Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.
On Wed, 08 Oct 2014, David Kupka wrote:

https://fedorahosted.org/freeipa/ticket/4587

-- David Kupka

From 883e90237fbde1075d00990568cde18773e80611 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
 ipa.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipa.1 b/ipa.1 index fc39fceaae5aa4c614ccaaa7e608f2326d926755..6acfcfd9f7ab580c9b086fa249903cdf10544cdb 100644 --- a/ipa.1 +++ b/ipa.1 @@ -149,7 +149,7 @@ Create a new user with username foo, first name foo and last name bar. \fBipa group\-add bar \-\-desc this is an example group Create a new group with name bar and description this is an example group. .TP -\fBipa group\-add\-member bar \-\-users=admin,foo\fR +\fBipa group\-add\-member bar \-\-users={admin,foo}\fR Add users admin and foo to the group bar. .TP \fBipa user\-show foo \-\-raw\fR

I would like to see a stance about shell expansion use here. Maybe add a phrase about that right after "Add users ... to the group ..."? It might not be entirely obvious to other people that we rely on shell expansion features here.

-- / Alexander Bokovoy

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
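Review bot: the replacement example `\fBipa group\-add\-member bar \-\-users={admin,foo}\fR` relies on the shell's brace expansion, which bash and zsh perform but POSIX sh does not, so a reader who pastes it into a plain sh script passes the literal string `{admin,foo}` as a single user name; the description line should say that the option is given once per user and that the braces are only a shell shortcut for `--users=admin --users=foo`. The commit message carries nothing but the ticket URL; one sentence on why `--users=admin,foo` was wrong would spare the next reader a trip to the tracker.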
Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.
On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:
On Wed, 08 Oct 2014, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4587
I would like to see a stance about shell expansion use here. Maybe add a phrase about that right after "Add users ... to the group ..."? It might not be entirely obvious to other people that we rely on shell expansion features here.

At first, I wanted to remove one of the users mentioned there but '--users=foo' looks confusing to me (using plural and specifying just one value). Personally I would prefer to change all plural parameters to singular form but it is a large change considering the benefit. What about two examples? One '--users=foo' and the other using shell expansion.

-- David Kupka
Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.
On 10/08/2014 08:19 AM, David Kupka wrote:
On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:
On Wed, 08 Oct 2014, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4587
I would like to see a stance about shell expansion use here. Maybe add a phrase about that right after "Add users ... to the group ..."? It might not be entirely obvious to other people that we rely on shell expansion features here.
At first, I wanted to remove one of the users mentioned there but '--users=foo' looks confusing to me (using plural and specifying just one value). Personally I would prefer to change all plural parameters to singular form but it is a large change considering the benefit. What about two examples? One '--users=foo' and the other using shell expansion.

I forgot to update the patch, sorry.

-- David Kupka

From 554d9b0f806f6eb7ad8ffc99fbd7ac6cb20c5c4c Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Wed, 8 Oct 2014 01:43:47 -0400
Subject: [PATCH] Fix example usage in ipa man page.

https://fedorahosted.org/freeipa/ticket/4587
---
 ipa.1 | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipa.1 b/ipa.1 index fc39fceaae5aa4c614ccaaa7e608f2326d926755..fe2a1aa7bafadd70596b5d95bca49a3f583a3c3d 100644 --- a/ipa.1 +++ b/ipa.1 @@ -149,8 +149,11 @@ Create a new user with username foo, first name foo and last name bar. \fBipa group\-add bar \-\-desc this is an example group Create a new group with name bar and description this is an example group. .TP -\fBipa group\-add\-member bar \-\-users=admin,foo\fR -Add users admin and foo to the group bar. +\fBipa group\-add\-member bar \-\-users=foo\fR +Add user foo to the group bar. +.TP +\fBipa group\-add\-member bar \-\-users={admin,foo}\fR +Add users admin and foo to the group bar. This approach depends on shell expansion feature. .TP \fBipa user\-show foo \-\-raw\fR Display user foo as (s)he is stored on the server.
-- 1.9.3
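Review bot: the new description 'Add users admin and foo to the group bar. This approach depends on shell expansion feature.' names neither the feature (brace expansion, which bash and zsh do and POSIX sh does not) nor what it expands to; say that the line is equivalent to `--users=admin --users=foo`, so that users of other shells know to repeat the option instead of typing the braces literally, and phrase it as 'depends on the shell's brace expansion'.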
Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.
On Wed, 08 Oct 2014, David Kupka wrote:
On 10/08/2014 08:19 AM, David Kupka wrote:
On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:
On Wed, 08 Oct 2014, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4587
I would like to see a stance about shell expansion use here. Maybe add a phrase about that right after "Add users ... to the group ..."? It might not be entirely obvious to other people that we rely on shell expansion features here.
At first, I wanted to remove one of the users mentioned there but '--users=foo' looks confusing to me (using plural and specifying just one value). Personally I would prefer to change all plural parameters to singular form but it is a large change considering the benefit. What about two examples? One '--users=foo' and the other using shell expansion.
I forgot to update the patch, sorry.

ACK.

-- / Alexander Bokovoy
[Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
https://fedorahosted.org/freeipa/ticket/4569

-- David Kupka

From a1363fa49a35115cfa15d51d7ae5c298828efc37 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Tue, 30 Sep 2014 08:41:49 -0400
Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig.

Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file.

https://fedorahosted.org/freeipa/ticket/4569
---
 install/restart_scripts/renew_ca_cert | 31 +-
 install/tools/ipa-upgradeconfig | 15 +++--
 ipaserver/install/cainstance.py | 108 ++
 3 files changed, 84 insertions(+), 70 deletions(-)

diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index 2ad2038703a74fe3549708549091633b35695907..e14e699bf57c631238a342ba19a3a1d483574bbb 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert
@@ -104,20 +104,23 @@ def main(): cfg_path, 'subsystem.select', '=') if config == 'New': syslog.syslog(syslog.LOG_NOTICE, Updating CS.cfg) -if x509.is_self_signed(cert, x509.DER): -installutils.set_directive( -cfg_path, 'hierarchy.select', 'Root', -quotes=False, separator='=') -installutils.set_directive( -cfg_path, 'subsystem.count', '1', -quotes=False, separator='=') -else: -installutils.set_directive( -cfg_path, 'hierarchy.select', 'Subordinate', -quotes=False, separator='=') -installutils.set_directive( -cfg_path, 'subsystem.count', '0', -quotes=False, separator='=') +with installutils.stopped_service( +configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +if x509.is_self_signed(cert, x509.DER): +installutils.set_directive( +cfg_path, 'hierarchy.select', 'Root', +quotes=False, separator='=') +installutils.set_directive( +cfg_path, 'subsystem.count', '1', +quotes=False, separator='=') +else: +installutils.set_directive( +cfg_path, 'hierarchy.select', 'Subordinate', +quotes=False, separator='=') +installutils.set_directive( +cfg_path, 'subsystem.count', '0', +quotes=False, separator='=') else: syslog.syslog(syslog.LOG_NOTICE, Not updating CS.cfg) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +with installutils.stopped_service( +configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: @@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca): root_logger.error('Cannot move CRL file to new directory: %s', e) try: -installutils.set_directive(caconfig.CS_CFG_PATH, -'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', -publishdir, quotes=False, separator='=') +with installutils.stopped_service(caconfig.SERVICE_NAME, +caconfig.PKI_INSTANCE_NAME): +installutils.set_directive(caconfig.CS_CFG_PATH, +'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', +publishdir, quotes=False, separator='=') except OSError, e: root_logger.error('Cannot update CA configuration file %s: %s', caconfig.CS_CFG_PATH, e) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 521f25d96693efe64b5859901bb3da9da79ee0ec..2793b407a88f0b5b6592f79a7b6279d2fa41a787 100644 --- a/ipaserver/install/cainstance.py +++
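Review bot: in the renew_ca_cert hunk, wrapping the `set_directive` calls in `installutils.stopped_service(configured_constants.SERVICE_NAME, configured_constants.PKI_INSTANCE_NAME)` assumes the CA service is running when this script is entered; if it is already stopped at that point, the context manager's exit may start a service that was not running before. Confirm that the helper records the current state and restores it rather than unconditionally starting the service, or guard the `with` on the service state.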
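Review bot: in the upgrade_pki hunk of ipa-upgradeconfig, the `with` stops `configured_constants.PKI_INSTANCE_NAME` while the wrapped `ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca','-subsystem_type=ca'])` still hard-codes `pki-ca`; if the two names ever differ, the wrong instance is stopped while the proxy setup runs against the other. Use the same constant for the `-pki_instance_name=` argument.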
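Review bot: in the migrate_crl_publish_dir hunk, the `with installutils.stopped_service(caconfig.SERVICE_NAME, caconfig.PKI_INSTANCE_NAME):` block now sits inside `try: ... except OSError, e:`, so a failure to stop or restart the CA service will not be caught by that clause (and will not be reported as 'Cannot update CA configuration file') unless the helper happens to raise OSError. Either move the `with` outside the try, or catch the service-control error separately and log it on its own.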
Re: [Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add
On 10/07/2014 06:48 PM, Jan Cholasta wrote:
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4540. The error message is now the generic ACI error message, e.g. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=something/somehost.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.
Honza

Yup, simpler is better in this case. The certmonger tracker seems easier to understand to me now:

  # ipa-getcert list -i 20141008071708
  Number of certificates and requests being tracked: 9.
  Request ID '20141008071708':
    status: CA_REJECTED
    ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=test/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

ACK.

Pushed to:
master: 8e602eaf46b71ad8f713f549d6a823c70567bb22
ipa-4-1: ed5ffbfd75f3f1a62581c50a2c64d9e75fc74081
ipa-4-0: 80da03a2169de3a78edec42c1eab1f87734f49a7

Martin
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
Hi,

On 8.10.2014 at 09:09, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4569

In renew_ca_cert and cainstance.py, dogtag should already be stopped in the places you modified, so why the change?

Also I don't think it's a good idea to back up CS.cfg when dogtag is still running (in cainstance.py). If the file is being modified by dogtag at the time it is backed up, the backup may be corrupted.

Honza

-- Jan Cholasta
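One way to make the CS.cfg edit itself safe against a half-written file, as an added example that is not FreeIPA's installutils.set_directive: write the new contents to a temporary file in the same directory, fsync it, and rename it over the original, so a reader sees either the complete old file or the complete new one. The function names, the temp-file prefix and the sample directives are this example's own choices, and the sample CS.cfg it edits is constructed. It does not solve the problem the thread is about: a running Dogtag can still rewrite the file from its in-memory copy, which is why the patch stops the service around the edit; the rename only protects against partial writes from this side.

```python
import os
import shutil
import tempfile


def set_cfg_directive(path, key, value, separator="="):
    """Set `key<separator>value` in a key=value config file, atomically.

    Returns True when an existing directive was replaced and False when the
    key was absent and has been appended. A later duplicate of the same key
    is dropped so the file cannot end up carrying two conflicting values.
    Ownership is not restored; the caller is expected to run as the owner.
    """
    new_line = "%s%s%s\n" % (key, separator, value)
    replaced = False
    out_lines = []
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            text = line.rstrip("\n")
            name, sep, _ = text.partition(separator)
            # compare the whole key: "subsystem.count" must not match
            # "subsystem.count.extra"; commented-out lines are left alone
            if sep and name.strip() == key and not text.lstrip().startswith("#"):
                if not replaced:
                    out_lines.append(new_line)
                    replaced = True
                continue
            out_lines.append(line)
    if not replaced:
        out_lines.append(new_line)

    mode = os.stat(path).st_mode & 0o7777
    dir_name = os.path.dirname(os.path.abspath(path))
    # temp file in the same directory, so the final rename is one atomic step
    fd, tmp = tempfile.mkstemp(prefix=".%s." % os.path.basename(path), dir=dir_name)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.writelines(out_lines)
            out.flush()
            os.fsync(out.fileno())   # contents on disk before the rename
        os.chmod(tmp, mode)          # keep the original permission bits
        os.replace(tmp, path)        # readers see the old or the new file, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise
    return replaced


def get_cfg_directive(path, key, separator="="):
    """Return the value of key, or None if it is not set."""
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            name, sep, val = line.rstrip("\n").partition(separator)
            if sep and name.strip() == key:
                return val
    return None


def run_sample():
    """Edit a constructed throwaway CS.cfg in a temp dir and report what changed."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "CS.cfg")
    with open(path, "w", encoding="utf-8") as f:
        f.write("# constructed sample, not a real CS.cfg\n"
                "hierarchy.select=Subordinate\n"
                "subsystem.count=0\n"
                "subsystem.count.extra=keep\n")
    results = {
        "replaced_hierarchy": set_cfg_directive(path, "hierarchy.select", "Root"),
        "replaced_count": set_cfg_directive(path, "subsystem.count", "1"),
        "appended_new": set_cfg_directive(path, "proxy.securePort", "443"),
    }
    with open(path, encoding="utf-8") as f:
        results["text"] = f.read()
    results["values"] = {k: get_cfg_directive(path, k) for k in
                         ("hierarchy.select", "subsystem.count",
                          "subsystem.count.extra", "proxy.securePort")}
    results["leftover_tmp"] = [n for n in os.listdir(d) if n != "CS.cfg"]
    shutil.rmtree(d)
    return results
```

Call `set_cfg_directive(cfg_path, 'hierarchy.select', 'Root')` from inside whatever stops the service; `run_sample()` exercises the replace, the exact-key match and the append path on a constructed file and confirms no temp file is left behind.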
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On 10/07/2014 08:48 PM, Nathaniel McCallum wrote:
On Tue, 2014-10-07 at 10:52 -0700, Noriko Hosoi wrote:
On 2014/10/07 10:48, Nathaniel McCallum wrote:
On Tue, 2014-10-07 at 18:54 +0200, thierry bordaz wrote:
On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:
Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed. First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work can land inside this plugin, so the name is appropriate. Second, I uncovered a bug in 389 which prevents me from validating the non-replication request in bepre. This is the reason for the additional betxnpre callback. If the upstream 389 bug is fixed, we can merge this check back into bepre. https://fedorahosted.org/389/ticket/47919

Hi Nathaniel, just a rapid question about that dependency on https://fedorahosted.org/389/ticket/47919. Using txnpreop_mod you manage to work around the DS issue. Do you need a fix for the DS issue in 1.3.2 or can it be fixed in a later version?

I would strongly prefer a fix ASAP.

Thanks, Nathaniel. Do you need the fix just in 389-ds-base-1.3.3.x on F21 and newer? Or any other versions, e.g., 1.3.2 on F20, 1.3.3.1-x on RHEL-7.1, etc.?

I think we are just shipping 4.1 on F21. Someone please correct me if I'm wrong.

FreeIPA 4.x already requires DS 1.3.3.*, so fixing from this version is sufficient for us. We have a Copr repo for Fedora 20 anyway, so we will just rebuild the updated DS there.

Martin
Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns
Hello,

this is going to be a little bit more interesting. The RHEL/CentOS version of FreeIPA depends on python-dns >= 1.11.1-2 but the Fedora version should depend on >= 1.12.0. RHEL contains a Git snapshot which is newer than 1.11.1 but is still not the complete 1.12.0. Fedora contains the 'proper' 1.11.1 version which is unfortunately too old.

Fedora bug for rebase to 1.12.0: https://bugzilla.redhat.com/show_bug.cgi?id=1150396

Petr^2 Spacek

On 7.10.2014 19:34, Gabe Alford wrote:
Done. Updated patch to use python-dns >= 1.11.1
On Tue, Oct 7, 2014 at 11:26 AM, Martin Basti mba...@redhat.com wrote:
On 07/10/14 15:58, Gabe Alford wrote:
Forgot to add patch.
On Tue, Oct 7, 2014 at 7:58 AM, Gabe Alford redhatri...@gmail.com wrote:
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4613 Thanks, Gabe

Thank you! I prefer to use python-dns >= 1.11.1, there are some DNSSEC fixes which we may use in tests. Could you send an updated patch please?
Re: [Freeipa-devel] [PATCH] 0021 Fix example usage in ipa man page.
On 10/08/2014 08:36 AM, Alexander Bokovoy wrote:
On Wed, 08 Oct 2014, David Kupka wrote:
On 10/08/2014 08:19 AM, David Kupka wrote:
On 10/08/2014 08:02 AM, Alexander Bokovoy wrote:
On Wed, 08 Oct 2014, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/4587
I would like to see a stance about shell expansion use here. Maybe add a phrase about that right after "Add users ... to the group ..."? It might not be entirely obvious to other people that we rely on shell expansion features here.
At first, I wanted to remove one of the users mentioned there but '--users=foo' looks confusing to me (using plural and specifying just one value). Personally I would prefer to change all plural parameters to singular form but it is a large change considering the benefit. What about two examples? One '--users=foo' and the other using shell expansion.
I forgot to update the patch, sorry.
ACK.

Pushed to:
master: f36794e8119c6005a6e802b3c4b23e13a3ac0bf5
ipa-4-1: 6e1c7df530fdc76737576c5b1190ac7c5dc59917
ipa-4-0: 9b6145420a7b57e0d0cc152bcd727206651f9b8d

Martin
[Freeipa-devel] [PATCHES] 349-350 Add ipa-client-install switch --request-cert to request cert for the host
Hi,

the attached patches fix https://fedorahosted.org/freeipa/ticket/4550.

Honza

-- Jan Cholasta

From 001f7bbc7010f106986f19d5040b272a13aa8ba8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 10:27:25 +0200
Subject: [PATCH 1/2] Fix certmonger.request_cert

https://fedorahosted.org/freeipa/ticket/4550
---
 ipapython/certmonger.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index bcfafda..05071a0 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -253,9 +253,12 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): Execute certmonger to request a server certificate. cm = _connect_to_certmonger() +ca_path = cm.obj_if.find_ca_by_nickname('IPA') request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB', CERT_LOCATION=nssdb, CERT_NICKNAME=nickname, - SUBJECT=subject, PRINCIPAL=principal,) + KEY_LOCATION=nssdb, KEY_NICKNAME=nickname, + SUBJECT=subject, PRINCIPAL=[principal], + CA=ca_path) if passwd_fname: request_parameters['KEY_PIN_FILE'] = passwd_fname result = cm.obj_if.add_request(request_parameters)
-- 1.9.3

From 993d4393388df2b4f0cad83ce5e1093b5c783e78 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 19:07:13 +0200
Subject: [PATCH 2/2] Add ipa-client-install switch --request-cert to request cert for the host

The certificate is stored in /etc/ipa/nssdb under the nickname Local IPA host.

https://fedorahosted.org/freeipa/ticket/4550
---
 ipa-client/ipa-install/ipa-client-install | 104 ++
 ipa-client/man/ipa-client-install.1 | 4 ++
 2 files changed, 96 insertions(+), 12 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e59df9..9584ba4 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -74,8 +74,6 @@ SSH_AUTHORIZEDKEYSCOMMAND = paths.SSS_SSH_AUTHORIZEDKEYS SSH_PROXYCOMMAND = paths.SSS_SSH_KNOWNHOSTSPROXY SSH_KNOWNHOSTSFILE = paths.SSSD_PUBCONF_KNOWN_HOSTS -client_nss_nickname_format = 'IPA Machine Certificate - %s' - def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): if not os.path.exists(value): @@ -158,6 +156,8 @@ def parse_options(): basic_group.add_option(--ca-cert-file, dest=ca_cert_file, type=string, action=callback, callback=validate_ca_cert_file_option, help=load the CA certificate from this file) +basic_group.add_option(--request-cert, dest=request_cert, + action=store_true, default=False) # --on-master is used in ipa-server-install and ipa-replica-install # only, it isn't meant to be used on clients. basic_group.add_option(--on-master, dest=on_master, action=store_true, @@ -482,11 +482,11 @@ def uninstall(options, env): if hostname is None: hostname = socket.getfqdn() -client_nss_nickname = client_nss_nickname_format % hostname +ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) +sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) # Always start certmonger. We can't untrack something if it isn't -# running. Note that this is legacy code to untrack any certificates -# that were created by previous versions of this installer. +# running messagebus = services.knownservices.messagebus try: messagebus.start() 
@@ -499,14 +499,24 @@ def uninstall(options, env): except Exception, e: log_service_error(cmonger.service_name, 'start', e) -try: -certmonger.stop_tracking(paths.NSS_DB_DIR, nickname=client_nss_nickname) -except (CalledProcessError, RuntimeError), e: -root_logger.error(%s failed to stop tracking certificate: %s, -cmonger.service_name, str(e)) +if ipa_db.has_nickname('Local IPA host'): +try: +certmonger.stop_tracking(paths.IPA_NSSDB_DIR, + nickname='Local IPA host') +except RuntimeError, e: +root_logger.error(%s failed to stop tracking certificate: %s, + cmonger.service_name, e) + +client_nss_nickname = 'IPA Machine Certificate - %s' % hostname +if sys_db.has_nickname(client_nss_nickname): +try: +certmonger.stop_tracking(paths.NSS_DB_DIR, + nickname=client_nss_nickname) +except RuntimeError, e: +root_logger.error(%s failed to stop tracking certificate: %s, + cmonger.service_name, e) # Remove our host cert and CA cert -ipa_db =
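Review bot: in the request_cert hunk of patch 1/2, `ca_path = cm.obj_if.find_ca_by_nickname('IPA')` is handed straight to `CA=ca_path` with no check that certmonger actually knows a CA named IPA; on a client where it was never registered, the request is submitted with whatever the lookup returns for a miss. Check the result and raise an error naming the missing CA before `cm.obj_if.add_request(request_parameters)`.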
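Review bot: in the parse_options hunk of patch 2/2, `basic_group.add_option(--request-cert, dest=request_cert, action=store_true, default=False)` carries no `help=` text, unlike the neighbouring `--ca-cert-file` option, so `ipa-client-install --help` will list the switch without saying what it does or where the certificate ends up; add a one-line help string (the man page addition in the diffstat is not shown here).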
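Review bot: in the first uninstall hunk, the comment 'Always start certmonger. We can't untrack something if it isn't' now ends on the bare word 'running' because the sentence that followed was removed along with the legacy note; finish the sentence with a full stop so the comment still reads as one.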
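Review bot: in the second uninstall hunk, both `certmonger.stop_tracking` calls narrow the except clause from `(CalledProcessError, RuntimeError)` to `RuntimeError`; if stop_tracking can still raise CalledProcessError (not visible in this patch), a failed untrack will abort uninstall instead of being logged as before. Confirm the narrower clause matches what stop_tracking raises after patch 1/2, and otherwise keep the tuple.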
Re: [Freeipa-devel] [PATCH 0034] Missing requires on python-dns
On 07/10/14 19:34, Gabe Alford wrote:
Done. Updated patch to use python-dns >= 1.11.1
On Tue, Oct 7, 2014 at 11:26 AM, Martin Basti mba...@redhat.com wrote:
On 07/10/14 15:58, Gabe Alford wrote:
Forgot to add patch.
On Tue, Oct 7, 2014 at 7:58 AM, Gabe Alford redhatri...@gmail.com wrote:
Hello, Fix for https://fedorahosted.org/freeipa/ticket/4613 Thanks, Gabe
Thank you! I prefer to use python-dns >= 1.11.1, there are some DNSSEC fixes which we may use in tests. Could you send an updated patch please?
-- Martin Basti

ACK

Thank you!

-- Martin Basti
[Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install
Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4496.

Note that this requires pki-core 10.2.0-3.

Honza

-- Jan Cholasta

From acb1995aa55fbe46adcf1a995b29f3a4d3280de5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 8 Oct 2014 10:51:31 +0200
Subject: [PATCH] Support MS CA as the external CA in ipa-server-install and ipa-ca-install

Added a new option --external-ca-type which specifies the type of the external CA. It can be either generic (the default) or ms. If ms is selected, the CSR generated for the IPA CA will include MS template name extension with template name SubCA.

https://fedorahosted.org/freeipa/ticket/4496
---
 freeipa.spec.in | 2 +-
 install/tools/ipa-ca-install | 10 +-
 install/tools/ipa-server-install | 10 +-
 install/tools/man/ipa-ca-install.1 | 6 ++
 install/tools/man/ipa-server-install.1 | 3 +++
 ipaserver/install/cainstance.py | 14 +-
 6 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index 99cd6df..6fe8704 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -113,7 +113,7 @@ Requires(post): systemd-units Requires: selinux-policy = 3.12.1-179 Requires(post): selinux-policy-base Requires: slapi-nis = 0.47.7 -Requires: pki-ca = 10.1.1 +Requires: pki-ca = 10.2.0-3 %if 0%{?rhel} Requires: subscription-manager %endif diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index df8e34b..8e6e41b 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install
@@ -68,6 +68,9 @@ def parse_options(): default=False, help=unattended installation never prompts the user) parser.add_option(--external-ca, dest=external_ca, action=store_true, default=False, help=Generate a CSR to be signed by an external CA) +parser.add_option(--external-ca-type, dest=external_ca_type, + type=choice, choices=(generic, ms), + help=Type of the external CA) parser.add_option(--external-cert-file, dest=external_cert_files, action=append, metavar=FILE, help=File containing the IPA CA certificate and the external CA certificate chain) @@ -89,6 +92,10 @@ def parse_options(): parser.error(You cannot specify --external-cert-file together with --external-ca) +if options.external_ca_type and not options.external_ca: +parser.error( +You cannot specify --external-ca-type without --external-ca) + return safe_options, options, filename def get_dirman_password(): @@ -317,7 +324,8 @@ def install_master(safe_options, options): elif external == 1: ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, - subject_base=subject_base) + subject_base=subject_base, + ca_type=options.external_ca_type) else: ca.configure_instance(host_name, domain_name, dm_password, dm_password, diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index b827dfe..e974194 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
@@ -203,6 +203,9 @@ def parse_options(): cert_group = OptionGroup(parser, certificate system options) cert_group.add_option(, --external-ca, dest=external_ca, action=store_true, default=False, help=Generate a CSR for the IPA CA certificate to be signed by an external CA) +cert_group.add_option(--external-ca-type, dest=external_ca_type, + type=choice, choices=(generic, ms), + help=Type of the external CA) cert_group.add_option(--external-cert-file, dest=external_cert_files, action=append, metavar=FILE, help=File containing the IPA CA certificate and the external CA certificate chain) @@ -374,6 +377,10 @@ def parse_options(): parser.error(You cannot specify service certificate file options together with --external-ca) +if options.external_ca_type and not options.external_ca: +parser.error( +You cannot specify --external-ca-type without --external-ca) + if (options.external_cert_files and any(not os.path.isabs(path) for path in options.external_cert_files)): parser.error(--external-cert-file must use an absolute path) @@ -1142,7 +1149,8 @@ def main(): ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, subject_base=options.subject, -
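Review bot: the freeipa.spec.in hunk raises `Requires: pki-ca` to 10.2.0-3 without saying why; the cover mail mentions that pki-core 10.2.0-3 is needed, so the commit message should name the Dogtag change this depends on (the MS template name extension in the generated CSR) so that the bump is not silently reverted later.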
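Review bot: in the ipa-ca-install hunk, `--external-ca-type` is declared with `choices=(generic, ms)` but no `default=`, so when the option is omitted `ca_type=options.external_ca_type` passes None into `configure_instance`, and the 'generic (the default)' behaviour from the commit message only holds if the callee maps None to generic (not visible here). Add `default="generic"` to the option so the CLI and the installer agree on the default.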
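Review bot: in the ipa-server-install hunk, the same missing `default=` applies, and the help text 'Type of the external CA' does not list the accepted values; optparse only reports the choices on an invalid value, so the help should read along the lines of 'Type of the external CA: generic or ms (default: generic)'.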
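The extension the patch adds to the CSR when the external CA is an MS CA, as an added example that is not FreeIPA's or Dogtag's code: a small pure-Python DER encoder for the Microsoft certificate template name extension, with a decoder to check the result. The object identifier 1.3.6.1.4.1.311.20.2 and the BMPString encoding of the name are Microsoft's definition of that extension (szOID_ENROLL_CERTTYPE_EXTENSION) taken from my own knowledge, not from this page; the template name SubCA is the one the commit message names, and how Dogtag actually assembles the CSR is not shown here.

```python
MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # assumption: MS szOID_ENROLL_CERTTYPE_EXTENSION


def _der_length(n):
    """DER length octets: one byte below 128, else 0x80|count and the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _read_tlv(buf, pos):
    """Parse one tag-length-value at pos; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID: %s" % dotted)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [arc & 0x7F]          # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return _der_tlv(0x06, bytes(out))


def encode_bmp_string(text):
    """DER BMPString (tag 0x1E): UTF-16BE, no BOM, Basic Multilingual Plane only."""
    if any(ord(c) > 0xFFFF for c in text):
        raise ValueError("template name outside the BMP")
    return _der_tlv(0x1E, text.encode("utf-16-be"))


def ms_template_name_extension(template, critical=False):
    """DER Extension { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.

    extnValue wraps the DER BMPString of the template name; critical is
    omitted when false, as DER requires for DEFAULT values.
    """
    parts = encode_oid(MS_TEMPLATE_NAME_OID)
    if critical:
        parts += _der_tlv(0x01, b"\xff")
    parts += _der_tlv(0x04, encode_bmp_string(template))
    return _der_tlv(0x30, parts)


def decode_template_name(extension_der):
    """Read the template name back out of an Extension produced above (a consistency check)."""
    tag, seq, _ = _read_tlv(extension_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if _der_tlv(tag, oid) != encode_oid(MS_TEMPLATE_NAME_OID):
        raise ValueError("not the MS template name extension")
    tag, inner, pos = _read_tlv(seq, pos)
    if tag == 0x01:                    # optional critical flag present
        tag, inner, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("missing extnValue")
    tag, value, _ = _read_tlv(inner, 0)
    if tag != 0x1E:
        raise ValueError("extnValue is not a BMPString")
    return value.decode("utf-16-be")
```

`encode_bmp_string("SubCA")` is the extnValue that goes into the CSR's extensionRequest attribute under that OID whatever library builds the request; `ms_template_name_extension` shows the full Extension structure an issuing AD CS reads to pick the template.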
[Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619.

Honza

-- Jan Cholasta

From d1f307cef0b72c8052dd9277d20814236cb19f79 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 7 Oct 2014 16:46:15 +0200
Subject: [PATCH] Fix certmonger configuration in installer code

https://fedorahosted.org/freeipa/ticket/4619
---
 install/tools/ipa-server-install | 5 +--
 install/tools/ipa-upgradeconfig | 2 +-
 ipaserver/install/cainstance.py | 87 +---
 ipaserver/install/dogtaginstance.py | 76 ++-
 ipaserver/install/ipa_kra_install.py | 2 +-
 ipaserver/install/krainstance.py | 9 ++--
 6 files changed, 78 insertions(+), 103 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 89d7330..f394f1e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -561,14 +561,13 @@ def uninstall(): kra_instance = krainstance.KRAInstance( api.env.realm, dogtag_constants=dogtag_constants) -kra_instance.stop_tracking_certificates(dogtag_constants) +kra_instance.stop_tracking_certificates() if kra_instance.is_installed(): kra_instance.uninstall() ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) -ca_instance.stop_tracking_certificates(dogtag_constants) -ca_instance.stop_tracking_agent_certificate(dogtag_constants) +ca_instance.stop_tracking_certificates() if ca_instance.is_configured(): ca_instance.uninstall() diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3914eb5..339dcb9 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -727,7 +727,7 @@ def certificate_renewal_update(ca): # Ok, now we need to stop tracking, then we can start tracking them # again with new configuration: -ca.stop_tracking_certificates(dogtag_constants) +ca.stop_tracking_certificates() if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3a296f5..cbb9e2c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -330,6 +330,12 @@ class CAInstance(DogtagInstance): 2 = have signed cert, continue installation +tracking_reqs = (('auditSigningCert cert-pki-ca', None), + ('ocspSigningCert cert-pki-ca', None), + ('subsystemCert cert-pki-ca', None), + ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) +server_cert_name = 'Server-Cert cert-pki-ca' + def __init__(self, realm=None, ra_db=None, dogtag_constants=None, host_name=None, dm_password=None, ldapi=True): if dogtag_constants is None: @@ -363,11 +369,6 @@ class CAInstance(DogtagInstance): self.ra_agent_pwd = None self.ra_cert = None self.requestId = None -self.tracking_reqs = (('Server-Cert cert-pki-ca', None), - ('auditSigningCert cert-pki-ca', None), - ('ocspSigningCert cert-pki-ca', None), - ('subsystemCert cert-pki-ca', None), - ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) self.log = log_mgr.get_logger(self) def configure_instance(self, host_name, domain, dm_password, @@ -452,7 +453,7 @@ class CAInstance(DogtagInstance): self.step(issuing RA agent certificate, self.__issue_ra_cert) self.step(adding RA agent as a trusted user, self.__configure_ra) self.step(configure certmonger for renewals, self.configure_certmonger_renewal) -self.step(configure certificate renewals, self.configure_cert_renewal) +self.step(configure certificate renewals, self.configure_renewal) if not self.clone: self.step(configure RA certificate renewal, self.configure_agent_renewal) self.step(configure Server-Cert certificate renewal, self.track_servercert) 
@@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance): fd.close() os.chmod(location, 0444) -@staticmethod -def configure_certmonger_renewal(): - -Create a new CA type for certmonger that will retrieve updated -certificates from the dogtag master server. - -services.knownservices.messagebus.start() -cmonger = services.knownservices.certmonger -cmonger.enable() -cmonger.start() - -bus = dbus.SystemBus() -obj = bus.get_object('org.fedorahosted.certmonger', - '/org/fedorahosted/certmonger') -iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') -
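Review bot: the uninstall() hunk in ipa-server-install drops the separate ca_instance.stop_tracking_agent_certificate(dogtag_constants) call and keeps only ca_instance.stop_tracking_certificates(); that is only equivalent if the new no-argument stop_tracking_certificates() also removes the certmonger request for the RA agent certificate, and none of the hunks shown here covers that (the new class-level tracking_reqs tuple in cainstance.py lists only the audit, OCSP, subsystem and CA signing certs, and Server-Cert is now handled separately through server_cert_name). Please confirm the RA agent request is covered, otherwise a stale certmonger tracking request survives uninstall and keeps trying to renew against a CA that no longer exists.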
Re: [Freeipa-devel] [PATCH] 0019 Stop dogtag when updating its configuration in ipa-upgradeconfig
On 10/08/2014 09:29 AM, Jan Cholasta wrote: Hi, Dne 8.10.2014 v 09:09 David Kupka napsal(a): https://fedorahosted.org/freeipa/ticket/4569 In renew_ca_cert and cainstance.py, dogtag should already be stopped in the places you modified, so why the change? I didn't noticed that it is already stopped, fixed. Also I don't think it's a good idea to backup CS.cfg when dogtag is still running (in cainstance.py). If the file is being modified by dogtag at the time it is backed up, the backup may be corrupted. Fixed, thanks. Honza -- David Kupka From 104dca26a87255be2b67652dd0f4c60b71e92e90 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Tue, 30 Sep 2014 08:41:49 -0400 Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig. Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 --- install/tools/ipa-upgradeconfig | 15 +++ ipaserver/install/cainstance.py | 6 -- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index ba4ac93998fa203719e058fdfe557f4f2a67a865..08ff9a224d92245ff2c5845e6c9df22a700df562 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +with installutils.stopped_service( +configured_constants.SERVICE_NAME, +configured_constants.PKI_INSTANCE_NAME): +ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' ,'-pki_instance_name=pki-ca','-subsystem_type=ca']) root_logger.debug('Proxy configuration updated') else: 
@@ -821,9 +826,11 @@ def migrate_crl_publish_dir(ca): root_logger.error('Cannot move CRL file to new directory: %s', e) try: -installutils.set_directive(caconfig.CS_CFG_PATH, -'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', -publishdir, quotes=False, separator='=') +with installutils.stopped_service(caconfig.SERVICE_NAME, +caconfig.PKI_INSTANCE_NAME): +installutils.set_directive(caconfig.CS_CFG_PATH, +'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', +publishdir, quotes=False, separator='=') except OSError, e: root_logger.error('Cannot update CA configuration file %s: %s', caconfig.CS_CFG_PATH, e) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 521f25d96693efe64b5859901bb3da9da79ee0ec..ac6dd828aa38e14c16e7bb7c7d1c397793222852 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1841,8 +1841,10 @@ def backup_config(dogtag_constants=None): if dogtag_constants is None: dogtag_constants = dogtag.configured_constants() -shutil.copy(dogtag_constants.CS_CFG_PATH, -dogtag_constants.CS_CFG_PATH + '.ipabkp') +with stopped_service(dogtag_constants.SERVICE_NAME, + instance_name=dogtag_constants.PKI_INSTANCE_NAME): +shutil.copy(dogtag_constants.CS_CFG_PATH, +dogtag_constants.CS_CFG_PATH + '.ipabkp') def update_cert_config(nickname, cert, dogtag_constants=None): -- 1.9.3 From f322136e5fd0bc1df5edf712c931c328dc5bdb5d Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Tue, 30 Sep 2014 08:41:49 -0400 Subject: [PATCH] Stop dogtag when updating its configuration in ipa-upgradeconfig. Modifying CS.cfg when dogtag is running may (and does) result in corrupting this file. https://fedorahosted.org/freeipa/ticket/4569 --- install/tools/ipa-upgradeconfig | 15 +++ ipaserver/install/cainstance.py | 6 -- 2 files changed, 15 insertions(+), 6 deletions(-) 
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3914eb59066b515d33bebc19ca5afb4f50548bb2..abe3c077ccbaebf7317591eca19be99b686ae37d 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -233,7 +233,12 @@ def upgrade_pki(ca, fstore): if not installutils.get_directive(configured_constants.CS_CFG_PATH, 'proxy.securePort', '=') and \ os.path.exists(paths.PKI_SETUP_PROXY): -ipautil.run([paths.PKI_SETUP_PROXY, '-pki_instance_root=/var/lib' +# update proxy configuration with stopped dogtag to prevent corruption +# of CS.cfg +with installutils.stopped_service( +
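Review bot: in the backup_config hunk of cainstance.py, stopped_service is used as a bare name while ipa-upgradeconfig calls installutils.stopped_service, so make sure cainstance.py imports it (no import hunk is in the diff). More importantly, the thread notes that in renew_ca_cert and other callers dogtag is already stopped when backup_config runs; wrapping the copy in stopped_service is only safe there if the context manager is a no-op for an instance that is not running, otherwise its exit would start dogtag in the middle of a section the caller deliberately stopped. A short comment on backup_config stating that assumption would help the next reader.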
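Review bot: in the migrate_crl_publish_dir hunk, the with installutils.stopped_service(...) block now sits inside a try that only catches OSError, so a failure to stop or restart the pki-cad instance (for example a CalledProcessError from the service helpers) would propagate out of the upgrade step instead of being logged like the set_directive failure right below it. Either widen the except or move the service stop/start outside the try so the intended failure mode is explicit.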
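The stop/edit/restart pattern the patch relies on, written out as an added Python example (it is not FreeIPA's installutils.stopped_service or cainstance.backup_config): a FakeService stands in for the pki-cad instance and the CS.cfg content is constructed, so it runs offline. It makes the two properties the thread turns on explicit: an already-stopped service is left alone, so the context manager can nest inside a caller that stopped dogtag earlier, and a running service is restarted even when the edit raises. The config edit itself goes to a temporary file that is renamed into place, so a crash mid-write cannot leave a truncated file behind.

```python
"""Stop, edit, restart: touching a daemon-owned config file safely.

Added example, not FreeIPA's installutils.stopped_service or
cainstance.backup_config.  FakeService and the CS.cfg content are
constructed so the example runs offline.
"""
import contextlib
import os
import shutil
import tempfile


class FakeService:
    """Stand-in for a service instance such as pki-cad; logs every call."""

    def __init__(self, name, running=True):
        self.name = name
        self.running = running
        self.log = []

    def is_running(self):
        return self.running

    def stop(self):
        self.log.append("stop")
        self.running = False

    def start(self):
        self.log.append("start")
        self.running = True


@contextlib.contextmanager
def stopped_service(service):
    """Run the body with `service` stopped.

    Already stopped by the caller: touch nothing, so nesting inside an outer
    stopped section never restarts the daemon half-way through.  Running:
    stop it and restart it in a finally, so a failed edit cannot leave it down.
    """
    if not service.is_running():
        yield
        return
    service.stop()
    try:
        yield
    finally:
        service.start()


def backup_config(service, path):
    """Copy the config to <path>.ipabkp while the owning daemon is stopped."""
    backup = path + ".ipabkp"
    with stopped_service(service):
        shutil.copy(path, backup)
    return backup


def set_directive(service, path, key, value, separator="="):
    """Set key<separator>value, replacing an existing line or appending one.

    The new content is written to a temp file in the same directory and
    renamed over the original (atomic on POSIX): no reader ever sees a
    partially written file.
    """
    with stopped_service(service):
        with open(path) as src:
            lines = src.readlines()
        out, found = [], False
        for line in lines:
            if line.split(separator, 1)[0].strip() == key:
                out.append("%s%s%s\n" % (key, separator, value))
                found = True
            else:
                out.append(line)
        if not found:
            out.append("%s%s%s\n" % (key, separator, value))
        tmp_fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(tmp_fd, "w") as dst:
            dst.writelines(out)
        shutil.copymode(path, tmp)  # keep the original permission bits
        os.rename(tmp, path)


def demo():
    """Backup, edit, nested edit; returns (service log, content, backup exists)."""
    cfg = os.path.join(tempfile.mkdtemp(), "CS.cfg")
    with open(cfg, "w") as f:  # constructed sample content
        f.write("ca.crl.dir=/var/lib/pki-ca/publish\nproxy.securePort=443\n")
    svc = FakeService("pki-cad")
    backup = backup_config(svc, cfg)                                      # stop, start
    set_directive(svc, cfg, "ca.crl.dir", "/var/lib/ipa/pki-ca/publish")  # stop, start
    with stopped_service(svc):                                            # stop ...
        set_directive(svc, cfg, "new.key", "1")                           # no-op inside
    with open(cfg) as f:                                                  # ... start
        content = f.read()
    return svc.log, content, os.path.exists(backup)


def restart_on_failure():
    """A body that raises still gets the service restarted; returns (running, log)."""
    svc = FakeService("pki-cad")
    try:
        with stopped_service(svc):
            raise RuntimeError("edit failed")
    except RuntimeError:
        pass
    return svc.is_running(), svc.log
```

demo() records exactly three stop/start pairs: one for the backup, one for the first edit, and one for the outer section; the nested set_directive inside it does not touch the service. That is the behaviour backup_config needs when it is called from a path that already stopped dogtag.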
Re: [Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install
On 10/08/2014 11:53 AM, Jan Cholasta wrote:

Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4496. Note that this requires pki-core 10.2.0-3.

Honza

The approach looks OK, but I would like us to be better in naming and documentation:

+cert_group.add_option(--external-ca-type, dest=external_ca_type,
+ type=choice, choices=(generic, ms),
+ help=Type of the external CA)

I would name the option either ad-cs or windows-server-ca, i.e. Active Directory Certificate Services or Windows Server CA. ms sounds too generic to me in this context. When using trademarks we should be specific about what we mean.

Same for man:

+\fB\-\-external\-ca\-type\fR=\fITYPE\fR
+Type of the external CA. Possible values are generic, ms. Default value is generic. Use ms to include MS template name extension in the CSR.
+.TP

I would be more verbose and write: ... Use windows-server-ca to include Windows Server CA specific template name extension (1.3.6.1.4.1.311.20.2) set in the CSR.
Re: [Freeipa-devel] [PATCH] 352 Fix certmonger configuration in installer code
Dne 8.10.2014 v 12:27 Jan Cholasta napsal(a): Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4619. Honza Forgot to delete a line in dogtaginstance.py (thanks to David for noticing). Updated patch attached. -- Jan Cholasta From f2edb5ddf291d1f14c13e155412f5154d491c84e Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 7 Oct 2014 16:46:15 +0200 Subject: [PATCH] Fix certmonger configuration in installer code https://fedorahosted.org/freeipa/ticket/4619 --- install/tools/ipa-server-install | 5 +-- install/tools/ipa-upgradeconfig | 2 +- ipaserver/install/cainstance.py | 87 +--- ipaserver/install/dogtaginstance.py | 77 ++- ipaserver/install/ipa_kra_install.py | 2 +- ipaserver/install/krainstance.py | 9 ++-- 6 files changed, 78 insertions(+), 104 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 89d7330..f394f1e 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -561,14 +561,13 @@ def uninstall(): kra_instance = krainstance.KRAInstance( api.env.realm, dogtag_constants=dogtag_constants) -kra_instance.stop_tracking_certificates(dogtag_constants) +kra_instance.stop_tracking_certificates() if kra_instance.is_installed(): kra_instance.uninstall() ca_instance = cainstance.CAInstance( api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants) -ca_instance.stop_tracking_certificates(dogtag_constants) -ca_instance.stop_tracking_agent_certificate(dogtag_constants) +ca_instance.stop_tracking_certificates() if ca_instance.is_configured(): ca_instance.uninstall() diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 3914eb5..339dcb9 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -727,7 +727,7 @@ def certificate_renewal_update(ca): # Ok, now we need to stop tracking, then we can start tracking them # again with new configuration: -ca.stop_tracking_certificates(dogtag_constants) +ca.stop_tracking_certificates() if not sysupgrade.get_upgrade_state('dogtag', 'certificate_renewal_update_1'): diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3a296f5..cbb9e2c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -330,6 +330,12 @@ class CAInstance(DogtagInstance): 2 = have signed cert, continue installation +tracking_reqs = (('auditSigningCert cert-pki-ca', None), + ('ocspSigningCert cert-pki-ca', None), + ('subsystemCert cert-pki-ca', None), + ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) +server_cert_name = 'Server-Cert cert-pki-ca' + def __init__(self, realm=None, ra_db=None, dogtag_constants=None, host_name=None, dm_password=None, ldapi=True): if dogtag_constants is None: @@ -363,11 +369,6 @@ class CAInstance(DogtagInstance): self.ra_agent_pwd = None self.ra_cert = None self.requestId = None -self.tracking_reqs = (('Server-Cert cert-pki-ca', None), - ('auditSigningCert cert-pki-ca', None), - ('ocspSigningCert cert-pki-ca', None), - ('subsystemCert cert-pki-ca', None), - ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) self.log = log_mgr.get_logger(self) def configure_instance(self, host_name, domain, dm_password, 
@@ -452,7 +453,7 @@ class CAInstance(DogtagInstance): self.step(issuing RA agent certificate, self.__issue_ra_cert) self.step(adding RA agent as a trusted user, self.__configure_ra) self.step(configure certmonger for renewals, self.configure_certmonger_renewal) -self.step(configure certificate renewals, self.configure_cert_renewal) +self.step(configure certificate renewals, self.configure_renewal) if not self.clone: self.step(configure RA certificate renewal, self.configure_agent_renewal) self.step(configure Server-Cert certificate renewal, self.track_servercert) @@ -1311,27 +1312,6 @@ class CAInstance(DogtagInstance): fd.close() os.chmod(location, 0444) -@staticmethod -def configure_certmonger_renewal(): - -Create a new CA type for certmonger that will retrieve updated -certificates from the dogtag master server. - -services.knownservices.messagebus.start() -cmonger = services.knownservices.certmonger -cmonger.enable() -cmonger.start() - -bus = dbus.SystemBus() -obj =
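Review bot: the @@ -1311 hunk in cainstance.py deletes the configure_certmonger_renewal staticmethod, but the unchanged step list at @@ -452 still registers self.step(configure certmonger for renewals, self.configure_certmonger_renewal), so the method must now come from DogtagInstance (the dogtaginstance.py part of the diff is not visible here). Worth a quick check that it keeps the same staticmethod or classmethod form there and that the work it did (starting messagebus, enabling and starting certmonger, registering the dogtag CA type over D-Bus) was moved rather than dropped: the step name promises that work, and a fresh install where certmonger is not yet running could otherwise fail at the later tracking steps.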
[Freeipa-devel] [PATCH] 353 Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
Hi, the attached patch provides an additional fix for https://fedorahosted.org/freeipa/ticket/4447. Honza -- Jan Cholasta From d0f77421f74b026de15966075e7687ff0350ed54 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Oct 2014 12:18:06 +0200 Subject: [PATCH] Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install The --ca-signing-algorithm option is available in ipa-server-install, make it available in ipa-ca-install as well. https://fedorahosted.org/freeipa/ticket/4447 --- install/tools/ipa-ca-install | 13 ++--- install/tools/man/ipa-ca-install.1 | 3 +++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index df8e34b..653b615 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -71,6 +71,10 @@ def parse_options(): parser.add_option(--external-cert-file, dest=external_cert_files, action=append, metavar=FILE, help=File containing the IPA CA certificate and the external CA certificate chain) +parser.add_option(--ca-signing-algorithm, dest=ca_signing_algorithm, + type=choice, + choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'), + help=Signing algorithm of the IPA CA certificate) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) 
@@ -313,17 +317,20 @@ def install_master(safe_options, options): ca.create_ra_agent_db = False if external == 0: ca.configure_instance(host_name, domain_name, dm_password, - dm_password, subject_base=subject_base) + dm_password, subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) elif external == 1: ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, - subject_base=subject_base) + subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) else: ca.configure_instance(host_name, domain_name, dm_password, dm_password, cert_file=external_cert_file.name, cert_chain_file=external_ca_file.name, - subject_base=subject_base) + subject_base=subject_base, + ca_signing_algorithm=options.ca_signing_algorithm) ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index 8f7201c..a58ac23 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -40,6 +40,9 @@ Admin user Kerberos password used for connection check \fB\-\-external\-cert\-file\fR=\fIFILE\fR File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. .TP +\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR +Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm. +.TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation .TP -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
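Review bot: the --ca-signing-algorithm option in the ipa-ca-install parse_options hunk has no default=, so options.ca_signing_algorithm is None unless the user passes it, and that None is forwarded to all three ca.configure_instance() calls in install_master. The man page hunk promises SHA256withRSA as the default, so the two only agree if configure_instance maps None to SHA256withRSA; either set default='SHA256withRSA' in the parser (it then also shows up in --help) or add a comment at the call sites saying None means the CA default, so the tool and its documentation cannot drift apart.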
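Review bot: the man page hunk lists SHA1withRSA among the possible values without comment. Since this option exists for interoperability with an external CA that cannot sign with SHA-256, it would help operators to say so: that SHA1withRSA is provided only for compatibility with such a CA, and that an IPA CA certificate signed with it is affected by the ongoing deprecation of SHA-1 certificate signatures in browsers and other TLS clients. As written, the list reads as three equally recommended choices.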
Re: [Freeipa-devel] [PATCH] 351 Support MS CA as the external CA in ipa-server-install and ipa-ca-install
Dne 8.10.2014 v 12:49 Martin Kosek napsal(a): On 10/08/2014 11:53 AM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4496. Note that this requires pki-core 10.2.0-3. Honza The approach looks OK, but I would like to be better in naming documentation: +cert_group.add_option(--external-ca-type, dest=external_ca_type, + type=choice, choices=(generic, ms), + help=Type of the external CA) I would name the option either ad-cs or windows-server-ca, i.e. Active Directory Certificate Services or Windows Server CA. ms sounds too generic to me in this context. When using trademarks we should be specific about what do we mean. Microsoft docs refer to it as Microsoft Certificate Services or simply Certificate Services, so I went with ms-cs. Same for man: +\fB\-\-external\-ca\-type\fR=\fITYPE\fR +Type of the external CA. Possible values are generic, ms. Default value is generic. Use ms to include MS template name extension in the CSR. +.TP I would be more verbose and write ... Use windows-server-ca to include Windows Server CA specific template name extension (1.3.6.1.4.1.311.20.2) set in the CSR. I have reworded the description in man and the commit message a bit. Updated patch attached. -- Jan Cholasta From 14aa5220ab91acd7b7ca831e395a4ade33685527 Mon Sep 17 00:00:00 2001 
From: Jan Cholasta jchol...@redhat.com Date: Wed, 8 Oct 2014 10:51:31 +0200 Subject: [PATCH] Support MS CS as the external CA in ipa-server-install and ipa-ca-install Added a new option --external-ca-type which specifies the type of the external CA. It can be either generic (the default) or ms-cs. If ms-cs is selected, the CSR generated for the IPA CA will include MS template name extension (OID 1.3.6.1.4.1.311.20.2) with template name SubCA. https://fedorahosted.org/freeipa/ticket/4496 --- freeipa.spec.in| 2 +- install/tools/ipa-ca-install | 10 +- install/tools/ipa-server-install | 10 +- install/tools/man/ipa-ca-install.1 | 6 ++ install/tools/man/ipa-server-install.1 | 3 +++ ipaserver/install/cainstance.py| 14 +- 6 files changed, 41 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 99cd6df..6fe8704 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -113,7 +113,7 @@ Requires(post): systemd-units Requires: selinux-policy = 3.12.1-179 Requires(post): selinux-policy-base Requires: slapi-nis = 0.47.7 -Requires: pki-ca = 10.1.1 +Requires: pki-ca = 10.2.0-3 %if 0%{?rhel} Requires: subscription-manager %endif diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index df8e34b..37f8fc7 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -68,6 +68,9 @@ def parse_options(): default=False, help=unattended installation never prompts the user) parser.add_option(--external-ca, dest=external_ca, action=store_true, default=False, help=Generate a CSR to be signed by an external CA) +parser.add_option(--external-ca-type, dest=external_ca_type, + type=choice, choices=(generic, ms-cs), + help=Type of the external CA) parser.add_option(--external-cert-file, dest=external_cert_files, action=append, metavar=FILE, help=File containing the IPA CA certificate and the external CA certificate chain) 
@@ -89,6 +92,10 @@ def parse_options(): parser.error(You cannot specify --external-cert-file together with --external-ca) +if options.external_ca_type and not options.external_ca: +parser.error( +You cannot specify --external-ca-type without --external-ca) + return safe_options, options, filename def get_dirman_password(): @@ -317,7 +324,8 @@ def install_master(safe_options, options): elif external == 1: ca.configure_instance(host_name, domain_name, dm_password, dm_password, csr_file=paths.ROOT_IPA_CSR, - subject_base=subject_base) + subject_base=subject_base, + ca_type=options.external_ca_type) else: ca.configure_instance(host_name, domain_name, dm_password, dm_password, diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index b827dfe..ab97646 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -203,6 +203,9 @@ def parse_options(): cert_group = OptionGroup(parser, certificate system options) cert_group.add_option(, --external-ca, dest=external_ca, action=store_true, default=False, help=Generate a CSR for the IPA CA certificate to be signed by an external CA) +
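Review bot: the ipa-ca-install hunk adds --external-ca-type with help=Type of the external CA and no default=; optparse's choice type will reject anything but generic and ms-cs, but the help text does not say which values exist or what ms-cs changes. Mirror the man page wording requested earlier in the thread: list the accepted values, name the MS template name extension (OID 1.3.6.1.4.1.311.20.2) that ms-cs adds to the CSR, and mention the fixed template name SubCA from the commit message, since the administrator of the external CA has to have such a template available before the CSR can be accepted.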
[Freeipa-devel] [PATCH] 0002 Ignore irrelevant subtrees in schema compat plugin
Please review attached patch for ticket: https://fedorahosted.org/freeipa/ticket/4586

This reduces the number of internal searches and contention for database locks. Together with the DS fix for https://fedorahosted.org/389/ticket/47918 the issues reported in 4586 no longer occurred.

From 1e871d2d39c7dc3e49d55ccf1d5a163d40d68dcf Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz lkris...@redhat.com
Date: Wed, 8 Oct 2014 15:11:54 +0200
Subject: [PATCH] Ignore irrelevant subtrees in schema compat plugin

For changes in cn=changelog or o=ipaca the schema compat plugin doesn't need to be executed. It saves many internal searches and reduces contribution to lock contention across backends in DS.

cf ticket 4586
---
install/updates/10-schema_compat.update | 14 ++
1 file changed, 14 insertions(+)

diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index aeddadbe3a7231e7795c1c8420dc5a1353f907cc..e5bc70350a28a0e572fa3678ba9ba5bf5075529f 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update
@@ -18,11 +18,15 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq(ipaSudoRunAsUserCatego add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq(ipaSudoRunAsUserCategory,all,ALL,%deref_f(\ipaSudoRunAs\,\(objectclass=posixAccount)\,\uid\))' add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq(ipaSudoRunAsGroupCategory,all,ALL,%{ipaSudoRunAsExtGroup})' add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq(ipaSudoRunAsGroupCategory,all,ALL,%deref_f(\ipaSudoRunAsGroup\,\(objectclass=posixGroup)\,\cn\))' +add: schema-compat-ignore-subtree: cn=changelog +add: schema-compat-ignore-subtree: o=ipaca # Change padding for host and userCategory so the pad returns the same value # as the original, '' or -. dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link(%ifeq(\hostCategory\,\all\,\\,\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\),-,,,%ifeq(\userCategory\,\all\,\\,\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\),-),%{nisDomainName:-})::nisNetgroupTriple=(%link(%ifeq(\hostCategory\,\all\,\\,\%collect(\\\%{externalHost}\\\,\\\%deref(\\\memberHost\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\member\\\,\\\fqdn\\\)\\\,\\\%deref_r(\\\memberHost\\\,\\\member\\\,\\\fqdn\\\)\\\)\),%ifeq(\hostCategory\,\all\,\\,\-\),,,%ifeq(\userCategory\,\all\,\\,\%collect(\\\%deref(\\\memberUser\\\,\\\uid\\\)\\\,\\\%deref_r(\\\member\\\,\\\uid\\\)\\\,\\\%deref_r(\\\memberUser\\\,\\\member\\\,\\\uid\\\)\\\)\),%ifeq(\userCategory\,\all\,\\,\-\)),%{nisDomainName:-})' +add: schema-compat-ignore-subtree: cn=changelog +add: schema-compat-ignore-subtree: o=ipaca dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config default:objectClass: top 
@@ -37,10 +41,20 @@ default:schema-compat-entry-attribute: objectclass=device default:schema-compat-entry-attribute: objectclass=ieee802Device default:schema-compat-entry-attribute: cn=%{fqdn} default:schema-compat-entry-attribute: macAddress=%{macAddress} +add: schema-compat-ignore-subtree: cn=changelog +add: schema-compat-ignore-subtree: o=ipaca dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} +dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=changelog +add: schema-compat-ignore-subtree: o=ipaca + +dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config +add: schema-compat-ignore-subtree: cn=changelog +add: schema-compat-ignore-subtree: o=ipaca + dn: cn=Schema Compatibility,cn=plugins,cn=config # We need to run schema-compat pre-bind callback before # other IPA pre-bind callbacks to make sure bind DN is -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
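Review bot: the diffstat shows only install/updates/10-schema_compat.update changing. schema-compat-ignore-subtree is a configuration attribute of the slapi-nis plugin, so if it was introduced in a specific slapi-nis release the Requires: slapi-nis line in freeipa.spec.in should be bumped in the same patch; on an older plugin the update would apply cleanly but the attribute would be ignored or rejected and the lock-contention fix silently lost. Also worth checking: o=ipaca exists only on servers with a CA installed, so make sure the plugin tolerates an ignore-subtree that matches no backend on CA-less masters.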
[Freeipa-devel] [PATCH] 0655 Add additional backup restore checks
This adds basic checks that PAM, DNS, and Kerberos are working before and after the backup/restore (in addition to DS, CA and IPA CLI that were there before).
--
Petr³

From e9495d4c023eb99a19493c3cfbd7c259e12929f5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 25 Sep 2014 10:11:49 +0200
Subject: [PATCH] Add additional backup restore checks

https://fedorahosted.org/freeipa/ticket/3893
---
.../test_integration/test_backup_and_restore.py| 41 ++
1 file changed, 35 insertions(+), 6 deletions(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index 3cf0d5d708e15a8d44e9f77c21c3ca5343c65f6a..c9b4271d40f292e26fbff3240b875f6c56620a89 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py @@ -65,6 +65,12 @@ def check_admin_in_cli(host): return result +def check_admin_in_id(host): +result = host.run_command(['id', 'admin']) +assert 'admin' in result.stdout_text, result.stdout_text +return result + + def check_certs(host): result = host.run_command(['ipa', 'cert-find']) assert re.search('^Number of entries returned [1-9]\d*$',
@@ -72,20 +78,43 @@ def check_certs(host): return result +def check_dns(host): +result = host.run_command(['host', host.hostname, 'localhost']) +return result + + +def check_kinit(host): +result = host.run_command(['kinit', 'admin'], + stdin_text=host.config.admin_password) +return result + + +CHECKS = [ +(check_admin_in_ldap, assert_entries_equal), +(check_admin_in_cli, assert_results_equal), +(check_admin_in_id, assert_results_equal), +(check_certs, assert_results_equal), +(check_dns, assert_results_equal), +(check_kinit, assert_results_equal), +] + + @contextlib.contextmanager def restore_checker(host): Check that the IPA at host works the same at context enter and exit tasks.kinit_admin(host) -admin_entry = check_admin_in_ldap(host) -admin_cli_result = check_admin_in_cli(host) -certs_output = check_certs(host) +results = [] +for check, assert_func in CHECKS: +log.info('Storing result for %s', check) +results.append(check(host)) yield -assert_entries_equal(admin_entry, check_admin_in_ldap(host)) -assert_results_equal(admin_cli_result, check_admin_in_cli(host)) -assert_results_equal(certs_output, check_certs(host)) +for (check, assert_func), expected in zip(CHECKS, results): +log.info('Checking result for %s', check) +got = check(host) +assert_func(expected, got) def backup(host): -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
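Review bot: in the restore_checker hunk the first loop unpacks assert_func from CHECKS but never uses it (for check, _ in CHECKS would say so), and log.info('Storing result for %s', check) prints the function object's repr; check.__name__ reads better in the test log. Separately, check_dns runs host <hostname> localhost, i.e. it queries the local resolver as the name server; on a server installed without DNS that query fails and run_command raises, so the check should be conditional on the host having DNS configured (or the CHECKS list built per host) rather than always on. Passing the admin password to kinit through stdin_text rather than on the command line in check_kinit is the right call.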
[Freeipa-devel] [PATCH 0133] Fix ipactl service ordering
IPA sorts service order alphabetically; this patch modifies ipactl to use integers.

How to reproduce: set attribute ipaConfigString: startOrder 150 on DN: cn=HTTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com then run

#ipactl restart

The httpd service should start as the last service, but it starts almost first.

Patch attached.
--
Martin Basti

From 277e71a1ce05636fd3961276f626335fe9bfbbbe Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 8 Oct 2014 16:40:53 +0200
Subject: [PATCH] Fix ipactl service ordering

Ipactl sorted service start order as string, which causes a service with start order 100 to start before a service with start order 30. The patch fixes ipactl to use integers for ordering.
---
install/tools/ipactl | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipactl b/install/tools/ipactl index 3f0e79867032b61f63e0626ce33df75df14cecab..7a1e41b01a80eeea85c417399dcf4666f70d4b26 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -159,7 +159,11 @@ def get_config(dirsrv): name = entry.single_value['cn'] for p in entry['ipaConfigString']: if p.startswith('startOrder '): -order = p.split()[1] +try: +order = int(p.split()[1]) +except ValueError: +raise IpactlError(Expected order as integer in: %s:%s % ( +name, p)) svc_list.append([order, name]) ordered_list = [] -- 1.8.3.1
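Review bot: in the get_config hunk the except only catches ValueError, but p.split()[1] on a value that is exactly 'startOrder ' (trailing space, nothing after it) raises IndexError, which would still escape as a traceback instead of the new IpactlError; catch (ValueError, IndexError) there, or read the value with p.split(None, 1) and check its length before calling int(). The error message itself is good: it names the service, so an operator can find the offending ipaConfigString quickly.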
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed. First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work can land inside this plugin, so the name is appropriate. Second, I uncovered a bug in 389 which prevents me from validating the non-replication request in bepre. This is the reason for the additional betxnpre callback. If the upstream 389 bug is fixed, we can merge this check back into bepre. https://fedorahosted.org/389/ticket/47919 Third, I believe we are now handling replication correct. An error is never returned. When a replication would cause the counter to decrease, we remove all counter/watermark related mods from the operation. This will allow the replication to apply without decrementing the value. There is also a new bepost method which check to see if the replication was discarded (via CSN) while having a higher counter value. If so, we apply the higher counter value. For me the code is good. It took me some time to understand the benefit of removing mods in preop. In fact I think it is a good idea, as it prevents extra repair ops and also make more easy the computation of the value to set in repair mod. Here is the scenario. Server X receives two quick authentications; replications A and B are sent to server Y. Before server Y can process server X's replications, an authentication is performed on server Y; replication C is sent to server X. The following logic holds true: * csnA csnB csnC * valueA = valueC, valueB valueC When server X receives replication C, ipa-otp-counter will strip out all counter mod operations; applying the update but not the lower value. The value of replication B is retained. This is the correct behavior. 
When server Y processes replications A and B, ipa-otp-counter will detect that a higher value has a lower CSN and will manually set the higher value (in bepost). This initiates replication D, which is sent to server X. Here is the logic: * csnA csnB csnC csnD * valueA = valueC, valueB = valueD, valueD valueC Server X receives replication D. D has the highest CSN. It has the same value as replication B (server X's current value). Because the values are the same, ipa-otp-counter will strip all counter mod operations. This reduces counter write contention which might become a problem in N-way replication when N2. I think we should rather let the mods going on. So that the full topology will have valueD (or valueB)/csnD rather having a set of servers having valueD/csnB and an other set valueD/csnD. thanks thierry On Fri, 2014-10-03 at 19:52 +0200, thierry bordaz wrote: Hello Nathaniel, An additional comment about the patch. When the new value is detected to be invalid, it is fixed by a repair operation (trigger_replication). I did test it and it is fine to update, with an internal operation, the same entry that is currently updated. Now if you apply the repair operation into a be_preop or a betxn_preop, when it returns from preop the txn of the current operation will overwrite the repaired value. An option is to register a bepost that checks the value from the original entry (SLAPI_ENTRY_PRE_OP) and post entry (SLAPI_ENTRY_POST_OP). Then this postop checks the orginal/final value and can trigger the repair op. This time being outside of the main operation txn, the repair op will be applied. thanks thierry On 09/29/2014 08:30 PM, Nathaniel McCallum wrote: On Mon, 2014-09-22 at 09:32 -0400, Simo Sorce wrote: On Sun, 21 Sep 2014 22:33:47 -0400 Nathaniel McCallum npmccal...@redhat.com wrote: Comments inline. 
+ +#define ch_malloc(type) \ +(type*) slapi_ch_malloc(sizeof(type)) +#define ch_calloc(count, type) \ +(type*) slapi_ch_calloc(count, sizeof(type)) +#define ch_free(p) \ +slapi_ch_free((void**) (p)) please do not redefine slapi functions, it just makes it harder to know what you used. +typedef struct { +bool exists; +long long value; +} counter; please no typedefs of structures, use struct counter { ... }; and reference it as struct counter in the code. Btw, FWIW you could use a value of -1 to indicate non-existence of the counter value, given counters can only be positive, this would avoid the need for a struct. +static int +send_error(Slapi_PBlock *pb, int rc, char *template, ...) +{ +va_list ap; +int res; + +va_start(ap, template); +res = vsnprintf(NULL, 0, template, ap); +va_end(ap); + +if (res 0) { +char str[res + 1]; + +va_start(ap, template); +res = vsnprintf(str, sizeof(str), template, ap); +va_end(ap); + +if (res 0) +
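Review bot: in send_error the message buffer `char str[res + 1]` is a variable-length array sized from the first vsnprintf pass; that is only correct because both passes see the same arguments, and a VLA has no error path for a large message other than exhausting the stack. Allocate the buffer with slapi_ch_malloc instead (the code already wraps it in the macros above), check that the second vsnprintf returns the same length as the first, and free the buffer once the error has been sent; that also removes the reason for keeping two formatting passes in a function that is only called on error paths.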
Re: [Freeipa-devel] [PATCH] 761 keytab manipulation permission management
On 1.10.2014 18:15, Petr Vobornik wrote: Hello list, Patch for: https://fedorahosted.org/freeipa/ticket/4419 New revisions of 761 and 763 with updated API and ACIs: ipa host-allow-operation HOSTNAME retrieve-keytab --users=STR --groups STR ipa host-disallow-operation HOSTNAME retrieve-keytab --users=STR --groups STR ipa host-allow-operation HOSTNAME create-keytab --users=STR --groups STR ipa host-disallow-operation HOSTNAME create-keytab --users=STR --groups STR ipa service-allow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR ipa service-disallow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR ipa service-allow-operation PRINCIPAL create-keytab --users=STR --groups STR ipa service-disallow-operation PRINCIPAL create-keytab --users=STR --groups STR ACIs are targeted to specific operations by including subtypes. -- Petr Vobornik From e44e27ca63ab333b50f4cf465ea61115c9c83840 Mon Sep 17 00:00:00 2001 
From: Petr Vobornik pvobo...@redhat.com Date: Thu, 2 Oct 2014 16:57:08 +0200 Subject: [PATCH] keytab manipulation permission management Adds new API: ipa host-allow-operation HOSTNAME retrieve-keytab --users=STR --groups STR ipa host-disallow-operation HOSTNAME retrieve-keytab --users=STR --groups STR ipa host-allow-operation HOSTNAME create-keytab --users=STR --groups STR ipa host-disallow-operation HOSTNAME create-keytab --users=STR --groups STR ipa service-allow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR ipa service-disallow-operation PRINCIPAL retrieve-keytab --users=STR --groups STR ipa service-allow-operation PRINCIPAL create-keytab --users=STR --groups STR ipa service-disallow-operation PRINCIPAL create-keytab --users=STR --groups STR these methods add or remove user or group DNs in `ipaallowedtoperform` attr with `read_keys` and `write_keys` subtypes. service|host-mod|show outputs these attrs as: Users allowed to retrieve keytab: user1 Groups allowed to retrieve keytab: group1 Users allowed to create keytab: user1 Groups allowed to create keytab: group1 Adding of object class is implemented as a reusable method since this code is used in many places and most likely will also be used in new features. Older code may be refactored later. https://fedorahosted.org/freeipa/ticket/4419 --- ACI.txt| 4 ++ API.txt| 52 +++ VERSION| 4 +- ipalib/plugins/baseldap.py | 17 ++ ipalib/plugins/host.py | 51 -- ipalib/plugins/service.py | 127 +++-- 6 files changed, 244 insertions(+), 11 deletions(-) diff --git a/ACI.txt b/ACI.txt index cebdc2ccec45db1dbf0d5ea0c7f2b1a3a7feeb6e..312e51719d9906f8d6f262330d2bdafe1e59d88a 100644 --- a/ACI.txt +++ b/ACI.txt
@@ -95,6 +95,8 @@ aci: (targetattr = userpassword)(targetfilter = (objectclass=ipahost))(versi dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = krblastpwdchange || krbprincipalkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host Keytab;allow (write) groupdn = ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=computers,cn=accounts,dc=ipa,dc=example +aci: (targetattr = createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host Keytab Permissions;allow (compare,read,search,write) groupdn = ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example;) +dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = ipasshpubkey)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Manage Host SSH Public Keys;allow (write) groupdn = ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = description || ipaassignedidview || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass)(targetfilter = (objectclass=ipahost))(version 3.0;acl permission:System: Modify Hosts;allow (write) groupdn = ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example;) 
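Review bot: the new ACI gives "System: Manage Host Keytab Permissions" `write` on `objectclass` for every `ipahost` entry, alongside the two `ipaallowedtoperform` subtypes. Write on `objectclass` is what the reusable add-object-class helper from the commit message needs, but it is not scoped to the one object class that carries `ipaallowedtoperform`: a holder of this permission can add or remove object classes on any host entry, limited only by schema checking. If 389's ACI syntax cannot narrow this further, state that in the commit message and in the permission's description so that administrators delegating it know it is broader than its name suggests; the same point applies to the matching service ACI in the next hunk.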
@@ -193,6 +195,8 @@ aci: (targetfilter = (objectclass=ipaservice))(version 3.0;acl permission:Sys dn: cn=services,cn=accounts,dc=ipa,dc=example aci: (targetattr = krblastpwdchange || krbprincipalkey)(targetfilter = (objectclass=ipaservice))(version 3.0;acl permission:System: Manage Service Keytab;allow (write) groupdn = ldap:///cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example;) dn: cn=services,cn=accounts,dc=ipa,dc=example +aci: (targetattr = createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass)(targetfilter =
Re: [Freeipa-devel] [PATCH] 764 webui: management of keytab permissions
On 3.10.2014 16:12, Petr Vobornik wrote: On 1.10.2014 18:15, Petr Vobornik wrote: Hello list, Patch for: https://fedorahosted.org/freeipa/ticket/4419 Web UI for 4419. Depends on patch 761 (parent thread). New version which works with 761-2. The content was moved to details facet (based on UXD feedback). -- Petr Vobornik From 7d329ca416e4f79b76d21a79f7062ad667e0506a Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 2 Oct 2014 15:44:47 +0200 Subject: [PATCH] webui: management of keytab permissions https://fedorahosted.org/freeipa/ticket/4419 --- install/ui/src/freeipa/association.js | 32 ++--- install/ui/src/freeipa/host.js| 88 +++ install/ui/src/freeipa/service.js | 88 +++ install/ui/test/data/ipa_init.json| 8 ipalib/plugins/internal.py| 8 5 files changed, 217 insertions(+), 7 deletions(-) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index 64a2926d97856eb9a3dac27834bc4d78e8f5..47ef067a53eef557c1cacd8ad1f3792ee8f223bf 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js @@ -406,7 +406,7 @@ IPA.association_table_widget = function (spec) { spec = spec || {}; -var index = spec.name.indexOf('_'); +var index = spec.name.lastIndexOf('_'); spec.attribute_member = spec.attribute_member || spec.name.substring(0, index); spec.other_entity = spec.other_entity || spec.name.substring(index+1); @@ -428,6 +428,18 @@ IPA.association_table_widget = function (spec) { that.needs_refresh = IPA.observer(); +/** + * Additional args for add and remove command + * @property {string} + */ +that.additional_args = spec.additional_args || []; + +that.get_mod_pkeys = function () { +var keys = that.additional_args.slice(0); +keys.unshift(that.facet.get_pkey()); +return keys; +}; + that.get_adder_column = function(name) { return that.adder_columns.get(name); }; 
@@ -589,7 +601,7 @@ IPA.association_table_widget = function (spec) { var i; var columns = that.columns.values; if (columns.length == 1) { // show pkey only -var name = columns[0].name; +var name = columns[0].param; for (i=0; ithat.values.length; i++) { var record = {}; record[name] = that.values[i]; @@ -656,12 +668,12 @@ IPA.association_table_widget = function (spec) { that.add = function(values, on_success, on_error) { -var pkey = that.facet.get_pkey(); +var pkeys = that.get_mod_pkeys(); var command = rpc.command({ entity: that.entity.name, method: that.add_method, -args: [pkey], +args: pkeys, on_success: on_success, on_error: on_error }); @@ -720,12 +732,12 @@ IPA.association_table_widget = function (spec) { that.remove = function(values, on_success, on_error) { -var pkey = that.facet.get_pkey(); +var pkeys = that.get_mod_pkeys(); var command = rpc.command({ entity: that.entity.name, method: that.remove_method, -args: [pkey], +args: pkeys, on_success: on_success, on_error: on_error }); @@ -774,6 +786,12 @@ IPA.association_table_field = function (spec) { var that = IPA.field(spec); +that.load = function(data) { +that.values = that.adapter.load(data); +that.widget.update(that.values); +that.widget.unselect_all(); +}; + that.refresh = function() { function on_success(data, text_status, xhr) { @@ -821,7 +839,7 @@ exp.association_facet_pre_op = function(spec, context) { su.context_entity(spec, context); spec.entity = entity; -var index = spec.name.indexOf('_'); +var index = spec.name.lastIndexOf('_'); spec.attribute_member = spec.attribute_member || spec.name.substring(0, index); spec.other_entity = spec.other_entity || diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js index 5b886b6394e73533d73f0d1a3d800922e4ef3e4d..be4ac01b2767b0a74144dbf0ea5c4b45e1a79972 100644 --- a/install/ui/src/freeipa/host.js +++ b/install/ui/src/freeipa/host.js 
@@ -146,6 +146,94 @@ return { label: '@i18n:objects.host.status' } ] +}, +{ +$factory: IPA.section, +name: 'divider', +layout_css_class: 'col-sm-12', +fields: [] +}, +{ +name: 'read', +label: '@i18n:keytab.allowed_to_retrieve', +$factory: IPA.section, +
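Review bot: the `indexOf('_')` to `lastIndexOf('_')` change at @@ -406 and @@ -821 alters how every association widget and facet derives `attribute_member` and `other_entity` from `spec.name`, not only the new keytab sections: any name with more than one underscore now splits at the last one instead of the first. Since the fields are only defaulted when the spec does not set them explicitly, either confirm that every existing `spec.name` in the UI still resolves to the intended entity, or document the `<attribute>_<entity>` convention next to the split so a future multi-underscore attribute name is not silently mis-parsed. A nit in the @@ -428 hunk: `additional_args` is documented as `@property {string}` but is initialised to an array and passed as positional RPC args after the pkey, so the doc type should be `{string[]}`.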
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed. First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work can land inside this plugin, so the name is appropriate. Second, I uncovered a bug in 389 which prevents me from validating the non-replication request in bepre. This is the reason for the additional betxnpre callback. If the upstream 389 bug is fixed, we can merge this check back into bepre. https://fedorahosted.org/389/ticket/47919 Third, I believe we are now handling replication correctly. An error is never returned. When a replication would cause the counter to decrease, we remove all counter/watermark related mods from the operation. This will allow the replication to apply without decrementing the value. There is also a new bepost method which checks to see if the replication was discarded (via CSN) while having a higher counter value. If so, we apply the higher counter value. For me the code is good. It took me some time to understand the benefit of removing mods in preop. In fact I think it is a good idea, as it prevents extra repair ops and also makes it easier to compute the value to set in the repair mod. Here is the scenario. Server X receives two quick authentications; replications A and B are sent to server Y. Before server Y can process server X's replications, an authentication is performed on server Y; replication C is sent to server X. The following logic holds true: * csnA < csnB < csnC * valueA = valueC, valueB > valueC When server X receives replication C, ipa-otp-counter will strip out all counter mod operations; applying the update but not the lower value. The value of replication B is retained. This is the correct behavior.
When server Y processes replications A and B, ipa-otp-counter will detect that a higher value has a lower CSN and will manually set the higher value (in bepost). This initiates replication D, which is sent to server X. Here is the logic: * csnA < csnB < csnC < csnD * valueA = valueC, valueB = valueD, valueD > valueC Server X receives replication D. D has the highest CSN. It has the same value as replication B (server X's current value). Because the values are the same, ipa-otp-counter will strip all counter mod operations. This reduces counter write contention which might become a problem in N-way replication when N > 2. I think we should rather let the mods go on, so that the full topology will have valueD (or valueB)/csnD rather than having a set of servers having valueD/csnB and another set valueD/csnD. I think you misunderstand. The value for csnD is only discarded when the server already has valueB (valueB == valueD). Only the value is discarded, so csnD is still applied. The full topology will have either valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by substitution, all servers have valueD w/ csnD. Nathaniel
Re: [Freeipa-devel] [PATCH] 0159-0160 Support ID views in compat tree
On Tue, 07 Oct 2014, Ludwig Krispenz wrote: Hi Alex, I have a question regarding cbdata.target. It is/was a reference to the pblock used to generate a new dn, but now in idview_replace_target_dn(cbdata.target,...) it can be newly allocated and should be freed, so I think there should be a return code indicating if it was allocated or not. Yes, good catch. I've fixed this and other issues raised in the review. I also fixed an issue with an initial lookup by an override. If someone does a search by an override, we would replace uid|cn=value by uid=ipaOriginalUid value if it exists and by ipaAnchorUUID value otherwise -- for groups we don't have ipaOriginalUid as they don't have uids. Now, the filter would look like (ipaAnchorUUID=:SID:S-...) and if there is no entry in the map cache, the search will return nothing, the entry will be staged for lookup through SSSD. In the original version lookup in SSSD didn't take ipaAnchorUUID into account, so the entry would not be found at all. I did add a call to do sid2name first and then use the name to perform actual SSSD lookup. Works nicely now. New patch for slapi-nis is attached. -- / Alexander Bokovoy From 1c2e7caa3e1c11cc0bc0d8477a0c27308ca8506b Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 29 Jul 2014 12:04:34 +0300 Subject: [PATCH] Add support for FreeIPA ID views FreeIPA ID views allow overriding POSIX attributes for certain users and groups. Support is added to allow using a specific ID view when serving the compatibility tree. Each user or group entry which has an override in the view is amended with the overridden values from the view before being served out to the LDAP client. A view to use is specified as a part of the base DN: cn=view,cn=views,cn=compat,$SUFFIX where cn=compat,$SUFFIX is the original compatibility tree base DN. Each entry, when served through the view, gets a new DN rewritten to specify the view. Additionally, if an override in the view changes the uid (for users) or cn (for groups) attribute, the entry's RDN is changed accordingly. For groups the memberUid attribute is modified as well in case there is an override in the view that changes the uid value of that member. FreeIPA ID views support overrides for users of trusted Active Directory domains. In case a trusted AD domain's user or group is returned via the compatibility tree, view overrides are applied in two stages: 1. SSSD applies the default view for AD users 2. slapi-nis applies the explicitly specified (host-specific) view on top of the entry returned by SSSD Thus, slapi-nis does not need to apply the default view for AD users, and if there are no host-specific views in use, there is no need to specify a view in the base DN, making the overhead of a default view for AD users lower. --- configure.ac | 14 ++ doc/ipa/sch-ipa.txt | 93 src/Makefile.am | 4 + src/back-sch-idview.c | 392 ++ src/back-sch-nss.c| 111 +++--- src/back-sch.c| 71 +++-- src/back-sch.h| 38 + 7 files changed, 692 insertions(+), 31 deletions(-) create mode 100644 src/back-sch-idview.c diff --git a/configure.ac b/configure.ac index 84b84d1..71dbdc7 100644 --- a/configure.ac +++ b/configure.ac
@@ -383,6 +383,20 @@ if test x$use_nsswitch != xno ; then AC_DEFINE(USE_NSSWITCH,1,[Use nsswitch API to lookup users and groups not found in the LDAP tree]) fi +use_idviews=true +AC_ARG_WITH(idviews, + AS_HELP_STRING([--with-idviews], [Use FreeIPA ID views to override POSIX IDs of users and groups]), + use_idviews=$withval,use_idviews=yes) +if test x$use_idviews = xyes ; then + AC_MSG_RESULT([FreeIPA ID views support is enabled]) + AC_DEFINE(USE_IPA_IDVIEWS,1,[Use FreeIPA ID views to override POSIX attributes of users and groups per view.]) + AC_DEFINE(IPA_IDVIEWS_ATTR_ANCHORUUID, [ipaAnchorUUID],[FreeIPA attr unique pointer for id overrides]) + AC_DEFINE(IPA_IDVIEWS_ATTR_ORIGINALUID, [ipaOriginalUid],[FreeIPA attr original uid value for user id overrides]) +else + AC_MSG_RESULT([FreeIPA ID views support is disabled]) +fi +AM_CONDITIONAL([USE_IPA_IDVIEWS], [test x$use_idviews != xno]) + mylibdir=`eval echo $libdir | sed s,NONE,${ac_default_prefix},g` mylibdir=`eval echo $mylibdir | sed s,NONE,${ac_prefix},g` case $server in diff --git a/doc/ipa/sch-ipa.txt b/doc/ipa/sch-ipa.txt index b5a585b..f560580 100644 --- a/doc/ipa/sch-ipa.txt +++ b/doc/ipa/sch-ipa.txt @@ -87,3 +87,96 @@ on IPA masters. As 'system-auth' PAM service is not used directly by any other application, it is safe to use it for trusted domain users via compatibility path. + +== Support for ID views == + +When FreeIPA 4.1 is in use, Schema compatibility plugin can be configured to +override POSIX attributes according to an identity view (ID View) which +contains overrides for users and groups. + +The overrides are managed by
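Review bot: in the configure.ac hunk the C define and the Automake conditional use different tests: `AC_DEFINE(USE_IPA_IDVIEWS, ...)` fires only when `x$use_idviews = xyes`, while `AM_CONDITIONAL([USE_IPA_IDVIEWS], [test x$use_idviews != xno])` fires for any value other than `no`. With `--with-idviews=true` (or any other value that is neither yes nor no) the view sources would be compiled into the build without USE_IPA_IDVIEWS defined. Use the same test in both places, and drop the initial `use_idviews=true`, which AC_ARG_WITH overwrites on both the given and not-given paths. A nit: the help string says the option overrides POSIX IDs, while the AC_DEFINE description and the commit message say POSIX attributes; align the wording.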
Re: [Freeipa-devel] [PATCH 0133] Fix ipactl service ordering
On 08/10/14 16:59, Martin Basti wrote: IPA sorts service order alphabetically; this patch modifies ipactl to use integers. How to reproduce: set attribute ipaConfigString: startOrder 150 DN: cn=HTTP,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com then run #ipactl restart httpd service should start as last service, but it starts almost first. Patch attached. selfNACK -- Martin Basti
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On 10/08/2014 07:30 PM, Nathaniel McCallum wrote: On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed. First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work can land inside this plugin, so the name is appropriate. Second, I uncovered a bug in 389 which prevents me from validating the non-replication request in bepre. This is the reason for the additional betxnpre callback. If the upstream 389 bug is fixed, we can merge this check back into bepre. https://fedorahosted.org/389/ticket/47919 Third, I believe we are now handling replication correctly. An error is never returned. When a replication would cause the counter to decrease, we remove all counter/watermark related mods from the operation. This will allow the replication to apply without decrementing the value. There is also a new bepost method which checks to see if the replication was discarded (via CSN) while having a higher counter value. If so, we apply the higher counter value. For me the code is good. It took me some time to understand the benefit of removing mods in preop. In fact I think it is a good idea, as it prevents extra repair ops and also makes it easier to compute the value to set in the repair mod. Here is the scenario. Server X receives two quick authentications; replications A and B are sent to server Y. Before server Y can process server X's replications, an authentication is performed on server Y; replication C is sent to server X. The following logic holds true: * csnA < csnB < csnC * valueA = valueC, valueB > valueC When server X receives replication C, ipa-otp-counter will strip out all counter mod operations; applying the update but not the lower value. The value of replication B is retained. This is the correct behavior.
When server Y processes replications A and B, ipa-otp-counter will detect that a higher value has a lower CSN and will manually set the higher value (in bepost). This initiates replication D, which is sent to server X. Here is the logic: * csnA < csnB < csnC < csnD * valueA = valueC, valueB = valueD, valueD > valueC Server X receives replication D. D has the highest CSN. It has the same value as replication B (server X's current value). Because the values are the same, ipa-otp-counter will strip all counter mod operations. This reduces counter write contention which might become a problem in N-way replication when N > 2. I think we should rather let the mods go on, so that the full topology will have valueD (or valueB)/csnD rather than having a set of servers having valueD/csnB and another set valueD/csnD. I think you misunderstand. The value for csnD is only discarded when the server already has valueB (valueB == valueD). Only the value is discarded, so csnD is still applied. The full topology will have either valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by substitution, all servers have valueD w/ csnD. Nathaniel There are several parts where the CSNs are stored. One is used to allow the replication protocol to send the appropriate updates. This part is stored into a dedicated entry: RUV. In fact when the update valueD/csnD will be received and applied, the RUV will be updated with csnD. Another part is the attribute/attribute values. An attribute value contains the actual value and the CSN associated to that value. This CSN is updated by entry_apply_mod_wsi when it decides which value to keep and which CSN is associated to this value. In the example above, on the server X, the counter attribute has valueB/csnB. Then it receives the update valueD/csnD; it discards this update because valueD = valueB. That means that on server X we will have valueB/csnB. Now if on another server we receive the updates in the reverse order: valueD/csnD first then valueB/csnB.
This server will apply valueD/csnD and then will discard valueB/csnB. ValueD and ValueB being identical, it is not a big issue. But we will have some servers with csnD and others with csnB. thanks thierry
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On 10/08/2014 01:45 PM, thierry bordaz wrote: On 10/08/2014 07:30 PM, Nathaniel McCallum wrote: On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed. First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work can land inside this plugin, so the name is appropriate. Second, I uncovered a bug in 389 which prevents me from validating the non-replication request in bepre. This is the reason for the additional betxnpre callback. If the upstream 389 bug is fixed, we can merge this check back into bepre. https://fedorahosted.org/389/ticket/47919 Third, I believe we are now handling replication correctly. An error is never returned. When a replication would cause the counter to decrease, we remove all counter/watermark related mods from the operation. This will allow the replication to apply without decrementing the value. There is also a new bepost method which checks to see if the replication was discarded (via CSN) while having a higher counter value. If so, we apply the higher counter value. For me the code is good. It took me some time to understand the benefit of removing mods in preop. In fact I think it is a good idea, as it prevents extra repair ops and also makes it easier to compute the value to set in the repair mod. Here is the scenario. Server X receives two quick authentications; replications A and B are sent to server Y. Before server Y can process server X's replications, an authentication is performed on server Y; replication C is sent to server X. The following logic holds true: * csnA < csnB < csnC * valueA = valueC, valueB > valueC When server X receives replication C, ipa-otp-counter will strip out all counter mod operations; applying the update but not the lower value. The value of replication B is retained.
This is the correct behavior. When server Y processes replications A and B, ipa-otp-counter will detect that a higher value has a lower CSN and will manually set the higher value (in bepost). This initiates replication D, which is sent to server X. Here is the logic: * csnA < csnB < csnC < csnD * valueA = valueC, valueB = valueD, valueD > valueC Server X receives replication D. D has the highest CSN. It has the same value as replication B (server X's current value). Because the values are the same, ipa-otp-counter will strip all counter mod operations. This reduces counter write contention which might become a problem in N-way replication when N > 2. I think we should rather let the mods go on, so that the full topology will have valueD (or valueB)/csnD rather than having a set of servers having valueD/csnB and another set valueD/csnD. I think you misunderstand. The value for csnD is only discarded when the server already has valueB (valueB == valueD). Only the value is discarded, so csnD is still applied. The full topology will have either valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by substitution, all servers have valueD w/ csnD. Nathaniel There are several parts where the CSNs are stored. One is used to allow the replication protocol to send the appropriate updates. This part is stored into a dedicated entry: RUV. In fact when the update valueD/csnD will be received and applied, the RUV will be updated with csnD. Another part is the attribute/attribute values. An attribute value contains the actual value and the CSN associated to that value. This CSN is updated by entry_apply_mod_wsi when it decides which value to keep and which CSN is associated to this value. In the example above, on the server X, the counter attribute has valueB/csnB. Then it receives the update valueD/csnD; it discards this update because valueD = valueB. That means that on server X we will have valueB/csnB.
Now if on another server we receive the updates in the reverse order: valueD/csnD first then valueB/csnB. This server will apply valueD/csnD and then will discard valueB/csnB. ValueD and ValueB being identical, it is not a big issue. But we will have some servers with csnD and others with csnB. The CSN is also the key in the changelog database. thanks thierry
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On Wed, 2014-10-08 at 21:45 +0200, thierry bordaz wrote: On 10/08/2014 07:30 PM, Nathaniel McCallum wrote: On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote: On 10/07/2014 06:00 PM, Nathaniel McCallum wrote: Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed. First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work can land inside this plugin, so the name is appropriate. Second, I uncovered a bug in 389 which prevents me from validating the non-replication request in bepre. This is the reason for the additional betxnpre callback. If the upstream 389 bug is fixed, we can merge this check back into bepre. https://fedorahosted.org/389/ticket/47919 Third, I believe we are now handling replication correctly. An error is never returned. When a replication would cause the counter to decrease, we remove all counter/watermark related mods from the operation. This will allow the replication to apply without decrementing the value. There is also a new bepost method which checks to see if the replication was discarded (via CSN) while having a higher counter value. If so, we apply the higher counter value. For me the code is good. It took me some time to understand the benefit of removing mods in preop. In fact I think it is a good idea, as it prevents extra repair ops and also makes it easier to compute the value to set in the repair mod. Here is the scenario. Server X receives two quick authentications; replications A and B are sent to server Y. Before server Y can process server X's replications, an authentication is performed on server Y; replication C is sent to server X. The following logic holds true: * csnA < csnB < csnC * valueA = valueC, valueB > valueC When server X receives replication C, ipa-otp-counter will strip out all counter mod operations; applying the update but not the lower value. The value of replication B is retained.
This is the correct behavior. When server Y processes replications A and B, ipa-otp-counter will detect that a higher value has a lower CSN and will manually set the higher value (in bepost). This initiates replication D, which is sent to server X. Here is the logic: * csnA < csnB < csnC < csnD * valueA = valueC, valueB = valueD, valueD > valueC Server X receives replication D. D has the highest CSN. It has the same value as replication B (server X's current value). Because the values are the same, ipa-otp-counter will strip all counter mod operations. This reduces counter write contention which might become a problem in N-way replication when N > 2. I think we should rather let the mods go on, so that the full topology will have valueD (or valueB)/csnD rather than having a set of servers having valueD/csnB and another set valueD/csnD. I think you misunderstand. The value for csnD is only discarded when the server already has valueB (valueB == valueD). Only the value is discarded, so csnD is still applied. The full topology will have either valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by substitution, all servers have valueD w/ csnD. Nathaniel There are several parts where the CSNs are stored. One is used to allow the replication protocol to send the appropriate updates. This part is stored into a dedicated entry: RUV. In fact when the update valueD/csnD will be received and applied, the RUV will be updated with csnD. Another part is the attribute/attribute values. An attribute value contains the actual value and the CSN associated to that value. This CSN is updated by entry_apply_mod_wsi when it decides which value to keep and which CSN is associated to this value. In the example above, on the server X, the counter attribute has valueB/csnB. Then it receives the update valueD/csnD; it discards this update because valueD = valueB. That means that on server X we will have valueB/csnB. It does not discard the update (CSN).
It discards the value because valueD == valueB. So csnD will be applied, it just won't touch the counter values; valueB will be retained. Now if on another server we receive the updates in the reverse order: valueD/csnD first then valueB/csnB. This server will apply valueD/csnD and then will discard valueB/csnB. This server will apply valueD/csnD AND csnB, but not valueB. This is because valueB == valueD. ValueD and ValueB being identical, it is not a big issue. But we will have some servers with csnD and others with csnB. As I understand my code, all servers will have csnD. Some servers will have valueB and others will have valueD, but valueB == valueD. We *never* discard a CSN. We only discard the counter/watermark mods in the replication operation. Nathaniel
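The three-stage rule argued over in this thread (bepre strips counter mods that would not raise the value, the core keeps the value with the newer CSN, bepost re-applies a higher value that lost on CSN), as an added simulation in C that is not the ipa-otp-counter plugin's code: the replica structs, the integer CSN clock and the X/Y/Z scenario are constructed, and the model assumes exactly the behaviour Nathaniel and thierry each describe, namely that a stripped mod still advances the RUV and that entry_apply_mod_wsi keeps the value carrying the newer CSN. Running it reproduces both of their claims at once: every replica converges on the same counter value, while the CSN attached to the attribute value is csnB on X but csnD on Y and on Z.

```c
#include <stdio.h>

/* One replica's copy of the counter attribute (constructed model).  value_csn
 * is the CSN entry_apply_mod_wsi keeps with the stored value; ruv_csn stands
 * in for the RUV, the newest CSN this replica has consumed. */
struct replica {
    const char *name;
    long long value;
    int value_csn;
    int ruv_csn;
};

/* A replicated modify of the counter: the operation's CSN and the value. */
struct repl_mod {
    int csn;
    long long value;
};

static int next_csn = 1;   /* CSN clock shared by the simulated replicas */

/* Local authentication: bump the counter and emit the mod others receive. */
static struct repl_mod local_auth(struct replica *r)
{
    struct repl_mod m = { next_csn++, r->value + 1 };
    r->value = m.value;
    r->value_csn = m.csn;
    if (m.csn > r->ruv_csn)
        r->ruv_csn = m.csn;
    return m;
}

/* Apply a replicated mod the way the thread describes ipa-otp-counter:
 *   bepre  - a mod that would not raise the counter has its counter mods
 *            stripped; the operation and its CSN still apply.
 *   core   - entry_apply_mod_wsi keeps the value carrying the newer CSN.
 *   bepost - a higher replicated value that lost on CSN is set again with a
 *            fresh local mod, which replicates out (update D in the thread).
 * Returns 1 and fills *repair when bepost issued such a mod, else 0. */
static int receive(struct replica *r, struct repl_mod in, struct repl_mod *repair)
{
    if (in.csn > r->ruv_csn)        /* the CSN itself is never discarded */
        r->ruv_csn = in.csn;
    if (in.value <= r->value)       /* bepre: strip the counter mods */
        return 0;
    if (in.csn > r->value_csn) {    /* core: newer CSN wins */
        r->value = in.value;
        r->value_csn = in.csn;
    }
    if (r->value < in.value) {      /* bepost: higher value lost on CSN */
        *repair = (struct repl_mod){ next_csn++, in.value };
        r->value = in.value;
        r->value_csn = repair->csn;
        if (repair->csn > r->ruv_csn)
            r->ruv_csn = repair->csn;
        return 1;
    }
    return 0;
}

/* The thread's scenario: A and B on X, C on Y before Y sees A and B, D is the
 * repair Y issues.  Z is a third replica that sees D before B (the reverse
 * order raised later in the thread).  Returns the number of repair mods. */
static int run_scenario(struct replica *x, struct replica *y, struct replica *z)
{
    struct repl_mod a, b, c, d = { 0, 0 }, skip;
    int repairs = 0;

    *x = (struct replica){ "X", 0, 0, 0 };
    *y = (struct replica){ "Y", 0, 0, 0 };
    *z = (struct replica){ "Z", 0, 0, 0 };
    next_csn = 1;
    a = local_auth(x);                  /* csnA=1, valueA=1 */
    b = local_auth(x);                  /* csnB=2, valueB=2 */
    c = local_auth(y);                  /* csnC=3, valueC=1 */

    repairs += receive(x, c, &skip);    /* X strips C, keeps valueB/csnB */
    repairs += receive(y, a, &skip);    /* Y strips A (1 <= 1) */
    repairs += receive(y, b, &d);       /* B loses on CSN; bepost emits D */
    repairs += receive(x, d, &skip);    /* X strips D (2 <= 2), csnD consumed */
    repairs += receive(z, d, &skip);    /* Z takes D first ... */
    repairs += receive(z, b, &skip);    /* ... then strips B: same value */
    return repairs;
}

int main(void)
{
    struct replica x, y, z, *all[] = { &x, &y, &z };
    int repairs = run_scenario(&x, &y, &z);

    printf("repair mods issued: %d\n", repairs);
    for (int i = 0; i < 3; i++)
        printf("%s: value=%lld value_csn=%d ruv_csn=%d\n", all[i]->name,
               all[i]->value, all[i]->value_csn, all[i]->ruv_csn);
    return 0;
}
```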
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On Wed, 2014-10-08 at 13:53 -0600, Rich Megginson wrote:

On 10/08/2014 01:45 PM, thierry bordaz wrote:

On 10/08/2014 07:30 PM, Nathaniel McCallum wrote:

On Wed, 2014-10-08 at 17:30 +0200, thierry bordaz wrote:

On 10/07/2014 06:00 PM, Nathaniel McCallum wrote:

Attached is the latest patch. I believe this includes all of our discussions up until this point. However, a few bits of additional information are needed.

First, I have renamed the plugin to ipa-otp-counter. I believe all replay prevention work can land inside this plugin, so the name is appropriate.

Second, I uncovered a bug in 389 which prevents me from validating the non-replication request in bepre. This is the reason for the additional betxnpre callback. If the upstream 389 bug is fixed, we can merge this check back into bepre. https://fedorahosted.org/389/ticket/47919

Third, I believe we are now handling replication correctly. An error is never returned. When a replication would cause the counter to decrease, we remove all counter/watermark related mods from the operation. This will allow the replication to apply without decrementing the value. There is also a new bepost method which checks to see if the replication was discarded (via CSN) while having a higher counter value. If so, we apply the higher counter value.

For me the code is good. It took me some time to understand the benefit of removing mods in preop. In fact I think it is a good idea, as it prevents extra repair ops and also makes the computation of the value to set in the repair mod easier.

Here is the scenario. Server X receives two quick authentications; replications A and B are sent to server Y. Before server Y can process server X's replications, an authentication is performed on server Y; replication C is sent to server X.
The following logic holds true:

* csnA < csnB < csnC
* valueA = valueC, valueB > valueC

When server X receives replication C, ipa-otp-counter will strip out all counter mod operations, applying the update but not the lower value. The value of replication B is retained. This is the correct behavior. When server Y processes replications A and B, ipa-otp-counter will detect that a higher value has a lower CSN and will manually set the higher value (in bepost). This initiates replication D, which is sent to server X. Here is the logic:

* csnA < csnB < csnC < csnD
* valueA = valueC, valueB = valueD, valueD > valueC

Server X receives replication D. D has the highest CSN. It has the same value as replication B (server X's current value). Because the values are the same, ipa-otp-counter will strip all counter mod operations. This reduces counter write contention, which might become a problem in N-way replication when N > 2.

I think we should rather let the mods go on, so that the full topology will have valueD (or valueB)/csnD rather than having a set of servers with valueD/csnB and another set with valueD/csnD.

I think you misunderstand. The value for csnD is only discarded when the server already has valueB (valueB == valueD). Only the value is discarded, so csnD is still applied. The full topology will have either valueB w/ csnD or valueD w/ csnD. Since valueB always equals valueD, by substitution, all servers have valueD w/ csnD.

Nathaniel

There are several parts where the CSNs are stored. One is used to allow the replication protocol to send the appropriate updates. This part is stored in a dedicated entry: the RUV. In fact, when the update valueD/csnD is received and applied, the RUV will be updated with csnD. Another part is the attribute/attribute values. An attribute value contains the actual value and the CSN associated to that value. This CSN is updated by entry_apply_mod_wsi when it decides which value to keep and which CSN is associated to this value.
In the example above, on server X, the counter attribute has valueB/csnB. Then it receives the update valueD/csnD and discards this update because valueD = valueB. That means that on server X we will have valueB/csnB. Now if on another server we receive the updates in the reverse order, valueD/csnD first and then valueB/csnB, this server will apply valueD/csnD and then discard valueB/csnB. valueD and valueB being identical, it is not a big issue. But we will have some servers with csnD and others with csnB.

The CSN is also the key in the changelog database.

Right. We *never* discard a replication operation. We only discard some of its mods if and only if those mods would result in either no change at all or an illegal change. If an illegal change would occur, we also issue a new fixup replication request so that everyone quickly gets consistency.

Nathaniel
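The scenario Nathaniel walks through above (replications A, B and C, then the fixup D), as an added Python model that is not the plugin's code: it encodes the described bepre rule (strip counter mods that would lower the value), 389's "higher CSN wins" value resolution and the bepost fixup, then replays the exchange between servers X and Y and checks that both end on the same value and CSN. Integer CSNs shared from one counter, the `Server`/`Update` names and the choice to apply (rather than strip) an incoming value equal to the current one are assumptions of the model.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Update:
    value: int  # counter value carried by the replicated mod
    csn: int    # CSN of the operation that produced it (larger = newer, model only)


@dataclass
class Server:
    name: str
    value: int = 0                              # current counter value
    csn: int = 0                                # CSN attached to the counter attribute
    outbox: list = field(default_factory=list)  # updates waiting to replicate out

    def local_auth(self, clock):
        """A local authentication increments the counter under a fresh CSN."""
        self.value += 1
        self.csn = next(clock)
        self.outbox.append(Update(self.value, self.csn))

    def replicate_in(self, upd, clock):
        """Apply one incoming replicated update with the plugin's rules."""
        # bepre: a mod that would *decrease* the counter is stripped. The
        # replication op itself still applies (its CSN lands in the RUV).
        if upd.value < self.value:
            return
        # entry_apply_mod_wsi: for the attribute, the higher CSN wins.
        if upd.csn > self.csn:
            self.value, self.csn = upd.value, upd.csn
            return
        # bepost: a higher value lost on CSN, so set it explicitly under a
        # new CSN and send a fixup replication so the peers converge.
        if upd.value > self.value:
            self.value = upd.value
            self.csn = next(clock)
            self.outbox.append(Update(self.value, self.csn))


def run_scenario():
    """Replay the thread's scenario; return ((X.value, X.csn), (Y.value, Y.csn))."""
    clock = count(1)  # monotonic CSN source shared by both servers (model only)
    x, y = Server("X"), Server("Y")
    x.local_auth(clock)                     # A: valueA=1, csnA=1
    x.local_auth(clock)                     # B: valueB=2, csnB=2
    y.local_auth(clock)                     # C: valueC=1, csnC=3, before A/B arrive
    x.replicate_in(y.outbox.pop(0), clock)  # X gets C: lower value, mods stripped
    y.replicate_in(x.outbox.pop(0), clock)  # Y gets A: equal value, older CSN, no-op
    y.replicate_in(x.outbox.pop(0), clock)  # Y gets B: higher value, older CSN, fixup D
    x.replicate_in(y.outbox.pop(0), clock)  # X gets D: same value as B, newer CSN
    return (x.value, x.csn), (y.value, y.csn)
```

Both servers finish at the value of B under the CSN of the fixup D, which is the convergence the thread argues for.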
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On Wed, 08 Oct 2014 15:53:39 -0400 Nathaniel McCallum npmccal...@redhat.com wrote:

As I understand my code, all servers will have csnD. Some servers will have valueB and others will have valueD, but valueB == valueD. We *never* discard a CSN. We only discard the counter/watermark mods in the replication operation.

What Thierry is saying is that the individual attributes in the entry have associated with them the last CSN that modified them. Because you remove the mods when valueD == valueB, the counter attribute will not have the associated CSN changed. But it doesn't really matter because the plugin will always keep things consistent.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [HELP] Regular users should not be able to add OTP tokens with custom name
The background of this email is this bug: https://fedorahosted.org/freeipa/ticket/4456

Attached are two patches which solve this issue for admin users (not very helpful, I know). They depend on this fix in 389: https://fedorahosted.org/389/ticket/47920

There are two outstanding issues:

1. 389 does not send the post read control for normal users. The operation itself succeeds, but no control is sent. The relevant sections from the log are attached. 389 is denying access to the following attributes (* = valid, ! = invalid):

! objectClass
! ipatokenOTPalgorithm
! ipatokenOTPdigits
* ipatokenOTPkey
* ipatokenHOTPcounter
! ipatokenOwner
! managedBy
! ipatokenUniqueID

The ACIs allowing access to most of these attributes are here: https://git.fedorahosted.org/cgit/freeipa.git/tree/install/share/default-aci.ldif#n90

Note that I am able to query the entry just fine (including all the above invalidly restricted attributes). Hence, I know the ACIs are working just fine. Part of the strange thing is that in the post read control request, I haven't indicated that I want *any* attributes returned (i.e. I want just the DN). So I'm not sure why it is querying all the attributes. I would suspect that the proper behavior would be to only check the ACIs on attributes that will actually be returned.

2. The second patch (0002) modifies the ACI for normal user token addition from this:

aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

To this:

aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,$SUFFIX)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;)

The idea is to allow users to create tokens which will be expanded by the UUID plugin.
Unfortunately, after the UUID is expanded, the ACIs are checked. Since the expanded UUID no longer matches the ACI, the addition is denied. Is this truly the correct behavior? I would think that the ACIs would be checked before the UUID plugin, not after.

From 7e9d847ec2d9b1b3829abbf3ec6961091d378fc7 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 8 Oct 2014 16:20:21 -0400 Subject: [PATCH 2/2] Use UUID plugin to generate ipaTokenUniqueIDs This lets us deny custom ipaTokenUniqueIDs to non-admin users. https://fedorahosted.org/freeipa/ticket/4456 --- install/share/Makefile.am| 1 + install/share/default-aci.ldif | 2 +- install/share/uuid-ipatokenuniqueid.ldif | 11 install/updates/40-otp.update| 3 +- ipalib/plugins/otptoken.py | 47 ++-- ipaserver/install/dsinstance.py | 1 + 6 files changed, 42 insertions(+), 23 deletions(-) create mode 100644 install/share/uuid-ipatokenuniqueid.ldif diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 7d8ceb60e6374e133cfb6e3684bc307dbf313ce7..19bea40c872f148a3a7b8dcafca6e576429e3ace 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -63,6 +63,7 @@ app_DATA =\ user_private_groups.ldif \ host_nis_groups.ldif \ uuid-ipauniqueid.ldif \ + uuid-ipatokenuniqueid.ldif \ modrdn-krbprinc.ldif \ entryusn.ldif \ root-autobind.ldif \ diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b6519b291dbaaa075e949317154c047da8f32ce 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif
@@ -96,4 +96,4 @@ aci: (targetfilter = (objectClass=ipatokenTOTP))(targetattrs = ipatokenOTPalg aci: (targetfilter = (objectClass=ipatokenHOTP))(targetattrs = ipatokenOTPalgorithm || ipatokenOTPdigits)(version 3.0; acl Users/managers can see HOTP details; allow (read, search, compare) userattr = ipatokenOwner#USERDN or userattr = managedBy#USERDN;) aci: (targetfilter = (objectClass=ipaToken))(targetattrs = description || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial)(version 3.0; acl Managers can write basic token info; allow (write) userattr = managedBy#USERDN;) aci: (targetfilter = (objectClass=ipaToken))(version 3.0; acl Managers can delete tokens; allow (delete) userattr = managedBy#USERDN;) -aci: (target = ldap:///ipatokenuniqueid=*,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;) +aci: (target = ldap:///ipatokenuniqueid=autogenerate,cn=otp,$SUFFIX;)(targetfilter = (objectClass=ipaToken))(version 3.0; acl Users can create self-managed tokens; allow (add) userattr = ipatokenOwner#SELFDN and userattr = managedBy#SELFDN;) diff --git
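Review bot: the install/share/Makefile.am hunk only adds `uuid-ipatokenuniqueid.ldif` to `app_DATA`, which covers fresh installs; the diffstat also lists `install/updates/40-otp.update` and `ipaserver/install/dsinstance.py` changing, but those hunks are not shown here, so the commit message should say how already-installed servers pick up the new uuid plugin configuration on upgrade, since the ACI change below silently depends on it being loaded.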
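Review bot: in the default-aci.ldif hunk the new target `ldap:///ipatokenuniqueid=autogenerate,cn=otp,$SUFFIX;` matches the DN only as the client submitted it, and the covering mail reports that 389 evaluates ACIs after the UUID plugin has rewritten the RDN, so the `allow (add)` rule can never match for a non-admin user and self-managed token creation is denied outright. This needs the plugin-ordering question settled with the 389 team before it lands; if ACI evaluation really runs last, the target has to stay `ipatokenuniqueid=*` and the "autogenerate only" restriction needs another server-side mechanism, because a check in `ipalib/plugins/otptoken.py` alone would not apply to direct LDAP clients.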
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On Wed, 2014-10-08 at 17:19 -0400, Simo Sorce wrote:

On Wed, 08 Oct 2014 15:53:39 -0400 Nathaniel McCallum npmccal...@redhat.com wrote:

As I understand my code, all servers will have csnD. Some servers will have valueB and others will have valueD, but valueB == valueD. We *never* discard a CSN. We only discard the counter/watermark mods in the replication operation.

What Thierry is saying is that the individual attributes in the entry have associated with them the last CSN that modified them. Because you remove the mods when valueD == valueB, the counter attribute will not have the associated CSN changed. But it doesn't really matter because the plugin will always keep things consistent.

Oh, I thought this was only being tracked on a per-entry basis. If it really matters, I can undo this optimization (it is a single character change). It will just be some extra writes.

Nathaniel
Re: [Freeipa-devel] [PATCH 0064] Create ipa-otp-decrement 389DS plugin
On Wed, 2014-10-08 at 17:19 -0400, Simo Sorce wrote:

On Wed, 08 Oct 2014 15:53:39 -0400 Nathaniel McCallum npmccal...@redhat.com wrote:

As I understand my code, all servers will have csnD. Some servers will have valueB and others will have valueD, but valueB == valueD. We *never* discard a CSN. We only discard the counter/watermark mods in the replication operation.

What Thierry is saying is that the individual attributes in the entry have associated with them the last CSN that modified them. Because you remove the mods when valueD == valueB, the counter attribute will not have the associated CSN changed. But it doesn't really matter because the plugin will always keep things consistent.

Attached is a new version. It removes this optimization. If server X has valueB/csnB and receives valueD/csnD and valueB == valueD, the replication will be applied without any modification. However, if valueB > valueD and csnD > csnB, the counter mods will still be stripped.

It also collapses the error check from betxnpre to bepre now that we have a fix for https://fedorahosted.org/389/ticket/47919 committed. The betxnpre functions are completely removed.

Also, a dependency on 389 1.3.3.4 (not yet released) is added.

Nathaniel

From 368eb782ec7e4d4c245f4cee5bb819eac4ef2a30 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 10 Sep 2014 17:31:37 -0400 Subject: [PATCH] Create ipa-otp-counter 389DS plugin This plugin ensures that all counter/watermark operations are atomic and never decrement. Also, deletion is not permitted. Because this plugin also ensures internal operations behave properly, this also gives ipa-pwd-extop the appropriate behavior for OTP authentication. https://fedorahosted.org/freeipa/ticket/4493 https://fedorahosted.org/freeipa/ticket/4494 --- daemons/configure.ac | 1 + daemons/ipa-slapi-plugins/Makefile.am | 1 + .../ipa-slapi-plugins/ipa-otp-counter/Makefile.am | 25 ++ daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c | 96 + daemons/ipa-slapi-plugins/ipa-otp-counter/berval.h | 66 .../ipa-otp-counter/ipa-otp-counter.sym| 1 + .../ipa-otp-counter/ipa_otp_counter.c | 436 + .../ipa-slapi-plugins/ipa-otp-counter/ldapmod.c| 110 ++ .../ipa-slapi-plugins/ipa-otp-counter/ldapmod.h| 54 +++ .../ipa-otp-counter/otp-counter-conf.ldif | 15 + freeipa.spec.in| 8 +- ipaserver/install/dsinstance.py| 4 + 12 files changed, 814 insertions(+), 3 deletions(-) create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/berval.h create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ipa-otp-counter.sym create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.c create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h create mode 100644 daemons/ipa-slapi-plugins/ipa-otp-counter/otp-counter-conf.ldif diff --git a/daemons/configure.ac b/daemons/configure.ac index b4507a6d972f854331925e72869898576bdfd76f..bfcdeadcd1dc73762d8c773ee50210d9bdb91e92 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -314,6 +314,7 @@ AC_CONFIG_FILES([ ipa-slapi-plugins/ipa-dns/Makefile ipa-slapi-plugins/ipa-enrollment/Makefile ipa-slapi-plugins/ipa-lockout/Makefile +ipa-slapi-plugins/ipa-otp-counter/Makefile ipa-slapi-plugins/ipa-otp-lasttoken/Makefile ipa-slapi-plugins/ipa-pwd-extop/Makefile ipa-slapi-plugins/ipa-extdom-extop/Makefile diff --git a/daemons/ipa-slapi-plugins/Makefile.am b/daemons/ipa-slapi-plugins/Makefile.am index 06e6ee8b86f138cce05f2184ac98c39ffaf9757f..07733921e43ac2eb9e248b276351d915a854bf7e 100644 --- a/daemons/ipa-slapi-plugins/Makefile.am +++ b/daemons/ipa-slapi-plugins/Makefile.am @@ -7,6 +7,7 @@ SUBDIRS = \ ipa-enrollment \ ipa-lockout \ ipa-modrdn \ + ipa-otp-counter \ ipa-otp-lasttoken \ ipa-pwd-extop \ ipa-extdom-extop \ diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am b/daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am new file mode 100644 index ..6b18467613e9bd301ce7432b7052f0fb15aae886 --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/Makefile.am @@ -0,0 +1,25 @@ +MAINTAINERCLEANFILES = *~ Makefile.in +PLUGIN_COMMON_DIR = ../common +AM_CPPFLAGS = \ + -I. \ + -I$(srcdir) \ + -I$(PLUGIN_COMMON_DIR) \ + -I/usr/include/dirsrv \ + -DPREFIX=\$(prefix)\ \ + -DBINDIR=\$(bindir)\\ + -DLIBDIR=\$(libdir)\ \ + -DLIBEXECDIR=\$(libexecdir)\ \ + -DDATADIR=\$(datadir)\\ + $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) + +plugindir =
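Review bot: in the new ipa-slapi-plugins/ipa-otp-counter/Makefile.am hunk the `AM_CPPFLAGS` continuation spacing is inconsistent: `-DBINDIR=\$(bindir)\\` and `-DDATADIR=\$(datadir)\\` have no space before the trailing backslash while the neighbouring `-DPREFIX`, `-DLIBDIR` and `-DLIBEXECDIR` lines do; make them uniform (`-DBINDIR=\$(bindir)\ \`). The hunk is cut off at `plugindir =` in this archive copy, so the install location and the `berval.c`/`ldapmod.c` sources listed in the diffstat could not be checked here.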