[Freeipa-devel] [PATCHES 297-299] Improvements for idviews xmlrpc tests
Hi, this couple of patches adds coverage for the scenario in https://fedorahosted.org/freeipa/ticket/4839 , plus fixes issues that caused ipa-run-tests to skip this test file. TomasFrom 2ae01c99cd0348aec1b6d2e90fb81e8691bc4b57 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 20 Jan 2015 16:49:42 +0100 Subject: [PATCH] ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView This adds a test case which makes sure that referential integrity plugin does not leave any trailing references for ipaAssignedIDView attribute on hosts, if the ID view being referenced has been deleted. https://fedorahosted.org/freeipa/ticket/4839 --- ipatests/test_xmlrpc/test_idviews_plugin.py | 87 - 1 file changed, 86 insertions(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py index 607428af5d437da4ae72d97d2160b713da71be80..49c66d648a7ddda8a9f641924e5c4fd810eda2d4 100644 --- a/ipatests/test_xmlrpc/test_idviews_plugin.py +++ b/ipatests/test_xmlrpc/test_idviews_plugin.py @@ -39,6 +39,7 @@ idview2 = u'idview2' host1 = u'host1.test' host2 = u'host2.test' host3 = u'host3.test' +host4 = u'host4.test' hostgroup1 = u'hostgroup1' hostgroup2 = u'hostgroup2' @@ -52,6 +53,7 @@ nonexistentgroup = u'nonexistentgroup' host1 = u'testhost1' host2 = u'testhost2' host3 = u'testhost3' +host4 = u'testhost4' # Test helpers @@ -106,7 +108,7 @@ class test_idviews(Declarative): cleanup_commands = [ ('idview_del', [idview1, idview2], {'continue': True}), -('host_del', [host1, host2, host3], {'continue': True}), +('host_del', [host1, host2, host3, host4], {'continue': True}), ('hostgroup_del', [hostgroup1, hostgroup2], {'continue': True}), ('idoverride_del', [idview1, idoverrideuser1, idoverridegroup1], {'continue': True}), 
@@ -1332,5 +1334,88 @@ class test_idviews(Declarative): ), ), +# Recreate the view, assign it to a host and then delete the view +# Check that the host no longer references the view +dict( +desc='Create ID View %s' % idview1, +command=( +'idview_add', +[idview1], +{} +), +expected=dict( +value=idview1, +summary=u'Added ID View %s' % idview1, +result=dict( +dn=get_idview_dn(idview1), +objectclass=objectclasses.idview, +cn=[idview1] +) +), +), + +dict( +desc='Create %r' % host4, +command=('host_add', [get_fqdn(host4)], +dict( +description=u'Test host 4', +l=u'Undisclosed location 4', +force=True, +), +), +expected=dict( +value=get_fqdn(host4), +summary=u'Added host %s' % get_fqdn(host4), +result=dict( +dn=get_host_dn(host4), +fqdn=[get_fqdn(host4)], +description=[u'Test host 4'], +l=[u'Undisclosed location 4'], +krbprincipalname=[ +u'host/%s@%s' % (get_fqdn(host4), api.env.realm)], +objectclass=objectclasses.host, +ipauniqueid=[fuzzy_uuid], +managedby_host=[get_fqdn(host4)], +has_keytab=False, +has_password=False, +), +), +), + +dict( +desc='Delete ID View that is assigned %s' % idview1, +command=('idview_del', [idview1], {}), +expected=dict( +result=dict(failed=[]), +summary=u'Deleted ID View %s' % idview1, +value=[idview1], +), +), + +dict( +desc='Check that %s has not %s applied' % (host4, idview1), +command=('host_show', [get_fqdn(host4)], {'all': True}), +expected=dict( +value=get_fqdn(host4), +summary=None, +result=dict( +cn=[get_fqdn(host4)], +dn=get_host_dn(host4), +fqdn=[get_fqdn(host4)], +description=[u'Test host 4'], +l=[u'Undisclosed location 4'], +krbprincipalname=[get_host_principal(host4)], +has_keytab=False, +has_password=False, +managedby_host=[get_fqdn(host4)], +ipakrbokasdelegate=False, +ipakrbrequirespreauth=True, +ipauniqueid=[fuzzy_uuid], +managing_host=[get_fqdn(host4)], +
[Freeipa-devel] [PATCH] Use curl instead of wget
[Note I didn't test this patch] Curl has a shared library, and so ends up being used by more components of the OS. It should be preferred over wget. The motivation for this patch is for Project Atomic hosts; we want to include ipa-client, but trim down its dependencies. If wget isn't installed on the host, it doesn't need to be updated for security errata. --- freeipa.spec.in| 4 ++-- ipa-client/ipa-install/ipa-client-install | 2 +- ipaplatform/base/paths.py | 1 - ipaplatform/redhat/services.py | 8 ipaserver/advise/plugins/legacy_clients.py | 16 5 files changed, 15 insertions(+), 16 deletions(-) From dfd2bb440b786a074fdc0fa73910ca48583187e6 Mon Sep 17 00:00:00 2001 From: Colin Walters walt...@verbum.org Date: Wed, 21 Jan 2015 16:59:52 -0500 Subject: [PATCH] Use curl instead of wget Curl has a shared library, and so ends up being used by more components of the OS. It should be preferred over wget. The motivation for this patch is for Project Atomic hosts; we want to include ipa-client, but trim down its dependencies. If wget isn't installed on the host, it doesn't need to be updated for security errata. --- freeipa.spec.in| 4 ++-- ipa-client/ipa-install/ipa-client-install | 2 +- ipaplatform/base/paths.py | 1 - ipaplatform/redhat/services.py | 8 ipaserver/advise/plugins/legacy_clients.py | 16 5 files changed, 15 insertions(+), 16 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 4da0732..f8fe2ad 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -224,7 +224,7 @@ Requires: ntp Requires: krb5-workstation Requires: authconfig Requires: pam_krb5 -Requires: wget +Requires: curl Requires: libcurl = 7.21.7-2 Requires: xmlrpc-c = 1.27.4 Requires: sssd = 1.12.3 @@ -286,7 +286,7 @@ Requires: python-qrcode-core = 5.0.0 Requires: python-pyasn1 Requires: python-dateutil Requires: python-yubico -Requires: wget +Requires: curl Conflicts: %{alt_name}-python Obsoletes: %{alt_name}-python %{version} 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index dfe0e3b..f8fc7d2 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1753,7 +1753,7 @@ def get_ca_certs_from_http(url, warn=True): root_logger.debug(trying to retrieve CA cert via HTTP from %s, url) try: -stdout, stderr, rc = run([paths.BIN_WGET, -O, -, url]) +stdout, stderr, rc = run([curl, url]) except CalledProcessError, e: raise errors.NoCertificateError(entry=url) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 5c52714..aa6dc6f 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -187,7 +187,6 @@ class BasePathNamespace(object): SSS_SSH_AUTHORIZEDKEYS = /usr/bin/sss_ssh_authorizedkeys SSS_SSH_KNOWNHOSTSPROXY = /usr/bin/sss_ssh_knownhostsproxy UPDATE_CA_TRUST = /usr/bin/update-ca-trust -BIN_WGET = /usr/bin/wget ZIP = /usr/bin/zip BIND_LDAP_SO = /usr/lib/bind/ldap.so BIND_LDAP_DNS_IPA_WORKDIR = /var/named/dyndb-ldap/ipa/ diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 8759cab..0801e59 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -201,10 +201,10 @@ class RedHatCAService(RedHatService): } args = [ -paths.BIN_WGET, -'-S', '-O', '-', -'--timeout=30', -'--no-check-certificate', +'curl', +'-v', +'--max-time', '30', +'--insecure', url ] diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py index 6d17f7e..93f186e 100644 --- a/ipaserver/advise/plugins/legacy_clients.py +++ b/ipaserver/advise/plugins/legacy_clients.py 
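Review bot: The replacement `run([curl, url])` in get_ca_certs_from_http loses the failure signal the surrounding try/except depends on: `wget -O -` exits non-zero on an HTTP 4xx/5xx, while curl without `--fail` exits 0 and writes the server's error page to stdout, so the `except CalledProcessError` branch that raised NoCertificateError is no longer reached and an HTML error body is returned to the caller as if it were certificate data. Add the fail flag and silence the progress meter that would otherwise land in stderr: `stdout, stderr, rc = run(['curl', '-sSf', url])`. Whether the caller later validates stdout as PEM is outside the hunk, but the explicit exit-status path is what this function's error handling is built around. The body of get_ca_certs_from_http continues past the hunk.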
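Review bot: The rewritten `args` list in RedHatCAService is not a like-for-like port: `wget -S -O -` returns non-zero on an HTTP error, whereas curl without `--fail` returns 0 and emits the error body, so whatever the caller does with the return code (outside the hunk) now only sees transport failures. `-v` is also a different beast from `-S` — wget printed just the response headers to stderr, curl `-v` prints a full `* `/`> `/`< ` connection trace — so if the caller inspects stderr for the status line (I cannot see it from here) it will need adjusting, and `--write-out '%{http_code}'` is the stable way to get that value. Suggested: `'curl', '-sS', '--fail', '--max-time', '30', '--insecure', url`. Note that `--insecure` is a straight translation of `--no-check-certificate`, so this HTTPS poll of the CA still performs no server-certificate verification; since the line is being rewritten anyway, either add a comment saying why that is acceptable here (`# --insecure: CA status poll during install, its cert is not in the trust store yet`) or point `--cacert` at the IPA CA chain once it is on disk. The enclosing method starts and ends outside the hunk.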
@@ -48,13 +48,13 @@ class config_base_legacy_client(Advice): 'cacertdir_rehash?format=txt') self.log.comment('Download the CA certificate of the IPA server') self.log.command('mkdir -p -m 755 /etc/openldap/cacerts') -self.log.command('wget http://%s/ipa/config/ca.crt -O ' - '/etc/openldap/cacerts/ipa.crt\n' % api.env.host) +self.log.command('curl -o /etc/openldap/cacerts/ipa.crt http://%s/ipa/config/ca.crt\n' + % api.env.host) self.log.comment('Generate hashes for the openldap library') self.log.command('command -v cacertdir_rehash') self.log.command('if [ $? -ne 0 ] ; then') -self.log.command(' wget %s -O cacertdir_rehash ;' % cacertdir_rehash) +self.log.command(' curl -o cacertdir_rehash %s;' % cacertdir_rehash)
Re: [Freeipa-devel] [PATCH] Use curl instead of wget
On Wed, 21 Jan 2015, Colin Walters wrote: [Note I didn't test this patch] Curl has a shared library, and so ends up being used by more components of the OS. It should be preferred over wget. The motivation for this patch is for Project Atomic hosts; we want to include ipa-client, but trim down its dependencies. If wget isn't installed on the host, it doesn't need to be updated for security errata. --- freeipa.spec.in| 4 ++-- ipa-client/ipa-install/ipa-client-install | 2 +- ipaplatform/base/paths.py | 1 - ipaplatform/redhat/services.py | 8 ipaserver/advise/plugins/legacy_clients.py | 16 5 files changed, 15 insertions(+), 16 deletions(-) In general, I'm not against trimming this dependency. However, please follow existing pattern by defining paths.BIN_CURL and using it instead of paths.BIN_WGET. FreeIPA client runs on Debian GNU/Linux-based platforms as well and we need to keep the abstraction. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0174-0175 ipa-kdb fixes
Hi, couple patches to fix Kerberos DAL driver in relation to trusts. Patch 0174: Allow using CA paths defined in krb5.conf on top of what we define automatically for trusted domains. https://fedorahosted.org/freeipa/ticket/4791 Patch 0175: Change error code reported back to Kerberos client when a principal from a disabled trusted domain attempts to access resources we control. The error code will help older SSSD to properly reflect error message in the PAM stack. https://fedorahosted.org/freeipa/ticket/4788 -- / Alexander Bokovoy From 5539c7d29e185c4ee6489a9f93008e2b0c2670c9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 5 Dec 2014 21:22:23 +0200 Subject: [PATCH 1/2] ipa-kdb: when processing transitions, hand over unknown ones to KDC When processing cross-realm trust transitions, let the KDC to handle those we don't know about. Admins might define the transitions as explicit [capaths] in krb5.conf. https://fedorahosted.org/freeipa/ticket/4791 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index a450007..0cbdd4c 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -2688,7 +2688,8 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, } } - ret = KRB5KRB_AP_ERR_ILL_CR_TKT; + /* Tell to KDC that we don't handle this transition so that rules in krb5.conf could play its role */ + ret = KRB5_PLUGIN_NO_HANDLE; if (has_client_realm has_transited_contents has_server_realm) { ret = 0; } -- 2.1.0 From c3d2718b3f28fabfdfb29cd6d0ee87d848e32d2f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 10 Dec 2014 14:59:38 +0200 Subject: [PATCH 2/2] ipa-kdb: reject principals from disabled domains as a KDC policy Fixes https://fedorahosted.org/freeipa/ticket/4788 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
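Review bot: Returning `KRB5_PLUGIN_NO_HANDLE` where ipadb_check_transited_realms used to return `KRB5KRB_AP_ERR_ILL_CR_TKT` is a policy widening, not only a fallback: as far as I can tell from the KDC plugin contract, NO_HANDLE makes the KDC run its own transited-realm check, which uses `[capaths]` when configured and otherwise its default hierarchical rule, so a transition this module previously rejected outright becomes acceptable whenever krb5.conf is silent and the realm names happen to be hierarchically related. That deserves a sentence in the commit message, and the added comment should say it too; suggested replacement: `/* Unknown transition (no trust data for it): defer to the KDC, which applies [capaths] from krb5.conf or its default transited-realm rule. This is a fallback, not a reject. */`. The `if (has_client_realm && has_transited_contents && has_server_realm)` override below still forces 0 for the known case, so that path is unchanged. The function starts outside the hunk.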
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 0cbdd4c..5d7f892 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context, domain-parent-sid_blacklist_incoming[k], true); if (result) { filter_logon_info_log_message(info-info-info3.base.domain_sid); -return EINVAL; +return KRB5KDC_ERR_POLICY; } } } -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
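Review bot: Only the rejection driven by `domain->parent->sid_blacklist_incoming` in filter_logon_info is switched to `KRB5KDC_ERR_POLICY`; the argument line kept as context suggests a sibling loop over the domain's own `sid_blacklist_incoming` earlier in the function (outside the hunk), and if that path still returns `EINVAL`, a principal blocked by the domain-level list gets the old generic error while one blocked by the forest-level list gets the policy error, which defeats the consistent SSSD/PAM mapping the commit is after. Worth grepping the function for every other `return EINVAL;` on a blacklist hit. A short comment on the new return would also help the next reader, e.g. `/* KDC policy error so SSSD can map the denial to a meaningful PAM message (#4788) */`. filter_logon_info starts and ends outside the hunk.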
[Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833. Honza -- Jan Cholasta From f5e6e45977b699bada1990f8231d0f142ab6fc61 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 21 Jan 2015 07:57:03 + Subject: [PATCH] Revert Make all ipatokenTOTP attributes mandatory This reverts commit adcd373931c50d91550f6b74b191d08ecce5b137. https://fedorahosted.org/freeipa/ticket/4833 --- install/share/70ipaotp.ldif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif index b35ab62..0c48d9a 100644 --- a/install/share/70ipaotp.ldif +++ b/install/share/70ipaotp.ldif 
@@ -29,7 +29,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.24 NAME 'ipatokenTOTPsyncWindow' DES attributeTypes: (2.16.840.1.113730.3.8.16.1.25 NAME 'ipatokenHOTPauthWindow' DESC 'HOTP Auth Window (maximum authentication skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.26 NAME 'ipatokenHOTPsyncWindow' DESC 'HOTP Sync Window (maximum synchronization skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ managedBy $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP') -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP') +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MAY (ipatokenRadiusConfigLink $ ipatokenRadiusUserName) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.5 NAME 'ipatokenHOTP' SUP ipaToken 
STRUCTURAL DESC 'HOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenHOTPcounter) X-ORIGIN 'IPA OTP') -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory
Dne 21.1.2015 v 09:09 Martin Kosek napsal(a): On 01/21/2015 09:02 AM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833. Honza Please also add the reason why we are reverting the change (see details https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7) directly to commit description. When done, I will ACK. Updated patch attached. (Feel free to amend the explanation.) -- Jan Cholasta From 625f01ec59b3304cffd7db3ae134026f3e5bc93c Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 21 Jan 2015 07:57:03 + Subject: [PATCH] Revert Make all ipatokenTOTP attributes mandatory This prevents schema replication conflicts which cause replication failures with older versions of IPA. This reverts commit adcd373931c50d91550f6b74b191d08ecce5b137. https://fedorahosted.org/freeipa/ticket/4833 --- install/share/70ipaotp.ldif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif index b35ab62..0c48d9a 100644 --- a/install/share/70ipaotp.ldif +++ b/install/share/70ipaotp.ldif 
@@ -29,7 +29,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.24 NAME 'ipatokenTOTPsyncWindow' DES attributeTypes: (2.16.840.1.113730.3.8.16.1.25 NAME 'ipatokenHOTPauthWindow' DESC 'HOTP Auth Window (maximum authentication skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.26 NAME 'ipatokenHOTPsyncWindow' DESC 'HOTP Sync Window (maximum synchronization skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' SUP top ABSTRACT DESC 'Abstract token class for tokens' MUST (ipatokenUniqueID) MAY (description $ managedBy $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipatokenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial) X-ORIGIN 'IPA OTP') -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP') +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MAY (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' SUP top AUXILIARY DESC 'Radius Proxy User' MAY (ipatokenRadiusConfigLink $ ipatokenRadiusUserName) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguration' SUP top STRUCTURAL DESC 'Proxy Radius Configuration' MUST (cn $ ipatokenRadiusServer $ ipatokenRadiusSecret) MAY (description $ ipatokenRadiusTimeout $ ipatokenRadiusRetries $ ipatokenUserMapAttribute) X-ORIGIN 'IPA OTP') objectClasses: (2.16.840.1.113730.3.8.16.2.5 NAME 'ipatokenHOTP' SUP ipaToken 
STRUCTURAL DESC 'HOTP Token Type' MUST (ipatokenOTPkey $ ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenHOTPcounter) X-ORIGIN 'IPA OTP') -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
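Review bot: Turning every ipatokenTOTP attribute into MAY removes the only directory-level guarantee that a TOTP token entry carries a key, algorithm, digit count and time step; after this revert that invariant is enforced solely by the otptoken plugin on the API path, and anything that reads token entries directly (the OTP daemon or KDB consumers, which I cannot see here) has to treat a missing ipatokenOTPkey as an unusable token rather than an empty secret. The commit message now explains the reason (schema replication conflicts with older IPA), but the LDIF does not, and with ipatokenHOTP two lines below still declaring MUST the asymmetry invites someone to tighten TOTP again. Add a comment above the objectclass, e.g. `# ipatokenTOTP attributes are deliberately MAY: MUST breaks schema replication with older IPA (ticket 4833); required-ness is enforced by the otptoken plugin.` The hunk is otherwise a straight revert of adcd3739.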
Re: [Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory
On 01/21/2015 09:02 AM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833. Honza Please also add the reason why we are reverting the change (see details https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7) directly to commit description. When done, I will ACK. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 395 Revert Make all ipatokenTOTP attributes mandatory
On 01/21/2015 09:15 AM, Jan Cholasta wrote: Dne 21.1.2015 v 09:09 Martin Kosek napsal(a): On 01/21/2015 09:02 AM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4833. Honza Please also add the reason why we are reverting the change (see details https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7) directly to commit description. When done, I will ACK. Updated patch attached. (Feel free to amend the explanation.) Ok, I just added direct link to the Bugzilla comment I referred. Pushed to master, ipa-4-1, ipa-4-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCHES 0187, 0188] DNSSEC ipa-dnskeysyncd fixes
Patch 188 catch ldap exceptions to prevent false positive abrt reports Patch 187 fixes issues with removing root zone Patches attached. -- Martin Basti From baed3cbcc9d4cf1768a7f2eff96e9d0943bfc578 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 21 Jan 2015 13:32:44 +0100 Subject: [PATCH] DNSSEC catch ldap exceptions in ipa-dnskeysyncd Server down exception causes lot of false positive abrt reports. --- daemons/dnssec/ipa-dnskeysyncd | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd index c7475bd65ba7ad38af99f2e8c3ae3bc8837f2c9b..e184d88b47ff7c7224c71057807e447e4b5e9e12 100755 --- a/daemons/dnssec/ipa-dnskeysyncd +++ b/daemons/dnssec/ipa-dnskeysyncd @@ -102,5 +102,9 @@ while watcher_running: filterstr=ldap_url.filterstr ) -while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): -pass +try: +while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): +pass +except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e: +log.exception('syncrepl_poll: LDAP error (%s)', e) +sys.exit(1) -- 2.1.0 From b47299085fd04bb8ccc99e47b2a0e33d52fd1e8a Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Wed, 21 Jan 2015 12:19:17 +0100 Subject: [PATCH] DNSSEC: fix root zone dns name conversion Root zone was represented as '@', which was incorrect. ksmutil did not accept it. Now root zone is represented as '.' --- ipapython/dnssec/odsmgr.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipapython/dnssec/odsmgr.py b/ipapython/dnssec/odsmgr.py index a91b6c553d9ab7364258bd1ca24d236a3994ec6d..ed17351cad4db28caed2623aa4bec145d5bc4414 100644 --- a/ipapython/dnssec/odsmgr.py +++ b/ipapython/dnssec/odsmgr.py 
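Review bot: The new `try` wraps only the `syncrepl_poll` loop, but the `syncrepl_search(...)` call whose closing parenthesis is the first context line of the hunk (and the connection setup above it, outside the hunk) can raise the same `ldap.SERVER_DOWN`/`ldap.CONNECT_ERROR`, so a directory server that is down when the daemon starts still produces the abrt report this patch is meant to silence. Open the `try:` before the search call so both are covered. `log.exception` already attaches the traceback, so the `(%s)` argument is redundant but harmless; what is worth adding is a comment on the exit, e.g. `# LDAP gone away: exit non-zero and let the service manager restart us instead of spinning on a dead connection`. The surrounding `while watcher_running:` loop starts outside the hunk.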
@@ -145,6 +145,9 @@ class ODSMgr(object): def del_ods_zone(self, name): # ods-ksmutil blows up if zone name has period at the end name = name.relativize(dns.name.root) +# detect if name is root zone +if name == dns.name.empty: +name = dns.name.root cmd = ['zone', 'delete', '--zone', str(name)] output = self.ksmutil(cmd) self.log.info(output) -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
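Review bot: The comment just above the new lines says ods-ksmutil "blows up if zone name has period at the end", and the added lines then hand it `.` for the root zone, so the comment is now half wrong and the next reader will "fix" the code back. Replace it with one that states both rules: `# ods-ksmutil rejects a trailing period on ordinary zones but expects the root zone as '.'; relativize() turns the root into the empty name, so map it back`. If add_ods_zone performs the same relativize() step (it is outside the hunk, so I cannot confirm), it needs the identical root-zone mapping, and the conversion belongs in a small `_ods_zone_name(name)` helper used by both rather than being duplicated. del_ods_zone starts at the hunk header.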
[Freeipa-devel] [PATCH 0320] Fix description of idnsAllowQuery attribute in README
Hello, Fix description of idnsAllowQuery attribute in README. https://fedorahosted.org/bind-dyndb-ldap/ticket/154 I got off-list ACK from Martin^2. Pushed to master: a4565b3ef843e4464d2e950f0716818e7c7ce09b -- Petr^2 Spacek From 94169b05e3a5e2d5b4c522274c50e523b0c1f030 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Wed, 21 Jan 2015 13:53:02 +0100 Subject: [PATCH] Fix description of idnsAllowQuery attribute in README. https://fedorahosted.org/bind-dyndb-ldap/ticket/154 --- README | 23 +++ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/README b/README index 1b8f2a713ad901d3aab5ed799cbb9c5e9c746c44..47cd9f68a3d27131ba95a07839cc3c2c5f2e8e49 100644 --- a/README +++ b/README 
@@ -62,23 +62,22 @@ Attributes: value dyn_update from plugin configuration will be used. * idnsAllowQuery - Specifies BIND9 zone ACL element. This attribute can be set multiple - times and are merged together to the one ACL. + Specifies BIND9 zone ACL element as one string. - Example: - idnsAllowQuery: 127.0.0.1 - idnsAllowQuery: ::1 - idnsAllowQuery: 192.168.1.0/24 + Example 1: idnsAllowQuery: 192.0.2.1 + In the first example above, only the client with 192.0.2.1 IP address + is allowed to query records from the zone. - In the example above clients with 127.0.0.1 and ::1 IP addresses and - clients from the 192.168.1.0/24 network are allowed to obtain records - from the zone. + Example 2: idnsAllowQuery: !192.0.2.33; 192.0.2.0/24; + In the second example, queries from client 192.0.2.33 are refused + but queries from all other clients in the 192.0.2.0/24 network + are allowed. You can specify IPv4/IPv6 address, IPv4/IPv6 network address in CIDR - format and any or none keywords. The ! prefix (for example - !192.168.1.0/24) means negation of the ACL element. + format, and any or none keywords. The ! prefix (for example + !192.0.2.33) means negation of the ACL element. - If not set then zone inherits global allow-query from named.conf. + If not set, then zone inherits global allow-query from named.conf. * idnsAllowTransfer Uses same format as idnsAllowQuery. Allows zone transfers for matching -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel