+add: schema-compat-ignore-subtree: o=ipaca
 
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
 replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link(%ifeq(\hostCategory\,\all\,\\,\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\),-,,,%ifeq(\userCategory\,\all\,\\,\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\),-),%{nisDomainName:-})::nisNetgroupTriple=(%link(%ifeq(\hostCategory\,\all\,\\,\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\),%ifeq(\hostCategory\,\all\,\\,\-\),,,%ifeq(\userCategory\,\all\,\\,\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\),%ifeq(\userCategory\,\all\,\\,\-\)),%{nisDomainName:-})'
+add: schema-compat-ignore-subtree: cn=changelog
+add: schema-compat-ignore-subtree: o=ipaca
 
 dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
 default:objectClass: top
@@ -37,10 +41,20 @@ default:schema-compat-entry-attribute: objectclass=device
 default:schema-compat-entry-attribute: objectclass=ieee802Device
 default:schema-compat-entry-attribute: cn=%{fqdn}
 default:schema-compat-entry-attribute: macAddress=%{macAddress}
+add: schema-compat-ignore-subtree: cn=changelog
+add: schema-compat-ignore-subtree: o=ipaca
 
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
 
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=changelog
+add: schema-compat-ignore-subtree: o=ipaca
+
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-ignore-subtree: cn=changelog
+add: schema-compat-ignore-subtree: o=ipaca
+
 dn: cn=Schema Compatibility,cn=plugins,cn=config
 # We need to run schema-compat pre-bind callback before
 # other IPA pre-bind callbacks to make sure bind DN is
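Review bot: the two `schema-compat-ignore-subtree` values are repeated verbatim under five plugin config entries with nothing in the file saying why. A one-line comment above the first occurrence ("cn=changelog and o=ipaca never hold entries the compat tree maps; skipping them saves internal searches, see ticket 4586") would keep the next editor from dropping one, and it is worth noting in the commit that any future subtree to ignore must be added in all five places.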
-- 
1.9.0


[Freeipa-devel] [PATCH] 0655 Add additional backup & restore checks

2014-10-08 Thread Petr Viktorin
This adds basic checks that PAM, DNS, and Kerberos are working before & 
after the backup & restore (in addition to DS, CA & IPA CLI that were 
there before).




--
Petr³
From e9495d4c023eb99a19493c3cfbd7c259e12929f5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 25 Sep 2014 10:11:49 +0200
Subject: [PATCH] Add additional backup & restore checks

https://fedorahosted.org/freeipa/ticket/3893
---
 .../test_integration/test_backup_and_restore.py| 41 ++
 1 file changed, 35 insertions(+), 6 deletions(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 3cf0d5d708e15a8d44e9f77c21c3ca5343c65f6a..c9b4271d40f292e26fbff3240b875f6c56620a89 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -65,6 +65,12 @@ def check_admin_in_cli(host):
 return result
 
 
+def check_admin_in_id(host):
+result = host.run_command(['id', 'admin'])
+assert 'admin' in result.stdout_text, result.stdout_text
+return result
+
+
 def check_certs(host):
 result = host.run_command(['ipa', 'cert-find'])
 assert re.search('^Number of entries returned [1-9]\d*$',
@@ -72,20 +78,43 @@ def check_certs(host):
 return result
 
 
+def check_dns(host):
+result = host.run_command(['host', host.hostname, 'localhost'])
+return result
+
+
+def check_kinit(host):
+result = host.run_command(['kinit', 'admin'],
+  stdin_text=host.config.admin_password)
+return result
+
+
+CHECKS = [
+(check_admin_in_ldap, assert_entries_equal),
+(check_admin_in_cli, assert_results_equal),
+(check_admin_in_id, assert_results_equal),
+(check_certs, assert_results_equal),
+(check_dns, assert_results_equal),
+(check_kinit, assert_results_equal),
+]
+
+
 @contextlib.contextmanager
 def restore_checker(host):
 Check that the IPA at host works the same at context enter and exit
 tasks.kinit_admin(host)
 
-admin_entry = check_admin_in_ldap(host)
-admin_cli_result = check_admin_in_cli(host)
-certs_output = check_certs(host)
+results = []
+for check, assert_func in CHECKS:
+log.info('Storing result for %s', check)
+results.append(check(host))
 
 yield
 
-assert_entries_equal(admin_entry, check_admin_in_ldap(host))
-assert_results_equal(admin_cli_result, check_admin_in_cli(host))
-assert_results_equal(certs_output, check_certs(host))
+for (check, assert_func), expected in zip(CHECKS, results):
+log.info('Checking result for %s', check)
+got = check(host)
+assert_func(expected, got)
 
 
 def backup(host):
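Review bot: `assert_func` is unpacked but unused in the first loop (`for check, assert_func in CHECKS`); `for check, _ in CHECKS` makes the intent clear. Also `log.info('Storing result for %s', check)` and the matching 'Checking result' line print the function object repr; `check.__name__` reads better in the test log.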
-- 
2.1.0


[Freeipa-devel] [PATCH 0133] Fix ipactl service ordering

2014-10-08 Thread Martin Basti
IPA sorts service order alphabetically; this patch modifies ipactl to use 
integers.


How to reproduce:
set attribute ipaConfigString: startOrder 150
DN: cn=HTTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

then run
#ipactl restart

The httpd service should start as the last service, but it starts almost first.

Patch attached.

--
Martin Basti

From 277e71a1ce05636fd3961276f626335fe9bfbbbe Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 8 Oct 2014 16:40:53 +0200
Subject: [PATCH] Fix ipactl service ordering

Ipactl sorted service start order as a string, which causes a service with start order
100 to start before a service with start order 30.

Patch fixes ipactl to use integers for ordering.
---
 install/tools/ipactl | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index 3f0e79867032b61f63e0626ce33df75df14cecab..7a1e41b01a80eeea85c417399dcf4666f70d4b26 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -159,7 +159,11 @@ def get_config(dirsrv):
 name = entry.single_value['cn']
 for p in entry['ipaConfigString']:
 if p.startswith('startOrder '):
-order = p.split()[1]
+try:
+order = int(p.split()[1])
+except ValueError:
+raise IpactlError(Expected order as integer in: %s:%s % (
+name, p))
 svc_list.append([order, name])
 
 ordered_list = []
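Review bot: `p.split()[1]` raises IndexError, not ValueError, when the value is just `startOrder ` (the keyword with trailing whitespace and no number, which still passes the `startswith` test), so that malformed entry escapes as a traceback instead of the new IpactlError. Catch `(ValueError, IndexError)` in the except, or split once into `parts` and check `len(parts) == 2` before calling `int()`.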
-- 
1.8.3.1
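To make the ordering bug and the stricter parsing concrete, here is an added stand-alone Python example; it is not ipactl's own code. It sorts constructed ipaConfigString values the pre-patch way (as strings) and the post-patch way (as integers), and goes one step beyond the patch by also rejecting a bare `startOrder ` value; the service names, the orders and the `IpactlError` stand-in are assumptions.

```python
"""Added example: string vs. integer ordering of ipactl service start order.

This mirrors the logic the patch changes, on constructed input; it is not
ipactl code. The ipaConfigString values below are invented.
"""


class IpactlError(Exception):
    """Stand-in for ipactl's own error class (assumption)."""


# Constructed sample: (service cn, ipaConfigString values) as they would come
# back from the cn=masters subtree. HTTP deliberately gets 150, the case from
# the bug report, so it must end up last.
SAMPLE_ENTRIES = [
    ("DNS", ["enabledService", "startOrder 30"]),
    ("HTTP", ["enabledService", "startOrder 150"]),
    ("KDC", ["enabledService", "startOrder 100"]),
    ("CA", ["enabledService", "startOrder 50"]),
]


def start_order_before(entries):
    """Pre-patch behaviour: the order is kept as the raw string, so sorted()
    compares lexicographically and "100" < "150" < "30" < "50"."""
    svc_list = []
    for name, config in entries:
        for p in config:
            if p.startswith("startOrder "):
                svc_list.append([p.split()[1], name])
    return [name for _order, name in sorted(svc_list)]


def parse_start_order(name, p):
    """Post-patch parsing with one addition: a bare "startOrder " value
    (nothing after the keyword) makes split()[1] raise IndexError, which the
    patch's `except ValueError` does not catch, so both are handled here."""
    try:
        return int(p.split()[1])
    except (ValueError, IndexError):
        raise IpactlError("Expected order as integer in: %s:%s" % (name, p))


def start_order_after(entries):
    """Post-patch behaviour: numeric ordering, malformed values rejected."""
    svc_list = []
    for name, config in entries:
        for p in config:
            if p.startswith("startOrder "):
                svc_list.append([parse_start_order(name, p), name])
    return [name for _order, name in sorted(svc_list)]


if __name__ == "__main__":
    print("string sort: ", start_order_before(SAMPLE_ENTRIES))
    print("integer sort:", start_order_after(SAMPLE_ENTRIES))
```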


Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread thierry bordaz

On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:

Attached is the latest patch. I believe this includes all of our
discussions up until this point. However, a few bits of additional
information are needed.

First, I have renamed the plugin to ipa-otp-counter. I believe all
replay prevention work can land inside this plugin, so the name is
appropriate.

Second, I uncovered a bug in 389 which prevents me from validating the
non-replication request in bepre. This is the reason for the additional
betxnpre callback. If the upstream 389 bug is fixed, we can merge this
check back into bepre. https://fedorahosted.org/389/ticket/47919

Third, I believe we are now handling replication correctly. An error is
never returned. When a replication would cause the counter to decrease,
we remove all counter/watermark related mods from the operation. This
will allow the replication to apply without decrementing the value.
There is also a new bepost method which checks to see if the replication
was discarded (via CSN) while having a higher counter value. If so, we
apply the higher counter value.


For me the code is good. It took me some time to understand the benefit
of removing mods in preop.
In fact I think it is a good idea, as it prevents extra repair ops and
also makes the computation of the value to set in the repair mod easier.


Here is the scenario. Server X receives two quick authentications;
replications A and B are sent to server Y. Before server Y can process
server X's replications, an authentication is performed on server Y;
replication C is sent to server X. The following logic holds true:
  * csnA < csnB < csnC
  * valueA = valueC, valueB > valueC

When server X receives replication C, ipa-otp-counter will strip out all
counter mod operations; applying the update but not the lower value. The
value of replication B is retained. This is the correct behavior.

When server Y processes replications A and B, ipa-otp-counter will
detect that a higher value has a lower CSN and will manually set the
higher value (in bepost). This initiates replication D, which is sent to
server X. Here is the logic:
  * csnA < csnB < csnC < csnD
  * valueA = valueC, valueB = valueD, valueD > valueC

Server X receives replication D. D has the highest CSN. It has the same
value as replication B (server X's current value). Because the values
are the same, ipa-otp-counter will strip all counter mod operations.
This reduces counter write contention which might become a problem in
N-way replication when N > 2.


I think we should rather let the mods go on, so that the full
topology will have
valueD (or valueB)/csnD rather than having a set of servers with
valueD/csnB and another set with valueD/csnD.


thanks
thierry



On Fri, 2014-10-03 at 19:52 +0200, thierry bordaz wrote:

Hello Nathaniel,

 An additional comment about the patch.

 When the new value is detected to be invalid, it is fixed by a
 repair operation (trigger_replication).
 I did test it and it is fine to update, with an internal
 operation, the same entry that is currently updated.

 Now if you apply the repair operation into a be_preop or a
 betxn_preop, when it returns from preop the txn of the current
 operation will overwrite the repaired value.

 An option is to register a bepost that checks the value from
 the original entry (SLAPI_ENTRY_PRE_OP) and post entry
 (SLAPI_ENTRY_POST_OP). Then this postop checks the
 original/final value and can trigger the repair op.
 This time being outside of the main operation txn, the repair
 op will be applied.

 thanks
 thierry
On 09/29/2014 08:30 PM, Nathaniel McCallum wrote:


On Mon, 2014-09-22 at 09:32 -0400, Simo Sorce wrote:

On Sun, 21 Sep 2014 22:33:47 -0400
Nathaniel McCallum npmccal...@redhat.com wrote:

Comments inline.


+
+#define ch_malloc(type) \
+(type*) slapi_ch_malloc(sizeof(type))
+#define ch_calloc(count, type) \
+(type*) slapi_ch_calloc(count, sizeof(type))
+#define ch_free(p) \
+slapi_ch_free((void**) (p))

please do not redefine slapi functions, it just makes it harder to know
what you used.



+typedef struct {
+bool exists;
+long long value;
+} counter;

please no typedefs of structures, use struct counter { ... }; and
reference it as struct counter in the code.

Btw, FWIW you could use a value of -1 to indicate non-existence of the
counter value, given counters can only be positive, this would avoid
the need for a struct.


+static int
+send_error(Slapi_PBlock *pb, int rc, char *template, ...)
+{
+va_list ap;
+int res;
+
+va_start(ap, template);
+res = vsnprintf(NULL, 0, template, ap);
+va_end(ap);
+
+if (res  0) {
+char str[res + 1];
+
+va_start(ap, template);
+res = vsnprintf(str, sizeof(str), template, ap);
+va_end(ap);
+
+if (res  0)
+
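Review bot: in `send_error`, `char str[res + 1];` is a variable-length array on the stack sized by whatever `vsnprintf(NULL, 0, template, ap)` reports. That is fine while `template` is always a fixed literal inside the plugin, but if any call site ever passes through text from the entry or the request (a `%s` argument expanding a long attribute value, for instance), the VLA size is unbounded and the error path itself can exhaust the stack. A heap buffer via `slapi_ch_malloc`/`slapi_ch_free` (used directly, as the comment above asks) or a fixed-size buffer with truncation is the safer shape for an error-reporting helper.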

Re: [Freeipa-devel] [PATCH] 761 keytab manipulation permission management

2014-10-08 Thread Petr Vobornik

On 1.10.2014 18:15, Petr Vobornik wrote:

Hello list,

Patch for: https://fedorahosted.org/freeipa/ticket/4419



New revisions of 761 and 763 with updated API and ACIs:

  ipa host-allow-operation HOSTNAME retrieve-keytab --users=STR --groups STR
  ipa host-disallow-operation HOSTNAME retrieve-keytab --users=STR --groups STR

  ipa host-allow-operation HOSTNAME create-keytab --users=STR --groups STR
  ipa host-disallow-operation HOSTNAME create-keytab --users=STR --groups STR

  ipa service-allow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR
  ipa service-disallow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR
  ipa service-allow-operation PRINCIPAL create-keytab --users=STR --groups STR
  ipa service-disallow-operation PRINCIPAL create-keytab --users=STR --groups STR


ACIs are targeted to specific operations by including subtypes.
--
Petr Vobornik
From e44e27ca63ab333b50f4cf465ea61115c9c83840 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 2 Oct 2014 16:57:08 +0200
Subject: [PATCH] keytab manipulation permission management

Adds new API:
  ipa host-allow-operation HOSTNAME retrieve-keytab --users=STR --groups STR
  ipa host-disallow-operation HOSTNAME retrieve-keytab --users=STR --groups STR
  ipa host-allow-operation HOSTNAME create-keytab --users=STR --groups STR
  ipa host-disallow-operation HOSTNAME create-keytab --users=STR --groups STR

  ipa service-allow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR
  ipa service-disallow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR
  ipa service-allow-operation PRINCIPAL create-keytab --users=STR --groups STR
  ipa service-disallow-operation PRINCIPAL create-keytab --users=STR --groups STR

These methods add or remove user or group DNs in the `ipaallowedtoperform` attribute with
the `read_keys` and `write_keys` subtypes.

service|host-mod|show outputs these attrs as:

  Users allowed to retrieve keytab: user1
  Groups allowed to retrieve keytab: group1
  Users allowed to create keytab: user1
  Groups allowed to create keytab: group1

Adding of an object class is implemented as a reusable method since this code is
used in many places and most likely will also be used in new features. Older
code may be refactored later.

https://fedorahosted.org/freeipa/ticket/4419
---
 ACI.txt|   4 ++
 API.txt|  52 +++
 VERSION|   4 +-
 ipalib/plugins/baseldap.py |  17 ++
 ipalib/plugins/host.py |  51 --
 ipalib/plugins/service.py  | 127 +++--
 6 files changed, 244 insertions(+), 11 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index cebdc2ccec45db1dbf0d5ea0c7f2b1a3a7feeb6e..312e51719d9906f8d6f262330d2bdafe1e59d88a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -95,6 +95,8 @@ aci: (targetattr = userpassword)(targetfilter = (objectclass=ipahost))(versi
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = krblastpwdchange || krbprincipalkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host Keytab;allow (write) groupdn = ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host Keytab Permissions;allow (compare,read,search,write) groupdn = ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example;)
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = description || ipaassignedidview || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify Hosts;allow (write) groupdn = ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;)
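Review bot: the new `System: Manage Host Keytab Permissions` ACI grants `write` on `objectclass` for every `ipahost` entry, which is broader than the two subtyped `ipaallowedtoperform` attributes it exists to manage: a holder of this permission can add or remove any object class on any host entry. If the write is only needed so the reusable add-object-class helper can attach the new class when a first allow is recorded, restrict it with a `targattrfilters` clause to that one object class value, or document in the commit message why full objectclass write is acceptable for this permission.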
@@ -193,6 +195,8 @@ aci: (targetfilter = (objectclass=ipaservice))(version 3.0;acl permission:Sys
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = krblastpwdchange || krbprincipalkey)(targetfilter = (objectclass=ipaservice))(version 3.0;acl permission:System: Manage Service Keytab;allow (write) groupdn = ldap:///cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example;)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass)(targetfilter = 

Re: [Freeipa-devel] [PATCH] 764 webui: management of keytab permissions

2014-10-08 Thread Petr Vobornik

On 3.10.2014 16:12, Petr Vobornik wrote:

On 1.10.2014 18:15, Petr Vobornik wrote:

Hello list,

Patch for: https://fedorahosted.org/freeipa/ticket/4419



Web UI for 4419. Depends on patch 761 (parent thread).



New version which works with 761-2.

The content was moved to details facet (based on UXD feedback).
--
Petr Vobornik
From 7d329ca416e4f79b76d21a79f7062ad667e0506a Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 2 Oct 2014 15:44:47 +0200
Subject: [PATCH] webui: management of keytab permissions

https://fedorahosted.org/freeipa/ticket/4419
---
 install/ui/src/freeipa/association.js | 32 ++---
 install/ui/src/freeipa/host.js| 88 +++
 install/ui/src/freeipa/service.js | 88 +++
 install/ui/test/data/ipa_init.json|  8 
 ipalib/plugins/internal.py|  8 
 5 files changed, 217 insertions(+), 7 deletions(-)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index 64a2926d97856eb9a3dac27834bc4d78e8f5..47ef067a53eef557c1cacd8ad1f3792ee8f223bf 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -406,7 +406,7 @@ IPA.association_table_widget = function (spec) {
 
 spec = spec || {};
 
-var index = spec.name.indexOf('_');
+var index = spec.name.lastIndexOf('_');
 spec.attribute_member = spec.attribute_member || spec.name.substring(0, index);
 spec.other_entity = spec.other_entity || spec.name.substring(index+1);
 
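Review bot: switching `indexOf('_')` to `lastIndexOf('_')` changes the derived `attribute_member`/`other_entity` for every existing association widget whose `name` contains more than one underscore and does not set `spec.attribute_member` explicitly, not only for the new keytab widgets: a name like `a_b_c` used to split as `a` / `b_c` and now splits as `a_b` / `c`. Grep the UI specs for such names before merging, or keep the old split as the fallback and make the new widgets pass `attribute_member` and `other_entity` explicitly.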
@@ -428,6 +428,18 @@ IPA.association_table_widget = function (spec) {
 
 that.needs_refresh = IPA.observer();
 
+/**
+ * Additional args for add and remove command
+ * @property {string}
+ */
+that.additional_args = spec.additional_args || [];
+
+that.get_mod_pkeys = function () {
+var keys = that.additional_args.slice(0);
+keys.unshift(that.facet.get_pkey());
+return keys;
+};
+
 that.get_adder_column = function(name) {
 return that.adder_columns.get(name);
 };
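Review bot: `additional_args` is documented as `@property {string}` but defaults to `[]` and is copied with `.slice(0)`, so its type is `{string[]}`; fix the doc comment, and state in it that `get_mod_pkeys` places these args after the facet pkey, since that positional order is exactly what the `*-allow-operation HOSTNAME retrieve-keytab` commands depend on.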
@@ -589,7 +601,7 @@ IPA.association_table_widget = function (spec) {
 var i;
 var columns = that.columns.values;
 if (columns.length == 1) { // show pkey only
-var name = columns[0].name;
+var name = columns[0].param;
 for (i=0; ithat.values.length; i++) {
 var record = {};
 record[name] = that.values[i];
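Review bot: `columns[0].param` replaces `columns[0].name` as the record key; any column spec that omits `param` now produces records keyed `undefined` and the single-column table renders empty. Either fall back (`var name = columns[0].param || columns[0].name;`) or assert that `param` is set when this path is taken.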
@@ -656,12 +668,12 @@ IPA.association_table_widget = function (spec) {
 
 that.add = function(values, on_success, on_error) {
 
-var pkey = that.facet.get_pkey();
+var pkeys = that.get_mod_pkeys();
 
 var command = rpc.command({
 entity: that.entity.name,
 method: that.add_method,
-args: [pkey],
+args: pkeys,
 on_success: on_success,
 on_error: on_error
 });
@@ -720,12 +732,12 @@ IPA.association_table_widget = function (spec) {
 
 that.remove = function(values, on_success, on_error) {
 
-var pkey = that.facet.get_pkey();
+var pkeys = that.get_mod_pkeys();
 
 var command = rpc.command({
 entity: that.entity.name,
 method: that.remove_method,
-args: [pkey],
+args: pkeys,
 on_success: on_success,
 on_error: on_error
 });
@@ -774,6 +786,12 @@ IPA.association_table_field = function (spec) {
 
 var that = IPA.field(spec);
 
+that.load = function(data) {
+that.values = that.adapter.load(data);
+that.widget.update(that.values);
+that.widget.unselect_all();
+};
+
 that.refresh = function() {
 
 function on_success(data, text_status, xhr) {
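Review bot: the new `that.load` replaces `IPA.field`'s own `load` wholesale; if the base implementation also records the loaded value for dirty tracking or resets validation state, that is lost here. Prefer the file's usual pattern of saving the parent method (`that.field_load = that.load;`) and calling it before the `update`/`unselect_all` calls, and check that every widget this field type is paired with actually implements `unselect_all`.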
@@ -821,7 +839,7 @@ exp.association_facet_pre_op = function(spec, context) {
 su.context_entity(spec, context);
 spec.entity = entity;
 
-var index = spec.name.indexOf('_');
+var index = spec.name.lastIndexOf('_');
 spec.attribute_member = spec.attribute_member ||
 spec.name.substring(0, index);
 spec.other_entity = spec.other_entity ||
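Review bot: this repeats the name-splitting rule changed at the top of the file for `association_table_widget`; move both into one small helper so the two cannot drift apart again and the review of names with several underscores only has to be done once.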
diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index 5b886b6394e73533d73f0d1a3d800922e4ef3e4d..be4ac01b2767b0a74144dbf0ea5c4b45e1a79972 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -146,6 +146,94 @@ return {
 label: '@i18n:objects.host.status'
 }
 ]
+},
+{
+$factory: IPA.section,
+name: 'divider',
+layout_css_class: 'col-sm-12',
+fields: []
+},
+{
+name: 'read',
+label: '@i18n:keytab.allowed_to_retrieve',
+$factory: IPA.section,
+

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote:
 On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:
  Attached is the latest patch. I believe this includes all of our
  discussions up until this point. However, a few bits of additional
  information are needed.
 
  First, I have renamed the plugin to ipa-otp-counter. I believe all
  replay prevention work can land inside this plugin, so the name is
  appropriate.
 
  Second, I uncovered a bug in 389 which prevents me from validating the
  non-replication request in bepre. This is the reason for the additional
  betxnpre callback. If the upstream 389 bug is fixed, we can merge this
  check back into bepre. https://fedorahosted.org/389/ticket/47919
 
  Third, I believe we are now handling replication correctly. An error is
  never returned. When a replication would cause the counter to decrease,
  we remove all counter/watermark related mods from the operation. This
  will allow the replication to apply without decrementing the value.
  There is also a new bepost method which checks to see if the replication
  was discarded (via CSN) while having a higher counter value. If so, we
  apply the higher counter value.
 
 For me the code is good. It took me some time to understand the benefit
 of removing mods in preop.
 In fact I think it is a good idea, as it prevents extra repair ops and
 also makes the computation of the value to set in the repair mod easier.
 
  Here is the scenario. Server X receives two quick authentications;
  replications A and B are sent to server Y. Before server Y can process
  server X's replications, an authentication is performed on server Y;
  replication C is sent to server X. The following logic holds true:
    * csnA < csnB < csnC
    * valueA = valueC, valueB > valueC
 
  When server X receives replication C, ipa-otp-counter will strip out all
  counter mod operations; applying the update but not the lower value. The
  value of replication B is retained. This is the correct behavior.
 
  When server Y processes replications A and B, ipa-otp-counter will
  detect that a higher value has a lower CSN and will manually set the
  higher value (in bepost). This initiates replication D, which is sent to
  server X. Here is the logic:
    * csnA < csnB < csnC < csnD
    * valueA = valueC, valueB = valueD, valueD > valueC
 
  Server X receives replication D. D has the highest CSN. It has the same
  value as replication B (server X's current value). Because the values
  are the same, ipa-otp-counter will strip all counter mod operations.
  This reduces counter write contention which might become a problem in
  N-way replication when N > 2.
 
 I think we should rather let the mods go on, so that the full
 topology will have
 valueD (or valueB)/csnD rather than having a set of servers with
 valueD/csnB and another set with valueD/csnD.

I think you misunderstand. The value for csnD is only discarded when the
server already has valueB (valueB == valueD). Only the value is
discarded, so csnD is still applied. The full topology will have either
valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by
substitution, all servers have valueD w/ csnD.

Nathaniel




Re: [Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree

2014-10-08 Thread Alexander Bokovoy

On Tue, 07 Oct 2014, Ludwig Krispenz wrote:

Hi Alex,

I have a question regarding cbdata.target. It is/was a reference to 
the pblock used to generate a new dn, but now in 
idview_replace_target_dn(cbdata.target,...) it can be newly allocated 
and should be freed, so I think there should be a return code 
indicating if it was allocated or not.

Yes, good catch.

I've fixed this and other issues raised in the review.

I also fixed an issue with an initial lookup by an override. If someone
does a search by an override, we would replace uid|cn=value by
uid=ipaOriginalUid value if it exists and by ipaAnchorUUID value
otherwise -- for groups we don't have ipaOriginalUid as they don't have
uids. Now, the filter would look like (ipaAnchorUUID=:SID:S-...) and if
there is no entry in the map cache, the search will return nothing and the
entry will be staged for lookup through SSSD.

In the original version lookup in SSSD didn't take ipaAnchorUUID into
account, so the entry would not be found at all. I did add a call to
do sid2name first and then use the name to perform actual SSSD lookup.

Works nicely now.

New patch for slapi-nis is attached.
--
/ Alexander Bokovoy
From 1c2e7caa3e1c11cc0bc0d8477a0c27308ca8506b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 29 Jul 2014 12:04:34 +0300
Subject: [PATCH] Add support for FreeIPA ID views

FreeIPA ID views allow overriding POSIX attributes for certain
users and groups.

Support is added to allow using a specific ID view when serving the
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before being served out to the LDAP client.

A view to use is specified as a part of the base DN:

cn=view,cn=views,cn=compat,$SUFFIX

where cn=compat,$SUFFIX is the original compatibility tree base DN.

Each entry, when served through the view, gets a new DN rewritten to
specify the view. Additionally, if an override in the view changes the
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.

For groups the memberUid attribute is modified as well in case there is an override
in the view that changes the uid value of that member.

FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case a trusted AD domain's user or group is returned via the compatibility tree,
view overrides are applied in two stages:
  1. SSSD applies the default view for AD users
  2. slapi-nis applies the explicitly specified (host-specific) view
     on top of the entry returned by SSSD

Thus, slapi-nis does not need to apply the default view for AD users and if there
are no host-specific views in use, there is no need to specify a view in the base DN,
making the overhead of a default view for AD users lower.
---
 configure.ac  |  14 ++
 doc/ipa/sch-ipa.txt   |  93 
 src/Makefile.am   |   4 +
 src/back-sch-idview.c | 392 ++
 src/back-sch-nss.c| 111 +++---
 src/back-sch.c|  71 +++--
 src/back-sch.h|  38 +
 7 files changed, 692 insertions(+), 31 deletions(-)
 create mode 100644 src/back-sch-idview.c

diff --git a/configure.ac b/configure.ac
index 84b84d1..71dbdc7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -383,6 +383,20 @@ if test x$use_nsswitch != xno ; then
AC_DEFINE(USE_NSSWITCH,1,[Use nsswitch API to lookup users and groups 
not found in the LDAP tree])
 fi
 
+use_idviews=true
+AC_ARG_WITH(idviews,
+   AS_HELP_STRING([--with-idviews], [Use FreeIPA ID views to override 
POSIX IDs of users and groups]),
+   use_idviews=$withval,use_idviews=yes)
+if test x$use_idviews = xyes ; then
+   AC_MSG_RESULT([FreeIPA ID views support is enabled])
+   AC_DEFINE(USE_IPA_IDVIEWS,1,[Use FreeIPA ID views to override POSIX 
attributes of users and groups per view.])
+   AC_DEFINE(IPA_IDVIEWS_ATTR_ANCHORUUID, [ipaAnchorUUID],[FreeIPA attr 
unique pointer for id overrides])
+   AC_DEFINE(IPA_IDVIEWS_ATTR_ORIGINALUID, [ipaOriginalUid],[FreeIPA 
attr original uid value for user id overrides])
+else
+   AC_MSG_RESULT([FreeIPA ID views support is disabled])
+fi
+AM_CONDITIONAL([USE_IPA_IDVIEWS], [test x$use_idviews != xno])
+
 mylibdir=`eval echo $libdir | sed s,NONE,${ac_default_prefix},g`
 mylibdir=`eval echo $mylibdir | sed s,NONE,${ac_prefix},g`
 case $server in
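Review bot: the enable test is inconsistent: `AC_DEFINE(USE_IPA_IDVIEWS, ...)` only runs when `x$use_idviews = xyes`, while `AM_CONDITIONAL([USE_IPA_IDVIEWS], [test x$use_idviews != xno])` is true for any value other than `no`, so `--with-idviews=foo` compiles `back-sch-idview.c` into the module without the preprocessor macro that the rest of the code keys on. Use the same test in both places (or normalise `$withval` to yes/no first). The initial `use_idviews=true` is dead as well, since `AC_ARG_WITH` always assigns either `$withval` or `yes`.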
diff --git a/doc/ipa/sch-ipa.txt b/doc/ipa/sch-ipa.txt
index b5a585b..f560580 100644
--- a/doc/ipa/sch-ipa.txt
+++ b/doc/ipa/sch-ipa.txt
@@ -87,3 +87,96 @@ on  IPA masters.
 
 As 'system-auth' PAM service is not used directly by any other application, it
 is safe to use it for trusted domain users via compatibility path.
+
+== Support for ID views ==
+
+When FreeIPA 4.1 is in use, Schema compatibility plugin can be configured to
+override POSIX attributes according to an identity view (ID View) which
+contains overrides for users and groups.
+
+The overrides are managed by 
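Added example, not slapi-nis code: a Python sketch of the rewriting the commit message describes when a compat entry is served through a view. Assumptions of this sketch: the view's overrides are looked up by an ipaAnchorUUID value carried on the compat entry, user overrides carry ipaOriginalUid (the attribute the configure.ac hunk names) so that memberUid values in groups can be mapped, and DNs are handled as plain strings with no RDN escaping; the suffix, users, group and view are constructed.

```python
# Added example (not slapi-nis): how an entry from the compat tree is served
# through an ID view, following the commit message above.  DN handling is
# simplified (no RDN escaping); looking overrides up by an ipaAnchorUUID value
# on the compat entry is an assumption of this example.

import copy

SUFFIX = "dc=example,dc=com"          # constructed suffix
COMPAT_BASE = "cn=compat," + SUFFIX


def view_base(view):
    """Base DN of the compat tree as seen through `view`."""
    return "cn=%s,cn=views,%s" % (view, COMPAT_BASE)


def rewrite_dn(dn, view, new_rdn_value=None):
    """Move a compat DN under the view base; replace the RDN value when an
    override changed the naming attribute (uid for users, cn for groups)."""
    rdn, parent = dn.split(",", 1)
    if not parent.endswith(COMPAT_BASE):
        raise ValueError("not a compat tree DN: %s" % dn)
    if new_rdn_value is not None:
        attr = rdn.split("=", 1)[0]
        rdn = "%s=%s" % (attr, new_rdn_value)
    parent = parent[:-len(COMPAT_BASE)] + view_base(view)
    return rdn + "," + parent


def apply_view(entry, view, overrides):
    """Return a copy of `entry` as served through `view`.

    `overrides` maps anchor -> {attribute: value}.  User overrides carry
    ipaOriginalUid, which lets group memberUid values be rewritten."""
    served = copy.deepcopy(entry)
    is_user = "posixAccount" in entry["objectClass"]
    naming_attr = "uid" if is_user else "cn"

    anchor = entry.get("ipaAnchorUUID", [None])[0]
    ov = overrides.get(anchor, {})
    for attr, value in ov.items():
        if attr != "ipaOriginalUid":          # bookkeeping, not a served attribute
            served[attr] = [value]

    # The DN always moves under the view; the RDN changes only if the
    # naming attribute was overridden.
    served["dn"] = rewrite_dn(entry["dn"], view, ov.get(naming_attr))

    # Groups: members whose uid is overridden in this view are renamed.
    if not is_user and "memberUid" in served:
        uid_map = {o["ipaOriginalUid"]: o["uid"] for o in overrides.values()
                   if "ipaOriginalUid" in o and "uid" in o}
        served["memberUid"] = [uid_map.get(m, m) for m in served["memberUid"]]
    return served


# Constructed sample data.
ALICE = {
    "dn": "uid=alice,cn=users," + COMPAT_BASE,
    "objectClass": ["posixAccount"],
    "uid": ["alice"], "uidNumber": ["1001"], "gidNumber": ["1001"],
    "homeDirectory": ["/home/alice"],
    "ipaAnchorUUID": [":IPA:example.com:alice-uuid"],
}
DEVS = {
    "dn": "cn=devs,cn=groups," + COMPAT_BASE,
    "objectClass": ["posixGroup"],
    "cn": ["devs"], "gidNumber": ["2000"],
    "memberUid": ["alice", "bob"],
    "ipaAnchorUUID": [":IPA:example.com:devs-uuid"],
}
# In the constructed view "legacy", alice is known as alice2 with uid 5001.
LEGACY_VIEW = {
    ":IPA:example.com:alice-uuid": {
        "uid": "alice2", "uidNumber": "5001", "ipaOriginalUid": "alice"},
}

if __name__ == "__main__":
    print(apply_view(ALICE, "legacy", LEGACY_VIEW)["dn"])
    print(apply_view(DEVS, "legacy", LEGACY_VIEW)["memberUid"])
```

Served through `cn=legacy,cn=views,cn=compat,...`, alice's entry gets the RDN `uid=alice2` and uidNumber 5001, the devs group lists `alice2` instead of `alice`, and an entry with no override in the view only has its DN moved under the view base.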

Re: [Freeipa-devel] [PATCH 0133] Fix ipactl service ordering

2014-10-08 Thread Martin Basti

On 08/10/14 16:59, Martin Basti wrote:
IPA sorts service order alphabetically; this patch modifies ipactl to
use integers.


How to reproduce:
set attribute ipaConfigString: startOrder 150
DN: cn=HTTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

then run
#ipactl restart

httpd service should start as last service, but it starts almost first.

Patch attached.



selfNACK

--
Martin Basti



Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread thierry bordaz

On 10/08/2014 07:30 PM, Nathaniel McCallum wrote:

On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote:

On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:

Attached is the latest patch. I believe this includes all of our
discussions up until this point. However, a few bits of additional
information are needed.

First, I have renamed the plugin to ipa-otp-counter. I believe all
replay prevention work can land inside this plugin, so the name is
appropriate.

Second, I uncovered a bug in 389 which prevents me from validating the
non-replication request in bepre. This is the reason for the additional
betxnpre callback. If the upstream 389 bug is fixed, we can merge this
check back into bepre. https://fedorahosted.org/389/ticket/47919

Third, I believe we are now handling replication correctly. An error is
never returned. When a replication would cause the counter to decrease,
we remove all counter/watermark related mods from the operation. This
will allow the replication to apply without decrementing the value.
There is also a new bepost method which checks to see if the replication
was discarded (via CSN) while having a higher counter value. If so, we
apply the higher counter value.

For me the code is good. It took me some time to understand the benefit
of removing mods in preop.
In fact I think it is a good idea, as it prevents extra repair ops and
also makes the computation of the value to set in the repair mod easier.

Here is the scenario. Server X receives two quick authentications;
replications A and B are sent to server Y. Before server Y can process
server X's replications, an authentication is performed on server Y;
replication C is sent to server X. The following logic holds true:
   * csnA < csnB < csnC
   * valueA = valueC, valueB > valueC

When server X receives replication C, ipa-otp-counter will strip out all
counter mod operations; applying the update but not the lower value. The
value of replication B is retained. This is the correct behavior.

When server Y processes replications A and B, ipa-otp-counter will
detect that a higher value has a lower CSN and will manually set the
higher value (in bepost). This initiates replication D, which is sent to
server X. Here is the logic:
   * csnA < csnB < csnC < csnD
   * valueA = valueC, valueB = valueD, valueD > valueC

Server X receives replication D. D has the highest CSN. It has the same
value as replication B (server X's current value). Because the values
are the same, ipa-otp-counter will strip all counter mod operations.
This reduces counter write contention which might become a problem in
N-way replication when N > 2.

I think we should rather let the mods go on, so that the full
topology will have
valueD (or valueB)/csnD rather than having a set of servers with
valueD/csnB and another set with valueD/csnD.

I think you misunderstand. The value for csnD is only discarded when the
server already has valueB (valueB == valueD). Only the value is
discarded, so csnD is still applied. The full topology will have either
valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by
substitution, all servers have valueD w/ csnD.

Nathaniel



There are several places where the CSNs are stored.
One is used to allow the replication protocol to send the appropriate
updates. This part is stored in a dedicated entry: the RUV.
In fact when the update valueD/csnD is received and applied, the
RUV will be updated with csnD.


Another part is the attribute/attribute values. An attribute value
contains the actual value and the CSN associated to that value.
This CSN is updated by entry_apply_mod_wsi when it decides which value
to keep and which CSN is associated to this value.


In the example above, on the server X, the counter attribute has
valueB/csnB. Then it receives the update valueD/csnD and discards this
update because valueD=valueB. That means that on server X we will have
valueB/csnB.


Now if on another server we receive the updates in the reverse order:
valueD/csnD first then valueB/csnB.

This server will apply valueD/csnD and then will discard valueB/csnB.

valueD and valueB being identical, it is not a big issue. But we will
have some servers with csnD and others with csnB.


thanks
thierry





Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Rich Megginson

On 10/08/2014 01:45 PM, thierry bordaz wrote:

On 10/08/2014 07:30 PM, Nathaniel McCallum wrote:

On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote:

On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:

Attached is the latest patch. I believe this includes all of our
discussions up until this point. However, a few bits of additional
information are needed.

First, I have renamed the plugin to ipa-otp-counter. I believe all
replay prevention work can land inside this plugin, so the name is
appropriate.

Second, I uncovered a bug in 389 which prevents me from validating the
non-replication request in bepre. This is the reason for the additional
betxnpre callback. If the upstream 389 bug is fixed, we can merge this
check back into bepre. https://fedorahosted.org/389/ticket/47919

Third, I believe we are now handling replication correctly. An error is
never returned. When a replication would cause the counter to decrease,
we remove all counter/watermark related mods from the operation. This
will allow the replication to apply without decrementing the value.
There is also a new bepost method which checks to see if the replication
was discarded (via CSN) while having a higher counter value. If so, we
apply the higher counter value.

For me the code is good. It took me some time to understand the benefit
of removing mods in preop.
In fact I think it is a good idea, as it prevents extra repair ops and
also makes the computation of the value to set in the repair mod easier.

Here is the scenario. Server X receives two quick authentications;
replications A and B are sent to server Y. Before server Y can process
server X's replications, an authentication is performed on server Y;
replication C is sent to server X. The following logic holds true:
   * csnA < csnB < csnC
   * valueA = valueC, valueB > valueC

When server X receives replication C, ipa-otp-counter will strip out all
counter mod operations; applying the update but not the lower value. The
value of replication B is retained. This is the correct behavior.

When server Y processes replications A and B, ipa-otp-counter will
detect that a higher value has a lower CSN and will manually set the
higher value (in bepost). This initiates replication D, which is sent to
server X. Here is the logic:
   * csnA < csnB < csnC < csnD
   * valueA = valueC, valueB = valueD, valueD > valueC

Server X receives replication D. D has the highest CSN. It has the same
value as replication B (server X's current value). Because the values
are the same, ipa-otp-counter will strip all counter mod operations.
This reduces counter write contention which might become a problem in
N-way replication when N > 2.

I think we should rather let the mods go on, so that the full
topology will have
valueD (or valueB)/csnD rather than having a set of servers with
valueD/csnB and another set with valueD/csnD.

I think you misunderstand. The value for csnD is only discarded when the
server already has valueB (valueB == valueD). Only the value is
discarded, so csnD is still applied. The full topology will have either
valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by
substitution, all servers have valueD w/ csnD.

Nathaniel



There are several places where the CSNs are stored.
One is used to allow the replication protocol to send the appropriate
updates. This part is stored in a dedicated entry: the RUV.
In fact when the update valueD/csnD is received and applied, the
RUV will be updated with csnD.


Another part is the attribute/attribute values. An attribute value
contains the actual value and the CSN associated to that value.
This CSN is updated by entry_apply_mod_wsi when it decides which value
to keep and which CSN is associated to this value.


In the example above, on the server X, the counter attribute has
valueB/csnB. Then it receives the update valueD/csnD and discards this
update because valueD=valueB. That means that on server X we will have
valueB/csnB.


Now if on another server we receive the updates in the reverse order:
valueD/csnD first then valueB/csnB.

This server will apply valueD/csnD and then will discard valueB/csnB.

valueD and valueB being identical, it is not a big issue. But we will
have some servers with csnD and others with csnB.


The CSN is also the key in the changelog database.



thanks
thierry





Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 21:45 +0200, thierry bordaz wrote:
 On 10/08/2014 07:30 PM, Nathaniel McCallum wrote:
  On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote:
  On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:
  Attached is the latest patch. I believe this includes all of our
  discussions up until this point. However, a few bits of additional
  information are needed.
 
  First, I have renamed the plugin to ipa-otp-counter. I believe all
  replay prevention work can land inside this plugin, so the name is
  appropriate.
 
  Second, I uncovered a bug in 389 which prevents me from validating the
  non-replication request in bepre. This is the reason for the additional
  betxnpre callback. If the upstream 389 bug is fixed, we can merge this
  check back into bepre. https://fedorahosted.org/389/ticket/47919
 
  Third, I believe we are now handling replication correctly. An error is
  never returned. When a replication would cause the counter to decrease,
  we remove all counter/watermark related mods from the operation. This
  will allow the replication to apply without decrementing the value.
  There is also a new bepost method which checks to see if the replication
  was discarded (via CSN) while having a higher counter value. If so, we
  apply the higher counter value.
  For me the code is good. It took me some time to understand the benefit
  of removing mods in preop.
  In fact I think it is a good idea, as it prevents extra repair ops and
  also makes the computation of the value to set in the repair mod easier.
  Here is the scenario. Server X receives two quick authentications;
  replications A and B are sent to server Y. Before server Y can process
  server X's replications, an authentication is performed on server Y;
  replication C is sent to server X. The following logic holds true:
 * csnA < csnB < csnC
 * valueA = valueC, valueB > valueC
 
  When server X receives replication C, ipa-otp-counter will strip out all
  counter mod operations; applying the update but not the lower value. The
  value of replication B is retained. This is the correct behavior.
 
  When server Y processes replications A and B, ipa-otp-counter will
  detect that a higher value has a lower CSN and will manually set the
  higher value (in bepost). This initiates replication D, which is sent to
  server X. Here is the logic:
 * csnA < csnB < csnC < csnD
 * valueA = valueC, valueB = valueD, valueD > valueC
 
  Server X receives replication D. D has the highest CSN. It has the same
  value as replication B (server X's current value). Because the values
  are the same, ipa-otp-counter will strip all counter mod operations.
  This reduces counter write contention which might become a problem in
  N-way replication when N > 2.
  I think we should rather let the mods go on, so that the full
  topology will have
  valueD (or valueB)/csnD rather than having a set of servers with
  valueD/csnB and another set with valueD/csnD.
  I think you misunderstand. The value for csnD is only discarded when the
  server already has valueB (valueB == valueD). Only the value is
  discarded, so csnD is still applied. The full topology will have either
  valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by
  substitution, all servers have valueD w/ csnD.
 
  Nathaniel
 
 
 There are several parts where the CSNs are stored.
 One is used to allow the replication protocol to send the appropriate
 updates. This part is stored in a dedicated entry: the RUV.
 In fact when the update valueD/csnD is received and applied, the
 RUV will be updated with csnD.
 
 Another part is the attribute/attribute values. An attribute value
 contains the actual value and the CSN associated to that value.
 This CSN is updated by entry_apply_mod_wsi when it decides which value
 to keep and which CSN is associated to this value.
 
 In the example above, on the server X, the counter attribute has
 valueB/csnB. Then it receives the update valueD/csnD and discards this
 update because valueD = valueB. That means that on server X we will have
 valueB/csnB.

It does not discard the update (CSN). It discards the value because
valueD == valueB. So csnD will be applied, it just won't touch the
counter values; valueB will be retained.

 Now if on another server we receive the updates in the reverse order:
 valueD/csnD first, then valueB/csnB.
 This server will apply valueD/csnD and then discard valueB/csnB.

This server will apply valueD/csnD AND csnB, but not valueB. This is
because valueB == valueD.

 ValueD and ValueB being identical it is not a big issue. But we will 
 have some server with csnD and others with csnB.

As I understand my code, all servers will have csnD. Some servers will
have valueB and others will have valueD, but valueB == valueD.

We *never* discard a CSN. We only discard the counter/watermark mods in
the replication operation.

Nathaniel


Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 13:53 -0600, Rich Megginson wrote:
 On 10/08/2014 01:45 PM, thierry bordaz wrote:
  On 10/08/2014 07:30 PM, Nathaniel McCallum wrote:
  On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote:
  On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:
  Attached is the latest patch. I believe this includes all of our
  discussions up until this point. However, a few bits of additional
  information are needed.
 
  First, I have renamed the plugin to ipa-otp-counter. I believe all
  replay prevention work can land inside this plugin, so the name is
  appropriate.
 
  Second, I uncovered a bug in 389 which prevents me from validating the
  non-replication request in bepre. This is the reason for the 
  additional
  betxnpre callback. If the upstream 389 bug is fixed, we can merge this
  check back into bepre. https://fedorahosted.org/389/ticket/47919
 
  Third, I believe we are now handling replication correctly. An error is
  never returned. When a replication would cause the counter to decrease,
  we remove all counter/watermark related mods from the operation. This
  will allow the replication to apply without decrementing the value.
  There is also a new bepost method which checks to see if the replication
  was discarded (via CSN) while having a higher counter value. If so, we
  apply the higher counter value.
  For me the code is good. It took me some time to understand the benefit
  of removing mods in preop.
  In fact I think it is a good idea, as it prevents extra repair ops and
  also makes the computation of the value to set in the repair mod easier.
  Here is the scenario. Server X receives two quick authentications;
  replications A and B are sent to server Y. Before server Y can process
  server X's replications, an authentication is performed on server Y;
  replication C is sent to server X. The following logic holds true:
 * csnA < csnB < csnC
 * valueA = valueC, valueB > valueC
 
  When server X receives replication C, ipa-otp-counter will strip 
  out all
  counter mod operations; applying the update but not the lower 
  value. The
  value of replication B is retained. This is the correct behavior.
 
  When server Y processes replications A and B, ipa-otp-counter will
  detect that a higher value has a lower CSN and will manually set the
  higher value (in bepost). This initiates replication D, which is 
  sent to
  server X. Here is the logic:
 * csnA < csnB < csnC < csnD
 * valueA = valueC, valueB = valueD, valueD > valueC
 
  Server X receives replication D. D has the highest CSN. It has the 
  same
  value as replication B (server X's current value). Because the values
  are the same, ipa-otp-counter will strip all counter mod operations.
  This reduces counter write contention which might become a problem in
  N-way replication when N > 2.
  I think we should rather let the mods go on, so that the full
  topology will have
  valueD (or valueB)/csnD rather than having a set of servers with
  valueD/csnB and another set with valueD/csnD.
  I think you misunderstand. The value for csnD is only discarded when the
  server already has valueB (valueB == valueD). Only the value is
  discarded, so csnD is still applied. The full topology will have either
  valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by
  substitution, all servers have valueD w/ csnD.
 
  Nathaniel
 
 
  There are several parts where the CSNs are stored.
  One is used to allow the replication protocol to send the appropriate
  updates. This part is stored in a dedicated entry: the RUV.
  In fact when the update valueD/csnD is received and applied, the
  RUV will be updated with csnD.
 
  Another part is the attribute/attribute values. An attribute value
  contains the actual value and the CSN associated to that value.
  This CSN is updated by entry_apply_mod_wsi when it decides which value
  to keep and which CSN is associated to this value.
 
  In the example above, on the server X, the counter attribute has
  valueB/csnB. Then it receives the update valueD/csnD and discards this
  update because valueD = valueB. That means that on server X we will have
  valueB/csnB.
 
  Now if on another server we receive the updates in the reverse order:
  valueD/csnD first, then valueB/csnB.
  This server will apply valueD/csnD and then discard valueB/csnB.
 
  ValueD and valueB being identical, it is not a big issue. But we will
  have some servers with csnD and others with csnB.
 
 The CSN is also the key in the changelog database.

Right. We *never* discard a replication operation. We only discard some
of its mods if and only if those mods would result in either no change
at all or an illegal change. If an illegal change would occur, we also
issue a new fixup replication request so that everyone quickly gets
consistency.

Nathaniel



Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Simo Sorce
On Wed, 08 Oct 2014 15:53:39 -0400
Nathaniel McCallum npmccal...@redhat.com wrote:

 As I understand my code, all servers will have csnD. Some servers will
 have valueB and others will have valueD, but valueB == valueD.
 
 We *never* discard a CSN. We only discard the counter/watermark mods
 in the replication operation.

What Thierry is saying is that the individual attributes in the entry
have, associated with them, the last CSN that modified them. Because you
remove the mods when valueD == valueB the counter attribute will not have
its associated CSN changed. But it doesn't really matter because the
plugin will always keep things consistent.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name

2014-10-08 Thread Nathaniel McCallum
The background of this email is this bug:
https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not
very helpful, I know). They depend on this fix in 389:
https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The
operation itself succeeds, but no control is sent.

The relevant sections from the log are attached. 389 is denying access
to the following attributes (* = valid, ! = invalid):
! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

The ACIs allowing access to most of these attributes are here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the
above invalidly restricted attributes). Hence, I know the ACIs are
working just fine.

Part of the strange thing is that in the post read control request, I
haven't indicated that I want *any* attributes returned (i.e. I want
just the DN). So I'm not sure why it is querying all the attributes. I
would suspect that the proper behavior would be to only check the ACIs
on attributes that will actually be returned.

2. The second patch (0002) modifies the ACI for normal user token
addition from this:

aci: (target = "ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX")(targetfilter
= "(objectClass=ipaToken)")(version 3.0; acl "Users can create
self-managed tokens"; allow (add) userattr = "ipatokenOwner#SELFDN" and
userattr = "managedBy#SELFDN";)

To this:

aci: (target = "ldap:///ipatokenuniqueid=autogenerate,cn=otp,
$SUFFIX")(targetfilter = "(objectClass=ipaToken)")(version 3.0; acl
"Users can create self-managed tokens"; allow (add) userattr =
"ipatokenOwner#SELFDN" and userattr = "managedBy#SELFDN";)

The idea is to allow users to create tokens which will be expanded by
the UUID plugin. Unfortunately, after the UUID is expanded, the ACIs are
checked. Since the expanded UUID no longer matches the ACI, the addition
is denied. Is this truly the correct behavior? I would think that the
ACIs would be checked before the UUID plugin, not after.
From 7e9d847ec2d9b1b3829abbf3ec6961091d378fc7 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Wed, 8 Oct 2014 16:20:21 -0400
Subject: [PATCH 2/2] Use UUID plugin to generate ipaTokenUniqueIDs

This lets us deny custom ipaTokenUniqueIDs to non-admin users.

https://fedorahosted.org/freeipa/ticket/4456
---
 install/share/Makefile.am|  1 +
 install/share/default-aci.ldif   |  2 +-
 install/share/uuid-ipatokenuniqueid.ldif | 11 
 install/updates/40-otp.update|  3 +-
 ipalib/plugins/otptoken.py   | 47 ++--
 ipaserver/install/dsinstance.py  |  1 +
 6 files changed, 42 insertions(+), 23 deletions(-)
 create mode 100644 install/share/uuid-ipatokenuniqueid.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 7d8ceb60e6374e133cfb6e3684bc307dbf313ce7..19bea40c872f148a3a7b8dcafca6e576429e3ace 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -63,6 +63,7 @@ app_DATA =\
 	user_private_groups.ldif	\
 	host_nis_groups.ldif		\
 	uuid-ipauniqueid.ldif		\
+	uuid-ipatokenuniqueid.ldif	\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
 	root-autobind.ldif		\
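Review bot: the new uuid-ipatokenuniqueid.ldif is added to app_DATA here, but its contents are not in this excerpt, and the diffstat also lists install/updates/40-otp.update and ipaserver/install/dsinstance.py. Please confirm that the update file configures the UUID plugin for ipatokenUniqueID on upgraded servers exactly as dsinstance.py does on fresh installs: on a replica that never gets that configuration, an add with RDN ipatokenuniqueid=autogenerate would pass the new ACI and be stored with that literal RDN, and a second self-managed token for any user would then collide on the same DN.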
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b6519b291dbaaa075e949317154c047da8f32ce 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -96,4 +96,4 @@ aci: (targetfilter = (objectClass=ipatokenTOTP))(targetattrs = ipatokenOTPalg
 aci: (targetfilter = (objectClass=ipatokenHOTP))(targetattrs = ipatokenOTPalgorithm || ipatokenOTPdigits)(version 3.0; acl Users/managers can see HOTP details; allow (read, search, compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;)
 aci: (targetfilter = (objectClass=ipaToken))(targetattrs = description || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial)(version 3.0; acl Managers can write basic token info; allow (write) userattr = managedBy#USERDN;)
 aci: (targetfilter = (objectClass=ipaToken))(version 3.0; acl Managers can delete tokens; allow (delete) userattr = managedBy#USERDN;)
-aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
+aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)
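Review bot: the narrowed target ipatokenuniqueid=autogenerate,cn=otp,$SUFFIX does not achieve the goal stated in the commit message, because, as the cover mail itself reports, the ACI is evaluated after the UUID plugin has rewritten the RDN, so for a non-admin user the (add) no longer matches the target and is denied. Unless 389 changes the order in which the UUID plugin and the ACI check run, this ACI cannot express "users may add only auto-named tokens". Suggest keeping the wildcard target `ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX` here and rejecting a client-supplied ipatokenUniqueID for non-admins in the otptoken command (ipalib/plugins/otptoken.py is already touched by this patch) or in a slapi preop, where the check runs before the RDN is replaced.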
diff --git 

Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 17:19 -0400, Simo Sorce wrote:
 On Wed, 08 Oct 2014 15:53:39 -0400
 Nathaniel McCallum npmccal...@redhat.com wrote:
 
  As I understand my code, all servers will have csnD. Some servers will
  have valueB and others will have valueD, but valueB == valueD.
  
  We *never* discard a CSN. We only discard the counter/watermark mods
  in the replication operation.
 
 What Thierry is saying is that the individual attributes in the entry
 have, associated with them, the last CSN that modified them. Because you
 remove the mods when valueD == valueB the counter attribute will not have
 its associated CSN changed. But it doesn't really matter because the
 plugin will always keep things consistent.

Oh, I thought this was only being tracked on a per-entry basis. If it
really matters, I can undo this optimization (it is a single character
change). It will just be some extra writes.

Nathaniel

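The X/Y scenario and the "strip mods when the value is unchanged" optimization argued over in this exchange, as a constructed simulation. This is an added example, not code from the ipa-otp-counter patch or from 389. It assumes integer CSNs drawn from one shared clock, a single counter attribute carrying a value-level CSN, a RUV reduced to "highest CSN applied", and a bepost repair modelled as a fresh local write; `strip_equal=True` is the optimization (drop counter mods whose value equals the current one), so the same scenario shows both Thierry's observation (server X keeps csnB on the attribute while Y has csnD) and the behaviour without it (every server ends on csnD). `client_modify` models the bepre refusal of decrements and deletions for non-replication requests.

```python
from dataclasses import dataclass
from typing import Optional


class Clock:
    """Monotonic CSN generator shared by all servers (stand-in for real CSNs)."""

    def __init__(self) -> None:
        self.now = 0

    def next_csn(self) -> int:
        self.now += 1
        return self.now


@dataclass(frozen=True)
class ReplOp:
    csn: int      # CSN of the replicated modify operation
    counter: int  # counter value carried by the op's mods


class Server:
    def __init__(self, name: str, clock: Clock, strip_equal: bool) -> None:
        self.name = name
        self.clock = clock
        self.strip_equal = strip_equal  # the debated optimization (assumed switch)
        self.value = 0          # ipatokenHOTPcounter
        self.value_csn = 0      # CSN attached to that attribute value
        self.ruv = 0            # highest CSN applied on this server
        self.outbox: list = []  # ops this server sends to its peers

    def _local_set(self, counter: int) -> ReplOp:
        csn = self.clock.next_csn()
        self.value, self.value_csn, self.ruv = counter, csn, csn
        op = ReplOp(csn, counter)
        self.outbox.append(op)
        return op

    def authenticate(self) -> ReplOp:
        """A successful HOTP authentication increments the counter locally."""
        return self._local_set(self.value + 1)

    def client_modify(self, counter: Optional[int]) -> bool:
        """bepre on a non-replication request: deletion and decrement are refused."""
        if counter is None or counter < self.value:
            return False  # the plugin returns an error to the client
        self._local_set(counter)
        return True

    def receive(self, op: ReplOp) -> tuple:
        """Apply one replicated modify; returns (counter mods stripped?, repair op or None)."""
        decreases = op.counter < self.value
        same = op.counter == self.value and self.strip_equal
        stripped = decreases or same
        fixup = None
        if not stripped:
            if op.csn > self.value_csn:
                # ordinary value-level resolution: the newer CSN wins
                self.value, self.value_csn = op.counter, op.csn
            elif op.counter > self.value:
                # bepost: the higher value lost to a lower CSN, re-set it under a new CSN
                fixup = self._local_set(op.counter)
        # The operation (its CSN) is always accepted; only its counter mods may be dropped.
        self.ruv = max(self.ruv, op.csn)
        return stripped, fixup


def run_scenario(strip_equal: bool) -> dict:
    """Two auths on X (A, B), one on Y (C), then Y's repair op D reaches X."""
    clock = Clock()
    x, y = Server("X", clock, strip_equal), Server("Y", clock, strip_equal)
    a = x.authenticate()            # valueA = 1
    b = x.authenticate()            # valueB = 2
    c = y.authenticate()            # valueC = 1, csnA < csnB < csnC
    c_stripped, _ = x.receive(c)    # C would decrement X: mods stripped, valueB kept
    y.receive(a)                    # valueA == valueC: nothing to change
    _, d = y.receive(b)             # valueB > valueC but csnB < csnC: repair op D
    d_stripped, _ = x.receive(d)    # valueD == valueB: only the attribute CSN differs
    return {
        "x": (x.value, x.value_csn), "y": (y.value, y.value_csn),
        "x_ruv": x.ruv, "y_ruv": y.ruv,
        "c_stripped": c_stripped, "d_csn": d.csn, "d_stripped": d_stripped,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("strip_equal=%s -> %s" % (flag, run_scenario(flag)))
```

With `strip_equal=True` both servers end on counter 2 and RUV csnD, but X's attribute still carries csnB; with `strip_equal=False` the attribute CSN converges on csnD everywhere at the cost of one extra write on X.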


Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin

2014-10-08 Thread Nathaniel McCallum
On Wed, 2014-10-08 at 17:19 -0400, Simo Sorce wrote:
 On Wed, 08 Oct 2014 15:53:39 -0400
 Nathaniel McCallum npmccal...@redhat.com wrote:
 
  As I understand my code, all servers will have csnD. Some servers will
  have valueB and others will have valueD, but valueB == valueD.
  
  We *never* discard a CSN. We only discard the counter/watermark mods
  in the replication operation.
 
 What Thierry is saying is that the individual attributes in the entry
 have, associated with them, the last CSN that modified them. Because you
 remove the mods when valueD == valueB the counter attribute will not have
 its associated CSN changed. But it doesn't really matter because the
 plugin will always keep things consistent.

Attached is a new version. It removes this optimization. If server X has
valueB/csnB and receives valueD/csnD and valueB == valueD, the
replication will be applied without any modification. However, if valueB
> valueD and csnD > csnB, the counter mods will still be stripped.

It also collapses the error check from betxnpre to bepre now that we
have a fix for https://fedorahosted.org/389/ticket/47919 committed. The
betxnpre functions are completely removed. Also, a dependency on 389
1.3.3.4 (not yet released) is added.

Nathaniel
From 368eb782ec7e4d4c245f4cee5bb819eac4ef2a30 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com
Date: Wed, 10 Sep 2014 17:31:37 -0400
Subject: [PATCH] Create ipa-otp-counter 389DS plugin

This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.

Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.

https://fedorahosted.org/freeipa/ticket/4493
https://fedorahosted.org/freeipa/ticket/4494
---
 daemons/configure.ac   |   1 +
 daemons/ipa-slapi-plugins/Makefile.am  |   1 +
 .../ipa-slapi-plugins/ipa-otp-counter/Makefile.am  |  25 ++
 daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c |  96 +
 daemons/ipa-slapi-plugins/ipa-otp-counter/berval.h |  66 
 .../ipa-otp-counter/ipa-otp-counter.sym|   1 +
 .../ipa-otp-counter/ipa_otp_counter.c  | 436 +
 .../ipa-slapi-plugins/ipa-otp-counter/ldapmod.c| 110 ++
 .../ipa-slapi-plugins/ipa-otp-counter/ldapmod.h|  54 +++
 .../ipa-otp-counter/otp-counter-conf.ldif  |  15 +
 freeipa.spec.in|   8 +-
 ipaserver/install/dsinstance.py|   4 +
 12 files changed, 814 insertions(+), 3 deletions(-)
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/berval.h
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ipa-otp-counter.sym
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.c
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h
 create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/otp-counter-conf.ldif

diff --git a/daemons/configure.ac b/daemons/configure.ac
index b4507a6d972f854331925e72869898576bdfd76f..bfcdeadcd1dc73762d8c773ee50210d9bdb91e92 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -314,6 +314,7 @@ AC_CONFIG_FILES([
 ipa-slapi-plugins/ipa-dns/Makefile
 ipa-slapi-plugins/ipa-enrollment/Makefile
 ipa-slapi-plugins/ipa-lockout/Makefile
+ipa-slapi-plugins/ipa-otp-counter/Makefile
 ipa-slapi-plugins/ipa-otp-lasttoken/Makefile
 ipa-slapi-plugins/ipa-pwd-extop/Makefile
 ipa-slapi-plugins/ipa-extdom-extop/Makefile
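Review bot: only the plugin's Makefile is registered here, while the cover mail states that collapsing the betxnpre check into bepre depends on the fix for 389 ticket 47919 and that the minimum 389 version (1.3.3.4) is raised in freeipa.spec.in. Nothing at configure time checks the installed dirsrv version, so a source build against an older 389 will compile and the non-replication decrement check in bepre will only fail at runtime; consider a configure-time version check, or at least a comment beside this entry recording the minimum.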
diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am
index 06e6ee8b86f138cce05f2184ac98c39ffaf9757f..07733921e43ac2eb9e248b276351d915a854bf7e 100644
--- a/daemons/ipa-slapi-plugins/Makefile.am
+++ b/daemons/ipa-slapi-plugins/Makefile.am
@@ -7,6 +7,7 @@ SUBDIRS =			\
 	ipa-enrollment		\
 	ipa-lockout		\
 	ipa-modrdn		\
+	ipa-otp-counter		\
 	ipa-otp-lasttoken	\
 	ipa-pwd-extop		\
 	ipa-extdom-extop	\
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am b/daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am
new file mode 100644
index ..6b18467613e9bd301ce7432b7052f0fb15aae886
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am
@@ -0,0 +1,25 @@
+MAINTAINERCLEANFILES = *~ Makefile.in
+PLUGIN_COMMON_DIR = ../common
+AM_CPPFLAGS =			\
+	-I.			\
+	-I$(srcdir)		\
+	-I$(PLUGIN_COMMON_DIR)	\
+	-I/usr/include/dirsrv	\
+	-DPREFIX=\$(prefix)\ \
+	-DBINDIR=\$(bindir)\\
+	-DLIBDIR=\$(libdir)\ \
+	-DLIBEXECDIR=\$(libexecdir)\			\
+	-DDATADIR=\$(datadir)\\
+	$(AM_CFLAGS)		\
+	$(LDAP_CFLAGS)		\
+	$(WARN_CFLAGS)
+
+plugindir =
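Review bot: `-I/usr/include/dirsrv` is hard-coded in AM_CPPFLAGS instead of coming from a configure-substituted variable, which makes the new 1.3.3.4 header requirement impossible to verify or relocate at build time; if configure already detects dirsrv for the other plugins, substitute its CFLAGS here. The `-DPREFIX=\$(prefix)\` ... `-DDATADIR=\$(datadir)\` lines show no quote characters inside the escapes in this excerpt; that is most likely mail extraction loss, but please verify the committed file produces string literals, since unquoted values would not compile. The hunk is cut off at `plugindir =`, so the install location and the list of sources could not be reviewed.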