[Freeipa-devel] [PATCHES 297-299] Improvements for idviews xmlrpc tests

2015-01-21 Thread Tomas Babej
Hi,

This couple of patches adds coverage for the scenario in 
https://fedorahosted.org/freeipa/ticket/4839 , plus fixes issues that caused 
ipa-run-tests to skip this test file.

Tomas

From 2ae01c99cd0348aec1b6d2e90fb81e8691bc4b57 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 20 Jan 2015 16:49:42 +0100
Subject: [PATCH] ipatests: Add coverage for referential integrity plugin
 applied on ipaAssignedIDView

This adds a test case which makes sure that the referential integrity
plugin does not leave any trailing references for the ipaAssignedIDView
attribute on hosts if the ID view being referenced has been deleted.

https://fedorahosted.org/freeipa/ticket/4839
---
 ipatests/test_xmlrpc/test_idviews_plugin.py | 87 -
 1 file changed, 86 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
index 607428af5d437da4ae72d97d2160b713da71be80..49c66d648a7ddda8a9f641924e5c4fd810eda2d4 100644
--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
@@ -39,6 +39,7 @@ idview2 = u'idview2'
 host1 = u'host1.test'
 host2 = u'host2.test'
 host3 = u'host3.test'
+host4 = u'host4.test'
 
 hostgroup1 = u'hostgroup1'
 hostgroup2 = u'hostgroup2'
@@ -52,6 +53,7 @@ nonexistentgroup = u'nonexistentgroup'
 host1 = u'testhost1'
 host2 = u'testhost2'
 host3 = u'testhost3'
+host4 = u'testhost4'
 
 
 # Test helpers
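Review bot: host1 through host4 appear to be bound twice at module level in this file: the previous hunk adds host4 = u'host4.test' beside host1..host3 = u'hostN.test', and this hunk rebinds the same four names to u'testhostN', so the earlier values (including the newly added u'host4.test') are dead by the time the test class is built. Drop one of the two blocks, or give the first set distinct names, so the value of host4 used by the new test case is unambiguous.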
@@ -106,7 +108,7 @@ class test_idviews(Declarative):
 
 cleanup_commands = [
 ('idview_del', [idview1, idview2], {'continue': True}),
-('host_del', [host1, host2, host3], {'continue': True}),
+('host_del', [host1, host2, host3, host4], {'continue': True}),
 ('hostgroup_del', [hostgroup1, hostgroup2], {'continue': True}),
 ('idoverride_del', [idview1, idoverrideuser1, idoverridegroup1],
 {'continue': True}),
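Review bot: the cleanup passes the short names [host1, host2, host3, host4] to host_del, while the new test case below creates the host as get_fqdn(host4). That only removes host4 if host_del resolves short names itself, and with 'continue': True a failed deletion is silent. Using get_fqdn(host4) (and the same for the other three) here makes creation and cleanup use the same key and removes the dependence on that behaviour.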
@@ -1332,5 +1334,88 @@ class test_idviews(Declarative):
 ),
 ),
 
+# Recreate the view, assign it to a host and then delete the view
+# Check that the host no longer references the view
 
+dict(
+desc='Create ID View %s' % idview1,
+command=(
+'idview_add',
+[idview1],
+{}
+),
+expected=dict(
+value=idview1,
+summary=u'Added ID View %s' % idview1,
+result=dict(
+dn=get_idview_dn(idview1),
+objectclass=objectclasses.idview,
+cn=[idview1]
+)
+),
+),
+
+dict(
+desc='Create %r' % host4,
+command=('host_add', [get_fqdn(host4)],
+dict(
+description=u'Test host 4',
+l=u'Undisclosed location 4',
+force=True,
+),
+),
+expected=dict(
+value=get_fqdn(host4),
+summary=u'Added host %s' % get_fqdn(host4),
+result=dict(
+dn=get_host_dn(host4),
+fqdn=[get_fqdn(host4)],
+description=[u'Test host 4'],
+l=[u'Undisclosed location 4'],
+krbprincipalname=[
+u'host/%s@%s' % (get_fqdn(host4), api.env.realm)],
+objectclass=objectclasses.host,
+ipauniqueid=[fuzzy_uuid],
+managedby_host=[get_fqdn(host4)],
+has_keytab=False,
+has_password=False,
+),
+),
+),
+
+dict(
+desc='Delete ID View that is assigned %s' % idview1,
+command=('idview_del', [idview1], {}),
+expected=dict(
+result=dict(failed=[]),
+summary=u'Deleted ID View %s' % idview1,
+value=[idview1],
+),
+),
+
+dict(
+desc='Check that %s has not %s applied' % (host4, idview1),
+command=('host_show', [get_fqdn(host4)], {'all': True}),
+expected=dict(
+value=get_fqdn(host4),
+summary=None,
+result=dict(
+cn=[get_fqdn(host4)],
+dn=get_host_dn(host4),
+fqdn=[get_fqdn(host4)],
+description=[u'Test host 4'],
+l=[u'Undisclosed location 4'],
+krbprincipalname=[get_host_principal(host4)],
+has_keytab=False,
+has_password=False,
+managedby_host=[get_fqdn(host4)],
+ipakrbokasdelegate=False,
+ipakrbrequirespreauth=True,
+ipauniqueid=[fuzzy_uuid],
+managing_host=[get_fqdn(host4)],
+
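Review bot: the scenario announced in the leading comment (recreate the view, assign it to a host, delete the view) is missing its middle step. Between 'Create host4' and 'Delete ID View' there is no idview_apply command, so idview1 is never assigned to host4, the description 'Delete ID View that is assigned %s' is not true, and the closing host_show cannot detect a dangling ipaAssignedIDView because none was ever set; as written the test passes with or without the referential integrity plugin. Add an idview_apply step for get_fqdn(host4) after the host is created, and a host_show that expects the ipaassignedidview attribute before the deletion, so the final check actually exercises ticket 4839. The desc would also read better as 'Delete ID View %s that is assigned to a host'.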

[Freeipa-devel] [PATCH] Use curl instead of wget

2015-01-21 Thread Colin Walters
[Note I didn't test this patch]

Curl has a shared library, and so ends up being used by more components
of the OS.  It should be preferred over wget.

The motivation for this patch is for Project Atomic hosts; we want to
include ipa-client, but trim down its dependencies.

If wget isn't installed on the host, it doesn't need to be updated for
security errata.
---
 freeipa.spec.in|  4 ++--
 ipa-client/ipa-install/ipa-client-install  |  2 +-
 ipaplatform/base/paths.py  |  1 -
 ipaplatform/redhat/services.py |  8 
 ipaserver/advise/plugins/legacy_clients.py | 16 
 5 files changed, 15 insertions(+), 16 deletions(-)

From dfd2bb440b786a074fdc0fa73910ca48583187e6 Mon Sep 17 00:00:00 2001
From: Colin Walters walt...@verbum.org
Date: Wed, 21 Jan 2015 16:59:52 -0500
Subject: [PATCH] Use curl instead of wget

Curl has a shared library, and so ends up being used by more components
of the OS.  It should be preferred over wget.

The motivation for this patch is for Project Atomic hosts; we want to
include ipa-client, but trim down its dependencies.

If wget isn't installed on the host, it doesn't need to be updated for
security errata.
---
 freeipa.spec.in|  4 ++--
 ipa-client/ipa-install/ipa-client-install  |  2 +-
 ipaplatform/base/paths.py  |  1 -
 ipaplatform/redhat/services.py |  8 
 ipaserver/advise/plugins/legacy_clients.py | 16 
 5 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 4da0732..f8fe2ad 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -224,7 +224,7 @@ Requires: ntp
 Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
-Requires: wget
+Requires: curl
 Requires: libcurl = 7.21.7-2
 Requires: xmlrpc-c = 1.27.4
 Requires: sssd = 1.12.3
@@ -286,7 +286,7 @@ Requires: python-qrcode-core = 5.0.0
 Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico
-Requires: wget
+Requires: curl
 
 Conflicts: %{alt_name}-python
 Obsoletes: %{alt_name}-python  %{version}
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index dfe0e3b..f8fc7d2 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1753,7 +1753,7 @@ def get_ca_certs_from_http(url, warn=True):
 root_logger.debug(trying to retrieve CA cert via HTTP from %s, url)
 try:
 
-stdout, stderr, rc = run([paths.BIN_WGET, -O, -, url])
+stdout, stderr, rc = run([curl, url])
 except CalledProcessError, e:
 raise errors.NoCertificateError(entry=url)
 
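Review bot: run([curl, url]) changes the failure semantics of get_ca_certs_from_http. wget exits non-zero on an HTTP error status, so the except CalledProcessError branch turned a 404 into NoCertificateError; curl exits 0 on 4xx/5xx and prints the error body to stdout, which this code would then hand on as the CA certificate. Add -f (--fail) so HTTP errors become a non-zero exit, and -s -S to keep the progress meter out of stderr. The binary should also come from the platform namespace (a new paths.BIN_CURL mirroring the removed paths.BIN_WGET) rather than a bare curl resolved through PATH, as Alexander points out later in the thread.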
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 5c52714..aa6dc6f 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -187,7 +187,6 @@ class BasePathNamespace(object):
 SSS_SSH_AUTHORIZEDKEYS = /usr/bin/sss_ssh_authorizedkeys
 SSS_SSH_KNOWNHOSTSPROXY = /usr/bin/sss_ssh_knownhostsproxy
 UPDATE_CA_TRUST = /usr/bin/update-ca-trust
-BIN_WGET = /usr/bin/wget
 ZIP = /usr/bin/zip
 BIND_LDAP_SO = /usr/lib/bind/ldap.so
 BIND_LDAP_DNS_IPA_WORKDIR = /var/named/dyndb-ldap/ipa/
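Review bot: this deletes BasePathNamespace.BIN_WGET without adding a replacement, so any platform module still referencing paths.BIN_WGET fails with AttributeError, and the callers changed elsewhere in this patch hard-code 'curl' instead of going through the namespace. Replace the removed line with a BIN_CURL = /usr/bin/curl entry (overridable per platform) so the Red Hat and Debian path abstraction stays intact.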
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 8759cab..0801e59 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -201,10 +201,10 @@ class RedHatCAService(RedHatService):
 }
 
 args = [
-paths.BIN_WGET,
-'-S', '-O', '-',
-'--timeout=30',
-'--no-check-certificate',
+'curl',
+'-v', 
+'--max-time', '30',
+'--insecure',
 url
 ]
 
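Review bot: the flag translation is not one-to-one. wget's -S printed only the server response headers; curl's -v prints the request, response headers and TLS trace in a different format (lines prefixed with <, > and *), so anything downstream that inspects stderr for the HTTP status line will no longer match; -i or -D - is the closer equivalent, with -s -S to silence the progress meter. --insecure does preserve wget's --no-check-certificate, meaning the server certificate is still not verified on this fetch, which deserves a comment stating why that is acceptable here. Also add -f so HTTP error statuses yield a non-zero exit, drop the trailing whitespace after '-v', and use paths.BIN_CURL rather than a PATH lookup for 'curl'.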
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
index 6d17f7e..93f186e 100644
--- a/ipaserver/advise/plugins/legacy_clients.py
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -48,13 +48,13 @@ class config_base_legacy_client(Advice):
 'cacertdir_rehash?format=txt')
 self.log.comment('Download the CA certificate of the IPA server')
 self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
-self.log.command('wget http://%s/ipa/config/ca.crt -O '
- '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
+self.log.command('curl -o /etc/openldap/cacerts/ipa.crt http://%s/ipa/config/ca.crt\n'
+ % api.env.host)
 
 self.log.comment('Generate hashes for the openldap library')
 self.log.command('command -v cacertdir_rehash')
 self.log.command('if [ $? -ne 0 ] ; then')
-self.log.command(' wget %s -O cacertdir_rehash ;' % cacertdir_rehash)
+self.log.command(' curl -o cacertdir_rehash %s;' % cacertdir_rehash)
 

Re: [Freeipa-devel] [PATCH] Use curl instead of wget

2015-01-21 Thread Alexander Bokovoy

On Wed, 21 Jan 2015, Colin Walters wrote:

[Note I didn't test this patch]

Curl has a shared library, and so ends up being used by more components
of the OS.  It should be preferred over wget.

The motivation for this patch is for Project Atomic hosts; we want to
include ipa-client, but trim down its dependencies.

If wget isn't installed on the host, it doesn't need to be updated for
security errata.
---
freeipa.spec.in|  4 ++--
ipa-client/ipa-install/ipa-client-install  |  2 +-
ipaplatform/base/paths.py  |  1 -
ipaplatform/redhat/services.py |  8 
ipaserver/advise/plugins/legacy_clients.py | 16 
5 files changed, 15 insertions(+), 16 deletions(-)


In general, I'm not against trimming this dependency. However, please
follow the existing pattern by defining paths.BIN_CURL and using it instead
of paths.BIN_WGET. FreeIPA client runs on Debian GNU/Linux-based
platforms as well and we need to keep the abstraction.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 0174-0175 ipa-kdb fixes

2015-01-21 Thread Alexander Bokovoy

Hi,

A couple of patches to fix the Kerberos DAL driver in relation to trusts.

Patch 0174:
Allow using CA paths defined in krb5.conf on top of what we define
automatically for trusted domains.
https://fedorahosted.org/freeipa/ticket/4791

Patch 0175:
Change the error code reported back to the Kerberos client when a principal from
a disabled trusted domain attempts to access resources we control.

The error code will help older SSSD properly reflect the error message in
the PAM stack.
https://fedorahosted.org/freeipa/ticket/4788

--
/ Alexander Bokovoy
From 5539c7d29e185c4ee6489a9f93008e2b0c2670c9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Fri, 5 Dec 2014 21:22:23 +0200
Subject: [PATCH 1/2] ipa-kdb: when processing transitions, hand over
 unknown ones to KDC

When processing cross-realm trust transitions, let the KDC handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.

https://fedorahosted.org/freeipa/ticket/4791
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index a450007..0cbdd4c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2688,7 +2688,8 @@ krb5_error_code ipadb_check_transited_realms(krb5_context 
kcontext,
}
}
 
-   ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+   /* Tell to KDC that we don't handle this transition so that rules in 
krb5.conf could play its role */
+   ret = KRB5_PLUGIN_NO_HANDLE;
if (has_client_realm  has_transited_contents  has_server_realm) {
ret = 0;
}
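Review bot: the default return value changes from a hard reject (KRB5KRB_AP_ERR_ILL_CR_TKT) to KRB5_PLUGIN_NO_HANDLE, which hands transitions this plugin does not recognise to the KDC's own transited-realm check driven by [capaths]. That matches the commit message, but the new comment should say it in those terms, and as written it is ungrammatical and wrapped mid-sentence; suggest a single line such as /* Unknown transition: return NO_HANDLE so the KDC applies the [capaths] rules from krb5.conf */. The commit message would also benefit from stating explicitly that the KDC still performs its own transited check when the plugin declines, so reviewers can see this is a delegation and not an accept-by-default.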
-- 
2.1.0

From c3d2718b3f28fabfdfb29cd6d0ee87d848e32d2f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 10 Dec 2014 14:59:38 +0200
Subject: [PATCH 2/2] ipa-kdb: reject principals from disabled domains as a KDC
 policy

Fixes https://fedorahosted.org/freeipa/ticket/4788
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0cbdd4c..5d7f892 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context 
context,
domain-parent-sid_blacklist_incoming[k], 
true);
 if (result) {
 
filter_logon_info_log_message(info-info-info3.base.domain_sid);
-return EINVAL;
+return KRB5KDC_ERR_POLICY;
 }
 }
 }
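Review bot: returning KRB5KDC_ERR_POLICY instead of EINVAL is the right layer-appropriate code for a principal from a disabled trusted domain, but nothing in the hunk or the commit message records why. The cover mail explains that older SSSD maps this code to a proper PAM message; that rationale belongs in the commit body rather than only "Fixes <ticket>", and a one-line comment above the return (for example /* KDC policy error so SSSD can report a meaningful PAM failure */) would help the next reader. Worth a follow-up check that the other error paths in filter_logon_info do not still return errno values for the same class of condition.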
-- 
2.1.0


[Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory

2015-01-21 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833.

Honza

--
Jan Cholasta
From f5e6e45977b699bada1990f8231d0f142ab6fc61 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 21 Jan 2015 07:57:03 +
Subject: [PATCH] Revert Make all ipatokenTOTP attributes mandatory

This reverts commit adcd373931c50d91550f6b74b191d08ecce5b137.

https://fedorahosted.org/freeipa/ticket/4833
---
 install/share/70ipaotp.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif
index b35ab62..0c48d9a 100644
--- a/install/share/70ipaotp.ldif
+++ b/install/share/70ipaotp.ldif
@@ -29,7 +29,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.24 NAME 'ipatokenTOTPsyncWindow' DES
 attributeTypes: (2.16.840.1.113730.3.8.16.1.25 NAME 'ipatokenHOTPauthWindow' DESC 'HOTP Auth Window (maximum authentication skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 attributeTypes: (2.16.840.1.113730.3.8.16.1.26 NAME 'ipatokenHOTPsyncWindow' DESC 'HOTP Sync Window (maximum synchronization skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.1  NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ managedBy $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP')
-objectClasses:  (2.16.840.1.113730.3.8.16.2.2  NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
+objectClasses:  (2.16.840.1.113730.3.8.16.2.2  NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.3  NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MAY (ipatokenRadiusConfigLink $ ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.4  NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.5  NAME 'ipatokenHOTP' SUP ipaToken STRUCTURAL DESC 'HOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenHOTPcounter) X-ORIGIN 'IPA OTP')
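Review bot: editing 70ipaotp.ldif changes the schema delivered to fresh installs; servers that were already upgraded to the MUST variant keep that definition in cn=schema unless the update path rewrites it, so the replication conflict from the ticket can persist on existing deployments until the stored objectClass is relaxed as well. Please confirm that the schema updater applies this MUST to MAY change on upgrade, and put the reason for the revert into the commit message as requested in the thread.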
-- 
2.1.0


Re: [Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory

2015-01-21 Thread Jan Cholasta

Dne 21.1.2015 v 09:09 Martin Kosek napsal(a):

On 01/21/2015 09:02 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833.

Honza


Please also add the reason why we are reverting the change (see details
https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7) directly to the commit
description.

When done, I will ACK.



Updated patch attached. (Feel free to amend the explanation.)

--
Jan Cholasta
From 625f01ec59b3304cffd7db3ae134026f3e5bc93c Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Wed, 21 Jan 2015 07:57:03 +
Subject: [PATCH] Revert Make all ipatokenTOTP attributes mandatory

This prevents schema replication conflicts which cause replication failures
with older versions of IPA.

This reverts commit adcd373931c50d91550f6b74b191d08ecce5b137.

https://fedorahosted.org/freeipa/ticket/4833
---
 install/share/70ipaotp.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif
index b35ab62..0c48d9a 100644
--- a/install/share/70ipaotp.ldif
+++ b/install/share/70ipaotp.ldif
@@ -29,7 +29,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.24 NAME 'ipatokenTOTPsyncWindow' DES
 attributeTypes: (2.16.840.1.113730.3.8.16.1.25 NAME 'ipatokenHOTPauthWindow' DESC 'HOTP Auth Window (maximum authentication skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 attributeTypes: (2.16.840.1.113730.3.8.16.1.26 NAME 'ipatokenHOTPsyncWindow' DESC 'HOTP Sync Window (maximum synchronization skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.1  NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ managedBy $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP')
-objectClasses:  (2.16.840.1.113730.3.8.16.2.2  NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
+objectClasses:  (2.16.840.1.113730.3.8.16.2.2  NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.3  NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MAY (ipatokenRadiusConfigLink $ ipatokenRadiusUserName) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.4  NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP')
 objectClasses:  (2.16.840.1.113730.3.8.16.2.5  NAME 'ipatokenHOTP' SUP ipaToken STRUCTURAL DESC 'HOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenHOTPcounter) X-ORIGIN 'IPA OTP')
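Review bot: with every TOTP attribute now optional at the schema level, the directory no longer rejects a token entry missing ipatokenOTPkey, ipatokenOTPalgorithm, ipatokenOTPdigits, ipatokenTOTPclockOffset or ipatokenTOTPtimeStep. Validation of those values therefore falls entirely to the otptoken command and the OTP plugin; please confirm they still refuse to create or authenticate an incomplete TOTP token, since the added commit text only explains the replication motivation.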
-- 
2.1.0


Re: [Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory

2015-01-21 Thread Martin Kosek
On 01/21/2015 09:02 AM, Jan Cholasta wrote:
 Hi,
 
 the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833.
 
 Honza

Please also add the reason why we are reverting the change (see details
https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7) directly to the commit
description.

When done, I will ACK.



Re: [Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory

2015-01-21 Thread Martin Kosek
On 01/21/2015 09:15 AM, Jan Cholasta wrote:
 Dne 21.1.2015 v 09:09 Martin Kosek napsal(a):
 On 01/21/2015 09:02 AM, Jan Cholasta wrote:
 Hi,

 the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833.

 Honza

 Please also add the reason why we are reverting the change (see details
 https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7) directly to the commit
 description.

 When done, I will ACK.

 
 Updated patch attached. (Feel free to amend the explanation.)
 

OK, I just added a direct link to the Bugzilla comment I referred to.

Pushed to master, ipa-4-1, ipa-4-0.

Martin



[Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes

2015-01-21 Thread Martin Basti

Patch 188 catches LDAP exceptions to prevent false-positive abrt reports.

Patch 187 fixes issues with removing the root zone.

Patches attached.

--
Martin Basti

From baed3cbcc9d4cf1768a7f2eff96e9d0943bfc578 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 21 Jan 2015 13:32:44 +0100
Subject: [PATCH] DNSSEC catch ldap exceptions in ipa-dnskeysyncd

The server-down exception causes a lot of false-positive abrt reports.
---
 daemons/dnssec/ipa-dnskeysyncd | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd
index c7475bd65ba7ad38af99f2e8c3ae3bc8837f2c9b..e184d88b47ff7c7224c71057807e447e4b5e9e12 100755
--- a/daemons/dnssec/ipa-dnskeysyncd
+++ b/daemons/dnssec/ipa-dnskeysyncd
@@ -102,5 +102,9 @@ while watcher_running:
 filterstr=ldap_url.filterstr
 )
 
-while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
-pass
+try:
+while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
+pass
+except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
+log.exception('syncrepl_poll: LDAP error (%s)', e)
+sys.exit(1)
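Review bot: the new handler makes the daemon exit with status 1 on ldap.SERVER_DOWN or ldap.CONNECT_ERROR, which suppresses the abrt report but turns a transient LDAP outage into a stopped service; the unit needs a restart policy, or this loop needs a reconnect, for syncrepl to resume. log.exception already records the traceback, so appending the exception text with (%s) is redundant. Note also that the call whose argument list closes just above the try (filterstr=ldap_url.filterstr) is outside the try and can raise the same exceptions, and ldap.TIMEOUT is a plausible third member of the tuple.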
-- 
2.1.0

From b47299085fd04bb8ccc99e47b2a0e33d52fd1e8a Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Wed, 21 Jan 2015 12:19:17 +0100
Subject: [PATCH] DNSSEC: fix root zone dns name conversion

The root zone was represented as '@', which was incorrect; ksmutil did not
accept it.
Now the root zone is represented as '.'.
---
 ipapython/dnssec/odsmgr.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipapython/dnssec/odsmgr.py b/ipapython/dnssec/odsmgr.py
index a91b6c553d9ab7364258bd1ca24d236a3994ec6d..ed17351cad4db28caed2623aa4bec145d5bc4414 100644
--- a/ipapython/dnssec/odsmgr.py
+++ b/ipapython/dnssec/odsmgr.py
@@ -145,6 +145,9 @@ class ODSMgr(object):
 def del_ods_zone(self, name):
 # ods-ksmutil blows up if zone name has period at the end
 name = name.relativize(dns.name.root)
+# detect if name is root zone
+if name == dns.name.empty:
+name = dns.name.root
 cmd = ['zone', 'delete', '--zone', str(name)]
 output = self.ksmutil(cmd)
 self.log.info(output)
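Review bot: the special case maps the empty relative name back to dns.name.root so ksmutil sees '.', but only in del_ods_zone. If the add path applies the same relativize(dns.name.root) before calling ksmutil, it needs the identical fix, so the two lines are better factored into a small helper (a hypothetical _ods_zone_name(name)) used by both. The comment would also be clearer as "# relativize() turns the root zone into the empty name; ksmutil expects '.'".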
-- 
2.1.0


[Freeipa-devel] [PATCH 0320] Fix description of idnsAllowQuery attribute in README

2015-01-21 Thread Petr Spacek
Hello,

Fix description of idnsAllowQuery attribute in README.

https://fedorahosted.org/bind-dyndb-ldap/ticket/154

I got an off-list ACK from Martin^2.

Pushed to master:
a4565b3ef843e4464d2e950f0716818e7c7ce09b

-- 
Petr^2 Spacek
From 94169b05e3a5e2d5b4c522274c50e523b0c1f030 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Wed, 21 Jan 2015 13:53:02 +0100
Subject: [PATCH] Fix description of idnsAllowQuery attribute in README.

https://fedorahosted.org/bind-dyndb-ldap/ticket/154
---
 README | 23 +++
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/README b/README
index 1b8f2a713ad901d3aab5ed799cbb9c5e9c746c44..47cd9f68a3d27131ba95a07839cc3c2c5f2e8e49 100644
--- a/README
+++ b/README
@@ -62,23 +62,22 @@ Attributes:
 	value dyn_update from plugin configuration will be used.
 
 * idnsAllowQuery
-	Specifies BIND9 zone ACL element. This attribute can be set multiple
-	times and are merged together to the one ACL.
+	Specifies BIND9 zone ACL element as one string.
 
-	Example:
-		idnsAllowQuery: 127.0.0.1
-		idnsAllowQuery: ::1
-		idnsAllowQuery: 192.168.1.0/24
+	Example 1:  idnsAllowQuery: 192.0.2.1
+	In the first example above, only the client with 192.0.2.1 IP address
+	is allowed to query records from the zone.
 
-	In the example above clients with 127.0.0.1 and ::1 IP addresses and
-	clients from the 192.168.1.0/24 network are allowed to obtain records
-	from the zone.
+	Example 2:  idnsAllowQuery: !192.0.2.33; 192.0.2.0/24;
+	In the second example, queries from client 192.0.2.33 are refused
+	but queries from all other clients in the 192.0.2.0/24 network
+	are allowed.
 
 	You can specify IPv4/IPv6 address, IPv4/IPv6 network address in CIDR
-	format and any or none keywords. The ! prefix (for example
-	!192.168.1.0/24) means negation of the ACL element.
+	format, and any or none keywords. The ! prefix (for example
+	!192.0.2.33) means negation of the ACL element.
 
-	If not set then zone inherits global allow-query from named.conf.
+	If not set, then zone inherits global allow-query from named.conf.
 
 * idnsAllowTransfer
 	Uses same format as idnsAllowQuery. Allows zone transfers for matching
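Review bot: Example 2 relies on BIND address-match-list semantics, where the first matching element wins, which is why !192.0.2.33 must come before 192.0.2.0/24; the README should state that explicitly, otherwise a reader who writes the elements in the opposite order silently allows the host they meant to refuse. Example 1 also omits the trailing semicolon that Example 2 uses; say whether it is optional for a single element or required.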
-- 
2.1.0
